Maintained by: NLnet Labs

[Unbound-users] Unbound doesn't cache ANY query result from some DNSSEC-signed zone

Paul Wouters
Wed Jul 24 15:23:55 CEST 2013


On Wed, 24 Jul 2013, Matthijs Mekking wrote:

>>   At nameserver-side, giving non-zero TTL for NSEC3PARAM records
>> might be a workaround against this issue.
>> Unfortunately OpenDNSSEC decided to set zero-TTL
>> to NSEC3PARAM of signing zones [1].
>>
>> [1] https://issues.opendnssec.org/browse/OPENDNSSEC-330
>
> FYI: We are going back to default TTL in the upcoming patch versions for
> OpenDNSSEC 1.3 and 1.4

Please make this a configurable option. It will otherwise cause issues
for people who run/compare a dual signer setup with bind.

Paul