[Freeipa-users] Does ipa dns enforce RRSet TTLs?

Petr Spacek pspacek at redhat.com
Thu Mar 20 17:19:08 UTC 2014


On 20.3.2014 18:05, Rich Megginson wrote:
> http://tools.ietf.org/html/rfc2181#section-5
>
> Specifically, this:
> "Consequently the use of differing TTLs in an RRSet is hereby deprecated, the
> TTLs of all RRs in an RRSet must be the same."
>
> The answer is:
>
> IPA is even more strict, one DNS *name* can have only one TTL for all RRsets.
>
> This limitation is enforced by LDAP structure we use. All DNS records for
> single DNS name are stored in one LDAP object and DNS TTL is represented as
> one attribute.
>
> The follow up question is:
>
> But dnsrecord_add/mod has a dnsttl attribute.  What happens if I do a
> dnsrecord_mod {"dnsttl": adifferentvalue}?  Does it change the ttl for _all_
> records?

Yes it does, it should always affect the whole DNS name.

IMHO the right behavior for "import scripts" is to compute min(TTL in IPA, TTL 
of the new record) and use this value when adding a record.

Default TTL is now 86400 seconds. There is a plan to implement per-zone 
default TTL.

Let me know if you have some problems because of this, we can try to find some 
solution.

-- 
Petr^2 Spacek
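A worked version of the import rule above, added here as an example and not code from FreeIPA or from anyone in the thread: all records of one DNS name sit in a single LDAP object with a single dnsttl attribute, so an importer has to choose one TTL for the whole name, and the safe choice is min(TTL already in IPA, TTL of the record being added). The entries are modelled as dicts shaped like that LDAP object (attribute name to list of values), the sample entries are constructed for the example, and the ipa CLI flag names (--a-rec, --ttl and friends) are assumed from the CLI and should be checked against `ipa dnsrecord-add --help` on your version.

```python
"""Added example, not FreeIPA project code: apply the one-TTL-per-name rule when
importing records into IPA DNS.  Entries are dicts shaped like the LDAP object
IPA stores for a DNS name (attribute -> list of values)."""

from typing import Dict, List, Optional, Tuple

IPA_DEFAULT_TTL = 86400  # TTL IPA applies when dnsttl is unset (from the thread)

# LDAP record attribute -> ipa CLI flag.  Assumed from the ipa CLI; verify with
# `ipa dnsrecord-add --help` before relying on the flag names.
RECORD_FLAGS = {
    "arecord": "--a-rec", "aaaarecord": "--aaaa-rec", "cnamerecord": "--cname-rec",
    "mxrecord": "--mx-rec", "txtrecord": "--txt-rec", "srvrecord": "--srv-rec",
    "ptrrecord": "--ptr-rec", "nsrecord": "--ns-rec",
}

Entry = Optional[Dict[str, List[str]]]
NewRecord = Tuple[str, str, int]  # (ldap attribute, value, TTL in the source zone)


def effective_ttl(entry: Entry) -> Optional[int]:
    """TTL IPA currently serves for this name, or None if the name does not exist."""
    if entry is None:
        return None
    vals = entry.get("dnsttl") or []
    return int(vals[0]) if vals else IPA_DEFAULT_TTL


def existing_records(entry: Entry) -> List[Tuple[str, str]]:
    """All (attribute, value) pairs already stored under the name."""
    if entry is None:
        return []
    return [(a, v) for a in RECORD_FLAGS for v in entry.get(a, [])]


def plan_name_import(entry: Entry, zone: str, name: str, new: List[NewRecord]) -> dict:
    """Pick one TTL for the name and build the ipa CLI calls that add the records.

    Rule from the thread: ttl = min(TTL already in IPA, TTL of each new record).
    For a name IPA does not have yet there is nothing to reconcile, so the
    smallest TTL among the imported records is used as-is.
    """
    if not new:
        raise ValueError("nothing to import for %s.%s" % (name, zone))
    current = effective_ttl(entry)
    candidates = [ttl for _, _, ttl in new]
    if current is not None:
        candidates.append(current)
    ttl = min(candidates)
    # Records whose TTL changes as a side effect of the import: every record that
    # already exists under the name (dnsttl is shared by all of them) when the
    # TTL goes down, plus each imported record whose source TTL was larger.
    lowered = existing_records(entry) if current is not None and ttl < current else []
    lowered += [(attr, value) for attr, value, t in new if t > ttl]
    cmds = [
        ["ipa", "dnsrecord-add", zone, name, "%s=%s" % (RECORD_FLAGS[attr], value),
         "--ttl=%d" % ttl]
        for attr, value, _ in new
    ]
    return {"ttl": ttl, "commands": cmds, "ttl_lowered_for": lowered}


# Constructed sample entries, shaped like the LDAP objects IPA stores.
SAMPLE_WWW = {  # www.example.test with an explicit TTL
    "idnsname": ["www"], "arecord": ["192.0.2.10"],
    "txtrecord": ["v=spf1 -all"], "dnsttl": ["3600"],
}
SAMPLE_MAIL = {"idnsname": ["mail"], "arecord": ["192.0.2.25"]}  # no dnsttl: default applies


if __name__ == "__main__":
    # Adding a 300 s AAAA record to www drops the existing A and TXT records to 300 s too.
    plan = plan_name_import(SAMPLE_WWW, "example.test", "www",
                            [("aaaarecord", "2001:db8::10", 300)])
    print("ttl for whole name:", plan["ttl"])
    print("records whose TTL changed:", plan["ttl_lowered_for"])
    for cmd in plan["commands"]:
        print(" ".join(cmd))
```

The ttl_lowered_for list is the part worth logging in a real import: it tells the operator which records silently got a shorter TTL because of the shared dnsttl attribute, which is exactly the side effect the question in the thread is about.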



