...

Note that the KSK and ZSK rollover intervals affect TTLs used by RRs in signed zones.
A grace period is half of the key rollover interval. For example, if the KSK rollover interval is 1 year (365 days), then the grace period is 182.5 days; if the ZSK rollover interval is 30 days, then the grace period is 15 days.

The DNSKEY RRset in the zone is assigned a TTL, which is half of the signature validity interval. The default signature validity interval is set to 4 days, so DNSKEY RRset TTL is set to 2 days (172800 seconds).
All other RRs in the signed zone are limited to a “zone maximum TTL,” which is the grace period of the ZSK. In the example, this is also 15 days.
When the zone is initially signed, if the TTL of an RR exceeds the zone maximum TTL, the Grid Master reduces the TTL to the zone maximum TTL. Additionally, the TTL settings for the signed zone are set to override; the values are inherited from the Grid DNS properties at that time, and the default TTL setting is reduced to the zone maximum TTL if the Grid property exceeds it. If the zone is later unsigned, the zone DNS properties remain at their overridden settings.
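The following sketch is an added example, not code from the product or its documentation. It applies the rules above (grace period is half the rollover interval, DNSKEY TTL is half the signature validity interval, other RRs are capped at the ZSK grace period) to show which TTLs would be reduced at initial signing. The record names, the 20-day Grid default TTL, and all function and class names are assumptions made for illustration.

```python
from dataclasses import dataclass

DAY = 86400  # seconds per day


@dataclass(frozen=True)
class SigningPolicy:
    ksk_rollover: int             # KSK rollover interval, seconds
    zsk_rollover: int             # ZSK rollover interval, seconds
    sig_validity: int = 4 * DAY   # signature validity interval (default per the text)

    def grace(self, rollover):
        # A grace period is half of the key rollover interval.
        return rollover / 2

    @property
    def dnskey_ttl(self):
        # DNSKEY RRset TTL is half of the signature validity interval.
        return self.sig_validity // 2

    @property
    def zone_max_ttl(self):
        # All other RRs are capped at the ZSK grace period.
        return int(self.grace(self.zsk_rollover))


def ttls_after_signing(policy, grid_default_ttl, records):
    """Return (zone_default_ttl, {(owner, rtype): (old_ttl, new_ttl)}).

    records: (owner, rtype, ttl) tuples; ttl=None means "use the default".
    """
    cap = policy.zone_max_ttl
    zone_default = min(grid_default_ttl, cap)  # default is reduced if it exceeds the cap
    result = {}
    for owner, rtype, ttl in records:
        old = grid_default_ttl if ttl is None else ttl
        new = min(zone_default if ttl is None else ttl, cap)
        result[(owner, rtype)] = (old, new)
    return zone_default, result


# Constructed sample data: intervals from the text, invented records (assumption).
POLICY = SigningPolicy(ksk_rollover=365 * DAY, zsk_rollover=30 * DAY)
RECORDS = [
    ("www.example.test.", "A", 3600),
    ("static.example.test.", "CNAME", 30 * DAY),  # exceeds the 15-day cap
    ("mail.example.test.", "MX", None),           # inherits the default TTL
]

if __name__ == "__main__":
    default, plan = ttls_after_signing(POLICY, 20 * DAY, RECORDS)
    print("DNSKEY TTL:", POLICY.dnskey_ttl, "zone max TTL:", POLICY.zone_max_ttl)
    for key, (old, new) in plan.items():
        print(key, old, "->", new, "(reduced)" if new < old else "")
```

Running the same check against an exported record list before signing shows in advance which long TTLs will be shortened.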

RRSIG Signatures

...