Apply floor of 60s to TTL of DNSKEY and DS records in cache.

Short TTLs and specifically zero TTLs can mess up DNSSEC validation.
2025-12-19 10:18:25 +00:00 · 2020-07-12 17:43:25 +01:00
parent 9beb4d9ea2
commit 7e194a0a7d
2 changed files with 18 additions and 4 deletions
--- a/src/config.h
+++ b/src/config.h
@@ -40,6 +40,7 @@
 #define DHCP_PACKET_MAX 16384 /* hard limit on DHCP packet size */
 #define SMALLDNAME 50 /* most domain names are smaller than this */
 #define CNAME_CHAIN 10 /* chains longer than this atr dropped for loop protection */
+#define DNSSEC_MIN_TTL 60 /* DNSKEY and DS records in cache last at least this long */
 #define HOSTSFILE "/etc/hosts"
 #define ETHERSFILE "/etc/ethers"
 #define DEFLEASE 3600 /* default lease time, 1 hour */