Craig Whitmore wrote:
> If an ISP (or anyone) is breaking/changing TTLs (and maybe other stuff
> in DNS) on purpose I would think IMHO this is bad. I think it would make
> DNSSEC signed zones fail + other stuff you have said as the ISP is
> playing around with it.

Um, no, messing with the TTL doesn't break DNSSEC (the TTL isn't signed), although potentially a vastly extended TTL could push caching of DNSSEC records beyond the expiry of their keys. (If a < 24 hour expiry did this, whoever is maintaining the DNSSEC keys is Doing It Wrong.) But in general, every recursive name server updates the TTL of its cached records every time it issues a cached answer to a query.

It's still not a good thing to do, for the reasons Cameron already mentioned. I imagine folks might do it to reduce the outbound query load, especially if the source name server was unreliable.

Mark Foster wrote:
> What you're describing sounds to me more like 'legacy zone files & config
> left behind' and is relatively common (as the removal of zone files is a
> manual process as part of the deprovisioning work, and is often overlooked,
> if not by the customer then certainly by the DNS host losing the business).

A very old problem. Are there still ISPs putting recursive and authoritative name service in the same processes? If there are, can we name them please, so we can all point and laugh and tell everyone we know that they're clueless fracking idiots who don't deserve to have customers?

-- don
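As an added illustration of the two points made in the reply above (this is example code written for this page, not anything posted in the thread), the following Python model shows how a validating resolver is supposed to bound the cache lifetime of an RRset, and how a cached answer's TTL shrinks on every answer served from cache. The TTL bound follows RFC 4035 section 5.3.3: the cached TTL of an authenticated RRset is capped at the minimum of the received RRset TTL, the RRSIG TTL, the RRSIG Original TTL field (which is signed), and the seconds remaining until the signature expires. The TTL values, timestamps and names are constructed sample data; the cache itself is a deliberately simplified dictionary, not a real resolver.

```python
"""Constructed model of DNS cache TTL handling versus RRSIG expiry.

Added example for this page. Values below are made up; the cache is a
toy, not a resolver implementation.
"""
from dataclasses import dataclass, field


@dataclass
class CachedRRset:
    """One cached RRset: the data plus the absolute time it leaves the cache."""
    name: str
    rdata: list = field(default_factory=list)
    expires_at: int = 0  # seconds, same clock as `now` below


def effective_ttl(rrset_ttl: int, rrsig_ttl: int, original_ttl: int,
                  sig_expiration: int, now: int) -> int:
    """RFC 4035 section 5.3.3 cap for a validated RRset.

    On-the-wire TTLs (rrset_ttl, rrsig_ttl) are unsigned and can be rewritten
    by anything in the path; original_ttl lives inside the signed RRSIG rdata
    and sig_expiration is signed too, so they anchor the bound.
    """
    remaining = sig_expiration - now
    return max(0, min(rrset_ttl, rrsig_ttl, original_ttl, remaining))


def naive_cache_serves_past_expiry(received_ttl: int, sig_expiration: int,
                                   now: int) -> bool:
    """A non-validating cache that trusts the wire TTL as-is keeps the RRset
    until now + received_ttl. True if that outlives the RRSIG, i.e. the
    'vastly extended TTL' case from the discussion."""
    return now + received_ttl > sig_expiration


def cache_insert(cache: dict, name: str, rdata: list, ttl: int, now: int) -> None:
    """Store an RRset with an absolute expiry computed from the TTL."""
    cache[name] = CachedRRset(name, list(rdata), now + ttl)


def cache_answer(cache: dict, name: str, now: int):
    """Serve a cached answer as a resolver does: the TTL handed out is the
    time left until expiry, so it decreases with every cached answer.
    Returns (rdata, ttl) or None once the entry has expired."""
    entry = cache.get(name)
    if entry is None:
        return None
    remaining = entry.expires_at - now
    if remaining <= 0:
        del cache[name]
        return None
    return list(entry.rdata), remaining


def middlebox_scenario(now: int = 1_000_000) -> dict:
    """Constructed scenario: the zone publishes a 1 h TTL and a 24 h RRSIG.
    A middlebox rewrites both unsigned TTLs to one week. Compare what a naive
    cache and an RFC 4035 validator would do with that answer."""
    zone_ttl = 3600
    sig_expiration = now + 86_400       # 24 h validity window
    rewritten_ttl = 7 * 86_400          # one week, rewritten in transit
    validated = effective_ttl(rewritten_ttl, rewritten_ttl, zone_ttl,
                              sig_expiration, now)
    return {
        "naive_outlives_signature": naive_cache_serves_past_expiry(
            rewritten_ttl, sig_expiration, now),
        "validated_ttl": validated,
        "validated_outlives_signature": now + validated > sig_expiration,
    }


if __name__ == "__main__":
    print(middlebox_scenario())
    cache = {}
    cache_insert(cache, "www.example.net.", ["192.0.2.10"], ttl=300, now=1000)
    for t in (1100, 1250, 1300):
        print(t, cache_answer(cache, "www.example.net.", t))
```

Running the script prints the middlebox comparison and then three cached answers at t=1100, 1250 and 1300 for a 300 s entry inserted at t=1000: the served TTL goes 200, 50, then the entry is gone. The scenario shows why the thread's two statements coexist: the validator's cap ignores the rewritten wire TTLs because the signed Original TTL and expiration win, while a cache that is not validating happily keeps the records a week beyond the signature's life.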