diff --git a/DnsServerCore/Dns/Zones/AuthZone.cs b/DnsServerCore/Dns/Zones/AuthZone.cs
index 34a709a7..60f7fc1f 100644
--- a/DnsServerCore/Dns/Zones/AuthZone.cs
+++ b/DnsServerCore/Dns/Zones/AuthZone.cs
@@ -475,7 +475,7 @@ namespace DnsServerCore.Dns.Zones
 
             DnsNSECRecordData newNSecRecord = new DnsNSECRecordData(nextDomainName, types);
 
-            if (!_entries.TryGetValue(DnsResourceRecordType.NSEC, out IReadOnlyList<DnsResourceRecord> existingRecords) || !existingRecords[0].RDATA.Equals(newNSecRecord))
+            if (!_entries.TryGetValue(DnsResourceRecordType.NSEC, out IReadOnlyList<DnsResourceRecord> existingRecords) || (existingRecords[0].TtlValue != ttl) || !existingRecords[0].RDATA.Equals(newNSecRecord))
                 return new DnsResourceRecord[] { new DnsResourceRecord(_name, DnsResourceRecordType.NSEC, DnsClass.IN, ttl, newNSecRecord) };
 
             return Array.Empty<DnsResourceRecord>();
@@ -483,7 +483,7 @@ namespace DnsServerCore.Dns.Zones
 
         internal IReadOnlyList<DnsResourceRecord> GetUpdatedNSec3RRSet(IReadOnlyList<DnsResourceRecord> newNSec3Records)
         {
-            if (!_entries.TryGetValue(DnsResourceRecordType.NSEC3, out IReadOnlyList<DnsResourceRecord> existingRecords) || !existingRecords[0].RDATA.Equals(newNSec3Records[0].RDATA))
+            if (!_entries.TryGetValue(DnsResourceRecordType.NSEC3, out IReadOnlyList<DnsResourceRecord> existingRecords) || (existingRecords[0].TtlValue != newNSec3Records[0].TtlValue) || !existingRecords[0].RDATA.Equals(newNSec3Records[0].RDATA))
                 return newNSec3Records;
 
             return Array.Empty<DnsResourceRecord>();