[dns-operations] Org Dnskey TTL

Chris Thompson cet1 at cam.ac.uk
Mon Apr 19 14:53:48 UTC 2010

On Jun 18 2009, Dave Knight wrote:

>On 17-Jun-09, at 8:28 PM, Mark Andrews wrote:
>> In message <E807EEC1-6B38-40D9-9D13-8C9EF9B0E3CA at ca.afilias.info>,  
>> Dave Knight writes:


>>> Our DNSSEC signer appliance takes the TTL for the DNSKEY records and
>>> their signatures from the TTL of the SOA. Until this weekend ORGs SOA
>>> TTL was 0, it has now been changed to 900. We will do a followup
>>> maintenance soon to correct the DNSKEY TTLs. I'll follow-up to the
>>> list when that happens.


>> 	Why still a low a ttl for DNSKEY?  I can understand for
>> 	negative responses but changes to DNSKEY would have to be
>> 	on the order of days anyway as that is what it takes to
>> 	change trust anchors.
>Our signer solution doesn't currently allow the TTL of these records  
>to be set individually, a fix for this is in the pipeline though.

Noticing again that the "org" DNSKEY TTL is still 900 (that's a loooong
pipeline!) I've put together this list of DNSKEY (original) TTLs for
signed TLDs:

  arpa.  172800  (2d)
  bg.      3600  (1h)
  br.     21600  (6h)
  ch.     86400  (1d)
  cz.      3600  (1h)
  gov.    86400  (1d)
  li.     86400  (1d)
  na.    345600  (4d)
  nu.     86400  (1d)
  org.      900  (15m)
  pm.    172800  (2d)
  pr.     86400  (1d)
  pt.     28800  (8h)
  se.      3600  (1h)
  th.      7200  (2h)
  tm.     86400  (1d)
  uk.    172800  (2d)
  us.    518400  (6d)
  xn--*    3600  (1h)

[the last entry representing the 11 IDN TLDs listed in the IANA ITAR]

It would seem that the variation is rather extreme, and has little to
do with individual key rollover policies.

Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.

More information about the dns-operations mailing list