[dns-operations] Org Dnskey TTL

Chris Thompson cet1 at cam.ac.uk
Tue Apr 20 10:12:20 UTC 2010


On Apr 20 2010, Doug Barton wrote:

>On 4/19/2010 7:53 AM, Chris Thompson wrote:
>
>>   org.      900  (15m)
>
>> It would seem that the variation is rather extreme, and has little to
>> do with individual key rollover policies.
>
>Sorry if this is a silly question, but is there an operational problem
>that you've observed as a result of this TTL?

Obviously, it means that DNSKEY records are fetched more often than they
should need to be. But no, I can't say that it causes any significant
operational problem so far. Maybe when more *.org zones are signed?

BIND, at least, doesn't expire already-validated RRsets just because
the TTLs (as opposed to the RRSIG expiry times) on the DNSKEYs used
during validation have elapsed.

-- 
Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.


