[dns-operations] Org Dnskey TTL
Chris Thompson
cet1 at cam.ac.uk
Tue Apr 20 10:12:20 UTC 2010
On Apr 20 2010, Doug Barton wrote:

> On 4/19/2010 7:53 AM, Chris Thompson wrote:
>
>> org. 900 (15m)
>
>> It would seem that the variation is rather extreme, and has little to
>> do with individual key rollover policies.
>
> Sorry if this is a silly question, but is there an operational problem
> that you've observed as a result of this TTL?

Obviously, it means that DNSKEY records are fetched more often than they
should need to be. But no, I can't say that it causes any significant
operational problem so far. Maybe when more *.org zones are signed?
BIND, at least, doesn't expire already-validated RRsets just because
the TTLs (as opposed to the RRSIG expiry times) on the DNSKEYs used
during validation have elapsed.
--
Chris Thompson
Email: cet1 at ucs.cam.ac.uk
Phone: +44 1223 334715
University of Cambridge Computing Service,
New Museums Site, Cambridge CB2 3QH,
United Kingdom.