[dns-operations] Org Dnskey TTL
george.barwood at blueyonder.co.uk
Tue Apr 20 13:48:35 UTC 2010
> Sorry if this is a silly question, but is there an operational problem
> that you've observed as a result of this TTL?
I doubt there would be an actual operational problem at 15 minutes, but it's not at all green.
24 hours would be a more appropriate TTL for a DNSKEY RRset I think.
o We suggest the Minimum Zone TTL to be long enough to both fetch
and verify all the RRs in the trust chain. In workshop
environments, it has been demonstrated  that a low TTL (under
5 to 10 minutes) caused disruptions because of the following two
1. During validation, some data may expire before the
validation is complete. The validator should be able to
keep all data until it is completed. This applies to all
RRs needed to complete the chain of trust: DSes, DNSKEYs,
RRSIGs, and the final answers, i.e., the RRSet that is
returned for the initial query.
2. Frequent verification causes load on recursive nameservers.
Data at delegation points, DSes, DNSKEYs, and RRSIGs
benefit from caching. The TTL on those should be
More information about the dns-operations