[dns-operations] Org Dnskey TTL
George Barwood
george.barwood at blueyonder.co.uk
Tue Apr 20 13:48:35 UTC 2010
> Sorry if this is a silly question, but is there an operational problem
> that you've observed as a result of this TTL?
I doubt there would be an actual operational problem at 15 minutes, but it's not at all green.
24 hours would be a more appropriate TTL for a DNSKEY RRset I think.
http://tools.ietf.org/html/rfc4641#section-4.1
says
   o  We suggest the Minimum Zone TTL to be long enough to both fetch
      and verify all the RRs in the trust chain.  In workshop
      environments, it has been demonstrated [18] that a low TTL (under
      5 to 10 minutes) caused disruptions because of the following two
      problems:

      1. During validation, some data may expire before the
         validation is complete.  The validator should be able to
         keep all data until it is completed.  This applies to all
         RRs needed to complete the chain of trust: DSes, DNSKEYs,
         RRSIGs, and the final answers, i.e., the RRSet that is
         returned for the initial query.

      2. Frequent verification causes load on recursive nameservers.
         Data at delegation points, DSes, DNSKEYs, and RRSIGs
         benefit from caching.  The TTL on those should be
         relatively long.
George
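An added example, not part of George's post or the list archive: a small Python check that reads a DNSKEY RRset in dig-style presentation format and reports its TTL against the two RFC 4641 points quoted above (a sub-10-minute TTL, and a TTL longer than the time left on the covering RRSIG). The zone name, key data, signature and timestamps in the sample are constructed placeholders.

```python
from datetime import datetime, timezone

WORKSHOP_MIN_TTL = 10 * 60      # RFC 4641 4.1: under 5-10 min caused disruptions
SUGGESTED_TTL = 24 * 60 * 60    # the 24 h the post suggests for a DNSKEY RRset

# Constructed sample in dig-style presentation format (not a real zone's data;
# key and signature fields are placeholders). TTL is 900 s, i.e. 15 minutes.
SAMPLE_RRSET = """\
example. 900 IN DNSKEY 257 3 8 PLACEHOLDERKSK==
example. 900 IN DNSKEY 256 3 8 PLACEHOLDERZSK==
example. 900 IN RRSIG DNSKEY 8 1 900 20100501000000 20100401000000 12345 example. PLACEHOLDERSIG==
"""


def dns_time(s):
    """Parse the YYYYMMDDHHMMSS form RRSIG uses, as UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_records(text):
    """Return (owner, ttl, type, rdata fields) for each presentation-format line."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith(";"):
            continue  # skip blank lines and dig comments
        owner, ttl, _cls, rtype = fields[:4]
        records.append((owner, int(ttl), rtype, fields[4:]))
    return records


def check_dnskey_ttl(text, now):
    """Return the DNSKEY RRset TTL and a list of findings against the guidance."""
    records = parse_records(text)
    ttls = {ttl for _, ttl, rtype, _ in records if rtype == "DNSKEY"}
    sigs = [r for _, _, rtype, r in records if rtype == "RRSIG" and r[0] == "DNSKEY"]
    if not ttls:
        raise ValueError("no DNSKEY records in input")
    findings = []
    if len(ttls) > 1:  # RFC 2181: all RRs in an RRset must share one TTL
        findings.append("DNSKEY records carry differing TTLs")
    ttl = min(ttls)
    if ttl < WORKSHOP_MIN_TTL:
        findings.append(f"TTL {ttl}s is under the 5-10 minute range reported as disruptive")
    elif ttl < SUGGESTED_TTL:
        findings.append(f"TTL {ttl}s is short for a DNSKEY RRset; 24h is more typical")
    for rdata in sigs:  # RRSIG rdata: type alg labels origttl expiration inception ...
        remaining = (dns_time(rdata[4]) - now).total_seconds()
        if ttl > remaining:  # a cached copy must not outlive its RRSIG
            findings.append(f"TTL {ttl}s exceeds the {int(remaining)}s left on the RRSIG")
    return {"ttl": ttl, "findings": findings}
```

Feeding it the output of `dig +dnssec DNSKEY <zone>` (comment lines are skipped) gives the same report for a live zone.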