[dns-operations] Org Dnskey TTL

Mark Andrews marka at isc.org
Tue Apr 20 22:03:53 UTC 2010

In message <20100420134129.GC43732 at shinkuro.com>, Andrew Sullivan writes:
> On Tue, Apr 20, 2010 at 09:38:18PM +1000, Mark Andrews wrote:
> > No.  The fetching of DNSKEY is unrelated to the number of child
> > zone that are signed.  The DNSKEY is used to verify the contents
> > of the ORG zone not its children.
> Except that, of course, if you're validating your way up the chain you
> will validate .org more often as more zones inside it are signed, no?

No.  You have to verify DS or not DS for each delegation.

If anything it is likely to be less often with more secure delegations
as the TTL of DS is likely to be greater than the negative cache
ttl of the not DS response but you also have to factor in the ttl of
the DNSKEY RRset.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list