[dns-operations] Org Dnskey TTL
Andrew Sullivan
ajs at shinkuro.com
Tue Apr 20 22:07:19 UTC 2010
On Wed, Apr 21, 2010 at 08:03:53AM +1000, Mark Andrews wrote:
>
> No. You have to verify DS or not DS for each delegation.

Oh, duh. I'm an idiot. So in the case of .org, you'd need to
validate whether the no-DS answer is valid, so you'd still need to
fetch the DNSKEY.

> If anything it is likely to be less often with more secure delegations
> as the TTL of DS is likely to be greater than the negative cache
> ttl of the not DS response but you also have to factor in the ttl of
> the DNSKEY RRset.

Right.

A
--
Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.