[dns-operations] Org Dnskey TTL

Andrew Sullivan ajs at shinkuro.com
Tue Apr 20 22:07:19 UTC 2010


On Wed, Apr 21, 2010 at 08:03:53AM +1000, Mark Andrews wrote:
> 
> No.  You have to verify DS or not DS for each delegation.

Oh, duh.  I'm an idiot.  So in the case of .org, you'd need to
validate whether the no-DS answer is valid, so you'd still need to
fetch the DNSKEY.

> If anything it is likely to be less often with more secure delegations
> as the TTL of DS is likely to be greater than the negative cache
> ttl of the not DS response but you also have to factor in the ttl of
> the DNSKEY RRset.

Right.

A

-- 
Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.
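To make the point in the exchange concrete, here is an added example (not from the thread or from either author) that models a validating resolver's cache for one delegation: proving either "DS present" or "no DS" needs the parent's DNSKEY, so the parent-key fetch rate follows the DS TTL (signed child) or the negative-cache TTL (unsigned child), capped by the DNSKEY TTL. All TTL values and the query schedule are constructed, not real .org figures; the child zone's own DNSKEY is out of scope.

```python
"""Constructed model of parent-DNSKEY fetches caused by one delegation.

A validator must prove DS-or-no-DS for every delegation it crosses, and
both proofs (the DS RRSIG or the NSEC/NSEC3 denial) are signed with the
parent's key.  So whenever the cached DS / no-DS entry expires, the
parent DNSKEY is needed again, and is refetched unless still cached."""
from dataclasses import dataclass


@dataclass
class Delegation:
    name: str
    signed: bool        # True: a DS RRset exists; False: no-DS (negative) answer
    ds_ttl: int         # TTL of the DS RRset (used when signed)
    negative_ttl: int   # negative-cache TTL of the no-DS answer (unsigned)


def simulate(deleg, dnskey_ttl, query_times):
    """Return (ds_fetches, dnskey_fetches) needed to validate the queries."""
    ds_expires = -1       # time the cached DS / no-DS proof goes stale
    key_expires = -1      # time the cached parent DNSKEY goes stale
    ds_fetches = dnskey_fetches = 0
    for t in query_times:
        if t >= ds_expires:
            ds_fetches += 1
            ttl = deleg.ds_ttl if deleg.signed else deleg.negative_ttl
            ds_expires = t + ttl
            if t >= key_expires:   # parent key required to validate this answer
                dnskey_fetches += 1
                key_expires = t + dnskey_ttl
    return ds_fetches, dnskey_fetches


def compare(dnskey_ttl=3600, ds_ttl=86400, negative_ttl=900):
    """One day of queries every 60 s against a signed and an unsigned child.

    Constructed TTLs: a DS TTL of a day, a negative TTL of 15 minutes and a
    parent DNSKEY TTL of an hour, so the unsigned child re-proves no-DS
    96 times but the DNSKEY TTL caps parent-key fetches at 24."""
    day = range(0, 86400, 60)
    signed = Delegation("signed.example", True, ds_ttl, negative_ttl)
    unsigned = Delegation("unsigned.example", False, ds_ttl, negative_ttl)
    return {d.name: simulate(d, dnskey_ttl, day) for d in (signed, unsigned)}


if __name__ == "__main__":
    for name, (ds, keys) in compare().items():
        print(f"{name}: {ds} DS/no-DS fetches, {keys} parent DNSKEY fetches")
```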
