[dns-operations] Org Dnskey TTL

Matthew Pounsett matt at conundrum.com
Tue Apr 27 21:46:22 UTC 2010


On 2010/04/19, at 10:53, Chris Thompson wrote:

> On Jun 18 2009, Dave Knight wrote:
> 
>> On 17-Jun-09, at 8:28 PM, Mark Andrews wrote:
>> 
>>> 	Why still a low a ttl for DNSKEY?  I can understand for
>>> 	negative responses but changes to DNSKEY would have to be
>>> 	on the order of days anyway as that is what it takes to
>>> 	change trust anchors.
>> 
>> Our signer solution doesn't currently allow the TTL of these records to be set individually, a fix for this is in the pipeline though.
> 
> Noticing again that the "org" DNSKEY TTL is still 900 (that's a loooong
> pipeline!) I've put together this list of DNSKEY (original) TTLs for
> signed TLDs:

Sorry for taking so long to weigh in on this.

As Dave noted back in June, our solution for signing the org zone didn't allow for us to set a separate TTL for the DNSKEY records from the SOA.  A software update we recently installed now permits us to set an arbitrary TTL for the DNSKEY records.  We're doing some investigation and testing before we settle on a value .. but a change should be in place soon (where the value for "soon" is sometime before full production rollout of DNSSEC for org, which is scheduled for June).

Matt
