[dns-operations] root-servers.net TTLs (Was: How much trouble am in in on May 5?)

Doug Barton dougb at dougbarton.us
Sun May 9 20:40:41 UTC 2010

So, just to get back to my actual, main point for a second (sorry I'm
being obtuse):

It makes no sense that the TTL values IN THE ROOT ZONE for the address
records of [a-m].root-servers.net are different from the TTLs for the
same records in the root-servers.net zone and the root.hints file.

If someone wants to demonstrate that there is somehow utility in this
please do it sooner than later, since otherwise I plan to file a trouble
ticket with IANA.

Now, moving on ...

On 05/06/10 11:12, George Barwood wrote:
> ----- Original Message ----- From: "Doug Barton"
>> And of course this all circles back to my previous question, what
>> possible value could 41+day TTLs have for the A records given that
>> the . NS records are only 6 days?
> There is value in this set-up.
> When the NS RRset is sent, if the response size is restricted,

Less and less true over time.

> not all the A and AAAA records may be included.
> That means missing records may have to be fetched separately, so
> caching them for longer is good.

Um, so what? You only need one valid address for a priming query, and in
a query for ". ns" I get back all of the addresses for a-j in a 500 byte
response, including 4 AAAAs. If I add +dnssec I get ALL the address
records in an 800 byte response (but of course, I have working EDNS).

I understand the rationale for what you're suggesting, but it's a
pointless nano-optimization.

> Using a relatively short TTL for the NS records means the name
> servers can be re-configured relatively quickly, using a long/very
> long TTL for the A/AAAA records is fine, because if necessary any
> emergency re-configuration can be done by changing the NS RRset.

There are numerous holes in this logic, the biggest 2 of which are:
A) 6 days (or 3 days for the theoretical average site, if you prefer) is
still a long time. In the event of an actual emergency the mitigation
strategy is far more likely to involve other solutions anyway, but more
B) Which has changed more often over time, the NS set, or the address

My vote personally would be for the address and NS records to use the
same TTL for both RRs; that the TTL for the NS records in the root,
root.hints, and ARPA zones match; that the TTLs for the address records
in the root, root-servers.net, and root.hints match; and that the value
be closer to 6 days than 42 ... but this could all just be my OCD talking.

> This becomes more significant if root-servers.net were to be signed,
> as in that case the signed A/AAAA records would not fit in a 1500
> byte internet MTU packet.

DNSSEC implies EDNS, and we've now given people an actual motivation to
make sure that EDNS and TCP work. :)



	... and that's just a little bit of history repeating.
			-- Propellerheads

	Improve the effectiveness of your Internet presence with
	a domain name makeover!    http://SupersetSolutions.com/
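The consistency check Doug is asking for (do the address records of [a-m].root-servers.net carry the same TTL in the root zone, the root-servers.net zone and root.hints?) is easy to automate once the three sources are in zone-file form. The following is an added example, not code from the post or from any operator; the record sets, TTLs and addresses it contains are constructed sample data (RFC 5737/3849 documentation addresses, and TTLs of 3600000 and 518400 seconds, i.e. roughly 41.7 and 6 days, mirroring the values discussed above), not live data. It parses each source, keys every A/AAAA/NS record by owner, type and rdata, and reports any record whose TTL differs between sources.

```python
"""Compare the TTLs of the same A/AAAA/NS records across several zone-file
sources (root zone glue, root-servers.net zone, root.hints) and report
mismatches.  Added example; all data below is constructed, not live."""
import re
from collections import defaultdict

# Minimal zone-file line parser: "owner TTL IN type rdata" (comments stripped).
ZONE_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>A|AAAA|NS)\s+(?P<rdata>\S+)"
)


def parse_zone(text):
    """Return {(owner, type, rdata): ttl} for every A/AAAA/NS line in text."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop ';' comments and blanks
        if not line:
            continue
        m = ZONE_LINE.match(line)
        if m:
            key = (m["owner"].lower(), m["type"], m["rdata"].lower())
            records[key] = int(m["ttl"])
    return records


def ttl_mismatches(sources):
    """sources: {source_name: zone_text}.

    Return a sorted list of (record_key, {source_name: ttl}) for every record
    that appears in two or more sources with differing TTLs."""
    seen = defaultdict(dict)
    for name, text in sources.items():
        for key, ttl in parse_zone(text).items():
            seen[key][name] = ttl
    return [(key, ttls) for key, ttls in sorted(seen.items())
            if len(ttls) > 1 and len(set(ttls.values())) > 1]


def describe(mismatches):
    """Render mismatches as one human-readable line each, TTLs in days."""
    lines = []
    for (owner, rtype, rdata), ttls in mismatches:
        detail = ", ".join(f"{src}={ttl}s ({ttl / 86400:.1f}d)"
                           for src, ttl in ttls.items())
        lines.append(f"{owner} {rtype} {rdata}: {detail}")
    return lines


# Constructed sample data (placeholder addresses; only two servers shown).
ROOT_ZONE = """
.                      518400 IN NS   a.root-servers.net.
.                      518400 IN NS   b.root-servers.net.
a.root-servers.net.   3600000 IN A    192.0.2.4        ; glue, ~41.7 days
a.root-servers.net.   3600000 IN AAAA 2001:db8::4
b.root-servers.net.   3600000 IN A    192.0.2.5
"""

ROOT_SERVERS_ZONE = """
a.root-servers.net.    518400 IN A    192.0.2.4        ; ~6 days
a.root-servers.net.    518400 IN AAAA 2001:db8::4
b.root-servers.net.    518400 IN A    192.0.2.5
"""

ROOT_HINTS = """
.                      518400 IN NS   a.root-servers.net.
.                      518400 IN NS   b.root-servers.net.
a.root-servers.net.    518400 IN A    192.0.2.4
a.root-servers.net.    518400 IN AAAA 2001:db8::4
b.root-servers.net.    518400 IN A    192.0.2.5
"""

SOURCES = {
    "root zone": ROOT_ZONE,
    "root-servers.net zone": ROOT_SERVERS_ZONE,
    "root.hints": ROOT_HINTS,
}


def check_sources():
    """Run the comparison over the constructed sample sources."""
    return ttl_mismatches(SOURCES)


if __name__ == "__main__":
    for line in describe(check_sources()):
        print(line)
```

Against the constructed data the NS records agree everywhere and only the three address records are flagged, each showing 3600000s in the root zone against 518400s in the other two sources. To run it against real data, replace the three string constants with the output of a zone transfer or of `dig` for the relevant names, keeping the same one-record-per-line format.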
