[dns-operations] 5s TTL on IANA /8s

Mauricio Vergara mauricio.vergara at icann.org
Thu Jul 16 00:49:32 UTC 2015

Hi Rubens,

Thanks for being on the ball and keeping an eye out for anomalies in the
various DNS zones.

There is an operational reason to have the TTLs low; the good thing is
that it is completely temporary, and by the time you get this those TTLs
will be back to normal "everyday" values.

ICANN manages a rather large domain portfolio, including in-addr.arpa.
Over the last 4 months we have been working rather hard on migrating to a
new set of DNSSEC signing infrastructure. The move to the new DNSSEC kit
meant we couldn't export/import the keys from the old hardware security
modules (HSMs).

So we had to roll the KSKs for a huge slab of zones, in-addr.arpa being
one. The downside to this particular Key roll is the necessity to leave
the TTLs at the lower value, for longer than we planned, to allow the
administrative process of updating the DS records for in-addr.arpa in the
parent to take its course.

We are actually thinking, if there is interest, of sharing our experiences
at the Montreal DNS-OARC workshop.

Kind regards,


On 20150715, 8:45 , "dns-operations on behalf of Rubens Kuhl"
<dns-operations-bounces at dns-oarc.net on behalf of rubensk at nic.br> wrote:

>% dig @a.in-addr-servers.arpa. 12.in-addr.arpa. ns
>12.in-addr.arpa.    5    IN    NS    cmtu.mt.ns.els-gms.att.net.
>12.in-addr.arpa.    5    IN    NS    dbru.br.ns.els-gms.att.net.
>12.in-addr.arpa.    5    IN    NS    cbru.br.ns.els-gms.att.net.
>12.in-addr.arpa.    5    IN    NS    dmtu.mt.ns.els-gms.att.net.
>% dig @b.in-addr-servers.arpa. 1.in-addr.arpa. ns
>1.in-addr.arpa.        5    IN    NS    ns1.apnic.net.
>1.in-addr.arpa.        5    IN    NS    ns2.lacnic.net.
>1.in-addr.arpa.        5    IN    NS    ns3.apnic.net.
>1.in-addr.arpa.        5    IN    NS    ns4.apnic.net.
>1.in-addr.arpa.        5    IN    NS    sec1.authdns.ripe.net.
>1.in-addr.arpa.        5    IN    NS    apnic1.dnsnode.net.
>1.in-addr.arpa.        5    IN    NS    tinnie.arin.net.
>200.in-addr.arpa.       5       IN      NS      sec1.authdns.ripe.net.
>200.in-addr.arpa.       5       IN      NS      ns-lacnic.nic.mx.
>200.in-addr.arpa.       5       IN      NS      ns3.afrinic.net.
>200.in-addr.arpa.       5       IN      NS      a.arpa.dns.br.
>200.in-addr.arpa.       5       IN      NS      ns.lacnic.net.
>200.in-addr.arpa.       5       IN      NS      sec3.apnic.net.
>200.in-addr.arpa.       5       IN      NS      ns2.lacnic.net.
>200.in-addr.arpa.       5       IN      NS      tinnie.arin.net.
>;; Received 256 bytes from 2001:67c:e0::1#53(2001:67c:e0::1) in 225 ms
>I tried to think of operational reasons to keep TTLs so low for these
>resources but couldn't think of anything... any ideas?