On 2022-08-03 15:27, Bob Harold wrote:
> I think the best way to soften the effect, and make DNSSEC much less brittle, without losing any of the security, is to reduce the TTL of the DS record in the parent zone (usually TLDs) drastically - from 2 days to like 30 minutes. That allows quick recovery from a failure. I realize that will cause an increase in DNS traffic, and I don't know how much of an increase, but the 24-48 hour TTL of the DS record is the real down-side of DNSSEC, and why it is taking me so long to try to develop a bullet-proof process before signing my zones.
These days, companies of all sizes are using ultra-short TTLs of 60s (and I've seen less) for all sorts of "fail-over" mechanisms and load-balancing schemes.
One more should *in theory* not matter much. Personally, I'm not too happy about short TTLs. This trend is likely significantly undermining the stability and redundancy of the internet as a whole already.
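An added illustration of the point Bob raises, not code from the thread or from ISC: a toy timeline model of a few validating resolvers, showing why the TTL of the DS RRset in the parent zone (set by the parent operator, not by the child) bounds how long a zone with broken signatures stays unresolvable once the operator gets the DS withdrawn to recover. All times, cache ages and the outage scenario are constructed; real resolvers only re-query on demand and may also cache SERVFAIL briefly, so this is an upper bound on the mechanics, not a measurement.

```python
# Added example (constructed scenario), not code from the bind-users thread.
# Models what a validating resolver concludes about a child zone whose
# signatures have broken, before and after the parent removes the DS record.
# All times are in seconds relative to the moment signing broke.

DAY = 24 * 3600
MINUTE = 60


def has_ds(now, ds_fetched_at, ds_ttl, ds_removed_at):
    """Does a resolver hold (or re-obtain) a DS for the child zone at `now`?

    A cached DS is used until its TTL expires. After expiry the resolver asks
    the parent again: if the DS RRset is still published it gets a fresh copy;
    if it was removed it learns (via the parent's signed denial of existence)
    that the delegation is now insecure. ds_removed_at=None: never withdrawn.
    """
    if now < ds_fetched_at + ds_ttl:
        return True  # still cached, so the removal is not yet visible here
    return ds_removed_at is None or now < ds_removed_at


def outcome(now, ds_fetched_at, ds_ttl, ds_removed_at, broken_since):
    """Validation result for one resolver: 'secure', 'bogus' (SERVFAIL) or 'insecure'."""
    if not has_ds(now, ds_fetched_at, ds_ttl, ds_removed_at):
        return "insecure"  # no DS: unsigned answers are accepted again
    if broken_since is not None and now >= broken_since:
        return "bogus"  # DS says the zone is signed, signatures do not verify
    return "secure"


def recovery_time(ds_ttl, ds_removed_at, last_fetch_before_removal):
    """When the unluckiest resolver (DS fetched just before removal) resolves again."""
    return max(ds_removed_at, last_fetch_before_removal + ds_ttl)


def outage_hours(ds_ttl, broken_since, ds_removed_at):
    """Worst-case hours of SERVFAIL, from the break until the last resolver recovers."""
    worst = recovery_time(ds_ttl, ds_removed_at, ds_removed_at - 1)
    return (worst - broken_since) / 3600


# Constructed scenario: signing breaks at t=0; the operator notices and gets
# the parent to pull the DS two hours later. Four resolvers fetched the DS at
# different moments, the last one a second before it was withdrawn.
BROKEN_AT = 0
DS_REMOVED_AT = 2 * 3600
FETCH_TIMES = [-20 * 3600, -3600, -5 * MINUTE, DS_REMOVED_AT - 1]


def servfail_counts(ds_ttl, samples):
    """How many of the modelled resolvers still return SERVFAIL at each sample time."""
    return [
        sum(outcome(t, f, ds_ttl, DS_REMOVED_AT, BROKEN_AT) == "bogus" for f in FETCH_TIMES)
        for t in samples
    ]


if __name__ == "__main__":
    samples = [1 * 3600, 3 * 3600, 6 * 3600, 1 * DAY, 2 * DAY + 3 * 3600]
    for ttl, label in [(2 * DAY, "DS TTL 2 days "), (30 * MINUTE, "DS TTL 30 min ")]:
        print(label, servfail_counts(ttl, samples),
              f"worst-case outage {outage_hours(ttl, BROKEN_AT, DS_REMOVED_AT):.1f} h")
```

With a two-day DS TTL the resolver that refreshed the DS just before it was pulled keeps failing for the full two days after the fix, so the outage is about 50 hours; with a 30-minute TTL the same resolver recovers within half an hour of the withdrawal, about 2.5 hours after the break. Nothing the child zone does to its own DNSKEY or RRSIG TTLs changes this window, which is why the parent's DS TTL is the figure that matters here.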
--
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users