>>>>> "RB" == Richard Barnes <[email protected]> writes:
RB> So short TTLs are the only tool you have.

And that really ought to be sufficient.

It is not at all uncommon to have TTLs as low as an hour or even a minute for some RRs without any significant impact on the DNS servers. And even if it is for a TLS server which gets so much traffic that a short DNS TTL would have a noticeable impact on the hardware or net pipes, that still will be *dwarfed* by the TLS load and traffic.

Some sites, typically those with very small or expensive pipes, may (try to) force their caching resolvers to recheck less often than the TTLs. But even they tend to cache for no more than a day or two.

And there is the option to use a type 2 with one's own CA, CRL, OCSP et al if that is more comfortable.

-JimC
-- 
James Cloos <[email protected]>         OpenPGP: 1024D/ED7DAEA6

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
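The argument above, that the TLSA TTL (or a resolver's own minimum-TTL clamp) bounds how long a withdrawn association stays usable, and that a usage 2 record with one's own CA moves revocation back to CRL/OCSP, can be worked through as a small simulation. This is an added example, not code from the thread or from any DANE implementation: the certificates are constructed byte strings rather than real DER, only selector 0 / matching type 1 is modelled, chain signature checks are assumed to pass, and the times (cache fill at second 10, compromise at second 1000, TTL 3600) are chosen for illustration.

```python
"""Added illustration of how a DNS TTL bounds the revocation window for
DANE usage 3 (DANE-EE), and how usage 2 (DANE-TA) with a private CA does
not depend on the cache at all.  Simplified model of RFC 6698 matching;
all certificates, records and timings are constructed for the example."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 cert; `der` is constructed bytes, not real DER."""
    name: str
    der: bytes
    issuer: Optional[str] = None   # name of the issuing cert, if any


@dataclass(frozen=True)
class TLSA:
    usage: int     # 2 = DANE-TA (trust anchor), 3 = DANE-EE (end entity)
    selector: int  # 0 = full certificate (the only selector modelled here)
    mtype: int     # 1 = SHA-256
    data: str      # hex digest


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tlsa_for(cert: Cert, usage: int) -> TLSA:
    """Build the TLSA association data for a cert (selector 0, SHA-256)."""
    return TLSA(usage, 0, 1, sha256_hex(cert.der))


def present(rr: TLSA, ttl: int) -> str:
    """Zone-file presentation of the record with the chosen TTL."""
    return f"_443._tcp.example.com. {ttl} IN TLSA {rr.usage} {rr.selector} {rr.mtype} {rr.data}"


class Zone:
    def __init__(self, ttl: int):
        self.ttl = ttl
        self.rrset: List[TLSA] = []

    def publish(self, *rrs: TLSA) -> None:
        self.rrset = list(rrs)


class Resolver:
    """Caching resolver.  `min_ttl` models a site that forces its cache to
    hold records longer than the authoritative TTL (the 'day or two' case)."""
    def __init__(self, zone: Zone, min_ttl: int = 0):
        self.zone, self.min_ttl = zone, min_ttl
        self.cache: List[TLSA] = []
        self.expires = -1

    def lookup(self, now: int) -> List[TLSA]:
        if now >= self.expires:                      # cache miss or expired
            self.cache = list(self.zone.rrset)
            self.expires = now + max(self.zone.ttl, self.min_ttl)
        return self.cache


def dane_accepts(chain: List[Cert], rrset: List[TLSA], revoked: Set[str]) -> bool:
    """chain[0] is the end-entity cert, chain[1:] its issuers.  Signature
    verification is assumed to succeed (not modelled)."""
    ee = chain[0]
    for rr in rrset:
        if rr.selector != 0 or rr.mtype != 1:
            continue
        if rr.usage == 3 and rr.data == sha256_hex(ee.der):
            return True                  # DANE-EE: no PKIX, no CRL/OCSP
        if rr.usage == 2:
            ta_ok = any(rr.data == sha256_hex(c.der) for c in chain[1:])
            chain_ok = all(chain[i].issuer == chain[i + 1].name
                           for i in range(len(chain) - 1))
            unrevoked = not any(c.name in revoked for c in chain)
            if ta_ok and chain_ok and unrevoked:
                return True              # DANE-TA: revocation still applies
    return False


# Constructed scenario: OLD's key is compromised at COMPROMISE_AT.
CA = Cert("own-ca", b"constructed CA certificate bytes")
OLD = Cert("server-old", b"constructed old server certificate", issuer="own-ca")
NEW = Cert("server-new", b"constructed new server certificate", issuer="own-ca")
CACHE_AT, COMPROMISE_AT, TTL = 10, 1000, 3600


def dane_ee_window(min_ttl: int = 0) -> int:
    """Usage 3: first second at which a resolver that cached at CACHE_AT
    stops accepting OLD after the zone was switched to NEW at COMPROMISE_AT."""
    zone = Zone(TTL)
    zone.publish(tlsa_for(OLD, 3))
    res = Resolver(zone, min_ttl)
    res.lookup(CACHE_AT)
    zone.publish(tlsa_for(NEW, 3))       # operator's reaction at COMPROMISE_AT
    t = COMPROMISE_AT
    while dane_accepts([OLD], res.lookup(t), set()):
        t += 1
    return t


def dane_ta_window() -> int:
    """Usage 2 with own CA: same timeline, but OLD is revoked via CRL and the
    cached TLSA (clamped to a day) never needs to change."""
    zone = Zone(TTL)
    zone.publish(tlsa_for(CA, 2))
    res = Resolver(zone, min_ttl=86400)
    res.lookup(CACHE_AT)
    revoked = {OLD.name}
    t = COMPROMISE_AT
    while dane_accepts([OLD, CA], res.lookup(t), revoked):
        t += 1
    return t


def dane_ta_accepts_new() -> bool:
    """The replacement cert validates against the same cached usage 2 record."""
    return dane_accepts([NEW, CA], [tlsa_for(CA, 2)], {OLD.name})


if __name__ == "__main__":
    print(present(tlsa_for(OLD, 3), TTL))
    print("usage 3, honest cache   -> OLD rejected at t =", dane_ee_window())
    print("usage 3, 1-day clamp    -> OLD rejected at t =", dane_ee_window(86400))
    print("usage 2 + CRL, 1-day clamp -> OLD rejected at t =", dane_ta_window())
```

With an honest resolver the compromised cert dies at CACHE_AT + TTL (second 3610); a site clamping to a day stretches that to second 86410, which is the "no more than a day or two" bound the post accepts. Under usage 2 the CRL entry takes effect at the moment of compromise regardless of what the resolver has cached, at the cost of running one's own CA and revocation infrastructure.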
