Dear colleagues,

Users may request reverse DNS delegation by creating "domain" objects in
the RIPE Database. Such domain objects must contain "nserver" attributes
to specify the name servers for a reverse DNS zone, and may contain
"ds-rdata" attributes to specify delegation signer (DS) records.

When the RIPE NCC publishes these records in the appropriate parent
zones, the Time to Live (TTL) of all these records is set to 172800
seconds (two days).

The TTL of delegation NS records may be overridden by the TTL of the NS
records at the zone's apex. In addition, many large resolvers ignore
the TTL values of NS records and cap them at much lower values, such as
21600. Finally, there is no way for a zone operator to change the TTL of
a DS record, which is only present in the parent zone.

Long TTLs can cause problems for users when they want to change their
name servers or perform DNSSEC key roll-overs. A long TTL on a DS record
is especially harmful when a user needs to do a key roll-over in an
emergency.

We propose to lower, in the first quarter of 2022, the TTL on NS records
to 86400 and on DS records to 3600.

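To make the current and proposed values concrete, here is an added Python example (not part of this announcement and not RIPE NCC tooling) that checks delegation NS and DS records against the proposed limits and estimates how long stale delegation data can remain cached; the dig-style record format, the sample zone names and the resolver model in worst_case_ns_change_seconds are assumptions.

```python
from collections import defaultdict

# Proposed maximum TTLs from the announcement, in seconds.
PROPOSED_MAX_TTL = {"NS": 86400, "DS": 3600}

# Constructed sample of parent-zone delegation records (dig-style presentation
# format, RFC 5737 documentation prefix, fake DS digests).
SAMPLE = """\
2.0.192.in-addr.arpa. 172800 IN NS ns1.example.net.
2.0.192.in-addr.arpa. 172800 IN NS ns2.example.net.
2.0.192.in-addr.arpa. 172800 IN DS 12345 13 2 DEADBEEF
3.0.192.in-addr.arpa. 86400 IN NS ns1.example.org.
3.0.192.in-addr.arpa. 3600 IN DS 54321 13 2 CAFEF00D
"""

def parse_records(text):
    """Parse '<owner> <ttl> IN <type> <rdata>' lines into (owner, ttl, type, rdata)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            owner, ttl, _cls, rtype, rdata = line.split(None, 4)
            records.append((owner.lower(), int(ttl), rtype.upper(), rdata))
    return records

def ttl_by_zone(records):
    """Map each delegated zone to the largest NS and DS TTL published for it."""
    out = defaultdict(dict)
    for owner, ttl, rtype, _ in records:
        if rtype in PROPOSED_MAX_TTL:
            out[owner][rtype] = max(ttl, out[owner].get(rtype, 0))
    return dict(out)

def over_limit(records):
    """(zone, type, ttl) for every delegation record above the proposed maximum."""
    return sorted((zone, rtype, ttl)
                  for zone, ttls in ttl_by_zone(records).items()
                  for rtype, ttl in ttls.items() if ttl > PROPOSED_MAX_TTL[rtype])

def worst_case_ds_rollover_seconds(records, zone):
    """Seconds a resolver may keep validating with an old DS after an emergency
    KSK roll-over; the DS lives only in the parent, so the child cannot shorten it."""
    return ttl_by_zone(records).get(zone, {}).get("DS", 0)

def worst_case_ns_change_seconds(delegation_ttl, apex_ttl, resolver_cap=None):
    """Seconds a resolver may keep an old NS set: it may honour the parent's delegation
    TTL or the child's apex TTL (take the larger), then cap it (assumed model)."""
    worst = max(delegation_ttl, apex_ttl)
    return min(worst, resolver_cap) if resolver_cap else worst
```

Running over_limit on the sample flags only the first zone, whose 172800-second NS and DS records exceed the proposed 86400 and 3600 limits.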
We welcome feedback or discussion about this, ideally via the DNS
Working Group mailing list. If you prefer to send your feedback directly
to us, you can email [email protected].

Regards,

Anand Buddhdev
RIPE NCC