Edward Lewis wrote:
This covers a lunch time discussion about whether EPP ought to include a TTL in the request to add a DS record. (No offense to those who want DNSKEY - that's a different issue.) Before launching into the specifics of the TTL of the DS RR, here's a preamble about the issue with respect to the NS RR - which has been known for some time but little discussed. It's here to set context.

I am of two minds about this issue as well.

On one hand, the DS is the parent's data, and thus is allowed to set the TTL to whatever it wants.

On the other hand, the child has a vested interest in the length of the TTL because it factors into the time-to-recover from a SEP key compromise.

On one hand, the DNSSEC documents say this (protocol-09, section 2.4):

   The TTL of a DS RRset SHOULD match the TTL of the delegating NS RRset
   (that is, the NS RRset from the same zone containing the DS RRset).

On the other hand, I'm not sure that this advice makes much sense.

--
David Blacka    <[EMAIL PROTECTED]>
Sr. Engineer    VeriSign Applied Research
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html