Also see thread starting at:
http://darkwing.uoregon.edu/~llynch/dnsop/msg03465.html
Ed was the last to reply to Olaf's comments.
> >>
> >> # o We suggest the minimum zone TTL to be long enough to both fetch
> >> # and verify all the RRs in the authentication chain. A low TTL
> >> # could cause two problems:
> >> # 1. During validation, some data may expire before the
> >> # validation is complete. The validator should be able to keep
> >> # all data, until is completed. This applies to all RRs needed
> >> # to complete the chain of trust: DSs, DNSKEYs, RRSIGs, and the
> >> # final answers i.e. the RR set that is returned for the initial
> >> # query.
> >> # 2. Frequent verification causes load on recursive nameservers.
> >> # Data at delegation points, DSs, DNSKEYs and RRSIGs benefit from
> >> # caching. The TTL on those should be relatively long.
> >>
> >> A low TTL has been demonstrated in workshops to be detrimental. (Not a
> >> "could.") Even in a close-in workshop, TTL's of under 5 or 10 minutes
> >> disrupted operations. In the wide Internet, the floor of the TTL will
> >> have to be much higher.
> >
> >Do we have a reference to the minutes of these workshops? If not I
> >propose to start the above paragraph with:
> >
> >
> > o We suggest the minimum zone TTL to be long enough to both fetch
> > and verify all the RRs in the authentication chain. In workshop
> > environments it has been demonstrated [E.Lewis: private
> > communication] that a low TTL (under 5 to 10 minutes) caused
> > disruptions because of the following two problems:
>
> We should locate notes...or use the WG list as reference. (Usually
> docs don't explicitly reference the list of a WG, they indicate that
> the doc is a product of a WG.)

I've found:

Scott Rose, "NIST DNSSEC workshop notes". Minutes of a DNSSEC workshop at
NIST North Campus - Gaithersburg MD, June 26-27, 2001.
http://www.cafax.se/dnssec/maillist/0000-00/msg00153.html

So I propose the above text with, instead of "[E.Lewis: private
communication]", a reference to the minutes mentioned above.

-- Olaf
---------------------------------| Olaf M. Kolkman
---------------------------------| RIPE NCC
---------------------------------| JID: olaf at jabber.secret-wg.org