Hi Rubens,
Thanks for being on the ball and keeping an eye out for anomalies in the
various DNS zones.
There is an operational reason to have the TTLs low; the good thing is
that it is completely temporary, and by the time you get this those TTLs
will be back to normal everyday values.
ICANN manages a rather large domain portfolio, including in-addr.arpa.
Over the last 4 months we have been working rather hard on migrating to a
new set of DNSSEC signing infrastructure. The move to the new DNSSEC kit
meant we couldn't export/import the keys from the old hardware security
modules (HSMs).
So we had to roll the KSKs for a huge slab of zones, in-addr.arpa being
one. The downside to this particular key roll is the necessity to leave
the TTLs at the lower value, for longer than we planned, to allow the
administrative process of updating the DS records for in-addr.arpa in the
parent to take its course.
We are actually thinking, if there is interest, of sharing our experiences
at the Montreal DNS-OARC workshop.
Kind regards,
Mauricio
On 20150715, 8:45, dns-operations on behalf of Rubens Kuhl
dns-operations-boun...@dns-oarc.net on behalf of rube...@nic.br wrote:
% dig @a.in-addr-servers.arpa. 12.in-addr.arpa. ns
...
12.in-addr.arpa. 5 IN NS cmtu.mt.ns.els-gms.att.net.
12.in-addr.arpa. 5 IN NS dbru.br.ns.els-gms.att.net.
12.in-addr.arpa. 5 IN NS cbru.br.ns.els-gms.att.net.
12.in-addr.arpa. 5 IN NS dmtu.mt.ns.els-gms.att.net.
% dig @b.in-addr-servers.arpa. 1.in-addr.arpa. ns
1.in-addr.arpa. 5 IN NS ns1.apnic.net.
1.in-addr.arpa. 5 IN NS ns2.lacnic.net.
1.in-addr.arpa. 5 IN NS ns3.apnic.net.
1.in-addr.arpa. 5 IN NS ns4.apnic.net.
1.in-addr.arpa. 5 IN NS sec1.authdns.ripe.net.
1.in-addr.arpa. 5 IN NS apnic1.dnsnode.net.
1.in-addr.arpa. 5 IN NS tinnie.arin.net.
200.in-addr.arpa. 5 IN NS sec1.authdns.ripe.net.
200.in-addr.arpa. 5 IN NS ns-lacnic.nic.mx.
200.in-addr.arpa. 5 IN NS ns3.afrinic.net.
200.in-addr.arpa. 5 IN NS a.arpa.dns.br.
200.in-addr.arpa. 5 IN NS ns.lacnic.net.
200.in-addr.arpa. 5 IN NS sec3.apnic.net.
200.in-addr.arpa. 5 IN NS ns2.lacnic.net.
200.in-addr.arpa. 5 IN NS tinnie.arin.net.
;; Received 256 bytes from 2001:67c:e0::1#53(2001:67c:e0::1) in 225 ms
I tried to think of operational reasons to keep TTLs so low for these
resources but couldn't think of anything... any ideas?
Rubens
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs