Re: [dnsext] TTL on DS records
Ralf Weber <dns@fl1ger.de> Mon, 23 February 2015 04:17 UTC
Return-Path: <dns@fl1ger.de>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FA531A0187 for <dnsext@ietfa.amsl.com>; Sun, 22 Feb 2015 20:17:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.547
X-Spam-Level: ***
X-Spam-Status: No, score=3.547 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FH_HOST_EQ_D_D_D_D=0.765, HELO_MISMATCH_NET=0.611, HOST_EQ_STATICB=1.372, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EFhutronrUUl for <dnsext@ietfa.amsl.com>; Sun, 22 Feb 2015 20:17:16 -0800 (PST)
Received: from smtp.guxx.net (static.85-10-208-173.clients.your-server.de [85.10.208.173]) by ietfa.amsl.com (Postfix) with ESMTP id 9579D1A0167 for <dnsext@ietf.org>; Sun, 22 Feb 2015 20:17:16 -0800 (PST)
Received: by nyx.guxx.net (Postfix, from userid 107) id 1E8425F40E38; Mon, 23 Feb 2015 05:17:13 +0100 (CET)
Received: from PorcupineTree.Speedport_W_724V_01011601_00_009 (p5DD46E20.dip0.t-ipconnect.de [93.212.110.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by nyx.guxx.net (Postfix) with ESMTPSA id 664B95F402D3; Mon, 23 Feb 2015 05:17:12 +0100 (CET)
Date: Mon, 23 Feb 2015 05:17:10 +0100
From: Ralf Weber <dns@fl1ger.de>
To: Andrew Sullivan <ajs@anvilwalrusden.com>
Message-ID: <20150223041710.GA43131@PorcupineTree.Speedport_W_724V_01011601_00_009>
References: <FB3C26C9-BC39-4819-9BE8-167E2A3711B7@verisign.com> <54E862FF.1080808@blipp.com> <CFE90DD0-9AD1-469F-8272-20C9443056FD@frobbit.se> <20150221122103.GJ13877@mx1.yitter.info> <20150221191934.GA43112@PorcupineTree.Speedport_W_724V_01011601_00_009> <20150221205034.GT13877@mx1.yitter.info>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20150221205034.GT13877@mx1.yitter.info>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsext/1opdTPVtmeY-NXSw5Cx7okF6WfQ>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] TTL on DS records
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Feb 2015 04:17:17 -0000
Moin! On Sat, Feb 21, 2015 at 03:50:34PM -0500, Andrew Sullivan wrote: > Well, this could be, but if you're validating, reducing the TTL on the > DS automatically entails a lookup as frequently as the DS. Now of > course, if browsers are doing this validation themselves (and not > relying on the system validator), they might pin anyway. Don't most browser validators still use at least the system stub resolvers and thus your configured recursive resolver anyway? What you describe is correct, but the lookup only has to fill the DS from the parent and nothing from the child (unless it expired of course). > > I think we need to move away from TTLs in the days or even week range > > to TTLs that are in the hours range. > > What do you mean _we_? The DNS community within the IETF (and possible other venues). > Your zone, your rules. That's part of why I'm > objecting to parents having very short DS TTLs: it affects what the > child's cache behaviour is like, and we have historically supposed > that zone administrators have pretty good control over that for their > own zones. If the parent side TTL gets short, then setting the TTL on > the child side isn't the only thing one can do to affect caching. > That seems like a pretty big change to the operational environment. Yes there may be one round trip to the parent name server when the DS expires, but you still control how often your server is asked with the TTL of your records (unless there is an attack ;-). > That could be. It seems to me that without actually studying this, we > could all make up numbers. I gather that OARC is going to run another > DITL this year. Maybe that'd be something worth getting large > recursive operators involved in so that we have something to study. You have to as in the DITL run you might not see the effect of different DS TTL because the root might not be asked in the cache refill scenario. Just one side note of personal experience running or helping people to run large resolver farms over the last 20 years. While the average TTL, especially for often used records has gone down during that time frame, the cache hit rate has gone up. These days it is not uncommon to see cache hit rates of 90% or more. So I don't think lowering the TTL of the DS record will have an impact on the cache hotness and thus performance of resolution. So long -Ralf
- [dnsext] TTL on DS records Wessels, Duane
- Re: [dnsext] TTL on DS records Patrik Wallström
- Re: [dnsext] TTL on DS records Patrik Fältström
- Re: [dnsext] TTL on DS records Andrew Sullivan
- Re: [dnsext] TTL on DS records Patrik Fältström
- Re: [dnsext] TTL on DS records Eric Brunner-Williams
- Re: [dnsext] TTL on DS records Patrik Fältström
- Re: [dnsext] TTL on DS records Ralf Weber
- Re: [dnsext] TTL on DS records Andrew Sullivan
- Re: [dnsext] TTL on DS records Olafur Gudmundsson
- Re: [dnsext] TTL on DS records Andrew Sullivan
- Re: [dnsext] TTL on DS records Ralf Weber