Re: [dnsext] TTL on DS records
Olafur Gudmundsson <ogud@ogud.com> Sun, 22 February 2015 01:42 UTC
Return-Path: <ogud@ogud.com>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E9E41A0196 for <dnsext@ietfa.amsl.com>; Sat, 21 Feb 2015 17:42:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.799
X-Spam-Level:
X-Spam-Status: No, score=0.799 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1vGw6U5gomqG for <dnsext@ietfa.amsl.com>; Sat, 21 Feb 2015 17:42:41 -0800 (PST)
Received: from smtp91.ord1c.emailsrvr.com (smtp91.ord1c.emailsrvr.com [108.166.43.91]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E05E81A0191 for <dnsext@ietf.org>; Sat, 21 Feb 2015 17:42:41 -0800 (PST)
Received: from smtp20.relay.ord1c.emailsrvr.com (localhost.localdomain [127.0.0.1]) by smtp20.relay.ord1c.emailsrvr.com (SMTP Server) with ESMTP id 2A710800F0; Sat, 21 Feb 2015 20:42:41 -0500 (EST)
Received: by smtp20.relay.ord1c.emailsrvr.com (Authenticated sender: ogud-AT-ogud.com) with ESMTPSA id E32AC800D0; Sat, 21 Feb 2015 20:42:39 -0500 (EST)
X-Sender-Id: ogud@ogud.com
Received: from [10.20.30.43] (pool-74-96-189-180.washdc.fios.verizon.net [74.96.189.180]) (using TLSv1 with cipher DHE-RSA-AES256-SHA) by 0.0.0.0:465 (trex/5.4.2); Sun, 22 Feb 2015 01:42:41 GMT
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
From: Olafur Gudmundsson <ogud@ogud.com>
In-Reply-To: <20150221205034.GT13877@mx1.yitter.info>
Date: Sat, 21 Feb 2015 20:42:38 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <8025FA20-9C5D-4CB9-9A6F-C43080C35229@ogud.com>
References: <FB3C26C9-BC39-4819-9BE8-167E2A3711B7@verisign.com> <54E862FF.1080808@blipp.com> <CFE90DD0-9AD1-469F-8272-20C9443056FD@frobbit.se> <20150221122103.GJ13877@mx1.yitter.info> <20150221191934.GA43112@PorcupineTree.Speedport_W_724V_01011601_00_009> <20150221205034.GT13877@mx1.yitter.info>
To: Andrew Sullivan <ajs@anvilwalrusden.com>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsext/96E4NqQxlUTIlyJYWu7Czw3EOkM>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] TTL on DS records
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Feb 2015 01:42:44 -0000
> On Feb 21, 2015, at 3:50 PM, Andrew Sullivan <ajs@anvilwalrusden.com> wrote: > > On Sat, Feb 21, 2015 at 08:19:34PM +0100, Ralf Weber wrote: >> I don't see how this will increase latency of page loading. Most >> recursive resolvers these day do pre fetching for often used records >> and if the record isn't in the cache the difference in latency comes >> from validation anyway. > > Well, this could be, but if you're validating, reducing the TTL on the > DS automatically entails a lookup as frequently as the DS. Now of > course, if browsers are doing this validation themselves (and not > relying on the system validator), they might pin anyway. No Andrew it effectively is the MAX( DS TTL, DNSKEY TTL) and with prefetching you can compare existing records to the new ones thus avoid validation. In most cases there is plenty of headroom for calculations so I think we should be thinking about what is good for the internet. Long TTL’s are good for unstable networks, Short TTL meet customers expectations. > >> I think we need to move away from TTLs in the days or even week range >> to TTLs that are in the hours range. > > What do you mean _we_? Your zone, your rules. That's part of why I'm > objecting to parents having very short DS TTLs: it affects what the > child's cache behaviour is like, and we have historically supposed > that zone administrators have pretty good control over that for their > own zones. If the parent side TTL gets short, then setting the TTL on > the child side isn't the only thing one can do to affect caching. > That seems like a pretty big change to the operational environment. Not putting words in Ralph’s mouth, but I agree with him. Long TTL are artifacts of decisions taken long time ago and they need to be reexamined. > >> I think one hour is a good TTL for DNSSEC stuff. If your domain >> isn't asked once an hour in a big providers network chances are it >> would have fallen out of the cache becuse of LRU anyway during that >> time frame. > > That could be. It seems to me that without actually studying this, we > could all make up numbers. I gather that OARC is going to run another > DITL this year. Maybe that'd be something worth getting large > recursive operators involved in so that we have something to study. Yep we need to study and experiment. A simple study is to compare how much more traffic a resolver with MAXCACHE = 1H asks than one with MAXCACHE = 6H or 12H Olafur
- [dnsext] TTL on DS records Wessels, Duane
- Re: [dnsext] TTL on DS records Patrik Wallström
- Re: [dnsext] TTL on DS records Patrik Fältström
- Re: [dnsext] TTL on DS records Andrew Sullivan
- Re: [dnsext] TTL on DS records Patrik Fältström
- Re: [dnsext] TTL on DS records Eric Brunner-Williams
- Re: [dnsext] TTL on DS records Patrik Fältström
- Re: [dnsext] TTL on DS records Ralf Weber
- Re: [dnsext] TTL on DS records Andrew Sullivan
- Re: [dnsext] TTL on DS records Olafur Gudmundsson
- Re: [dnsext] TTL on DS records Andrew Sullivan
- Re: [dnsext] TTL on DS records Ralf Weber