Re: [dnsext] TTL on DS records
Andrew Sullivan <ajs@anvilwalrusden.com> Sat, 21 February 2015 20:50 UTC
Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 673D71A6EF3 for <dnsext@ietfa.amsl.com>; Sat, 21 Feb 2015 12:50:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.559
X-Spam-Level: **
X-Spam-Status: No, score=2.559 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_MISMATCH_INFO=1.448, HOST_MISMATCH_NET=0.311] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yz5hqyX5Qvvp for <dnsext@ietfa.amsl.com>; Sat, 21 Feb 2015 12:50:51 -0800 (PST)
Received: from mx1.yitter.info (ow5p.x.rootbsd.net [208.79.81.114]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56A121A7016 for <dnsext@ietf.org>; Sat, 21 Feb 2015 12:50:37 -0800 (PST)
Received: from mx1.yitter.info (unknown [50.189.173.0]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.yitter.info (Postfix) with ESMTPSA id 2B4C88A031 for <dnsext@ietf.org>; Sat, 21 Feb 2015 20:50:36 +0000 (UTC)
Date: Sat, 21 Feb 2015 15:50:34 -0500
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsext@ietf.org
Message-ID: <20150221205034.GT13877@mx1.yitter.info>
References: <FB3C26C9-BC39-4819-9BE8-167E2A3711B7@verisign.com> <54E862FF.1080808@blipp.com> <CFE90DD0-9AD1-469F-8272-20C9443056FD@frobbit.se> <20150221122103.GJ13877@mx1.yitter.info> <20150221191934.GA43112@PorcupineTree.Speedport_W_724V_01011601_00_009>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20150221191934.GA43112@PorcupineTree.Speedport_W_724V_01011601_00_009>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsext/m4UpdCEmWgCpM8lS8TExeoNknjk>
Subject: Re: [dnsext] TTL on DS records
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Feb 2015 20:50:52 -0000
On Sat, Feb 21, 2015 at 08:19:34PM +0100, Ralf Weber wrote: > I don't see how this will increase latency of page loading. Most > recursive resolvers these day do pre fetching for often used records > and if the record isn't in the cache the difference in latency comes > from validation anyway. Well, this could be, but if you're validating, reducing the TTL on the DS automatically entails a lookup as frequently as the DS. Now of course, if browsers are doing this validation themselves (and not relying on the system validator), they might pin anyway. > I think we need to move away from TTLs in the days or even week range > to TTLs that are in the hours range. What do you mean _we_? Your zone, your rules. That's part of why I'm objecting to parents having very short DS TTLs: it affects what the child's cache behaviour is like, and we have historically supposed that zone administrators have pretty good control over that for their own zones. If the parent side TTL gets short, then setting the TTL on the child side isn't the only thing one can do to affect caching. That seems like a pretty big change to the operational environment. > I think one hour is a good TTL for DNSSEC stuff. If your domain > isn't asked once an hour in a big providers network chances are it > would have fallen out of the cache becuse of LRU anyway during that > time frame. That could be. It seems to me that without actually studying this, we could all make up numbers. I gather that OARC is going to run another DITL this year. Maybe that'd be something worth getting large recursive operators involved in so that we have something to study. A -- Andrew Sullivan ajs@anvilwalrusden.com
- [dnsext] TTL on DS records Wessels, Duane
- Re: [dnsext] TTL on DS records Patrik Wallström
- Re: [dnsext] TTL on DS records Patrik Fältström
- Re: [dnsext] TTL on DS records Andrew Sullivan
- Re: [dnsext] TTL on DS records Patrik Fältström
- Re: [dnsext] TTL on DS records Eric Brunner-Williams
- Re: [dnsext] TTL on DS records Patrik Fältström
- Re: [dnsext] TTL on DS records Ralf Weber
- Re: [dnsext] TTL on DS records Andrew Sullivan
- Re: [dnsext] TTL on DS records Olafur Gudmundsson
- Re: [dnsext] TTL on DS records Andrew Sullivan
- Re: [dnsext] TTL on DS records Ralf Weber