Re: Tips for DNS zone administration

["Eric A. Hall" <ehall@ehsco.com>]

> > * If possible, make the TTLs for the NS records for your domain as
> >   long as possible (604800 seconds--one week, is a good number).
> >   This will speed up accesses to your domain, since caches will not
> >   have to query the root servers as often before querying your name
> >   servers.
> 
> If you do remember to set it down well before any changes... I think
> that TTL's over 1-2 days should be well motivated before use.

If an authoritative DNS server does get renumbered, then full-service
resolvers which are unable to reach that server at its cached address will
flag it as unreachable, and will use the other servers which are listed as
being authoritative for the zone. In those situations, the loss of
connectivity for one of the Name Servers will likely cause some minor
hiccups, but it should not trigger any fatal errors unless zone
replication is also prevented (if all of the copies of the zone expire
because the primary master server was unreachable for an extended period
of time, major problems will definitely occur). But for lookups, large
TTLs on NS RRs are fine, since other servers will just stop querying them.

Also, the delegation glue from the gTLDs is 2 days, so the in-zone
versions of the NS *and* A RRs should definitely be at least that long (if
your zone is in one of those portions of the namespace). In other words,
the TTL of the NS (and the associated A) RRs for your in-zone list should
be longer than the parent delegation RRs. Both the NS and A RRs should
have the same TTL, otherwise deadlocks can occur.

> Instead, recommend a long expire. I've seen 1 hour in zones... A week
> or two is usually good.

Short TTLs and long expires for non-NS hosts is an excellent suggestion

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/