To: Roy Arends <Roy.Arends@nominum.com>
Cc: Wesley Griffin <wgriffin@tislabs.com>, Dan Massey <masseyd@isi.edu>, <dnssec@cafax.se>
From: Randy Bush <randy@psg.com>
Date: Sat, 07 Jul 2001 10:02:44 -0700
Delivery-Date: Sun Jul 8 21:41:14 2001
Sender: owner-dnssec@cafax.se
Subject: Re: SSH keys in DNS
> Sorry to burst this again, but this is a standard rollover issue. Whenever
> you roll a keyset over, take the TTL into account, i.e. wait for a certain
> amount of time before obsoleting the old key. If one is concerned with
> emergency key rollovers, always advertise a key with TTL=0.

fyi, research shows that ttls of non-ns rrs are not important to overall dns traffic load. ns rr ttls do affect dns performance. i suspect that, should dnssec become widely deployed, we will see similar results for dnssec rrs associated with ns rrs.

so be careful with advice to turn down ttls; at least advise when to turn them back up.

randy