

To: Roy Arends <Roy.Arends@nominum.com>
Cc: Wesley Griffin <wgriffin@tislabs.com>, Dan Massey <masseyd@isi.edu>, <dnssec@cafax.se>
From: Randy Bush <randy@psg.com>
Date: Sat, 07 Jul 2001 10:02:44 -0700
Delivery-Date: Sun Jul 8 21:41:14 2001
Sender: owner-dnssec@cafax.se
Subject: Re: SSH keys in DNS

> Sorry to burst this again, but this is a standard rollover issue. Whenever
> you roll a keyset over, take the TTL into account. i.e. wait for a certain
> amount of time before obsoleting the old key. If one is concerned with
> emergency key rollovers, always advertise a key with TTL=0.

fyi, research shows that ttls of non-ns rrs are not important to overall dns
traffic load.  ns rr ttls do affect dns performance.  

i suspect that, should dnssec become widely deployed, we will see similar
results for dnssec rrs associated with ns rrs.  so be careful with advice to turn
down ttls, at least advise when to turn them back up.

randy
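
Added example, not part of either message in this thread: a small Python model of the rollover timing discussed above, showing when a caching resolver can end up with a key RRset and a signature that no longer match. It goes slightly beyond the quoted advice by also modelling publication of the new key before signing with it. The `Rollover` fields, the three timelines and the assumption that keys and signed data share one TTL are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Rollover:
    ttl: int          # TTL (s) of both the key RRset and the signed data (assumed equal)
    publish_new: int  # new key first appears in the published keyset
    sign_new: int     # zone switches to signing with the new key
    remove_old: int   # old key is withdrawn from the keyset

def keyset_at(r, t):
    """Keys published at time t."""
    keys = set()
    if t < r.remove_old:
        keys.add("old")
    if t >= r.publish_new:
        keys.add("new")
    return keys

def signer_at(r, t):
    """Key that signs the data served at time t."""
    return "new" if t >= r.sign_new else "old"

def validation_failures(r, step=300):
    """Times at which some resolver holds a key/signature pair that cannot verify."""
    failures = []
    for now in range(0, r.remove_old + 2 * r.ttl + step, step):
        # One record may have been cached at any point in (now - ttl, now];
        # the other is fetched fresh at `now`.
        oldest = max(0, now - max(r.ttl - step, 0))
        for cached_at in range(oldest, now + 1, step):
            stale_keys = signer_at(r, now) not in keyset_at(r, cached_at)
            stale_sig = signer_at(r, cached_at) not in keyset_at(r, now)
            if stale_keys or stale_sig:
                failures.append(now)
                break
    return failures

# Constructed timelines, in seconds from an arbitrary start.
PATIENT = Rollover(ttl=3600, publish_new=3600, sign_new=7200, remove_old=10800)
HASTY = Rollover(ttl=3600, publish_new=3600, sign_new=7200, remove_old=7200)
EMERGENCY = Rollover(ttl=0, publish_new=3600, sign_new=7200, remove_old=7200)

if __name__ == "__main__":
    for name, r in [("patient", PATIENT), ("hasty", HASTY), ("ttl=0", EMERGENCY)]:
        bad = validation_failures(r)
        print(name, "ok" if not bad else f"fails from t={bad[0]} to t={bad[-1]}")
```

The model covers validation consistency only; it says nothing about the query load that a low TTL produces, which is the concern raised in the reply.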
