To: Randy Bush <randy@psg.com>
Cc: Roy Arends <Roy.Arends@nominum.com>, Wesley Griffin <wgriffin@tislabs.com>, Dan Massey <masseyd@isi.edu>, <dnssec@cafax.se>
From: Roy Arends <Roy.Arends@nominum.com>
Date: Sat, 7 Jul 2001 19:23:08 +0200 (CEST)
Delivery-Date: Sun Jul 8 21:41:15 2001
In-Reply-To: <E15IvTg-0004YZ-00@rip.psg.com>
Sender: owner-dnssec@cafax.se
Subject: Re: SSH keys in DNS
On Sat, 7 Jul 2001, Randy Bush wrote:

> > Sorry to burst this again, but this is a standard rollover issue. Whenever
> > you roll a keyset over, take the TTL into account, i.e. wait for a certain
> > amount of time before obsoleting the old key. If one is concerned with
> > emergency key rollovers, always advertise a key with TTL=0.
>
> fyi, research shows that ttls of non-ns rrs is not important to overall dns
> traffic load. ns rr ttls do affect dns performance.

Okay. Interesting. Are there some pointers available?

Anyway, I _was_ talking about non-ns rrs, I referred to key rrs. The issue
here is that there is no revocation mechanism for keys, so when one is
concerned about emergencies, state in some policy doc what the length of a
key-sig delta and ttl should be.

> i suspect that, should dnssec become widely deployed, we will see similar
> results for dnssec rrs associated ns rrs.

Is this wrt DS (or key@parent)? I can see the similarities. But not for
non-zone-keys though.

> so be careful with advice to turn down ttls, at least advise when to
> turn them back up.

Regards

Roy Arends
Nominum