

To: Howard Eland <heland@afilias.info>
CC: James Gould <jgould@verisign.com>, EPP Provreg <ietf-provreg@cafax.se>
From: Olafur Gudmundsson <ogud@ogud.com>
Date: Tue, 16 Feb 2010 14:53:13 -0500
In-Reply-To: <3FB47A22-B7D2-47AB-B739-652A1ABAB19D@afilias.info>
Sender: owner-ietf-provreg@cafax.se
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.7) Gecko/20100111 Thunderbird/3.0.1
Subject: Re: [ietf-provreg] Re: draft-gould-rfc4310bis-04.txt Submitted for Review

On 16/02/2010 1:00 PM, Howard Eland wrote:
> Hi James,
>
> Thanks for the ping about this issue.
>
> Transfers (specifically, those that involve changes to a DNS provider)
> are a complex issue, and are of a much bigger scope than what we can
> accomplish in 4310-bis. For a transfer involving glue (in which the IP
> address of the glue record would change), there is the issue of TTL on
> the glue record. Regardless of how well a registrant turns down the TTL
> for the RS and RRSIG records, it will still be subject to glue TTL,
> which, as I mentioned, is out of scope for us. Thus, the ability to set
> the TTL on DS and RRSIGs is not sufficient to ensure a smooth transfer.
>
> There is also the ability for registrars (or registrants, through their
> registrar GUI) to misuse the TTL value. I would not want to see a TTL of
> 0, nor would I want to see $HUGE_VAL. In fact, short DS and RRSIG TTLs
> could cause an inordinate amount of queries to hit the parent name
> server, resulting in amplification attacks. This could, of course, be
> controlled by server policy, but that policy may hinder the ability of
> the registrant to turn down the TTL, which defeats the purpose.

Howard,
as you mention above, this is a big issue.
While I'm sympathetic to your concerns about a possible flood of DS
questions, that would only take place if the DNSKEY in the child also
had a small TTL and the child was a popular domain :-)

My suggestion is that each parent set a reasonable default and
a floor on how low the TTL can be set; the child would be allowed to
select a TTL between these two numbers.
	
	Olafur

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
List run by majordomo software.  For (Un-)subscription and similar details
send "help" to ietf-provreg-request@cafax.se

