DNSSEC adoption
rainer at ultra-secure.de
Wed Aug 3 13:51:37 UTC 2022
On 2022-08-03 15:27, Bob Harold wrote:
> I think the best way to soften the effect, and make DNSSEC much less
> brittle, without losing any of the security, is to reduce the TTL of
> the DS record in the parent zone (usually TLDs) drastically - from 2
> days to like 30 minutes. That allows quick recovery from a failure.
> I realize that will cause an increase in DNS traffic, and I don't know
> how much of an increase, but the 24-48 hour TTL of the DS record is
> the real down-side of DNSSEC, and why it is taking me so long to try
> to develop a bullet-proof process before signing my zones.
These days, companies of all sizes are using ultra-short TTLs of 60s
(and I've seen less) for all sorts of "fail-over" mechanisms and
load-balancing schemes.
One more thing should *in theory* not matter much. Personally, I'm not
too happy about short TTLs. This trend is likely significantly
undermining the stability and redundancy of the internet as a whole
already.