[dns-resolver-tf] Draft Minutes - DNS Resolver Best Common Practice Task Force - 8 August 2023

Dear TF members,
 
Here are the minutes from our seventh call.
 
Cheers,
Boris 
 
***
 
Tuesday, 8 August 2023 17:00 (UTC+2)
 
Attendees: Marteen Aertsen, Shane Kerr, Andronikos Kyriakou, Tim Wicinski
 
Scribe: Boris Duval 


1.  Recommended Knobs Settings 
The Task Force discussed recommendations for specific DNS settings:
https://github.com/DNS-Resolver-BCP-TF/Resolver-Recommendations/issues/10

Here’s a summary:

DNSSEC Validation:
·       Recommended enabling DNSSEC validation.
·       Negative caching (NSEC, NSEC3) reduces traffic, safeguards against random subdomain attacks (RFC 8198).
·       Root KSK update essential; RFC 5011 or resolver operator for updates via OS.
·       Valuable material in RFC9364 for DNSSEC operations.
TTL Limits (max & min):
·       Software default TTL of 1-2 days; potential reduction for cache size.
·       Lower TTL removes infrequently-used records, minimal operational impact, memory savings.
·       Some implementations allow minimum TTL, though a DNS protocol violation.
·       Software can set differing max/min TTL, impacting queries.
TTL Record Pre-fetch:
·       Certain resolvers prefetch records before cache expiration to extend TTL.
·       Feature not standardized; related proposal: https://datatracker.ietf.org/doc/html/draft-wkumari-dnsop-hammer-03
·       Recommended enabling if available. 
Cache Saving:
·       Exploring downsides; input sought from implementors, DNS OARC list.
Local Root (and maybe local TLD?):
·       Beneficial to use local root (RFC8806).
·       Not applicable to most TLDs due to frequent changes.

Shane offered to develop these notes and come up with a first draft.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/dns-resolver-tf/attachments/20230824/8255a1cc/attachment-0001.html>