This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[dns-wg] Updating RIPE 203

Previous message (by thread): [dns-wg] Updating RIPE 203
Next message (by thread): [dns-wg] Updating RIPE 203

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Carsten Strotmann carsten at strotmann.de
Mon Aug 14 09:25:30 CEST 2017

Hello Tony,

Tony Finch writes:

> Serial numbers should ideally be managed automatically, so that you
> don't have to care, but ISO 8601 style is definitely the most friendly
> of the common options.
>
> The minimum/negative TTL should match the default TTL, and I agree 1
> hour is a good starting point.
>
> Regarding the refresh timer, NOTIFY should make it irrelevant, but
> there are cases like stealth secondaries where it still matters.

In about 50 % of all customer DNS setups that I've seen over the last
years, NOTIFY was not working and zone refresh was only relying on SOA
values. Of course that was because of other misconfigurations that are
out of scope of this document. For us that we work with DNS for some
time NOTIFY is "just working", but surprisingly there are many ways to
get DNS wrong enough to break NOTIFY.

> I think that batch rebuild jobs are most easy to communicate to
> colleagues if they happen hourly, so the refresh time should probably
> be 1 hour, to match. (The result is that routine updates propagate
> within an hour if things are working properly, or two hours in awkward
> cases.)

Good point.

>
> I agree with Paul that a short retry timer also makes sense, so
> recovery from failure is short. I use 15 minutes, but it is happily
> not something I have had to worry about :-)

15 minutes sounds like a good value for me as well.

>
> Novices are not expected to be responsible for DNSSEC but they might
> be looking after a zone signed by someone else. In a signed zone, the
> expiry time needs to be less than the RRSIG lifetime. A broken
> secondary should return an error (making resolvers try other,
> hopefully working, secondaries) before it returns bogus data. The
> default RRSIG lifetime (in BIND and I think other signers) is 30 days
> and records are re-signed weekly, so the default expiry time should be
> about 3 weeks (500 hours).

good point, I've missed that. We'll adjust the EXPIRE value to take the
RRSIG validity into account, and I will also add text explaining the
dependency between RRSIG validity and EXPIRE.

Best regards

Carsten Strotmann

Previous message (by thread): [dns-wg] Updating RIPE 203
Next message (by thread): [dns-wg] Updating RIPE 203

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ dns-wg Archives ]