[dns-wg] Lower TTLs for NS and DS records in reverse DNS delegations

Dear colleagues,

Users may request reverse DNS delegation by creating "domain" objects in 
the RIPE Database. Such domain objects must contain "nserver" attributes 
to specify the name servers for a reverse DNS zone, and may contain 
"ds-rdata" attributes, to specify delegation signer (DS) records.

When the RIPE NCC publishes these records in the appropriate parent 
zones, the Time to Live (TTL) of all these records is set at 172800 (two 
days).

The TTL of delegation NS records may be overridden by the TTL of NS 
records from a zone's apex. Alternatively, many large resolvers ignore 
the TTL values of NS records and cap them at much lower values such as 
21600. Finally, there is no way for a zone operator to change the TTL of 
a DS record, which is only present in a parent zone.

Long TTLs can cause problems for users when they want to change their 
name servers or perform DNSSEC key roll-overs. A long TTL on a DS record 
is especially harmful when a user needs to do a key roll-over in an 
emergency.

We propose to lower, in the first quarter of 2022, the TTL on NS records 
to 86400 and on DS records to 3600.

We welcome feedback or discussion about this, ideally via the DNS 
Working Group mailing list. If you prefer to send your feedback directly 
to us, you can email dns at ripe.net.

Regards,
Anand Buddhdev
RIPE NCC