[rssac-caucus] call for document leaders / contributors of root zone TTL work party

Steve Sheng steve.sheng at icann.org
Tue Jan 20 15:39:28 UTC 2015


Dear RSSAC caucus, 

In its last teleconference meeting, the RSSAC has identified root zone TTLs
to be a work item for the group. According to the process recently sent out,
the RSSAC is looking for volunteers for document leaders and participants
for the effort. If you're interested in leading the effort and/or
contributing to the effort, please send a message indicating that to both
Liman and Steve Sheng (staff support)

  Steve Sheng <steve.sheng at icann.org>
  Lars-Johan Liman <liman at netnod.se>

before 2015-01-30 2400 UTC. The scope of the task at hand is as follows:

#----------------------------------------------------------------------

STATEMENT OF WORK AND SCOPE FOR root zone TTLs

TTLs of records in the root zone have remained unchanged for as far back in
time as we know from available root zone archives (i.e., at least 1999).
This predates both a signed root zone and the use of anycast on root name
servers.  Until very recently, there has been little reason to consider
changes to root zone TTLs.

Records in the root zone presently have three TTL values: 24 hours, 48
hours, and 6 days.  Most authoritative data in the zone is given a 24 hour
TTL.  This includes SOA, DS, NSEC, and their associated RRSIGs.

The TLD delegation records (NS and glue), as well as DNSKEY records, are
given a 48 hour TTL.  Since the NS+glue are not authoritative, the only
RRSIG records with a 48 hour TTL are the DNSKEY signatures.

The only remaining records in the zone are the NS+glue (and RRSIG) for the
root zone itself.  These are given a 6 day TTL.

Until just recently, all RRSIG records in the root zone were given a
signature validity period of 7 days.  This meant that a root server instance
that was not updated within 24 hours could return NS RRset responses whose
TTL exceeded the signature validity.  This is not a problem for validating
or non-validating resolvers alone, but could cause problems when a validator
is behind (i.e., forwarding to) a non-validator.  The signature validity
period was increased to 10 days to alleviate this problem.

Lowering of the NS RRset TTL is another way to alleviate the problem.  If
the NS RRset TTL were lowered, it would be reasonable to again reduce
signature validity values to previous levels.

Verisign, as the Root Zone Maintainer, requests the RSSAC Caucus to consider
the extent to which: (1) the current root zone TTLs are appropriate for
today's environment, (2) lowering the NS RRset TTL makes sense, and (3) the
impacts that TTL changes would have on the wider DNS.

#----------------------------------------------------------------------
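
The timing argument in the statement of work above (6-day NS RRset TTL against 7-day and 10-day signature validity), worked through as an added example that is not part of the original message or of any RSSAC or Verisign tooling. The model is an assumption: signatures are valid for the full period from the moment the zone copy was signed, the non-validating forwarder caches for the full TTL, and clock skew is ignored; all function names are hypothetical.

```python
from datetime import timedelta

DAY = timedelta(days=1)
HOUR = timedelta(hours=1)
ZERO = timedelta(0)

def expired_window(ttl, validity, staleness):
    """How long a non-validating forwarder can keep handing out an RRset
    whose RRSIG has already expired.

    Assumed model: the root server instance serves a zone copy signed
    `staleness` ago, signatures are valid for `validity` from signing time,
    and the forwarder caches the answer for the full `ttl`.
    """
    remaining = validity - staleness   # signature lifetime left when cached
    return min(ttl, max(ttl - remaining, ZERO))

def max_safe_staleness(ttl, validity):
    """Oldest zone copy an instance can serve without opening that window."""
    return max(validity - ttl, ZERO)

def max_safe_ttl(validity, staleness):
    """Largest TTL that stays inside the signature for a given staleness."""
    return max(validity - staleness, ZERO)

def scenarios(staleness=36 * HOUR):
    """Page values: 6-day root NS TTL, 7-day (old) and 10-day (new) validity."""
    ttl = 6 * DAY
    return [(v, max_safe_staleness(ttl, v), expired_window(ttl, v, staleness))
            for v in (7 * DAY, 10 * DAY)]

if __name__ == "__main__":
    for validity, slack, window in scenarios():
        print(f"validity={validity.days}d  tolerated staleness={slack}  "
              f"expired-but-cached window at 36h stale={window}")
    # Constructed what-if for the "lower the NS RRset TTL" option: the TTL that
    # gives 7-day signatures the same 4 days of slack as the 10-day signatures.
    print("TTL for 7d validity with 4d slack:", max_safe_ttl(7 * DAY, 4 * DAY))
```

The 36-hour staleness and the 4-day slack target are constructed inputs chosen to illustrate the two options the statement describes, not figures from the message.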


