Zone files contain an awful lot of TTL values, and sometimes it is good to take a step back to see if what you've set up is still meaningful. We took a deeper look at our TTL values and it seems an extreme TTL makeover is called for.
Start Of Authority
Anybody who ever has worked with name servers and zone files is familiar with the start of authority a.k.a. SOA record.
Just for the few of us who have a hard time remembering which field is exactly which, here is a short reminder, with the current settings for .se and .nu.
Besides being inconsistent, it seems that these values were chosen in another time. On the internet today, updates do not take hours to propagate. Many cloud services use TTL values of only a few seconds, which shows that the global DNS infrastructure has the capacity to handle much faster updates. Currently both the .se and .nu zones are updated every hour, and in the near future we would like to update even more frequently. Considering this, it seems our TTL values are a bit off.
Copy with pride
When in doubt, look what others have done.
Unfortunately the results are inconclusive. Many ccTLDs around the world seem to have quite different opinions on what values to set.
DDoS?
Faster updates put more stress on resolvers and make DDoS attacks easier to pull off. But is this really a factor any longer on today's internet? DDoS patterns have changed over time, and nowadays servers and anycast networks are not so easy to attack.
Aggressive NSEC
The relatively new aggressive NSEC RFC (RFC 8198) calls for synchronizing the TTL values of NSEC/NSEC3 records and the SOA minimum, which further speaks for a TTL overhaul.
Data TTL
The .se and .nu zones contain NS records for delegation, A and AAAA records as glue for these delegations and DS records for DNSSEC validation. Because .se and .nu are signed, we also add some more records: RRSIG for the DS records (but not for NS, A and AAAA), NSEC (.se) and NSEC3 (.nu) for authenticated denial of existence, and a corresponding RRSIG record. What TTL should these records have?
Today
| Record | .se | .nu |
| --- | --- | --- |
| NS | 86400 | 3600 |
| A | 86400 | 3600 |
| AAAA | 86400 | 3600 |
| DS | 3600 | 3600 |
| NSEC/NSEC3 | 7200 | 7200 |
As for the data of the .se zone itself, we currently use:
| Record | .se | .nu |
| --- | --- | --- |
| NS | 172800 | 172800 |
| A | 172800 | 172800 |
| AAAA | 172800 | 172800 |
| TXT | 172800 | 172800 |
Solution?
Here is our idea for a new start of authority for both .se and .nu:
The mname field of the SOA record should point to an existing name server which is included in the NS set of the zone. Therefore we propose a change to the mname field. For nearly two decades our technical support has been reachable through hostmaster@nic.se/.nu. We think it is time to reflect this in our zone files.
The idea with the TTL values below is to ensure that the secondary name servers keep up to date with the master, even if a notify is missed. Checking the master every 10 minutes, with a retry every five minutes if the master does not answer, seems quite reasonable by today's standards.
The zones will be available for 10 days even if no updates are published. After that time our signatures (RRSIG) would expire anyway. Last but not least, a quite short negative caching TTL of five minutes, just to make new domain names available to everybody a bit quicker (even if you queried for them right before registration).
| Record | .se | .nu |
| --- | --- | --- |
| NS | 900 | 900 |
| A | 900 | 900 |
| AAAA | 900 | 900 |
| DS | 900 | 900 |
| NSEC/NSEC3 | 300 | 300 |
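As an added example (not code from the original post or from the registry), here are the rules from the SOA proposal and the aggressive NSEC section expressed as a small Python checker: it parses a constructed zone snippet in master-file format and verifies that the SOA mname is in the apex NS set, that retry is shorter than refresh, that expire does not outlive the signature lifetime, and that NSEC/NSEC3 TTLs equal the SOA minimum as RFC 8198 asks. All names, addresses and the DS digest in the sample are placeholders.

```python
"""Added example: check a zone's TTL policy against the rules in the text."""

# Constructed sample zone in master-file format. The SOA timers follow the
# proposal above (refresh 600, retry 300, expire 864000, minimum 300) and the
# NSEC TTL equals the SOA minimum as RFC 8198 asks. Names and addresses are
# placeholders, not the real .se/.nu name servers.
SAMPLE_ZONE = """\
example.         900    IN SOA  ns.example. hostmaster.example. 2024010101 600 300 864000 300
example.         172800 IN NS   ns.example.
ns.example.      172800 IN A    192.0.2.1
sub.example.     900    IN NS   ns.sub.example.
ns.sub.example.  900    IN A    192.0.2.2
sub.example.     900    IN DS   12345 13 2 ABCDEF
sub.example.     300    IN NSEC zzz.example. NS DS RRSIG NSEC
"""

def parse_zone(text):
    """Return (owner, ttl, type, rdata_fields) tuples from one-record-per-line input."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "IN":
            continue  # skip blank lines and anything that is not a simple IN record
        records.append((parts[0], int(parts[1]), parts[3], parts[4:]))
    return records

def check_ttl_policy(records, rrsig_validity=864000):
    """Return a list of violations; an empty list means the zone passes.

    rrsig_validity is the signature lifetime in seconds (10 days, as stated
    in the text); a secondary must expire the zone before its RRSIGs do.
    """
    problems = []
    soa = next(r for r in records if r[2] == "SOA")
    mname = soa[3][0]
    refresh, retry, expire, minimum = (int(x) for x in soa[3][3:7])
    apex_ns = {r[3][0] for r in records if r[2] == "NS" and r[0] == soa[0]}
    if mname not in apex_ns:
        problems.append(f"SOA mname {mname} is not in the apex NS set")
    if retry >= refresh:
        problems.append(f"retry {retry} should be shorter than refresh {refresh}")
    if expire > rrsig_validity:
        problems.append(f"expire {expire} outlives the RRSIG validity of {rrsig_validity}")
    for owner, ttl, rtype, _ in records:
        if rtype in ("NSEC", "NSEC3") and ttl != minimum:
            problems.append(f"{rtype} TTL {ttl} at {owner} differs from SOA minimum {minimum} (RFC 8198)")
    return problems
```

Running `check_ttl_policy(parse_zone(SAMPLE_ZONE))` on the sample returns an empty list; raising the NSEC TTL to the current 7200 produces the RFC 8198 mismatch.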
For the in-zone data, we will continue with the long TTL values. We do change our infrastructure, but very carefully and with long pauses in between updates.
| Record | .se | .nu |
| --- | --- | --- |
| NS | 172800 | 172800 |
| A | 172800 | 172800 |
| AAAA | 172800 | 172800 |
| TXT | 172800 | 172800 |
Feedback
Is our case convincing to you? Better ideas? Please let us know.