I'm working on transferring zones from DynDNS to Route53, any suggestion on what the TTLs (SOA and NS records) should be - during this transition period (i.e. before/when I update the registrar to point to Route53 instead of DynDNS) ?

According to https://www.rfc-editor.org/rfc/rfc6781#section-4.4.1 I see I should NOT go under 10 min:

We suggest that the Minimum Zone TTL be long enough to both fetch and verify all the RRs in the trust chain. In workshop environments, it has been demonstrated [NIST-Workshop] that a low TTL (under 5 to 10 minutes) caused disruptions

I was thinking to go with something like 1hr during the transition period, and bump it up after zone transfer is done, but wanted to see if there's any recommendation for that period.

Any pointer to documentation for this is greatly appreciated as well.

Mahyar
  • Many recursive nameservers do not obey, even if that is contrary to the standard, too-small TTLs. I recommend never going below 5 minutes, so 10 is fine. You may also want to lower the negative TTL (last item in the SOA) and/or touch the retry/expire ones (still in SOA) depending on your current setup. Note that the *parent* TTLs come into effect too, as some nameservers will be more parent-centric (hence obeying the parent NS TTL) than child-centric. There is no standard way; make sure your old nameservers continue to publish the zone for an extended time (days...) after the switch. – Patrick Mevzek Jul 29 '20 at 20:15
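As an added example (not code from the question or from the comment above), the following Python script turns the advice in this thread into something checkable: it parses a small constructed zone snippet in RFC 1035 master-file form, lowers the SOA and NS TTLs and the SOA "minimum" (negative-caching) field to a transition value, and computes the two waiting periods the comment describes in prose: how long to wait after lowering TTLs before changing the registrar (the old TTL still sits in resolver caches), and how long the old provider must keep serving the zone afterwards (parent-centric resolvers hold the parent's NS TTL, which the child zone cannot change). The 5-minute floor, the 10-minute transition value, the zone data, and the parent NS TTL of 172800 s are all assumptions made for the example.

```python
"""Planning SOA/NS TTL changes for a move between DNS providers.

Added example, not code from the question or answers on this page.  It parses
a small constructed zone snippet, rewrites the SOA and NS TTLs (and the SOA
"minimum", i.e. negative-caching TTL) to a transition value, and works out two
waiting periods that the thread's comments describe in prose.  Thresholds are
assumptions taken from the thread: a 5-minute floor and a 10-minute transition
TTL.  The parent NS TTL is passed in as a number because the child zone cannot
change it; the registry sets it.
"""
from dataclasses import dataclass, replace

TTL_FLOOR = 300        # assumption: 5 minutes, below which some resolvers misbehave
TRANSITION_TTL = 600   # assumption: 10 minutes, the value discussed in the thread


@dataclass(frozen=True)
class Record:
    name: str
    ttl: int
    rtype: str
    rdata: tuple   # RDATA tokens; for SOA: mname rname serial refresh retry expire minimum


def parse_zone(text):
    """Parse lines of the form 'name TTL IN TYPE rdata...'; ';' comments and blanks skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        name, ttl, cls, rtype, *rdata = line.split()
        if cls.upper() != "IN":
            raise ValueError(f"unsupported class {cls!r} in line {raw!r}")
        records.append(Record(name, int(ttl), rtype.upper(), tuple(rdata)))
    return records


def is_safe_transition_ttl(ttl):
    """True when the TTL respects the floor recommended in the thread."""
    return ttl >= TTL_FLOOR


def lower_for_transition(records, new_ttl=TRANSITION_TTL):
    """Return a copy of the zone with SOA/NS TTLs and the SOA minimum lowered.

    The SOA serial is incremented so secondaries pick up the change.  Other
    records (A, MX, ...) are left alone; the question is about SOA and NS only.
    """
    if not is_safe_transition_ttl(new_ttl):
        raise ValueError(f"transition TTL {new_ttl}s is below the {TTL_FLOOR}s floor")
    out = []
    for r in records:
        if r.rtype == "SOA":
            mname, rname, serial, refresh, retry, expire, minimum = r.rdata
            new_min = str(min(int(minimum), new_ttl))   # negative-caching TTL (RFC 2308)
            out.append(Record(r.name, new_ttl, "SOA",
                              (mname, rname, str(int(serial) + 1),
                               refresh, retry, expire, new_min)))
        elif r.rtype == "NS":
            out.append(replace(r, ttl=new_ttl))
        else:
            out.append(r)
    return out


def transition_plan(old_records, parent_ns_ttl, new_ttl=TRANSITION_TTL):
    """Two waiting periods, in seconds, derived from the TTLs in play.

    wait_before_cutover: after publishing the lowered TTLs, a resolver that
      cached the old SOA/NS just beforehand keeps them for the OLD TTL, so the
      registrar change should not happen before that has elapsed.
    keep_old_servers_at_least: after the registrar change, parent-centric
      resolvers keep using the old delegation for the parent's NS TTL, so the
      old provider must keep answering for at least that long (the thread
      recommends days, i.e. well beyond this minimum).
    """
    old_max = max(r.ttl for r in old_records if r.rtype in ("SOA", "NS"))
    return {
        "wait_before_cutover": old_max,
        "keep_old_servers_at_least": max(parent_ns_ttl, new_ttl),
    }


# Constructed sample zone (reserved .test names and TEST-NET address), not a real zone.
ZONE = """
example.test.      86400 IN SOA ns1.old-provider.test. hostmaster.example.test. 2020072901 7200 900 1209600 3600
example.test.      86400 IN NS  ns1.old-provider.test.
example.test.      86400 IN NS  ns2.old-provider.test.
www.example.test.    300 IN A   192.0.2.10
"""

if __name__ == "__main__":
    old = parse_zone(ZONE)
    for r in lower_for_transition(old):
        print(r.name, r.ttl, r.rtype, " ".join(r.rdata))
    # Assumed parent NS TTL of 172800 s (2 days) for illustration only.
    print(transition_plan(old, parent_ns_ttl=172800))
```

With the sample zone, the plan says to wait the old 86400 s after lowering the TTLs before touching the registrar, and to keep the old nameservers answering for at least the assumed 172800 s parent NS TTL afterwards; the lowered zone carries a bumped serial and a 600 s negative-caching TTL.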

1 Answer

Geez, how long does validation take? Even 5-10 seconds is an eternity for a recursive DNS lookup. Most servers time out at 2 seconds. As far as zone TTLs, I wouldn't set them higher than 10 minutes personally. Otherwise any mistakes made will take the TTL expiration time to correct. A low TTL is fine if your DNS server can handle it. I have some 30-second ones.

DubStep
  • " As far as zone TTLs, I wouldn't set them higher than 10 minutes personally. " Long TTLs are better for resiliency and performance reasons. – Patrick Mevzek Aug 03 '20 at 05:09
  • Not for when you are doing transfers to another DNS host. If you set a long TTL and make a mistake or need to roll back, you are at the mercy of how long you set the TTL. Also, the 30-second ones I mentioned are for failover purposes. If you are in the hosting business, it makes failing over an entire environment and making sure it is online and available to everyone as quickly as possible fairly painless. Microsoft, Amazon, Google and countless others use this technique. – DubStep Aug 12 '20 at 14:36
  • "Not for when you are doing transfers to another DNS host." Of course, but I was saying that outside of these it can make sense to have longer TTLs and hence I disagree with your statement that over 10 minutes is not good. The fact that some do it does not mean it is the perfect solution for everyone. TTLs are a classical type of tradeoff handling between memory and CPU. There is certainly no one fits all here. You seem to forget various cases where short TTLs created problems. – Patrick Mevzek Aug 12 '20 at 15:11
  • But I mean the question asked was about TTLs during zone transfers, so I was answering that...they already stated they were going to raise them after, so the idea that they wouldn't always be 10 minutes was implied. Also, I never said over 10 minutes was not good. I was providing the 30 second one as an example to illustrate that a low TTL doesn't automatically mean things are broken, low TTLs are bad, or that the low TTL is the issue in the first place. At any rate, you should always start with a low TTL, zone transfer or not, and then increase when you are sure things are good. – DubStep Aug 19 '20 at 18:55
  • Also, I'm aware of times when short TTLs created problems. Memory and CPU are indeed a classical (read: old) type of tradeoff. But this is 2020 and those issues are rare now and fairly easy to resolve if they do surface. The issue that OP pointed out about signature validation periods is more applicable today IMO. – DubStep Aug 19 '20 at 19:11
  • "But this is 2020 and those issues are rare now and fairly easy to resolve if they do surface." I certainly cannot agree with that, if you put yourself as a recursive nameserver having to handle CNAME/DNAME records (and soon SVCB ones), and handling DNSSEC. There is still (and will never be) a one-size-fits-all every time, and especially `NS` records or such are not a good idea for a 10-minute TTL as you suggest. – Patrick Mevzek Aug 19 '20 at 19:13
  • lol...you can't get 10 minutes out of your head and are just putting words in my mouth at this point. At no point did I say 10 minutes is a good fit for ALL records, nor was I ever proposing, implying or did I ever mention a one size fits all solution. I answered a question about TTL during a zone transfer, saying I personally wouldn't set them higher than 10 minutes. You applied that to every situation you could have with DNS ever apparently. And memory and CPU issues are rare these days. Mainly because both of those things are cheap and people tend to just throw money at them. – DubStep Aug 19 '20 at 19:24
  • I mean dude, YOU even say 10 minutes is fine yourself in your original comment. – DubStep Aug 19 '20 at 19:30
  • It is written in your post: "As far as zone TTLs, I wouldn't set them higher than 10 minutes personally". Also "And memory and CPU issues are rare these days. Mainly because both of those things are cheap and people tend to just throw money at them." so it really seems useless to continue discussing; I tried to explain to you that the compromise still exists today and it is not just a matter of putting more money. Please be happy with your 10-minute zone TTLs then. – Patrick Mevzek Aug 19 '20 at 19:31
  • "I mean dude, YOU even say 10 minutes is fine yourself in your original comment." For a temporary transition and for some records, yes. Absolutely not always for all records. There is a subtle difference here, but I guess it is lost now, so I will stop here. – Patrick Mevzek Aug 19 '20 at 19:32
  • You are right, that is written in my post, because it is written in the question I was answering with that post "I'm working on transferring zones from DynDNS to Route53, any suggestion on what the TTLs (SOA and NS records) should be - during this transition period" So yes, I said "I wouldn't set them higher than 10 minutes personally" in response to that. You drew the parallel to always, despite me explaining it to you multiple times. You not getting that is your problem. – DubStep Aug 19 '20 at 20:19
  • But it's okay when you say 10 minutes (aka I was agreeing with you) but somehow when I say 10 minutes, I'm applying it to every DNS record, every DNS zone, and every situation ever you use TTL in DNS? There is a subtle difference and I pointed it out long ago. Again, I NEVER said it was good for all records. You are the only one spouting absolutes. I answered a question as it was asked and you made it into something else. Please do stop there because you are borderline not making any sense at this point. – DubStep Aug 19 '20 at 20:22