Hello Tony,

Tony Finch writes:

> Serial numbers should ideally be managed automatically, so that you
> don't have to care, but ISO 8601 style is definitely the most friendly
> of the common options.
>
> The minimum/negative TTL should match the default TTL, and I agree 1
> hour is a good starting point.
>
> Regarding the refresh timer, NOTIFY should make it irrelevant, but
> there are cases like stealth secondaries where it still matters.

In about 50 % of all customer DNS setups that I've seen over the last
years, NOTIFY was not working and zone refresh relied only on the SOA
values. Of course that was because of other misconfigurations that are
out of the scope of this document. For those of us who have worked with
DNS for some time, NOTIFY "just works", but surprisingly there are many
ways to get DNS wrong enough to break NOTIFY.

> I think that batch rebuild jobs are most easy to communicate to
> colleagues if they happen hourly, so the refresh time should probably
> be 1 hour, to match. (The result is that routine updates propagate
> within an hour if things are working properly, or two hours in awkward
> cases.)

Good point.

>
> I agree with Paul that a short retry timer also makes sense, so
> recovery from failure is short. I use 15 minutes, but it is happily
> not something I have had to worry about :-)

15 minutes sounds like a good value to me as well.

>
> Novices are not expected to be responsible for DNSSEC but they might
> be looking after a zone signed by someone else. In a signed zone, the
> expiry time needs to be less than the RRSIG lifetime. A broken
> secondary should return an error (making resolvers try other,
> hopefully working, secondaries) before it returns bogus data. The
> default RRSIG lifetime (in BIND and I think other signers) is 30 days
> and records are re-signed weekly, so the default expiry time should be
> about 3 weeks (500 hours).

Good point, I missed that. We'll adjust the EXPIRE value to take the
RRSIG validity into account, and I will also add text explaining the
dependency between RRSIG validity and EXPIRE.

Best regards

Carsten Strotmann

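The SOA values agreed on in this exchange (ISO 8601 style serial, refresh 1 hour, retry 15 minutes, expire about 500 hours, minimum TTL equal to the default TTL, and expire shorter than the remaining RRSIG validity) can be checked mechanically. The following is an added example and not part of the thread or of the document being drafted. It assumes the BIND defaults stated above (30-day RRSIG lifetime, re-signing weekly) and a YYYYMMDDnn serial; the function and class names are the example's own.

```python
"""Sanity-check SOA timer values against the rules discussed in the thread.

Assumptions (not from the thread's document): BIND-style defaults of a
30-day RRSIG lifetime re-signed weekly; serials in ISO 8601 style YYYYMMDDnn.
"""
from dataclasses import dataclass
import datetime as dt

HOUR = 3600
DAY = 24 * HOUR


@dataclass(frozen=True)
class Soa:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int

    def to_zone_line(self, owner: str = "@") -> str:
        """Render the record in master-file syntax (values in seconds)."""
        return (f"{owner} IN SOA {self.mname} {self.rname} ( "
                f"{self.serial} {self.refresh} {self.retry} "
                f"{self.expire} {self.minimum} )")


def next_serial(current: int, today: dt.date) -> int:
    """Return the next YYYYMMDDnn serial.

    Starts at nn=01 for a new day; otherwise just increments. Incrementing
    past nn=99 rolls into the next day's nn=00, which is still a strictly
    increasing 32-bit value, so RFC 1982 serial ordering is preserved.
    A serial that is already "in the future" is incremented, never rewound.
    """
    base = int(today.strftime("%Y%m%d")) * 100
    if current < base:
        return base + 1
    return current + 1


def check_soa(soa: Soa, default_ttl: int,
              rrsig_lifetime: int = 30 * DAY,
              resign_interval: int = 7 * DAY) -> list[str]:
    """Return a list of problems; an empty list means the values look sane."""
    problems = []
    if soa.minimum != default_ttl:
        problems.append("minimum/negative TTL should match the default TTL")
    if soa.retry > soa.refresh:
        problems.append("retry should not exceed refresh")
    if soa.expire <= soa.refresh + soa.retry:
        problems.append("expire must comfortably exceed refresh + retry, "
                        "or one failed refresh can expire the zone")
    # A secondary that stops refreshing holds signatures that were already
    # up to resign_interval old when it last transferred the zone.  It must
    # stop answering (expire) before those signatures go bogus.
    remaining_sig_life = rrsig_lifetime - resign_interval
    if soa.expire >= remaining_sig_life:
        problems.append(f"expire ({soa.expire // HOUR} h) must be below the "
                        f"remaining RRSIG validity ({remaining_sig_life // HOUR} h)")
    return problems


def thread_defaults(serial: int) -> Soa:
    """The values settled on in the discussion: 1 h refresh, 15 min retry,
    ~3 weeks (500 h) expire, 1 h minimum TTL."""
    return Soa("ns1.example.net.", "hostmaster.example.net.", serial,
               refresh=1 * HOUR, retry=15 * 60, expire=500 * HOUR, minimum=1 * HOUR)


if __name__ == "__main__":
    today = dt.date(2024, 1, 2)          # constructed sample date
    soa = thread_defaults(next_serial(2024010105, today))
    print(soa.to_zone_line("example.net."))
    print("problems:", check_soa(soa, default_ttl=1 * HOUR))
    too_long = thread_defaults(soa.serial)
    too_long = Soa(**{**too_long.__dict__, "expire": 1000 * HOUR})
    print("problems:", check_soa(too_long, default_ttl=1 * HOUR))
```

The DNSSEC check uses the margin Tony describes: with a 30-day signature lifetime and weekly re-signing, a stuck secondary's oldest signatures have about 23 days left, so an expire of 500 hours (roughly 21 days) passes while 1000 hours does not. Signers with other defaults need the two keyword arguments adjusted.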