>>>>>> "RB" == Richard Barnes <[email protected]> writes:
>
>     RB> So short TTLs are the only tool you have.
>
> And that really ought to be sufficient. It is not at all uncommon to have TTLs as low as an hour or even a minute for some RRs without any significant impact on the DNS servers.

It also has the advantage of being really simple, and thus less easy to fall prey to some weird bug. If the TTL expires often, then the management procedures are there to republish it often. If a certificate has a very long lifetime, then renewals happen rarely, the procedures are not well tested, and we do see silly mistakes happen.

> And even if it is for a TLS server which gets so much traffic that a short DNS TTL would have a noticeable impact on the hardware or net pipes, that still will be *dwarfed* by the TLS load and traffic.

The name server records are still cached, which cuts most of the impact on the DNS infrastructure.

-- Christian Huitema

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
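The trade-off argued in this thread, as an added toy model that is not part of the list discussion: a caching resolver serves a TLSA record (constructed name and rdata) to clients querying once per second, the publisher rolls the record at a chosen time, and the model reports how many upstream queries the TTL costs and the last moment a resolver could still hand out the pre-rollover record. The point it shows is that the stale window is bounded by the TTL, and the query load grows only in proportion to 1/TTL.

```python
"""Toy caching-resolver model for the TLSA TTL trade-off (constructed example)."""
from dataclasses import dataclass, field

# Constructed TLSA owner name and placeholder rdata; not real records.
TLSA_NAME = "_443._tcp.example.com. IN TLSA"
OLD_RDATA = "OLD-CERT-ASSOCIATION"
NEW_RDATA = "NEW-CERT-ASSOCIATION"


@dataclass
class AuthZone:
    """Authoritative data: name -> (rdata, ttl). The publisher edits this."""
    records: dict


@dataclass
class CachingResolver:
    """Minimal TTL cache: answer from cache while unexpired, else refetch."""
    auth: AuthZone
    cache: dict = field(default_factory=dict)  # name -> (rdata, expires_at)
    upstream_queries: int = 0

    def lookup(self, name: str, now: int) -> str:
        entry = self.cache.get(name)
        if entry is not None and entry[1] > now:
            return entry[0]                      # still fresh, no upstream traffic
        rdata, ttl = self.auth.records[name]     # cache miss or expired
        self.upstream_queries += 1
        self.cache[name] = (rdata, now + ttl)
        return rdata


def simulate(tlsa_ttl: int, rollover_at: int, horizon: int):
    """Clients query every second for `horizon` seconds; at `rollover_at` the
    publisher replaces the TLSA rdata. Returns
    (upstream_queries, last_second_old_rdata_was_served)."""
    auth = AuthZone({TLSA_NAME: (OLD_RDATA, tlsa_ttl)})
    resolver = CachingResolver(auth)
    last_stale = None
    for t in range(horizon):
        if t >= rollover_at:
            auth.records[TLSA_NAME] = (NEW_RDATA, tlsa_ttl)
        if resolver.lookup(TLSA_NAME, t) == OLD_RDATA and t >= rollover_at:
            last_stale = t                       # stale answer after rollover
    return resolver.upstream_queries, last_stale


if __name__ == "__main__":
    for ttl in (3600, 60):
        queries, stale_until = simulate(ttl, rollover_at=5000, horizon=10000)
        print(f"TTL={ttl:5d}s: {queries:4d} upstream queries, "
              f"old record served until t={stale_until} (bound {5000 + ttl - 1})")
```

A one-hour TTL leaves the old association answerable for up to an hour after the rollover at the cost of three upstream queries in the run; a one-minute TTL shrinks that window to under a minute for 167 queries, still negligible next to the TLS traffic the thread compares it with.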
