Re: Expiration TTLs
Chris,

Thanks for the correction on the term TTL instead of timer. The engineer I inherited this environment from has the refresh set to 40 minutes and the zone expiration set to 2 hours. The explanation I got was that since we are authoritative for AD we want to ensure that some kind of scavenging is in place. Your explanation suggests that the refresh time is strictly survivability and will not force an update if the serial numbers do not increment enough to implement the refresh. Am I stating this correctly? Any suggestions?

Thanks
Paul

From: Chris Buxton chris.p.bux...@gmail.com
To: Paul Romano ittec...@yahoo.com
Cc: bind-us...@isc.org bind-us...@isc.org
Sent: Sunday, December 2, 2012 7:41 PM
Subject: Re: Expiration TTLs

> On Dec 1, 2012, at 12:17 PM, Paul Romano wrote:
>
>> What is a good compromise on zone expiration TTLs? Our DNS is authoritative for AD DNS and we want to make sure we force records to refresh but do not want to expose ourselves to the risk of zone failures.
>
> The zone expiration timer is not a TTL timer. The two are different. Zone expiration should usually be at least a week. I've set mine to 6 weeks. This timer has nothing to do with the refresh interval, which is also defined in the SOA record.
>
> Chris Buxton
> BlueCat Networks

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
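The exchange above turns on two separate SOA fields: REFRESH (how often a secondary asks the master whether the serial has moved) and EXPIRE (how long a secondary keeps serving the zone after its last successful refresh when the master cannot be reached). The following is an added example, not code from the thread or from BIND, that parses an SOA record's presentation-format timers, flags combinations that risk exactly the kind of expiry Paul describes (a 40 minute refresh with a 2 hour expire), and applies RFC 1982 serial arithmetic to show when a refresh actually triggers a transfer. The sample records, the zone names, and the retry and minimum values are constructed; only the 40 minute, 2 hour and 6 week figures come from the thread.

```python
"""Added example (not from the bind-users thread): parse SOA timers and reason
about secondary behaviour when the master goes silent.  Sample data is
constructed; the retry/minimum values are assumed, not taken from the thread."""
import re
from dataclasses import dataclass

# RFC 1035 SOA RDATA, presentation format:
#   MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
# BIND accepts time fields as bare seconds or with w/d/h/m/s suffixes.
_UNIT = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
ONE_WEEK = 7 * 86400  # the floor Chris recommends for EXPIRE in the thread


def parse_ttl(text: str) -> int:
    """'40m' -> 2400, '2h' -> 7200, '1w2d' -> 777600, '3600' -> 3600."""
    t = text.lower()
    if t.isdigit():
        return int(t)
    if not re.fullmatch(r"(?:\d+[wdhms])+", t):
        raise ValueError(f"bad time value: {text!r}")
    return sum(int(n) * _UNIT[u] for n, u in re.findall(r"(\d+)([wdhms])", t))


@dataclass
class Soa:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(rdata: str) -> Soa:
    """Parse the seven SOA RDATA fields; times are normalised to seconds."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}")
    mname, rname, serial, refresh, retry, expire, minimum = fields
    return Soa(mname, rname, int(serial), parse_ttl(refresh),
               parse_ttl(retry), parse_ttl(expire), parse_ttl(minimum))


def retries_before_expiry(soa: Soa) -> int:
    """Retry attempts a secondary gets after its first failed refresh before
    EXPIRE (counted from the last successful refresh) removes the zone."""
    return max(0, (soa.expire - soa.refresh) // soa.retry)


def check_timers(soa: Soa) -> list[str]:
    """Warnings for timer combinations that make a secondary expire the zone
    during a short master outage.  An empty list means the timers look sane."""
    warnings = []
    if soa.expire < soa.refresh + soa.retry:
        warnings.append("expire is shorter than refresh+retry: one missed "
                        "refresh can expire the zone")
    if soa.expire < ONE_WEEK:
        warnings.append(f"expire under one week: a master outage longer than "
                        f"{soa.expire // 3600}h makes secondaries stop answering "
                        f"(thread advice: at least a week; RFC 1912 suggests 2-4 weeks)")
    if soa.retry > soa.refresh:
        warnings.append("retry longer than refresh: failed refreshes are retried "
                        "less often than successful ones are scheduled")
    return warnings


def serial_is_newer(local: int, master: int) -> bool:
    """RFC 1982 serial-number arithmetic: True if the master's serial is
    'greater' than the secondary's, i.e. a refresh will trigger a transfer.
    Without a serial increment a refresh confirms the zone but changes nothing."""
    local &= 0xFFFFFFFF
    master &= 0xFFFFFFFF
    return (local < master and master - local < 2**31) or \
           (local > master and local - master > 2**31)


if __name__ == "__main__":
    # Constructed records: the thread's 40m refresh / 2h expire versus a 6w expire.
    for rdata in ("ns1.example.com. hostmaster.example.com. 2012120201 40m 10m 2h 1h",
                  "ns1.example.com. hostmaster.example.com. 2012120201 40m 10m 6w 1h"):
        soa = parse_soa(rdata)
        print(f"expire={soa.expire}s retries={retries_before_expiry(soa)}")
        for w in check_timers(soa) or ["no warnings"]:
            print("  -", w)
    print("transfer needed:", serial_is_newer(2012120201, 2012120202))
```

The point the functions make concrete: with a 40 minute refresh, 10 minute retry and 2 hour expire, a secondary gets eight retries, so a master that is down for a couple of hours silently takes the zone with it, which matches the outage Paul describes in the thread. Raising EXPIRE to weeks only lengthens how long stale data is served; it does not slow propagation, because a refresh still transfers as soon as the master's serial is greater in RFC 1982 terms.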
Expiration TTLs
What is a good compromise on zone expiration TTLs? Our DNS is authoritative for AD DNS and we want to make sure we force records to refresh but do not want to expose ourselves to the risk of zone failures.

Thanks
Paul
Re: Expiration TTLs
Wes,

Thanks for the quick response. Are you authoritative for AD and, if yes, how many masters do you have for the AD domain? We have a single hidden master pair for our AD and core domains and are set for 2 hours. We lost a device and never got alerts for the failure until after the zones failed. I am looking for some added security to avoid a failure but still want to make sure changes are propagated efficiently. Is there another factor that I should be using to define this value? Our refresh is set for 40 minutes.

Paul

From: Wes Zuber w...@uia.net
To: Paul Romano ittec...@yahoo.com
Cc: bind-us...@isc.org bind-us...@isc.org
Sent: Saturday, December 1, 2012 3:56 PM
Subject: Re: Expiration TTLs

> We go with 1 hour.
>
> --Wes
>
> On Dec 1, 2012, at 12:17 PM, Paul Romano ittec...@yahoo.com wrote:
>
>> What is a good compromise on zone expiration TTLs? Our DNS is authoritative for AD DNS and we want to make sure we force records to refresh but do not want to expose ourselves to the risk of zone failures.
>>
>> Thanks
>> Paul
Re: Compelling Reason for Deploying DNSSEC
Does the lack of response indicate a lack of compelling reason or just lack of interest in this topic? Is there a way to tie an ROI into a DNSSEC deployment? Are any agencies planning on denying access to unsigned domains? Are there any numbers indicating a trend in DNS related attacks?

From: wbr...@e1b.org wbr...@e1b.org
To: Paul Romano ittec...@yahoo.com
Sent: Wednesday, September 14, 2011 8:46 AM
Subject: Re: Compelling Reason for Deploying DNSSEC

> Paul Romano wrote on 09/13/2011 10:13:36 PM:
>
>> From: Paul Romano ittec...@yahoo.com
>>
>> I am trying to justify deploying DNSSEC to my management. We have many domains and I want to use this project as an opportunity to review and classify our many domains (legacy, defensive, current production, etc.). Since money is very tight we need a compelling reason to justify the project. I have explained the value of protecting our traffic along with our reputation. We communicate with some government agencies and I have said that there may be some concern about communicating with these agencies in the future. The project has still been declined. Can any of you give a more compelling justification for deployment?
>
> I would like to hear the justification as well. I know the gTLDs have been signed, but there are a lot of domains for large tech companies that are not signed yet. Is it a matter of reaching critical mass?
Compelling Reason for Deploying DNSSEC
I am trying to justify deploying DNSSEC to my management. We have many domains and I want to use this project as an opportunity to review and classify our many domains (legacy, defensive, current production, etc.). Since money is very tight we need a compelling reason to justify the project. I have explained the value of protecting our traffic along with our reputation. We communicate with some government agencies and I have said that there may be some concern about communicating with these agencies in the future. The project has still been declined. Can any of you give a more compelling justification for deployment?

Thanks
Paul