Sep 6 – 7, 2023 Workshop
Meliá Danang Beach Resort
Asia/Ho_Chi_Minh timezone

March towards shorter DNSSEC outages

Sep 6, 2023, 12:00 PM
Meliá Danang Beach Resort

19 Trường Sa, Hoà Hải, Ngũ Hành Sơn, Đà Nẵng 550000, Vietnam
In-Person Standard Presentation Main Session OARC 41 Day 1


Petr Špaček (Internet Systems Consortium (ISC))


Time-To-Live values in DNS are a controversial topic, riddled with counter-intuitive behavior.

Recently, a desire to lower the mean time to recovery from DNSSEC-related problems reignited discussion about the TTL values of DS and DNSKEY records. Can DS TTL be lower? What if we tried just 5-minute TTL? How would it impact users (mainly response latency) and operators (query rate seen on authoritative servers)?

In this talk, we present a comparative analysis of DNS resolver performance. We use DNS Shotgun to replay real (anonymized) traffic and compare two configurations of a DNS resolver:

  • The first configuration respects TTL values as supplied by authoritative servers;
  • The second configuration artificially limits TTL values of DS and DNSKEY records to 5 minutes.

This experiment demonstrates the non-linear relationship between TTL values, response latency, and query rate.

Based on our data set, we conclude that the performance impact of 5-minute DS and DNSKEY TTL, in terms of DNS latency visible to end clients, is negligible. The number of DS and DNSKEY queries to authoritative servers is higher, but the increase is well below linear.
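
A toy cache model of why the query-rate increase can stay below linear, added here as an illustration. It is not DNS Shotgun and not the authors' code, and the zone mix and the 86400-second original DS TTL are constructed assumptions, not data from the talk.

```python
# Constructed model of a validating resolver's DS cache.
# A DS record is fetched upstream only when it is needed and not cached,
# so rarely used zones gain few extra fetches from a shorter TTL.

WEEK = 7 * 24 * 3600      # simulated period in seconds
ORIGINAL_TTL = 86400      # assumed DS TTL as published by the parent zone
CAPPED_TTL = 300          # the 5-minute cap described in the abstract

# Constructed zone mix: (number of zones, seconds between uses of the DS record)
ZONE_MIX = [(1, 1), (10, 120), (100, 3600), (1000, 21600)]


def upstream_fetches(interval, ttl, duration=WEEK):
    """Count upstream DS fetches for one zone whose DS is needed every `interval` seconds."""
    fetches, expires = 0, 0
    for t in range(0, duration, interval):
        if t >= expires:          # cache miss: record absent or expired
            fetches += 1
            expires = t + ttl     # cache the fresh answer for `ttl` seconds
    return fetches


def total_fetches(ttl):
    """Sum upstream DS fetches over the whole constructed zone mix."""
    return sum(count * upstream_fetches(interval, ttl) for count, interval in ZONE_MIX)


def compare():
    """Compare the TTL-respecting configuration with the capped one."""
    before = total_fetches(ORIGINAL_TTL)
    after = total_fetches(CAPPED_TTL)
    return {
        "before": before,
        "after": after,
        "observed_ratio": after / before,
        "linear_ratio": ORIGINAL_TTL / CAPPED_TTL,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

In this model only the zone queried every second sees the full linear increase; for a zone used every six hours the cap costs four times as many fetches, not 288 times.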

Primary author

Petr Špaček (Internet Systems Consortium (ISC))


Viktor Dukhovni (Google LLC)
