Time-To-Live (TTL) values in DNS are a controversial topic, riddled with counter-intuitive behavior.
Recently, a desire to lower the mean time to recovery from DNSSEC-related problems reignited discussion about the TTL values of DS and DNSKEY records: a broken DS or DNSKEY stays in resolver caches until its TTL expires, so the TTL bounds how long an outage persists after the fix is published. Can the DS TTL be lower? What if we tried a TTL of just 5 minutes? How would it affect users (mainly response latency) and operators (the query rate seen on authoritative servers)?
In this talk, we present a comparative analysis of DNS resolver performance. We use DNS Shotgun to replay real (anonymized) traffic and compare two configurations of a DNS resolver:
- The first configuration respects TTL values as supplied by authoritative servers;
- The second configuration artificially limits TTL values of DS and DNSKEY records to 5 minutes.
This experiment demonstrates the non-linear relationship between TTL values, response latency, and query rate.
Based on our data set, we conclude that the performance impact of a 5-minute DS and DNSKEY TTL, in terms of DNS latency visible to end clients, is negligible. The number of DS and DNSKEY queries to authoritative servers is higher, but the increase stays well below the linear one that scaling by 1/TTL would predict.
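Why the increase stays below linear can be illustrated with a small cache simulation. This is an added example, not part of the original abstract, not DNS Shotgun and not the talk's data: the query trace is constructed (a few hot zones queried every few seconds and a long tail of zones queried about every two hours), the 86400 s upstream TTL on DS and DNSKEY is an assumed value, and the model counts upstream queries only, with no latency model.

```python
"""Toy resolver-cache simulation for the DS/DNSKEY TTL question.

Added example for this abstract; it is not DNS Shotgun and not the talk's
measurements. The query trace is constructed and the upstream TTL of 86400 s
on DS/DNSKEY is an assumed value. It shows why upstream DS/DNSKEY query counts
grow sub-linearly as the TTL cap is lowered: once the cap drops below a zone's
inter-query gap, every query to that zone already misses, so lowering the cap
further costs nothing more for that zone.
"""
import math
import random
from collections import Counter

UPSTREAM_TTL = 86400   # assumed TTL authoritative servers put on DS/DNSKEY
FIVE_MINUTES = 300     # the cap evaluated in the talk


def make_trace(seed=7, duration=UPSTREAM_TTL):
    """Constructed trace of (time, zone) client queries that each need the
    zone's DS and DNSKEY: five hot zones (mean gap 5 s) and 2000 long-tail
    zones (mean gap 2 h), Poisson arrivals, one simulated day."""
    rng = random.Random(seed)
    zones = [(f"hot{i}.example.", 5.0) for i in range(5)] + \
            [(f"tail{i}.example.", 7200.0) for i in range(2000)]
    events = []
    for zone, mean_gap in zones:
        t = rng.expovariate(1.0 / mean_gap)
        while t < duration:
            events.append((t, zone))
            t += rng.expovariate(1.0 / mean_gap)
    events.sort()
    return events


def simulate(trace, ttl_cap=None):
    """Run the trace through a cache that honours the upstream TTL
    (ttl_cap=None) or caps DS/DNSKEY TTL at ttl_cap seconds.
    Returns (upstream queries by RR type, client queries that found an
    expired DS or DNSKEY)."""
    ttl = UPSTREAM_TTL if ttl_cap is None else min(UPSTREAM_TTL, ttl_cap)
    expires = {}            # (zone, rrtype) -> cache expiry time
    upstream = Counter()
    client_misses = 0
    for t, zone in trace:
        missed = False
        for rrtype in ("DS", "DNSKEY"):
            key = (zone, rrtype)
            if expires.get(key, -math.inf) <= t:   # not cached or expired
                upstream[rrtype] += 1
                expires[key] = t + ttl
                missed = True
        client_misses += missed
    return upstream, client_misses


def sweep(trace, caps=(None, 3600, FIVE_MINUTES, 60)):
    """Compare each TTL cap against the naive linear (1/TTL) prediction,
    relative to the baseline that respects the upstream TTL."""
    base_total = sum(simulate(trace)[0].values())
    rows = []
    for cap in caps:
        upstream, misses = simulate(trace, cap)
        total = sum(upstream.values())
        effective = UPSTREAM_TTL if cap is None else cap
        rows.append({
            "cap_s": effective,
            "upstream_ds_dnskey": total,
            "observed_factor": total / base_total,
            "linear_factor": UPSTREAM_TTL / effective,
            "client_queries_missing_ds_or_dnskey": misses,
        })
    return rows


if __name__ == "__main__":
    for row in sweep(make_trace()):
        print(row)
```

With a 300 s cap the linear model predicts 288 times the baseline DS/DNSKEY traffic; the simulation lands at roughly a tenth of that, and going from 300 s to 60 s changes little, because the long tail was already missing on nearly every query and the hot zones are bounded by one refetch per cap interval. DS and DNSKEY are per-zone records shared by every name beneath the zone, so what drives the real cost is the number of distinct signed zones a resolver sees per cap interval, not the number of client queries; the absolute numbers here follow from the constructed trace and say nothing about the talk's measured latency.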