Hello Tony, Tony Finch writes:
Serial numbers should ideally be managed automatically, so that you don't have to care, but ISO 8601 style is definitely the most friendly of the common options.
The minimum/negative TTL should match the default TTL, and I agree 1 hour is a good starting point.
Regarding the refresh timer, NOTIFY should make it irrelevant, but there are cases like stealth secondaries where it still matters.
In about 50 % of all customer DNS setups that I've seen over the last years, NOTIFY was not working and zone refresh was only relying on SOA values. Of course that was because of other misconfigurations that are out of scope of this document. For us that we work with DNS for some time NOTIFY is "just working", but surprisingly there are many ways to get DNS wrong enough to break NOTIFY.
I think that batch rebuild jobs are most easy to communicate to colleagues if they happen hourly, so the refresh time should probably be 1 hour, to match. (The result is that routine updates propagate within an hour if things are working properly, or two hours in awkward cases.)
Good point.
I agree with Paul that a short retry timer also makes sense, so recovery from failure is short. I use 15 minutes, but it is happily not something I have had to worry about :-)
15 minutes sounds like a good value for me as well.
Novices are not expected to be responsible for DNSSEC but they might be looking after a zone signed by someone else. In a signed zone, the expiry time needs to be less than the RRSIG lifetime. A broken secondary should return an error (making resolvers try other, hopefully working, secondaries) before it returns bogus data. The default RRSIG lifetime (in BIND and I think other signers) is 30 days and records are re-signed weekly, so the default expiry time should be about 3 weeks (500 hours).
good point, I've missed that. We'll adjust the EXPIRE value to take the RRSIG validity into account, and I will also add text explaining the dependency between RRSIG validity and EXPIRE. Best regards Carsten Strotmann