On Mon, Apr 12, 2021 at 12:54:20PM +0000, Salz, Rich wrote:
> > Thanks for the explanation. I don't know enough DNSSEC to know if
> > that's actually deployable, but okay
>
> > You can tune down TTLs before the change, etc.
>
> The TTL is already a small number of seconds so that in the standard
> DNS case, they can switch within five seconds.
>
> Sounds to me that, as I thought, they will have to sign a TLSA record
> every five seconds. No?

No. TTL != notAfter. You do not have to re-sign any RRs every N seconds
just because their TTL is N seconds.