On Mon, Apr 12, 2021 at 10:54:04AM -0500, Nico Williams wrote:

> > Sounds to me that, as I thought, they will have to sign a TLSA record
> > every five seconds. No?
>
> No. TTL != notAfter.
>
> You do not have to re-sign any RRs every N seconds just because their
> TTL is N seconds.

Indeed, RRSIGs have inception and expiration fields that typically
differ by O(30 days). My zone has 14-day RRSIG lifetimes and 1-hour
TTLs, but with sufficient automation it could be lower; thus IIRC
Route 53 DNSSEC has 10-hour RRSIGs (!) and the hosted zones are
resigned every few hours.

Of course one might simply also sign each query on the fly, as done by
Cloudflare.

-- 
Viktor.
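The distinction the thread draws between a record's TTL and its RRSIG validity window, as an added example that is not part of the original mail or of any of the posters' tooling. The RRSIG timestamps, TTL and dates below are constructed; the helper names (`rrsig_window_ok`, `effective_cache_ttl`, `signing_ops`) are this example's own. It shows three things a DNSSEC operator cares about: a validator accepts a signature purely on inception/expiration, not TTL; a validating resolver clamps a cached TTL to the time left before the RRSIG expires, so a signature near expiry quietly shortens TTLs before it causes an outage; and the number of signing operations over a period is set by the re-signing interval, not by the TTL, which is why a 1-hour TTL does not imply hourly signing.

```python
import math
from datetime import datetime, timedelta, timezone


def parse_rrsig_time(text: str) -> datetime:
    """Parse an RRSIG inception/expiration field in presentation format
    (RFC 4034 section 3.2: YYYYMMDDHHmmSS, always UTC)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsig_window_ok(inception: str, expiration: str, now: datetime) -> bool:
    """A validator accepts a signature only while
    inception <= now <= expiration (RFC 4035 section 5.3.1).
    The covered RRset's TTL plays no part in this decision."""
    return parse_rrsig_time(inception) <= now <= parse_rrsig_time(expiration)


def effective_cache_ttl(ttl: int, expiration: str, now: datetime) -> int:
    """A validating resolver caps the cached TTL at the time remaining
    before the RRSIG expires (RFC 4035 section 5.3.3).  Monitoring this
    value catches a stale signer before records start failing validation."""
    remaining = int((parse_rrsig_time(expiration) - now).total_seconds())
    return max(0, min(ttl, remaining))


def signing_ops(period: timedelta, resign_interval: timedelta) -> int:
    """Number of times a signer must emit a fresh RRSIG over `period`
    when it replaces each signature every `resign_interval`.  Compare
    resign_interval=TTL (the misconception in the thread) with
    resign_interval=half the signature lifetime (a typical practice)."""
    return math.ceil(period / resign_interval)


# Constructed sample: a TLSA RRset with a 1-hour TTL covered by a 14-day RRSIG.
SAMPLE_TTL = 3600
SAMPLE_INCEPTION = "20210412000000"   # 2021-04-12 00:00:00 UTC (constructed)
SAMPLE_EXPIRATION = "20210426000000"  # 2021-04-26 00:00:00 UTC (constructed)


def main() -> None:
    utc = timezone.utc
    mid_window = datetime(2021, 4, 19, tzinfo=utc)
    near_expiry = datetime(2021, 4, 25, 23, 30, tzinfo=utc)
    after_expiry = datetime(2021, 4, 27, tzinfo=utc)

    for when in (mid_window, near_expiry, after_expiry):
        ok = rrsig_window_ok(SAMPLE_INCEPTION, SAMPLE_EXPIRATION, when)
        ttl = effective_cache_ttl(SAMPLE_TTL, SAMPLE_EXPIRATION, when)
        print(f"{when.isoformat()}  valid={ok}  cached TTL={ttl}s")

    two_weeks = timedelta(days=14)
    print("signings over 14 days if re-signed every TTL:   ",
          signing_ops(two_weeks, timedelta(seconds=SAMPLE_TTL)))
    print("signings over 14 days if re-signed every 7 days:",
          signing_ops(two_weeks, timedelta(days=7)))


if __name__ == "__main__":
    main()
```

The clamp in `effective_cache_ttl` is the practical reason to alert on RRSIG expiry well ahead of time: resolvers start returning ever-shorter TTLs as the expiration approaches, and once it passes the RRset is bogus for every validating client at once.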