TLSA TTL value

Viktor Dukhovni ietf-dane at
Tue Mar 28 19:36:41 CEST 2017

> On Mar 28, 2017, at 1:18 PM, John Allen <john at> wrote:
> What would be a "good" TTL for TLSA records. Because of there use in
> validating encryption certs, etc I assume that the shorter the better. I
> currently use 15min, is this too long or too short?

Set the TTL slightly shorter than the time it takes you to notice and
fix a problem with the records.  If you're unlikely to respond to any
issues in under an hour, a TTL of much less than an hour will not be
beneficial.  Very short TTLs also add latency to mail delivery.  On
the other hand, very long TTLs make prolong problem duration.


More information about the dane-users mailing list