TLSA TTL value

Peter Koch pk at DENIC.DE
Tue Mar 28 20:06:06 CEST 2017

On Tue, Mar 28, 2017 at 01:18:57PM -0400, John Allen wrote:

> What would be a "good" TTL for TLSA records? Because of their use in
> validating encryption certs, etc. I assume that the shorter the better. I
> currently use 15min, is this too long or too short?

the TTL is part of the DNS control plane and not strongly related to
validity of the data (and neither is the DNSSEC signature lifetime, btw).

What threat or failure would suggest that 15 minutes was "too long"?
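A worked illustration of the distinction Peter draws (added here, not part of the original thread): the TTL, capped by the RRSIG expiration, only bounds how long a resolver cache can keep serving an old TLSA RRset, which is what a certificate rollover has to wait for; it says nothing about certificate validity. The timeline, TTLs and TLSA RDATA strings below are constructed, and the RFC 4035 cap on cached TTL at signature expiration is assumed to be honoured by the resolver.

```python
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class TlsaRRset:
    records: FrozenSet[str]   # TLSA RDATA as text; values below are constructed
    ttl: int                  # zone TTL in seconds (the DNS control-plane knob)
    rrsig_expiration: int     # RRSIG expiration, seconds on the same timeline


def cache_expiry(rrset: TlsaRRset, fetched_at: int) -> int:
    """A validating cache may serve the RRset until its TTL runs out, but never
    past the RRSIG expiration (RFC 4035 caps the cached TTL there)."""
    return min(fetched_at + rrset.ttl, rrset.rrsig_expiration)


def view_from_cache(cached: TlsaRRset, fetched_at: int,
                    authoritative: TlsaRRset, now: int) -> TlsaRRset:
    """What a resolver that filled its cache at fetched_at answers at time now."""
    if now < cache_expiry(cached, fetched_at):
        return cached
    return authoritative  # cache entry expired: the zone is queried again


def earliest_safe_cert_switch(old: TlsaRRset, publish_time: int) -> int:
    """Worst case is a cache filled at the instant the new record was published;
    the certificate may only change once that copy can no longer be served."""
    return cache_expiry(old, publish_time)


def rollover_is_safe(old: TlsaRRset, new: TlsaRRset,
                     publish_time: int, switch_time: int) -> bool:
    """Add-before-remove rollover: every cache that could hold the old RRset
    must already answer with the new record at switch_time."""
    new_records = new.records - old.records
    for fetched_at in range(publish_time - old.ttl, publish_time + 1):
        served = view_from_cache(old, fetched_at, new, switch_time)
        if not new_records <= served.records:
            return False
    return True


# Constructed scenario: 15 minute TTL, new record published at t=10000.
PUBLISH = 10000
OLD = TlsaRRset(frozenset({"3 1 1 <old-cert-hash>"}), ttl=900, rrsig_expiration=100000)
NEW = TlsaRRset(frozenset({"3 1 1 <old-cert-hash>", "3 1 1 <new-cert-hash>"}),
                ttl=900, rrsig_expiration=100000)
# Same TTL, but the old RRSIG expires 300 s after publication: the signature
# lifetime, not the TTL, then bounds how long stale data can be served.
OLD_SHORT_SIG = TlsaRRset(OLD.records, ttl=900, rrsig_expiration=10300)
```

Shortening the TTL only shortens the rollover wait (and raises query load); a cached record whose certificate has been revoked or replaced is served until that wait elapses regardless of what the certificate itself says.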


