TLSA TTL value

John Allen john at
Wed Mar 29 17:48:42 CEST 2017

I thought that one of the ideas behind TLSA is the ability to validate
CA certificates.
In the event that a certificate is compromised, I would have thought
that any information that might make the compromised cert appear valid
should be removed ASAP. In the event that the certificate is replaced,
that information should be updated to reflect that the old cert is
"gone" and that the new cert is in use.
As I believe there is not a particularly good mechanism for publishing
certificate revocations, TLSA appears to provide a mechanism to assist
in revoking certs.

On 3/28/17 2:06 PM, Peter Koch wrote:
> On Tue, Mar 28, 2017 at 01:18:57PM -0400, John Allen wrote:
>> What would be a "good" TTL for TLSA records? Because of their use in
>> validating encryption certs, etc., I assume that the shorter the better. I
>> currently use 15 min; is this too long or too short?
> the TTL is part of the DNS control plane and not strongly related to
> validity of the data (and neither is the DNSSEC signature lifetime, btw).
> What threat or failure would suggest that 15 minutes was "too long"?
> -Peter
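As an added illustration, not part of the thread, a small Python model of the point both sides are circling: resolvers honour a cached TLSA RRset until its TTL expires, so a record you remove can still be accepted for up to one TTL, and a new key must not be put into service until its record has had time to reach caches. The zone, cache and SPKI bytes are constructed; the record format (usage 3, selector 1, matching 1) is the DANE-EE form used in practice.

```python
import hashlib

TTL = 900  # the 15-minute TLSA TTL from the thread, in seconds

def tlsa_311(spki_der: bytes) -> tuple:
    """TLSA record: usage 3 (DANE-EE), selector 1 (SPKI), matching 1 (SHA-256)."""
    return (3, 1, 1, hashlib.sha256(spki_der).hexdigest())

class Zone:
    """Authoritative TLSA RRset; the operator edits this directly (constructed)."""
    def __init__(self, ttl: int):
        self.ttl, self.rrset = ttl, set()

class ResolverCache:
    """A validating resolver that keeps the RRset for the zone's TTL (constructed)."""
    def __init__(self):
        self.rrset, self.expires_at = frozenset(), -1
    def lookup(self, zone: Zone, now: int) -> frozenset:
        if now >= self.expires_at:  # cache empty or expired: refetch from the zone
            self.rrset, self.expires_at = frozenset(zone.rrset), now + zone.ttl
        return self.rrset

def dane_accepts(cache: ResolverCache, zone: Zone, server_spki: bytes, now: int) -> bool:
    """DANE-EE check: is the presented key's TLSA record in the cached RRset?"""
    return tlsa_311(server_spki) in cache.lookup(zone, now)

def rollover_timeline(ttl: int = TTL) -> dict:
    """Walk one key rollover and show where the TTL, not the zone edit, decides."""
    old_spki, new_spki = b"constructed-old-spki", b"constructed-new-spki"
    zone, cache = Zone(ttl), ResolverCache()
    zone.rrset.add(tlsa_311(old_spki))
    out = {}
    out["t0_old_ok"] = dane_accepts(cache, zone, old_spki, 0)            # cache filled at t=0
    zone.rrset.add(tlsa_311(new_spki))                                    # t=10: pre-publish new record
    out["t10_new_too_early"] = dane_accepts(cache, zone, new_spki, 10)   # stale cache: new key fails
    out["t_ttl_new_ok"] = dane_accepts(cache, zone, new_spki, ttl)       # cache refreshed: new key ok
    zone.rrset.discard(tlsa_311(old_spki))                                # t=ttl+1: remove old record
    out["stale_old_still_ok"] = dane_accepts(cache, zone, old_spki, ttl + 1)  # still cached until 2*ttl
    out["old_gone_after_expiry"] = dane_accepts(cache, zone, old_spki, 2 * ttl)
    out["max_stale_seconds"] = ttl  # upper bound on how long a removed record is still honoured
    return out
```

Shortening the TTL shrinks the window in which a withdrawn record is still accepted, but it never makes withdrawal immediate, which is why the record's presence and the key's validity are separate questions.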
