New user here, trying out deSEC for the first time and excited to get started. I’m curious whether there are any future plans to widen the TTL range as I see right now it’s limited to times between 1 hour and 1 day. It would be helpful to have more flexibility in this area 1) for creating temporary or testing records that I want to be valid for only a short time, or 2) creating records for immutable services that should only be renewed infrequently, as in once in a few days.
If anyone knows anything about whether there’s a plan to add more flexibility to the TTL limit, do let me know!
The 1-day upper limit for the TTL is due to operational reasons: Every so often (rarely, but importantly), we adjust DNSSEC parameters (such as the signing algorithm). The process is complicated and usually involves two steps where we have to wait for cached records to expire from all resolvers. We would like to avoid stretching this out for several days, as adjustments sometimes may be needed more quickly. We thus put an upper limit to the TTL to limit the time we need to invest in DNSSEC changes.
Regarding TTLs lower than 1 hour: We do support that, and the default TTL used by our dynDNS update interface is indeed 60 seconds. However, if you need to set other records to TTLs < 1h, we’re happy to enable this for your account. In that case, please shoot us an email with a quick explanation on why your use case requires it.
