dynamic TTL shortening in auth after RR change
Description
TL;DR version: Withdrawing a DS record is a nightmare because TLDs use TTLs that are too long. COM with a 1-day TTL is a total nightmare, and risk-averse businesses like google.com are not going to risk a 1-day disruption of service => no prospect of deploying DNSSEC.
Long version: https://indico.dns-oarc.net/event/44/contributions/962/
Request
I'm considering an experiment, not a production-ready feature. Auth DNS is not a good place for what I'm going to propose, but I still think it is a nice experiment:
Add magic which shortens the TTLs sent out in answers after an RR modification. Say, in the first hour after the modification, shorten the TTL of the modified DS RR to 60 seconds; after that, use the original TTL. (Of course we can invent any other scheme; this is just a simple example.)
Obviously this requires knowing when the RR was modified - and that is a nightmare by itself. For an experiment I think it would be good enough to look at the RRSIG inception time to detect the initial window. Obviously this will produce false positives after re-signing, but for an experiment I think we don't need to care.
An experiment would allow us to detect whether something breaks when the TTLs of an RR and its RRSIG do not match in an answer sent from the auth server. (It should work, but you know how it is ...)
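A sketch of the proposed rule as an added example (not code from this issue or from any DNS server): it takes the RRSIG inception time from a constructed RRSIG record in presentation format as the proxy for modification time and shortens only the DS TTL within the first hour, leaving the RRSIG TTL as-is so the RR/RRSIG mismatch the experiment wants to observe is actually produced. The 60 s and one-hour values are the ones from the proposal; the record contents (owner, key tag, digest, signature) are constructed placeholders.

```python
from datetime import datetime, timezone

# Parameters taken from the proposal: 60 s TTL during the first hour after the change.
SHORT_TTL = 60
WINDOW_SECONDS = 3600

# Constructed sample records in presentation format (placeholder digest/signature, not real data).
DS_LINE = "example. 86400 IN DS 12345 13 2 PLACEHOLDERDIGEST"
RRSIG_LINE = ("example. 86400 IN RRSIG DS 13 1 86400 "
              "20240115120000 20240101120000 54321 . PLACEHOLDERSIGNATURE")


def parse_rrsig_time(field):
    """Convert an RRSIG expiration/inception field (YYYYMMDDHHmmSS, UTC) to a Unix timestamp."""
    dt = datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def rrsig_inception(rrsig_line):
    """Pull the inception field out of an RRSIG record in presentation format.
    Field order: owner ttl class RRSIG type alg labels origttl expiration inception keytag signer sig."""
    fields = rrsig_line.split()
    assert fields[3] == "RRSIG", "not an RRSIG record"
    return parse_rrsig_time(fields[9])


def effective_ttls(original_ttl, inception, now, short_ttl=SHORT_TTL, window=WINDOW_SECONDS):
    """Return (ds_ttl, rrsig_ttl) to place in the answer.
    Inception stands in for the modification time, so a plain re-signing also re-opens the
    window (the false positive the proposal accepts); a signer that backdates inception
    shortens the observed window by the same amount."""
    age = now - inception
    if age < window:
        # Shorten only the modified DS RR; the RRSIG keeps its TTL, producing the
        # RR/RRSIG TTL mismatch the experiment wants to observe (RFC 4034 requires them equal).
        return min(original_ttl, short_ttl), original_ttl
    return original_ttl, original_ttl


def answer_ttls(ds_line, rrsig_line, now):
    """Compute the TTLs for a DS answer built from the given records at time `now`."""
    original_ttl = int(ds_line.split()[1])
    return effective_ttls(original_ttl, rrsig_inception(rrsig_line), now)


if __name__ == "__main__":
    t0 = rrsig_inception(RRSIG_LINE)
    print(answer_ttls(DS_LINE, RRSIG_LINE, t0 + 600))   # inside the window: (60, 86400)
    print(answer_ttls(DS_LINE, RRSIG_LINE, t0 + 7200))  # after the window: (86400, 86400)
```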