Reduce minimum TTL to 60s

[nename0]

On the Web UI you can specify a TTL down to 60s for a dyndns domain (dedyn.io).
Also in the Forum this is mentioned: https://talk.desec.io/t/more-flexible-ttl-settings/988/3

So this PR reduces the minimum TTL from 3600s to 60s.

[znkr]

What happens if we set a TTL that's larger than the minimum TTL? I am asking, because I probably had a reason to add this logic. If we change it, we need to be careful to not cause new failures. That is, if the deSEC API retuns an error if the TTL is too low, we might need a different solution than the one here. Could you add and run tests to check the behavior?

[nename0]

I tried it with this test and TTL of 59s. I got:

failed setting DNS record(s) with new IP address(es)","zone":"xxx.dedyn.io","error":"writing RRSets: unexpected status code 400: [{\"ttl\":[\"Ensure this value is greater than or equal to 60.\"]},{\"ttl\":[\"Ensure this value is greater than or equal to 60.\"]},{\"ttl\":[\"Ensure this value is greater than or equal to 60.\"]},{\"ttl\":[\"Ensure this value is greater than or equal to 60.\"]}]

xcaddy build

I used this xcaddy configuration

RUN xcaddy build \
    --with github.com/caddy-dns/desec \
    --replace github.com/libdns/desec=github.com/nename0/desec@test-1s

So yes we might break existing domains with this if they still have the 3600s limit...

I just registered a dedyn.io domain a few days ago and just got "minimum_ttl": 60. Maybe thats the new default?

We could easily query that value using the GET /api/v1/domains/xxx.dedyn.io/ endpoint:

curl 'https://desec.io/api/v1/domains/xxx.dedyn.io/' -H 'Authorization: Token REDACTED'   
{"created":"2025-08-02T07:38:55.406058Z","published":"2025-08-03T10:48:18.284485Z","name":"xxx.dedyn.io","keys":REDACTED,"minimum_ttl":60,"touched":"2025-08-03T10:48:18.284485Z"}

The reason I want this lower TTL should be obvious. When I restart my router I don't want to wait 1 hour until I can reach my dyndns server again.
Also I had some trouble with the _acme-challenge Records and having to wait 1 hour for all DNS resolvers to expire the records is painful.
So I think this project should definitely provide the lowest TTL possible to users.

[znkr]

Automatically detecting the minimum TTL sounds like a good idea alternative, we could make it configurable in the provider and expose that configuration in Caddy.

I prefer having fewer configuration options, so detecting the minimum TTL sounds like a good idea from that perspective. Unfortunately, it also increases the complexity. For example, what do we do if the minimum TTL detection fails?

Making it configurable sounds a lot simpler.

WDYT?

[peterthomassen]

Peter here, from deSEC.

I just registered a dedyn.io domain a few days ago and just got "minimum_ttl": 60. Maybe thats the new default?

It's the default for domains under .dedyn.io. That's a mistake, and we'll probably change that to 3600. - Note that dynDNS updates are not affected by that.

When I restart my router I don't want to wait 1 hour until I can reach my dyndns server again.

For dynDNS updates, please see https://desec.readthedocs.io/en/latest/dyndns/configure.html and https://desec.readthedocs.io/en/latest/dyndns/update-api.html.

For example, what do we do if the minimum TTL detection fails?

You can fall back to 3600; it's pretty much guaranteed that the minimum TTL won't ever be higher than that.