Hello,
this was followed by lots of discussion on Twitter around
https://twitter.com/BlazejKrajnak/status/1628385024318881793
I'm not aware of any hard rules for this, so there's no right or wrong
really. I agree that the current default of 10s is relatively short for
encrypted incoming connections. Big public resolvers mostly have much
longer limits (e.g. Google and CloudFlare), for non-empty DoH sessions at
least, though e.g. OpenDNS and Quad9 also seem short from my point (< 15s).
You can use config like net.tcp_in_idle(1*min) to change the limit for
all connections (both directions, all protocols). But beware that each
connection state needs some RAM. On the other hand, our TLS session
resumption needs no server state.
The limit is also exposed to clients according to RFC 7828 (by default).
--Vladimir
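The message above says the idle limit is exposed to clients per RFC 7828 (the edns-tcp-keepalive EDNS option, option code 11, whose TIMEOUT field is in units of 100 ms). The following is an added example, not code from Knot Resolver or from the author: it builds a constructed DNS response carrying that option and decodes the advertised idle timeout, which is how an operator can check what a resolver actually announces after changing `net.tcp_in_idle`. The message layout is hand-assembled here; no captured traffic is used.

```python
"""Decode the RFC 7828 edns-tcp-keepalive option from a DNS response.

Added example (not Knot Resolver code). The sample message is constructed
inline so the script runs offline; on a live resolver you would read the
response bytes off the TCP socket (after the 2-byte length prefix) instead.
"""
import struct

EDNS_TCP_KEEPALIVE = 11   # option code assigned by RFC 7828
TYPE_OPT = 41             # pseudo-RR type carrying EDNS options


def build_response(keepalive_timeout_100ms=None) -> bytes:
    """Constructed sample: header, one question, no answers, one OPT RR.

    If a timeout is given, an edns-tcp-keepalive option is included in the
    OPT RR with TIMEOUT in units of 100 ms, as a server would send over TCP.
    """
    # ID, flags (QR=1 RD=1 RA=1), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 1)
    qname = b"\x07example\x03com\x00"
    question = qname + struct.pack("!HH", 1, 1)       # QTYPE=A, QCLASS=IN
    options = b""
    if keepalive_timeout_100ms is not None:
        options = struct.pack("!HHH", EDNS_TCP_KEEPALIVE, 2, keepalive_timeout_100ms)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=extended flags,
    # RDLENGTH, RDATA (the option list)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, len(options)) + options
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1 + length


def tcp_keepalive_timeout_ms(msg: bytes):
    """Return the idle timeout (ms) advertised in the OPT RR, or None.

    None means the server sent no edns-tcp-keepalive option, or sent one
    without a TIMEOUT field, so the client has no signalled limit to rely on.
    """
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4       # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != TYPE_OPT:
            continue
        pos = 0
        while pos + 4 <= len(rdata):        # walk the option list
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            pos += 4
            if code == EDNS_TCP_KEEPALIVE:
                if olen == 2:
                    (timeout,) = struct.unpack("!H", rdata[pos:pos + 2])
                    return timeout * 100     # units of 100 ms -> ms
                return None                  # length 0: no timeout signalled
            pos += olen
    return None


if __name__ == "__main__":
    # 100 * 100 ms = the 10 s default discussed above; 600 would be 1*min.
    print(tcp_keepalive_timeout_ms(build_response(100)))   # 10000
    print(tcp_keepalive_timeout_ms(build_response(600)))   # 60000
    print(tcp_keepalive_timeout_ms(build_response()))      # None
```

A client should treat the decoded value as the server's intent to close the connection after that much idle time; a connection pool that reuses TCP/TLS connections can use it to decide whether to send on an existing connection or open a new one, rather than guessing at a resolver's limit.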