Hello,
this was followed by lots of discussion on Twitter around https://twitter.com/BlazejKrajnak/status/1628385024318881793

I'm not aware of any hard rules for this, so there's no right or wrong really.  I agree that the current default of 10s is relatively short for encrypted incoming connections.  Big public resolvers mostly have a much longer limit (e.g. Google and Cloudflare), for non-empty DoH sessions at least, though e.g. OpenDNS and Quad9 also seem short from my point of view (< 15s).

You can use a config like net.tcp_in_idle(1*min) to change the limit for all connections (both directions, all protocols).  But beware that each connection state needs some RAM.  On the other hand, our TLS session resumption needs no server state.

The limit is also exposed to clients according to RFC 7828 (by default).

--Vladimir
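The RFC 7828 mechanism mentioned above (edns-tcp-keepalive) is how a client learns the server's idle limit without guessing: the server answers over TCP with an EDNS option, code 11, carrying a 16-bit timeout in units of 100 ms, so the 10s default corresponds to the value 100 and 1*min to 600. The following is an added example by the editor, not code from Knot Resolver or from the message author. It builds and parses minimal DNS messages carrying that option; the sample messages are constructed inline, and the helper names (make_query, make_response, tcp_keepalive_timeout) are this example's own.

```python
"""Encode and decode the edns-tcp-keepalive option (RFC 7828, EDNS option code 11).

Added illustrative code; the message bytes below are constructed for the example.
"""
import struct
from typing import Optional

EDNS_TCP_KEEPALIVE = 11   # IANA EDNS option code assigned by RFC 7828
TYPE_OPT = 41


def keepalive_option(timeout_100ms: Optional[int]) -> bytes:
    """Option wire format: code, length, then (responses only) a 16-bit timeout in 100 ms units.

    A client sends the option with zero length to say "I understand keepalive"; the
    server replies with length 2 and its idle timeout.
    """
    if timeout_100ms is None:
        return struct.pack("!HH", EDNS_TCP_KEEPALIVE, 0)
    return struct.pack("!HHH", EDNS_TCP_KEEPALIVE, 2, timeout_100ms)


def build_opt_rr(options: bytes, udp_size: int = 1232) -> bytes:
    """OPT pseudo-RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDATA."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, len(options)) + options


def _name(dotted: str) -> bytes:
    labels = dotted.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def make_query(qname: str = "example.com") -> bytes:
    """Query with an empty keepalive option (what a client sends over TCP/TLS)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    return header + _name(qname) + struct.pack("!HH", 1, 1) + build_opt_rr(keepalive_option(None))


def make_response(timeout_100ms: int, qname: str = "example.com") -> bytes:
    """Constructed NODATA-style response that advertises the server's idle timeout."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 1)  # QR, RD, RA; 1 question, 1 additional
    return header + _name(qname) + struct.pack("!HH", 1, 1) + build_opt_rr(keepalive_option(timeout_100ms))


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer terminates the name
            return off + 2
        off += 1 + length


def tcp_keepalive_timeout(msg: bytes) -> Optional[float]:
    """Return the idle timeout (seconds) advertised in the OPT RR, or None if absent/empty."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != TYPE_OPT:
            continue
        i = 0
        while i + 4 <= len(rdata):                # walk the EDNS option list
            code, olen = struct.unpack("!HH", rdata[i:i + 4])
            body = rdata[i + 4:i + 4 + olen]
            i += 4 + olen
            if code == EDNS_TCP_KEEPALIVE and olen == 2:
                return struct.unpack("!H", body)[0] / 10.0
    return None


if __name__ == "__main__":
    print("10s default  ->", tcp_keepalive_timeout(make_response(100)))
    print("1*min        ->", tcp_keepalive_timeout(make_response(600)))
    print("client query ->", tcp_keepalive_timeout(make_query()))
```

A client that honours this option can keep the connection open for the advertised time and reopen it afterwards instead of hitting a closed socket; the zero-length form in the query is what a server keys on before adding the timeout to its answer.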