Thanks, Job -- that looks better than anything I would have come up with!

-Ben

On Wed, May 19, 2021 at 01:10:27PM +0200, Job Snijders wrote:
> On Wed, May 19, 2021 at 12:28:16PM +0200, Peter van Dijk wrote:
> > > Section 3.1, etc.
> > >
> > > | The TTL of the NSEC RR that is returned MUST be the lesser of the
> > > | MINIMUM field of the SOA record and the TTL of the SOA itself.
> > > | This matches the definition of the TTL for negative responses in
> > > | [RFC2308]. A signer MAY cause the TTL of the NSEC RR to have a
> > > | deviating value after the SOA record has been updated, to allow
> > > | for an incremental update of the NSEC chain.
> > >
> > > I don't think I understand what a "deviating value" would be (and in
> > > which direction it would deviate).
> >
> > This sentence was added because some implementations may need time to
> > rework the whole NSEC/NSEC3 chain after a TTL change. The deviation
> > would be 'part of the chain still has the old, wrong, value - for a
> > while'. I'll ponder better words - suggestions are very welcome, of
> > course.
>
> Perhaps:
>
> Because some signers incrementally update the NSEC chain, a transient
> inconsistency between the observed and expected TTL MAY exist.
>
> Kind regards,
>
> Job
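The TTL rule quoted in this thread, as an added example that is not part of the original messages or the draft: a small zone audit that computes the expected NSEC/NSEC3 TTL from the SOA and lists the records still carrying a different value while a signer updates the chain incrementally. The zone data and function names are constructed for illustration, and the parser assumes one record per line with an explicit TTL and class.

```python
# Added example (not from the thread): find NSEC/NSEC3 records whose TTL
# differs from min(SOA TTL, SOA MINIMUM), the value the quoted text requires.

# Constructed zone: SOA MINIMUM was lowered to 300, and the signer has
# re-signed only part of the NSEC chain so far.
SAMPLE_ZONE = """\
example.    3600 IN SOA  ns1.example. hostmaster.example. 2021051901 7200 900 1209600 300
example.    300  IN NSEC a.example. NS SOA RRSIG NSEC DNSKEY
a.example.  300  IN NSEC b.example. A RRSIG NSEC
b.example.  3600 IN NSEC example. A RRSIG NSEC   ; not yet re-signed
b.example.  3600 IN A    192.0.2.1
"""


def parse_records(text):
    """Yield (owner, ttl, rrtype, rdata_fields) for each one-line record."""
    for line in text.splitlines():
        # Assumption: ';' only starts a comment (no quoted ';' in rdata).
        fields = line.split(";", 1)[0].split()
        if len(fields) < 5:
            continue  # blank line or something this simple parser skips
        yield fields[0], int(fields[1]), fields[3].upper(), fields[4:]


def expected_nsec_ttl(records):
    """Lesser of the SOA's own TTL and its MINIMUM field (last SOA rdata field)."""
    for _owner, ttl, rrtype, rdata in records:
        if rrtype == "SOA":
            # SOA rdata: mname rname serial refresh retry expire minimum
            return min(ttl, int(rdata[6]))
    raise ValueError("zone has no SOA record")


def deviating_nsec(text):
    """Return (expected_ttl, [(owner, observed_ttl), ...]) for stale chain links."""
    records = list(parse_records(text))
    expected = expected_nsec_ttl(records)
    stale = [(owner, ttl) for owner, ttl, rrtype, _ in records
             if rrtype in ("NSEC", "NSEC3") and ttl != expected]
    return expected, stale


if __name__ == "__main__":
    expected, stale = deviating_nsec(SAMPLE_ZONE)
    print(f"expected NSEC TTL: {expected}")
    for owner, ttl in stale:
        print(f"transient inconsistency: {owner} has TTL {ttl}")
```

A non-empty list shortly after an SOA change is the transient state the proposed wording allows; the same list persisting long after the change suggests the chain was never fully updated.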
