Hello,

In https://lists.dns-oarc.net/pipermail/dns-operations/2018-April/017420.html (and earlier messages in March on the same thread), people realised that aggressive NSEC caching might use a much longer TTL than the negative TTL intended by a zone operator.
The initial idea was to correct this in an erratum to RFC 8198 (aggressive use of NSEC/NSEC3), but Ralph Dolmans pointed out to me that this would not solve the wildcard case. I did a lightning talk on the topic at OARC 29 (https://indico.dns-oarc.net/event/29/sessions/98/#20181013), where the audience feedback, as I recall it, was agreeable to my suggestion of 'issuing operational guidance'.

I have since come to the conclusion that it would be better to also fix this in software. Hence, please find below my draft that updates one sentence in 4034 and the ~same sentence in 5155. As far as I can see, no correction to 8198 is necessary or useful.

Any editorial comments are welcome via GitHub (link is in the draft), private email, or this WG list. Any functional comments on the content, please post them to the WG. Thank you.

(Warren, if you feel the wording of my acknowledgement lays blame with you in a way that you'd rather not see immortalised in an RFC, please let me know!)

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

-------- Forwarded Message --------
From: internet-dra...@ietf.org
To: Peter van Dijk <peter.van.d...@powerdns.com>
Subject: [EXT] New Version Notification for draft-vandijk-dnsop-nsec-ttl-00.txt
Date: Mon, 23 Nov 2020 12:03:04 -0800

A new version of I-D, draft-vandijk-dnsop-nsec-ttl-00.txt has been successfully submitted by Peter van Dijk and posted to the IETF repository.
Name: draft-vandijk-dnsop-nsec-ttl
Revision: 00
Title: NSEC(3) TTLs and NSEC Aggressive Use
Document date: 2020-11-23
Group: Individual Submission
Pages: 6
URL: https://www.ietf.org/archive/id/draft-vandijk-dnsop-nsec-ttl-00.txt
Status: https://datatracker.ietf.org/doc/draft-vandijk-dnsop-nsec-ttl/
Html: https://www.ietf.org/archive/id/draft-vandijk-dnsop-nsec-ttl-00.html
Htmlized: https://tools.ietf.org/html/draft-vandijk-dnsop-nsec-ttl-00

Abstract:
Due to a combination of unfortunate wording in earlier documents, aggressive use of NSEC(3) records may deny names far beyond the intended lifetime of a denial. This document changes the definition of the NSEC(3) TTL to correct that situation.

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat