Hello.

From a resolver's point of view... this implies that signed *positive* wildcard answers will now get cached with this shorter "negative TTL", right?  These do need to deny the existence of a non-wildcard match, so they need to contain NSEC*.

Maybe the final text would better explicitly note such implications, but that certainly can wait way past WG adoption. Also it might be confusing that just by signing a zone the effective TTL of these answers would get lower - assuming I got your intention right (if not, perhaps the current text wasn't clear enough anyway).

--Vladimir @ Knot Resolver


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
