Hi Matthijs,

On Fri, 2020-12-18 at 18:02 +0100, Matthijs Mekking wrote:
> Hi Peter,
> 
> I reviewed the draft and it mostly looks good.

Thanks!

> Some minor comments:
> 
> 1. Perhaps instead of using ".com" as an example, use ".example" (per 
> RFC 2606)?

Noted at https://github.com/PowerDNS/draft-dnsop-nsec-ttl/issues/3

> 2. Shouldn't this document also update some text parts from RFC 8198?

Hmm. Obviously, some of the text in 8198 is wrong, but there is no
action for 8198 implementers here. Noted at 
https://github.com/PowerDNS/draft-dnsop-nsec-ttl/issues/4 for more
pondering.

> 3. About this paragraph:
> 
>     Ralph Dolmans helpfully pointed out that fixing this in RFC8198 is
>     only possible for negative (NXDOMAIN/NoData NOERROR) responses, and
>     not for wildcard responses.
> 
> I think it deserves a separate section or subsection within section 4, 
> and not be tucked away in the acknowledgements.
> 
> Also this should be a bit more verbose, it took me three times to 
> understand what is exactly said here.
> 
> Proposed text:
> 
> 
>     [RFC 8198] says:
> 
>         With DNSSEC and aggressive use of DNSSEC-validated cache, the TTL
>         of the NSEC/NSEC3 record and the SOA.MINIMUM field are the
>         authoritative statement of how quickly a name can start working
>         within a zone.
> 
>     Here, the SOA.MINIMUM field cannot be changed to "the minimum of the
>     SOA.MINIMUM field and the SOA TTL" because the resolver may not have
>     the SOA RRset in cache. However, if authoritative servers follow the
>     updates from this document, this should not make a difference, as the
>     TTL of the NSEC/NSEC3 record is already set to the minimum value.
> 
> 
> Ralph can of course still be acknowledged for the helpful pointer.

Yes, that makes sense, it is relevant background. I took your text plus
something extra and put it at 
https://github.com/PowerDNS/draft-dnsop-nsec-ttl/pull/5

Thanks!

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
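
Added example, not part of this thread or of the draft: a zone lint for the rule in the proposed text above, flagging NSEC/NSEC3 records whose TTL exceeds the minimum of the SOA.MINIMUM field and the SOA TTL. The zone data, the function names and the simplified one-record-per-line format are assumptions made for the illustration, and the check only reports TTLs that are too high.

```python
# Added example: lint a zone for NSEC/NSEC3 TTLs above min(SOA.MINIMUM, SOA TTL).
# SAMPLE_ZONE is constructed data in a simplified master-file form
# (one record per line, explicit TTL and class, no $TTL, no parentheses).

SAMPLE_ZONE = """\
example.    3600  IN SOA  ns1.example. hostmaster.example. 2020121801 7200 900 1209600 300
example.    3600  IN NSEC a.example. NS SOA RRSIG NSEC DNSKEY
a.example.  300   IN NSEC b.example. A RRSIG NSEC
b.example.  86400 IN NSEC example. A RRSIG NSEC
"""


def parse_records(zone_text):
    """Yield (owner, ttl, rrtype, rdata_fields) for each non-empty line."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        owner, ttl, _cls, rrtype, *rdata = line.split()
        yield owner, int(ttl), rrtype.upper(), rdata


def negative_ttl(records):
    """Return min(SOA TTL, SOA.MINIMUM) taken from the zone's SOA record."""
    for _owner, ttl, rrtype, rdata in records:
        if rrtype == "SOA":
            # rdata: mname rname serial refresh retry expire minimum
            return min(ttl, int(rdata[6]))
    raise ValueError("zone has no SOA record")


def nsec_ttl_violations(zone_text):
    """List (owner, nsec_ttl, limit) for NSEC/NSEC3 records above the limit."""
    records = list(parse_records(zone_text))
    limit = negative_ttl(records)
    return [(owner, ttl, limit)
            for owner, ttl, rrtype, _rdata in records
            if rrtype in ("NSEC", "NSEC3") and ttl > limit]


if __name__ == "__main__":
    for owner, ttl, limit in nsec_ttl_violations(SAMPLE_ZONE):
        print(f"{owner}: NSEC TTL {ttl} exceeds negative TTL {limit}")
```
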
