On Fri, 2021-01-08 at 11:33 +0100, Vladimír Čunát wrote: > Well, if the client requests the proof (+dnssec), you have to include > those NSEC*s and I'd consider it incorrect to prolong their TTL. I'd be > surprised if someone chose that lack of +dnssec could change this TTL > behavior, except for implementations without DNSSEC support. At least > that's _my_ understanding of the current RFCs (even before > DNSSEC-aggressive caching).
Ah yes, now I get it. The impact of NSEC TTL on wildcard validity is not really something that 8198 did, or that this document does. This document does, of course, change that TTL for some setups. > > > Maybe the final text would better explicitly note such implications, but > > > that certainly can wait way past WG adoption. Also it might be confusing > > > that just by singing a zone the effective TTL of these answers would get > > > lower - assuming I got your intention right (if not, perhaps the current > > > text wasn't clear enough anyway). > > Whether signing a zone lowers the TTL on an expanded wildcard depends > > entirely on the implementation - basically my previous paragraph in this > > email. I'd say the right approach is the MIN(..) from the previous > > paragraph. > > > > However, I'm unsure what text the document should have about this. As in my > > response to Matthijs, the problem flows from 8198 but the problem is not in > > 8198. That said, we can always put more explanations in this document - > > perhaps even a Background section, and then I can shorten the Introduction > > section to only explain the core of the problem. > > I had in mind adding a simple note about this (possible?) consequence, > as I don't think it's completely obvious and it wasn't happening before > implementing this RFC. It took me a while to understand the question, but now that I get it, I have found that at least one validator implementation does not currently cap the TTL of expanded wildcards to the lowest TTL in the proof. Now I wonder if that needs to be written down explicitly, and whether that should also go into this document (which we would then retitle 'NSEC(3) TTL clarifications'?). Kind regards, -- Peter van Dijk PowerDNS.COM BV - https://www.powerdns.com/ _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
