On Wed, May 19, 2021 at 12:28:16PM +0200, Peter van Dijk wrote:
> > Section 3.1, etc.
> >
> > | The TTL of the NSEC RR that is returned MUST be the lesser of the
> > | MINIMUM field of the SOA record and the TTL of the SOA itself.
> > | This matches the definition of the TTL for negative responses in
> > | [RFC2308]. A signer MAY cause the TTL of the NSEC RR to have a
> > | deviating value after the SOA record has been updated, to allow
> > | for an incremental update of the NSEC chain.
> >
> > I don't think I understand what a "deviating value" would be (and in
> > which direction it would deviate).
>
> This sentence was added because some implementations may need time to
> rework the whole NSEC/NSEC3 chain after a TTL change. The deviation
> would be 'part of the chain still has the old, wrong, value - for a
> while'. I'll ponder better words - suggestions are very welcome, of
> course.

Perhaps:

Because some signers incrementally update the NSEC chain, a transient
inconsistency between the observed and expected TTL MAY exist.

Kind regards,

Job

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop