On Wed, May 19, 2021 at 12:28:16PM +0200, Peter van Dijk wrote:
> > Section 3.1, etc.
> > 
> > |  The TTL of the NSEC RR that is returned MUST be the lesser of the
> > |  MINIMUM field of the SOA record and the TTL of the SOA itself.
> > |  This matches the definition of the TTL for negative responses in
> > |  [RFC2308].  A signer MAY cause the TTL of the NSEC RR to have a
> > |  deviating value after the SOA record has been updated, to allow
> > |  for an incremental update of the NSEC chain.
> > 
> > I don't think I understand what a "deviating value" would be (and in
> > which direction it would deviate).
> 
> This sentence was added because some implementations may need time to
> rework the whole NSEC/NSEC3 chain after a TTL change. The deviation
> would be 'part of the chain still has the old, wrong, value - for a
> while'. I'll ponder better words - suggestions are very welcome, of
> course.

Perhaps:

        Because some signers incrementally update the NSEC chain, a transient
        inconsistency between the observed and expected TTL MAY exist.

Kind regards,

Job

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
