On Wed, 2021-05-19 at 12:28 +0200, Peter van Dijk wrote:
> Hello Benjamin,
>
> On Tue, 2021-05-18 at 20:36 -0700, Benjamin Kaduk via Datatracker
> wrote:
> > I don't think I understand what a "deviating value" would be (and in
> > which direction it would deviate).
>
> This sentence was added because some implementations may need time to
> rework the whole NSEC/NSEC3 chain after a TTL change. The deviation
> would be 'part of the chain still has the old, wrong, value - for a
> while'. I'll ponder better words - suggestions are very welcome, of
> course.

I took Job's text for this, thanks Job!

> > Section 4
> >
> > If signers & DNS servers for a zone cannot immediately be updated to
> > conform to this document, zone operators are encouraged to consider
> > setting their SOA record TTL and the SOA MINIMUM field to the same
> > value. That way, the TTL used for aggressive NSEC and NSEC3 use
> > matches the SOA TTL for negative responses.
> >
> > Are there any negative consequences of such a move that would need to be
> > weighed against the stated benefits?
>
> Signers might use either value (the SOA TTL or the SOA MINIMUM) as a
> default for some other value. For example, PowerDNS uses the SOA
> MINIMUM value as the TTL for DNSKEYs. So, lowering the SOA MINIMUM
> would also lower the DNSKEY TTL (in PowerDNS).
>
> A quick skim of the BIND dnssec-keygen manual page suggests that BIND
> might sometimes take the SOA TTL as the DNSKEY TTL.
>
> So, yes, there might be consequences. I will add a note.

I have now added this:

> Note that some signers might use the SOA TTL or MINIMUM as a default
> for other values, like the TTL for DNSKEY records. Operators should
> consult documentation before changing values.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
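The two operational points in the thread above (a chain that is "mid-rework" after a TTL change, with part of it still carrying the old value, and the side effect that a signer may derive the DNSKEY TTL from the SOA TTL or SOA MINIMUM) can be checked mechanically from a zone's presentation-format data. The following is an added example written for this page; it is not code from the draft, from PowerDNS or from anyone in the thread. It assumes the rule the draft under discussion adopts for the NSEC/NSEC3 TTL, namely min(SOA TTL, SOA MINIMUM), and it assumes a fully expanded zone (explicit owner, TTL and class on every line). The zone contents, owner names and key data are constructed for the example. The DNSKEY check is a heuristic only: a DNSKEY TTL equal to one of the SOA values is a hint that the signer defaulted it, not proof, which is exactly why the draft's new note says to consult the signer's documentation.

```python
# Added example (not from the thread): audit NSEC/NSEC3 TTLs against the
# SOA-derived value and flag DNSKEY TTLs that may have been defaulted
# from the SOA TTL or SOA MINIMUM.
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str


# Minimal presentation format: "<owner> <ttl> IN <type> <rdata>", one RR per line.
_RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_zone(text: str) -> list[RR]:
    """Parse a small, fully expanded zone (explicit owner, TTL and class everywhere)."""
    rrs = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        m = _RR_RE.match(line)
        if not m:
            raise ValueError(f"unsupported line: {raw!r}")
        name, ttl, rtype, rdata = m.groups()
        rrs.append(RR(name.lower(), int(ttl), rtype.upper(), rdata.strip()))
    return rrs


def soa_params(rrs: list[RR]) -> tuple[int, int]:
    """Return (SOA TTL, SOA MINIMUM). MINIMUM is the 7th RDATA field (RFC 1035)."""
    soa = next(r for r in rrs if r.rtype == "SOA")
    fields = soa.rdata.split()  # MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
    return soa.ttl, int(fields[6])


def expected_nsec_ttl(soa_ttl: int, soa_minimum: int) -> int:
    """Assumed rule from the draft: NSEC/NSEC3 TTL = min(SOA TTL, SOA MINIMUM)."""
    return min(soa_ttl, soa_minimum)


def nsec_deviations(rrs: list[RR]) -> list[tuple[str, str, int, int]]:
    """NSEC/NSEC3 records whose TTL differs from the expected value.

    Returns (owner, type, actual_ttl, expected_ttl) per offending record. A chain
    that is only partly re-signed after a TTL change shows up here as the records
    still carrying the old TTL, i.e. the "deviating value" discussed in the thread."""
    want = expected_nsec_ttl(*soa_params(rrs))
    return [(r.name, r.rtype, r.ttl, want)
            for r in rrs if r.rtype in ("NSEC", "NSEC3") and r.ttl != want]


def dnskey_ttl_tied_to_soa(rrs: list[RR]) -> list[str]:
    """Heuristic: DNSKEY TTLs equal to the SOA TTL or SOA MINIMUM may have been
    defaulted from them by the signer, so changing either SOA value could change
    the DNSKEY TTL too. Confirm against the signer's documentation."""
    soa_ttl, soa_min = soa_params(rrs)
    return [r.name for r in rrs if r.rtype == "DNSKEY" and r.ttl in (soa_ttl, soa_min)]


# Constructed sample: SOA MINIMUM was lowered to 300 and re-signing started,
# but two NSEC records still carry the old 3600 TTL.
ZONE_MID_REWORK = """\
example.   3600 IN SOA    ns1.example. hostmaster.example. 2021051901 7200 3600 1209600 300
example.   3600 IN NS     ns1.example.
example.    300 IN DNSKEY 257 3 13 EXAMPLEKEYDATA ; placeholder key, not real
example.   3600 IN NSEC   a.example. NS SOA RRSIG NSEC DNSKEY
a.example. 3600 IN A      192.0.2.1
a.example.  300 IN NSEC   b.example. A RRSIG NSEC
b.example. 3600 IN A      192.0.2.2
b.example. 3600 IN NSEC   example. A RRSIG NSEC
"""

# Constructed sample of the workaround in Section 4: SOA TTL == SOA MINIMUM,
# with the whole chain already updated.
ZONE_ALIGNED = """\
example.    300 IN SOA    ns1.example. hostmaster.example. 2021051902 7200 3600 1209600 300
example.    300 IN NS     ns1.example.
example.    300 IN DNSKEY 257 3 13 EXAMPLEKEYDATA ; placeholder key, not real
example.    300 IN NSEC   a.example. NS SOA RRSIG NSEC DNSKEY
a.example. 3600 IN A      192.0.2.1
a.example.  300 IN NSEC   b.example. A RRSIG NSEC
b.example. 3600 IN A      192.0.2.2
b.example.  300 IN NSEC   example. A RRSIG NSEC
"""

if __name__ == "__main__":
    for label, zone in (("mid-rework", ZONE_MID_REWORK), ("aligned", ZONE_ALIGNED)):
        rrs = parse_zone(zone)
        print(label, "expected NSEC TTL:", expected_nsec_ttl(*soa_params(rrs)))
        for dev in nsec_deviations(rrs):
            print("  deviating:", dev)
        for owner in dnskey_ttl_tied_to_soa(rrs):
            print("  DNSKEY at", owner, "has a TTL equal to an SOA value; check signer defaults")
```

Run against the first zone the audit reports the two NSEC records still at 3600 while the SOA-derived value is 300; against the aligned zone it reports none. In both zones the DNSKEY TTL coincides with the SOA MINIMUM, which is the situation the thread warns about: lowering MINIMUM in a signer that defaults the DNSKEY TTL from it would shorten the DNSKEY TTL as a side effect.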