Re: [DNSOP] new draft: 'NSEC(3) TTLs and NSEC Aggressive Use' (New Version Notification for draft-vandijk-dnsop-nsec-ttl-00.txt)

Peter van Dijk <> Wed, 06 January 2021 20:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1AEB93A124C for <>; Wed, 6 Jan 2021 12:02:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.009, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 9jub8YnWNdWA for <>; Wed, 6 Jan 2021 12:02:32 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A62A33A1432 for <>; Wed, 6 Jan 2021 12:01:44 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by (Postfix) with ESMTPSA id AC02E6A22E; Wed, 6 Jan 2021 21:01:41 +0100 (CET)
Received: from plato ([]) by with ESMTPSA id EfPTKCUX9l+QPQAA3c6Kzw (envelope-from <>); Wed, 06 Jan 2021 21:01:41 +0100
Message-ID: <>
From: Peter van Dijk <>
Date: Wed, 06 Jan 2021 21:01:41 +0100
In-Reply-To: <>
References: <> <> <>
Organization: PowerDNS.COM B.V.
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.30.5-1.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Archived-At: <>
Subject: Re: [DNSOP] new draft: 'NSEC(3) TTLs and NSEC Aggressive Use' (New Version Notification for draft-vandijk-dnsop-nsec-ttl-00.txt)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 06 Jan 2021 20:02:34 -0000

Hello Vladimir,

On Sat, 2020-12-12 at 11:46 +0100, Vladimír Čunát wrote:
>  From resolver point of view... this implies that signed *positive* 
> wildcard answers will now get cached with this shorter "negative TTL", 
> right?  These do need to deny existence of non-wildcard match, so they 
> need to contain NSEC*.

That depends on whether a resolver caches wildcards with the TTL of the
wildcard RRset, or of the NSECs proving that the wildcard expansion is
valid. My suspicion is that most resolvers today do the former, and
when they grow the 'aggressive NSEC for wildcards' feature, they'll
take MIN(former, latter).

> Maybe the final text would better explicitly note such implications, but 
> that certainly can wait way past WG adoption. Also it might be confusing 
> that just by singing a zone the effective TTL of these answers would get 
> lower - assuming I got your intention right (if not, perhaps the current 
> text wasn't clear enough anyway).

Whether signing a zone lowers the TTL on an expanded wildcard depends entirely on the implementation - basically my previous paragraph in this email. I'd say the right approach is the MIN(..) from the previous paragraph.

However, I'm unsure what text the document should have about this. As in my response to Matthijs, the problem flows from 8198 but the problem is not in 8198. That said, we can always put more explanations in this document - perhaps even a Background section, and then I can shorten the Introduction section to only explain the core of the problem.
Kind regards,
Peter van Dijk