On Thu, Jul 09, 2015 at 11:29:11AM -0400, Olafur Gudmundsson wrote:
> Strictly speaking the minimum time needed for a Negative Trust anchor is
> something like
> Domain_Operator_reaction_time + Parent_reaction_time + Parent DS TTL +
> DNSKEY TTL

Valid point. When the NTA for a name expires, the cached data at and below that name can also be discarded, so TTLs aren't a major concern when the cache and the validator are coresident, and it hasn't been a factor with BIND. But if validating forwarders and stubs support NTAs they may have a different experience.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.