Works for me, thanks!

Paul
On Wed, Sep 20, 2023 at 7:47 PM Wessels, Duane <dwess...@verisign.com> wrote:
>
> > On Sep 20, 2023, at 2:23 PM, Paul Wouters <p...@nohats.ca> wrote:
> >
> >>> To prevent such unnecessary DNS traffic, security-aware resolvers
> >>> MUST cache DNSSEC validation failures, with some restrictions.
> >>>
> >>> What are these "some restrictions"?
> >>
> >> Here our intention is to update this statement from RFC 4035 so that MAY
> >> becomes MUST and "invalid signatures" becomes "validation failures" while
> >> leaving the "some restrictions" in place. AFAICT the restrictions that 4035
> >> talks about are using short TTLs (as above) and (I think) to have some
> >> query threshold for caching validation failures, i.e., retry before
> >> caching.
> >
> > Should some of this make it into the document so the reader understands
> > the "some restrictions"?
>
> Sure, how about this:
>
> One of the restrictions mentioned in [RFC4035] is to use a small TTL
> when caching data that fails DNSSEC validation. This is, in part,
> because the provided TTL cannot be trusted. The advice from
> Section 3.2 herein can be used as guidance on TTLs for caching DNSSEC
> validation failures.
>
> DW
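As an added illustration (not text from the thread, the draft, or any resolver implementation), here is a resolver-side cache for DNSSEC validation failures that applies the two restrictions Duane describes: the TTL on bogus data is clamped to a small cap because it cannot be trusted, and a failure is cached only after it recurs a threshold number of times. The cap (60 s) and threshold (2) are assumed values; the thread names none.

```python
"""Added example: a negative cache for DNSSEC validation failures with a
clamped TTL and a retry-before-caching threshold. Not from the DNSOP thread."""
import time
from dataclasses import dataclass, field

# Assumed policy values (constructed for this example; the thread gives none).
MAX_FAILURE_TTL = 60   # seconds; the served TTL on bogus data is untrusted, so cap it
RETRY_THRESHOLD = 2    # failures observed before an entry is actually cached


@dataclass
class FailureEntry:
    expires_at: float
    reason: str


@dataclass
class ValidationFailureCache:
    max_ttl: int = MAX_FAILURE_TTL
    retry_threshold: int = RETRY_THRESHOLD
    _entries: dict = field(default_factory=dict)   # (qname, qtype) -> FailureEntry
    _pending: dict = field(default_factory=dict)   # (qname, qtype) -> failure count

    @staticmethod
    def _key(qname, qtype):
        # Normalise owner name case and trailing dot so retries hit the same slot.
        return (qname.lower().rstrip("."), qtype.upper())

    def record_failure(self, qname, qtype, served_ttl, reason, now=None):
        """Record a validation failure; return True if it was cached.

        The failure is only cached once it has been seen retry_threshold times,
        so a single transient error does not suppress later successful lookups.
        The TTL is clamped to [0, max_ttl] because the provided TTL is untrusted.
        """
        now = time.time() if now is None else now
        key = self._key(qname, qtype)
        count = self._pending.get(key, 0) + 1
        if count < self.retry_threshold:
            self._pending[key] = count
            return False
        self._pending.pop(key, None)
        ttl = max(0, min(int(served_ttl), self.max_ttl))
        self._entries[key] = FailureEntry(now + ttl, reason)
        return True

    def lookup(self, qname, qtype, now=None):
        """Return the cached failure reason, or None (expired entries are evicted)."""
        now = time.time() if now is None else now
        key = self._key(qname, qtype)
        entry = self._entries.get(key)
        if entry is None:
            return None
        if entry.expires_at <= now:
            del self._entries[key]
            return None
        return entry.reason
```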
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop