From: Josh Soref <2119212+jsoref@users.noreply.github.com> Date: Thu, 27 Mar 2025 14:51:57 +0000 (-0400) Subject: docs: rewrite TTL usage NSEC note X-Git-Tag: dnsdist-2.0.0-alpha2~110^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=07a8f77d86d0db6ccdaca35b03ba9e884dfb7b1d;p=thirdparty%2Fpdns.git docs: rewrite TTL usage NSEC note Write note based on current behaviour, not behaviour prior to 4.3.0. Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com> --- diff --git a/docs/dnssec/operational.rst b/docs/dnssec/operational.rst index c349aaba37..2998bcd492 100644 --- a/docs/dnssec/operational.rst +++ b/docs/dnssec/operational.rst @@ -217,10 +217,7 @@ Note that the NSEC/NSEC3 records proving those negatives will get the high TTL i .. note:: - This behaviour was changed in version 4.3.0. - We believe the language in RFC 4034 and 5155 about the NSEC/NSEC3 TTL is a mistake, and we have chosen to honour its spirit instead of its words. + NSEC/NSEC3 records get the negative TTL (which is the lowest of the SOA TTL and the SOA minimum), which means their TTL matches that of a response such as NXDOMAIN. + This conforms to :rfc:`RFC 9077 <9077#section-3>`. - This unfortunate wording was eventually corrected in :rfc:`RFC 9077 <9077#section-3>`. - - NSEC/NSEC3 records now get the negative TTL (which is the lowest of the SOA TTL and the SOA minimum), which means their TTL matches that of an error such as NXDOMAIN. - This conforms to RFC9077. + Prior to version 4.3.0, the behaviour was based on language in :rfc:`RFC 4034 <4034>` and :rfc:`RFC 5155 <5155>` about the NSEC/NSEC3 TTL.
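Review bot: the new last line of the note (`+ Prior to version 4.3.0, the behaviour was based on language in :rfc:`RFC 4034 <4034>` and :rfc:`RFC 5155 <5155>` about the NSEC/NSEC3 TTL.`) no longer tells the reader what TTL those older versions actually put on NSEC/NSEC3 records, only that it came from a different RFC text; the removed lines at least made clear that the RFC 4034/5155 wording differed from what RFC 9077 later specified and that 4.3.0 changed the value. Operators still running a pre-4.3.0 release will consult this note to understand why their negative-answer TTLs differ, so consider stating the old value explicitly, i.e. name the TTL that the RFC 4034/5155 language prescribes next to the new rule (the lowest of the SOA TTL and the SOA minimum), rather than only pointing at the RFCs. The rest of the rewrite is an improvement: leading with the current behaviour and keeping the `:rfc:` link to section 3 of RFC 9077 puts the normative reference where readers look first.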