As described in Usar NSEC3 en vez de NSEC en un dominio DNSSEC con gestión de DNS dinámico, the common TTL (Time To Live (TTL)) used in NSEC3PARAMS record is Zero. This record is used in DNSSEC to provide a secure "proof of non existence" without leaking details about what names actually exist. I never fully understood why a TTL of zero is so common, but knowing in this case is not really important.
So good so far.
The problem was listening to The Ask Mr. DNS Podcast: Episode 57 . There, Matt Larson and Cricket Liu talk long and deep about why using a TTL of Zero for DNS records is (almost) always a bad idea. I agree with the comments in the podcast, but the comments hit a nerve inside of me. I have always been unconfortable about not knowing WHY a TTL of Zero is used with NSEC3PARAMS and now real DNS experts  were saying that a TTL of Zero is bad.
|||(1, 2, 3)|