May be EDNS OPT DNSSEC casting as TTL (Claude suggestion)
I don't get the intention. The auth server is obliged to send a SOA with TTL controlling this in that case. The thing is... what should Knot Resolver do exactly when the server breaks this obligation?