diff --git a/doc/Changelog b/doc/Changelog index de87d18f3..2577d6ff2 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -12,6 +12,7 @@ libunbound/python/examples) are not installed. - python invalidate routine respects packed rrset ids and locks. - clock skew checks in unbound, config statements. + - nxdomain ttl considerations in requirements.txt 3 April 2009: Wouter - Fixed a bug that caused messages to be stored in the cache too diff --git a/doc/requirements.txt b/doc/requirements.txt index 81418213d..165527dae 100644 --- a/doc/requirements.txt +++ b/doc/requirements.txt @@ -243,3 +243,17 @@ o 0x20 backoff. They are sent to a random server, but no one address more than 4 times. It succeeds if one has 0x20 intact, or else all are equal. Otherwise, servfail is returned to the client. + +o NXDOMAIN and SOA serial numbers. + Unbound keeps TTL values for message formats, and thus rcodes, such + as NXDOMAIN. Also it keeps the latest rrsets in the rrset cache. + So it will faithfully negative cache for the exact TTL as originally + specified for an NXDOMAIN message, but send a newer SOA record if + this has been found in the mean time. In point, this could lead to a + negative cached NXDOMAIN reply with a SOA RR where the serial number + indicates a zone version where this domain is not any longer NXDOMAIN. + These situations become consistent once the original TTL expires. + If the domain is DNSSEC signed, by the way, then NSEC records are + updated more carefully. If one of the NSEC records in an NXDOMAIN is + updated from another query, the NXDOMAIN is dropped from the cache, + and queried for again, so that its proof can be checked again.
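Review bot: The new entry in the doc/Changelog hunk, "nxdomain ttl considerations in requirements.txt", does not mention what the added requirements.txt item is actually titled and about, "NXDOMAIN and SOA serial numbers", nor the NSEC handling it describes. Naming the SOA serial point in the entry would let a reader find this note from the Changelog.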
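Review bot: In the doc/requirements.txt hunk, the sentence starting "In point, this could lead to" is hard to parse. "In point" reads like a slip for "In particular" or "In practice", and the text should say which. The item also leaves an asymmetry unexplained: an NSEC record updated from another query causes the NXDOMAIN to be dropped and queried for again, while a newer SOA is simply sent along with the still-cached NXDOMAIN. One sentence stating why the SOA inconsistency is accepted until the original TTL expires would make this a requirement rather than an observation. Dropping "by the way" would also keep the DNSSEC sentence from reading as an aside.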