icing / mod_md

Let's Encrypt (ACME) in Apache httpd
https://icing.github.io/mod_md/
Apache License 2.0

OCSP response rejected when nextUpdate field not set #326

Closed frasertweedale closed 9 months ago

frasertweedale commented 9 months ago

https://github.com/icing/mod_md/blob/bafab7573c840e3a51a438330a4328071d54507d/src/md_ocsp.c#L686-L691

mod_md rejects an OCSP response when the nextUpdate field is not set. However, per RFC 6960 this is valid. Per https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.2.1:

   If nextUpdate is not set, the responder is indicating that newer
   revocation information is available all the time.

mod_md should not reject these responses. Instead, when !bnextup it should set valid.end to valid.start plus some fixed interval. I would suggest a value between 8 hours and 1 day would be fine. It could be made configurable, but that might be overkill.

For a point of reference, the CA/B Forum Baseline Requirements - the requirements for publicly trusted CAs - require an OCSP response validity period >= 8 hours and <= 10 days.
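The validity-window logic the issue proposes, written out as an added example in plain C. This is not mod_md's code (mod_md uses APR types and its own md_ocsp.c structures); the names ocsp_compute_validity, ocsp_window_is_current and OCSP_FALLBACK_VALID_SECS are hypothetical, and the fallback interval of 8 hours is an assumption taken from the lower bound quoted above. When nextUpdate is absent the window ends a fixed interval after thisUpdate instead of the response being rejected; a nextUpdate earlier than thisUpdate is still treated as malformed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Assumption: fallback window applied when a response omits nextUpdate.
 * 8 hours is the low end of the range the issue cites from the CA/B Forum
 * Baseline Requirements; a deployment could choose anything up to 1 day. */
#define OCSP_FALLBACK_VALID_SECS ((time_t)8 * 60 * 60)

typedef struct {
    time_t start;   /* thisUpdate */
    time_t end;     /* nextUpdate, or thisUpdate + fallback when absent */
} ocsp_valid_window_t;

/* Derive the validity window of an OCSP single response.
 * have_next_update == false models the case from the issue: the responder
 * omitted nextUpdate, which RFC 6960 section 4.2.2.1 permits and which means
 * "newer revocation information is available all the time". Rather than
 * rejecting the response, the window ends a fixed interval after thisUpdate.
 * Returns false only when the response is inconsistent on its own terms
 * (nextUpdate earlier than thisUpdate). */
bool ocsp_compute_validity(time_t this_update, bool have_next_update,
                           time_t next_update, ocsp_valid_window_t *out)
{
    out->start = this_update;
    if (!have_next_update) {
        out->end = this_update + OCSP_FALLBACK_VALID_SECS;
        return true;
    }
    if (next_update < this_update) {
        return false;
    }
    out->end = next_update;
    return true;
}

/* A response is usable at 'now' if now lies within [start, end].
 * 'skew' tolerates small clock differences between responder and client. */
bool ocsp_window_is_current(const ocsp_valid_window_t *w, time_t now, time_t skew)
{
    return (now + skew >= w->start) && (now - skew <= w->end);
}

int main(void)
{
    /* Constructed sample: a response produced at 'now' with no nextUpdate. */
    time_t now = time(NULL);
    ocsp_valid_window_t w;

    if (!ocsp_compute_validity(now, false, 0, &w)) {
        fprintf(stderr, "unexpected: response rejected\n");
        return 1;
    }
    printf("window: %ld .. %ld (fallback %ld s), current=%d\n",
           (long)w.start, (long)w.end, (long)OCSP_FALLBACK_VALID_SECS,
           ocsp_window_is_current(&w, now, 60));
    return 0;
}
```

With the fallback in place, a stapled response that lacks nextUpdate is refreshed by the client on its own schedule (here every 8 hours) rather than being dropped, which keeps stapling working against responders that follow the RFC literally.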