diff --git a/doc/Changelog b/doc/Changelog index 2da0c8694..eb95e8bbb 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +11 September 2024: Yorgos + - Fix and add comments in testdata/val_negcache_ttl.rpl. + 10 September 2024: Wouter - Fix to limit NSEC and NSEC3 TTL when aggressive nsec is enabled (RFC9077). diff --git a/testdata/val_negcache_ttl.rpl b/testdata/val_negcache_ttl.rpl index ef396cca1..328b9b6ec 100644 --- a/testdata/val_negcache_ttl.rpl +++ b/testdata/val_negcache_ttl.rpl @@ -14,6 +14,14 @@ stub-zone: CONFIG_END SCENARIO_BEGIN Test validator with negative cache TTL (aggressive NSEC) +; Scenario overview: +; - query for antelope.testzone.nlnetlabs.nl. IN TXT (NXDOMAIN) +; - answer from upstream is NXDOMAIN with NSEC records that cover ant.testzone.nlnetlabs.nl +; - the NSEC records should be cached for 900 seconds only (minimum of SOA) +; - check that ant.testzone.nlnetlabs.nl gets the synthesized NXDOMAIN from aggressive-nsec +; - let NSEC records expire +; - query for ant.testzone.nlnetlabs.nl. IN TXT which is now available on the nameserver +; - check that aggressive-nsec cannot synthesize NXDOMAIN (expired NSECs) and the query is resolved ; testzone.nlnetlabs.nl nameserver RANGE_BEGIN 0 100 @@ -32,6 +40,7 @@ testzone.nlnetlabs.nl. 3600 IN RRSIG DNSKEY 8 3 3600 20180313101254 201802131012 ENTRY_END ; response for antelope.testzone.nlnetlabs.nl. +; NSECs cover ant.testzone.nlnetlabs.nl as non-existent. ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id @@ -49,7 +58,7 @@ testzone.nlnetlabs.nl. 900 IN RRSIG SOA 8 3 900 20180313101254 20180213101254 14 SECTION ADDITIONAL ENTRY_END -; No answer for ant.testzone.nlnetlabs.nl +; No answer for ant.testzone.nlnetlabs.nl in this range ; response for peanut.testzone.nlnetlabs.nl. AAAA ENTRY_BEGIN @@ -70,6 +79,7 @@ RANGE_END ; testzone.nlnetlabs.nl nameserver RANGE_BEGIN 100 200 ADDRESS 185.49.140.60 +; response for ant.testzone.nlnetlabs.nl ENTRY_BEGIN REPLY QR AA NOERROR SECTION QUESTION 
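Review bot: In the `@@ -14,6 +14,14 @@` hunk of testdata/val_negcache_ttl.rpl, the overview wording `(minimum of SOA)` is ambiguous. The SOA record used in this scenario has a record TTL of 900 and a MINIMUM field of 3600, so "minimum" can be read as the 3600 field. The 900 in the comment matches the SOA TTL, which suggests the cap is the lesser of the two values, as RFC9077 (named in the Changelog entry) describes. I would spell that out, e.g. `; - the NSEC records should be cached for 900 seconds only (lesser of SOA TTL 900 and SOA MINIMUM 3600)`. That makes the scenario easier to reuse when checking that a synthesized denial cannot outlive the zone's negative TTL.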
@@ -87,7 +97,7 @@ SECTION QUESTION antelope.testzone.nlnetlabs.nl. IN TXT ENTRY_END -; recursion happens here. +; recursion happens here. Expect NXDOMAIN. STEP 10 CHECK_ANSWER ENTRY_BEGIN MATCH all ttl 
@@ -105,7 +115,32 @@ testzone.nlnetlabs.nl. 900 IN RRSIG SOA 8 3 900 20180313101254 20180213101254 14 SECTION ADDITIONAL ENTRY_END -; Time passes that should have removed the entry. +; query for ant.testzone.nlnetlabs.nl (non-existent) +STEP 11 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +ant.testzone.nlnetlabs.nl. IN TXT +ENTRY_END + +; this is the synthesized NXDOMAIN from aggressive-nsec +STEP 12 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ttl +REPLY QR RD RA AD DO NXDOMAIN +SECTION QUESTION +ant.testzone.nlnetlabs.nl. IN TXT +SECTION ANSWER +SECTION AUTHORITY +testzone.nlnetlabs.nl. 3600 IN NSEC alligator.testzone.nlnetlabs.nl. NS SOA RRSIG NSEC DNSKEY +testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 3 3600 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. tcW20hZu5Ao+ikM+qjqAlRt3ujNxTKi6kZF3waWJGY7Ldyp9XyWzB1DeoQzaNJ6zflPYFO32RUhj7jWhEIUphG4+lEvm7VGJAdSteUZ2yOppN6eZvOk0Nc0nAGPFGBjLO6ul1Wh1X+jL61q7mWt3nY+IFBZHWmhsi2Qi7vM/W4E= +alligator.testzone.nlnetlabs.nl. 3600 IN NSEC cheetah.testzone.nlnetlabs.nl. TXT RRSIG NSEC +alligator.testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 4 3600 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. Zfkp3kmN8heAuIF/apf6RHhZAoGyXnvZLALRYTKIH7E9XC2wtvG9dZla4WLSr3ndA4d0CFgnKOt8mSVSLyNn232D0ahx4DFAnOJitnt9odT2+2sYhJbwCx38tPKhAUWmIn2jGZGMVjbVbEVi7WyQBrJYQqyhE/lADEDSdQZBNyA= +testzone.nlnetlabs.nl. 900 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600 +testzone.nlnetlabs.nl. 900 IN RRSIG SOA 8 3 900 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. abG0cByo/q5NaDNMz6FPvNvehHqUDhQRwLdvG72315hMGzCavLRWuAB5gieibMCrICH2WVHVj7fisjSuY0iPwf9xZlCGts3Z+xD9D72VRiTz7QXF+JjRWKl+3Uk6c29+pvIRKXC1Ht0r9uBXGmDTaHdV7cZCveoDwIVSngY+mQ0= +ENTRY_END + +; Time passes and NSECs should be expired. STEP 20 TIME_PASSES ELAPSE 910 ; query something that gets the SOA record for the testzone in cache. 
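Review bot: In the new STEP 12 the expected NSEC and RRSIG NSEC records are listed with TTL 3600 under `MATCH all ttl`, while the scenario overview says these NSECs are cached for 900 seconds only. From the hunk alone I cannot tell whether 3600 is the value the client is meant to see in the synthesized NXDOMAIN or whether the expected TTLs should read 900. If 3600 is intended, a comment above the step would remove the doubt, e.g. `; NSEC TTLs are matched as 3600 here; the 900 cap is only verified by the expiry check in STEP 20/120`. If the cap is meant to be visible in the answer, the expected records should carry 900 so that a regression handing out denial proofs with the uncapped TTL fails at this step and not only after the time jump.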
@@ -129,7 +164,7 @@ testzone.nlnetlabs.nl. 900 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs. testzone.nlnetlabs.nl. 900 IN RRSIG SOA 8 3 900 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. abG0cByo/q5NaDNMz6FPvNvehHqUDhQRwLdvG72315hMGzCavLRWuAB5gieibMCrICH2WVHVj7fisjSuY0iPwf9xZlCGts3Z+xD9D72VRiTz7QXF+JjRWKl+3Uk6c29+pvIRKXC1Ht0r9uBXGmDTaHdV7cZCveoDwIVSngY+mQ0= ENTRY_END -; query for ant.testzone.nlnetlabs.nl, which isn't on the testzone nameserver +; query for ant.testzone.nlnetlabs.nl. In this range it is on the nameserver. STEP 110 QUERY ENTRY_BEGIN REPLY RD DO @@ -137,6 +172,8 @@ SECTION QUESTION ant.testzone.nlnetlabs.nl. IN TXT ENTRY_END +; Expect an answer since the 3600 TTL NSECs from STEP 10 should have been +; limited to 900 and be expired by now. STEP 120 CHECK_ANSWER ENTRY_BEGIN MATCH all ttl 
@@ -146,14 +183,6 @@ ant.testzone.nlnetlabs.nl. IN TXT SECTION ANSWER ant.testzone.nlnetlabs.nl. TXT "heap" ant.testzone.nlnetlabs.nl. 3600 IN RRSIG TXT 8 4 3600 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. Sn8dBGMSYGGKs7yGWO0CShxbm3ba5Y6ysHyE/HJyFnS8NmsKIx/KVdFPRQx/Jm7a3hektRXrjxetfhfJm0SzJ2UFeKlkE+VJ/Lj2oAETqN1oqqkNr+RDdbKLMzLApMRgrhStSAO1Yb8/8oUIflyrjNbuDbAHSMbkOE+Z49LIais= -SECTION AUTHORITY -; This response is not returned, with NXDOMAIN -;testzone.nlnetlabs.nl. 3600 IN NSEC alligator.testzone.nlnetlabs.nl. NS SOA RRSIG NSEC DNSKEY -;testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 3 3600 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. tcW20hZu5Ao+ikM+qjqAlRt3ujNxTKi6kZF3waWJGY7Ldyp9XyWzB1DeoQzaNJ6zflPYFO32RUhj7jWhEIUphG4+lEvm7VGJAdSteUZ2yOppN6eZvOk0Nc0nAGPFGBjLO6ul1Wh1X+jL61q7mWt3nY+IFBZHWmhsi2Qi7vM/W4E= -;alligator.testzone.nlnetlabs.nl. 3600 IN NSEC cheetah.testzone.nlnetlabs.nl. TXT RRSIG NSEC -;alligator.testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 4 3600 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. Zfkp3kmN8heAuIF/apf6RHhZAoGyXnvZLALRYTKIH7E9XC2wtvG9dZla4WLSr3ndA4d0CFgnKOt8mSVSLyNn232D0ahx4DFAnOJitnt9odT2+2sYhJbwCx38tPKhAUWmIn2jGZGMVjbVbEVi7WyQBrJYQqyhE/lADEDSdQZBNyA= -;testzone.nlnetlabs.nl. 900 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600 -;testzone.nlnetlabs.nl. 900 IN RRSIG SOA 8 3 900 20180313101254 20180213101254 1444 testzone.nlnetlabs.nl. abG0cByo/q5NaDNMz6FPvNvehHqUDhQRwLdvG72315hMGzCavLRWuAB5gieibMCrICH2WVHVj7fisjSuY0iPwf9xZlCGts3Z+xD9D72VRiTz7QXF+JjRWKl+3Uk6c29+pvIRKXC1Ht0r9uBXGmDTaHdV7cZCveoDwIVSngY+mQ0= ENTRY_END SCENARIO_END