Negative UNL
The Negative UNL is a feature of the XRP Ledger consensus protocol that improves liveness, the network's ability to make forward progress during a partial outage. Using the Negative UNL, servers adjust their effective UNLs based on which validators are currently online and operational, so that a new ledger version can be declared validated even if several trusted validators are offline.
The Negative UNL has no impact on how the network processes transactions or what transactions' outcomes are, except that it improves the network's ability to declare outcomes final during some types of partial outages.
Background
Each server in the XRP Ledger protocol independently decides a ledger version is validated when a quorum of its trusted validators agree. A server's trusted validators are defined by that server's UNL (Unique Node List), a list of validators it trusts not to collude. By default, servers are configured to trust any validator on at least one of two lists, one UNL published by the XRP Ledger Foundation and one UNL published by Ripple.
The standard quorum requirement is 80% of trusted validators. If more than 20% of trusted validators go offline or become unable to communicate with the rest of the network, servers stop validating new ledgers because they cannot reach a quorum. This is a design choice to ensure that no transactions' outcomes can be changed after they are declared final. During such a situation, the remaining servers would still be online and could provide past and tentative transaction data, but could not confirm the final, immutable outcome of new transactions.
However, this means that the network could stop making forward progress if a few widely trusted validators went offline. As of 2024-06-25, there are a total of 35 validators on the default UNLs, so the network would stop making forward progress if 8 or more of them were offline. Furthermore, if one or two validators are out for an extended period of time, the network has less room for disagreement between the remaining validators, which can make it take longer to achieve a consensus.
Summary
It is not reasonable to expect a diverse set of validators to maintain 100% uptime: many things can cause a validator to become temporarily unavailable, such as: hardware maintenance, software upgrades, internet connectivity problems, targeted attacks, human error, hardware failures, and outside circumstances like natural disasters.
The "Negative UNL" is a list of trusted validators which are believed to be offline or malfunctioning, as declared by a consensus of the remaining validators. Validators in the Negative UNL are ignored for determining if a new ledger version has attained a consensus.
When a validator that is on the Negative UNL comes back online and sends consistent validation votes, the remaining validators remove it from the Negative UNL after a short time.
In cases where validators go offline one or two at a time, the remaining validators can use the Negative UNL to gradually adjust their effective UNLs, so that the network only ever needs 80% of the online validators to achieve a quorum. To prevent the network from fragmenting, the quorum has a hard minimum of 60% of total validators.
If more than 20% of validators suddenly go offline all at once, the remaining servers cannot achieve the quorum necessary to validate a new ledger, so no new ledgers could be validated. However, those servers can still make tentative forward progress through successive consensus rounds. Over time, the remaining validators would continue to apply changes to the Negative UNL to the tentative ledgers and adjust their effective UNLs; eventually, if the situation persists, the network could resume fully validating ledgers by using the adjusted Negative UNL from the tentative ledger versions.
Negative UNL has no effect on stand-alone mode since the server does not use consensus in stand-alone mode.