Search RFCs
RFC 8198
Aggressive Use of DNSSEC-Validated Cache,July 2017
- File formats:
- Status:
- PROPOSED STANDARD
- Updates:
- RFC 4035
- Updated by:
- RFC 9077
- Authors:
- K. Fujiwara
A. Kato
W. Kumari - Stream:
- IETF
- Source:
- dnsop (ops)
Cite this RFC:TXT | XML | BibTeX
DOI: https://doi.org/10.17487/RFC8198
Discuss this RFC: Send questions or comments to the mailing listdnsop@ietf.org
Other actions:Submit Errata | Find IPR Disclosures from the IETF | View History of RFC 8198
Abstract
The DNS relies upon caching to scale; however, the cache lookupgenerally requires an exact match. This document specifies the useof NSEC/NSEC3 resource records to allow DNSSEC-validating resolversto generate negative answers within a range and positive answers fromwildcards. This increases performance, decreases latency, decreasesresource utilization on both authoritative and recursive servers, andincreases privacy. Also, it may help increase resilience to certainDoS attacks in some circumstances.
This document updates RFC 4035 by allowing validating resolvers togenerate negative answers based upon NSEC/NSEC3 records and positiveanswers in the presence of wildcards.
For the definition ofStatus,seeRFC 2026.
For the definition ofStream, seeRFC 8729.