UNLIMITED FREE
ACCESS TO THE WORLD'S BEST IDEAS

SUBMIT
Already a GlobalSpec user? Log in.

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.

Customize Your GlobalSpec Experience

Select Your Free Newsletters

Industry Newsletters

Select Your Free Product Alerts

Finish!
Privacy Policy

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.

IETF RFC 8198

Aggressive Use of DNSSEC-Validated Cache

active, Most Current
Buy Now
Organization: IETF
Publication Date: 1 July 2017
Status: active
Page Count: 13
scope:

The DNS relies upon caching to scale; however, the cache lookup generally requires an exact match. This document specifies the use of NSEC/NSEC3 resource records to allow DNSSEC-validating resolvers to generate negative answers within a range and positive answers from wildcards. This increases performance, decreases latency, decreases resource utilization on both authoritative and recursive servers, and increases privacy. Also, it may help increase resilience to certain DoS attacks in some circumstances.

This document updates RFC 4035 by allowing validating resolvers to generate negative answers based upon NSEC/NSEC3 records and positive answers in the presence of wildcards.

Document History

IETF RFC 8198
July 1, 2017
Aggressive Use of DNSSEC-Validated Cache
The DNS relies upon caching to scale; however, the cache lookup generally requires an exact match. This document specifies the use of NSEC/NSEC3 resource records to allow DNSSEC-validating resolvers...

References

This document references:
IETF RFC 4592 - The Role of Wildcards in the Domain Name System
Published by IETF on July 1, 2006
This is an update to the wildcard definition of RFC 1034. The interaction with wildcards and CNAME is changed, an error condition is removed, and the words defining some concepts central to wildcards...
This document references:
IETF RFC 8020 - NXDOMAIN: There Really Is Nothing Underneath
Published by IETF on November 1, 2016
This document states clearly that when a DNS resolver receives a response with a response code of NXDOMAIN, it means that the domain name which is thus denied AND ALL THE NAMES UNDER IT do not exist....
This document is referenced by:
IETF RFC 8749 - Moving DNSSEC Lookaside Validation (DLV) to Historic Status
Published by IETF on March 1, 2020
Abstract This document retires DNSSEC Lookaside Validation (DLV) and reclassifies RFCs 4431 and 5074 as Historic. Furthermore, this document updates RFC 6698 by excluding the DLV resource record from...
This document is referenced by:
RFC 9156 - DNS Query Name Minimisation to Improve Privacy
Published by IETF on November 1, 2021
Abstract This document describes a technique called "QNAME minimisation" to improve DNS privacy, where the DNS resolver no longer always sends the full original QNAME and original QTYPE to the...
This document is referenced by:
RFC 9476 - The .alt Special-Use Top-Level Domain
Published by IETF on September 1, 2023
This document reserves a Top-Level Domain (TLD) label "alt" to be used in non-DNS contexts. It also provides advice and guidance to developers creating alternative namespaces.
This document is superseded by:
RFC 9077 - NSEC and NSEC3: TTLs and Aggressive Use
Published by IETF on July 1, 2021
Abstract Due to a combination of unfortunate wording in earlier documents, aggressive use of NSEC and NSEC3 records may deny the existence of names far beyond the intended lifetime of a denial. This...
This document is superseded by:
RFC 9077 - NSEC and NSEC3: TTLs and Aggressive Use
Published by IETF on July 1, 2021
Abstract Due to a combination of unfortunate wording in earlier documents, aggressive use of NSEC and NSEC3 records may deny the existence of names far beyond the intended lifetime of a denial. This...
View Less
View All
Advertisement