RFC 5452

Measures for Making DNS More Resilient against Forged Answers, January 2009

File formats:
icon for text file icon for PDF icon for HTML
Status:
PROPOSED STANDARD
Updates:
RFC 2181
Authors:
A. Hubert
R. van Mook
Stream:
IETF
Source:
dnsext (int)

Cite this RFC: TXT  |  XML  |   BibTeX

DOI:  https://doi.org/10.17487/RFC5452

Discuss this RFC: Send questions or comments to the mailing list dnsext@ietf.org

Other actions: Submit Errata  |  Find IPR Disclosures from the IETF  |  View History of RFC 5452


Abstract

The current Internet climate poses serious threats to the Domain Name System. In the interim period before the DNS protocol can be secured more fully, measures can already be taken to harden the DNS to make 'spoofing' a recursing nameserver many orders of magnitude harder.

Even a cryptographically secured DNS benefits from having the ability to discard bogus responses quickly, as this potentially saves large amounts of computation.

By describing certain behavior that has previously not been standardized, this document sets out how to make the DNS more resilient against accepting incorrect responses. This document updates RFC 2181. [STANDARDS-TRACK]


For the definition of Status, see RFC 2026.

For the definition of Stream, see RFC 8729.




Advanced Search