RFC 8198

Aggressive Use of DNSSEC-Validated Cache, July 2017

File formats:
icon for text file icon for PDF icon for HTML
RFC 4035
Updated by:
RFC 9077
K. Fujiwara
A. Kato
W. Kumari
dnsop (ops)

Cite this RFC: TXT  |  XML  |   BibTeX

DOI:  https://doi.org/10.17487/RFC8198

Discuss this RFC: Send questions or comments to the mailing list dnsop@ietf.org

Other actions: Submit Errata  |  Find IPR Disclosures from the IETF  |  View History of RFC 8198


The DNS relies upon caching to scale; however, the cache lookup generally requires an exact match. This document specifies the use of NSEC/NSEC3 resource records to allow DNSSEC-validating resolvers to generate negative answers within a range and positive answers from wildcards. This increases performance, decreases latency, decreases resource utilization on both authoritative and recursive servers, and increases privacy. Also, it may help increase resilience to certain DoS attacks in some circumstances.

This document updates RFC 4035 by allowing validating resolvers to generate negative answers based upon NSEC/NSEC3 records and positive answers in the presence of wildcards.

For the definition of Status, see RFC 2026.

For the definition of Stream, see RFC 8729.

Advanced Search