{"draft":"draft-ietf-dnsop-nsec-aggressiveuse-10","doc_id":"RFC8198","title":"Aggressive Use of DNSSEC-Validated Cache","authors":["K. Fujiwara","A. Kato","W. Kumari"],"format":["ASCII","HTML"],"page_count":"13","pub_status":"PROPOSED STANDARD","status":"PROPOSED STANDARD","source":"Domain Name System Operations","abstract":"The DNS relies upon caching to scale; however, the cache lookup\r\ngenerally requires an exact match.  This document specifies the use\r\nof NSEC\/NSEC3 resource records to allow DNSSEC-validating resolvers\r\nto generate negative answers within a range and positive answers from\r\nwildcards.  This increases performance, decreases latency, decreases\r\nresource utilization on both authoritative and recursive servers, and\r\nincreases privacy.  Also, it may help increase resilience to certain\r\nDoS attacks in some circumstances.\r\n\r\nThis document updates RFC 4035 by allowing validating resolvers to\r\ngenerate negative answers based upon NSEC\/NSEC3 records and positive\r\nanswers in the presence of wildcards.","pub_date":"July 2017","keywords":["Negative cache","NCACHE","NSEC","NSEC3"],"obsoletes":[],"obsoleted_by":[],"updates":["RFC4035"],"updated_by":["RFC9077"],"see_also":[],"doi":"10.17487\/RFC8198","errata_url":null}