The IESG has received a request from the Domain Name System Operations WG (dnsop) to consider the following document:

- 'Aggressive use of DNSSEC-validated Cache' <draft-ietf-dnsop-nsec-aggressiveuse-08.txt> as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2017-03-27. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting.

Abstract

The DNS relies upon caching to scale; however, the cache lookup generally requires an exact match. This document specifies the use of NSEC/NSEC3 resource records to allow DNSSEC validating resolvers to generate negative answers within a range, and positive answers from wildcards. This increases performance / decreases latency, decreases resource utilization on both authoritative and recursive servers, and also increases privacy. It may also help increase resilience to certain DoS attacks in some circumstances.

This document updates RFC4035 by allowing validating resolvers to generate negative answers based upon NSEC/NSEC3 records (and positive answers in the presence of wildcards).

[ Ed note: Text inside square brackets ([]) is additional background information, answers to frequently asked questions, general musings, etc. They will be removed before publication. This document is being collaborated on in Github at: https://github.com/wkumari/draft-ietf-dnsop-nsec-aggressiveuse. The most recent version of the document, open issues, etc should all be available here. The authors (gratefully) accept pull requests.]

The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-dnsop-nsec-aggressiveuse/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-dnsop-nsec-aggressiveuse/ballot/

No IPR declarations have been submitted directly on this I-D.

The document contains these normative downward references. See RFC 3967 for additional information:

- rfc6982: Improving Awareness of Running Code: The Implementation Status Section (Experimental - IETF stream)
- draft-fujiwara-dnsop-nsec-aggressiveuse: Aggressive use of NSEC/NSEC3 (None - IETF stream)
- rfc7129: Authenticated Denial of Existence in the DNS (Informational - Independent Submission Editor stream)
- rfc7719: DNS Terminology (Informational - IETF stream)

Note that some of these references may already be listed in the acceptable Downref Registry.
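
The range-based negative answer described in the abstract, as an added example (not text or code from the draft or its authors): a resolver-side cache that answers NXDOMAIN from already-validated NSEC records only when both the query name and the wildcard at its closest encloser are covered. Assumptions: NSEC only (no NSEC3), names without escaped dots, DNSSEC validation done before `add()`, and the `NsecCache` class, the `cut` flag and the example.com zone are all hypothetical.

```python
def canon(name):
    """RFC 4034 section 6.1 sort key: lowercase labels, rightmost label first."""
    return tuple(l.encode("ascii") for l in reversed(name.rstrip(".").lower().split(".")))

def covers(o, n, q):
    """True if key q lies strictly inside the NSEC gap (o, n), i.e. q does not exist."""
    if o < n:
        return o < q < n
    # Last NSEC of the chain: the next name wraps around to the zone apex n.
    return q > o and q[:len(n)] == n

def shared(a, b):
    """Longest common ancestor of two keys."""
    k = 0
    while k < min(len(a), len(b)) and a[k] == b[k]:
        k += 1
    return a[:k]

class NsecCache:
    """Holds validated NSEC records as (owner key, next key, expiry, cut)."""
    def __init__(self):
        self.records = []

    def add(self, owner, nxt, ttl, now, cut=False):
        # cut=True: the type bitmap marks owner as a delegation (NS without SOA) or DNAME.
        self.records.append((canon(owner), canon(nxt), now + ttl, cut))

    def _gap(self, q, now):
        for o, n, exp, cut in self.records:
            below_cut = cut and q[:len(o)] == o   # name belongs to another zone
            if now < exp and not below_cut and covers(o, n, q):
                return o, n
        return None

    def can_synthesize_nxdomain(self, qname, now):
        q = canon(qname)
        gap = self._gap(q, now)
        if gap is None:
            return False                          # no cached proof: query upstream
        # Closest encloser: deepest ancestor of q implied to exist by the NSEC names.
        ce = max(shared(gap[0], q), shared(gap[1], q), key=len)
        # A wildcard at the closest encloser could answer q; its absence needs proof too.
        return self._gap(ce + (b"*",), now) is not None

def build_sample_cache(now=1000):
    # Constructed, partial NSEC chain for a hypothetical example.com zone.
    c = NsecCache()
    c.add("example.com", "a.example.com", 300, now)
    c.add("a.example.com", "m.example.com", 300, now)
    c.add("sub.example.com", "z.example.com", 300, now, cut=True)
    c.add("z.example.com", "example.com", 300, now)
    return c
```
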