rfc-9077

NSEC and NSEC3: TTLs and Aggressive Use

P. van Dijk

date2021-07 streamIETF areaops wgdnsop statusPROPOSED STANDARD pages8 canonicalhttps://www.rfc-editor.org/rfc/rfc9077 doi10.17487/RFC9077

Due to a combination of unfortunate wording in earlier documents, aggressive use of NSEC and NSEC3 records may deny the existence of names far beyond the intended lifetime of a denial. This document changes the definition of the NSEC and NSEC3 TTL to correct that situation. This document updates RFCs 4034, 4035, 5155, and 8198.

updates

rfc-4034 — Resource Records for the DNS Security Extensions
rfc-4035 — Protocol Modifications for the DNS Security Extensions
rfc-5155 — DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
rfc-8198 — Aggressive Use of DNSSEC-Validated Cache