> On Sep 20, 2023, at 2:23 PM, Paul Wouters <p...@nohats.ca> wrote:
>
>
>>> To prevent such unnecessary DNS traffic, security-aware resolvers
>>> MUST cache DNSSEC validation failures, with some restrictions.
>>>
>>> What are these "some restrictions" ?
>>
>> Here our intention is to update this statement from RFC 4035 so that MAY
>> becomes MUST and "invalid signatures" becomes "validation failures" while
>> leaving the "some restrictions" in place. AFAICT the restrictions that 4035
>> talks about are using short TTLs (as above) and (I think) to have some
>> query threshold for caching validation failures, i.e., retry before
>> caching.
>
> Should some of this make it into the document so the reader understands
> the "some restrictions" ?
>
Sure, how about this:
One of the restrictions mentioned in [RFC4035] is to use a small TTL
when caching data that fails DNSSEC validation. This is, in part,
because the provided TTL cannot be trusted. The advice from
Section 3.2 herein can be used as guidance on TTLs for caching DNSSEC
validation failures.
DW
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
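The two restrictions discussed above, a capped TTL for cached validation failures and a retry threshold before caching, as an added illustration that is not text from the draft or code from any resolver. The policy numbers (minimum and maximum failure TTL, failure count, counting window) are assumptions chosen for the example; the thread gives none, and a real resolver would take them from the draft's Section 3.2.

```python
"""Toy cache of DNSSEC validation failures for a validating resolver.

Added example, not from the draft or any resolver implementation.  Shows
two restrictions on caching failures: the TTL carried by an answer that
failed validation is not trusted and is clamped, and a failure is only
cached after it repeats within a short window (retry before caching).
"""
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Policy values assumed for this example; the thread does not give numbers.
DEFAULT_MIN_TTL = 1        # never remember a failure for less than a second
DEFAULT_MAX_TTL = 300      # upper bound on how long a failure is remembered
DEFAULT_THRESHOLD = 2      # failures within the window before caching
DEFAULT_WINDOW = 60        # seconds over which repeated failures are counted


@dataclass
class _Entry:
    failures: List[float] = field(default_factory=list)  # recent failure times
    cached_until: Optional[float] = None                 # None: not cached yet


class ValidationFailureCache:
    """Remember (owner name, RR type) pairs whose answers failed validation."""

    def __init__(self, min_ttl: int = DEFAULT_MIN_TTL, max_ttl: int = DEFAULT_MAX_TTL,
                 threshold: int = DEFAULT_THRESHOLD, window: int = DEFAULT_WINDOW):
        self.min_ttl = min_ttl
        self.max_ttl = max_ttl
        self.threshold = threshold
        self.window = window
        self._entries: Dict[Tuple[str, str], _Entry] = {}

    @staticmethod
    def _key(name: str, rrtype: str) -> Tuple[str, str]:
        return (name.lower(), rrtype.upper())

    def clamp_ttl(self, provided_ttl: int) -> int:
        """The TTL in an answer that failed validation cannot be trusted,
        so bound it from below and above with the resolver's own policy."""
        return max(self.min_ttl, min(provided_ttl, self.max_ttl))

    def record_failure(self, name: str, rrtype: str, provided_ttl: int,
                       now: Optional[float] = None) -> bool:
        """Note a validation failure.  Returns True once the failure is
        actually cached, False while the resolver should still retry."""
        now = time.time() if now is None else now
        entry = self._entries.setdefault(self._key(name, rrtype), _Entry())
        # Keep only failures inside the counting window, then add this one.
        entry.failures = [t for t in entry.failures if now - t <= self.window]
        entry.failures.append(now)
        if len(entry.failures) < self.threshold:
            return False
        entry.cached_until = now + self.clamp_ttl(provided_ttl)
        return True

    def is_cached(self, name: str, rrtype: str, now: Optional[float] = None) -> bool:
        """True if a validation failure for this name/type is still cached."""
        now = time.time() if now is None else now
        key = self._key(name, rrtype)
        entry = self._entries.get(key)
        if entry is None or entry.cached_until is None:
            return False
        if now >= entry.cached_until:
            del self._entries[key]   # expired: the next failure starts over
            return False
        return True


if __name__ == "__main__":
    # Constructed scenario: a bogus answer arrives with a one-day TTL.
    cache = ValidationFailureCache()
    print(cache.record_failure("example.test.", "A", 86400, now=0))   # False
    print(cache.record_failure("example.test.", "A", 86400, now=5))   # True
    print(cache.is_cached("example.test.", "A", now=10))              # True
    print(cache.is_cached("example.test.", "A", now=305))             # False
```

The first failure is not cached at all, so a transient problem (a lost fragment, a stale key during rollover) costs one retry rather than a cached SERVFAIL; the second failure inside the window is cached, but the 86400-second TTL from the bogus answer is ignored in favour of the 300-second cap, so a later fix upstream becomes visible within minutes.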