On Thu, 20 Nov 2025, Duane Powers wrote:

[ speaking only as DNS enthusiast ]

> I have submitted a new individual draft proposing the EXPIRE opcode, which
> allows an authenticated authoritative operator to request immediate deletion
> of a specific RRset from a resolver cache.

I had a quick look. My first concern is more centralization of the internet
by this standard, due to resolvers on public IPs becoming more reliable than
those behind NAT, as those well-known centralized DNS servers are the only
ones you can reach.

The DNSSEC-based variant requires the sender to have the ZSK private key,
e.g. an online signer (or a dedicated machine for issuing EXPIREs that
shares the ZSK).

It seems there are existing methods already, like
https://developers.google.com/speed/public-dns/cache

These have the benefit that anyone can request a cache expire, and so this
is potentially faster than the domain owner taking action.

Perhaps some _expire-api prefix record towards a REST API makes more sense
than shoehorning this into DNS?

Paul
