Hi Duane,
I understand that this describes an automated way for authoritatives to
dictate cache eviction to caching resolvers.
But I fail to find in the document how an authoritative knows which
resolvers to contact and how.
Unless it is only intended for standardizing the mix of vendor-specific
mechanisms that you mention in your latest email.
Best regards,
-- Yorgos
On 20/11/2025 17:30, Duane Powers wrote:
Hi all,
I have submitted a new individual draft proposing the EXPIRE opcode,
which allows an authenticated authoritative operator to request
immediate deletion of a specific RRset from a resolver cache.
The draft defines two authentication profiles:
• DNSSEC (in-band authority proof)
• Control-channel authenticated (TSIG, mTLS, IPsec, local trust policy)
It also specifies replay protection, resolver behavior, and safe
operational deployment in both signed and unsigned DNS environments.
URL: https://datatracker.ietf.org/doc/draft-powers-dnsop-expire/
I would appreciate comments and discussion from the working group.
Thanks,
Duane
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]