Hi all,

I have submitted a new individual draft proposing the EXPIRE opcode, which allows an authenticated authoritative operator to request immediate deletion of a specific RRset from a resolver cache.

The draft defines two authentication profiles:

• DNSSEC (in-band authority proof)
• Control-channel authenticated (TSIG, mTLS, IPsec, local trust policy)

It also specifies replay protection, resolver behavior, and safe operational deployment in both signed and unsigned DNS environments.

URL: https://datatracker.ietf.org/doc/draft-powers-dnsop-expire/

I would appreciate comments and discussion from the working group.

Thanks,
Duane
