datatracker.ietf.org
Sign in
Version 5.6.3, 2014-09-19
Report a bug

DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
RFC 5155

Document type: RFC - Proposed Standard (March 2008; Errata)
Updated by RFC 6944, RFC 6840
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 5155 (Proposed Standard)
Responsible AD: Mark Townsley
Send notices to: dnsext-chairs@tools.ietf.org

Network Working Group                                          B. Laurie
Request for Comments: 5155                                     G. Sisson
Category: Standards Track                                      R. Arends
                                                                 Nominet
                                                               D. Blacka
                                                          VeriSign, Inc.
                                                              March 2008

     DNS Security (DNSSEC) Hashed Authenticated Denial of Existence

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   The Domain Name System Security (DNSSEC) Extensions introduced the
   NSEC resource record (RR) for authenticated denial of existence.
   This document introduces an alternative resource record, NSEC3, which
   similarly provides authenticated denial of existence.  However, it
   also provides measures against zone enumeration and permits gradual
   expansion of delegation-centric zones.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
     1.1.  Rationale  . . . . . . . . . . . . . . . . . . . . . . . .  4
     1.2.  Requirements . . . . . . . . . . . . . . . . . . . . . . .  4
     1.3.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  5
   2.  Backwards Compatibility  . . . . . . . . . . . . . . . . . . .  6
   3.  The NSEC3 Resource Record  . . . . . . . . . . . . . . . . . .  7
     3.1.  RDATA Fields . . . . . . . . . . . . . . . . . . . . . . .  8
       3.1.1.  Hash Algorithm . . . . . . . . . . . . . . . . . . . .  8
       3.1.2.  Flags  . . . . . . . . . . . . . . . . . . . . . . . .  8
       3.1.3.  Iterations . . . . . . . . . . . . . . . . . . . . . .  8
       3.1.4.  Salt Length  . . . . . . . . . . . . . . . . . . . . .  8
       3.1.5.  Salt . . . . . . . . . . . . . . . . . . . . . . . . .  8
       3.1.6.  Hash Length  . . . . . . . . . . . . . . . . . . . . .  9
       3.1.7.  Next Hashed Owner Name . . . . . . . . . . . . . . . .  9
       3.1.8.  Type Bit Maps  . . . . . . . . . . . . . . . . . . . .  9
     3.2.  NSEC3 RDATA Wire Format  . . . . . . . . . . . . . . . . .  9
       3.2.1.  Type Bit Maps Encoding . . . . . . . . . . . . . . . . 10
     3.3.  Presentation Format  . . . . . . . . . . . . . . . . . . . 11

Laurie, et al.              Standards Track                     [Page 1]
RFC 5155                         NSEC3                        March 2008

   4.  The NSEC3PARAM Resource Record . . . . . . . . . . . . . . . . 12
     4.1.  RDATA Fields . . . . . . . . . . . . . . . . . . . . . . . 12
       4.1.1.  Hash Algorithm . . . . . . . . . . . . . . . . . . . . 12
       4.1.2.  Flag Fields  . . . . . . . . . . . . . . . . . . . . . 12
       4.1.3.  Iterations . . . . . . . . . . . . . . . . . . . . . . 13
       4.1.4.  Salt Length  . . . . . . . . . . . . . . . . . . . . . 13
       4.1.5.  Salt . . . . . . . . . . . . . . . . . . . . . . . . . 13
     4.2.  NSEC3PARAM RDATA Wire Format . . . . . . . . . . . . . . . 13
     4.3.  Presentation Format  . . . . . . . . . . . . . . . . . . . 14
   5.  Calculation of the Hash  . . . . . . . . . . . . . . . . . . . 14
   6.  Opt-Out  . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
   7.  Authoritative Server Considerations  . . . . . . . . . . . . . 16
     7.1.  Zone Signing . . . . . . . . . . . . . . . . . . . . . . . 16
     7.2.  Zone Serving . . . . . . . . . . . . . . . . . . . . . . . 17
       7.2.1.  Closest Encloser Proof . . . . . . . . . . . . . . . . 18
       7.2.2.  Name Error Responses . . . . . . . . . . . . . . . . . 19
       7.2.3.  No Data Responses, QTYPE is not DS . . . . . . . . . . 19
       7.2.4.  No Data Responses, QTYPE is DS . . . . . . . . . . . . 19
       7.2.5.  Wildcard No Data Responses . . . . . . . . . . . . . . 19
       7.2.6.  Wildcard Answer Responses  . . . . . . . . . . . . . . 20
       7.2.7.  Referrals to Unsigned Subzones . . . . . . . . . . . . 20
       7.2.8.  Responding to Queries for NSEC3 Owner Names  . . . . . 20
       7.2.9.  Server Response to a Run-Time Collision  . . . . . . . 21
     7.3.  Secondary Servers  . . . . . . . . . . . . . . . . . . . . 21
     7.4.  Zones Using Unknown Hash Algorithms  . . . . . . . . . . . 21
     7.5.  Dynamic Update . . . . . . . . . . . . . . . . . . . . . . 21
   8.  Validator Considerations . . . . . . . . . . . . . . . . . . . 23
     8.1.  Responses with Unknown Hash Types  . . . . . . . . . . . . 23

[include full document text]