%% You should probably cite rfc7129 instead of this I-D. @techreport{gieben-auth-denial-of-existence-dns-00, number = {draft-gieben-auth-denial-of-existence-dns-00}, type = {Internet-Draft}, institution = {Internet Engineering Task Force}, publisher = {Internet Engineering Task Force}, note = {Work in Progress}, url = {https://datatracker.ietf.org/doc/draft-gieben-auth-denial-of-existence-dns/00/}, author = {R. (Miek) Gieben and Matthijs Mekking}, title = {{Authenticated Denial of Existence in the DNS}}, pagetotal = 21, year = 2012, month = aug, day = 1, abstract = {Authenticated denial of existence allows a resolver to validate that a certain domain name does not exist. It is also used to signal that a domain name exists, but does not have the specific RR type you were asking for. This document attempts to answer two simple questions. When returning a negative DNSSEC response, a name server sometimes includes up to two NSEC records. With NSEC3 the maximum amount is three. o Why do you need up to two NSEC records? o And why does NSEC3 sometimes require an extra record? The answer to the questions hinges on the concept of wildcards and the "closest encloser". With NSEC, the name that is the "closest encloser" is implicitly given in the record that also denies the existence of the domain name. With NSEC3, due to its hashing, this information has to be given explicitly to a resolver. It needs one record to tell the resolver the closest encloser and then another to deny the existence of the domain name. Both NSEC and NSEC3 may need yet another record to deny or assert a wildcard presence. This results in a maximum of two NSEC and three NSEC3 records, respectively.}, }