Skip to main content

DNS Security (DNSSEC) Authenticated Denial of Existence

Document Type Expired Internet-Draft (individual)
Expired & archived
Authors R. (Miek) Gieben , Matthijs Mekking
Last updated 2013-01-05 (Latest revision 2012-07-04)
RFC stream (None)
Intended RFC status (None)
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


The Domain Name System Security (DNSSEC) Extensions introduced the NSEC resource record for authenticated denial of existence, and the NSEC3 resource record for hashed authenticated denial of existence. This document introduces an alternative resource record, NSEC4, which similarly provides authenticated denial of existence. It permits gradual expansion of delegation-centric zones, just like NSEC3 does. With NSEC4 it is possible, but not required, to provide measures against zone enumeration. NSEC4 reduces the size of the denial of existence response and adds Opt-Out to unhashed names.


R. (Miek) Gieben
Matthijs Mekking

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)