
Compact Denial of Existence in DNSSEC

Document Type: Replaced Internet-Draft (dnsop WG), expired & archived
Authors: Shumon Huque, Christian Elmerot
Last updated: 2023-04-27 (Latest revision 2023-03-03)
Replaced by: draft-ietf-dnsop-compact-denial-of-existence
RFC stream: Internet Engineering Task Force (IETF)
Intended RFC status: (None)
Additional resources: Mailing list discussion

Stream
WG state: Adopted by a WG
Document shepherd: (None)

IESG
IESG state: Replaced by draft-ietf-dnsop-compact-denial-of-existence
Consensus boilerplate: Unknown
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


This document describes a technique to generate a signed DNS response on demand for a non-existent name by claiming that the name exists but doesn't have any data for the queried record type. Such answers require only one minimal NSEC record, allow online signing servers to minimize signing operations and response sizes, and prevent zone content disclosure.


Shumon Huque
Christian Elmerot

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)