Skip to main content

Requirements related to DNSSEC Signed Proof of Non-Existence

Document Type Expired Internet-Draft (dnsext WG)
Expired & archived
Authors Rip Loomis , Ben Laurie
Last updated 2006-06-19
RFC stream Internet Engineering Task Force (IETF)
Intended RFC status (None)
Additional resources Mailing list discussion
Stream WG state WG Document
Document shepherd (None)
IESG IESG state Expired
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


DNSSEC-bis uses the NSEC record to provide authenticated denial of existence of RRsets. NSEC also has the side-effect of permitting zone enumeration, even if zone transfers have been forbidden. Because some see this as a problem, this document has been assembled to detail the possible requirements for denial of existence A/K/A signed proof of non-existence.


Rip Loomis
Ben Laurie

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)