Compact Denial of Existence in DNSSEC
draft-ietf-dnsop-compact-denial-of-existence-05

Approval announcement
Draft of message to be sent after approval:

Announcement

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: The IESG <iesg@ietf.org>, dnsop-chairs@ietf.org, dnsop@ietf.org, draft-ietf-dnsop-compact-denial-of-existence@ietf.org, rfc-editor@rfc-editor.org, suzworldwide@gmail.com, warren@kumari.net
Subject: Protocol Action: 'Compact Denial of Existence in DNSSEC' to Proposed Standard (draft-ietf-dnsop-compact-denial-of-existence-05.txt)

The IESG has approved the following document:
- 'Compact Denial of Existence in DNSSEC'
  (draft-ietf-dnsop-compact-denial-of-existence-05.txt) as Proposed Standard

This document is the product of the Domain Name System Operations Working
Group.

The IESG contact persons are Warren Kumari and Mahesh Jethanandani.

A URL of this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-compact-denial-of-existence/


Ballot Text

Technical Summary

   This document describes a technique to generate a signed DNS response
   on demand for a non-existent name by claiming that the name exists
   but doesn't have any data for the queried record type.  Such answers
   require only one minimal NSEC record, allow online signing servers to
   minimize signing operations and response sizes, and prevent zone
   content disclosure.

   This document updates RFC 4034 and 4035.
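   The summary above describes the response shape only in words. The following
   Python is an added illustration, not code from the draft or from any of the
   implementations named on this page: it builds the one minimal NSEC record an
   online signer returns for a non-existent name, an empty non-terminal, or a
   NODATA case, and shows how a resolver reads the type bitmap back to restore
   the real kind of denial. Two details are assumptions not spelled out in the
   announcement: the NSEC "next" name is taken to be the immediate successor of
   the queried name (a one-octet \000 label prepended, the minimally covering
   NSEC construction), and a truly non-existent name is marked with the NXNAME
   type, using the code point 128 the Document Quality section cites.

```python
"""Compact Denial of Existence: build and interpret the single synthesized
NSEC record described in the Technical Summary.

Added illustration, not code from the draft or from any implementation
named on the page.  Assumptions (not stated in the announcement):
  * the "next" name of the minimal NSEC is the immediate successor of the
    queried name, formed by prepending a one-octet \\000 label (the
    minimally covering NSEC construction);
  * a truly non-existent name carries the NXNAME type (code point 128, as
    stated on the page) in the type bitmap so a resolver can tell NXDOMAIN
    apart from NODATA;
  * an empty non-terminal gets a bitmap holding only RRSIG and NSEC.
"""

TYPE_A = 1
TYPE_RRSIG = 46
TYPE_NSEC = 47
TYPE_NXNAME = 128  # officially allocated code point, from the page


def encode_name(name: str) -> bytes:
    """Uncompressed wire form of a presentation-format name."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def successor_name(qname_wire: bytes) -> bytes:
    """Immediate successor in DNSSEC canonical order: a \\000 label prepended (assumption)."""
    return b"\x01\x00" + qname_wire


def encode_type_bitmap(types) -> bytes:
    """RFC 4034 section 4.1.2 window-block encoding of a set of RR types."""
    windows = {}
    for t in types:
        window, offset = divmod(t, 256)
        byte_idx, bit = divmod(offset, 8)
        windows.setdefault(window, bytearray(32))[byte_idx] |= 0x80 >> bit
    out = bytearray()
    for window in sorted(windows):
        bitmap = bytes(windows[window]).rstrip(b"\x00")  # trailing zero octets are omitted
        out += bytes([window, len(bitmap)]) + bitmap
    return bytes(out)


def decode_type_bitmap(data: bytes) -> set:
    """Inverse of encode_type_bitmap: window blocks back to a set of type codes."""
    types, i = set(), 0
    while i < len(data):
        window, length = data[i], data[i + 1]
        for byte_idx, octet in enumerate(data[i + 2:i + 2 + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add(window * 256 + byte_idx * 8 + bit)
        i += 2 + length
    return types


def compact_nsec_rdata(qname: str, existing_types=None) -> bytes:
    """NSEC RDATA an online signer returns for a query at qname.

    existing_types is None for a name that does not exist (NXNAME is added),
    an empty set for an empty non-terminal, or the real type set of an
    existing name for a NODATA answer.  The owner name of the record is
    qname itself in every case; only the bitmap differs.
    """
    if existing_types is None:
        types = {TYPE_RRSIG, TYPE_NSEC, TYPE_NXNAME}
    else:
        types = set(existing_types) | {TYPE_RRSIG, TYPE_NSEC}
    return successor_name(encode_name(qname)) + encode_type_bitmap(types)


def parse_nsec_rdata(rdata: bytes):
    """Split NSEC RDATA into (next_name_wire, type_set)."""
    i = 0
    while rdata[i] != 0:          # walk the labels of the next-name field
        i += rdata[i] + 1
    i += 1                        # include the root label terminator
    return rdata[:i], decode_type_bitmap(rdata[i:])


def restore_denial_type(rdata: bytes) -> str:
    """What a resolver that understands NXNAME can conclude from the record."""
    _, types = parse_nsec_rdata(rdata)
    if TYPE_NXNAME in types:
        return "NXDOMAIN"
    if types == {TYPE_RRSIG, TYPE_NSEC}:
        return "ENT"
    return "NODATA"


if __name__ == "__main__":
    # Constructed sample names; not from any real zone.
    for qname, existing in (("nonexistent.example.", None),
                            ("ent.example.", set()),
                            ("www.example.", {TYPE_A})):
        rdata = compact_nsec_rdata(qname, existing)
        print(qname, len(rdata), "octets ->", restore_denial_type(rdata))
```

   A resolver that does not know type 128 simply sees a NODATA proof, which
   is the backwards-compatible behaviour the summary relies on; the signer
   only ever signs one NSEC (plus its RRSIG) per query, and nothing in the
   record reveals any other name in the zone.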

Working Group Summary

   This draft had broad support in the WG. It optimizes for a specific but
   common situation in the use of DNSSEC, and has clearly defined benefits
   (reduced answer sizes and reduced cryptographic overhead). While there was
   some concern that it offers yet another tweak to DNS, this one was judged
   acceptable because it's based on a clear specification, is already in
   production use in the DNS, and shows clear benefits.

Document Quality

   Cloudflare, NS1, and Amazon Route53 currently implement the Compact
   Denial of Existence method.  From early 2021 until November 2023, NS1
   had deployed the Empty Non-Terminal distinguisher [ENT-SENTINEL]
   using the private RR type code 65281.  A version of the NXNAME
   distinguisher using the private RR type code 65238 was deployed by
   both Cloudflare (from July 2023) and NS1 (from November 2023) until
   roughly September 2024.  Since September 2024 both Cloudflare and NS1
   have deployed NXNAME using the officially allocated code point of
   128.  At the current time, there are only prototype implementations
   of the signaled rcode restoration scheme.

Personnel

   Suzanne Woolf is the Document Shepherd (DS).
   Warren "Ace" Kumari is RAD!!!!!! RAD I tell you!!!!

IANA Note

  (Insert IANA Note here or remove section)

RFC Editor Note