Technical Summary
This document describes a technique to generate a signed DNS response
on demand for a non-existent name by claiming that the name exists
but doesn't have any data for the queried record type. Such answers
require only one minimal NSEC record, allow online signing servers to
minimize signing operations and response sizes, and prevent zone
content disclosure.
This document updates RFC 4034 and 4035.
Working Group Summary
This draft had broad support in the WG. It optimizes for a specific but common
situation in the use of DNSSEC, and has clearly defined benefits (reduced
answer sizes and reduced cryptographic overhead). While there was some concern that
it offers yet another tweak to DNS, this one was judged acceptable because it is based on a clear
specification, is already in production use in the DNS, and shows clear
benefits.
Document Quality
Cloudflare, NS1, and Amazon Route53 currently implement the Compact
Denial of Existence method. From early 2021 until November 2023, NS1
had deployed the Empty Non-Terminal distinguisher [ENT-SENTINEL]
using the private RR type code 65281. A version of the NXNAME
distinguisher using the private RR type code 65238 was deployed by
both Cloudflare (from July 2023) and NS1 (from November 2023) until
roughly September 2024. Since September 2024 both Cloudflare and NS1
have deployed NXNAME using the officially allocated code point of
128. At the current time, there are only prototype implementations
of the signaled rcode restoration scheme.
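The following is an added example, not code from the writeup or from the draft or any of the implementations it names. It illustrates the two technical points above: the single NSEC record a compact-denial server returns for a non-existent name (asserting the name exists with no data for the queried type), and the NXNAME distinguisher (type code 128, with the earlier private codes 65238 and 65281 from the deployment history) that lets a consumer tell such an answer apart from a genuine NODATA response. The RRSIG/NSEC type codes and the type-bitmap wire format are from RFC 4034; the construction of the Next Domain Name field by prepending a single \000 label is an assumption of this example (the RFC 4470 minimal-covering style), since the writeup does not spell it out.

```python
# Added example (not part of the shepherd writeup or the draft's own code):
# encode/decode an NSEC type bitmap (RFC 4034, section 4.1.2), build the single
# NSEC record a compact-denial server returns for a non-existent name, and show
# how a consumer distinguishes NXDOMAIN from a real NODATA answer by the NXNAME
# pseudo-type in the bitmap.

TYPE_RRSIG = 46                 # RFC 4034
TYPE_NSEC = 47                  # RFC 4034
TYPE_NXNAME = 128               # allocated code point cited in the writeup
LEGACY_NXNAME_PRIVATE = 65238   # private code, July 2023 to Sept 2024 (writeup)
LEGACY_ENT_PRIVATE = 65281      # NS1 ENT sentinel, early 2021 to Nov 2023 (writeup)


def encode_type_bitmap(types):
    """RFC 4034 4.1.2: one (window, length, bitmap) block per 256-type window."""
    windows = {}
    for t in types:
        if not 0 <= t <= 0xFFFF:
            raise ValueError(f"bad RR type {t}")
        win, low = t >> 8, t & 0xFF
        bm = windows.setdefault(win, bytearray(32))
        bm[low >> 3] |= 0x80 >> (low & 7)
    out = bytearray()
    for win in sorted(windows):
        bm = windows[win]
        length = len(bm)
        while length and bm[length - 1] == 0:   # trailing zero octets are omitted
            length -= 1
        if length:                                # empty windows are not emitted
            out += bytes((win, length)) + bm[:length]
    return bytes(out)


def decode_type_bitmap(data):
    """Inverse of encode_type_bitmap; rejects malformed window blocks."""
    types = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        win, length = data[i], data[i + 1]
        if not 1 <= length <= 32:
            raise ValueError(f"illegal bitmap length {length}")
        bm = data[i + 2:i + 2 + length]
        if len(bm) != length:
            raise ValueError("truncated bitmap")
        for idx, octet in enumerate(bm):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.append((win << 8) | (idx << 3) | bit)
        i += 2 + length
    return types


def name_to_wire(labels):
    """Uncompressed wire-format name from a list of byte-string labels."""
    out = bytearray()
    for label in labels:
        if not 1 <= len(label) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes((len(label),)) + label
    return bytes(out + b"\x00")


def compact_nxdomain_nsec_rdata(qname_labels):
    """NSEC RDATA for a compact NXDOMAIN answer; the owner name is the queried
    name itself.  ASSUMPTION of this example: the Next Domain Name is the
    immediate canonical successor, formed by prepending a single \\000 label
    (RFC 4470 minimal-covering style).  The bitmap claims only RRSIG, NSEC and
    the NXNAME distinguisher, so the record says "name exists, no data"."""
    next_name = name_to_wire([b"\x00"] + list(qname_labels))
    bitmap = encode_type_bitmap([TYPE_RRSIG, TYPE_NSEC, TYPE_NXNAME])
    return next_name + bitmap


def classify_nsec_at_qname(rdata):
    """Given NSEC RDATA whose owner name equals the query name, say what a
    consumer should infer.  Without a distinguisher in the bitmap, a compact
    NXDOMAIN answer is indistinguishable from a genuine NODATA answer."""
    i = 0
    while rdata[i] != 0:            # skip the uncompressed next-name field
        i += 1 + rdata[i]
    types = set(decode_type_bitmap(rdata[i + 1:]))
    if TYPE_NXNAME in types:
        return "NXDOMAIN"
    if LEGACY_NXNAME_PRIVATE in types:
        return "NXDOMAIN (legacy private code)"
    if LEGACY_ENT_PRIVATE in types:
        return "NODATA (empty non-terminal, legacy sentinel)"
    return "NODATA"
```

A resolver or monitoring tool that only checks the owner name will see the same shape for both answers; the bitmap check above is what restores the NXDOMAIN signal, which is why the writeup tracks which code point each operator deployed and when.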
Personnel
Suzanne Woolf is DS.
Warren "Ace" Kumari is RAD!!!!!! RAD I tell you!!!!
IANA Note
(Insert IANA Note here or remove section)