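%% You should probably cite draft-vcelak-nsec5-08 instead of this revision.
%% This entry is revision -00 of an Internet-Draft (its note field reads
%% "Work in Progress"); cite it only when this exact revision is the one
%% under discussion.
%% The entry starts on its own line so that a parser which treats "%" as a
%% comment running to end of line cannot swallow it along with the remark above.
@techreport{vcelak-nsec5-00,
  author      = {Včelák, Jan and Goldberg, Sharon},
  title       = {{NSEC5}, {DNSSEC} Authenticated Denial of Existence},
  type        = {Internet-Draft},
  number      = {draft-vcelak-nsec5-00},
  institution = {Internet Engineering Task Force},
  publisher   = {Internet Engineering Task Force},
  year        = 2015,
  month       = mar,
  day         = 23,
  pagetotal   = 26,
  note        = {Work in Progress},
  url         = {https://datatracker.ietf.org/doc/draft-vcelak-nsec5/00/},
  abstract    = {The Domain Name System Security (DNSSEC) Extensions introduced the NSEC resource record (RR) for authenticated denial of existence and the NSEC3 for hashed authenticated denial of existence. The NSEC RR allows for the entire zone contents to be enumerated if a server is queried for carefully chosen domain names; N queries suffice to enumerate a zone containing N names. The NSEC3 RR adds domain-name hashing, which makes the zone enumeration harder, but not impossible. This document introduces NSEC5, which provides an cryptographically-proven mechanism that prevents zone enumeration. NSEC5 has the additional advantage of not requiring private zone-signing keys to be present on all authoritative servers for the zone.},
}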