Believing NSEC records in the DNS root.

Document Type Expired Internet-Draft (individual)
Authors Warren Kumari  , Geoff Huston 
Last updated 2016-08-26 (latest revision 2016-02-23)
Stream (None)
Expired & archived
plain text pdf htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This document describes a method to generate negative answers from NSEC records for the special case of the DNS root. This improves performance; the resolver can answer immediatly, and does not need to query the root. It also cuts down on the so-called "junk" queries. [ Ed note: Text inside square brackets ([]) is additional background information, answers to frequently asked questions, general musings, etc. They will be removed before publication.] [ This document is being collaborated on in Github at: The most recent version of the document, open issues, etc should all be available here. The authors (gratefully) accept pull requests ]


Warren Kumari (
Geoff Huston (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)