Skip to main content

Believing NSEC records in the DNS root.

Document Type Expired Internet-Draft (individual)
Expired & archived
Authors Warren "Ace" Kumari , Geoff Huston
Last updated 2016-08-26 (Latest revision 2016-02-23)
RFC stream (None)
Intended RFC status (None)
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


This document describes a method to generate negative answers from NSEC records for the special case of the DNS root. This improves performance; the resolver can answer immediatly, and does not need to query the root. It also cuts down on the so-called "junk" queries. [ Ed note: Text inside square brackets ([]) is additional background information, answers to frequently asked questions, general musings, etc. They will be removed before publication.] [ This document is being collaborated on in Github at: The most recent version of the document, open issues, etc should all be available here. The authors (gratefully) accept pull requests ]


Warren "Ace" Kumari
Geoff Huston

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)