Network Working Group                                          B. Laurie
Request for Comments: 5155                                     G. Sisson
Category: Standards Track                                      R. Arends
                                                                 Nominet
                                                               D. Blacka
                                                          VeriSign, Inc.
                                                              March 2008
DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Abstract
The Domain Name System Security (DNSSEC) Extensions introduced the
NSEC resource record (RR) for authenticated denial of existence.
This document introduces an alternative resource record, NSEC3, which
similarly provides authenticated denial of existence. However, it
also provides measures against zone enumeration and permits gradual
expansion of delegation-centric zones.
Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
     1.1.  Rationale . . . . . . . . . . . . . . . . . . . . . . . .  4
     1.2.  Requirements . . . . . . . . . . . . . . . . . . . . . . .  4
     1.3.  Terminology . . . . . . . . . . . . . . . . . . . . . . .  5
   2.  Backwards Compatibility . . . . . . . . . . . . . . . . . . .  6
   3.  The NSEC3 Resource Record . . . . . . . . . . . . . . . . . .  7
     3.1.  RDATA Fields . . . . . . . . . . . . . . . . . . . . . . .  8
       3.1.1.  Hash Algorithm . . . . . . . . . . . . . . . . . . . .  8
       3.1.2.  Flags . . . . . . . . . . . . . . . . . . . . . . . .  8
       3.1.3.  Iterations . . . . . . . . . . . . . . . . . . . . . .  8
       3.1.4.  Salt Length . . . . . . . . . . . . . . . . . . . . .  8
       3.1.5.  Salt . . . . . . . . . . . . . . . . . . . . . . . . .  8
       3.1.6.  Hash Length . . . . . . . . . . . . . . . . . . . . .  9
       3.1.7.  Next Hashed Owner Name . . . . . . . . . . . . . . . .  9
       3.1.8.  Type Bit Maps . . . . . . . . . . . . . . . . . . . .  9
     3.2.  NSEC3 RDATA Wire Format . . . . . . . . . . . . . . . . .  9
       3.2.1.  Type Bit Maps Encoding . . . . . . . . . . . . . . . . 10
     3.3.  Presentation Format . . . . . . . . . . . . . . . . . . . 11

Laurie, et al.              Standards Track                     [Page 1]

RFC 5155                         NSEC3                        March 2008

   4.  The NSEC3PARAM Resource Record . . . . . . . . . . . . . . . . 12
     4.1.  RDATA Fields . . . . . . . . . . . . . . . . . . . . . . . 12
       4.1.1.  Hash Algorithm . . . . . . . . . . . . . . . . . . . . 12
       4.1.2.  Flag Fields . . . . . . . . . . . . . . . . . . . . . 12
       4.1.3.  Iterations . . . . . . . . . . . . . . . . . . . . . . 13
       4.1.4.  Salt Length . . . . . . . . . . . . . . . . . . . . . 13
       4.1.5.  Salt . . . . . . . . . . . . . . . . . . . . . . . . . 13
     4.2.  NSEC3PARAM RDATA Wire Format . . . . . . . . . . . . . . . 13
     4.3.  Presentation Format . . . . . . . . . . . . . . . . . . . 14
   5.  Calculation of the Hash . . . . . . . . . . . . . . . . . . . 14
   6.  Opt-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
   7.  Authoritative Server Considerations . . . . . . . . . . . . . 16
     7.1.  Zone Signing . . . . . . . . . . . . . . . . . . . . . . . 16
     7.2.  Zone Serving . . . . . . . . . . . . . . . . . . . . . . . 17
       7.2.1.  Closest Encloser Proof . . . . . . . . . . . . . . . . 18
       7.2.2.  Name Error Responses . . . . . . . . . . . . . . . . . 19
       7.2.3.  No Data Responses, QTYPE is not DS . . . . . . . . . . 19
       7.2.4.  No Data Responses, QTYPE is DS . . . . . . . . . . . . 19
       7.2.5.  Wildcard No Data Responses . . . . . . . . . . . . . . 19
       7.2.6.  Wildcard Answer Responses . . . . . . . . . . . . . . 20
       7.2.7.  Referrals to Unsigned Subzones . . . . . . . . . . . . 20
       7.2.8.  Responding to Queries for NSEC3 Owner Names . . . . . 20
       7.2.9.  Server Response to a Run-Time Collision . . . . . . . 21
     7.3.  Secondary Servers . . . . . . . . . . . . . . . . . . . . 21
     7.4.  Zones Using Unknown Hash Algorithms . . . . . . . . . . . 21
     7.5.  Dynamic Update . . . . . . . . . . . . . . . . . . . . . . 21
   8.  Validator Considerations . . . . . . . . . . . . . . . . . . . 23
     8.1.  Responses with Unknown Hash Types . . . . . . . . . . . . 23
     8.2.  Verifying NSEC3 RRs . . . . . . . . . . . . . . . . . . . 23
     8.3.  Closest Encloser Proof . . . . . . . . . . . . . . . . . . 23