Authenticated Denial of Existence in the DNS
RFC 7129

 
Document Type RFC - Informational (February 2014; No errata)
Last updated 2014-02-12
Stream ISE
IETF conflict review conflict-review-gieben-auth-denial-of-existence-dns
Independent Submission                                         R. Gieben
Request for Comments: 7129                                        Google
Category: Informational                                       W. Mekking
ISSN: 2070-1721                                               NLnet Labs
                                                           February 2014

              Authenticated Denial of Existence in the DNS

Abstract

   Authenticated denial of existence allows a resolver to validate that
   a certain domain name does not exist.  It is also used to signal that
   a domain name exists but does not have the specific resource record
   (RR) type you were asking for.  When returning a negative DNS
   Security Extensions (DNSSEC) response, a name server usually includes
   up to two NSEC records.  With NSEC version 3 (NSEC3), this amount is
   three.

   This document provides additional background commentary and some
   context for the NSEC and NSEC3 mechanisms used by DNSSEC to provide
   authenticated denial-of-existence responses.
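As an added illustration that is not part of the RFC, the Python below sketches how a validating resolver reads the NSEC records in a negative response: a NODATA proof comes from a matching NSEC whose type bitmap lacks the query type, and an NXDOMAIN proof needs one NSEC covering the name plus one covering the wildcard at the closest encloser, which is why up to two records are returned. The zone, names and type sets are constructed, and the RRSIGs are assumed to have been verified already.

```python
# Added example (not from RFC 7129): a validator reading NSEC records in a negative answer.
def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical ordering: labels compared
    right to left, case-insensitively, as octet strings."""
    labels = name.lower().rstrip(".").split(".")
    return tuple(l.encode("ascii") for l in reversed(labels) if l)

def nsec_covers(owner, nxt, qname):
    """True when QNAME sorts strictly between OWNER and NXT.  The last NSEC of
    the chain points back to the apex, so NXT <= OWNER means wrap-around."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    return o < q < n if o < n else (q > o or q < n)

def common_ancestor(a, b):
    """Longest shared suffix of two names, i.e. their common ancestor."""
    shared = []
    for x, y in zip(canonical_key(a), canonical_key(b)):
        if x != y:
            break
        shared.append(x.decode("ascii"))
    return ".".join(reversed(shared)) + "."

def validate_negative(nsecs, qname, qtype):
    """NSECS: (owner, next, {types}) from the Authority section, RRSIGs assumed
    verified.  Returns "NODATA", "NXDOMAIN", or None if neither is proven."""
    for owner, nxt, types in nsecs:
        # NODATA: QNAME exists but its type bitmap lacks QTYPE (and CNAME).
        if canonical_key(owner) == canonical_key(qname):
            return None if qtype in types or "CNAME" in types else "NODATA"
    # NXDOMAIN step 1: one NSEC must cover QNAME itself.
    covering = [r for r in nsecs if nsec_covers(r[0], r[1], qname)]
    if not covering:
        return None
    owner, nxt, _ = covering[0]
    # Step 2: the closest encloser (longest existing ancestor of QNAME) is the
    # longer common ancestor with either end of the covering NSEC; a second NSEC
    # must cover "*.<closest encloser>", hence up to two NSECs per NXDOMAIN.
    ce = max(common_ancestor(qname, owner), common_ancestor(qname, nxt),
             key=lambda n: len(canonical_key(n)))
    wildcard = "*." + ce.lstrip(".")
    if any(nsec_covers(o, n, wildcard) for o, n, _ in nsecs):
        return "NXDOMAIN"
    return None

# Constructed zone: apex, a and d.c, so c.example.org is an empty non-terminal.
ZONE_NSECS = [
    ("example.org.", "a.example.org.", {"SOA", "NS", "NSEC", "RRSIG"}),
    ("a.example.org.", "d.c.example.org.", {"A", "NSEC", "RRSIG"}),
    ("d.c.example.org.", "example.org.", {"TXT", "NSEC", "RRSIG"}),
]
```

Querying x.c.example.org shows the two-record case: the wrap-around NSEC covers the name, the closest encloser is the empty non-terminal c.example.org, and a different NSEC covers *.c.example.org.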

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This is a contribution to the RFC Series, independently of any other
   RFC stream.  The RFC Editor has chosen to publish this document at
   its discretion and makes no statement about its value for
   implementation or deployment.  Documents approved for publication by
   the RFC Editor are not a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7129.

Gieben & Mekking              Informational                     [Page 1]
RFC 7129               Authenticated Denial in DNS         February 2014

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Table of Contents

   1. Introduction ....................................................3
   2. Denial of Existence .............................................4
      2.1. NXDOMAIN Responses .........................................4
      2.2. NODATA Responses ...........................................5
   3. Secure Denial of Existence ......................................6
      3.1. NXT ........................................................7
      3.2. NSEC .......................................................7
      3.3. NODATA Responses ...........................................9
      3.4. Drawbacks of NSEC .........................................10
   4. Experimental and Deprecated Mechanisms: NO, NSEC2, and DNSNR ...11
   5. NSEC3 ..........................................................12
      5.1. Opt-Out ...................................................14
      5.2. Loading an NSEC3 Zone .....................................15
      5.3. Wildcards in the DNS ......................................15
      5.4. CNAME Records .............................................18
      5.5. The Closest Encloser NSEC3 Record .........................19
      5.6. Three to Tango ............................................24
   6. Security Considerations ........................................25
   7. Acknowledgments ................................................25
   8. References .....................................................26
      8.1. Normative References ......................................26
      8.2. Informative References ....................................26
   Appendix A. Online Signing: Minimally Covering NSEC Records .......28
   Appendix B. Online Signing: NSEC3 White Lies ......................29
   Appendix C. List of Hashed Owner Names ............................29


1.  Introduction

   DNSSEC can be somewhat of a complicated matter, and there are certain
   areas of the specification that are more difficult to comprehend than
   others.  One such area is "authenticated denial of existence".

   Denial of existence is a mechanism that informs a resolver that a
   certain domain name does not exist.  It is also used to signal that a
   domain name exists but does not have the specific RR type you were