Authenticated Denial of Existence in the DNS
RFC 7129
| Document | Type |
RFC - Informational
(February 2014; No errata)
Was draft-gieben-auth-denial-of-existence-dns (individual)
|
|
|---|---|---|---|
| Last updated | 2014-02-12 | ||
| Stream | ISE | ||
| Formats | plain text pdf html bibtex | ||
| IETF conflict review | conflict-review-gieben-auth-denial-of-existence-dns | ||
| Stream | ISE state | Published RFC | |
| Consensus Boilerplate | Unknown | ||
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 7129 (Informational) | |
| Telechat date | |||
| Responsible AD | (None) | ||
| Send notices to | (None) | ||
| IANA | IANA review state | Version Changed - Review Needed | |
| IANA action state | No IC | ||
Independent Submission R. Gieben
Request for Comments: 7129 Google
Category: Informational W. Mekking
ISSN: 2070-1721 NLnet Labs
February 2014
Authenticated Denial of Existence in the DNS
Abstract
Authenticated denial of existence allows a resolver to validate that
a certain domain name does not exist. It is also used to signal that
a domain name exists but does not have the specific resource record
(RR) type you were asking for. When returning a negative DNS
Security Extensions (DNSSEC) response, a name server usually includes
up to two NSEC records. With NSEC version 3 (NSEC3), this amount is
three.
This document provides additional background commentary and some
context for the NSEC and NSEC3 mechanisms used by DNSSEC to provide
authenticated denial-of-existence responses.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This is a contribution to the RFC Series, independently of any other
RFC stream. The RFC Editor has chosen to publish this document at
its discretion and makes no statement about its value for
implementation or deployment. Documents approved for publication by
the RFC Editor are not a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7129.
Gieben & Mekking Informational [Page 1]
RFC 7129 Authenticated Denial in DNS February 2014
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Table of Contents
1. Introduction ....................................................3
2. Denial of Existence .............................................4
2.1. NXDOMAIN Responses .........................................4
2.2. NODATA Responses ...........................................5
3. Secure Denial of Existence ......................................6
3.1. NXT ........................................................7
3.2. NSEC .......................................................7
3.3. NODATA Responses ...........................................9
3.4. Drawbacks of NSEC .........................................10
4. Experimental and Deprecated Mechanisms: NO, NSEC2, and DNSNR ...11
5. NSEC3 ..........................................................12
5.1. Opt-Out ...................................................14
5.2. Loading an NSEC3 Zone .....................................15
5.3. Wildcards in the DNS ......................................15
5.4. CNAME Records .............................................18
5.5. The Closest Encloser NSEC3 Record .........................19
5.6. Three to Tango ............................................24
6. Security Considerations ........................................25
7. Acknowledgments ................................................25
8. References .....................................................26
8.1. Normative References ......................................26
8.2. Informative References ....................................26
Appendix A. Online Signing: Minimally Covering NSEC Records .......28
Appendix B. Online Signing: NSEC3 White Lies ......................29
Appendix C. List of Hashed Owner Names ............................29
Gieben & Mekking Informational [Page 2]
RFC 7129 Authenticated Denial in DNS February 2014
1. Introduction
DNSSEC can be somewhat of a complicated matter, and there are certain
areas of the specification that are more difficult to comprehend than
others. One such area is "authenticated denial of existence".
Denial of existence is a mechanism that informs a resolver that a
certain domain name does not exist. It is also used to signal that a
domain name exists but does not have the specific RR type you were
asking for.
The first is referred to as a nonexistent domain (NXDOMAIN)
([RFC2308], Section 2.1) and the latter as a NODATA ([RFC2308],
Section 2.2) response. Both are also known as negative responses.
Show full document text