Authenticated Denial of Existence in the DNS
RFC 7129
| Document | |
|---|---|
| Type | RFC - Informational (February 2014; No errata). Was draft-gieben-auth-denial-of-existence-dns (individual) |
| Authors | R. Gieben, Matthijs Mekking |
| Last updated | 2018-12-20 |
| Stream | ISE |
| Formats | plain text, html, pdf, htmlized, bibtex |
| IETF conflict review | conflict-review-gieben-auth-denial-of-existence-dns |
| ISE state | Published RFC |
| Consensus Boilerplate | Unknown |
| Document shepherd | No shepherd assigned |
| IESG state | RFC 7129 (Informational) |
| Telechat date | |
| Responsible AD | (None) |
| Send notices to | (None) |
| IANA review state | Version Changed - Review Needed |
| IANA action state | No IANA Actions |
Independent Submission                                         R. Gieben
Request for Comments: 7129                                        Google
Category: Informational                                       W. Mekking
ISSN: 2070-1721                                               NLnet Labs
                                                           February 2014

Authenticated Denial of Existence in the DNS

Abstract

Authenticated denial of existence allows a resolver to validate that a certain domain name does not exist. It is also used to signal that a domain name exists but does not have the specific resource record (RR) type you were asking for. When returning a negative DNS Security Extensions (DNSSEC) response, a name server usually includes up to two NSEC records. With NSEC version 3 (NSEC3), this amount is three.

This document provides additional background commentary and some context for the NSEC and NSEC3 mechanisms used by DNSSEC to provide authenticated denial-of-existence responses.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7129.

Gieben & Mekking              Informational                     [Page 1]
RFC 7129             Authenticated Denial in DNS           February 2014

Copyright Notice

Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Table of Contents

   1. Introduction ............................................... 3
   2. Denial of Existence ........................................ 4
      2.1. NXDOMAIN Responses .................................... 4
      2.2. NODATA Responses ...................................... 5
   3. Secure Denial of Existence ................................. 6
      3.1. NXT ................................................... 7
      3.2. NSEC .................................................. 7
      3.3. NODATA Responses ...................................... 9
      3.4. Drawbacks of NSEC .................................... 10
   4. Experimental and Deprecated Mechanisms: NO, NSEC2, and DNSNR ... 11
   5. NSEC3 ..................................................... 12
      5.1. Opt-Out .............................................. 14
      5.2. Loading an NSEC3 Zone ................................ 15
      5.3. Wildcards in the DNS ................................. 15
      5.4. CNAME Records ........................................ 18
      5.5. The Closest Encloser NSEC3 Record .................... 19
      5.6. Three to Tango ....................................... 24
   6. Security Considerations ................................... 25
   7. Acknowledgments ........................................... 25
   8. References ................................................ 26
      8.1. Normative References ................................. 26
      8.2. Informative References ............................... 26
   Appendix A. Online Signing: Minimally Covering NSEC Records .. 28
   Appendix B. Online Signing: NSEC3 White Lies ................. 29
   Appendix C. List of Hashed Owner Names ....................... 29

1. Introduction

DNSSEC can be somewhat of a complicated matter, and there are certain areas of the specification that are more difficult to comprehend than others. One such area is "authenticated denial of existence". Denial of existence is a mechanism that informs a resolver that a certain domain name does not exist. It is also used to signal that a domain name exists but does not have the specific RR type you were asking for. The first is referred to as a nonexistent domain (NXDOMAIN) ([RFC2308], Section 2.1) and the latter as a NODATA ([RFC2308], Section 2.2) response. Both are also known as negative responses.
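The NXDOMAIN/NODATA distinction above, and the NSEC records the Abstract says accompany a signed negative response, are visible on the wire. The following is an added example, not code from RFC 7129 or the datatracker page: a minimal parser for DNS response messages that labels a response NXDOMAIN, NODATA or positive using the RFC 2308 rules (RCODE, and whether the answer section holds a record of the queried type), checks that a negative response carries the SOA it must have, and counts the NSEC/NSEC3 records in the authority section that a validating resolver would go on to verify. The zone `example.`, the names `a.example.`, `b.example.`, `c.example.`, the SOA contents and the NSEC type bitmaps are all constructed for the example, and the NSEC bitmap is simplified; no real signatures are included, so this classifies the shape of the response rather than validating it.

```python
"""Classify DNS responses as NXDOMAIN / NODATA / positive and count the NSEC or NSEC3
records in the authority section.  Added example (not from RFC 7129): wire format per
RFC 1035, negative-response rules per RFC 2308; every sample message is constructed."""
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, TYPE_SOA, TYPE_AAAA, TYPE_NSEC, TYPE_NSEC3, CLASS_IN = 1, 6, 28, 47, 50, 1

def encode_name(name):
    """Dotted name -> length-prefixed labels, uncompressed."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, end offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035, section 4.1.4)
            end = off + 2 if end is None else end  # the pointer ends this name field
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            return ".".join(labels) + ".", end if end is not None else off + 1
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def build_rr(owner, rtype, rdata, ttl=3600):
    """Owner is a dotted name or pre-encoded bytes (e.g. a compression pointer)."""
    owner = owner if isinstance(owner, bytes) else encode_name(owner)
    return owner + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

def build_response(qname, qtype, rcode, answer=(), authority=()):
    """Minimal authoritative response: QR=1, AA=1, one question, no additional section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400 | rcode, 1, len(answer), len(authority), 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question + b"".join(answer) + b"".join(authority)

def parse_response(msg):
    """Return (rcode, qname, qtype, answer, authority); each RR is (owner, type)."""
    _, flags, _qd, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    off += 4  # QTYPE + QCLASS
    sections = []
    for count in (an, ns):
        rrs = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen  # skip TYPE/CLASS/TTL/RDLENGTH and the RDATA
            rrs.append((owner, rtype))
        sections.append(rrs)
    return flags & 0xF, qname, qtype, sections[0], sections[1]

def classify(msg):
    """RFC 2308: NXDOMAIN, or NOERROR with no RR of the queried type, is negative and
    must carry the zone SOA; a DNSSEC denial adds NSEC (<=2) or NSEC3 (<=3) records."""
    rcode, _, qtype, answer, authority = parse_response(msg)
    if rcode == RCODE_NXDOMAIN:
        kind = "NXDOMAIN"
    elif rcode == RCODE_NOERROR:
        kind = "POSITIVE" if any(t == qtype for _, t in answer) else "NODATA"
    else:
        kind = "ERROR"
    types = [t for _, t in authority]
    has_proof = (kind in ("NXDOMAIN", "NODATA") and TYPE_SOA in types
                 and (TYPE_NSEC in types or TYPE_NSEC3 in types))
    return {"kind": kind, "soa": TYPE_SOA in types, "nsec": types.count(TYPE_NSEC),
            "nsec3": types.count(TYPE_NSEC3), "proof_present": has_proof}

# ---- constructed sample messages for the zone "example." (not real zone data) ----
SOA_RR = build_rr("example.", TYPE_SOA, encode_name("ns1.example.")
                  + encode_name("hostmaster.example.")
                  + struct.pack("!IIIII", 2014020100, 3600, 900, 604800, 300))

def nsec_rdata(next_name):
    """NSEC RDATA: next owner name + a simplified type bitmap (A, RRSIG, NSEC)."""
    return encode_name(next_name) + b"\x00\x06\x40\x00\x00\x00\x00\x03"

# NXDOMAIN for b.example.: one NSEC covers the name (a < b < c), a second covers the
# wildcard *.example., which sorts between example. and a.example. (RFC 4034 order)
NXDOMAIN_MSG = build_response("b.example.", TYPE_A, RCODE_NXDOMAIN, authority=[
    SOA_RR, build_rr("a.example.", TYPE_NSEC, nsec_rdata("c.example.")),
    build_rr("example.", TYPE_NSEC, nsec_rdata("a.example."))])
# NODATA for a.example./AAAA: the NSEC matching the name proves AAAA is absent; its
# owner is a compression pointer (0xC00C) back to the question name at offset 12
NODATA_MSG = build_response("a.example.", TYPE_AAAA, RCODE_NOERROR, authority=[
    SOA_RR, build_rr(b"\xc0\x0c", TYPE_NSEC, nsec_rdata("c.example."))])
# A positive answer, and an NXDOMAIN carrying no SOA/NSEC at all (nothing to verify)
POSITIVE_MSG = build_response("a.example.", TYPE_A, RCODE_NOERROR,
                              answer=[build_rr("a.example.", TYPE_A, bytes([192, 0, 2, 1]))])
BARE_NXDOMAIN_MSG = build_response("b.example.", TYPE_A, RCODE_NXDOMAIN)

if __name__ == "__main__":  # constructed messages only; nothing touches the network
    for msg in (NXDOMAIN_MSG, NODATA_MSG, POSITIVE_MSG, BARE_NXDOMAIN_MSG):
        print(classify(msg))
```

The `proof_present` flag is deliberately weak: it only says the records a denial should carry are there. A real validator still has to check the RRSIGs over the SOA and NSEC/NSEC3 records and confirm that the NSEC owner/next pair actually brackets the queried name (and, for NXDOMAIN, the wildcard), which is exactly the part of DNSSEC the rest of this document explains.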