Authenticated Denial of Existence in the DNS
RFC 7129, “Authenticated Denial of Existence in the DNS”, is an Informational document published in February 2014 by R. Gieben and W. Mekking. The canonical text is published by the RFC Editor.
Abstract
Authenticated denial of existence allows a resolver to validate that a certain domain name does not exist. It is also used to signal that a domain name exists but does not have the specific resource record (RR) type you were asking for. When returning a negative DNS Security Extensions (DNSSEC) response, a name server usually includes up to two NSEC records. With NSEC version 3 (NSEC3), this amount is three.
This document provides additional background commentary and some context for the NSEC and NSEC3 mechanisms used by DNSSEC to provide authenticated denial-of-existence responses.
What “Informational” means
Published for the general information of the community. It does not define an IETF standard and carries no standards-track status.
The canonical text of RFC 7129 is hosted at rfc-editor.org and is available in TXT and HTML formats.
- RFC 7128 Resource Public Key Infrastructure Router Implementation Report
- RFC 7130 Bidirectional Forwarding Detection on Link Aggregation Group Interfaces
- RFC 7127 Characterization of Proposed Standards
- RFC 7131 Session Initiation Protocol History-Info Header Call Flow Examples
- RFC 7126 Recommendations on Filtering of IPv4 Packets Containing IPv4 Options
- RFC 7132 Threat Model for BGP Path Security
- RFC 7125 Revision of the tcpControlBits IP Flow Information Export Information Element
- RFC 7133 Information Elements for Data Link Layer Traffic Measurement