RFC 7129
Authenticated Denial of Existence in the DNS, February 2014
- File formats:
- Status:
- INFORMATIONAL
- Authors:
- R. Gieben
W. Mekking - Stream:
- INDEPENDENT
Cite this RFC: TXT | XML | BibTeX
DOI: https://doi.org/10.17487/RFC7129
Discuss this RFC: Send questions or comments to the mailing list rfc-ise@rfc-editor.org
Other actions: Submit Errata | Find IPR Disclosures from the IETF | View History of RFC 7129
Abstract
Authenticated denial of existence allows a resolver to validate that a certain domain name does not exist. It is also used to signal that a domain name exists but does not have the specific resource record (RR) type you were asking for. When returning a negative DNS Security Extensions (DNSSEC) response, a name server usually includes up to two NSEC records. With NSEC version 3 (NSEC3), this amount is three.
This document provides additional background commentary and some context for the NSEC and NSEC3 mechanisms used by DNSSEC to provide authenticated denial-of-existence responses.
For the definition of Status, see RFC 2026.
For the definition of Stream, see RFC 8729.