A New Internet-Draft is available from the on-line Internet-Drafts directories.

        Title           : Authenticated Denial of Existence in the DNS
        Author(s)       : R. (Miek) Gieben
                          W. (Matthijs) Mekking
        Filename        : draft-gieben-auth-denial-of-existence-dns-00.txt
        Pages           : 21
        Date            : 2012-08-01

Abstract:
   Authenticated denial of existence allows a resolver to validate that a
   certain domain name does not exist. It is also used to signal that a
   domain name exists, but does not have the specific RR type you were
   asking for.

   This document attempts to answer two simple questions. When returning a
   negative DNSSEC response, a name server sometimes includes up to two NSEC
   records. With NSEC3 the maximum number is three.

   o  Why do you need up to two NSEC records?

   o  And why does NSEC3 sometimes require an extra record?

   The answer to both questions hinges on the concept of wildcards and the
   "closest encloser". With NSEC, the name that is the "closest encloser" is
   implicitly given in the record that also denies the existence of the
   domain name. With NSEC3, due to its hashing, this information has to be
   given explicitly to a resolver. It needs one record to tell the resolver
   the closest encloser and then another to deny the existence of the domain
   name. Both NSEC and NSEC3 may need yet another record to deny or assert a
   wildcard presence. This results in a maximum of two NSEC and three NSEC3
   records, respectively.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-gieben-auth-denial-of-existence-dns

There's also an htmlized version available at:
http://tools.ietf.org/html/draft-gieben-auth-denial-of-existence-dns-00

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
I-D-Announce mailing list
I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
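The two questions the abstract poses, as an added worked example that is not part of the draft or of this announcement: a small Python model of both denial-of-existence proofs. It assumes a constructed zone (example.org with b, c and www.c below it, no wildcard and no empty non-terminals), borrows the NSEC3 hash parameters of the RFC 5155 Appendix A example zone (SHA-1, salt aabbccdd, 12 iterations) so the hash routine can be checked against that appendix, and adds a helper, implied_closest_encloser, that recovers the closest encloser from an NSEC record in the way the abstract says it is implicit (the longest ancestor the QNAME shares with the record's owner or next name, since every ancestor of an owner exists). For x.example.org the NSEC proof needs two records (the one covering the name sits in the wrap-around interval after www.c.example.org, the one covering *.example.org sits right after the apex, because "*" sorts before letters), while the NSEC3 proof needs a matching record for example.org plus covers for x.example.org and *.example.org; whether those two covers happen to be the same record depends only on the hash values.

```python
"""Toy model of DNSSEC authenticated denial of existence: NSEC (RFC 4034/4035) and NSEC3 (RFC 5155)."""
import base64
import hashlib

# Constructed sample zone, not from the draft. NSEC3 would also need every empty non-terminal listed.
ZONE_NAMES = ["example.org.", "b.example.org.", "c.example.org.", "www.c.example.org."]
NSEC3_SALT = bytes.fromhex("aabbccdd")  # salt and iterations as in RFC 5155 Appendix A
NSEC3_ITERATIONS = 12
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def labels(name):
    """'www.Example.org.' -> ['www', 'example', 'org'] (lower-cased, root label dropped)."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def canonical_key(name):
    """RFC 4034 s6.1 canonical order: labels right to left, bytewise; parents sort first."""
    return tuple(l.encode() for l in reversed(labels(name)))


def nsec3_hash(name, salt=NSEC3_SALT, iterations=NSEC3_ITERATIONS):
    """RFC 5155 s5: SHA-1 over the lower-cased wire-format name plus salt, re-hashed
    `iterations` more times with the salt appended each round."""
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels(name)) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


def b32hex(digest):
    """Base32hex without padding (RFC 4648 s7): the NSEC3 owner-name presentation."""
    return base64.b32encode(digest).decode().rstrip("=").translate(_B32HEX).lower()


def closest_encloser(zone_names, qname):
    """(closest encloser, next closer name) for a QNAME that does not exist in the zone."""
    existing = {canonical_key(n) for n in zone_names}
    if canonical_key(qname) in existing:
        raise ValueError(f"{qname} exists: that is a NODATA case, not NXDOMAIN")
    labs = labels(qname)
    for i in range(1, len(labs) + 1):
        ancestor = ".".join(labs[i:]) + "."
        if canonical_key(ancestor) in existing:
            return ancestor, ".".join(labs[i - 1:]) + "."
    raise ValueError(f"{qname} is not below any name in the zone")


def _chain(owners):
    """Pair each sorted owner with the next; the last record wraps round to the first."""
    return [(owners[i], owners[(i + 1) % len(owners)]) for i in range(len(owners))]


def _find(chain, key, keyfn):
    """('match', rec) if key is an owner, else ('cover', rec) whose owner..next spans key."""
    for owner, nxt in chain:
        ko, kn = keyfn(owner), keyfn(nxt)
        if key == ko:
            return "match", (owner, nxt)
        wraps = ko >= kn  # only the last record in the chain
        if ko < key < kn or (wraps and (key > ko or key < kn)):
            return "cover", (owner, nxt)
    raise AssertionError("a complete chain matches or covers every name")


def nxdomain_nsec_proof(zone_names, qname):
    """NSEC for NXDOMAIN: cover QNAME and cover *.<closest encloser>; one or two records."""
    chain = _chain(sorted(zone_names, key=canonical_key))
    ce, _ = closest_encloser(zone_names, qname)
    _, qname_rec = _find(chain, canonical_key(qname), canonical_key)
    kind, wild_rec = _find(chain, canonical_key("*." + ce), canonical_key)
    if kind == "match":
        raise ValueError(f"*.{ce} exists: the answer would be wildcard-synthesised")
    return [qname_rec] if wild_rec == qname_rec else [qname_rec, wild_rec]


def implied_closest_encloser(nsec_record, qname):
    """NSEC never names the closest encloser: it is the longest ancestor QNAME shares with
    the covering record's owner (or next) name, because every ancestor of an owner exists."""
    def shared(a, b):
        common = []
        for x, y in zip(reversed(labels(a)), reversed(labels(b))):
            if x != y:
                break
            common.append(x)
        return ".".join(reversed(common)) + "."
    owner, nxt = nsec_record
    return max(shared(qname, owner), shared(qname, nxt), key=lambda n: len(labels(n)))


def nxdomain_nsec3_proof(zone_names, qname):
    """NSEC3 for NXDOMAIN: hashing hides ancestry, so the closest encloser gets its own
    matching record, then the next closer name and *.<closest encloser> each get a cover."""
    chain = _chain(sorted(zone_names, key=nsec3_hash))
    ce, next_closer = closest_encloser(zone_names, qname)
    roles = {}
    kind, roles["closest_encloser"] = _find(chain, nsec3_hash(ce), nsec3_hash)
    assert kind == "match", "the closest encloser exists, so its hash must match"
    _, roles["next_closer"] = _find(chain, nsec3_hash(next_closer), nsec3_hash)
    kind, roles["wildcard"] = _find(chain, nsec3_hash("*." + ce), nsec3_hash)
    if kind == "match":
        raise ValueError(f"*.{ce} exists: the answer would be wildcard-synthesised")
    return roles, list(dict.fromkeys(roles.values()))  # distinct records, in role order
```

All names are passed as absolute names with a trailing dot. nxdomain_nsec_proof returns the (owner, next) pairs of the NSEC records a server would include; nxdomain_nsec3_proof returns the same pairs labelled by role (closest encloser match, next closer cover, wildcard cover) together with the de-duplicated list, so the count of distinct records shows directly when the third NSEC3 is actually needed. Print b32hex(nsec3_hash(owner)) on a pair to see the hashed owner names as they appear in a real NSEC3 RRset.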