I-D Action: draft-gieben-auth-denial-of-existence-dns-00.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.


	Title           : Authenticated Denial of Existence in the DNS
	Author(s)       : R. (Miek) Gieben
                          W. (Matthijs) Mekking
	Filename        : draft-gieben-auth-denial-of-existence-dns-00.txt
	Pages           : 21
	Date            : 2012-08-01

Abstract:
   Authenticated denial of existence allows a resolver to validate that
   a certain domain name does not exist.  It is also used to signal that
   a domain name exists, but does not have the specific RR type you were
   asking for.  This document attempts to answer two simple questions.

   When returning a negative DNSSEC response, a name server sometimes
   includes up to two NSEC records.  With NSEC3 the maximum amount is
   three.

   o  Why do you need up to two NSEC records?

   o  And why does NSEC3 sometimes require an extra record?

   The answer to the questions hinges on the concept of wildcards and
   the "closest encloser".  With NSEC, the name that is the "closest
   encloser" is implicitly given in the record that also denies the
   existence of the domain name.  With NSEC3, due to its hashing, this
   information has to be given explicitly to a resolver.  It needs one
   record to tell the resolver the closest encloser and then another to
   deny the existence of the domain name.  Both NSEC and NSEC3 may need
   yet another record to deny or assert a wildcard presence.  This
   results in a maximum of two NSEC and three NSEC3 records,
   respectively.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-gieben-auth-denial-of-existence-dns

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-gieben-auth-denial-of-existence-dns-00


Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
I-D-Announce mailing list
I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
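
The closest-encloser reasoning in the abstract, worked through as an added example (not code from the draft or its authors): for a name that does not exist, it computes which hashed names the up-to-three NSEC3 records must match or cover. The function names, the owner list and the query names are assumptions made for illustration; the hash follows RFC 5155 and the sample parameters are modelled on that RFC's example zone.

```python
import base64
import hashlib

# base32hex alphabet (RFC 4648), used for NSEC3 owner labels
B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                         b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def ancestors(name):
    """'a.b.example' -> ['a.b.example', 'b.example', 'example']"""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash: salted SHA-1 over the wire-format name, iterated."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.lower().rstrip(".").split(".")) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # 'iterations' extra rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(B32HEX).decode().lower()

def nsec3_denial(qname, owners, apex, salt_hex, iterations):
    """Return (role, name, hash) for each NSEC3 a negative answer needs."""
    # Names that exist: owners plus empty non-terminals down to the apex.
    exists = {a for o in owners for a in ancestors(o)
              if a == apex or a.endswith("." + apex)}
    chain = ancestors(qname)
    idx = next((i for i, n in enumerate(chain) if n in exists), None)
    if idx is None:
        raise ValueError("qname is outside the zone")
    if idx == 0:
        raise ValueError("qname exists; no name error to prove")
    encloser, next_closer, wildcard = chain[idx], chain[idx - 1], "*." + chain[idx]
    roles = [("match", encloser),        # names the closest encloser explicitly
             ("cover", next_closer),     # denies the name one label longer
             ("match" if wildcard in exists else "cover", wildcard)]
    return [(r, n, nsec3_hash(n, salt_hex, iterations)) for r, n in roles]

# Constructed sample: owner names and NSEC3 parameters modelled on the
# example zone in RFC 5155 Appendix A (salt aabbccdd, 12 iterations).
OWNERS = ["example", "a.example", "ns1.example", "*.w.example",
          "x.w.example", "x.y.w.example", "xx.example"]

if __name__ == "__main__":
    for role, name, h in nsec3_denial("a.c.x.w.example", OWNERS,
                                      "example", "aabbccdd", 12):
        print(f"{role:5}  {name:16}  {h}")
```

A "match" row is an NSEC3 whose owner hash equals the listed hash; a "cover" row is an NSEC3 whose owner and next-hashed-owner values bracket it. With NSEC the first row is unnecessary because the covering record's plain-text owner and next names already reveal the closest encloser.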