A New Internet-Draft is available from the on-line Internet-Drafts directories.
Title : Authenticated Denial of Existence in the DNS
Author(s) : R. (Miek) Gieben
W. (Matthijs) Mekking
Filename : draft-gieben-auth-denial-of-existence-dns-00.txt
Pages : 21
Date : 2012-08-01
Abstract:
Authenticated denial of existence allows a resolver to validate that
a certain domain name does not exist. It is also used to signal that
a domain name exists, but does not have the specific RR type you were
asking for. This document attempts to answer two simple questions.
When returning a negative DNSSEC response, a name server sometimes
includes up to two NSEC records. With NSEC3 the maximum amount is
three.
o Why do you need up to two NSEC records?
o And why does NSEC3 sometimes require an extra record?
The answer to the questions hinges on the concept of wildcards and
the "closest encloser". With NSEC, the name that is the "closest
encloser" is implicitly given in the record that also denies the
existence of the domain name. With NSEC3, due to its hashing, this
information has to be given explicitly to a resolver. It needs one
record to tell the resolver the closest encloser and then another to
deny the existence of the domain name. Both NSEC and NSEC3 may need
yet another record to deny or assert a wildcard presence. This
results in a maximum of two NSEC and three NSEC3 records,
respectively.
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-gieben-auth-denial-of-existence-dns
There's also a htmlized version available at:
http://tools.ietf.org/html/draft-gieben-auth-denial-of-existence-dns-00
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
_______________________________________________
I-D-Announce mailing list
I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
