DNS Security (DNSSEC) Authenticated Denial of Existence
draft-gieben-nsec4-01
Document | Type |
Expired Internet-Draft
(individual)
Expired & archived
|
|
---|---|---|---|
Authors | R. (Miek) Gieben , Matthijs Mekking | ||
Last updated | 2013-01-05 (Latest revision 2012-07-04) | ||
RFC stream | (None) | ||
Intended RFC status | (None) | ||
Formats | |||
Stream | Stream state | (No stream defined) | |
Consensus boilerplate | Unknown | ||
RFC Editor Note | (None) | ||
IESG | IESG state | Expired | |
Telechat date | (None) | ||
Responsible AD | (None) | ||
Send notices to | (None) |
This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:
Abstract
The Domain Name System Security (DNSSEC) Extensions introduced the NSEC resource record for authenticated denial of existence, and the NSEC3 resource record for hashed authenticated denial of existence. This document introduces an alternative resource record, NSEC4, which similarly provides authenticated denial of existence. It permits gradual expansion of delegation-centric zones, just like NSEC3 does. With NSEC4 it is possible, but not required, to provide measures against zone enumeration. NSEC4 reduces the size of the denial of existence response and adds Opt-Out to unhashed names.
Authors
R. (Miek) Gieben
Matthijs Mekking
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)