DNS Security (DNSSEC) Authenticated Denial of Existence

Document Type: Expired Internet-Draft (individual)
Authors: R. Gieben, Matthijs Mekking
Last updated: 2013-01-05 (latest revision 2012-07-04)
Stream: (None)
Intended RFC status: (None)
Expired & archived
Stream state: (No stream defined)
Consensus Boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date:
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


The Domain Name System Security (DNSSEC) Extensions introduced the NSEC resource record for authenticated denial of existence, and the NSEC3 resource record for hashed authenticated denial of existence. This document introduces an alternative resource record, NSEC4, which similarly provides authenticated denial of existence. It permits gradual expansion of delegation-centric zones, just like NSEC3 does. With NSEC4 it is possible, but not required, to provide measures against zone enumeration. NSEC4 reduces the size of the denial of existence response and adds Opt-Out to unhashed names.


R. Gieben (miek.gieben@sidn.nl)
Matthijs Mekking (matthijs@nlnetlabs.nl)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)