Search RFCs
RFC 7129
Authenticated Denial of Existence in the DNS,February 2014
- File formats:
- Status:
- INFORMATIONAL
- Authors:
- R. Gieben
W. Mekking - Stream:
- INDEPENDENT
Cite this RFC:TXT | XML | BibTeX
DOI: https://doi.org/10.17487/RFC7129
Discuss this RFC: Send questions or comments to the mailing listrfc-ise@rfc-editor.org
Other actions:Submit Errata | Find IPR Disclosures from the IETF | View History of RFC 7129
Abstract
Authenticated denial of existence allows a resolver to validate thata certain domain name does not exist. It is also used to signal thata domain name exists but does not have the specific resource record(RR) type you were asking for. When returning a negative DNSSecurity Extensions (DNSSEC) response, a name server usually includesup to two NSEC records. With NSEC version 3 (NSEC3), this amount isthree.
This document provides additional background commentary and somecontext for the NSEC and NSEC3 mechanisms used by DNSSEC to provideauthenticated denial-of-existence responses.
For the definition ofStatus,seeRFC 2026.
For the definition ofStream, seeRFC 8729.