rfc-5155

DNS Security (DNSSEC) Hashed Authenticated Denial of Existence

B. Laurie, G. Sisson, R. Arends, D. Blacka

date2008-03 streamIETF areaint wgdnsext statusPROPOSED STANDARD pages52 canonicalhttps://www.rfc-editor.org/rfc/rfc5155 doi10.17487/RFC5155 errataview

The Domain Name System Security (DNSSEC) Extensions introduced the NSEC resource record (RR) for authenticated denial of existence. This document introduces an alternative resource record, NSEC3, which similarly provides authenticated denial of existence. However, it also provides measures against zone enumeration and permits gradual expansion of delegation-centric zones. [STANDARDS-TRACK]

updated by

rfc-6840 — Clarifications and Implementation Notes for DNS Security (DNSSEC)
rfc-6944 — Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm Implementation Status
rfc-9077 — NSEC and NSEC3: TTLs and Aggressive Use
rfc-9157 — Revised IANA Considerations for DNSSEC
rfc-9276 — Guidance for NSEC3 Parameter Settings
rfc-9905 — Deprecating the Use of SHA-1 in DNSSEC Signature Algorithms