RFC 5155 - DNS Security (DNSSEC) Hashed Authenticated Denial of Existence

Published: March 2008
Category: Standards Track
Authors: B. Laurie, G. Sisson, R. Arends (Nominet), D. Blacka (VeriSign, Inc.)

---

Status of This Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

---

Abstract

The Domain Name System Security (DNSSEC) Extensions introduced the NSEC resource record (RR) for authenticated denial of existence. This document introduces an alternative resource record, NSEC3, which similarly provides authenticated denial of existence. However, it also provides measures against zone enumeration and permits gradual expansion of delegation-centric zones.

---

Contents

• 1. Introduction
  • 1.1. Rationale
  • 1.2. Requirements
  • 1.3. Terminology
• 2. Backwards Compatibility
• 3. The NSEC3 Resource Record
  • 3.1. RDATA Fields
    • 3.1.1. Hash Algorithm
    • 3.1.2. Flags
    • 3.1.2.1. Opt-Out Flag
    • 3.1.3. Iterations
    • 3.1.4. Salt Length
    • 3.1.5. Salt
    • 3.1.6. Hash Length
    • 3.1.7. Next Hashed Owner Name
    • 3.1.8. Type Bit Maps
  • 3.2. NSEC3 RDATA Wire Format
    • 3.2.1. Type Bit Maps Encoding
  • 3.3. Presentation Format
• 4. The NSEC3PARAM Resource Record
  • 4.1. RDATA Fields
    • 4.1.1. Hash Algorithm
    • 4.1.2. Flag Fields
    • 4.1.3. Iterations
    • 4.1.4. Salt Length
    • 4.1.5. Salt
  • 4.2. NSEC3PARAM RDATA Wire Format
  • 4.3. Presentation Format
• 5. Calculation of the Hash
• 6. Opt-Out
• 7. Authoritative Server Considerations
  • 7.1. Zone Signing
  • 7.2. Zone Serving
    • 7.2.1. Closest Encloser Proof
    • 7.2.2. Name Error Responses
    • 7.2.3. No Data Responses, QTYPE is not DS
    • 7.2.4. No Data Responses, QTYPE is DS
    • 7.2.5. Wildcard No Data Responses
    • 7.2.6. Wildcard Answer Responses
    • 7.2.7. Referrals to Unsigned Subzones
    • 7.2.8. Responding to Queries for NSEC3 Owner Names
    • 7.2.9. Server Response to a Run-Time Collision
  • 7.3. Secondary Servers
  • 7.4. Zones Using Unknown Hash Algorithms
  • 7.5. Dynamic Update
• 8. Validator Considerations
  • 8.1. Responses with Unknown Hash Types
  • 8.2. Verifying NSEC3 RRs
  • 8.3. Closest Encloser Proof
  • 8.4. Validating Name Error Responses
  • 8.5. Validating No Data Responses, QTYPE is not DS
  • 8.6. Validating No Data Responses, QTYPE is DS
  • 8.7. Validating Wildcard No Data Responses
  • 8.8. Validating Wildcard Answer Responses
  • 8.9. Validating Referrals to Unsigned Subzones
• 9. Resolver Considerations
  • 9.1. NSEC3 Resource Record Caching
  • 9.2. Use of the AD Bit
• 10. Special Considerations
  • 10.1. Domain Name Length Restrictions
  • 10.2. DNAME at the Zone Apex
  • 10.3. Iterations
  • 10.4. Transitioning a Signed Zone from NSEC to NSEC3
  • 10.5. Transitioning a Signed Zone from NSEC3 to NSEC
• 11. IANA Considerations
• 12. Security Considerations
  • 12.1. Hashing Considerations
    • 12.1.1. Dictionary Attacks
    • 12.1.2. Collisions
    • 12.1.3. Transitioning to a New Hash Algorithm
    • 12.1.4. Using High Iteration Values
  • 12.2. Opt-Out Considerations
  • 12.3. Other Considerations
• 13. References
  • 13.1. Normative References
  • 13.2. Informative References
• Appendix A. Example Zone
• Appendix B. Example Responses
  • B.1. Name Error
  • B.2. No Data Error
  • B.2.1. No Data Error, Empty Non-Terminal
  • B.3. Referral to an Opt-Out Unsigned Zone
  • B.4. Wildcard Expansion
  • B.5. Wildcard No Data Error
  • B.6. DS Child Zone No Data Error
• Appendix C. Special Considerations
  • C.1. Salting
  • C.2. Hash Collision
    • C.2.1. Avoiding Hash Collisions During Generation
    • C.2.2. Second Preimage Requirement Analysis
• Authors' Addresses

---

Related Resources

• Official RFC: https://www.rfc-editor.org/rfc/rfc5155.txt
• RFC DataTracker: https://datatracker.ietf.org/doc/html/rfc5155