With NSEC (RFC 4035), one NSEC record actually proves that the name doesn’t exist and proves what the “closest encloser” is as well. The other NSEC record is there to prove that some wildcard record that could have covered the QNAME also did not exist, and thus, NXDOMAIN was the correct answer. Whew!

In NSEC3 (RFC 5155, yay!), you need three records: one to prove that the QNAME did not exist, one to prove what the “closest encloser” is, and one to prove that the wildcard did not exist. Basically, the first NSEC record is replaced by two NSEC3 records and the second is replaced by one. Of course, we always had to say “up to three” because sometimes the same NSEC3 record would apply for more than one role — this would happen a lot for a very small zone using NSEC3.

But, all this is pretty hard to keep straight in your head, so I forgive Ben for not getting it quite right. And I apologize in advance if I haven’t gotten it quite right either.
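As an added illustration, not code from the original post or from Ben's, the Python below walks through the NSEC3 NXDOMAIN proof described above: it hashes names per RFC 5155 section 5, then picks the record that matches the closest encloser and the records that cover the next closer name and the wildcard, and counts how many distinct NSEC3 records that actually takes. The zone names, salt and iteration count are those of RFC 5155 Appendix A; the zone layout, function names and queries are constructed for the example.

```python
import base64, hashlib

# Constructed zone: the owner names of RFC 5155 Appendix A's example zone (including the
# empty non-terminal y.w.example.), with that appendix's salt and iteration count.
ZONE_NAMES = ["example.", "a.example.", "ai.example.", "ns1.example.", "ns2.example.",
              "w.example.", "*.w.example.", "x.w.example.", "x.y.w.example.", "y.w.example."]
SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 12
# Python's b32encode emits RFC 4648 base32; NSEC3 owner names use base32hex, so remap the alphabet.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    """Canonical lowercase wire format of a fully qualified name (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5: SHA-1(name || salt), re-hashed with the salt `iterations` more times."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode("ascii").translate(_B32_TO_B32HEX)

def covers(chain, h):  # owner hash of the NSEC3 whose (owner, next) interval covers h; None if h matches
    for i, owner in enumerate(chain):
        nxt = chain[(i + 1) % len(chain)]
        if owner < h < nxt or (owner >= nxt and (h > owner or h < nxt)):  # last record wraps to first
            return owner
    return None

def nxdomain_proof(qname, zone_names, salt=b"", iterations=0):
    """The up-to-three NSEC3 records a validator needs for an NXDOMAIN answer (RFC 5155 section 8.4)."""
    hashed = lambda n: nsec3_hash(n, salt, iterations)
    chain = sorted(hashed(n) for n in zone_names)  # base32hex sorts the same as the raw hash
    if hashed(qname) in chain:
        raise ValueError(f"{qname} exists; an NXDOMAIN proof for it would be bogus")
    labels = qname.lower().rstrip(".").split(".")
    for i in range(1, len(labels) + 1):  # walk up until a name that exists: the closest encloser
        ce = ".".join(labels[i:]) + "."
        if hashed(ce) in chain:
            break
    else:
        raise ValueError("no closest encloser in this zone")
    next_closer, wildcard = ".".join(labels[i - 1:]) + ".", "*." + ce
    if hashed(wildcard) in chain:
        raise ValueError(f"{wildcard} exists; this is a wildcard expansion, not NXDOMAIN")
    proof = {"closest_encloser": (ce, hashed(ce)),                                  # matched
             "next_closer": (next_closer, covers(chain, hashed(next_closer))),      # covered
             "wildcard": (wildcard, covers(chain, hashed(wildcard)))}               # covered
    proof["records_needed"] = len({owner for _, owner in proof.values()})  # 1..3: roles may share a record
    return proof
```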

Ben Laurie celebrates the publication of RFC 5155. I hadn’t gotten around to blogging about it, but I’m also pretty happy that this RFC finally made it out.

Ben says:

It turns out that in general, to prove the nonexistence of a name usin…