Domain Name System Security Extensions: Difference between revisions

==Authenticating NXDOMAIN responses and NSEC==
Cryptographically proving the absence of a ___domain requires signing the response to every query for a non-existent ___domain. This is not a problem for online signing servers, which keep their keys available online. However, DNSSEC was designed around using offline computers to sign records so that zone-signing keys could be kept in cold storage. This presents a problem when trying to authenticate responses to queries for non-existent domains, since it is impossible to pre-generate a response to every possible hostname query.
 
The initial solution was to create NSEC records for every pair of adjacent domains in a zone. Thus, if a client queried for a record at the non-existent <code>k.example.com</code>, the server would respond with an NSEC record stating that no name exists between <code>a.example.com</code> and <code>z.example.com</code>. However, this leaks more information about the zone than traditional unauthenticated NXDOMAIN errors because it exposes the existence of real domains.
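As an added illustration that is not part of the article, the following Python models the NSEC mechanism described above over a constructed three-name zone: the server selects the NSEC record whose gap covers the queried name, the resolver checks that the name falls strictly inside that gap in RFC 4034 canonical order, and walking the chain's "next" pointers shows why the records enumerate the zone. Signatures (RRSIGs) are omitted; a real validator also checks them and that the record belongs to the queried zone.

```python
# Constructed example of NSEC-style denial of existence over a toy zone.
# Signatures are omitted: a real resolver also validates the RRSIG over the NSEC record.

def canonical_key(name: str) -> tuple:
    """Sort key implementing RFC 4034 canonical DNS name ordering:
    labels compared right-to-left (root first), case-insensitively;
    a name sorts before any name of which it is a proper suffix."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))

def build_nsec_chain(zone_names):
    """Return the zone's NSEC records as (owner, next) pairs.
    The last record wraps around to the first name (the zone apex)."""
    names = sorted(set(zone_names), key=canonical_key)
    return [(names[i], names[(i + 1) % len(names)]) for i in range(len(names))]

def nsec_covers(owner: str, nxt: str, qname: str) -> bool:
    """Resolver-side check: does this NSEC record prove qname does not exist?
    True when qname falls strictly inside the gap (owner, next)."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # wrap-around record at the end of the chain

def deny(chain, qname: str):
    """Authoritative-server side: pick the pre-signed NSEC record to return
    for a query on a non-existent name, or None if the name exists."""
    if any(canonical_key(owner) == canonical_key(qname) for owner, _ in chain):
        return None
    for owner, nxt in chain:
        if nsec_covers(owner, nxt, qname):
            return (owner, nxt)
    return None

def walk_chain(chain):
    """The leak the text describes: following the 'next' pointers lists every owner name."""
    return [owner for owner, _ in chain]

# Constructed zone: apex plus two hostnames, matching the article's a/z example.
ZONE = ["example.com", "a.example.com", "z.example.com"]
CHAIN = build_nsec_chain(ZONE)

if __name__ == "__main__":
    print(deny(CHAIN, "k.example.com"))   # ('a.example.com', 'z.example.com')
    print(deny(CHAIN, "zz.example.com"))  # ('z.example.com', 'example.com')
    print(deny(CHAIN, "a.example.com"))   # None: the name exists
    print(walk_chain(CHAIN))              # every name in the zone
```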