Revision as of 14:21, 26 October 2023 edit 2400:ac40:61c:6ca3:7c43:bb56:93c3:fb93 (talk) →##SQSGOOGLEONE##*. Tags: Reverted Mobile edit Mobile web edit ← Previous edit		Revision as of 14:21, 26 October 2023 edit undo Asparagusus (talk \| contribs) Extended confirmed users, Pending changes reviewers, Rollbackers 7,035 edits Reverting edit(s) by 2400:AC40:61C:6CA3:7C43:BB56:93C3:FB93 (talk) to rev. 1178634152 by Beland: Vandalism (RW 16.1) Tags: RW Undo Next edit →
Line 184: ==Authenticating NXDOMAIN responses and NSEC== Cryptographically proving the absence of a ___domain requires signing the response to every query for a non-existent ___domain. This is not a problem for ~~onėline~~online signing servers, which keep their keys available online. However, DNSSEC was designed around using offline computers to sign records so that zone-signing-keys could be kept in cold storage. This represents a problem when trying to authenticate responses to queries for non-existent domains since it is impossible to pre-generate a response to every possible hostname query. The initial solution was to create NSEC records for every pair of domains in a zone. Thus if a client queried for a record at the non-existent <code>k.example.com</code>, the server would respond with an NSEC record stating that nothing exists between <code>a.example.com</code> and <code>z.example.com</code>. However, this leaks more information about the zone than traditional unauthenticated NXDOMAIN errors because it exposes the existence of real domains.

Domain Name System Security Extensions: Difference between revisions