[dns-operations] negative dnssec replies

Paul Vixie paul at redbarn.org
Sat Nov 26 18:51:11 UTC 2016

Router Log (peter.davies at esc.co.uk) wrote:
> The signing of negative replies from dnssec enabled zones increase the
> size of the zone data an the complexity dns. For the ease of use and
> implementaion would it be a good idea that a dnssec enabled zone could
> signal to a querier that it intends to send unsigned nxdomain replies?
> This mechanism would have to be signed of course. 

while no "roads not taken" rfc was published about the first 19 years of
DNSSEC design and discussion, those of us who lived through those years
remember why certain things weren't done. sadly, you're not asking for
that, you just want what you want, without regard to whether it was ever
discussed, or why it was dismissed.

security is either a form of economics or a form of risk management or a
hybrid of the two, depending on your point of view. the benefit of such
signaling is small: it means your zone can be DoS'd by any on-path and
some off-path attackers who can cause parts of your namespace to falsely
disappear for some clients. the cost is high: added complexity for all
parties including those who see no benefit in namespace DoS.

i suggest that you look instead at the cloudflare blog which describes a
way to encode an equivalent of nxdomain, with dnssec, that fits in a
512-octet dns payload. it's here:


P Vixie

More information about the dns-operations mailing list