DNS Security (DNSSEC) Hashed Authenticated Denial of Existence

E746788

DNS Security (DNSSEC) Hashed Authenticated Denial of Existence is a DNSSEC extension that uses cryptographic hashing to provide verifiable, secure proof that a requested DNS name or type does not exist without revealing the full contents of a zone.

All labels observed (1)

How this entity was disambiguated

Statements (35)

Predicate Object
instanceOf DNS security mechanism
DNSSEC extension
addressesProblem information leakage about non-requested domain names
zone enumeration risk
basedOn hash values of domain names
category DNS privacy enhancement
DNSSEC denial-of-existence mechanism
comparedTo NSEC
NSEC3 NERFINISHED
designGoal limit disclosure of zone contents
support efficient DNSSEC validation
doesNotRequire disclosure of neighboring domain names in zone order
ensures authenticity of denial-of-existence responses
integrity of denial-of-existence responses
evidenceType cryptographically verifiable proof of non-existence
goal to avoid revealing full DNS zone contents
to prove non-existence of DNS names or types
mitigates offline zone-walking attacks
operatesIn Domain Name System (DNS) NERFINISHED
operatesWith DNS Security Extensions (DNSSEC) NERFINISHED
operationalContext authoritative DNS servers
validating DNS resolvers
property cryptographically secure
privacy-preserving
verifiable
provides authenticated denial of existence
relatedConcept authenticated denial of existence
relatedTo DNS zone privacy
DNSSEC proof construction
requires DNSSEC validation by resolvers
securityProperty protection against forged NXDOMAIN responses
resistance to zone enumeration
usedFor proving that a DNS name does not exist
proving that a DNS record type does not exist at an existing name
uses cryptographic hashing

How these facts were elicited

Referenced by (1)

Full triples — surface form annotated when it differs from this entity's canonical label.

RFC 5155 title DNS Security (DNSSEC) Hashed Authenticated Denial of Existence