Authenticated denial of existence enables a resolver to validate that a record does not exist. For this purpose, an authoritative server presents, in a response to the resolver, signed NSEC (Section 3.1.3
of RFC 4035
) or NSEC3 (Section 7.2
of RFC 5155
) records that provide cryptographic proof of this nonexistence. The NSEC3 method enhances NSEC by providing opt-out for signing insecure delegations and also adds limited protection against zone-enumeration attacks.
An authoritative server response carrying records for authenticated denial is always self-contained, and the receiving resolver doesn't need to send additional queries to complete the proof of denial. For this reason, no rollover is needed when switching between NSEC and NSEC3 for a signed zone.
Since authenticated-denial responses are self-contained, NSEC and NSEC3 can be used by different providers to serve the same zone. Doing so, however, defeats the protection against zone enumeration provided by NSEC3 (because an adversary can trivially enumerate the zone by just querying the providers that employ NSEC). A better configuration involves multiple providers using different authenticated denial-of-existence mechanisms that all provide zone-enumeration defense, such as precomputed NSEC3, [RFC 7129
], etc. Note, however, that having multiple providers offering different authenticated-denial mechanisms may impact how effectively resolvers are able to make use of the caching of negative responses.
Usually, the NSEC and NSEC3 methods are used exclusively (i.e., the methods are not used at the same time by different servers). This configuration is preferred, because the behavior is well defined and closest to current operational practice.
Compliant resolvers should be able to validate zone data when different authoritative servers for the same zone respond with different authenticated-denial methods, because this is normally observed when NSEC and NSEC3 are being switched or when NSEC3PARAM is updated.
Resolver software may, however, be designed to handle a single transition between two authenticated denial configurations more optimally than a permanent setup with mixed authenticated-denial methods. This could make caching on the resolver side less efficient, and the authoritative servers may observe a higher number of queries. This aspect should be considered especially in the context of [RFC 8198
In case all providers cannot be configured with the same authenticated-denial mechanism, it is recommended to limit the distinct configurations to the lowest number feasible.
Note that NSEC3 configuration on all providers with different NSEC3PARAM values is considered a mixed setup.