Aggressive use of NSEC

By on 9 Aug 2016

Category: Tech matters


The Domain Name System (DNS) mainly converts easily remembered names (““) into IP addresses (““). In order to improve performance and to allow the DNS to scale, the DNS relies heavily on caching.

Unfortunately, humans (often) make mistakes, and so the DNS also has to implement “negative” caching. This is a cache that records the fact that a name does not exist. This could occur, for instance, because the domain expired or because the person entering it made a typo.

Unfortunately, the (current) negative cache requires an exact match – this means that if there is an entry for, a query for will cause the resolver to go off and try to look this up; the same thing will happen for,, etc.

Domain Name System Security Extensions (DNSSEC) adds security to the DNS by cryptographically signing answers [RFC4034, RFC4035]. This provides protection against tampering with answers by attackers, for example, to return an IP under the attacker’s control instead of the “real” answer for As well as providing cryptographic protection for names which do exist, DNSSEC also provides proof of which names do not exist.

Instead of signing every possible name in a domain that does not exist, DNSSEC accomplishes this with a clever trick – it alphabetically sorts all names in a domain and then adds signed NSEC (short for “Next Secure”) records, which state that nothing exists in the spaces between the names that do exist.

So, if contains (note: there is a fair bit of simplification here – please read the RFCs for actual detail):

banana  A
mail    A
www     A

DNSSEC would insert:

banana  NSEC  mail
mail    NSEC  www

and include signatures over these records. These say that there are no records in the range between “banana” and “mail”; and nothing between “mail” and “www”.

This means that if someone queries for they would get back the “mail NSEC www” record, and would be able to know for certain that the name really does not exist.

There is now a document [html, pdf] in the IETF DNSOP working group that recommends using these NSEC records in a more “aggressive” manner – it states that (DNSSEC validating) resolvers should use the information received in NSEC records, and should suppress queries for names that fall within the ranges in the NSEC records. In our very first example, if the response had included an NSEC record stating that nothing exists in the range “banana” to “mail”, the resolver would be able to immediately return a negative answer (NXDOMAIN) to the client, and would not even have to go off and bother the nameservers again.
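The range lookup described above, as an added example that is not part of the original post or of any resolver's code. The zone name example.com, the TTLs and the class and function names are assumptions; the sketch ignores wildcards and NSEC3 and assumes each NSEC record was DNSSEC-validated before being cached.

```python
import bisect

def canonical_key(name):
    # RFC 4034 section 6.1 ordering: lowercase, compare labels right to left.
    return tuple(reversed(name.rstrip(".").lower().split(".")))

class AggressiveNsecCache:
    """Validated NSEC ranges a resolver could answer NXDOMAIN from."""

    def __init__(self):
        self._owners = []   # canonical owner keys, kept sorted
        self._ranges = {}   # owner key -> (next-name key, expiry time)

    def add(self, owner, next_name, ttl, now):
        # Caller must have validated the NSEC's RRSIG before caching it.
        key = canonical_key(owner)
        if key not in self._ranges:
            bisect.insort(self._owners, key)
        self._ranges[key] = (canonical_key(next_name), now + ttl)

    def proves_nonexistent(self, qname, now):
        q = canonical_key(qname)
        i = bisect.bisect_right(self._owners, q) - 1
        if i < 0:
            return False                      # nothing cached at or before qname
        owner = self._owners[i]
        nxt, expires = self._ranges[owner]
        if now >= expires or q == owner:
            return False                      # stale record, or the name exists
        if owner < nxt:
            return q < nxt                    # ordinary gap: owner < qname < next
        # Last NSEC in the zone points back to the apex; only names inside
        # that zone are covered, not everything that sorts after the owner.
        return q[:len(nxt)] == nxt

def build_sample_cache(now=0):
    # Constructed sample: the post's two NSEC records under an assumed zone.
    cache = AggressiveNsecCache()
    cache.add("banana.example.com", "mail.example.com", ttl=300, now=now)
    cache.add("mail.example.com", "www.example.com", ttl=300, now=now)
    return cache

if __name__ == "__main__":
    cache = build_sample_cache()
    for name in ("cherry.example.com", "mail.example.com", "zebra.example.com"):
        print(name, cache.proves_nonexistent(name, now=10))
```

A name that sorts outside every cached range (before "banana", or after "www" while no NSEC for "www" is cached) returns False, so the resolver still has to query the authoritative servers for it.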

This technique will be effective at all levels of the DNS hierarchy, but one of the largest wins is likely to be at the root of the DNS tree, where upwards of 65% of all DNS queries result in an NXDOMAIN response.

Warren Kumari is a Senior Network Security Engineer at Google.


The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

One Comment

  1. Stéphane Bortzmeyer

    One can note that there are other ways to address the same issue. For instance, with another draft for DNSOP, “NXDOMAIN cut”, an NXDOMAIN reply for a name allows the client, the DNS resolver, to consider all names under this domain to be non-existent. Combined with RFC 7816 (“QNAME minimisation”, sending only the name of the TLD to the root), it could deliver the same results.

