Knowledge Base

What is authenticated denial and why should I care?

What if a query is made for records that do not exist? An unsecured DNS server returns the Start of Authority (SOA) record of the enclosing zone, along with an error code indicating the specific error that occurred (for example, that the name does not exist).

This creates an opportunity for a “replay attack,” in which an earlier “non-existence” response is repeated in place of a genuine answer. Because such a negative response carries no proof of its authenticity, the replay can make real hosts “disappear” by presenting an existing name or record type as non-existent.

In order to provide authenticated denial of records that do not exist while avoiding the replay attack described above, a new record type is introduced: the NSEC (or the newer NSEC3) record. An NSEC record exists for each DNS name that has any associated records. The NSEC record’s data includes the name of the next name in the zone, as well as a list of the record types present for the current name. When a DNS server responds to a query for which there are no matching records, it sends the “covering” NSEC record, the one whose owner name and next name enclose the queried name. All possible names are thus either present in the DNS or in a range covered by exactly one NSEC record, and because NSEC records are signed like any other DNSSEC data, a resolver can verify that the denial is genuine.
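To make the covering-record rule concrete, here is an added Python example (not from the original article, and not the code of any DNS implementation) that builds the NSEC chain for a constructed three-name zone and finds the record covering a name that does not exist; the zone names and record types are made up for the example.

```python
# Added example (not from the original article): build the NSEC chain for a
# constructed toy zone and find the NSEC record that "covers" a non-existent
# name. Canonical ordering follows RFC 4034 section 6.1 (labels compared
# right to left, case-insensitively, byte-wise); all record data is made up.

def canonical_key(name):
    """Sort key for DNSSEC canonical name order: labels reversed, lowercase."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode() for label in reversed(labels)]

def build_nsec_chain(zone):
    """zone: {owner_name: set(types)} -> list of (owner, next, types) in order.
    The last record points back to the apex, so the chain is a closed ring."""
    names = sorted(zone, key=canonical_key)
    chain = []
    for i, owner in enumerate(names):
        nxt = names[(i + 1) % len(names)]
        chain.append((owner, nxt, sorted(zone[owner] | {"NSEC", "RRSIG"})))
    return chain

def covering_nsec(chain, qname):
    """Return the single NSEC record whose (owner, next) interval covers qname,
    or None if qname exists (the resolver would then check its type bitmap)."""
    q = canonical_key(qname)
    for owner, nxt, types in chain:
        o, n = canonical_key(owner), canonical_key(nxt)
        if o == q:
            return None  # name exists; nothing to deny for the name itself
        if o < n and o < q < n:          # ordinary interval inside the chain
            return (owner, nxt, types)
        if o >= n and (q > o or q < n):  # last record wraps around to the apex
            return (owner, nxt, types)
    return None

# Constructed sample zone (names and types are made up for this example).
ZONE = {
    "example.test.": {"SOA", "NS"},
    "mail.example.test.": {"A"},
    "www.example.test.": {"A", "AAAA"},
}
CHAIN = build_nsec_chain(ZONE)

if __name__ == "__main__":
    for rec in CHAIN:
        print("%s NSEC %s %s" % (rec[0], rec[1], " ".join(rec[2])))
    print("covers ftp.example.test.:", covering_nsec(CHAIN, "ftp.example.test."))
    print("covers zzz.example.test.:", covering_nsec(CHAIN, "zzz.example.test."))
```

A query for `ftp.example.test.` is covered by the apex record (apex to `mail`), while `zzz.example.test.` is covered by the last record, which wraps from `www` back to the apex.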
