(This is an English translation of this Dutch blog article)

By writing the NSEC3 whitepaper, we gained a lot of insight into how “authenticated denial of existence” works. But some new questions popped up:

  • Is NSEC3 the most efficient way to do (hashed) authenticated denial of existence?
  • Are there ways to optimize the NSEC3 record that asserts or denies the wildcard?
  • Can’t we use Opt-Out for unhashed names too?

Answering these questions led to the birth of NSEC4, which is documented in this internet draft.

This is only the first version (a -00, as it’s called by the IETF). Surely a -01 will follow and maybe a -02.

With NSEC4:

  • We optimize the wildcard NSEC3 away by introducing a Wildcard bit flag. This shrinks negative answers by one NSEC4 record (and its signatures);
  • We introduce “Zero Hashing”, or no hashing at all. This creates an NSEC-like record with Opt-Out, something the current NSEC lacks;
  • We unify NSEC and NSEC3 into one new record: NSEC4.
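As an added example (not part of the original post or of the draft itself), this Python model shows why the Wildcard flag saves a record in a negative answer: an NXDOMAIN proof needs the closest encloser’s record, a record covering the next closer name and, without the flag, a third record covering the wildcard below the closest encloser. The hash functions, the flag semantics and the sample zone are simplifications and assumptions of mine, not the draft’s wire format.

```python
import hashlib

# Constructed sample zone: the apex, two ordinary names, and a name with a wildcard child.
ZONE = {"example", "a.example", "ns1.example", "w.example", "*.w.example"}

def labels(name):
    return name.lower().rstrip(".").split(".")

def identity(name):
    # "Zero Hashing" (assumed hash algorithm 0): no hash, only a canonical-order key
    return tuple(reversed(labels(name)))

def sha1_hash(name):
    # NSEC3-style hashing, simplified: no salt and no extra iterations
    return hashlib.sha1(".".join(labels(name)).encode()).hexdigest()

def build_chain(zone_names, h):
    """One record per existing name: owner key, next key in h-order, Wildcard flag."""
    owners = sorted(zone_names, key=h)
    return [{"name": n, "owner": h(n), "next": h(owners[(i + 1) % len(owners)]),
             "wildcard": ("*." + n) in zone_names}      # flag: does *.n exist in the zone?
            for i, n in enumerate(owners)]

def covers(rec, key):
    if rec["owner"] < rec["next"]:
        return rec["owner"] < key < rec["next"]
    return key > rec["owner"] or key < rec["next"]      # last record wraps around to the first

def nxdomain_proof(zone_names, qname, h, wildcard_flag):
    """Records a validator needs to verify NXDOMAIN for qname (qname must lie below the apex).
    Returns None when a wildcard at the closest encloser means the answer is not NXDOMAIN."""
    if qname in zone_names:
        raise ValueError("name exists; no denial to prove")
    chain = build_chain(zone_names, h)
    q = labels(qname)
    for i in range(1, len(q)):                          # closest encloser: the longest
        ce = ".".join(q[i:])                            # existing ancestor of qname
        if ce in zone_names:
            break
    next_closer = ".".join(q[i - 1:])
    ce_rec = next(r for r in chain if r["owner"] == h(ce))   # matches, so its flag is signed
    if ce_rec["wildcard"]:
        return None
    proof = [("closest encloser", ce_rec["name"]),
             ("next closer", next(r["name"] for r in chain if covers(r, h(next_closer))))]
    if not wildcard_flag:   # NSEC3 has no Wildcard flag: a third record must cover *.ce
        proof.append(("wildcard", next(r["name"] for r in chain if covers(r, h("*." + ce)))))
    return proof
```

The same function run with `wildcard_flag=False` models NSEC3 (three records, three signatures) and with `wildcard_flag=True` models NSEC4 (two), in either the hashed or the unhashed flavour.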

We’re aiming for the “experimental” track within the IETF; this removes the need for implementers to implement NSEC4, but preserves the document for future generations. It’s all about adding extra documentation to help people understand DNSSEC.