Authenticated Denial of Existence in the DNS

Paper on denial of existence in the DNS and how the protocol evolved. It answers two simple questions: Why do you need at most two NSEC records in negative responses? And why does NSEC3 requires an extra record?

Related links:

• PDF
• Blog article at sidnlabs.nl (Dutch)

publication