(This is an English translation of this blog article over at sidnlabs.nl)

In theory DNSSEC isn't really that complicated, but in practice some parts can be pretty intimidating.

One such part is "Authenticated denial of existence". In short, this is proving to a validating resolver, with a signed response, that a name (or a record type at an existing name) does not exist in the zone.

The DNSSEC specification uses two record types (and thus, in effect, two different methods) for this purpose:

  • The NSEC record, and
  • The NSEC3 record.
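
As an added illustration (not code from the white paper or from the original post), the following Python works through what a validating resolver actually checks against an NSEC chain and against an NSEC3 chain for the same small zone: the canonical ordering of RFC 4034 section 6.1, the "covering" test, the empty non-terminal case, the wildcard check an NXDOMAIN proof needs, and the NSEC3 hash of RFC 5155 section 5. The zone contents, the query list and all function names are constructed for the demo; only the NSEC3 salt and iteration count are taken from the example zone in RFC 5155 Appendix A, so that the hash of the apex can be compared with the value printed there.

```python
"""Added example (not the white paper's own code): what an NSEC chain and an NSEC3 chain prove
about a query, per RFC 4034/4035 and RFC 5155.  The zone and the queries are constructed."""
import base64
import hashlib
from itertools import takewhile
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed zone: name -> RR types present.  w.example. is an empty non-terminal (ENT).
ZONE: Dict[str, List[str]] = {"example.": ["SOA", "NS", "DNSKEY"], "a.example.": ["A"],
                              "ns1.example.": ["A"], "w.example.": [], "x.w.example.": ["A"]}
APEX = "example."
SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 12   # the NSEC3 parameters of RFC 5155 Appendix A

def labels(name: str) -> List[str]:
    """Labels of a presentation-format name, root first, ASCII case-folded."""
    name = name.rstrip(".")
    return name.lower().split(".")[::-1] if name else []

def name_of(root_first: Sequence[str]) -> str:
    return ".".join(reversed(root_first)) + "."

def canonical_key(name: str) -> Tuple[bytes, ...]:
    """RFC 4034 6.1 canonical order: label by label from the root, each as unsigned bytes."""
    return tuple(l.encode("ascii") for l in labels(name))

def covers(owner, nxt, q) -> bool:
    """q lies strictly between owner and nxt; the last record of a chain wraps to the first."""
    return owner < q < nxt if owner < nxt else (q > owner or q < nxt)

def build_nsec_chain(zone):
    names = sorted((n for n, t in zone.items() if t), key=canonical_key)   # ENTs get no NSEC
    return [(n, names[(i + 1) % len(names)], zone[n] + ["RRSIG", "NSEC"]) for i, n in enumerate(names)]

def prove_nsec(chain, apex: str, qname: str, qtype: str) -> Optional[str]:
    """'NXDOMAIN', 'NODATA', or None when the chain denies nothing about (qname, qtype)."""
    q, keyed = canonical_key(qname), [(canonical_key(o), canonical_key(n), t) for o, n, t in chain]
    if q[:len(canonical_key(apex))] != canonical_key(apex):
        return None                                  # not in this zone
    for o, n, types in keyed:
        if o == q:                                   # the name exists; only the type can be denied
            return None if qtype in types else "NODATA"
    hit = next(((o, n) for o, n, _ in keyed if covers(o, n, q)), None)
    if hit is None:
        return None
    if hit[1][:len(q)] == q:                         # next name lies below qname: qname is an ENT
        return "NODATA"
    # RFC 4035 5.4: NXDOMAIN also needs the wildcard at the closest encloser to be absent.  That
    # encloser is the longest common ancestor of the covering record's owner and qname; a wildcard
    # that exists is itself an owner, is covered by nothing, and so yields None here.
    ce = tuple(x for x, _ in takewhile(lambda p: p[0] == p[1], zip(hit[0], q)))
    return "NXDOMAIN" if any(covers(o, n, ce + (b"*",)) for o, n, _ in keyed) else None

def base32hex(data: bytes) -> str:
    """RFC 4648 extended-hex alphabet: NSEC3 uses it so that sorted hashes sort as owner names."""
    std, hexalpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV"
    return base64.b32encode(data).decode().translate(str.maketrans(std, hexalpha)).rstrip("=").lower()

def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1(wire-format name || salt), re-hashed `iterations` more times."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in reversed(labels(name))) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)

def build_nsec3_chain(zone, salt: bytes, iterations: int):
    hashed = sorted((nsec3_hash(n, salt, iterations), (t + ["RRSIG"]) if t else []) for n, t in zone.items())
    return [(h, hashed[(i + 1) % len(hashed)][0], t) for i, (h, t) in enumerate(hashed)]

def prove_nsec3(chain, apex: str, qname: str, qtype: str, salt: bytes, iterations: int) -> Optional[str]:
    """Same verdicts as prove_nsec, reached over hashed owner names (RFC 5155 section 8)."""
    def h(n: str) -> str:
        return nsec3_hash(n, salt, iterations)
    owners = {o: t for o, _, t in chain}
    if labels(qname)[:len(labels(apex))] != labels(apex):
        return None
    if h(qname) in owners:                           # ENTs have their own NSEC3 record, so they land here
        return None if qtype in owners[h(qname)] else "NODATA"
    parts = labels(qname)
    for cut in range(len(parts) - 1, 0, -1):         # candidate closest enclosers, longest first
        if h(name_of(parts[:cut])) in owners:
            need = (h(name_of(parts[:cut + 1])), h("*." + name_of(parts[:cut])))   # next closer, wildcard
            return "NXDOMAIN" if all(any(covers(o, n, x) for o, n, _ in chain) for x in need) else None
    return None

def verdicts(zone, apex, queries, salt, iterations):
    """(qname, qtype) -> (NSEC verdict, NSEC3 verdict) over the same zone, for side-by-side reading."""
    nsec, nsec3 = build_nsec_chain(zone), build_nsec3_chain(zone, salt, iterations)
    return {(n, t): (prove_nsec(nsec, apex, n, t), prove_nsec3(nsec3, apex, n, t, salt, iterations))
            for n, t in queries}

if __name__ == "__main__":
    queries = [("b.example.", "A"), ("w.example.", "A"), ("a.example.", "AAAA"),
               ("c.x.w.example.", "A"), ("a.example.", "A"), ("foo.com.", "A")]
    for (n, t), (v1, v2) in verdicts(ZONE, APEX, queries, SALT, ITERATIONS).items():
        print(f"{n:16} {t:5} NSEC={v1!s:9} NSEC3={v2}")
```

Reading the two verdict columns side by side shows the practical difference the paper is about: with NSEC the resolver reasons over the real owner names, so a covering record necessarily reveals the two existing names on either side of the query, and an empty non-terminal is only implied by the next name dipping below the query name; with NSEC3 the same decisions are made over hashed owner names, every empty non-terminal gets its own NSEC3 record, and an NXDOMAIN proof needs three pieces (an existing closest encloser, a covered next closer name and a covered wildcard) instead of one covering record plus a wildcard check.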

In this white paper (local copy) we explain how NSEC and NSEC3 work and what the main differences between them are. We also trace the evolutionary path from NSEC to NSEC3.

This white paper is intended for people who have some prior knowledge of DNS/DNSSEC.

Tags: dns(sec)

1 comment

Thank you for posting this. That’s the greatest entry I have found about this.

Comments are closed

If you really, really want to comment, please mail miek@miek.nl.
