What is DNSSEC?

DNSSEC is a protocol extension that adds data origin authentication to the Domain Name System (DNS). Using public key cryptography, a validating resolver can verify that a DNS response corresponds precisely to the data the responsible zone administrator entered into the system. DNSSEC addresses above all the risks of the DNS protocol described in RFC3833. The IETF worked on the development of DNSSEC for more than ten years before it finally published the three RFCs RFC4033, RFC4034 and RFC4035 in March 2005. This trilogy is also known as "DNSSECbis".
A serious problem of DNSSECbis was the so-called "zone walking": each NSEC record used to prove that a name does not exist names the next existing owner name in the zone, so following the chain makes it possible to enumerate the entire zone contents. This exposes not only the registration data but also every change made to the zone contents. DENIC, like some other registries - mainly but not only European ones - considers this side effect incompatible with data privacy obligations. The IETF pursued two approaches to solve the problem; both have since been published as "Proposed Standards".
The documents RFC4470 and RFC4471 describe a method for generating NSEC records and their signatures dynamically at query time. However, since the method requires the DNSSEC signing keys to be available on all name servers, it is used only in exceptional cases, and no corresponding implementations exist to date. The second solution, NSEC3 (described in RFC5155), disguises the data by replacing owner names with salted, iterated hashes, which makes the results of potential zone walking worthless. This procedure has been implemented in common name server and resolver implementations. DENIC was involved in the development of both solutions.
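The difference between the NSEC chain and the NSEC3 chain, as an added illustration that is not DENIC's code: it implements the RFC5155 hashed owner name (SHA-1, salt, iterations, base32hex) and builds both denial-of-existence chains over a small constructed zone, then follows each chain the way a zone walker would. The salt `aabbccdd` and the 12 iterations are the parameters of RFC5155's own example zone; the host names are constructed for this example.

```python
import base64
import hashlib

# Constructed sample zone: the "example" apex from RFC 5155 plus invented hosts.
ZONE = ["example", "a.example", "ns1.example", "xx.example"]

# Standard base32 alphabet -> base32hex ("Extended Hex") alphabet used by NSEC3.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def dns_name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 hashed owner name with hash algorithm 1 (SHA-1):
    IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    Output is base32hex without padding (20 bytes -> 32 characters)."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(dns_name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()


def nsec_chain(names):
    """NSEC: owner names in canonical order, each record naming its successor."""
    ordered = sorted(names, key=lambda n: n.lower().rstrip(".").split(".")[::-1])
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def nsec3_chain(names, salt_hex, iterations):
    """NSEC3: the same chain, but built over hashed owner names sorted by hash."""
    hashed = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return [(hashed[i], hashed[(i + 1) % len(hashed)]) for i in range(len(hashed))]


def walk(chain):
    """Follow each record's 'next' pointer from the first owner until it wraps:
    this is all that the denial-of-existence chain discloses to a zone walker."""
    successor = dict(chain)
    start = chain[0][0]
    seen, current = [start], successor[start]
    while current != start:
        seen.append(current)
        current = successor[current]
    return seen


if __name__ == "__main__":
    print("NSEC walk reveals :", walk(nsec_chain(ZONE)))
    print("NSEC3 walk reveals:", walk(nsec3_chain(ZONE, "aabbccdd", 12)))
```

Walking the NSEC chain yields the plaintext owner names; walking the NSEC3 chain yields only their hashes, which is why NSEC3 satisfies the privacy concern described above without changing the chain mechanism itself.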