The Domain Name System Security Extensions (DNSSEC) introduced two
resource records (RR) for authenticated denial of existence: the NSEC
RR and the NSEC3 RR. This document introduces NSEC5 as an
alternative mechanism for DNSSEC authenticated denial of existence.
NSEC5 uses verifiable random functions (VRFs) to prevent offline
enumeration of zone contents. NSEC5 also protects the integrity of
the zone contents even if an adversary compromises one of the
authoritative servers for the zone. Integrity is preserved because
NSEC5 does not require private zone-signing keys to be present on all
authoritative servers for the zone, in contrast to DNSSEC online
signing schemes like NSEC3 White Lies.

https://datatracker.ietf.org/doc/draft-vcelak-nsec5/
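The following added example (not code from the draft or its authors) sketches how a VRF supports denial of existence: the server proves the hash of a queried name with a VRF secret key, and the resolver checks the proof with the public key before testing that the hash falls in a gap between existing names. It assumes a toy RSA full-domain-hash VRF with a constructed, insecure key; all function names are hypothetical, and the zone-signing-key signature over each hash pair, which is made offline, is omitted.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes; far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                                # public VRF key is (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))        # VRF secret key; this is NOT a zone-signing key
NBYTES = (N.bit_length() + 7) // 8

def _fdh(name: str) -> int:
    """Full-domain hash: expand SHA-256 in counter mode and reduce into Z_N."""
    data = name.lower().rstrip(".").encode()
    stream = b"".join(hashlib.sha256(bytes([i]) + data).digest() for i in range(2))
    return int.from_bytes(stream, "big") % N

def vrf_prove(name: str, d: int = D) -> int:
    """Only a holder of the secret exponent can compute this proof."""
    return pow(_fdh(name), d, N)

def vrf_proof_to_hash(proof: int) -> bytes:
    return hashlib.sha256(proof.to_bytes(NBYTES, "big")).digest()

def vrf_verify(name: str, proof: int):
    """Return the VRF hash if proof is valid for name under (N, E), else None."""
    if not 0 <= proof < N or pow(proof, E, N) != _fdh(name):
        return None
    return vrf_proof_to_hash(proof)

def covers(lo: bytes, hi: bytes, h: bytes) -> bool:
    """True if h lies strictly inside the gap (lo, hi), including the wrap-around gap."""
    return lo < h < hi if lo < hi else (h > lo or h < hi)

def denial_for(qname, zone_names):
    """Server side: proof for qname plus the pair of existing hashes that covers it."""
    chain = sorted(vrf_proof_to_hash(vrf_prove(n)) for n in zone_names)
    proof = vrf_prove(qname)
    h = vrf_proof_to_hash(proof)
    for lo, hi in zip(chain, chain[1:] + chain[:1]):
        if covers(lo, hi, h):
            return proof, lo, hi
    return None  # qname hashes onto the chain, so it exists in the zone

def resolver_accepts(qname, proof, lo, hi):
    """Resolver side: needs only the public key; the (lo, hi) pair is signed offline."""
    h = vrf_verify(qname, proof)
    return h is not None and covers(lo, hi, h)
```

Because the hash of a name is derived from a proof that needs the secret exponent, a party holding only the public key and the published hash pairs cannot compute hashes for guessed names offline, unlike with an unkeyed hash.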