NSEC vs NSEC3
Understanding the differences between NSEC and NSEC3 and when to use each
What is Authenticated Denial?
Both NSEC and NSEC3 provide "authenticated denial of existence": a signed proof that a name, or a record type at a name, does not exist. Without it, an attacker who can spoof responses could answer a query for a record that does exist with a forged "no such record" response (NXDOMAIN or NODATA), and a validating resolver would have no way to tell the lie from a genuine negative answer. With it, the resolver checks the signed NSEC or NSEC3 records returned with the negative response and accepts the denial only if the proof holds.
NSEC (Next Secure)
How It Works
Each name in a signed zone gets an NSEC record that points to the next name in the zone's canonical order and carries a bitmap of the record types present at that name. Together the records form a chain that wraps around at the zone apex. A negative answer includes either the NSEC record whose gap covers the queried name (proving the name does not exist, NXDOMAIN) or the NSEC record for the name itself with the queried type absent from its bitmap (proving the type does not exist, NODATA). Because the proof is assembled from names that do exist, the signer never has to sign a statement about each possible non-existent name.
Example: the NSEC record for example.com might read "example.com has SOA, NS, A and MX records; the next name is mail.example.com". That one record proves that no name sorts between the two, for instance that admin.example.com does not exist.
Advantages
- Simpler implementation
- Smaller record sizes
- Faster signing and validation, since no hashing is involved
- Easier to debug
Disadvantages
- Zone Enumeration: the "next name" pointers let anyone walk the whole chain and list every name and record type in the zone (tools such as ldns-walk automate this against a live server)
- Security risk: attackers discover hostnames that were never advertised (staging, VPN, admin panels) and use the list as a target inventory
- Privacy concerns: exposes the zone's structure and size
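The following is an added example, not code from the original page: it builds a small NSEC chain for a constructed zone, shows how a validator reads it to prove NXDOMAIN or NODATA (the "How It Works" description above), and then walks the same chain to enumerate the zone, which is the disadvantage just listed. The zone contents, names and type bitmaps are constructed sample data.

```python
"""Added example (not from the original page): how an NSEC chain proves that a
name or type does not exist, and how the same chain is walked to enumerate the
zone. Stdlib only; the zone below is constructed for the demonstration."""

# Constructed NSEC chain for a signed zone example.com. (TTLs and RRSIGs left out):
# owner name -> (next owner name in canonical order, record types present at owner)
ZONE_NSEC = {
    "example.com.":         ("mail.example.com.",    {"SOA", "NS", "A", "MX", "DNSKEY", "NSEC", "RRSIG"}),
    "mail.example.com.":    ("staging.example.com.", {"A", "AAAA", "NSEC", "RRSIG"}),
    "staging.example.com.": ("www.example.com.",     {"A", "NSEC", "RRSIG"}),
    "www.example.com.":     ("example.com.",         {"A", "NSEC", "RRSIG"}),  # last record wraps to the apex
}
APEX = "example.com."


def canonical_key(name):
    """Sort key for DNSSEC canonical ordering (RFC 4034 section 6.1): names are
    compared label by label starting from the root, case-insensitively, and a
    name that is a prefix of another sorts first. So example.com. < a.example.com.
    and www.example.com. < deep.www.example.com., unlike plain string order."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode() for label in reversed(labels)]


def nsec_covers(owner, next_name, qname):
    """True if qname lies strictly inside the gap (owner, next) this NSEC record
    spans. The last record points back to the apex and covers every name after
    its owner."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n


def prove_denial(zone_nsec, qname, qtype):
    """Classify a query the way a validator reads a negative answer:
    EXISTS   - name present and type in its bitmap (a positive answer)
    NODATA   - name present but type absent from the bitmap
    NXDOMAIN - no such name; some NSEC record's gap covers it
    Returns (result, owner of the NSEC record used). A complete NXDOMAIN proof
    also needs an NSEC showing that no wildcard at the closest encloser matched;
    that second record is omitted here to keep the example short."""
    qname = qname.lower()
    if qname in zone_nsec:
        present = zone_nsec[qname][1]
        return ("EXISTS" if qtype in present else "NODATA", qname)
    for owner, (next_name, _) in zone_nsec.items():
        if nsec_covers(owner, next_name, qname):
            return ("NXDOMAIN", owner)
    raise ValueError(f"no NSEC record covers {qname}; the chain is broken")


def walk_nsec_chain(zone_nsec, apex):
    """Enumerate every name in the zone by following 'next' pointers from the
    apex until the chain wraps. Against a live server the same loop is driven by
    queries for names just past each owner; tools such as ldns-walk automate it."""
    names, current = [], apex
    while current not in names:
        names.append(current)
        current = zone_nsec[current][0]
    return names


if __name__ == "__main__":
    print("zone contents via NSEC walk:", walk_nsec_chain(ZONE_NSEC, APEX))
    for q, t in [("secret.example.com.", "A"), ("www.example.com.", "AAAA"), ("deep.www.example.com.", "A")]:
        print(q, t, "->", prove_denial(ZONE_NSEC, q, t))
```

Note the canonical ordering: deep.www.example.com. sorts after www.example.com., so it is covered by the last record (www.example.com. back to the apex) rather than by the apex record, which a naive alphabetical comparison would pick. Getting this ordering wrong is a common source of bogus denial proofs in home-grown validators.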
NSEC3 (Next Secure version 3)
How It Works
NSEC3 replaces the owner names in the chain with hashes. Each record's owner is the SHA-1 hash of a name in the zone (salted and optionally iterated, then Base32hex-encoded), and it points to the next hash in hash order, so walking the chain yields hashes instead of names. This makes enumeration harder, not impossible: an attacker can collect the hashes by querying non-existent names and then run an offline dictionary attack against them with a wordlist of common hostnames, using the salt and iteration count the zone publishes. The number of records in the chain also still reveals how many names the zone contains.
Example: an NSEC3 record reads "hash(example.com) ... next hash(www.example.com)", where each hash appears as a 32-character Base32hex label; the names themselves are not in the record.
Advantages
- Hinders zone enumeration: names are hashed, so an attacker must crack the chain offline instead of simply reading it
- Better resistance to disclosure of unadvertised names, especially ones unlikely to appear in a wordlist
- Hides the zone's names (though not its size) from casual inspection
- The usual choice for production zones whose full list of names is not meant to be public
Disadvantages
- More complex to implement and debug: hashed owner names must be recomputed to map records back to names
- Larger records and responses (hashed owner names plus salt and parameters)
- Requires an NSEC3PARAM record at the zone apex telling the authoritative server which hash parameters to use
- More work for the signer and for every validating resolver, growing with the iteration count
Side-by-Side Comparison
| Feature | NSEC | NSEC3 |
|---|---|---|
| Zone Enumeration | Trivial by walking the chain | Requires offline hash cracking |
| Record Size | Smaller | Larger |
| Complexity | Simple | Hash parameters to choose and manage |
| Protection against enumeration | None | Raises the attacker's cost |
| Use Case | Testing, public zones | Production, sensitive zones |
When to Use NSEC
- Test or development environments
- Public zones where every name is meant to be public anyway (a zone containing only the apex and www gains nothing from hashing)
- Zones with very simple structure
- Signing software or validators that do not support NSEC3 (rare today; NSEC3 has been standardized since RFC 5155)
When to Use NSEC3
- Production domains whose full list of names is not public
- Zones with sensitive or hidden subdomains
- Corporate or enterprise domains
- Any domain where privacy matters
- Domains handling sensitive data
NSEC3 Parameters
NSEC3 requires an NSEC3PARAM record at the zone apex; the same fields also appear in every NSEC3 record:
- Hash Algorithm: 1 = SHA-1, the only hash algorithm defined for NSEC3 (RFC 5155)
- Flags: bit 0 is Opt-Out. It is set in NSEC3 records when unsigned delegations are left out of the chain (useful for large delegation-heavy zones); in the NSEC3PARAM record the field is 0
- Iterations: number of additional SHA-1 rounds applied to each hash. Current guidance (RFC 9276) is 0. Extra iterations add little against offline dictionary attacks, since the attacker pays the cost once per guess while every validating resolver pays it on every negative answer, and many resolvers now treat zones with high iteration counts as insecure or fail to validate them
- Salt: bytes appended to the name before hashing, or "-" for none. RFC 9276 recommends no salt: the zone name is already part of every hashed input, so hashes cannot be precomputed across zones, and a salt only adds value if it is changed at every re-signing
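The following is an added example, not code from the original page: it implements the NSEC3 hashed-owner-name computation from RFC 5155 section 5 with the parameters just described (algorithm, iterations, salt), checks a hash against the NSEC3 ring, and runs the offline dictionary attack that the "How It Works" section above says hashing only slows down. The zone, its names, the salt and the wordlist are constructed sample data; the RFC 5155 Appendix A zone (salt aabbccdd, 12 iterations) provides official vectors if you want to cross-check the hash function.

```python
"""Added example (not from the original page): compute NSEC3 hashed owner names
as RFC 5155 section 5 specifies, check a hash against the NSEC3 ring, and run the
offline dictionary attack that hashing is meant to frustrate. Stdlib only; the
zone names, wordlist and parameters below are constructed for the demonstration."""
import base64
import hashlib

# Base32 with the Extended Hex alphabet (RFC 4648), which NSEC3 uses because it
# keeps the owner labels in the same order as the raw hash values.
_TO_BASE32HEX = str.maketrans("abcdefghijklmnopqrstuvwxyz234567",
                              "0123456789abcdefghijklmnopqrstuv")


def wire_name(name):
    """Lowercase DNS wire format of a name: length-prefixed labels ending in the
    root label. This, not the text form, is what gets hashed."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def nsec3_hash(name, salt, iterations):
    """IH(0) = SHA-1(wire name || salt); IH(k) = SHA-1(IH(k-1) || salt).
    The owner label is IH(iterations), Base32hex-encoded. SHA-1 (algorithm 1)
    is the only hash algorithm defined for NSEC3."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes = 160 bits = exactly 32 Base32 characters, so there is no padding.
    return base64.b32encode(digest).decode().lower().translate(_TO_BASE32HEX)


def nsec3_covers(owner_hash, next_hash, query_hash):
    """NSEC3 records form a ring in hash order; the last one points back to the
    lowest hash. Base32hex sorts like the underlying bytes, so plain string
    comparison is sufficient."""
    if owner_hash < next_hash:
        return owner_hash < query_hash < next_hash
    return query_hash > owner_hash or query_hash < next_hash


def crack_nsec3(owner_hashes, wordlist, zone, salt, iterations):
    """Offline dictionary attack. An attacker gathers hashed owner names by
    querying random non-existent names and saving the NSEC3 records returned,
    then hashes guesses with the zone's published salt and iteration count.
    Returns hash -> recovered name (None where no guess matched)."""
    recovered = {h: None for h in owner_hashes}
    for word in wordlist:
        candidate = f"{word}.{zone}"
        h = nsec3_hash(candidate, salt, iterations)
        if h in recovered:
            recovered[h] = candidate
    return recovered


# Constructed sample: a zone signed with NSEC3, salt aabbccdd and 0 iterations.
# RFC 9276 recommends 0 iterations and no salt; a salt is used here only so that
# code path is exercised.
ZONE = "example.com."
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 0
ZONE_NAMES = [ZONE, "www." + ZONE, "vpn." + ZONE, "staging." + ZONE]
WORDLIST = ["www", "mail", "ftp", "dev", "vpn", "staging", "admin"]


def demo():
    """Hash the zone's names, then recover three of the four from a small
    wordlist. Only the apex survives, and only because the wordlist carries no
    empty label; any hostname that appears in a wordlist falls immediately."""
    hashes = [nsec3_hash(n, SALT, ITERATIONS) for n in ZONE_NAMES]
    recovered = crack_nsec3(hashes, WORDLIST, ZONE, SALT, ITERATIONS)
    return sorted(name for name in recovered.values() if name)


if __name__ == "__main__":
    for name in ZONE_NAMES:
        print(f"{nsec3_hash(name, SALT, ITERATIONS)}.{ZONE}  <- {name}")
    print("recovered from wordlist:", demo())
```

Raising ITERATIONS makes crack_nsec3 proportionally slower, but it makes nsec3_hash equally slower for every validating resolver on every negative answer, which is the trade-off behind the RFC 9276 advice to leave it at 0. The real defence against this attack is choosing hostnames that are not in anyone's wordlist, not hash parameters.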
Checking Your Zone
Use our NSEC/NSEC3 Checker to see which method your domain uses. You can also check by hand: query your zone for a name that does not exist with DNSSEC records requested and look at the authority section, where NSEC records have readable owner names and NSEC3 records have 32-character hashed labels. Providers differ in their defaults: Amazon Route 53 uses NSEC3, while Cloudflare uses NSEC with minimally covering "black lies" responses, which defeat chain walking without hashing.
Recommendation
Use NSEC3, with 0 iterations and no salt as RFC 9276 recommends, for production zones whose names are not all meant to be public. Walking an NSEC zone is trivial and hands attackers a target list; NSEC3 raises the bar to an offline dictionary attack and, with those parameters, costs validating resolvers nothing extra. If every name in the zone is public anyway, plain NSEC is acceptable and simpler.
Next Steps
- Check your domain with our NSEC/NSEC3 checker
- If using NSEC, consider migrating to NSEC3 (or to a provider whose NSEC responses are minimally covering)
- Review your DNS provider's NSEC3 parameters: iterations, salt and opt-out
- Read about DNSSEC best practices