← Explore More Guides

NSEC vs NSEC3

Understanding the differences between NSEC and NSEC3 and when to use each

What is Authenticated Denial?

Both NSEC and NSEC3 provide "authenticated denial of existence" - they prove that a DNS record doesn't exist. This prevents attackers from claiming non-existent records and ensures resolvers can verify when a query returns "no such record" legitimately.

NSEC (Next Secure)

How It Works

NSEC records create a chain that lists all existing record types for each domain name. When a query is made for a non-existent record, the NSEC record proves what records DO exist, thereby proving the queried record doesn't.

Example: NSEC record might show "example.com has A and MX records, next is www.example.com"

Advantages

Disadvantages

NSEC3 (Next Secure version 3)

How It Works

NSEC3 uses cryptographic hashing to hide domain names. Instead of listing actual names, it shows hashed values. This makes it computationally infeasible to enumerate your zone.

Example: NSEC3 record shows "hash(example.com) to hash(www.example.com)" - actual names are hidden

Advantages

Disadvantages

Side-by-Side Comparison

Feature NSEC NSEC3
Zone Enumeration Vulnerable Protected
Record Size Smaller Larger
Complexity Simple Complex
Security Basic Enhanced
Use Case Testing, public zones Production, sensitive zones

When to Use NSEC

When to Use NSEC3

NSEC3 Parameters

NSEC3 requires NSEC3PARAM records that define:

Checking Your Zone

Use our NSEC/NSEC3 Checker to see which method your domain uses. Most modern DNS providers (Cloudflare, Route 53) use NSEC3 by default.

Recommendation

Use NSEC3 for all production domains. The security and privacy benefits far outweigh the slight increase in complexity. Zone enumeration is a real security risk, and NSEC3 effectively prevents it.

Next Steps