About NSEC and NSEC3
NSEC (Next Secure) and NSEC3 (Next Secure version 3) records provide authenticated denial of existence, which is a critical security feature in DNSSEC. They cryptographically prove that a DNS record doesn't exist, preventing attackers from claiming non-existent records and ensuring that "no such record" responses are authentic.
Without authenticated denial, an attacker could respond to queries for non-existent records with fake data, and resolvers would have no way to verify whether the record actually exists or not. NSEC and NSEC3 solve this problem by providing cryptographic proof of non-existence.
NSEC
- Reveals zone structure
- Lists all record types
- Vulnerable to zone enumeration
- Simpler implementation
NSEC3
- Hides zone structure
- Uses cryptographic hashing
- Prevents zone enumeration
- Recommended for security
To learn more about the differences and when to use each, read our NSEC vs NSEC3 guide.
Related tools
- DNSSEC validator — check overall DNSSEC status and validation
- Chain of trust verifier — verify each link from root to domain