What is zone walking?

Zone walking is the process of enumerating all names in a DNS zone by following the NSEC chain. Since NSEC records point to the 'next' domain name, an attacker can discover every name in the zone. Use NSEC3 to prevent this.

Should I use NSEC or NSEC3?

Use NSEC3 if zone privacy is important, as it hashes domain names to prevent enumeration. Use NSEC if zone contents aren't sensitive and you prefer simpler implementation with smaller response sizes.

How does NSEC prove non-existence?

NSEC chains domain names alphabetically. To prove 'banana.example.com' doesn't exist, it returns the NSEC for 'alpha.example.com' showing the next name is 'beta.example.com'. Since 'banana' falls in that gap, it provably doesn't exist.

NSEC Record DNSSEC

Q: What is an NSEC record?

An NSEC (Next Secure) record provides authenticated denial of existence in DNSSEC. It proves that a name or record type doesn't exist by showing the 'gap' between existing names in alphabetical order.

The NSEC record (Next Secure) provides authenticated denial of existence in DNSSEC. It proves that a name or record type doesn't exist by showing the "gap" between existing names in alphabetical order.

Look Up NSEC Records

Check NSEC records for any domain using our free DNS lookup tool.

Look Up NSEC Records →

What Is an NSEC Record?

Without DNSSEC, an attacker could forge "NXDOMAIN" (name doesn't exist) responses. NSEC records solve this by proving the non-existence cryptographically.

Each NSEC record contains:

The next domain name in the zone (alphabetically)
The record types that exist at the current name

NSEC Record Format

Example NSEC Record

alpha.example.com.    3600    IN    NSEC    beta.example.com. A AAAA RRSIG NSEC

This says: after alpha.example.com, the next name is beta.example.com. Alpha has A, AAAA, RRSIG, and NSEC records.

How NSEC Proves Non-Existence

If someone queries for "banana.example.com" and it doesn't exist:

Server returns the NSEC for "alpha.example.com"
NSEC shows next name is "beta.example.com"
"banana" falls between "alpha" and "beta" alphabetically
Therefore, "banana" doesn't exist (proven by the gap)

NSEC Record Fields

Field	Description
Next Domain Name	The next name in canonical order
Type Bit Maps	Record types present at this name

Zone Walking Concern

Privacy Issue

NSEC records reveal all names in a zone. By following the "next domain" chain, anyone can enumerate every name in your zone. This is called "zone walking."

If zone privacy is important, use NSEC3 instead, which hashes the names to prevent enumeration.

NSEC vs NSEC3

Aspect	NSEC	NSEC3
Zone walking	Possible (reveals all names)	Prevented (hashed names)
Complexity	Simpler	More complex
Response size	Smaller	Larger
Use case	Public zones where privacy isn't needed	When zone enumeration is a concern

When to Use NSEC

Public zones — When zone contents aren't sensitive
Simplicity — Easier to implement and debug
Performance — Slightly smaller responses
Transparency — When zone enumeration is acceptable or desired

NSEC Record Best Practices

Consider privacy needs — Use NSEC3 if zone enumeration is a concern.
Sign NSEC records — NSEC records must have RRSIG signatures.
Chain must be complete — Every gap in the zone must be covered.
Last wraps to first — The last NSEC points back to the zone apex.

Checking NSEC Records

# Query for non-existent name
dig nonexistent.example.com +dnssec

# The response will include NSEC proving non-existence

# List NSEC records
dig example.com NSEC

Troubleshooting NSEC

Common issues and solutions:

NSEC chain broken — Re-sign the zone; ensure all names are covered.
Missing type in bitmap — NSEC type bitmap must include all types at that name.
Expired RRSIG — NSEC records need valid signatures.
Zone walking detected — If privacy is needed, switch to NSEC3.

Check Your NSEC Records

Use our DNS Record Finder to look up NSEC records for any domain.