The NSEC3 record provides authenticated denial of existence like NSEC, but uses hashed names to prevent zone enumeration (zone walking). This provides better privacy while still allowing cryptographic proof that a name or record type doesn't exist.
Check NSEC3 records for any domain using our free DNS lookup tool.
NSEC3 works like NSEC but replaces actual domain names with cryptographic hashes. Instead of revealing that "alpha.example.com" is followed by "beta.example.com", it shows that hash(alpha) is followed by hash(beta).
This prevents attackers from easily enumerating all names in a zone.
2t7b4g4vsa5smi47k61mv5bv1a22bojr.example.com. 3600 IN NSEC3 1 0 10 aabbccdd (
4g3c2bq7o6bk82n8jls4j7b6sh3s2m89 A AAAA RRSIG )
| Field | Description | Example |
|---|---|---|
| Hash Algorithm | Algorithm used (1 = SHA-1) | 1 |
| Flags | 0 or 1 (opt-out flag) | 0 |
| Iterations | Number of hash iterations | 10 |
| Salt | Random salt (hex) or - | aabbccdd |
| Next Hashed Name | Hash of next name | 4g3c2bq7o6bk82... |
| Type Bit Maps | Record types at this name | A AAAA RRSIG |
NSEC3 parameters are published in an NSEC3PARAM record at the zone apex:
example.com. NSEC3PARAM 1 0 10 aabbccdd
Iterations: the number of times the hash is repeated. A higher value slows zone walking attacks but also slows legitimate resolution.
Salt: a random value added to the name before hashing. It was originally meant to prevent precomputation attacks, but modern guidance (RFC 9276) recommends no salt for simplicity.
Opt-out: when set (flag = 1), unsigned delegations can be skipped in the NSEC3 chain. Large zones like .com use it to reduce signing overhead.
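The hashing and the "gap" proof described above can be reproduced offline. The following is an added example, not code from this page or from any DNS tool: it computes NSEC3 hashes as defined in RFC 5155 section 5 (which appends the salt to the input on every round), builds a chain for a small constructed zone, and reports which record proves that a queried name does not exist. The zone names are constructed, the salt is the one from the example record above, and iterations is set to 12 rather than 10 so the hashes can be compared with RFC 5155 Appendix A.

```python
import base64
import hashlib

# Map the standard base32 alphabet onto base32hex (RFC 4648), lowercase.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

def to_wire(name):
    """Canonical DNS wire form: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt_hex, iterations):
    """Hash algorithm 1 (SHA-1) per RFC 5155 section 5."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):  # the field counts *additional* rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def build_chain(names, salt_hex, iterations):
    """Sort the hashed owner names and link each to its successor (circular)."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return list(zip(hashes, hashes[1:] + hashes[:1]))

def covers(owner, nxt, target):
    """True if target lies strictly inside the gap one NSEC3 record proves empty."""
    if owner < nxt:
        return owner < target < nxt
    return target > owner or target < nxt  # last record wraps to the first

def classify(chain, qname, salt_hex, iterations):
    """Return ('exists', record) or ('denied', record) for a queried name."""
    h = nsec3_hash(qname, salt_hex, iterations)
    for owner, nxt in chain:
        if h == owner:
            return "exists", (owner, nxt)
        if covers(owner, nxt, h):
            return "denied", (owner, nxt)
    raise ValueError("broken chain: no record matches or covers " + h)

# Constructed sample zone (names are assumptions made for this example).
ZONE = ["example", "a.example", "ns1.example", "w.example"]
SALT, ITERATIONS = "aabbccdd", 12
CHAIN = build_chain(ZONE, SALT, ITERATIONS)

if __name__ == "__main__":
    for q in ["ns1.example", "nosuchname.example"]:
        print(q, *classify(CHAIN, q, SALT, ITERATIONS))
```

Because base32hex preserves byte order, comparing the encoded strings directly gives the same ordering a validator uses on the raw hashes.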
| Aspect | NSEC | NSEC3 |
|---|---|---|
| Zone walking | Easy (reveals names) | Harder (only reveals hashes) |
| Response size | Smaller | Larger |
| CPU overhead | Minimal | Hashing required |
| Complexity | Simple | More complex |
Common issues and solutions:
DNS Explorer validates NSEC3 chains, checks parameter consistency, and alerts you to DNSSEC issues.