What are the recommended NSEC3PARAM settings?

Per RFC 9276, use algorithm 1 (SHA-1), flag 0 (no opt-out), 0 iterations, and no salt (-). This provides adequate security with minimal performance overhead.

Where should NSEC3PARAM be placed?

NSEC3PARAM must be placed at the zone apex (e.g., example.com). Only one NSEC3PARAM record should exist per zone, and all NSEC3 records must use matching parameters.

How do I change NSEC3 parameters?

Update the NSEC3PARAM record with new values and re-sign the entire zone. All NSEC3 records will be regenerated with the new parameters during the signing process.

NSEC3PARAM Record DNSSEC

Q: What is an NSEC3PARAM record?

NSEC3PARAM defines the parameters used to generate NSEC3 records in a DNSSEC-signed zone. It specifies the hash algorithm, iteration count, and salt value used when hashing domain names.

The NSEC3PARAM record defines the parameters used to generate NSEC3 records in a DNSSEC-signed zone. It's placed at the zone apex and tells signing software what hash algorithm, iterations, and salt to use.

Look Up NSEC3PARAM Records

Check NSEC3PARAM records for any domain using our free DNS lookup tool.

Look Up NSEC3PARAM Records →

What Is an NSEC3PARAM Record?

When a zone uses NSEC3 for denial of existence, the NSEC3PARAM record at the apex specifies:

Which hash algorithm to use
How many extra iterations to perform
What salt value to prepend
Whether to use the opt-out flag

NSEC3PARAM Record Format

Example NSEC3PARAM Record

example.com.    3600    IN    NSEC3PARAM    1 0 10 aabbccdd

Hash algorithm 1 (SHA-1), no flags, 10 iterations, salt "aabbccdd".

NSEC3PARAM Fields

Field	Description	Values
Hash Algorithm	Algorithm for hashing names	1 (SHA-1)
Flags	Opt-out flag	0 (no opt-out) or 1
Iterations	Additional hash rounds	0-65535 (0 recommended)
Salt	Hex-encoded salt or "-"	- (no salt) or hex value

Modern Best Practices (RFC 9276)

Current recommendations for NSEC3PARAM:

example.com.    NSEC3PARAM    1 0 0 -

Algorithm: 1 (SHA-1 is still standard for NSEC3)
Flags: 0 (no opt-out)
Iterations: 0 (no extra iterations)
Salt: - (no salt)

Older guidance suggested higher iterations and salts, but RFC 9276 determined these provide minimal security benefit while increasing CPU overhead.

Relationship to NSEC3

The NSEC3PARAM record is used during zone signing to generate NSEC3 records. All NSEC3 records in the zone must use the same parameters as specified in NSEC3PARAM.

# NSEC3PARAM at apex
example.com.    NSEC3PARAM    1 0 0 -

# NSEC3 records use same parameters
hash1.example.com.    NSEC3    1 0 0 - hash2 A AAAA
hash2.example.com.    NSEC3    1 0 0 - hash3 A MX

Changing NSEC3 Parameters

To change NSEC3 parameters:

Update the NSEC3PARAM record with new values
Re-sign the entire zone with new parameters
All NSEC3 records are regenerated

This typically requires a complete zone re-signing operation.

NSEC3PARAM Best Practices

Use 0 iterations — Per RFC 9276, additional iterations don't help.
Use no salt — Salts complicate rotation without significant benefit.
Avoid opt-out — Only use for very large zones with many unsigned delegations.
One NSEC3PARAM per zone — Only one NSEC3PARAM should exist at the apex.

Checking NSEC3PARAM Records

# Query NSEC3PARAM
dig example.com NSEC3PARAM

# Check full DNSSEC info
dig example.com +dnssec

Troubleshooting NSEC3PARAM

Common issues and solutions:

NSEC3 validation failing — Ensure NSEC3 records match NSEC3PARAM values.
Multiple NSEC3PARAM records — Remove extras; only one should exist.
Parameter mismatch — All NSEC3 records must use identical parameters.
High iteration count — Consider reducing to 0 per modern guidance.

Check Your NSEC3PARAM Records

Use our DNS Record Finder to look up NSEC3PARAM records for any domain.