DNSSEC: NSEC vs. NSEC3

The Domain Name System Security Extensions (DNSSEC) provide two different records for securely handling non-existent names in DNS: NSEC and NSEC3. They are mutually exclusive, so operators need to pick one when deploying DNSSEC.

The Problem

The problem both NSEC and NSEC3 solve is knowing whether a name exists within a given zone. This is required to prevent malicious actors from sending fake negative responses to queries.

Imagine you want to go to “research.example.com” in your web browser. The browser sends the request to your recursive DNS server and gets back the answer that the site doesn’t exist. How does the browser know that a malicious attacker didn’t just spoof that response so that you couldn’t get to the site? How does the browser really know that research.example.com does not have an A or AAAA record?

The Solution

The answer to both of those questions is the NSEC and NSEC3 DNS records, which provide “authenticated denial of existence”. Basically, for each record in a zone the NSEC/NSEC3 record provides a pointer to the next record of the same type. Imagine that there were A records for these names:

ftp.example.com
mail.example.com
research.example.com
www.example.com

Each would have a pointer to the next in an NSEC record that is cryptographically signed, creating a linked list of all the records. So if someone queried for “store.example.com”, the DNS server could answer back definitively, with a signed record, that such a name does not exist.

NSEC vs. NSEC3

The next obvious question is which one to use. When should an operator use NSEC, and when should they use NSEC3?

As you might gather from the example above, the challenge with the plain NSEC record is that someone could use the NSEC responses to “walk the zone” and build a list of all of the records in a DNS zone. Because of this information exposure, the NSEC3 record was created; it adds a hashing mechanism so that the zone cannot simply be walked.

NSEC is simpler, and the simple answer to this question is that operators should use NSEC when they don’t care about people crawling their domains. If you don’t care that someone might enumerate every name in your zone (a zone walk), then use NSEC.

NSEC3 should be used where zone operators care about others walking their entire zone. Its downsides are greater cryptographic overhead for recursive validators and slightly more complicated DNS configuration.
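As an added example (not code from the original post), here is the NSEC linked list from the section above built in Python over the post’s sample names, the lookup that finds the signed interval covering a non-existent name such as store.example.com, and the RFC 5155 owner-name hashing that turns the same chain into NSEC3, where a walk yields hashes rather than plaintext names. The zone contents are constructed here; the hashing follows RFC 5155 section 5 (SHA-1, salt, iterations, base32hex).

```python
import base64
import hashlib

# Constructed sample zone from the post: these names have A records.
APEX = "example.com"
SAMPLE_NAMES = ["ftp.example.com", "mail.example.com",
                "research.example.com", "www.example.com"]

def canonical_key(name):
    """RFC 4034 canonical order: labels compared right to left, lowercased."""
    return tuple(l.lower().encode() for l in reversed(name.rstrip(".").split(".")))

def build_nsec_chain(apex, names):
    """NSEC chain as (owner, next) pairs; the last owner points back to the apex."""
    ordered = sorted({apex, *names}, key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]

def covering_nsec(chain, qname):
    """The NSEC whose interval covers qname (the signed proof it does not
    exist), or None when qname is an owner in the chain and so does exist."""
    q = canonical_key(qname)
    for owner, nxt in chain:
        lo, hi = canonical_key(owner), canonical_key(nxt)
        if q == lo:
            return None
        wraps = hi <= lo  # the last record's interval wraps around to the apex
        if lo < q < hi or (wraps and (q > lo or q < hi)):
            return (owner, nxt)
    return None

def wire_name(name):
    """Owner name in lowercase DNS wire format, which is what NSEC3 hashes."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.lower().encode() for l in labels) + b"\x00"

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 s.5: SHA-1(name||salt), re-hashed `iterations` times with the
    salt appended each round; base32hex-encoded as in the NSEC3 owner name."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    std = base64.b32encode(digest).decode()  # 160 bits -> 32 chars, no padding
    return std.translate(str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                       "0123456789ABCDEFGHIJKLMNOPQRSTUV"))

def build_nsec3_chain(apex, names, salt=b"", iterations=0):
    """The same linked list over hashed owners: a walk yields hashes, not names."""
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in {apex, *names})
    return [(hashed[i], hashed[(i + 1) % len(hashed)]) for i in range(len(hashed))]
```

Calling `covering_nsec(build_nsec_chain(APEX, SAMPLE_NAMES), "store.example.com")` returns the research/www interval, which is the record a resolver would verify the RRSIG on; `build_nsec3_chain` with a salt and iteration count shows the extra hashing work a validator repeats for every negative answer.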

Further Reading

That’s the short answer. For a longer, more detailed discussion, check out some of the following resources.


If you would like to learn more about DNSSEC check out some of our other DNSSEC resources or visit our “Start Here” pages to find DNSSEC-related information focused on your type of organization.

August 8th, 2014 | Posted in DNSSEC, Information, Tutorials
