DNSSEC:NSEC vs. NSEC3
The Domain Name System Security Extensions(DNSSEC) provide two different records for securely handling non-existent names in DNS, NSEC and NSEC3. They are mutually exclusive, so operators need to pick one when deploying DNSSEC.
The problem both NSEC and NSEC3 solve is knowing when a name exists within a given zone. This is required to prevent malicious actors from sending fake negative responses to queries.
Imagine you want to go to “research.example.com” in our web browser. The browser sends the request to your recursive DNS server and gets back the answer that the site doesn’t exist. How does the browser know that a malicious attacker didn’t just spoof that response so that you couldn’t get to the site? How does the browser really know that research.example.com does not have an A or AAAA record?
The answer to both of those questions are the NSEC and NSEC3 DNS records that provide the “authenticated denial of existence”. Basically what happens is that for each record in a zone the NSEC/NSEC3 record provides a pointer to the next record of the same type. Imagine that there were A records for these names:
Each would have a pointer to the next in an NSEC record that is cryptographically signed and can create a linked-list of all the records. So if someone queried for “store.example.com”, the DNS server could answer back definitively that such a record does not exist.
NSEC vs. NSEC3
The next obvious question is which one to use. When should an operator use NSEC, and when should they use NSEC3?
As you might gather from the example above, the challenge with the plain NSEC record is that someone could use the NSEC responses to “walk the zone” and build a list of all of the records in a DNS zone. Because of this exposure of information, the NSEC3 record was created that adds a hashing mechanism so that the zone cannot be simply walked.
NSEC is simpler, and the simple answer to this question is operators should use NSEC when they don’t care about people crawling their domains. If you don’t care that someone might enumerate every name in your zone(zone walk), then use NSEC.
NSEC3 should be used in instances where zone operators care about others walking their entire zone. It’s downside is greater cryptographic overhead for recursive validators, and silghtly more complicated DNS configuration.
That’s the short answer. For longer, more detail discussion check out some of the following resources.
- A detailed discussion of both options, including BIND configuration examples.
- Section 5 of RFC 6781. The relevant RFC and section where NSEC and NSEC3 are specified.
- Section 10.3 of RFC 5155. Useful deployment tips for transitioning from NSEC to NSEC3 and vice-versa.
- An argument for NSEC3 from a large DNS provider.