Domain Name System Security Extensions (DNSSEC) 8 August 2014

DNSSEC: NSEC vs. NSEC3

The Domain Name System Security Extensions (DNSSEC) provide two different record types for securely handling non-existent names in DNS: NSEC and NSEC3. A zone is signed with one or the other, never both, so operators need to pick one when deploying DNSSEC.

The Problem

The problem both NSEC and NSEC3 solve is proving that a name does not exist within a given zone. Without such a proof a validating resolver cannot tell a genuine negative answer from a forged one, so an attacker could make any name appear to be non-existent simply by sending fake negative responses.

Imagine you want to go to “research.example.com” in your web browser. The browser sends the request to your recursive DNS server and gets back the answer that the name doesn’t exist. How does the resolver (and therefore the browser) know that a malicious attacker didn’t just spoof that response so that you couldn’t get to the site? How does it really know that research.example.com does not have an A or AAAA record?

The Solution

The answer to both of those questions is the NSEC and NSEC3 records, which provide “authenticated denial of existence”. Basically, for each name in a signed zone there is an NSEC (or NSEC3) record that points to the next name in the zone’s canonical sort order and lists the record types that exist at the name. Imagine that there were A records for these names:

ftp.example.com
mail.example.com
research.example.com
www.example.com

Each would have a signed NSEC record pointing to the next name, and the last one points back to the zone apex (example.com), so together the records form a linked list, or ring, of every name in the zone. If someone queried for “store.example.com”, the DNS server would answer with the NSEC record for research.example.com, whose next-name pointer is www.example.com, together with its signature. Because “store” sorts between “research” and “www”, and the record is signed with the zone’s key, the resolver can verify that no such name exists, and an attacker cannot forge that proof without the zone’s private key. (A full NXDOMAIN proof also includes a covering record showing that no wildcard could have matched the name; it works the same way.)
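The following is an added example, not code from the Internet Society page: it builds the NSEC chain for a small constructed zone in DNSSEC canonical order, returns the record a server would hand back to prove that a queried name does not exist, and then follows the next-name pointers to enumerate the zone, which is the “zone walk” that NSEC permits. The zone contents, including the record types at each name, are assumed for illustration; signatures are omitted because the point here is the ordering and coverage logic.

```python
# Added example (not from the Internet Society page): build the NSEC chain for
# a small zone, produce the record that proves a queried name does not exist,
# and show how the same chain lets anyone enumerate the zone.
# The zone below is constructed for illustration; the type lists are assumed.
from typing import Dict, List, Optional, Tuple

# Constructed sample zone: owner name -> record types present at that name.
ZONE: Dict[str, List[str]] = {
    "example.com.": ["SOA", "NS", "DNSKEY"],
    "ftp.example.com.": ["A"],
    "mail.example.com.": ["A"],
    "research.example.com.": ["A"],
    "www.example.com.": ["A"],
}
APEX = "example.com."

NsecRecord = Tuple[str, str, List[str]]  # (owner, next owner, type bitmap)


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """Sort key implementing DNSSEC canonical name order (RFC 4034 section 6.1):
    labels are compared right to left, as lower-cased octet strings."""
    stripped = name.rstrip(".").lower()
    labels = stripped.encode("ascii").split(b".") if stripped else []
    return tuple(reversed(labels))


def build_nsec_chain(zone: Dict[str, List[str]]) -> List[NsecRecord]:
    """One NSEC per name, in canonical order; the last record points back to the apex."""
    names = sorted(zone, key=canonical_key)
    chain: List[NsecRecord] = []
    for i, owner in enumerate(names):
        next_owner = names[(i + 1) % len(names)]
        # Every name in a signed zone also carries NSEC and RRSIG.
        types = sorted(set(zone[owner]) | {"NSEC", "RRSIG"})
        chain.append((owner, next_owner, types))
    return chain


def covers(owner: str, next_owner: str, qname: str, apex: str) -> bool:
    """True if qname sorts strictly between owner and next_owner.
    The wrap-around record (next == apex) covers everything after its owner."""
    k_owner, k_next, k_q = canonical_key(owner), canonical_key(next_owner), canonical_key(qname)
    if k_next == canonical_key(apex):
        return k_q > k_owner
    return k_owner < k_q < k_next


def prove_nonexistence(chain: List[NsecRecord], qname: str, apex: str) -> Optional[NsecRecord]:
    """Return the NSEC record a server would include to prove qname does not exist.
    Returns None when the name exists (the server would answer with data, or with
    a NODATA proof built from that name's own NSEC type bitmap, instead)."""
    for owner, next_owner, types in chain:
        if canonical_key(owner) == canonical_key(qname):
            return None
        if covers(owner, next_owner, qname, apex):
            return (owner, next_owner, types)
    raise ValueError("NSEC chain does not cover the name; the chain is broken")


def walk_zone(chain: List[NsecRecord], apex: str) -> List[str]:
    """Zone walk: follow the next-owner pointers from the apex until they wrap around.
    An attacker does the same thing with a series of queries against an NSEC-signed zone."""
    by_owner = {canonical_key(owner): (owner, next_owner) for owner, next_owner, _ in chain}
    names: List[str] = []
    current = apex
    while True:
        owner, next_owner = by_owner[canonical_key(current)]
        names.append(owner)
        if canonical_key(next_owner) == canonical_key(apex):
            return names
        current = next_owner


if __name__ == "__main__":
    chain = build_nsec_chain(ZONE)
    for rec in chain:
        print(f"{rec[0]:24} NSEC {rec[1]:24} {' '.join(rec[2])}")
    print("proof for store.example.com.:", prove_nonexistence(chain, "store.example.com.", APEX))
    print("zone walk:", walk_zone(chain, APEX))
```

Canonical order matters: names are compared label by label from the right, case-insensitively, which is why the apex sorts first and a name below www.example.com is covered by the wrap-around record rather than by the one before www.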

NSEC vs. NSEC3

The next obvious question is which one to use. When should an operator use NSEC, and when should they use NSEC3?

As you might gather from the example above, the challenge with the plain NSEC record is that anyone can use the NSEC responses to “walk the zone”: query a name, read the next-name pointer in the response, query a name just past it, and repeat until every name in the zone has been collected. Because of this exposure of information, the NSEC3 record was created. It replaces the names in the chain with salted, iterated SHA-1 hashes of the names, so the zone cannot simply be walked. Note that the hashes themselves are still handed out in responses, so the names remain subject to offline dictionary (guessing) attacks; NSEC3 raises the cost of enumeration rather than eliminating it.

NSEC is simpler, and the simple answer to the question is that operators should use NSEC when they don’t care about people crawling their zones. If you don’t mind that someone could enumerate every name in your zone (a “zone walk”), use NSEC.

NSEC3 should be used where zone operators do care about others walking their entire zone. Its downsides are greater cryptographic overhead, both on the authoritative server (which must hash query names on the fly) and on validating resolvers, and slightly more complicated DNS configuration. When choosing NSEC3 parameters, keep the iteration count at zero and the salt empty (the guidance in RFC 9276): extra iterations barely slow a dictionary attack, since the attacker pays the same per-guess cost only once per candidate, but they burden every validator, and resolvers now cap the iteration counts they will accept and treat zones above the cap as insecure.
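The following is an added example, not code from the Internet Society page: it computes NSEC3 hashed owner names the way RFC 5155 defines them (SHA-1 over the lower-cased wire-format name plus salt, repeated for the configured number of iterations, encoded in base32hex), builds the hashed chain, finds the record covering a non-existent name, and then runs the offline dictionary attack that NSEC3 does not prevent. The zone names, the salt, the iteration count and the wordlist are all constructed; the non-zero iterations and salt are there to show the parameters in action, not as recommended settings.

```python
# Added example (not from the Internet Society page): compute NSEC3 hashed owner
# names as RFC 5155 defines them, build the hashed chain, find the record that
# covers a non-existent name, and run the offline dictionary attack that NSEC3
# does not prevent. Zone names, salt, iteration count and wordlist are constructed.
import base64
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed sample zone and NSEC3 parameters (salt and iterations are assumed values).
ZONE_NAMES = ["example.com.", "ftp.example.com.", "mail.example.com.",
              "research.example.com.", "www.example.com."]
APEX = "example.com."
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 10

# RFC 5155 encodes hashes with the base32 "extended hex" alphabet (RFC 4648 section 7),
# which preserves sort order; Python's standard base32 output is translated to it here.
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Owner name in canonical wire form: lower-cased, length-prefixed labels, then the root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: H(x) = SHA-1(x || salt), re-applied 'iterations' more times."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes -> 32 base32hex characters, no padding needed.
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii").lower()


def build_nsec3_chain(names: List[str], salt: bytes, iterations: int) -> List[Tuple[str, str]]:
    """Hashed owner names in octet order, each pointing at the next hash; the last wraps to the first."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


def covering_nsec3(chain: List[Tuple[str, str]], qname: str, salt: bytes,
                   iterations: int) -> Optional[Tuple[str, str]]:
    """Return the NSEC3 whose interval covers hash(qname), or None if that hash is an
    owner (the name exists). Base32hex strings sort in the same order as the digests."""
    h = nsec3_hash(qname, salt, iterations)
    first = chain[0][0]
    for owner, nxt in chain:
        if h == owner:
            return None
        if nxt == first:  # wrap-around record: covers everything past the last owner
            if h > owner or h < first:
                return (owner, nxt)
        elif owner < h < nxt:
            return (owner, nxt)
    raise ValueError("NSEC3 chain does not cover the hash; the chain is broken")


def dictionary_attack(chain: List[Tuple[str, str]], apex: str, wordlist: List[str],
                      salt: bytes, iterations: int) -> Dict[str, str]:
    """Offline guessing: hash candidate names with the zone's public salt and iteration
    count and match them against the owner hashes collected from NSEC3 responses.
    No further queries to the server are needed once the chain has been collected."""
    owners = {owner for owner, _ in chain}
    recovered: Dict[str, str] = {}
    for candidate in [apex] + [f"{w}.{apex}" for w in wordlist]:
        h = nsec3_hash(candidate, salt, iterations)
        if h in owners:
            recovered[h] = candidate
    return recovered


if __name__ == "__main__":
    chain = build_nsec3_chain(ZONE_NAMES, SALT, ITERATIONS)
    for owner, nxt in chain:
        print(f"{owner} NSEC3 -> {nxt}")
    print("covers store.example.com.:", covering_nsec3(chain, "store.example.com.", SALT, ITERATIONS))
    guesses = ["www", "ftp", "mail", "research", "store", "secret"]
    print("recovered:", dictionary_attack(chain, APEX, guesses, SALT, ITERATIONS))
```

The chain printed by the first loop shows why walking no longer yields names directly: the next pointers are hashes, not labels. The last call shows the remaining exposure: with the salt and iteration count published in the NSEC3 records, every hash in the collected chain can be tested against a wordlist offline, and common labels such as www or mail are recovered immediately.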

Further Reading

That’s the short answer. For a longer, more detailed discussion, check out some of the following resources.


If you would like to learn more about DNSSEC, check out some of our other DNSSEC resources or visit our “Start Here” pages to find DNSSEC-related information focused on your type of organization.
