NSEC/NSEC3 Checker
Check NSEC and NSEC3 records for authenticated denial of existence
About NSEC and NSEC3
NSEC (Next Secure) and NSEC3 (Next Secure version 3) records provide authenticated denial of existence, which is a critical security feature in DNSSEC. They cryptographically prove that a DNS record doesn't exist, preventing attackers from claiming non-existent records and ensuring that "no such record" responses are authentic.
Without authenticated denial, an attacker could respond to queries for non-existent records with fake data, and resolvers would have no way to verify whether the record actually exists or not. NSEC and NSEC3 solve this problem by providing cryptographic proof of non-existence.
NSEC
- Reveals zone structure
- Lists all record types
- Vulnerable to zone enumeration
- Simpler implementation
NSEC3
- Hides zone structure
- Uses cryptographic hashing
- Prevents zone enumeration
- Recommended for security
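To make the "uses cryptographic hashing" point concrete, the following added example (not code from this tool) computes an NSEC3 hashed owner name as defined in RFC 5155 and checks whether an NSEC3 record's owner/next interval covers a queried name, which is how a validator confirms the denial. The function names are assumptions made for illustration; the zone name, salt and iteration count in the demo are the test values from RFC 5155 Appendix A.

```python
import base64
import hashlib

# Map the standard base32 alphabet to the base32hex alphabet used by NSEC3.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def to_wire(name: str) -> bytes:
    """Canonical (lowercase) DNS wire format of a fully qualified name."""
    stripped = name.lower().rstrip(".")
    out = b""
    for label in (stripped.split(".") if stripped else []):
        raw = label.encode("ascii")
        if not raw or len(raw) > 63:
            raise ValueError("invalid label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """Hashed owner label for NSEC3 hash algorithm 1 (SHA-1), RFC 5155."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):  # iterations counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode().lower()


def covers(owner_hash: str, next_hash: str, query_hash: str) -> bool:
    """True if query_hash lies strictly between owner and next in the chain."""
    o, n, q = owner_hash.lower(), next_hash.lower(), query_hash.lower()
    if o < n:
        return o < q < n
    return q > o or q < n  # last record wraps around to the start of the chain


if __name__ == "__main__":
    # RFC 5155 Appendix A parameters: salt aabbccdd, 12 iterations.
    apex = nsec3_hash("example", "aabbccdd", 12)
    print("H(example) =", apex)  # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    # Constructed query hash, checked against a constructed interval.
    print(covers(apex, "2t7b4g4vsa5smi47k61mv5bv1a22bojr", "1" + "0" * 31))
```

A name is proven absent only when its hash is covered by an interval and does not equal any NSEC3 owner hash; the RRSIG over that NSEC3 record still has to validate separately.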