/ˈɛn-ɛs-siː/
n. “Proof of nothing — and everything in between.”
NSEC, short for Next Secure, is a record type used in DNSSEC to provide authenticated denial of existence. In plain terms, it proves that a queried DNS record does not exist while maintaining cryptographic integrity. When a resolver asks for a domain or record that isn’t present, NSEC ensures that the response cannot be forged or tampered with by an attacker.
The way NSEC works is deceptively simple. Each NSEC record links one domain name in a zone to the “next” domain name in canonical order, along with the list of record types present at that name. If a resolver queries a name that isn’t present, the authoritative server returns an NSEC proving the non-existence: the requested name falls between the current name and the “next” name listed in the record. The resolver can cryptographically verify the NSEC using the corresponding RRSIG and DNSKEY records.
This mechanism prevents attackers from silently fabricating negative responses. Without NSEC, a man-in-the-middle could claim that any nonexistent domain exists or does not exist, undermining the authenticity of DNSSEC validation. NSEC ensures that negative answers are just as verifiable as positive ones.
There are nuances. The original NSEC design exposes zone structure because it reveals the next valid domain in the zone. For sensitive zones, this can be considered an information leak, potentially aiding enumeration attacks. Later enhancements, like NSEC3, mitigate this by hashing the domain names while preserving the proof of non-existence.
An example of NSEC in action: suppose a resolver queries nonexistent.example.com. The authoritative server responds with an NSEC showing alpha.example.com → zeta.example.com. The resolver sees that nonexistent.example.com falls between alpha and zeta, confirming that it truly does not exist.
NSEC does not encrypt DNS traffic. It only guarantees that absence can be proven securely. When combined with DNSSEC’s chain of trust, NSEC ensures that both presence and absence of records are authentic, making the DNS resistant to spoofing, cache poisoning, and other attacks that rely on falsifying non-existent entries.
In modern DNSSEC deployments, NSEC and its variants are indispensable. They complete the story: every “yes” or “no” answer can be trusted, leaving no room for silent forgery in the system.