/ˈɛn-ɛs-siː-θriː/
n. “Proof of nothing — without revealing the map.”
NSEC3 is a record type in DNSSEC designed to provide authenticated denial of existence while mitigating the privacy concern inherent in the original NSEC records. Unlike NSEC, which directly reveals the next valid domain name in a zone, NSEC3 hashes domain names so that the zone structure cannot be trivially enumerated, making it more resistant to zone-walking attacks.
The fundamental purpose of NSEC3 is the same as NSEC: to cryptographically prove that a requested DNS name does not exist. When a resolver queries a non-existent domain, the authoritative server responds with an NSEC3 record. The resolver uses the hash and the associated RRSIG signature to verify that the non-existence claim is authentic, without seeing the actual names in the zone.
Hashing is the key feature. Each domain name in the zone is processed with a cryptographic hash function, often with multiple iterations, producing a pseudo-random label. NSEC3 records then link these hashed labels in canonical order. When a resolver queries a name, it is hashed the same way, and the resolver checks the hashed interval against the NSEC3 record to confirm the name’s absence.
This approach solves a significant problem with plain NSEC. Original NSEC records, while providing proof of non-existence, inadvertently exposed the zone’s structure — every non-existent query returned the next valid domain. With NSEC3, attackers cannot easily enumerate all names in the zone, increasing security for sensitive domains while retaining cryptographic proof.
Consider a domain example.com with hashed labels in NSEC3. A client queries secret.example.com. The server responds with an NSEC3 record showing that the hash of secret.example.com falls between two hashed domain names, confirming non-existence. The actual names remain concealed, protecting internal structure.
NSEC3 is fully compatible with DNSSEC’s chain of trust. Resolvers use the parent zone’s DS record, the zone’s DNSKEY, and the RRSIG on the NSEC3 to verify authenticity. If any signature verification fails, the response is discarded, preventing spoofed negative responses.
While NSEC3 increases security and privacy, it also adds computational overhead. Each query requires hashing and comparison operations, and zone signing becomes slightly more complex. Despite this, the trade-off is widely accepted, and many modern DNSSEC-enabled zones use NSEC3 by default to prevent zone enumeration without sacrificing cryptographic assurances.
In short, NSEC3 is the evolution of negative proof in DNSSEC: it preserves the integrity and authenticity of non-existent domain answers while preventing attackers from easily mapping the zone, enhancing both security and privacy in the domain name system.