When a name server receives a request for a domain name that does not exist in a zone, the name server sends an authenticated negative response in the form of an NSEC or NSEC3 RR. NSEC and NSEC3 records contain the next secure domain name in the zone and list the RR types present at the NSEC or NSEC3 RR's owner name. The difference between NSEC and NSEC3 RRs is that the owner name of an NSEC3 RR is a cryptographic hash of the original owner name, prepended to the name of the zone. Because the hash, not the original name, is published, NSEC3 RRs protect against zone enumeration.
Following is an example of an NSEC record:

corpxyz.com 86400 IN NSEC a1.corpxyz.com. NS SOA RRSIG NSEC DNSKEY

The fields of this record, from left to right, are: Owner Name (corpxyz.com), TTL (86400), Class (IN), RR Type (NSEC), Next Owner Name (a1.corpxyz.com.), RRsets (NS SOA RRSIG NSEC DNSKEY).
NIOS Administrator Guide (Rev. A), NIOS 8.1
About DNSSEC
The first four fields specify the owner name, TTL, class and RR type. The succeeding fields are:
...
Following is an example of an NSEC3 RR:

u1e6lovi99jvlertev0e080ta34ocu39 900 IN NSEC3 1 0 100 74ae486f6ecbbd29010047ad ULJ8BVITGP5OAORMMRFUPQV6A2197FIB NS SOA RRSIG DNSKEY NSEC3PARAM

The fields of this record, from left to right, are: Hashed Owner Name (u1e6lovi99jvlertev0e080ta34ocu39), TTL (900), Class (IN), RR Type (NSEC3), Algorithm (1), Flags (0), Iterations (100), Salt Field (74ae486f6ecbbd29010047ad), Next Owner Name (ULJ8BVITGP5OAORMMRFUPQV6A2197FIB), RRsets (NS SOA RRSIG DNSKEY NSEC3PARAM).
The first field contains the hashed owner name. It is followed by the TTL, class and RR type. The fields after the RR type are:
...
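The following example, added here and not part of the NIOS guide or its code, shows how a validating resolver uses the two record formats described above: it parses an NSEC and an NSEC3 record in presentation format, orders names canonically (RFC 4034 section 6.1) to decide whether an NSEC record proves a name absent, computes the NSEC3 hashed owner name (RFC 5155 section 5: SHA-1 over the wire-format name and salt, iterated, then base32hex) and performs the same gap check on hashes. The NSEC line is the guide's own example; the NSEC3 check uses the RFC 5155 Appendix A parameters (zone "example", salt aabbccdd, 12 iterations) because the original name behind the guide's hashed owner is not given. All names and records marked as constructed are assumptions for illustration.

```python
"""Parse NSEC/NSEC3 records and check authenticated denial of existence.
Illustrative code added to this page; not NIOS code."""
import base64
import hashlib
from dataclasses import dataclass
from typing import List

# The NSEC record shown on the page, in presentation format.
NSEC_EXAMPLE = "corpxyz.com 86400 IN NSEC a1.corpxyz.com. NS SOA RRSIG NSEC DNSKEY"
# Constructed NSEC3 record using the RFC 5155 Appendix A parameters
# (owner hash of "example", salt aabbccdd, 12 iterations); next hash is made up.
NSEC3_EXAMPLE = ("0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. 900 IN NSEC3 1 0 12 aabbccdd "
                 "2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG")


@dataclass
class Nsec:
    owner: str
    ttl: int
    next_owner: str
    types: List[str]


@dataclass
class Nsec3:
    hashed_owner: str
    ttl: int
    algorithm: int
    flags: int
    iterations: int
    salt: str            # hex string, or "-" for an empty salt
    next_hashed: str
    types: List[str]


def parse_nsec(line: str) -> Nsec:
    owner, ttl, cls, rtype, nxt, *types = line.split()
    if cls != "IN" or rtype != "NSEC":
        raise ValueError("not an IN NSEC record")
    return Nsec(owner, int(ttl), nxt, types)


def parse_nsec3(line: str) -> Nsec3:
    owner, ttl, cls, rtype, alg, flags, iters, salt, nxt, *types = line.split()
    if cls != "IN" or rtype != "NSEC3":
        raise ValueError("not an IN NSEC3 record")
    return Nsec3(owner, int(ttl), int(alg), int(flags), int(iters), salt, nxt, types)


def canonical_key(name: str) -> List[bytes]:
    """Sort key for DNS canonical ordering: labels compared right to left,
    case-insensitively, as octet strings; a parent sorts before its children."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return labels[::-1]


def _in_gap(owner_key, next_key, query_key) -> bool:
    """True if query_key lies strictly between owner and next; the last record
    of a chain points back to the apex, so its gap wraps around."""
    if next_key <= owner_key:
        return owner_key < query_key or query_key < next_key
    return owner_key < query_key < next_key


def nsec_covers(rec: Nsec, qname: str) -> bool:
    """NXDOMAIN proof: qname sorts between the NSEC owner and its next owner."""
    return _in_gap(canonical_key(rec.owner), canonical_key(rec.next_owner), canonical_key(qname))


def nsec_denies_type(rec: Nsec, qname: str, rtype: str) -> bool:
    """NODATA proof: qname is the NSEC owner and rtype is absent from its RRsets."""
    return canonical_key(rec.owner) == canonical_key(qname) and rtype not in rec.types


def wire_name(name: str) -> bytes:
    """Lower-cased wire-format name: length-prefixed labels, terminated by a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.lower().encode()
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: H(0) = SHA1(name || salt), H(k) = SHA1(H(k-1) || salt)."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # base32 with the extended-hex alphabet so hashed names sort like the raw digests.
    std, ext = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV"
    return base64.b32encode(digest).decode().translate(str.maketrans(std, ext)).lower()


def nsec3_covers(rec: Nsec3, qname: str) -> bool:
    """NXDOMAIN proof with NSEC3: the hash of qname falls in the record's gap."""
    h = nsec3_hash(qname, rec.salt, rec.iterations)
    owner = rec.hashed_owner.split(".")[0].lower()
    nxt = rec.next_hashed.split(".")[0].lower()
    return _in_gap(owner, nxt, h)


if __name__ == "__main__":
    nsec = parse_nsec(NSEC_EXAMPLE)
    for q in ("a0.corpxyz.com", "a1.corpxyz.com", "b.corpxyz.com"):
        print(q, "covered" if nsec_covers(nsec, q) else "not covered")
    nsec3 = parse_nsec3(NSEC3_EXAMPLE)
    print("hash of example.:", nsec3_hash("example.", nsec3.salt, nsec3.iterations))
```

The ordering check is the part most often implemented incorrectly: names must be compared label by label from the right, not as plain strings, which is why `canonical_key` reverses the label list. For NSEC3 the same gap test applies to the base32hex strings directly, since that alphabet preserves the byte order of the digests.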