Page Comparison

When a name server receives a request for a domain name that does not exist in a zone, the name server sends an authenticated negative response in the form of an NSEC or NSEC3 RR. NSEC and NSEC3 records contain the next secure domain name in a zone and list the RR types present at the NSEC or NSEC3 RR's owner name. The difference between an NSEC and NSEC3 RRs is that the owner name in an NSEC3 RR is a cryptographic hash of the original owner name prepended to the name of the zone. NSEC3 RRs protect against zone enumeration.
Following is an example of an NSEC record:

Drawio

width

border	true
viewerToolbar	true
fitWindow	false
diagramName	Arrow3
simpleViewer	false
1
baseUrl	https://infoblox-docs.atlassian.net/wiki
diagramName	Arrow3
zoom	1
pageId	22252203
custContentId	7345809
lbox	1
contentVer	1
revision	1

The first four fields specify the owner name, TT, class and RR type. The succeeding fields are:

...

Following is an example of an NSEC3 RR:

Drawio

border	true
viewerToolbar	true
fitWindow	false
diagramName	Arrows4
simpleViewer	false
width	1
baseUrl	https://infoblox-docs.atlassian.net/wiki
diagramName	Arrows4
zoom	1
pageId	22252203
custContentId	7345803
lbox	1
contentVer	1
revision	1

The first field contains the hashed owner name. It is followed by the TTL ,class and RR type. The fields after the RR type are:

...

Version	Old Version 3	New Version Current
Changes made by	Aliaksei Shautsou	Ryan Kulek (Deactivated)
Saved on	May 16, 2017	Jun 17, 2022

Versions Compared

Key