NSEC Lookup

Query NSEC records to verify DNSSEC negative responses and zone coverage

What are NSEC Records?

NSEC (Next Secure) records are a crucial component of DNSSEC that provide authenticated denial of existence. They prove that a particular domain name or record type does not exist in a DNS zone, preventing attackers from spoofing non-existent records.

How NSEC Records Work:

  • Create a chain of all existing domain names in a zone
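  • Each NSEC record points to the next domain name in canonical DNS order (labels compared right to left, not plain alphabetical string order); the last record points back to the zone apex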
  • Include a list of record types that exist for the current domain
  • Are signed with RRSIG records to ensure authenticity
  • Allow resolvers to prove non-existence of queried names or types
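
The chain logic above, as an added example (not code from this tool): it decides which NSEC record in a chain proves that a name or type does not exist. The zone example.test, its names and type lists are constructed sample data; RRSIG validation and the wildcard check a full validator performs are left out.

```python
APEX = "example.test."  # hypothetical zone; every value here is constructed

# owner name -> (next owner name, record types present at the owner)
NSEC_CHAIN = {
    "example.test.": ("a.example.test.", {"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"}),
    "a.example.test.": ("mail.example.test.", {"A", "NSEC", "RRSIG"}),
    "mail.example.test.": ("www.example.test.", {"A", "MX", "NSEC", "RRSIG"}),
    "www.example.test.": ("example.test.", {"A", "AAAA", "NSEC", "RRSIG"}),
}

def canonical_key(name):
    """RFC 4034 6.1 order: labels compared right to left, case-insensitively."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]

def covers(owner, next_name, qname):
    """True if qname sorts strictly between owner and next_name."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    # Last NSEC: next name wraps to the apex, so it covers every name after owner.
    return q > o

def classify(qname, qtype, chain=NSEC_CHAIN):
    """Return (result, owner of the NSEC record that proves it)."""
    qkey, apex = canonical_key(qname), canonical_key(APEX)
    if qkey[:len(apex)] != apex:
        return ("UNPROVEN", None)  # name is outside the zone
    for owner, (next_name, types) in chain.items():
        if canonical_key(owner) == qkey:  # name exists: check the type list
            return ("EXISTS" if qtype in types else "NODATA", owner)
    for owner, (next_name, _types) in chain.items():
        if covers(owner, next_name, qname):  # name falls in a gap of the chain
            return ("NXDOMAIN", owner)
    return ("UNPROVEN", None)

if __name__ == "__main__":
    for query in [("b.example.test.", "A"), ("mail.example.test.", "AAAA"),
                  ("x.a.example.test.", "A"), ("zzz.example.test.", "A")]:
        print(query, classify(*query))
```

Note that x.a.example.test. is covered by the NSEC record at a.example.test., which a plain alphabetical sort of the full names would not show.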

NSEC vs NSEC3:

NSEC: Provides clear proof of non-existence but allows zone walking (enumeration of all domain names).
NSEC3: Uses hashed domain names, so the chain does not list names in the clear, to prevent zone walking while still providing denial of existence.

Security Benefits:

  • Prevents cache poisoning attacks with non-existent records
  • Ensures integrity of negative DNS responses
  • Provides cryptographic proof of non-existence
  • Enables secure validation of NXDOMAIN responses