NSEC3PARAM Lookup

What are NSEC3PARAM Records?

NSEC3PARAM records define the parameters used for NSEC3 hashing in DNSSEC. They specify the hash algorithm, iteration count, and salt value used to create NSEC3 records, which provide authenticated denial of existence while preventing zone enumeration.

Key Components

• Hash Algorithm: Cryptographic function used (typically SHA-1)
• Flags: Control parameters (0=standard, 1=opt-out)
• Iterations: Number of hash iterations for security
• Salt: Random data to prevent rainbow table attacks

Security Benefits

• Prevents zone walking and enumeration attacks
• Maintains authenticated denial of existence
• Protects against rainbow table attacks with salt
• Configurable security level through iterations

Use Cases

• High-security domains requiring privacy protection
• Large zones where NSEC records would reveal structure
• Domains with sensitive subdomain information
• Compliance with privacy regulations