Understanding NSEC3PARAM and authenticated denial of existence
NSEC3PARAM is a DNSSEC record, defined together with NSEC3 in RFC 5155, that publishes at the zone apex the parameters the signer used to build the zone's NSEC3 chain: the hash algorithm, a flags field, the iteration count and the salt. NSEC3 records are what provide authenticated denial of existence, a signed proof that a queried name or record type does not exist. Unlike NSEC, which lists owner names in the clear, NSEC3 hashes the owner names, so an attacker cannot read the zone's contents directly off the denial records.
The NSEC3PARAM record itself proves nothing. An authoritative server uses it to know which NSEC3 chain (which algorithm, iteration count and salt) it should serve in negative responses. A validating resolver never needs it: every NSEC3 record carries the same four parameters in its own RDATA, and the validator takes them from there.
In short, NSEC3PARAM does three things. It records the hash algorithm, iteration count and salt used to generate the zone's NSEC3 records, so the signer and the authoritative server agree on one chain. It lets the operator re-sign with new parameters (publishing a new NSEC3PARAM alongside the new chain) without otherwise changing the zone. And it tells anyone reading the zone apex that denial of existence is done with NSEC3 rather than NSEC. What it does not do is make zone enumeration impossible: the parameters are public, so anyone who collects the zone's NSEC3 records can hash guessed names offline and compare them against the chain. Hashing raises the cost of enumeration; it does not remove the possibility.
Authenticated denial of existence is the ability to prove cryptographically that a name or a record type does not exist. Without it, an attacker who can spoof responses could simply answer NXDOMAIN or NODATA, for example to convince a validator that a child zone has no DS record (so the delegation looks unsigned) or that a host has no TLSA or MX record. With NSEC or NSEC3, a negative answer must carry signed records that demonstrate the gap.
NSEC3 does this with hashed owner names. The signer hashes every name in the zone (empty non-terminals included), sorts the hashes, and emits one NSEC3 record per hash whose RDATA holds the next hash in sorted order plus a bitmap of the record types present at the original name; the last record points back to the first. To deny a name, the server returns the NSEC3 whose owner hash and next hash bracket the hash of the queried name (the record "covers" the name). For an NXDOMAIN it also returns an NSEC3 matching the closest existing ancestor (the closest encloser) and one covering the wildcard at that ancestor, so the validator can rule out wildcard synthesis. A NODATA answer uses the NSEC3 that matches the queried name exactly and whose type bitmap lacks the requested type.
Because the names are hashed, a response exposes only the hashes of the two neighbouring names, not the names themselves. A validator does not consult NSEC3PARAM for any of this: it reads the algorithm, flags, iterations and salt from the NSEC3 records in the response, recomputes the hash of the queried name, and checks the RRSIGs over the NSEC3 records.
NSEC3 compared with NSEC: both prove non-existence with the same cryptographic strength, but NSEC records carry plaintext owner names, so anyone can walk the chain (query a name, read the next name from the NSEC, query that, and so on) and dump the entire zone. NSEC3 replaces the names with hashes and stops this trivial walk. It does not stop enumeration outright: the chain can still be collected by querying random names, and because the salt and iteration count are public, the collected hashes can be attacked offline with a dictionary of likely labels (www, mail, vpn and so on). NSEC3 also adds the Opt-Out flag, which lets delegation-heavy zones such as TLDs omit NSEC3 records for unsigned delegations and keep the chain small. That is why NSEC3 is the usual choice for TLDs and large zones; a zone whose names are not secret can use plain NSEC and skip the hashing cost on both server and validator.
NSEC3PARAM records follow this presentation format: hash-algorithm flags iterations salt. With the owner name, TTL and class as they appear in a zone file:
example.com. 3600 IN NSEC3PARAM 1 0 10 abcdef1234567890
Hash algorithm specifies which algorithm hashes the owner names. Only value 1, SHA-1, is defined; there is no SHA-256 variant. A validator that sees an unknown algorithm cannot check the chain and treats the zone as offering no usable denial proofs.
Flags is reserved in NSEC3PARAM and written as 0. The Opt-Out bit has meaning only in individual NSEC3 records.
Iterations is the number of additional SHA-1 rounds applied after the first, so 10 means eleven hashes per name. Extra rounds were intended to slow offline guessing, but they cost the authoritative server and every validator exactly the same work, and the inputs are short, low-entropy labels, so the protection is slight. RFC 9276 recommends 0 iterations and tells validators to treat chains with more than 100 iterations as insecure; the older limits in RFC 5155 were tied to key size (150 iterations for 1024-bit keys, 500 for 2048-bit, 2500 for 4096-bit).
Salt is a hex string appended to the name before each hash round, or "-" for no salt. It was meant to defeat precomputed tables, but the hash input is the fully qualified owner name, which already differs from zone to zone, so the salt adds nothing the name does not already provide. RFC 9276 recommends an empty salt. A record following current guidance therefore looks like:
example.com. 3600 IN NSEC3PARAM 1 0 0 -
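As an added example (not code from this page or from any DNS implementation), the following Python implements the NSEC3 hash of RFC 5155 section 5 with only the standard library and uses it for three things: it checks itself against the published hash of "example." from RFC 5155 Appendix A (salt aabbccdd, 12 iterations); it assembles the three records a validator needs to accept an NXDOMAIN for a name in a small constructed zone; and it runs an offline dictionary guess against that zone's chain to show why hashing only raises the cost of enumeration. The zone example.test., its names and the wordlist are constructed for the demonstration and are not real data.

```python
"""NSEC3 hashing, NXDOMAIN proofs and offline name guessing (RFC 5155 s5, s8.4).

Added example for this page using only the standard library; the zone contents
and the wordlist below are constructed for the demonstration.
"""
import base64
import hashlib

# base32 with the "extended hex" alphabet (RFC 4648 s7), built by translating standard base32.
_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = str.maketrans(_B32_STD, _B32_HEX)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels,
    each prefixed by its length, terminated by the empty root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """RFC 5155 s5: IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    The name is hashed (iterations + 1) times and base32hex-encoded without padding.
    Only algorithm 1 (SHA-1) is defined; its 20-byte digest is exactly 32 base32 characters."""
    if algorithm != 1:
        raise ValueError("NSEC3 hash algorithm %d is not defined; only 1 (SHA-1) is" % algorithm)
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = name_to_wire(name)
    for _ in range(iterations + 1):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


def build_chain(names, salt_hex, iterations):
    """Build the chain a signer emits: one (owner_hash, next_hash, name) per existing name
    (the caller must include empty non-terminals), sorted by hash, last pointing to first."""
    hashed = sorted((nsec3_hash(n, salt_hex, iterations), n) for n in names)
    return [(h, hashed[(i + 1) % len(hashed)][0], n) for i, (h, n) in enumerate(hashed)]


def covering_record(chain, qname, salt_hex, iterations):
    """Return the (owner_hash, next_hash) whose interval covers hash(qname), or None when
    hash(qname) equals an owner hash (the name exists; denial would be NODATA instead)."""
    h = nsec3_hash(qname, salt_hex, iterations)
    for owner, nxt, _ in chain:
        if h == owner:
            return None
        wraps = owner >= nxt  # the last record's interval wraps around to the first owner
        if (owner < h < nxt) or (wraps and (h > owner or h < nxt)):
            return owner, nxt
    raise ValueError("broken chain: no record covers the hash")


def prove_nxdomain(chain, qname, salt_hex, iterations):
    """Assemble what a validator checks for NXDOMAIN (RFC 5155 s8.4): an NSEC3 MATCHING the
    closest encloser (longest existing ancestor), one COVERING the next closer name (one
    label below it) and one COVERING "*.<closest encloser>" to rule out wildcard synthesis.
    Returns None when qname itself exists. A None under "wildcard_covered_by" would mean the
    wildcard exists and the answer could not legitimately be NXDOMAIN."""
    owners = {owner for owner, _, _ in chain}
    labels = qname.lower().rstrip(".").split(".")
    if nsec3_hash(qname, salt_hex, iterations) in owners:
        return None
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:]) + "."
        if nsec3_hash(ancestor, salt_hex, iterations) in owners:
            next_closer = ".".join(labels[i - 1:]) + "."
            return {
                "closest_encloser": ancestor,
                "next_closer": next_closer,
                "next_closer_covered_by": covering_record(chain, next_closer, salt_hex, iterations),
                "wildcard_covered_by": covering_record(chain, "*." + ancestor, salt_hex, iterations),
            }
    raise ValueError("qname is not below any name in this chain")


def guess_names(chain, zone, wordlist, salt_hex, iterations):
    """Offline dictionary attack on a collected chain: salt and iteration count are public,
    so each guess costs one hash computation and no query to the authoritative server."""
    owners = {owner for owner, _, _ in chain}
    found = {}
    for word in wordlist:
        candidate = zone if word == "" else "%s.%s" % (word, zone)
        h = nsec3_hash(candidate, salt_hex, iterations)
        if h in owners:
            found[h] = candidate
    return found


# Constructed zone (not real data), signed with the RFC 9276 parameters: 0 iterations, no salt.
ZONE = "example.test."
SALT, ITERATIONS = "-", 0
ZONE_NAMES = [ZONE, "www." + ZONE, "mail." + ZONE, "ns1." + ZONE, "secret-admin." + ZONE]
CHAIN = build_chain(ZONE_NAMES, SALT, ITERATIONS)
WORDLIST = ["", "www", "mail", "ns1", "ftp", "vpn", "api"]  # constructed guess list


def demo():
    """Run the three demonstrations and return their results."""
    return {
        "rfc5155_vector": nsec3_hash("example.", "aabbccdd", 12),  # Appendix A of RFC 5155
        "nxdomain": prove_nxdomain(CHAIN, "nope." + ZONE, SALT, ITERATIONS),
        "exists": prove_nxdomain(CHAIN, "www." + ZONE, SALT, ITERATIONS),
        "guessed": sorted(guess_names(CHAIN, ZONE, WORDLIST, SALT, ITERATIONS).values()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it directly to print the results. The validator-side functions take the parameters as arguments, exactly as a validator reads them from the NSEC3 records in a response; NSEC3PARAM is never consulted. Replacing the constructed parameters with the page's 1 0 10 abcdef1234567890 makes every guess and every verification eleven SHA-1 rounds instead of one, and the dictionary guess still recovers the same four names; the only name it misses is secret-admin, because that label is not in the wordlist, not because of the hashing.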