NSEC3

From DNSSEC-Tools
Jump to: navigation, search

About NSEC3

NSEC3 is an alternate version of NSEC proof of non-existence. A side effect of NSEC records is that a zone can be traversed from one end to the other and every record can be discovered. NSEC3, defined in RFC5155 solves this by publishing only hash records of zone names.

DNSSEC-Tools support for NSEC3

NSEC3 support is first available for zonesigner and donuts in version 1.5 of the DNSSEC-Tools release. It requires bind 9.6 in order for the functionality to work.