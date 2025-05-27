NSEC3 support
As explained in our blog ↗, Cloudflare's implementation of negative answers with NSEC is protected against zone walking1. This implementation removes the need for NSEC3 and has been proposed as an IETF standard ↗.
However, if you must use NSEC3 for compliance reasons, you can enable it as explained below.
Use the Edit DNSSEC Status endpoint, setting
status to
active and
dnssec_use_nsec3 to
true. You should replace the values started by
$ with your zone ID and authentication credentials. To learn more about using the Cloudflare API, refer to Fundamentals.
At least one of the following token permissions
is required:
Required API token permissions
DNS Write
If you use Cloudflare as a secondary DNS provider with pre-signed DNSSEC, setting
dnssec_use_nsec3 to
true means that Cloudflare will use NSEC3 records as transferred in from your primary DNS provider.
Otherwise, NSEC3 records will be generated and signed at request time.
To validate that NSEC3 is being used, consider the following scenarios:
A command like the following would trigger a signed negative response using NSEC3 for proof of non-existence. Look for NSEC3 records under the
Authority Section of the response.
If the name
www exists but the type TXT does not, the example below would trigger a signed NODATA response using NSEC3. Look for NSEC3 records under the
Authority Section of the response.
-
A method where an attacker exploits NSEC negative answers to obtain all names in a given zone. This is possible when such negative answers provide information on the previous and next names in a chain. ↩
