NSEC Lookup
Inspect your zone's NSEC chain to understand which owner names exist and how validators receive authenticated denial of existence responses. This helps diagnose delegation gaps and confirm signer coverage.
Frequently Asked Questions
- What does an NSEC record show?
- NSEC records link to the next owner name in sorted order and list which record types exist at the current name.
- How does NSEC provide denial of existence?
- Resolvers can verify that a name is missing because the queried name falls between the owner and next-domain values in the NSEC chain, and that a type is missing because it is absent from the type bitmap at the matching owner name.
- Why are type bitmaps important?
- The bitmap enumerates RR types present at the owner name so validators can tell whether a response is authenticated denial or a misconfiguration.
- How can I prevent zone walking with NSEC?
- NSEC allows easy enumeration; to discourage this, publish NSEC3 records instead, which hash owner names before linking.
- Why might an NSEC lookup return no records?
- Unsigned zones and NSEC3-only deployments without opt-out at the queried name will not return NSEC records for direct queries.
- What are common troubleshooting steps for NSEC issues?
- Confirm the signer generated a complete NSEC chain, ensure TTLs align across the zone, and verify validators see matching signatures for each NSEC owner.
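The denial-of-existence and type-bitmap answers above, worked through as an added example (not code from this tool): it sorts names in canonical order and classifies what a chain proves for a query, including the wrap-around at the last NSEC, empty non-terminals, and a gap left by an incomplete chain. Helper names and the sample zone are constructed; signature validation and wildcard proofs are assumed to be handled elsewhere.

```python
# Added illustration: helper names and the sample zone are constructed.
# Assumes qname lies inside the zone; wildcard proofs and \DDD label
# escapes are out of scope.

def canonical_key(name):
    """RFC 4034 section 6.1 order: lowercase labels, compared right to left."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]

def covers(owner, next_name, qname):
    """True if qname sorts strictly between owner and next_name."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC: next_name wraps to the zone apex

def check_denial(chain, qname, qtype):
    """Classify what a list of (owner, next, types) NSECs proves."""
    q = canonical_key(qname)
    for owner, next_name, types in chain:
        if canonical_key(owner) == q:
            # Name exists; the bitmap decides whether the type does.
            return "EXISTS" if qtype in types else "NODATA"
        if covers(owner, next_name, qname):
            # A next name below qname makes qname an empty non-terminal.
            if canonical_key(next_name)[:len(q)] == q:
                return "NODATA"
            return "NXDOMAIN"
    return "NO_PROOF"  # gap in the chain: denial cannot be authenticated

# Constructed NSEC chain for a sample zone, in canonical order.
CHAIN = [
    ("example.com.", "alpha.example.com.", {"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"}),
    ("alpha.example.com.", "mail.sub.example.com.", {"A", "NSEC", "RRSIG"}),
    ("mail.sub.example.com.", "Zulu.example.com.", {"MX", "NSEC", "RRSIG"}),
    ("Zulu.example.com.", "example.com.", {"A", "AAAA", "NSEC", "RRSIG"}),
]

if __name__ == "__main__":
    queries = [("alpha.example.com", "AAAA"), ("beta.example.com", "A"),
               ("sub.example.com", "A"), ("zzz.example.com", "A")]
    for name, rtype in queries:
        print(name, rtype, check_denial(CHAIN, name, rtype))
```

A `NO_PROOF` result for a name inside the zone is the symptom of an incomplete chain that the troubleshooting answer describes.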