NSEC3PARAM Lookup
Review your zone's NSEC3 parameters to confirm the hashing algorithm, iteration count, and salt align with resiliency goals and resolver performance expectations.
Frequently Asked Questions
- What is an NSEC3PARAM record?
- NSEC3PARAM publishes the hashing settings a zone uses for NSEC3 denial-of-existence responses.
- Why does NSEC3 use a salt and iterations?
- Salts and iterations slow down attackers who try to precompute hashes of domain names, making zone walking harder.
- How do I change NSEC3 parameters safely?
- Update the zone with new NSEC3PARAM values, publish the record alongside existing settings, and regenerate signatures so validators can transition smoothly.
- What does the opt-out flag control?
- When set, opt-out lets unsigned delegations skip hashing, reducing signer workload but leaving gaps attackers could probe.
- How many iterations are appropriate?
- Most operators use 0 or low iteration counts to balance protection and resolver CPU usage; very high counts can create validation latency.
- Why might my salt show as '-'?
- A dash indicates an empty salt. This is valid but removes entropy from hashed responses, so consider using a random salt rotated periodically.
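
To make the fields discussed above concrete, here is an added example (not part of this page's lookup tool) that parses NSEC3PARAM presentation-format RDATA and computes the NSEC3 hash of a name as RFC 5155 defines it. The function and class names are this example's own, and the sample parameters `1 0 12 aabbccdd` are the ones used in RFC 5155 Appendix A.

```python
import base64
import hashlib
from dataclasses import dataclass

# Map the standard base32 alphabet to base32hex (RFC 4648), which NSEC3 owner names use.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

@dataclass(frozen=True)
class Nsec3Param:
    algorithm: int
    flags: int
    iterations: int
    salt: bytes

def parse_nsec3param(rdata: str) -> Nsec3Param:
    """Parse presentation-format RDATA: '<algorithm> <flags> <iterations> <salt-hex or ->'."""
    fields = rdata.split()
    if len(fields) != 4:
        raise ValueError("NSEC3PARAM RDATA has exactly four fields")
    algorithm, flags, iterations = (int(f) for f in fields[:3])
    if algorithm != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined by RFC 5155")
    if not (0 <= flags <= 0xFF and 0 <= iterations <= 0xFFFF):
        raise ValueError("flags is 8 bits, iterations is 16 bits")
    salt = b"" if fields[3] == "-" else bytes.fromhex(fields[3])  # '-' means empty salt
    if len(salt) > 255:
        raise ValueError("salt length field is one octet")
    return Nsec3Param(algorithm, flags, iterations, salt)

def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire format of a domain name: length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, p: Nsec3Param) -> str:
    """RFC 5155 section 5: H(name || salt), then 'iterations' more rounds of H(prev || salt)."""
    digest = hashlib.sha1(wire_name(name) + p.salt).digest()
    for _ in range(p.iterations):
        digest = hashlib.sha1(digest + p.salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii").lower()

if __name__ == "__main__":
    # Constructed sample RDATA; the first set is the one used in RFC 5155 Appendix A.
    for rdata in ("1 0 12 aabbccdd", "1 0 0 -"):
        p = parse_nsec3param(rdata)
        print(f"{rdata!r:20} sha1_calls={p.iterations + 1} "
              f"hash(a.example)={nsec3_hash('a.example', p)}")
```

Each validation of a denial-of-existence response costs `iterations + 1` SHA-1 calls per hashed name, which is the resolver CPU cost the iteration-count answer refers to.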