NSEC Lookup
Lookup NSEC records and inspect authenticated denial of existence signals. Run fast checks, interpret results, and use related tools for validation.
Use NSEC Lookup in 4 Steps
What is NSEC Lookup?
NSEC (Next Secure) records provide authenticated denial of existence in DNSSEC zones. When a resolver queries for a name that doesn't exist, the authoritative server returns an NSEC record that proves no name exists between the query name and the next signed name in canonical order.
NSEC records allow zone enumeration — an observer can walk the NSEC chain to discover all names in a zone. For zones where enumeration is a concern (e.g., internal infrastructure), NSEC3 (with hashing) or an online signer with NSEC black-lies can prevent this. NSEC records are required for correct NXDOMAIN responses in DNSSEC-signed zones.
Quick Interpretation Table
Use this reference to diagnose common outcomes when running NSEC Lookup.
| Observed Result | Likely Cause | Next Step |
|---|---|---|
| No NSEC/NSEC3 on NXDOMAIN response | Invalid denial proof — signed zone missing expected record | Check signer denial configuration; trigger zone re-sign |
| Broken NSEC next-name chain | Zone walk inconsistency — signing may be incomplete | Re-sign and republish zone; verify all names are included in NSEC chain |
| RRSIG over NSEC is invalid | Denial proof signature cannot be trusted | Regenerate signatures and verify keyset alignment |
CLI Examples
Run these commands directly from a terminal to verify NSEC records without relying on a browser-based tool.
dig A nonexistent.example.com +dnssecdig NSEC example.comdig NSEC example.com +dnssec +shortldns-walk example.comTroubleshooting Workflow
- Run this record check first for a scoped signal on the target hostname.
- Validate nameserver authority and SOA context if results are unexpected.
- Use propagation checks when different regions return different values.
- Re-run after applying fixes and compare values against your expected configuration.
Frequently Asked Questions
Get guides like this by email
DNS, email auth, and security playbooks delivered when they publish. No spam.