HomeDNS ToolsNSEC Lookup
DNS Tool

NSEC Lookup

Lookup NSEC records and inspect authenticated denial of existence signals. Run fast checks, interpret results, and use related tools for validation.

Record Type
NSEC
Focused record verification for targeted DNS troubleshooting.
Best Use
Migration + incident checks
Validate live DNS answers during change windows.
Operational Context
Use this page to validate live resolver output during DNS cutovers, outage triage, and post-change verification windows.
NSEC Lookup — Start Here
Waiting for input
Enter a domain and run check
How to Use

Use NSEC Lookup in 4 Steps

01
Enter domain
Input the target domain in clean hostname format (no path or query string).
02
Run NSEC Lookup
Execute NSEC Lookup to pull live resolver output for this record scope.
03
Compare expected vs live
Match returned values with your intended DNS configuration at the source.
04
Cross-check related tools
Validate adjacent DNS layers to isolate cache vs source problems.

What is NSEC Lookup?

NSEC (Next Secure) records provide authenticated denial of existence in DNSSEC zones. When a resolver queries for a name that doesn't exist, the authoritative server returns an NSEC record that proves no name exists between the query name and the next signed name in canonical order.

NSEC records allow zone enumeration — an observer can walk the NSEC chain to discover all names in a zone. For zones where enumeration is a concern (e.g., internal infrastructure), NSEC3 (with hashing) or an online signer with NSEC black-lies can prevent this. NSEC records are required for correct NXDOMAIN responses in DNSSEC-signed zones.

Best Use
Diagnosing NXDOMAIN validation failures and understanding zone-enumeration behavior in DNSSEC environments.
Common Mistake
Assuming denial-of-existence proof records are optional when DNSSEC is enabled. Missing NSEC/NSEC3 records cause DNSSEC-validating resolvers to reject valid NXDOMAIN responses.
Validation Path
NXDOMAIN responses for a signed zone should include a valid NSEC record and a matching RRSIG signature covering it.

Quick Interpretation Table

Use this reference to diagnose common outcomes when running NSEC Lookup.

Observed ResultLikely CauseNext Step
No NSEC/NSEC3 on NXDOMAIN responseInvalid denial proof — signed zone missing expected recordCheck signer denial configuration; trigger zone re-sign
Broken NSEC next-name chainZone walk inconsistency — signing may be incompleteRe-sign and republish zone; verify all names are included in NSEC chain
RRSIG over NSEC is invalidDenial proof signature cannot be trustedRegenerate signatures and verify keyset alignment

CLI Examples

Run these commands directly from a terminal to verify NSEC records without relying on a browser-based tool.

dig A nonexistent.example.com +dnssec
Query a non-existent name to see the NSEC denial proof in the authority section
dig NSEC example.com
Query NSEC records at the zone apex to see the next signed name
dig NSEC example.com +dnssec +short
Compact NSEC output showing next name and covered record types
ldns-walk example.com
Walk the NSEC chain to enumerate all names (requires ldns-utils; demonstrates zone enumeration risk)

Troubleshooting Workflow

  • Run this record check first for a scoped signal on the target hostname.
  • Validate nameserver authority and SOA context if results are unexpected.
  • Use propagation checks when different regions return different values.
  • Re-run after applying fixes and compare values against your expected configuration.

Frequently Asked Questions

What is an NSEC record?
An NSEC (Next Secure) record provides authenticated denial of existence in a DNSSEC zone. When a resolver queries a name that doesn't exist, the server returns an NSEC record proving no names exist between the previous signed name and the next signed name in the zone's canonical ordering. This prevents attackers from fabricating NXDOMAIN responses.
What is zone enumeration and why is NSEC a concern?
Because NSEC records link every signed name to the next signed name, an observer can walk the entire NSEC chain to discover all hostnames in a zone. This is called zone enumeration (or zone walking). For sensitive zones with internal infrastructure names, NSEC3 (which hashes names before linking) or NSEC black-lies provide enumeration resistance.
What is the difference between NSEC and NSEC3?
NSEC links signed names in plaintext — zone enumeration is trivial. NSEC3 hashes the name before linking, making enumeration computationally expensive (though not impossible with brute force). NSEC is simpler to implement and debug. NSEC3 provides enumeration resistance at the cost of slightly larger responses and more complex signing.
When is an NSEC record returned?
NSEC records appear in the authority section of NXDOMAIN responses and NOERROR responses for non-existent record types (NODATA). For example, querying an MX record for a domain that has only A records returns NSEC in the authority section proving MX doesn't exist.
Why is my NSEC record causing validation failures?
Common causes: (1) the NSEC chain has a gap — a signed name is missing from the chain, (2) the RRSIG over the NSEC has expired, (3) the NSEC next-name doesn't match the canonical ordering of the zone. Run a full zone re-sign and use DNSSEC debugger tools (Verisign DNSViz) to visualize the chain.
Record Scope
ToolNSEC Lookup
Query TypeNSEC
State SharingURL Param
Ops Checklist
• Verify source DNS values first
• Check authority (NS/SOA) if mismatch appears
• Compare with global propagation when needed
Free Newsletter

Get guides like this by email

DNS, email auth, and security playbooks delivered when they publish. No spam.