HomeDNS ToolsNSEC3PARAM Lookup
DNS Tool

NSEC3PARAM Lookup

Lookup NSEC3PARAM records and inspect DNSSEC hashing parameters, iteration settings, and denial-of-existence hardening signals. Run fast checks, interpret…

Record Type
NSEC3PARAM
Focused record verification for targeted DNS troubleshooting.
Best Use
Migration + incident checks
Validate live DNS answers during change windows.
Operational Context
Use this page to validate live resolver output during DNS cutovers, outage triage, and post-change verification windows.
NSEC3PARAM Lookup — Start Here
Waiting for input
Enter a domain and run check
How to Use

Use NSEC3PARAM Lookup in 4 Steps

01
Enter domain
Input the target domain in clean hostname format (no path or query string).
02
Run NSEC3PARAM Lookup
Execute NSEC3PARAM Lookup to pull live resolver output for this record scope.
03
Compare expected vs live
Match returned values with your intended DNS configuration at the source.
04
Cross-check related tools
Validate adjacent DNS layers to isolate cache vs source problems.

What is NSEC3PARAM Lookup?

NSEC3PARAM records define the hashing parameters used for authenticated denial of existence in NSEC3-signed zones. They specify the hash algorithm, flags, iterations, and salt used to generate hashed owner names in NSEC3 records.

NSEC3 was designed to prevent zone enumeration by hashing zone names before linking them in denial chains. The NSEC3PARAM record at the zone apex encodes the parameters that all NSEC3 records in the zone must match. Changing NSEC3PARAM requires a coordinated zone re-sign — both the parameters and all NSEC3 records must be updated atomically.

Best Use
DNSSEC hardening audits, denial-proof parameter tuning, and verifying NSEC3 parameter consistency across zone updates.
Common Mistake
Changing NSEC3 parameters without a coordinated zone re-sign plan. The transition creates a window where the NSEC3PARAM and existing NSEC3 records diverge, breaking validation.
Validation Path
NSEC3PARAM hash algorithm and iterations should align with the active NSEC3 chain and the zone's signing policy.

Quick Interpretation Table

Use this reference to diagnose common outcomes when running NSEC3PARAM Lookup.

Observed ResultLikely CauseNext Step
NSEC3PARAM mismatch with NSEC3 chainSigner and published chain diverge — validation may failAlign signer config and republish zone with coordinated re-sign
Very high iteration countResolver performance impact — RFC 9276 recommends 0 iterationsReview signing policy; reduce to 0 iterations per RFC 9276 best practice
Salt rotation driftInconsistent denial proofs across zone updatesSynchronize salt lifecycle with signer re-sign schedule

CLI Examples

Run these commands directly from a terminal to verify NSEC3PARAM records without relying on a browser-based tool.

dig NSEC3PARAM example.com
Query NSEC3PARAM record to see hash algorithm, flags, iterations, and salt
dig NSEC3PARAM example.com +dnssec
Include RRSIG signature over the NSEC3PARAM record
dig NSEC3PARAM example.com +short
Compact output: algorithm iterations salt (- means empty salt)
ldns-nsec3-hash -a 1 -t 0 -s "" example.com
Calculate the NSEC3 hash for "example.com" using SHA-1 (algorithm 1) with 0 iterations

Troubleshooting Workflow

  • Run this record check first for a scoped signal on the target hostname.
  • Validate nameserver authority and SOA context if results are unexpected.
  • Use propagation checks when different regions return different values.
  • Re-run after applying fixes and compare values against your expected configuration.

Frequently Asked Questions

What is an NSEC3PARAM record?
An NSEC3PARAM record lives at the zone apex and defines the hashing parameters used for NSEC3 denial-of-existence records: the hash algorithm (currently only SHA-1, value 1), opt-out flags, iteration count, and salt value. Every NSEC3 record in the zone must use the same parameters encoded in NSEC3PARAM.
What iteration count should I use?
RFC 9276 (2022) recommends 0 iterations for new NSEC3 deployments. Higher iteration counts were originally intended to make brute-force enumeration harder, but they impose CPU cost on resolvers and the security benefit is minimal. Modern guidance from ICANN and DNS operators favors 0 iterations with an empty salt.
Why does NSEC3PARAM have a salt?
The salt randomizes the NSEC3 hashes to prevent precomputed rainbow table attacks against zone enumeration. However, since the salt is public (published in NSEC3PARAM), an attacker can still build targeted dictionaries. RFC 9276 acknowledges this and recommends 0 iterations over complex salt management.
What does the NSEC3 opt-out flag do?
The opt-out flag (flag value 1 in NSEC3PARAM) allows unsigned delegations to exist within a signed zone without requiring NSEC3 records for each unsigned subdomain. This is used by TLD operators to sign their zones without requiring every delegated second-level domain to be DNSSEC-signed. For most regular domains, opt-out should be 0 (disabled).
How do I change NSEC3 parameters safely?
Changing NSEC3 parameters requires a full zone re-sign with the new parameters. The sequence: (1) update the signer configuration with the new NSEC3PARAM values, (2) trigger a full zone re-sign, (3) publish the updated zone with the new NSEC3PARAM record and updated NSEC3 chain simultaneously. Never update NSEC3PARAM without re-signing all NSEC3 records in the same operation.
Record Scope
ToolNSEC3PARAM Lookup
Query TypeNSEC3PARAM
State SharingURL Param
Ops Checklist
• Verify source DNS values first
• Check authority (NS/SOA) if mismatch appears
• Compare with global propagation when needed
Free Newsletter

Get guides like this by email

DNS, email auth, and security playbooks delivered when they publish. No spam.