ToolHop.

NSEC Record Checker

Inspect NSEC records to understand how a zone proves the nonexistence of names and reveals covered ranges.

Review NSEC records that provide authenticated denial of existence in DNSSEC-signed zones.

What you'll see

  • Owner name, next domain, and bitmap of RR types proving which records exist in the zone.
  • TTL values indicating how long negative answers may be cached by clients.
  • Authority responses revealing which server confirmed the denial of existence.

Common use cases

  • Check for unintended zone walking exposure when using NSEC instead of NSEC3.
  • Validate DNSSEC responses when troubleshooting missing subdomains.
  • Confirm wildcard coverage and understand which RRsets are published at each node.

Troubleshooting tips

  • If privacy is a concern, consider switching to NSEC3 to obscure adjacent hostnames.
  • Ensure the next-domain ordering follows the canonical DNSSEC requirements to avoid validation failures.
  • Use the bitmap to confirm only the intended record types are exposed at a particular node.

FAQ

Why does the bitmap matter?
The type bitmap shows exactly which RRsets exist at an owner name. Validators rely on it to prove a record is missing.

Can attackers enumerate my zone with NSEC?
Yes. Classic NSEC responses reveal the next valid name, allowing zone walking. Switch to NSEC3 with opt-out to reduce exposure.

What causes validation failures?
Out-of-order next-domain pointers or mismatched signatures will fail DNSSEC validation. Compare with your zone signer configuration.
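
The two checks described above, decoding the type bitmap and testing whether a name falls inside an NSEC record's owner/next-domain range in canonical order, are shown here as an added Python example (not ToolHop's code). The sample names and bitmap bytes are constructed, the function names are illustrative, and names are assumed to be plain ASCII without escaped labels.

```python
# Display names for a few RR type codes; anything else prints as TYPEn.
TYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA",
              46: "RRSIG", 47: "NSEC", 48: "DNSKEY"}

# Constructed sample bitmap: window 0 (A, MX, RRSIG, NSEC) and window 4 (type 1234).
SAMPLE_BITMAP = bytes([0, 6, 0x40, 0x01, 0, 0, 0, 0x03, 4, 27]) + bytes(26) + b"\x20"


def decode_type_bitmap(data: bytes) -> list[str]:
    """Decode the NSEC Type Bit Maps field (RFC 4034, section 4.1.2)."""
    types, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[pos], data[pos + 1]
        if not 1 <= length <= 32 or pos + 2 + length > len(data):
            raise ValueError("bad bitmap length")
        for i, octet in enumerate(data[pos + 2:pos + 2 + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):  # bits are numbered from the MSB
                    code = window * 256 + i * 8 + bit
                    types.append(TYPE_NAMES.get(code, f"TYPE{code}"))
        pos += 2 + length
    return types


def canonical_key(name: str) -> list[bytes]:
    """Sort key for canonical DNS name order (RFC 4034, section 6.1):
    labels compared right to left as lowercase octet strings."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return [label.lower().encode("ascii") for label in reversed(labels)]


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname sorts strictly between owner and next_name,
    which is what lets this NSEC prove that qname does not exist."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    # Last NSEC in the chain: the next-domain field wraps back to the apex.
    return q > o or q < n


if __name__ == "__main__":
    print(decode_type_bitmap(SAMPLE_BITMAP))
    print(nsec_covers("alfa.example.com.", "host.example.com.", "beta.example.com."))
```

A record whose owner sorts after its next-domain name is valid only as the last link in the chain; anywhere else it is the out-of-order pointer that fails validation.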
