🧮 NSEC3PARAM Checker

What you'll see

• Hash algorithm, iteration count, and salt values used to generate NSEC3 records.
• TTL details so you know when parameter updates will be respected by resolvers.
• Authority responses that confirm which server supplied the NSEC3 configuration.

Common use cases

• Plan DNSSEC rollovers that require updating salts or iteration counts.
• Validate that published parameters match those expected by your signing software.
• Troubleshoot validation failures caused by mismatched hashing settings between zones and resolvers.

Troubleshooting tips

• High iteration counts can slow resolvers—keep the value reasonable for your audience.
• Changing the salt requires resigning the entire zone; schedule during maintenance windows.
• Ensure your actual NSEC3 records reflect the same parameters shown here to maintain chain of trust.

FAQ

What does the iteration count do?

Iterations control how many times the hash is applied. Higher values increase brute-force cost but add latency for resolvers.

When should I rotate the salt?

Rotate periodically or when compromising data is suspected. Remember to re-sign the zone so new hashes propagate.

Why is my algorithm listed as 1?

Algorithm 1 corresponds to SHA-1 per RFC 5155. Other algorithms are currently uncommon but supported by the spec.

Resources

• RFC 5155: DNSSEC Hashed Authenticated Denial of Existence
• AWS Route 53 DNSSEC configuration guide
• ISC BIND tips for tuning NSEC3 parameters