NSEC3PARAM Record DNSSEC
The NSEC3PARAM record defines the parameters used to generate NSEC3 records in a DNSSEC-signed zone. It's placed at the zone apex and tells signing software what hash algorithm, iterations, and salt to use.
What Is an NSEC3PARAM Record?
When a zone uses NSEC3 for denial of existence, the NSEC3PARAM record at the apex specifies:
- Which hash algorithm to use
- How many extra iterations to perform
- What salt value to prepend
- Whether to use the opt-out flag
NSEC3PARAM Record Format
Example NSEC3PARAM Record
```
example.com. 3600 IN NSEC3PARAM 1 0 10 aabbccdd
```
Hash algorithm 1 (SHA-1), no flags, 10 iterations, salt "aabbccdd".
NSEC3PARAM Fields
| Field | Description | Values |
|---|---|---|
| Hash Algorithm | Algorithm for hashing names | 1 (SHA-1) |
| Flags | Opt-out flag | 0 (no opt-out) or 1 |
| Iterations | Additional hash rounds | 0-65535 (0 recommended) |
| Salt | Hex-encoded salt or "-" | - (no salt) or hex value |
Modern Best Practices (RFC 9276)
Current recommendations for NSEC3PARAM:
```
example.com. NSEC3PARAM 1 0 0 -
```
- Algorithm: 1 (SHA-1 is still standard for NSEC3)
- Flags: 0 (no opt-out)
- Iterations: 0 (no extra iterations)
- Salt: - (no salt)
Older guidance suggested higher iterations and salts, but RFC 9276 determined these provide minimal security benefit while increasing CPU overhead.
Relationship to NSEC3
The NSEC3PARAM record is used during zone signing to generate NSEC3 records. All NSEC3 records in the zone must use the same parameters as specified in NSEC3PARAM.
```
; NSEC3PARAM at the zone apex
example.com. NSEC3PARAM 1 0 0 -
; Every NSEC3 record uses the same algorithm, iterations and salt.
; hash1/hash2/hash3 stand in for the 32-character base32hex labels
; that the real records are published under.
hash1.example.com. NSEC3 1 0 0 - hash2 A AAAA
hash2.example.com. NSEC3 1 0 0 - hash3 A MX
```
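To make the relationship concrete, here is an added Python example (not code from the original page) that implements the RFC 5155 hashing the NSEC3PARAM fields drive: the owner name in canonical wire format is hashed with SHA-1, the salt is appended before the initial hash and before each of the `iterations` extra rounds, and the digest is base32hex-encoded to form the NSEC3 owner label. The `hash1`/`hash2` labels above are placeholders; this shows what the real labels look like for the page's two parameter sets. The function names (`to_wire`, `base32hex`, `nsec3_hash`, `nsec3_owner`) are mine.

```python
"""NSEC3 owner-name hashing as specified in RFC 5155 section 5.

Added example, not code from the original page. Shows how the
NSEC3PARAM fields (hash algorithm, iterations, salt) turn an owner
name into the hashed label that an NSEC3 record is published under.
"""
import hashlib

# RFC 4648 base32hex alphabet, which RFC 5155 mandates for hashed labels
_B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"


def to_wire(name: str) -> bytes:
    """Canonical wire format (RFC 4034 section 6.2): lowercase labels,
    each prefixed by its length, terminated by the zero-length root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32 with the extended hex alphabet, no padding (RFC 4648 section 7).
    A 20-byte SHA-1 digest is 160 bits, i.e. exactly 32 characters."""
    bits = "".join(format(b, "08b") for b in data)
    bits += "0" * (-len(bits) % 5)          # pad to a multiple of 5 bits
    return "".join(_B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name: str, algorithm: int, iterations: int, salt: str) -> str:
    """Compute the NSEC3 hashed owner label for `name`.

    RFC 5155 section 5:
      IH(salt, x, 0) = H(x || salt)
      IH(salt, x, k) = H(IH(salt, x, k-1) || salt), k > 0
    `salt` is the hex string from NSEC3PARAM, or "-" for no salt.
    """
    if algorithm != 1:
        # 1 (SHA-1) is the only hash algorithm defined for NSEC3
        raise ValueError("unsupported NSEC3 hash algorithm %d" % algorithm)
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    digest = hashlib.sha1(to_wire(name) + salt_bytes).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt_bytes).digest()
    return base32hex(digest)


def nsec3_owner(name: str, zone: str, algorithm: int, iterations: int, salt: str) -> str:
    """Owner name of the NSEC3 record covering `name`: hashed label + zone apex."""
    return "%s.%s" % (nsec3_hash(name, algorithm, iterations, salt).lower(),
                      zone.rstrip(".") + ".")


if __name__ == "__main__":
    # Parameters from the page's example record: NSEC3PARAM 1 0 10 aabbccdd
    for n in ("example.com", "www.example.com"):
        print(n, "->", nsec3_owner(n, "example.com", 1, 10, "aabbccdd"))
    # Parameters recommended by RFC 9276: NSEC3PARAM 1 0 0 -
    print("example.com ->", nsec3_owner("example.com", "example.com", 1, 0, "-"))
```

The test vector from RFC 5155 Appendix A (zone `example`, 12 iterations, salt `aabbccdd`) hashes `example` to `0p9mhaveqvm6t7vbl5lop2u3t2rp3tom`, which is a handy way to confirm any reimplementation. Note that the name is lowercased before hashing, so `WWW.example.com` and `www.example.com` land on the same NSEC3 record; a checker that forgets this will report false mismatches.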
Changing NSEC3 Parameters
To change NSEC3 parameters:
- Update the NSEC3PARAM record with new values
- Re-sign the entire zone with new parameters
- All NSEC3 records are regenerated
This typically requires a complete zone re-signing operation.
NSEC3PARAM Best Practices
- Use 0 iterations — Per RFC 9276, additional iterations don't help.
- Use no salt — Salts complicate rotation without significant benefit.
- Avoid opt-out — Only use for very large zones with many unsigned delegations.
- One NSEC3PARAM per zone — Only one NSEC3PARAM should exist at the apex.
Checking NSEC3PARAM Records
```
# Query the NSEC3PARAM record at the zone apex
dig example.com NSEC3PARAM
# Set the DO bit so the answer includes DNSSEC records (RRSIG, NSEC3)
dig example.com +dnssec
```
Troubleshooting NSEC3PARAM
Common issues and solutions:
- NSEC3 validation failing — Ensure NSEC3 records match NSEC3PARAM values.
- Multiple NSEC3PARAM records — Remove extras; only one should exist.
- Parameter mismatch — All NSEC3 records must use identical parameters.
- High iteration count — Consider reducing to 0 per modern guidance.
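The checks in this list can be automated offline against a zone file. The following Python is an added example, not code from the page or from DNS Explorer; the zone records it parses are constructed sample data whose `hash1`-style labels stand in for real base32hex hashes, and the function names (`parse_zone`, `check_nsec3`) are mine. It reports duplicate NSEC3PARAM records, NSEC3 records whose parameters differ from NSEC3PARAM, a broken next-hashed-owner chain, and iteration or salt settings that RFC 9276 advises against.

```python
"""Consistency checks for NSEC3PARAM against a zone's NSEC3 records.

Added example, not code from the original page or any DNS vendor.
Parses one-record-per-line zone text (constructed sample data below)
and returns (severity, message) findings.
"""
from collections import namedtuple

RR = namedtuple("RR", "owner rtype fields")


def parse_zone(text: str):
    """Minimal parser: "owner [TTL] [IN] TYPE rdata..." per line, ';' comments."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        parts = line.split()
        owner, rest = parts[0].lower(), parts[1:]
        if rest and rest[0].isdigit():          # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":    # optional class
            rest = rest[1:]
        records.append(RR(owner, rest[0].upper(), rest[1:]))
    return records


def check_nsec3(zone_text: str, apex: str):
    """Return a list of (severity, message) findings for the zone."""
    apex = apex.lower().rstrip(".") + "."
    findings = []
    rrs = parse_zone(zone_text)
    params = [r for r in rrs if r.rtype == "NSEC3PARAM"]
    nsec3s = [r for r in rrs if r.rtype == "NSEC3"]

    # Exactly one NSEC3PARAM, and it must sit at the zone apex
    if not params:
        findings.append(("ERROR", "no NSEC3PARAM record found"))
        return findings
    if len(params) > 1:
        findings.append(("ERROR", "%d NSEC3PARAM records; only one should exist" % len(params)))
    for p in params:
        if p.owner != apex:
            findings.append(("ERROR", "NSEC3PARAM at %s, not at apex %s" % (p.owner, apex)))

    alg, flags, iters, salt = params[0].fields[:4]
    if alg != "1":
        findings.append(("ERROR", "unknown NSEC3 hash algorithm %s (only 1, SHA-1, is defined)" % alg))
    if int(iters) > 0:
        findings.append(("WARN", "iterations=%s; RFC 9276 recommends 0" % iters))
    if salt != "-":
        findings.append(("WARN", "salt=%s; RFC 9276 recommends no salt (-)" % salt))

    # Every NSEC3 record must hash with the same algorithm, iterations and salt.
    # The opt-out bit is carried in each NSEC3 record's own flags field (RFC 5155),
    # so it is reported rather than compared against NSEC3PARAM.
    owners = {r.owner.split(".")[0] for r in nsec3s}
    optout = 0
    for r in nsec3s:
        r_alg, r_flags, r_iters, r_salt, r_next = r.fields[:5]
        if (r_alg, r_iters, r_salt) != (alg, iters, salt):
            findings.append(("ERROR", "%s uses %s %s %s but NSEC3PARAM says %s %s %s"
                             % (r.owner, r_alg, r_iters, r_salt, alg, iters, salt)))
        if int(r_flags) & 1:
            optout += 1
        # The chain must be closed: each next hashed owner is another NSEC3 owner
        if r_next.lower() not in owners:
            findings.append(("ERROR", "%s points to %s, which has no NSEC3 record (broken chain)"
                             % (r.owner, r_next)))
    if optout:
        findings.append(("INFO", "%d of %d NSEC3 records set opt-out" % (optout, len(nsec3s))))
    return findings


# Constructed sample zones; hashN labels are placeholders for base32hex hashes
GOOD_ZONE = """
example.com.       3600 IN NSEC3PARAM 1 0 0 -
hash1.example.com. 3600 IN NSEC3 1 0 0 - hash2 A AAAA RRSIG
hash2.example.com. 3600 IN NSEC3 1 0 0 - hash3 A MX RRSIG
hash3.example.com. 3600 IN NSEC3 1 0 0 - hash1 NS SOA RRSIG
"""

BAD_ZONE = """
example.com.       3600 IN NSEC3PARAM 1 0 10 aabbccdd
example.com.       3600 IN NSEC3PARAM 1 0 0 -          ; leftover from an old signing run
hash1.example.com. 3600 IN NSEC3 1 0 10 aabbccdd hash2 A AAAA
hash2.example.com. 3600 IN NSEC3 1 1 0 - hash9 A MX    ; old parameters, dangling next owner
"""

if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(label + ":")
        for severity, msg in check_nsec3(zone, "example.com") or [("OK", "no findings")]:
            print("  [%s] %s" % (severity, msg))
```

Run against the output of `dig example.com NSEC3PARAM` plus an AXFR or signed zone file, the `ERROR` findings correspond directly to the validation failures in the list above, while `WARN` flags settings that still validate but waste resolver CPU.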
Validate Your DNSSEC Parameters
DNS Explorer checks NSEC3PARAM configuration, validates consistency, and alerts you to misconfigurations.
Related Record Types
- NSEC3 Record — Hashed denial of existence
- NSEC Record — Unhashed denial of existence
- DNSKEY Record — Zone signing keys
- RRSIG Record — DNSSEC signatures