NSEC3PARAM
E746789
NSEC3PARAM is a DNSSEC resource record that specifies the parameters used for NSEC3 hashing, enabling more secure and privacy-preserving denial-of-existence proofs in DNS.
All labels observed (1)
| Label | Occurrences |
|---|---|
| NSEC3PARAM canonical | 1 |
How this entity was disambiguated
This entity first appeared as the object of triple T8619347 — resolving that mention is where its identity was fixed. The disambiguator weighed these candidate entities and picked the highlighted one (or “None”, minting a new entity). This is how homonymy is resolved: the same surface form can point to different entities.
Target entity: NSEC3PARAM Context triple: [RFC 5155, definesExtension, NSEC3PARAM]
-
A.
DNSSEC
DNSSEC (Domain Name System Security Extensions) is a suite of specifications that adds cryptographic authentication and integrity protection to DNS data to prevent attacks such as cache poisoning and spoofing.
-
B.
DNSKEY
DNSKEY is a DNS Security Extensions (DNSSEC) resource record that stores public keys used to verify digital signatures and authenticate DNS data.
-
C.
Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC
"Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC" (RFC 5702) is an IETF standards-track document that specifies how to employ SHA-2 hash algorithms with RSA signatures in DNSSEC to enhance the security of DNS authentication.
-
D.
DNSSEC root key signing ceremony
The DNSSEC root key signing ceremony is a highly controlled, regularly scheduled cryptographic event where trusted personnel generate and manage the root cryptographic keys that secure the global Domain Name System.
-
E.
DNSSEC KSK
The DNSSEC KSK (Key Signing Key) is a long-term cryptographic key used to sign and authenticate a zone’s DNSKEY records, forming the trust anchor at the top of the DNSSEC validation chain.
- F. None of above. chosen
- G. Unsure - the case is ambiguous/there is not enough information to decide.
Target entity: NSEC3PARAM Target entity description: NSEC3PARAM is a DNSSEC resource record that specifies the parameters used for NSEC3 hashing, enabling more secure and privacy-preserving denial-of-existence proofs in DNS.
-
A.
DNSSEC
DNSSEC (Domain Name System Security Extensions) is a suite of specifications that adds cryptographic authentication and integrity protection to DNS data to prevent attacks such as cache poisoning and spoofing.
-
B.
DNSKEY
DNSKEY is a DNS Security Extensions (DNSSEC) resource record that stores public keys used to verify digital signatures and authenticate DNS data.
-
C.
Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC
"Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC" (RFC 5702) is an IETF standards-track document that specifies how to employ SHA-2 hash algorithms with RSA signatures in DNSSEC to enhance the security of DNS authentication.
-
D.
DNSSEC root key signing ceremony
The DNSSEC root key signing ceremony is a highly controlled, regularly scheduled cryptographic event where trusted personnel generate and manage the root cryptographic keys that secure the global Domain Name System.
-
E.
DNSSEC KSK
The DNSSEC KSK (Key Signing Key) is a long-term cryptographic key used to sign and authenticate a zone’s DNSKEY records, forming the trust anchor at the top of the DNSSEC validation chain.
- F. None of above. chosen
Statements (44)
| Predicate | Object |
|---|---|
| instanceOf |
DNS resource record
ⓘ
DNSSEC resource record type ⓘ |
| affects | NSEC3 records in the zone ⓘ |
| appearsIn | zone apex authoritative data ⓘ |
| category | security ⓘ |
| controls | NSEC3 hash parameters for a zone ⓘ |
| definedInRFC | RFC 5155 NERFINISHED ⓘ |
| flagsBit0Meaning | Opt-Out ⓘ |
| flagsFieldType | 8-bit unsigned integer ⓘ |
| hasField |
Flags
ⓘ
Hash Algorithm ⓘ Iterations ⓘ Salt ⓘ Salt Length ⓘ |
| hashAlgorithmDefault | SHA-1 ⓘ |
| hashAlgorithmFieldType | 8-bit unsigned integer ⓘ |
| hashAlgorithmRegistry | IANA DNSSEC NSEC3 Hash Algorithm Registry NERFINISHED ⓘ |
| hasMnemonic | NSEC3PARAM ⓘ |
| hasPurpose |
improve privacy of DNSSEC negative responses
ⓘ
specify parameters for NSEC3 hashing ⓘ support authenticated denial of existence ⓘ |
| improvesOver | NSEC ⓘ |
| iterationsFieldType | 16-bit unsigned integer ⓘ |
| iterationsPurpose | increase cost of dictionary attacks ⓘ |
| mustBeSigned | true ⓘ |
| negativeResponseType |
authenticated denial of existence of names
ⓘ
authenticated denial of existence of types at an existing name ⓘ |
| ownerNameScope | zone apex ⓘ |
| privacyProperty | prevents simple zone walking ⓘ |
| processedBy |
authoritative DNS servers
ⓘ
validating resolvers ⓘ |
| recordClass | IN ⓘ |
| relatedTo | NSEC3 NERFINISHED ⓘ |
| saltFieldType | variable-length octet string ⓘ |
| saltLengthFieldType | 8-bit unsigned integer ⓘ |
| saltPurpose | defend against precomputed hash attacks ⓘ |
| status | Standard ⓘ |
| supportsOptOut | true GENERATED ⓘ |
| tag | NSEC3PARAM ⓘ |
| usedFor |
authenticated denial of existence of DNS names
ⓘ
negative DNSSEC responses ⓘ |
| usedIn | DNSSEC NERFINISHED ⓘ |
| usedWith | signed DNS zones ⓘ |
| wireFormatDefinedIn | RFC 5155 Section 3.2 NERFINISHED ⓘ |
How these facts were elicited
The pipeline generated the facts above by prompting gpt-5.1 with this entity's name + description and the instruction below.
You are a knowledge base construction expert. Given a subject entity and a description of it, return factual statements that you know for the subject as a JSON list of dictionaries(triples), where keys must be "subject", "predicate" and "object". The number of facts may be very high, between 25 to 50 or more, for very popular subjects. For less popular subjects, the number of facts can be very low, like 5 or 10. # Requirements - If you don't know the subject at all, return an empty list. - If the subject is not a named entity, return an empty list. - Include at least one triple where predicate is "instanceOf". - Do not get too wordy. - Separate several objects into multiple triples with one object.
Subject: NSEC3PARAM Description of subject: NSEC3PARAM is a DNSSEC resource record that specifies the parameters used for NSEC3 hashing, enabling more secure and privacy-preserving denial-of-existence proofs in DNS.
Referenced by (1)
Full triples — surface form annotated when it differs from this entity's canonical label.