NSEC3PARAM

E746789

NSEC3PARAM is a DNSSEC resource record that specifies the parameters used for NSEC3 hashing, enabling more secure and privacy-preserving denial-of-existence proofs in DNS.

Statements (44)

Predicate Object
instanceOf DNS resource record
DNSSEC resource record type
affects NSEC3 records in the zone
appearsIn zone apex authoritative data
category security
controls NSEC3 hash parameters for a zone
definedInRFC RFC 5155
flagsBit0Meaning Opt-Out
flagsFieldType 8-bit unsigned integer
hasField Flags
Hash Algorithm
Iterations
Salt
Salt Length
hashAlgorithmDefault SHA-1
hashAlgorithmFieldType 8-bit unsigned integer
hashAlgorithmRegistry IANA DNSSEC NSEC3 Hash Algorithm Registry
hasMnemonic NSEC3PARAM
hasPurpose improve privacy of DNSSEC negative responses
specify parameters for NSEC3 hashing
support authenticated denial of existence
improvesOver NSEC
iterationsFieldType 16-bit unsigned integer
iterationsPurpose increase cost of dictionary attacks
mustBeSigned true
negativeResponseType authenticated denial of existence of names
authenticated denial of existence of types at an existing name
ownerNameScope zone apex
privacyProperty prevents simple zone walking
processedBy authoritative DNS servers
validating resolvers
recordClass IN
relatedTo NSEC3
saltFieldType variable-length octet string
saltLengthFieldType 8-bit unsigned integer
saltPurpose defend against precomputed hash attacks
status Standard
supportsOptOut true
tag NSEC3PARAM
usedFor authenticated denial of existence of DNS names
negative DNSSEC responses
usedIn DNSSEC
usedWith signed DNS zones
wireFormatDefinedIn RFC 5155 Section 3.2

Referenced by (1)

Full triples — surface form annotated when it differs from this entity's canonical label.

RFC 5155 definesExtension NSEC3PARAM