Guidance for NSEC3 parameter settings

Document Type: Replaced Internet-Draft (individual); expired & archived
Authors: Wes Hardaker, Viktor Dukhovni
Last updated: 2021-05-06
Replaced by: draft-ietf-dnsop-nsec3-guidance
RFC stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Replaced by draft-ietf-dnsop-nsec3-guidance
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


NSEC3 is a DNSSEC mechanism providing proof of non-existence by promising there are no names that exist between two domain names within a zone. Unlike its counterpart NSEC, NSEC3 avoids directly disclosing the bounding domain name pairs. This document provides guidance on setting NSEC3 parameters based on recent operational deployment experience.


Wes Hardaker
Viktor Dukhovni

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)