You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
* Create new page for NSEC3 and adjust docs order
* Add section on how to verify NSEC3 is in use
* Replace API example with APIRequest component version
* Update dnssec-for-secondary to account for NSEC3 support
* Add note on pre-signed DNSSEC to NSEC3 docs
description: Learn how to enable NSEC3 support with Cloudflare to meet compliance requirements.
5
+
sidebar:
6
+
order: 6
7
+
---
8
+
9
+
import { APIRequest } from"~/components";
10
+
11
+
As explained in [our blog](https://blog.cloudflare.com/black-lies/), Cloudflare's implementation of negative answers with NSEC is protected against zone walking[^1]. This implementation removes the need for NSEC3 and has been [proposed as an IETF standard](https://datatracker.ietf.org/doc/draft-ietf-dnsop-compact-denial-of-existence/).
12
+
13
+
However, if you must use NSEC3 for compliance reasons, you can enable it as explained below.
14
+
15
+
## Enable NSEC3
16
+
17
+
Use the [Edit DNSSEC Status endpoint](/api/resources/dns/subresources/dnssec/methods/edit/), setting `status` to `active` and `dnssec_use_nsec3` to `true`. You should replace the values started by `$` with your zone ID and authentication credentials. To learn more about using the Cloudflare API, refer to [Fundamentals](/fundamentals/api/get-started/).
18
+
19
+
<APIRequest
20
+
path="/zones/{zone_id}/dnssec"
21
+
method="PATCH"
22
+
json={{
23
+
"dnssec_use_nsec3": true,
24
+
"status": "active"
25
+
}}
26
+
/>
27
+
28
+
### Pre-signed DNSSEC
29
+
30
+
If you use Cloudflare as a secondary DNS provider with [pre-signed DNSSEC](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/dnssec-for-secondary/), setting `dnssec_use_nsec3` to `true` means that Cloudflare will use NSEC3 records as transferred in from your primary DNS provider.
31
+
32
+
Otherwise, NSEC3 records will be generated and signed at request time.
33
+
34
+
## Verify NSEC3 is in use
35
+
36
+
To validate that NSEC3 is being used, consider the following scenarios:
37
+
38
+
### Non-existent zone name
39
+
40
+
A command like the following would trigger a signed negative response using NSEC3 for proof of non-existence. Look for NSEC3 records under the `Authority Section` of the response.
41
+
42
+
```sh
43
+
dig +dnssec doesnotexist.example.com
44
+
```
45
+
46
+
### Non-existent record type at an existing name
47
+
48
+
If the name `www` exists but the type TXT does not, the example below would trigger a signed NODATA response using NSEC3. Look for NSEC3 records under the `Authority Section` of the response.
49
+
50
+
```sh
51
+
dig +dnssec www.example.com TXT
52
+
```
53
+
54
+
[^1]: A method where an attacker exploits NSEC negative answers to obtain all names in a given zone. This is possible when such negative answers provide information on the previous and next names in a chain.
-**[Multi-signer DNSSEC](/dns/dnssec/multi-signer-dnssec/setup/)**: Both Cloudflare and your primary DNS provider know the signing keys of each other and perform their own live-signing of DNS records, in accordance with [RFC 8901](https://www.rfc-editor.org/rfc/rfc8901.html).
16
16
-**[Live signing](#set-up-live-signing-dnssec)**: If your domain is not delegated to your primary provider's nameservers and Cloudflare secondary nameservers are the only nameservers authoritatively responding to DNS queries (hidden primary setup), you can choose this option to allow Cloudflare to perform live-signing of your DNS records.
17
-
-**[Pre-signed](#set-up-pre-signed-dnssec)**: Your primary DNS provider signs records and transfers out the signatures. Cloudflare then serves these records and signatures as is, without doing any signing. Cloudflare only supports [NSEC records](https://www.cloudflare.com/dns/dnssec/how-dnssec-works/)(and not NSEC3 records) and this setup does not support [Secondary DNS Overrides](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/) nor [Load Balancing](/load-balancing/).
17
+
-**[Pre-signed](#set-up-pre-signed-dnssec)**: Your primary DNS provider signs records and transfers out the signatures. Cloudflare then serves these records and signatures as is, without doing any signing. By default, Cloudflare uses [NSEC records](https://www.cloudflare.com/dns/dnssec/how-dnssec-works/)and not NSEC3 - refer to [NSEC3 support](/dns/dnssec/enable-nsec3/) if needed. Also, Pre-signed DNSSEC does not support [Secondary DNS Overrides](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/) nor [Load Balancing](/load-balancing/).
18
18
19
19
---
20
20
@@ -62,15 +62,10 @@ In this setup, DNSSEC on your pirmary DNS provider does not need to be enabled.
62
62
63
63
## Set up pre-signed DNSSEC
64
64
65
-
:::caution[Important: NSEC3 not supported]
66
-
67
-
If your primary DNS provider uses NSEC3 instead of NSEC, Cloudflare will fail to serve the pre-signed zone. Authenticated denial of existence is an essential part of DNSSEC ([RFC 7129](https://www.rfc-editor.org/rfc/rfc7129.html)) and is only supported by Cloudflare through NSEC.
68
-
:::
69
-
70
65
### Prerequisites
71
66
72
67
- Your secondary zone in Cloudflare already exists and zone transfers from your primary DNS provider are working correctly.
73
-
-Your primary DNS provider supports DNSSEC using NSEC records (and not NSEC3).
68
+
-You have considered whether your primary DNS provider uses NSEC or NSEC3, and have enabled [NSEC3 support](/dns/dnssec/enable-nsec3/) if needed.
74
69
- Your primary DNS provider transfers out DNSSEC related records, such as RRSIG, DNSKEY, and NSEC.
75
70
76
71
### Steps
@@ -84,9 +79,9 @@ Pre-signed DNSSEC does not support [Secondary DNS Overrides](/dns/zone-setups/zo
0 commit comments