Add section on how to verify NSEC3 is in use

Author: RebeccaTamachiro

src/content/docs/dns/dnssec/enable-nsec3.mdx

@@ -1,6 +1,6 @@
 ---
 pcx_content_type: how-to
-title: Enable NSEC3
+title: NSEC3 support
 description: Learn how to enable NSEC3 support with Cloudflare to meet compliance requirements.
 sidebar:
   order: 6
@@ -10,6 +10,8 @@ As explained in [our blog](https://blog.cloudflare.com/black-lies/), Cloudflare'
 
 However, if you must use NSEC3 for compliance reasons, you can enable it as explained below.
 
+## Enable NSEC3
+
 Use the [Edit DNSSEC Status endpoint](/api/resources/dns/subresources/dnssec/methods/edit/), setting `status` to `active` and `dnssec_use_nsec3` to `true`. You should replace the values started by `$` with your zone ID and API token. To learn more about using the Cloudflare API, refer to [Fundamentals](/fundamentals/api/get-started/).
 
 ```bash
@@ -23,4 +25,24 @@ https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dnssec \
 }'
 ```
 
+## Verify NSEC3 is in use
+
+To validate that NSEC3 is being used, consider the following scenarios:
+
+### Non-existent zone name
+
+A command like the following would trigger a signed negative response using NSEC3 for proof of non-existence. Look for NSEC3 records under the `Authority Section` of the response.
+
+```sh
+dig +dnssec doesnotexist.example.com
+```
+
+### Non-existent record type at an existing name
+
+If the name `www` exists but the type TXT does not, the example below would trigger a signed NODATA response using NSEC3. Look for NSEC3 records under the `Authority Section` of the response.
+
+```sh
+dig +dnssec www.example.com TXT
+```
+
 [^1]: A method where an attacker exploits NSEC negative answers to obtain all names in a given zone. This is possible when such negative answers provide information on the previous and next names in a chain.