cloudflare · RebeccaTamachiro · May 27, 2025 · Apr 23, 2025 · May 13, 2025 · May 13, 2025
@@ -0,0 +1,54 @@
+---
+pcx_content_type: how-to
+title: NSEC3 support
+description: Learn how to enable NSEC3 support with Cloudflare to meet compliance requirements.
+sidebar:
+  order: 6
+---
+
+import { APIRequest } from "~/components";
+
+As explained in [our blog](https://blog.cloudflare.com/black-lies/), Cloudflare's implementation of negative answers with NSEC is protected against zone walking[^1]. This implementation removes the need for NSEC3 and has been [proposed as an IETF standard](https://datatracker.ietf.org/doc/draft-ietf-dnsop-compact-denial-of-existence/).
+
+However, if you must use NSEC3 for compliance reasons, you can enable it as explained below.
+
+## Enable NSEC3
+
+Use the [Edit DNSSEC Status endpoint](/api/resources/dns/subresources/dnssec/methods/edit/), setting `status` to `active` and `dnssec_use_nsec3` to `true`. You should replace the values started by `$` with your zone ID and authentication credentials. To learn more about using the Cloudflare API, refer to [Fundamentals](/fundamentals/api/get-started/).
+
+<APIRequest
+	path="/zones/{zone_id}/dnssec"
+	method="PATCH"
+	json={{
+		"dnssec_use_nsec3": true,
+		"status": "active"
+	}}
+/>
+
+### Pre-signed DNSSEC
+
+If you use Cloudflare as a secondary DNS provider with [pre-signed DNSSEC](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/dnssec-for-secondary/), setting `dnssec_use_nsec3` to `true` means that Cloudflare will use NSEC3 records as transferred in from your primary DNS provider.
+
+Otherwise, NSEC3 records will be generated and signed at request time.
+
+## Verify NSEC3 is in use
+
+To validate that NSEC3 is being used, consider the following scenarios:
+
+### Non-existent zone name
+
+A command like the following would trigger a signed negative response using NSEC3 for proof of non-existence. Look for NSEC3 records under the `Authority Section` of the response.
+
+```sh
+dig +dnssec doesnotexist.example.com
+```
+
+### Non-existent record type at an existing name
+
+If the name `www` exists but the type TXT does not, the example below would trigger a signed NODATA response using NSEC3. Look for NSEC3 records under the `Authority Section` of the response.
+
+```sh
+dig +dnssec www.example.com TXT
+```
+
+[^1]: A method where an attacker exploits NSEC negative answers to obtain all names in a given zone. This is possible when such negative answers provide information on the previous and next names in a chain.
@@ -3,7 +3,7 @@ pcx_content_type: troubleshooting
 source: https://support.cloudflare.com/hc/en-us/articles/360021111972-Troubleshooting-DNSSEC
 title: Troubleshooting
 sidebar:
-  order: 6
+  order: 9
 head:
   - tag: title
     content: Troubleshooting DNSSEC

@@ -14,7 +14,7 @@ import { Render, TabItem, Tabs, GlossaryTooltip, APIRequest } from "~/components
 
 - **[Multi-signer DNSSEC](/dns/dnssec/multi-signer-dnssec/setup/)**: Both Cloudflare and your primary DNS provider know the signing keys of each other and perform their own live-signing of DNS records, in accordance with [RFC 8901](https://www.rfc-editor.org/rfc/rfc8901.html).
 - **[Live signing](#set-up-live-signing-dnssec)**: If your domain is not delegated to your primary provider's nameservers and Cloudflare secondary nameservers are the only nameservers authoritatively responding to DNS queries (hidden primary setup), you can choose this option to allow Cloudflare to perform live-signing of your DNS records.
-- **[Pre-signed](#set-up-pre-signed-dnssec)**: Your primary DNS provider signs records and transfers out the signatures. Cloudflare then serves these records and signatures as is, without doing any signing. Cloudflare only supports [NSEC records](https://www.cloudflare.com/dns/dnssec/how-dnssec-works/)(and not NSEC3 records) and this setup does not support [Secondary DNS Overrides](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/) nor [Load Balancing](/load-balancing/).
+- **[Pre-signed](#set-up-pre-signed-dnssec)**: Your primary DNS provider signs records and transfers out the signatures. Cloudflare then serves these records and signatures as is, without doing any signing. By default, Cloudflare uses [NSEC records](https://www.cloudflare.com/dns/dnssec/how-dnssec-works/) and not NSEC3 - refer to [NSEC3 support](/dns/dnssec/enable-nsec3/) if needed. Also, Pre-signed DNSSEC does not support [Secondary DNS Overrides](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/proxy-traffic/) nor [Load Balancing](/load-balancing/).
 
 ---
 
@@ -62,15 +62,10 @@ In this setup, DNSSEC on your pirmary DNS provider does not need to be enabled.
 
 ## Set up pre-signed DNSSEC
 
-:::caution[Important: NSEC3 not supported]
-
-If your primary DNS provider uses NSEC3 instead of NSEC, Cloudflare will fail to serve the pre-signed zone. Authenticated denial of existence is an essential part of DNSSEC ([RFC 7129](https://www.rfc-editor.org/rfc/rfc7129.html)) and is only supported by Cloudflare through NSEC.
-:::
-
 ### Prerequisites
 
 - Your secondary zone in Cloudflare already exists and zone transfers from your primary DNS provider are working correctly.
-- Your primary DNS provider supports DNSSEC using NSEC records (and not NSEC3).
+- You have considered whether your primary DNS provider uses NSEC or NSEC3, and have enabled [NSEC3 support](/dns/dnssec/enable-nsec3/) if needed.
 - Your primary DNS provider transfers out DNSSEC related records, such as RRSIG, DNSKEY, and NSEC.
 
 ### Steps
@@ -84,9 +79,9 @@ Pre-signed DNSSEC does not support [Secondary DNS Overrides](/dns/zone-setups/zo
 
 <Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
 
-a. Select your zone and go to **DNS** > **Settings**.
+1. Select your zone and go to **DNS** > **Settings**.
 
-b. Under **DNSSEC with Secondary DNS** select **Pre-signed**.
+2. Under **DNSSEC with Secondary DNS** select **Pre-signed**.
 
 </TabItem> <TabItem label="API">