Add changelog entry for NSEC3 support and update ENT-only availability for NSEC3

src/content/changelog/dns/2025-06-11-nsec3-support.mdx

@@ -0,0 +1,15 @@
+---
+title: NSEC3 support for DNSSEC
+description: Cloudflare DNSSEC supports NSEC3 for proof of non-existence.
+date: 2025-06-11T12:00:00Z
+---
+
+Enterprise customers can now select NSEC3 as method for proof of non-existence on their zones.
+
+What's new:
+
+- **NSEC3 support for live-signed zones** – For both primary and secondary zones that are configured to be live-signed (also known as "on-the-fly signing"), NSEC3 can now be selected as proof of non-existence.
+
+- **NSEC3 support for pre-signed zones** – Secondary zones that are transferred to Cloudflare in a [pre-signed setup](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/dnssec-for-secondary/#set-up-pre-signed-dnssec) now also support NSEC3 as proof of non-existence.
+
+For more information and how to enable NSEC3, refer to the [NSEC3 documentation](/dns/dnssec/enable-nsec3/).

src/content/docs/dns/dnssec/enable-nsec3.mdx

@@ -51,4 +51,8 @@ If the name `www` exists but the type TXT does not, the example below would trig
 dig +dnssec www.example.com TXT
 ```
 
-[^1]: A method where an attacker exploits NSEC negative answers to obtain all names in a given zone. This is possible when such negative answers provide information on the previous and next names in a chain.
+## Availability
+
+NSEC3 is only available for zones on the Enterprise plan.
+
+[^1]: A method where an attacker exploits NSEC negative answers to obtain all names in a given zone. This is possible when such negative answers provide information on the previous and next names in a chain.