Add changelog entry for NSEC3 support and update ENT-only availability for NSEC3 (cloudflare#22996)

hannes-cf · windsurf-bot[bot] · kodster28 · sdnts · commit 7c0a09056dd1 · 2025-07-24T16:06:03.000-04:00
* Add ENT-only availability for NSEC3

* Add changelog entry for NSEC3 support

* Fix typo

Co-authored-by: windsurf-bot[bot] &lt;189301087+windsurf-bot[bot]@users.noreply.github.com&gt;

* Update title

Co-authored-by: Kody Jackson &lt;kody.s.jackson@gmail.com&gt;

---------

Co-authored-by: windsurf-bot[bot] &lt;189301087+windsurf-bot[bot]@users.noreply.github.com&gt;
Co-authored-by: Kody Jackson &lt;kody.s.jackson@gmail.com&gt;
diff --git a/src/content/changelog/dns/2025-06-11-nsec3-support.mdx b/src/content/changelog/dns/2025-06-11-nsec3-support.mdx
@@ -0,0 +1,15 @@
+---
+title: NSEC3 support for DNSSEC
+description: Cloudflare DNSSEC supports NSEC3 for proof of non-existence.
+date: 2025-06-11T12:00:00Z
+---
+
+Enterprise customers can now select NSEC3 as method for proof of non-existence on their zones.
+
+What's new:
+
+- **NSEC3 support for live-signed zones** – For both primary and secondary zones that are configured to be live-signed (also known as "on-the-fly signing"), NSEC3 can now be selected as proof of non-existence.
+
+- **NSEC3 support for pre-signed zones** – Secondary zones that are transferred to Cloudflare in a [pre-signed setup](/dns/zone-setups/zone-transfers/cloudflare-as-secondary/dnssec-for-secondary/#set-up-pre-signed-dnssec) now also support NSEC3 as proof of non-existence.
+
+For more information and how to enable NSEC3, refer to the [NSEC3 documentation](/dns/dnssec/enable-nsec3/).
diff --git a/src/content/docs/dns/dnssec/enable-nsec3.mdx b/src/content/docs/dns/dnssec/enable-nsec3.mdx
@@ -51,4 +51,8 @@ If the name `www` exists but the type TXT does not, the example below would trig
 dig +dnssec www.example.com TXT
 ```
 
-[^1]: A method where an attacker exploits NSEC negative answers to obtain all names in a given zone. This is possible when such negative answers provide information on the previous and next names in a chain.
+## Availability
+
+NSEC3 is only available for zones on the Enterprise plan.
+
+[^1]: A method where an attacker exploits NSEC negative answers to obtain all names in a given zone. This is possible when such negative answers provide information on the previous and next names in a chain.
