NSEC3 Hash Calculator
Calculate NSEC3 owner hashes for a name given salt, iterations, and algorithm, showing the hashed owner FQDN for DNSSEC authenticated denial of existence.
NSEC3 Purpose
NSEC3 provides authenticated denial of existence for DNS records while preventing zone enumeration. The hash function obscures the actual domain names in the zone, making it difficult for attackers to discover all records through zone walking.
Security Considerations
Use sufficient iterations (10-100) and a random salt to resist offline dictionary attacks. Higher iteration counts increase CPU usage during validation. The salt should be randomly generated and periodically changed during zone re-signing.
Implementation Notes
NSEC3 hashes are calculated by iteratively applying SHA-1 to the concatenation of the domain name (in wire format) and salt. The resulting hash is encoded in Base32 without padding and used as the owner name for NSEC3 records.
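The calculation described above, as an added Python example (not this calculator's own code): the first round hashes the wire-format name followed by the salt, each additional iteration hashes the previous digest followed by the salt, and the result is encoded with the Base32 "extended hex" alphabet that RFC 5155 specifies. The function names are assumptions of this example, the sample input is the RFC 5155 Appendix A zone (`example`, salt `aabbccdd`, 12 iterations), and escaped characters inside labels are not handled.

```python
import base64
import hashlib

# Translate the standard Base32 alphabet to the "extended hex" alphabet
# (RFC 4648 section 7), which preserves sort order of the hashed names.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)

def name_to_wire(name: str) -> bytes:
    """Canonical wire format: lowercased, length-prefixed labels, root byte."""
    name = name.rstrip(".").lower()
    wire = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"invalid label length in {name!r}")
        wire += bytes([len(raw)]) + raw
    wire += b"\x00"
    if len(wire) > 255:
        raise ValueError("name exceeds 255 octets")
    return wire

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """SHA-1 NSEC3 hash (algorithm 1); '-' or '' means an empty salt."""
    if not 0 <= iterations <= 0xFFFF:
        raise ValueError("iterations must fit in 16 bits")
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    if len(salt) > 255:
        raise ValueError("salt exceeds 255 octets")
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    # 'iterations' counts the ADDITIONAL rounds after the first hash.
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 160 bits is exactly 32 Base32 characters, so no padding is produced.
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode().lower()

def nsec3_owner(name: str, zone: str, salt_hex: str, iterations: int) -> str:
    """Hashed owner FQDN: <hash>.<zone>."""
    return f"{nsec3_hash(name, salt_hex, iterations)}.{zone.rstrip('.').lower()}."

if __name__ == "__main__":
    # Sample input: parameters of the RFC 5155 Appendix A example zone.
    for owner in ("example", "a.example"):
        print(owner, "->", nsec3_owner(owner, "example", "aabbccdd", 12))
```

Because the name is lowercased before hashing, `A.Example.` and `a.example` produce the same owner hash.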
Performance Impact
Higher iteration counts provide better security but increase validation time. Consider server capacity and client timeout requirements when choosing iteration values. Typical values range from 5-150 iterations depending on security needs.