When a name server receives a request for a domain name that does not exist in a zone, it sends an authenticated negative response in the form of an NSEC or NSEC3 RR. NSEC and NSEC3 records contain the next secure domain name in the zone and list the RR types present at the NSEC or NSEC3 RR’s owner name. The difference between NSEC and NSEC3 RRs is that the owner name of an NSEC3 RR is a cryptographic hash of the original owner name, prepended to the name of the zone. NSEC3 RRs protect against zone enumeration.
The NSEC3 resource record is described in RFC 5155.
NSEC3 records are automatically generated during signing of the corresponding zone.
The name part of a DNS NSEC3 object reference has the following components:
- The name of the record.
- The name of the view.
Example: record:nsec3/ZG5zLmJpsaG9zdA:us.example.com/default.external
References to record:nsec3 are object references.
The object does not support the following operations:
The object cannot be managed on Cloud Platform members.
These fields are actual members of the object; thus, they can be requested by using _return_fields, if the fields are readable.
The basic version of the object contains the field(s): name, view.
algorithm
The hash algorithm that was used.
Type
String.
Search
The field is available for search via '=' (exact equality).
Notes
The algorithm cannot be updated.
algorithm cannot be written.
cloud_info
Structure containing all cloud API related information for this object.
Type
A Cloud Information struct.
Search
The field is not available for search.
Notes
The cloud_info cannot be updated.
cloud_info cannot be written.
creation_time
The creation time of the record.
Type
Timestamp.
Search
The field is not available for search.
Notes
The creation_time cannot be updated.
creation_time cannot be written.
creator
Creator of the record.
Type
String.
Search
The field is available for search via '=' (exact equality).
Notes
The creator cannot be updated.
creator cannot be written.
dns_name
Name for an NSEC3 record in punycode format.
Type
String.
Values with leading or trailing white space are not valid for this field.
Search
The field is not available for search.
Notes
The dns_name cannot be updated.
dns_name cannot be written.
flags
The set of 8 one-bit flags, of which only one flag, the Opt-Out flag, is defined by RFC 5155. The Opt-Out flag indicates whether the NSEC3 record covers unsigned delegations.
Type
Unsigned integer.
Search
The field is available for search via '<' (less than), '=' (exact equality) and '>' (greater than).
Notes
The flags cannot be updated.
flags cannot be written.
iterations
The number of times the hash function was performed.
Type
Unsigned integer.
Search
The field is available for search via '<' (less than), '=' (exact equality) and '>' (greater than).
Notes
The iterations cannot be updated.
iterations cannot be written.
last_queried
The time of the last DNS query in Epoch seconds format.
Type
Timestamp.
Search
The field is not available for search.
Notes
The last_queried cannot be updated.
last_queried cannot be written.
name
The name of the NSEC3 record in FQDN format.
Type
String.
Search
The field is available for search via ':=' (case-insensitive search), '=' (exact equality) and '~=' (regular expression).
Notes
The name is part of the base object.
The name cannot be updated.
name cannot be written.
next_owner_name
The hashed next owner name that has authoritative data or that contains a delegation point NS record.
Type
String.
Search
The field is not available for search.
Notes
The next_owner_name cannot be updated.
next_owner_name cannot be written.
rrset_types
The RRSet types that exist at the original owner name of the NSEC3 RR.
Type
String array.
Search
The field is not available for search.
Notes
The rrset_types cannot be updated.
rrset_types cannot be written.
salt
A series of case-insensitive hexadecimal digits. It is appended to the original owner name as protection against pre-calculated dictionary attacks. A new salt value is generated when the ZSK rolls over; you can control the period of the rollover. For random salt values, the selected length is between one and 15 octets.
Type
String.
Search
The field is not available for search.
Notes
The salt cannot be updated.
salt cannot be written.
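The hashing described in the introduction and the flags, iterations, salt and next_owner_name fields above, as an added Python example (not Infoblox code and not part of this reference): it derives the RFC 5155 hashed owner name of a domain name and checks whether a queried name is matched or covered by one NSEC3 record, including the wrap-around gap of the zone's last record. It assumes a dictionary shaped like this object's fields, with next_owner_name holding a bare base32hex label, and uses values from the RFC 5155 Appendix A test zone.

```python
import base64
import hashlib

# base32 (RFC 4648) -> base32hex, the encoding RFC 5155 uses for hashed owner
# names; base32hex preserves byte order, so hashed labels compare as strings.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

# Constructed sample shaped like the record:nsec3 fields above, with values from
# the RFC 5155 Appendix A test zone (not from a live appliance). ASSUMPTION:
# next_owner_name is the bare base32hex label; an FQDN also works (first label).
SAMPLE_NSEC3 = {
    "name": "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example",
    "flags": 1,              # bit 0 = Opt-Out, the only flag RFC 5155 defines
    "iterations": 12,
    "salt": "aabbccdd",      # hex digits, as in the salt field
    "next_owner_name": "2t7b4g4vsa5smi47k61mv5bv1a22bojr",
}

def _wire_name(name: str) -> bytes:
    """Canonical wire form (lowercase, uncompressed) of a domain name."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 s.5: H(name || salt), re-hashed `iterations` more times with the
    salt, then base32hex. Only algorithm 1 (SHA-1) is defined, so only SHA-1."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(_wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii").rstrip("=")

def hash_in_gap(owner: str, next_owner: str, h: str) -> bool:
    """True if h lies strictly between owner and next_owner in the hash chain.
    The zone's last NSEC3 points back to its first, so that gap wraps around."""
    if owner < next_owner:
        return owner < h < next_owner
    return h > owner or h < next_owner

def classify(record: dict, qname: str) -> str:
    """'match': qname exists (NODATA case); 'covered': this record proves qname
    does not exist; 'not_covered': a different NSEC3 in the zone is needed."""
    h = nsec3_hash(qname, record["salt"], record["iterations"])
    owner = record["name"].lower().split(".")[0]
    next_owner = record["next_owner_name"].lower().split(".")[0]
    if h == owner:
        return "match"
    return "covered" if hash_in_gap(owner, next_owner, h) else "not_covered"

def opt_out(record: dict) -> bool:
    """Opt-Out set: unsigned delegations in the gap are not proven absent."""
    return bool(record["flags"] & 0x01)
```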
ttl
The Time To Live (TTL) value for the record. A 32-bit unsigned integer that represents the duration, in seconds, for which the record is valid (cached). Zero indicates that the record should not be cached.
Type
Unsigned integer.
Search
The field is not available for search.
Notes
ttl is associated with the field use_ttl (see use flag).
The ttl cannot be updated.
ttl cannot be written.
use_ttl
Use flag for: ttl
Type
Bool.
Search
The field is not available for search.
Notes
The use_ttl cannot be updated.
use_ttl cannot be written.
view
The name of the DNS View in which the record resides. Example: “external”.
Type
String.
Values with leading or trailing white space are not valid for this field.
Search
The field is available for search via '=' (exact equality).
Notes
The view is part of the base object.
The view cannot be updated.
view cannot be written.
zone
The name of the zone in which the record resides. Example: “zone.com”. If a view is not specified when searching by zone, the default view is used.
Type
String.
Values with leading or trailing white space are not valid for this field.
Search
The field is available for search via '=' (exact equality).
Notes
The zone cannot be updated.
zone cannot be written.
Field | Type | Req | R/O | Base | Search
---|---|---|---|---|---
algorithm | String | N | Y | N | =
cloud_info | struct | N | Y | N | N/A
creation_time | Timestamp | N | Y | N | N/A
creator | String | N | Y | N | =
dns_name | String | N | Y | N | N/A
flags | Unsigned int | N | Y | N | <, =, >
iterations | Unsigned int | N | Y | N | <, =, >
last_queried | Timestamp | N | Y | N | N/A
name | String | N | Y | Y | :=, =, ~=
next_owner_name | String | N | Y | N | N/A
rrset_types | [String] | N | Y | N | N/A
salt | String | N | Y | N | N/A
ttl | Unsigned int | N | Y | N | N/A
use_ttl | Bool | N | Y | N | N/A
view | String | N | Y | Y | =
zone | String | N | Y | N | =