DNS Checker(beta)

NSEC / NSEC3

DNSSEC records that prove a name or record type does not exist, without leaking the full contents of the zone.

DNSSEC needs a way to prove a negative: "this name really does not exist" or "this type really is not present at this name." NSEC records do this by listing, for each existing owner name, the next existing name in canonical order (plus a bitmap of the types present at the owner), so a resolver can verify that the queried name falls in a gap between two signed names. Because every NSEC record names the next owner, a client can walk the chain and enumerate every name in the zone, which operators consider a privacy leak. NSEC3 hashes the owner names before chaining them, but the protection is weak for small zones: the hash set can be cracked offline with rainbow tables or brute force in minutes. RFC 9276 (2022) accordingly recommends 0 extra iterations and no salt, and many operators have moved to compact denial-of-existence or online signing instead of NSEC3 opt-out for new deployments.
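The following Python is an added example, not code from this page or from any DNS software. It builds the NSEC ring for a small constructed zone, runs the validator-side "does the queried name fall in a gap" check (including the empty non-terminal edge case), and computes NSEC3 owner hashes as defined in RFC 5155, defaulting to the RFC 9276 parameters (no salt, 0 additional iterations). The zone contents and all function names are assumptions chosen for illustration.

```python
import base64
import hashlib

# Constructed sample zone (not a real one): owner name -> RR types present.
# a.internal.example.com. makes internal.example.com. an empty non-terminal.
ZONE = {
    "example.com.": {"SOA", "NS", "DNSKEY", "MX"},
    "mail.example.com.": {"A"},
    "www.example.com.": {"A", "AAAA"},
    "a.internal.example.com.": {"A"},
}


def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical order: labels are compared
    from the root leftwards, case-insensitively, byte by byte, and a name that
    is a prefix of another (an ancestor) sorts first."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def build_nsec_chain(zone):
    """Return (owner, next owner, types) triples in canonical order. The last
    record points back to the apex, so the chain is a ring and every gap
    between two existing names is covered by exactly one record."""
    names = sorted(zone, key=canonical_key)
    chain = []
    for i, owner in enumerate(names):
        types = sorted(zone[owner] | {"RRSIG", "NSEC"})
        chain.append((owner, names[(i + 1) % len(names)], types))
    return chain


def covering_nsec(chain, qname):
    """Validator-side check for a name at or below the apex: return the NSEC
    record that proves qname does not exist, or None if the name exists,
    either as an owner (its type bitmap then answers the query) or as an
    empty non-terminal sitting above an owner."""
    q = canonical_key(qname)
    for owner, nxt, types in chain:
        o, n = canonical_key(owner), canonical_key(nxt)
        if o == q:
            return None
        # Ordinary record: owner < next. Wrap-around record: next (apex) <= owner.
        in_gap = (o < q < n) if o < n else (q > o or q < n)
        if in_gap:
            if n[: len(q)] == q:  # qname is an ancestor of the next owner
                return None       # so it exists as an empty non-terminal
            return (owner, nxt, types)
    return None


_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5 hash: SHA-1 over the lowercase wire-format owner name
    with the salt appended, re-hashed `iterations` more times (salt appended
    each round), then base32hex-encoded. Defaults follow RFC 9276."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode().lower()


def with_empty_non_terminals(zone):
    """NSEC3 chains must also carry a record for each empty non-terminal
    (RFC 5155), so synthesise every intermediate name between an owner and
    the apex before hashing."""
    apex_depth = min(len(canonical_key(n)) for n in zone)
    names = set(zone)
    for name in zone:
        labels = name.rstrip(".").split(".")
        for i in range(1, len(labels) - apex_depth):
            names.add(".".join(labels[i:]) + ".")
    return names


def build_nsec3_chain(zone, salt=b"", iterations=0):
    """Return (hash, next hash, original owner) triples ordered by hash. A
    validator only ever sees the hashes; the owner is kept so the reader can
    relate the hashed ring back to the plaintext zone."""
    hashed = sorted((nsec3_hash(n, salt, iterations), n)
                    for n in with_empty_non_terminals(zone))
    return [(h, hashed[(i + 1) % len(hashed)][0], n)
            for i, (h, n) in enumerate(hashed)]


if __name__ == "__main__":
    chain = build_nsec_chain(ZONE)
    for owner, nxt, types in chain:
        print(f"{owner:26} NSEC {nxt} {' '.join(types)}")
    print("proof for ftp.example.com.:", covering_nsec(chain, "ftp.example.com."))
    for h, nxt, owner in build_nsec3_chain(ZONE):
        print(f"{h} -> {nxt}  ({owner})")
```

The NSEC ring printed by the script makes the enumeration problem visible: each record's "next owner" field is the next plaintext name. The NSEC3 ring only exposes hashes, but because base32hex preserves numeric order, a validator can still place a queried name's hash between two neighbours. The `nsec3_hash` function reproduces the RFC 5155 Appendix A parameters (salt `aabbccdd`, 12 iterations) when asked, which is a convenient way to confirm the implementation against that document.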
