Enable NSEC3
As explained in our blog, Cloudflare's implementation of negative answers with NSEC is protected against zone walking[1]. This implementation removes the need for NSEC3 and has been proposed as an IETF standard.
However, if you must use NSEC3 for compliance reasons, you can enable it as explained below.
Use the Edit DNSSEC Status endpoint, setting `status` to `active` and `dnssec_use_nsec3` to `true`. Replace the values starting with `$` with your zone ID and API token. To learn more about using the Cloudflare API, refer to Fundamentals.
```sh
curl --request PATCH \
  "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dnssec" \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --header "Content-Type: application/json" \
  --data '{"dnssec_use_nsec3": true, "status": "active"}'
```
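The same change as a small script, added here as an example that is not part of the Cloudflare documentation: it sends the PATCH above, then reads the zone's DNSSEC details back with a GET on the same endpoint and confirms that `dnssec_use_nsec3` is reported as `true`, so a compliance check can rely on the observed state rather than on the request having been sent. The `SAMPLE_RESPONSE` is a constructed envelope in the shape of Cloudflare's API responses, not captured output; the exact set of fields in the live `result` object is an assumption.

```python
import json
import os
import urllib.request
from typing import Callable, Optional

API_BASE = "https://api.cloudflare.com/client/v4"


def nsec3_payload(enable: bool = True) -> dict:
    """Body for PATCH /zones/{zone_id}/dnssec: keep DNSSEC active and set NSEC3."""
    return {"status": "active", "dnssec_use_nsec3": enable}


def dnssec_request(zone_id: str, token: str, method: str = "GET",
                   body: Optional[dict] = None) -> urllib.request.Request:
    """Build an authenticated request against the zone's DNSSEC endpoint.

    The token is sent as a bearer token; it is never placed in the URL or logged.
    """
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(f"{API_BASE}/zones/{zone_id}/dnssec",
                                 data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    return req


def nsec3_state(api_response: dict) -> Optional[bool]:
    """Extract dnssec_use_nsec3 from a Cloudflare API envelope.

    Raises if the API reported failure so a silent 'not enabled' cannot be
    mistaken for a successful change.
    """
    if not api_response.get("success"):
        raise RuntimeError(f"Cloudflare API error: {api_response.get('errors')}")
    result = api_response.get("result") or {}
    # Field name as used in the PATCH body; assumed to be echoed in the result.
    return result.get("dnssec_use_nsec3")


def enable_nsec3(zone_id: str, token: str,
                 opener: Callable = urllib.request.urlopen) -> bool:
    """Enable NSEC3 and verify it by re-reading the zone's DNSSEC details."""
    with opener(dnssec_request(zone_id, token, "PATCH", nsec3_payload(True))) as resp:
        patched = json.load(resp)
    if nsec3_state(patched) is not True:
        raise RuntimeError("PATCH accepted but NSEC3 not reported as enabled")
    # Independent read-back: the GET is the state a later audit would see.
    with opener(dnssec_request(zone_id, token)) as resp:
        current = json.load(resp)
    return nsec3_state(current) is True


# Constructed sample response (not captured from the API) used for offline checks.
SAMPLE_RESPONSE = {
    "success": True,
    "errors": [],
    "messages": [],
    "result": {"status": "active", "dnssec_use_nsec3": True},
}

if __name__ == "__main__":
    # Zone ID and token come from the environment, mirroring $ZONE_ID and
    # $CLOUDFLARE_API_TOKEN in the curl command.
    ok = enable_nsec3(os.environ["ZONE_ID"], os.environ["CLOUDFLARE_API_TOKEN"])
    print("NSEC3 enabled and verified" if ok else "NSEC3 not enabled")
```

Run it with `ZONE_ID` and `CLOUDFLARE_API_TOKEN` exported; the token needs DNS edit permission on the zone. Because `enable_nsec3` takes the opener as a parameter, the PATCH and GET can be exercised against canned responses in a test without touching the network.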
[1] A method where an attacker exploits NSEC negative answers to obtain all names in a given zone. This is possible when such negative answers provide information on the previous and next names in a chain.
2025 Cloudflare, Inc.