NSEC3 support
As explained in our blog ↗, Cloudflare's implementation of negative answers with NSEC is protected against zone walking1. This implementation removes the need for NSEC3 and has been proposed as an IETF standard ↗.
However, if you must use NSEC3 for compliance reasons, you can enable it as explained below.
Use the Edit DNSSEC Status endpoint, setting status to active and dnssec_use_nsec3 to true. You should replace the values started by $ with your zone ID and authentication credentials. To learn more about using the Cloudflare API, refer to Fundamentals.
Required API token permissions
 
At least one of the following token permissions 
is required:
- DNS Write
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dnssec" \  --request PATCH \  --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \  --header "X-Auth-Key: $CLOUDFLARE_API_KEY" \  --json '{    "dnssec_use_nsec3": true,    "status": "active"  }'If you use Cloudflare as a secondary DNS provider with pre-signed DNSSEC, setting dnssec_use_nsec3 to true means that Cloudflare will use NSEC3 records as transferred in from your primary DNS provider.
Otherwise, NSEC3 records will be generated and signed at request time.
To validate that NSEC3 is being used, consider the following scenarios:
A command like the following would trigger a signed negative response using NSEC3 for proof of non-existence. Look for NSEC3 records under the Authority Section of the response.
dig +dnssec doesnotexist.example.comIf the name www exists but the type TXT does not, the example below would trigger a signed NODATA response using NSEC3. Look for NSEC3 records under the Authority Section of the response.
dig +dnssec www.example.com TXTNSEC3 is only available for zones on the Enterprise plan.
- 
A method where an attacker exploits NSEC negative answers to obtain all names in a given zone. This is possible when such negative answers provide information on the previous and next names in a chain. ↩ 
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark