
Can someone explain the DNSSEC NSEC3 output to me?

Çağlar Arlı

I'm trying to understand how NSEC and NSEC3 records work in DNSSEC. When I query for a non-existent domain which supports NSEC3, I get the following output:

    $ dig +dnssec NSEC3 gggg.icann.org. | grep -F "NSEC3" | grep -Fv "RRSIG NSEC3"

    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> +dnssec NSEC3 gggg.icann.org.icann.org.
    ;gggg.icann.org.icann.org.  IN  NSEC3
    l6bdbf682dc45lv4vrfmrfnithopmvm0.icann.org. 3599 IN NSEC3 1 0 5 9974AA028A677BF0 L6CPA6V9R9563KMQT2NF2NL4BE1DPO3U 
    dggsrhgbge97oj2ltjnpkieb951c9dsq.icann.org. 3599 IN NSEC3 1 0 5 9974AA028A677BF0 DGP62KNMI7ESBJ8BEKD60CEF9T7EUCO4 A RRSIG
    fke7dkh6es15igh27a4tl1fic0ukppkp.icann.org. 3599 IN NSEC3 1 0 5 9974AA028A677BF0 FKGU9H93DI168B3MQ3VK7VHTPNN67GA0 A RRSIG

My question is, why are there 3 NSEC3 records in the response? In case of NSEC I only get one NSEC record in response.
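An added example, not part of the original post: under RFC 5155 a name-error response carries a closest-encloser proof, in which one NSEC3 record matches the closest existing ancestor and others cover the next-closer name and the wildcard below that ancestor, so up to three records can appear. The Python below computes the NSEC3 hash with the salt and iteration count from the output above and reports which pasted record matches or covers each candidate name. The function names are my own, and the query name is taken from the question section of the pasted output.

```python
import base64
import hashlib

# Map the standard base32 alphabet onto base32hex (RFC 4648), which NSEC3 uses.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: iterated SHA-1 over lowercase wire-format name plus salt."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    wire = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # 'iterations' counts the extra rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

def relation(owner_hash, next_hash, h):
    """Return 'matches', 'covers' or None for hash h against one NSEC3 record."""
    owner_hash, next_hash = owner_hash.lower(), next_hash.lower()
    if h == owner_hash:
        return "matches"
    if owner_hash < next_hash:
        return "covers" if owner_hash < h < next_hash else None
    # The last record in the chain wraps around to the first hash.
    return "covers" if h > owner_hash or h < next_hash else None

def explain(qname, zone, salt_hex, iterations, records):
    """Map each ancestor/wildcard candidate of qname to the record proving it."""
    q, z = qname.rstrip(".").split("."), zone.rstrip(".").split(".")
    names = [".".join(q[i:]) for i in range(len(q) - len(z), -1, -1)]
    names += ["*." + n for n in names[:-1]]   # wildcard under each ancestor
    out = {}
    for n in names:
        h = nsec3_hash(n, salt_hex, iterations)
        for owner, nxt in records:
            rel = relation(owner, nxt, h)
            if rel:
                out[n] = (rel, owner)
    return out

# Owner-hash label and next-hash field of the three records pasted above.
RECORDS = [
    ("l6bdbf682dc45lv4vrfmrfnithopmvm0", "L6CPA6V9R9563KMQT2NF2NL4BE1DPO3U"),
    ("dggsrhgbge97oj2ltjnpkieb951c9dsq", "DGP62KNMI7ESBJ8BEKD60CEF9T7EUCO4"),
    ("fke7dkh6es15igh27a4tl1fic0ukppkp", "FKGU9H93DI168B3MQ3VK7VHTPNN67GA0"),
]

if __name__ == "__main__":
    proof = explain("gggg.icann.org.icann.org", "icann.org", "9974AA028A677BF0", 5, RECORDS)
    for name, (rel, owner) in proof.items():
        print(f"{owner} {rel} {name}")
```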