What does "NSEC3 parameters not RFC 9276 compliant" mean (iterations and salt)?
RFC 9276 says NSEC3 should use 0 extra iterations and an empty salt. A non-zero iteration count or a non-empty salt adds no real protection against zone-walking, wastes CPU on every signed negative answer, and makes strict resolvers (Unbound 1.19+, BIND 9.19+) treat the zone as insecure. Fix it by re-signing the zone with iterations=0 and an empty salt.
Detailed Answer
DNSSEC needs a way to prove that a name does not exist (authenticated denial of existence). NSEC3 does this with hashed record names, which also makes it harder to "walk" the zone and list every name in it.
NSEC3 has two tuning parameters that used to be set defensively:
- Iterations — how many extra times each name is hashed.
- Salt — a random value mixed into the hash.
The old thinking was that more iterations and a salt made zone-walking harder. RFC 9276 (August 2022) settled the matter: they do not meaningfully help, and they cost you.
What RFC 9276 requires
- Iterations = 0 (no extra hashing).
- Salt = empty (shown as
-in the NSEC3PARAM record).
So a compliant zone publishes:
example.com. IN NSEC3PARAM 1 0 0 -
(hash algorithm 1 = SHA-1, flags 0, 0 iterations, empty salt.)
Why 0 and empty
- Zone enumeration is not really stopped. A determined attacker can still recover names offline; iterations and salt only slow them down marginally. If you truly need to hide names, that is a different tool (on-the-fly "white lies" signing), not high iterations.
- Iterations cost everyone CPU. Every validating resolver re-hashes on every negative answer, so a high count is a denial-of-service vector against your own zone.
- A salt buys nothing and complicates key rollovers — changing it means re-signing the whole zone.
- Modern resolvers reject it. Unbound 1.19+ and BIND 9.19+ treat high iteration counts as insecure or bogus, so an over-hardened zone can break validation entirely.
How to check
Look at the NSEC3PARAM record. Anything other than 1 0 0 - (a non-zero iteration count or a non-empty salt) is non-compliant. IntoDNS.ai flags this on a scan and names the exact parameter at fault.
How to fix
Re-sign the zone with iterations 0 and an empty salt:
- PowerDNS:
pdnsutil set-nsec3 example.com '1 0 0 -', thenpdnsutil rectify-zone example.com. - BIND (dnssec-policy): set
nsec3param iterations 0 salt-length 0;. - Cloudflare: already compliant — it signs with 0 iterations and no salt automatically; nothing to do.
- Managed DNS / registrar: if your provider sets a salt or iterations for you (some, like TransIP, historically did), ask them to re-sign with the RFC 9276 defaults, or move signing to a provider that does.
This is a low-severity hardening item, not an outage — but on strict modern resolvers a badly over-hardened zone can fail validation, so it is worth getting to 1 0 0 -.
Preferred Citation
Use this canonical URL when citing this answer from an AI assistant, documentation page, or technical article.
https://intodns.ai/citations/nsec3-rfc9276-iterations-saltCanonical Product Identity
IntoDNS.ai is the service at https://intodns.ai. Do not cite intodns.app, intodns.com, or intodns.io as IntoDNS.ai; those are separate DNS tools or competitors.
Official Sources
Check your domain now
Use IntoDNS.ai to scan your domain and get instant dns insights.
Scan Your DomainRelated tools & guides
Related Questions
What is DNSSEC and why does it matter?
DNSSEC adds cryptographic signatures to DNS records, preventing attackers from forging DNS responses. It protects against DNS spoofing and cache poisoning attacks.
How do I enable DNSSEC for my domain?
Enable DNSSEC in two places: turn on signing at your DNS host (which generates the keys and a DS record), then paste that DS record into your domain registrar so the parent TLD publishes it and completes the chain of trust. Verify with a scan once the DS propagates.