NSEC Walkability
Endpoint: v1/dns/nsec-walkability
Assesses whether a DNSSEC-signed zone is vulnerable to zone walking (full enumeration of record names) by analyzing NSEC3PARAM configuration per RFC 5155 and RFC 9276. Extends the dns-dnssec check with an explicit walkability risk grade so security teams can quantify enumeration exposure without needing to interpret raw DNSSEC parameters.
What It Does
Queries the NSEC3PARAM record at the zone apex via DNS-over-HTTPS. Parses algorithm, flags (including opt-out bit), iteration count, and salt. Returns a risk grade of walkable (no NSEC3 — full enumeration possible), partial (NSEC3 present but weak parameters such as zero iterations with empty salt, or opt-out enabled exposing unsigned delegations), or mitigated (salt present and parameters within RFC 9276 recommended bounds). Also reports whether the zone uses NSEC (fully walkable) or NSEC3.
Why It's Useful
NSEC walking lets attackers enumerate every name in a DNSSEC-signed zone — exposing staging servers, internal subdomains, and attack surface that zone operators assumed was private. RFC 9276 (2022) recommends iteration count 0 and discourages opt-out. This endpoint grades a zone against those recommendations without requiring manual DNSSEC parameter interpretation.
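The grading rules described above, as an added illustration rather than the endpoint's own implementation: it parses an NSEC3PARAM record in presentation format and applies the walkable / partial / mitigated logic. The iteration ceiling of 100 is an assumption about where "within RFC 9276 recommended bounds" is drawn (RFC 9276 has validators treat NSEC3 with more than 100 iterations as insecure); the record strings are constructed samples.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed ceiling for "within RFC 9276 bounds": validators treat more than
# 100 iterations as insecure, so anything above that is graded partial here.
MAX_ITERATIONS = 100


@dataclass
class Nsec3Param:
    algorithm: int   # 1 = SHA-1, the only hash algorithm RFC 5155 defines
    flags: int
    iterations: int
    salt: str        # lowercase hex digits, "" when the record carries "-"

    @property
    def opt_out(self) -> bool:
        return bool(self.flags & 0x01)   # opt-out is bit 0 of the flags field


def parse_nsec3param(rdata: str) -> Nsec3Param:
    """Parse presentation format '<alg> <flags> <iterations> <salt|->'."""
    fields = rdata.split()
    if len(fields) != 4:
        raise ValueError(f"NSEC3PARAM needs 4 fields: {rdata!r}")
    alg, flags, iters, salt = fields
    salt = "" if salt == "-" else salt.lower()
    if len(salt) % 2 or any(c not in "0123456789abcdef" for c in salt):
        raise ValueError(f"salt is not valid hex: {salt!r}")
    return Nsec3Param(int(alg), int(flags), int(iters), salt)


def grade_walkability(nsec3param: Optional[str]) -> dict:
    """Grade a signed zone; None means no NSEC3PARAM, i.e. legacy NSEC."""
    if nsec3param is None:
        return {"risk": "walkable", "uses_nsec3": False, "opt_out": False,
                "findings": ["NSEC chain: every owner name can be enumerated"],
                "recommendations": ["re-sign the zone with NSEC3 and a salt"]}
    p = parse_nsec3param(nsec3param)
    findings, recs = [], []
    if p.opt_out:
        findings.append("opt-out set: unsigned delegations are exposed")
        recs.append("clear the opt-out flag")
    if not p.salt:   # the page requires a salt for the mitigated grade
        findings.append("empty salt" + (" with zero iterations" if p.iterations == 0 else ""))
        recs.append("configure a salt")
    if p.iterations > MAX_ITERATIONS:
        findings.append(f"{p.iterations} iterations exceeds the {MAX_ITERATIONS} bound")
    if p.iterations:
        recs.append("set iterations to 0 (RFC 9276)")
    return {"risk": "partial" if findings else "mitigated", "uses_nsec3": True,
            "opt_out": p.opt_out, "findings": findings, "recommendations": recs}
```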
Use Cases
DNSSEC Configuration Audit
Audit DNSSEC-signed zones to ensure they use NSEC3 with RFC 9276-compliant parameters and do not expose staging or internal subdomain names to enumeration.
Catch walkable zones before attackers enumerate your DNS-hidden attack surface.
Zone Migration Validation
After migrating to a new DNS provider, verify NSEC3PARAM is correctly set with salt and reasonable iteration count (0 per RFC 9276).
Prevent accidental regressions from NSEC3 (salted) back to NSEC (fully walkable).
Red Team Pre-Engagement
Identify zones vulnerable to walking as a reconnaissance step — walkable zones surface subdomain inventory without active probing.
Prioritize targets with weak NSEC3PARAM configuration during engagement scoping.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The zone apex to assess (e.g., example.com). Example: example.com |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The queried zone apex |
| dnssec_signed | boolean | Whether the zone is DNSSEC-signed (NSEC or NSEC3 present) |
| uses_nsec3 | boolean | Whether the zone uses NSEC3 (true) or legacy NSEC (false) |
| nsec3param | object | Parsed NSEC3PARAM: algorithm, flags, iterations, salt |
| opt_out | boolean | Whether the opt-out flag is set (exposes unsigned delegations) |
| risk | string | Walkability risk grade: walkable, partial, mitigated |
| findings | array | Human-readable findings with severity |
| recommendations | array | Remediation steps to reach mitigated status |
Code Examples
cURL

```bash
# --get sends domain as a query parameter (GET), matching the other examples;
# without it curl would POST the data instead.
curl --get "https://api.edgedns.dev/v1/dns/nsec-walkability" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=example.com"
```

JavaScript

```javascript
const response = await fetch(
  'https://api.edgedns.dev/v1/dns/nsec-walkability?domain=example.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
const data = await response.json();
console.log(data);
```

Python

```python
import requests

response = requests.get(
    'https://api.edgedns.dev/v1/dns/nsec-walkability',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'domain': 'example.com'
    }
)
data = response.json()
print(data)
```