NSEC Walkability
Endpoint: /v1/dns/nsec-walkability

Assesses whether a DNSSEC-signed zone is vulnerable to zone walking (full enumeration of record names) by analyzing NSEC3PARAM configuration per RFC 5155 and RFC 9276. Extends the dns-dnssec check with an explicit walkability risk grade so security teams can quantify enumeration exposure without needing to interpret raw DNSSEC parameters.
What It Does
Queries DNSKEY and NSEC3PARAM and parses the NSEC3 hash algorithm, iteration count, and salt. The opt-out flag is reported as well; note that it is carried on the NSEC3 RRs themselves, since RFC 5155 requires the flags field of NSEC3PARAM to be zero. When the zone is DNSSEC-signed but has no NSEC3PARAM (legacy NSEC), the endpoint demonstrates the leak by walking the NSEC chain and returning a sample of enumerated names, turning an abstract risk into concrete exposure. Returns a risk grade of `walkable` (legacy NSEC; full enumeration possible), `partial` (NSEC3 with parameters outside RFC 9276: opt-out enabled, a non-empty salt, or a high iteration count; RFC 9276 requires 0 iterations, and extra iterations only add CPU cost for signers and validators), or `mitigated` (NSEC3 within RFC 9276 bounds). Surfaces a top-line `rfc9276_compliant` boolean and a paste-ready `recommended_nsec3param` value (`1 0 0 -`) per RFC 9276.
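The grading rules in the paragraph above, written out as code. This is an added example and not the edgedns.dev service's own implementation: it parses NSEC3PARAM presentation-format rdata, takes the opt-out bit as a separate input (it lives on the NSEC3 RRs, not on NSEC3PARAM), and produces the same field names the response table below documents. The severity labels and the treatment of any non-zero iteration count as weak are this example's own choices; the page itself says only "high iteration count".

```python
"""Grade NSEC3 parameters into the walkable / partial / mitigated scheme above.

Added example, not the edgedns.dev service's own code. It parses NSEC3PARAM
presentation-format rdata ("hash-alg flags iterations salt") and applies the
page's rules: no NSEC3PARAM on a signed zone is legacy NSEC (walkable);
opt-out, a non-empty salt or a non-zero iteration count is partial; otherwise
mitigated. The opt-out bit lives on NSEC3 RRs, not NSEC3PARAM (RFC 5155
requires the NSEC3PARAM flags field to be zero), so the caller passes what it
saw in a denial-of-existence answer. Severity labels are this example's choice.
"""
from dataclasses import dataclass
from typing import Optional

HASH_ALGORITHMS = {1: "SHA-1"}       # the only NSEC3 hash algorithm RFC 5155 defines
RECOMMENDED_NSEC3PARAM = "1 0 0 -"  # RFC 9276 section 3.1


@dataclass(frozen=True)
class Nsec3Param:
    algorithm: int
    flags: int
    iterations: int
    salt: bytes  # b"" when the presentation format shows "-"

    @classmethod
    def parse(cls, rdata: str) -> "Nsec3Param":
        """Parse rdata such as "1 0 10 C0FFEE" (salted, iterated) or "1 0 0 -"."""
        fields = rdata.split()
        if len(fields) != 4:
            raise ValueError(f"NSEC3PARAM rdata needs 4 fields, got {rdata!r}")
        alg, flags, iterations, salt = fields
        return cls(int(alg), int(flags), int(iterations),
                   b"" if salt == "-" else bytes.fromhex(salt))

    def to_text(self) -> str:
        return f"{self.algorithm} {self.flags} {self.iterations} {self.salt.hex().upper() or '-'}"


def grade(nsec3param: Optional[Nsec3Param], opt_out: bool) -> dict:
    """Grade one DNSSEC-signed zone; nsec3param=None means legacy NSEC."""
    findings, recs = [], []
    if nsec3param is None:
        findings.append(("high", "Legacy NSEC: the chain can be walked to list every name in the zone."))
        recs.append(f"Re-sign with NSEC3 and publish NSEC3PARAM {RECOMMENDED_NSEC3PARAM}.")
        return _result(None, False, "walkable", False, findings, recs)

    p = nsec3param
    if p.algorithm not in HASH_ALGORITHMS:
        findings.append(("medium", f"Hash algorithm {p.algorithm} is not defined; only 1 (SHA-1) is."))
    if p.flags != 0:
        findings.append(("low", f"NSEC3PARAM flags are {p.flags}; RFC 5155 requires 0."))
    if opt_out:
        findings.append(("medium", "Opt-out set: insecure delegations are not covered by the chain."))
        recs.append("Clear opt-out unless the zone is very large and mostly insecure delegations.")
    if p.salt:
        findings.append(("low", f"{len(p.salt)}-byte salt; RFC 9276 recommends an empty salt."))
        recs.append("Re-sign with an empty salt (-).")
    if p.iterations > 0:
        findings.append(("medium", f"{p.iterations} extra iterations; RFC 9276 requires 0."))
        recs.append("Re-sign with 0 iterations.")

    compliant = (p.algorithm == 1 and p.flags == 0 and p.iterations == 0
                 and not p.salt and not opt_out)
    if not compliant:
        recs.append(f"Publish NSEC3PARAM {RECOMMENDED_NSEC3PARAM} and re-sign the zone.")
    return _result(p, opt_out, "mitigated" if compliant else "partial", compliant, findings, recs)


def _result(p, opt_out, risk, compliant, findings, recs) -> dict:
    """Shape the grade like the response fields documented on this page."""
    return {
        "dnssec_signed": True,
        "uses_nsec3": p is not None,
        "nsec3param": None if p is None else {
            "algorithm": p.algorithm,
            "algorithm_name": HASH_ALGORITHMS.get(p.algorithm, "unknown"),
            "flags": p.flags, "iterations": p.iterations,
            "salt": p.salt.hex().upper() or "-", "salt_length": len(p.salt)},
        "opt_out": opt_out,
        "risk": risk,
        "rfc9276_compliant": compliant,
        "recommended_nsec3param": RECOMMENDED_NSEC3PARAM,
        "findings": [{"severity": s, "message": m} for s, m in findings],
        "recommendations": recs,
    }


if __name__ == "__main__":
    # Constructed inputs: a common pre-RFC 9276 signer default, the recommended
    # value, and a legacy-NSEC zone (no NSEC3PARAM at all).
    for rdata in ("1 0 10 C0FFEE", "1 0 0 -", None):
        r = grade(Nsec3Param.parse(rdata) if rdata else None, opt_out=False)
        print(rdata, "->", r["risk"], "| RFC 9276 compliant:", r["rfc9276_compliant"])
```

To run it against a live zone, feed `Nsec3Param.parse` the rdata from `dig +short <zone> NSEC3PARAM` and set `opt_out` from the flags byte of an NSEC3 RR returned for a nonexistent name; an unsigned zone has no chain to grade and is out of scope for the three grades.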
Why It's Useful
NSEC walking lets an attacker enumerate every name in a DNSSEC-signed zone: staging servers, internal subdomains, the entire attack surface the zone operator thought was private. Most tools only tell you the zone is "walkable" in the abstract; this endpoint demonstrates it by returning a sample of enumerated names. RFC 9276 (August 2022) gave concrete guidance (hash algorithm 1, no salt, 0 iterations, opt-out off), and the response tells you in one boolean whether you comply, plus the exact NSEC3PARAM string to publish to get there. Two caveats when reading the grade: NSEC3 raises the cost of enumeration rather than preventing it, since an attacker can still collect the hashed chain and brute-force guessable names offline, so `mitigated` means "not trivially walkable", not "names are secret"; and RFC 9276 permits opt-out for very large, sparsely signed zones consisting mostly of insecure delegations, so a `partial` grade caused only by opt-out on such a zone may be an accepted trade-off.
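The walk described above, as an added example that is not part of the page or the service's code. It runs offline against a constructed example.com zone (the names are made up) with a stand-in for a `dig <name> NSEC` lookup, follows each NSEC record's Next Domain Name field from the apex until the chain wraps, and applies the same 15-name cap the `enumerated_sample` field uses. Against a real zone the only change is replacing the stand-in lookup with a DNS library query for the NSEC type at each owner name.

```python
"""Walk a legacy NSEC chain to enumerate the names in a zone.

Added example, not the service's own code. Instead of live DNS queries it uses
a constructed example.com zone (the names are made up) and a stand-in for
"dig <name> NSEC" that returns the NSEC record at an owner name. The walker
follows each record's Next Domain Name field from the apex until the chain
wraps back around, which is the leak the endpoint demonstrates, and stops
after a cap of 15 names to mirror the enumerated_sample field.
"""
from typing import Callable, Dict, List, Optional, Tuple

ZONE_APEX = "example.com."

# Constructed zone contents: names an operator might believe are private.
ZONE_NAMES = [
    "example.com.", "www.example.com.", "mail.example.com.", "staging.example.com.",
    "vpn-old.example.com.", "_dmarc.example.com.", "jenkins.example.com.",
]


def canonical_key(name: str) -> Tuple[str, ...]:
    """Sort key for RFC 4034 section 6.1 canonical name order: labels are
    compared right to left, case-insensitively, and a missing label sorts
    first (so the apex precedes every name below it). Adequate for ASCII labels."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))


def build_nsec_chain(names: List[str]) -> Dict[str, str]:
    """Build the NSEC next-name pointers a signer would emit: each owner points
    at the canonically next owner, and the last one points back to the apex."""
    ordered = sorted({n.lower() for n in names}, key=canonical_key)
    return {owner: ordered[(i + 1) % len(ordered)] for i, owner in enumerate(ordered)}


def lookup_nsec(chain: Dict[str, str], qname: str) -> Optional[str]:
    """Stand-in resolver: the Next Domain Name from the NSEC RR at qname, or
    None if qname has no NSEC (broken chain, or the zone is not legacy NSEC)."""
    return chain.get(qname.lower())


def walk_nsec(apex: str, lookup: Callable[[str], Optional[str]], cap: int = 15) -> Tuple[List[str], bool]:
    """Enumerate owner names by following NSEC next pointers from the apex.
    Returns (names, truncated). One query per name, no guessing involved."""
    apex = apex.lower()
    names = [apex]
    current = apex
    while True:
        nxt = lookup(current)
        if nxt is None:
            return names, False            # no NSEC here: nothing more to follow
        nxt = nxt.lower()
        if nxt == apex or nxt in names:
            return names, False            # wrapped around: the whole zone is listed
        if len(names) >= cap:
            return names, True             # cap reached with names still unseen
        names.append(nxt)
        current = nxt


def enumerated_sample(apex: str = ZONE_APEX, names: List[str] = ZONE_NAMES, cap: int = 15) -> dict:
    """Shape the walk result like the endpoint's enumerated_sample fields."""
    chain = build_nsec_chain(names)
    sample, truncated = walk_nsec(apex, lambda q: lookup_nsec(chain, q), cap)
    return {"risk": "walkable", "enumerated_sample": sample, "enumerated_sample_truncated": truncated}


if __name__ == "__main__":
    result = enumerated_sample()
    for n in result["enumerated_sample"]:
        print(n)
    print("truncated:", result["enumerated_sample_truncated"])
```

The walk costs one query per name and needs no wordlist, which is why a walkable grade is treated as a complete inventory leak rather than a probabilistic one.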
Use Cases
DNSSEC Configuration Audit
Audit DNSSEC-signed zones to ensure they use NSEC3 with RFC 9276-compliant parameters and do not expose staging or internal subdomain names to enumeration.
Catch walkable zones before attackers enumerate your DNS-hidden attack surface.
Zone Migration Validation
After migrating to a new DNS provider, verify NSEC3PARAM is still published with RFC 9276 parameters: hash algorithm 1, an empty salt, and an iteration count of 0.
Prevent accidental regressions from NSEC3 back to NSEC (fully walkable), or from `1 0 0 -` to a weaker NSEC3PARAM with a salt or extra iterations.
Red Team Pre-Engagement
Identify zones vulnerable to walking as a reconnaissance step: a walkable zone yields its full subdomain inventory from a chain of NSEC queries, with no wordlist brute-forcing and no probing of the hosts themselves.
Prioritize targets with weak NSEC3PARAM configuration during engagement scoping.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The zone apex to assess (e.g., example.com) |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The queried zone apex |
| dnssec_signed | boolean | Whether the zone is DNSSEC-signed (NSEC or NSEC3 present) |
| uses_nsec3 | boolean | Whether the zone uses NSEC3 (true) or legacy NSEC (false) |
| nsec3param | object | Parsed NSEC3PARAM: algorithm, algorithm_name, flags, iterations, salt, salt_length |
| opt_out | boolean | Whether the opt-out flag is set on the zone's NSEC3 RRs (insecure delegations are then not covered by the chain, so their presence or absence cannot be authenticated) |
| risk | string | Walkability risk grade: walkable, partial, mitigated |
| rfc9276_compliant | boolean | True if and only if the zone is DNSSEC-signed AND uses NSEC3 with algorithm=1, opt-out off, iterations=0, no salt, the RFC 9276 (August 2022) recommendation |
| recommended_nsec3param | string | RFC 9276-compliant NSEC3PARAM record value the zone operator can publish (e.g., "1 0 0 -") |
| enumerated_sample | array | When risk=walkable, a sample (up to 15) of names obtained by walking the NSEC chain, as a concrete demonstration of the leak |
| enumerated_sample_truncated | boolean | True if the walk hit the 15-name cap; the actual enumeration may be much larger |
| findings | array | Human-readable findings with severity |
| recommendations | array | Remediation steps to reach mitigated status, with the recommended NSEC3PARAM string inline |
Code Examples
cURL (the `-G` flag sends the `domain` parameter as a GET query string, matching the JavaScript and Python examples; without it curl would POST a form body)

```bash
curl -G "https://api.edgedns.dev/v1/dns/nsec-walkability" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  --data-urlencode "domain=example.com"
```

JavaScript

```javascript
const response = await fetch(
  'https://api.edgedns.dev/v1/dns/nsec-walkability?domain=example.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
if (!response.ok) {
  throw new Error(`nsec-walkability request failed: HTTP ${response.status}`);
}
const data = await response.json();
console.log(data);
```

Python

```python
import requests

response = requests.get(
    'https://api.edgedns.dev/v1/dns/nsec-walkability',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'domain': 'example.com'
    },
    timeout=30,
)
response.raise_for_status()  # surface auth or rate-limit errors instead of parsing an error body
data = response.json()
print(data)
```