NSEC / NSEC3 (DNSSEC Denial of Existence)

NSEC (Next Secure) and NSEC3 (RFC 5155) are [[dnssec|DNSSEC]] record types used to prove that a queried domain name does not exist, known as 'authenticated denial of existence.' NSEC links records alphabetically: each record points to the next name in the zone's sorted order, so following the chain enables zone enumeration (a privacy concern). NSEC3 hashes the record names before linking, preventing easy enumeration while still providing cryptographic proof of non-existence. NSEC3 is strongly preferred for public zones handling sensitive data.

Example

When querying 'nonexistent.example.com' in a DNSSEC-signed zone, an NSEC3 record proves the name doesn't exist without revealing other names in the zone.
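
The covering check behind this proof can be sketched as follows. This is an added example, not code from the original page: it uses the RFC 5155 hash (iterated, salted SHA-1 in base32hex) over a constructed zone, and the zone names, salt and iteration count are assumptions. It shows only the interval test; a full validator also verifies the RRSIG and the closest-encloser proof.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex (RFC 4648 "Extended Hex"), used by NSEC3.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name: str) -> bytes:
    """Canonical (lowercase) DNS wire format: length-prefixed labels + root."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: SHA-1(name || salt), re-hashed `iterations` more times."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

def covers(owner_hash: str, next_hash: str, qhash: str) -> bool:
    """True if qhash falls strictly inside the gap owner_hash -> next_hash."""
    if owner_hash < next_hash:
        return owner_hash < qhash < next_hash
    # The last record in the chain wraps around to the first.
    return qhash > owner_hash or qhash < next_hash

def build_chain(names, salt_hex, iterations):
    """Sorted (owner_hash, next_hash) pairs, linked the way a signer links NSEC3."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]

def covering_record(chain, qname, salt_hex, iterations):
    """Return the NSEC3 interval showing qname has no hashed owner, else None."""
    qhash = nsec3_hash(qname, salt_hex, iterations)
    for owner, nxt in chain:
        if covers(owner, nxt, qhash):
            return owner, nxt
    return None  # qhash equals an owner hash, so the name exists

# Constructed sample zone and NSEC3 parameters (assumptions, not from the page).
ZONE = ["example.com", "www.example.com", "mail.example.com", "ns1.example.com"]
SALT, ITER = "aabbccdd", 0

if __name__ == "__main__":
    chain = build_chain(ZONE, SALT, ITER)
    print(covering_record(chain, "nonexistent.example.com", SALT, ITER))
```

The response carries only the two hashes that bracket the query's hash, which is why the other names in the zone are not disclosed in cleartext.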