A tool to compute NSEC3 hashes for DNS zones
Reason this release was yanked:
Use py_nsec3hash instead
Project description
NSEC3 Hash Utility
This project provides a Python CLI tool to compute the NSEC3 hash for a Fully-Qualified Domain Name (FQDN). The NSEC3 hash is commonly used in DNSSEC deployments to provide authenticated denial of existence without leaking zone contents.
Features
- Converts a domain name into its canonical DNS wire format.
- Hashes the name using SHA-1 with optional salt and iterations, as defined by the NSEC3 specification.
- Outputs the hash as an NSEC3-compliant Base32hex string (without padding, using characters
0-9andA-V).
Usage
-
Ensure your input is a Fully-Qualified Domain Name (FQDN):
- The name must end with a dot (e.g.,
www.example.com.). - The trailing dot denotes the root of the DNS tree; omitting it will canonicalize the name by appending a dot automatically, but for correctness and standard compliance, always provide FQDN.
- The name must end with a dot (e.g.,
-
Running from the command line:
python3 hash_nsec3.py <name> [--salt SALT] [--iterations N]<name>: The domain name to hash, e.g.,host.example.com.--salt SALT: (Optional) Hexadecimal salt string, e.g.,AABBCCDD(default is no salt).--iterations N: (Optional) Number of additional hash iterations (default: 0).
Examples
python3 hash_nsec3.py www.example.com. python3 hash_nsec3.py www.example.com. --salt AABBCC python3 hash_nsec3.py www.example.com. --salt AABBCC --iterations 5
About NSEC3 Hashing
- Canonicalization: The tool converts domain names to the DNS wire format (length-prefixed labels, lowercased).
- Hashing: It applies SHA-1, followed by the specified number of additional iterations, salting each hash.
- Base32hex Encoding: The raw 20-byte SHA-1 digest is encoded according to RFC 4648 section 7, without padding and using the restricted alphabet.
For example, the hash of www.example.com. with no salt and zero iterations will be a 32-character Base32-encoded string, MIFDNDT3NFF3OD53O7TLA1HRFF95JKUK
References
- RFC 5155 - DNSSEC Hashed Authenticated Denial of Existence (NSEC3)
- RFC 4648 - The Base16, Base32, and Base64 Data Encodings
Alternatives
ISC have a similar command, called nsec3hash written in C as part of BIND
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file nsec3_hash-1.0.0.tar.gz.
File metadata
- Download URL: nsec3_hash-1.0.0.tar.gz
- Upload date:
- Size: 11.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.9.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
783c93e4c85ac3e94fb04e3a90d8208672405a31538829758491c0248fc6c8c1
|
|
| MD5 |
9925ba1ce4591df9cd2a702316b946b1
|
|
| BLAKE2b-256 |
ef6a74b069146b9027a218cac9f5fd643c9dab716942c7eba87f7b0c2d03952a
|
File details
Details for the file nsec3_hash-1.0.0-py3-none-any.whl.
File metadata
- Download URL: nsec3_hash-1.0.0-py3-none-any.whl
- Upload date:
- Size: 6.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.9.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
835dc150e004f1f483869b42dbdf9b481f5d9e65e0c255138f6008292ee8256b
|
|
| MD5 |
237bb0e62c430fdc7326b4d58d0ab889
|
|
| BLAKE2b-256 |
80759ca8e7cf8095c8aaf1b0829e3de9d6829654a44766d87db1b05ada50b3eb
|
