NSEC RR

Ensure validity of negative response (NXDOMAIN)
    cannot simply sign a single "no such name"
        vulnerable to replay attack

NSEC's idea
    provide "before" and "after" of the non-existent name
    (need formal canonicalization and ordering of RRs)

"Disadvantage" of NSEC
    can be used to get all RRs in a zone one by one
    ask NSEC for the zone origin
        kame.net. NSEC aaa.kame.net.
    ask NSEC for the "next" of the origin
        aaa.kame.net. NSEC bbb.kame.net.
    ...
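
The "before"/"after" check described above, as an added example that is not part of the original slides: a validator-side test, in Python, that a queried name falls strictly between an NSEC owner and its next name under RFC 4034 section 6.1 canonical ordering. The closing record of the sample chain, the function names, and the simplified name handling (ASCII names without escapes, signature verification done elsewhere) are assumptions.

```python
# Added example: does a (signature-verified) NSEC record prove that qname is absent?
# Assumptions: ASCII presentation-format names without escapes; RRSIG checking
# of the NSEC record itself is done elsewhere.

def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical name ordering."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    # Most significant (rightmost) label first, each label compared as raw
    # octets; a name that is a prefix of another sorts before it.
    return [l.encode("ascii") for l in reversed(labels)]

def nsec_covers(zone, owner, next_name, qname):
    """True if the NSEC 'owner NSEC next_name' denies the existence of qname."""
    z, o, n, q = (canonical_key(x) for x in (zone, owner, next_name, qname))
    if q[:len(z)] != z:
        return False          # outside the zone: this record says nothing
    if o < n:
        return o < q < n      # strictly between: owner and next themselves exist
    return q > o              # last record: next wraps around to the zone origin

# Constructed sample chain; the first two records are the ones on the slide,
# the closing record back to the origin is assumed for the example.
CHAIN = [
    ("kame.net.", "aaa.kame.net."),
    ("aaa.kame.net.", "bbb.kame.net."),
    ("bbb.kame.net.", "kame.net."),
]

def find_proof(zone, chain, qname):
    """Return the NSEC pair that covers qname, or None if the name may exist."""
    for owner, next_name in chain:
        if nsec_covers(zone, owner, next_name, qname):
            return (owner, next_name)
    return None

if __name__ == "__main__":
    for q in ("abc.kame.net.", "AAA.kame.net.", "www.kame.net.", "example.org."):
        print(q, "->", find_proof("kame.net.", CHAIN, q))
```

Because the comparison is strict and case-insensitive, a recorded NSEC for `abc.kame.net.` cannot be replayed to deny `aaa.kame.net.` or `AAA.kame.net.`, which is what a single signed "no such name" could not guarantee.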