Jump to first page
 -32
¥
¥
¥$ORIGIN ripe.net.
¥@ SOA       É..
¥ NS NS.ripe.net.
¥ KEY       É..
¥ NXT   mailbox.ripe.net. SOA NS NXT KEY SIG
¥mailbox A 192.168.10.2
¥ NXT www.ripe.net.  A NXT SIG
¥WWW A 192.168.10.3
F NXT     ripe.net. A NXT SIG
F
F
Fquery for popserver.ripe.net would return:
¥aa bit set   RCODE=NXDOMAIN
¥authority: mailbox.ripe.net.  NXT www.ripe.net.  A NXT SIG
Fquery for www.ripe.net MX would return: an empty answer section and the www NXT record in the authority section
NXT Record
ÔpopserverÕ is missing                      
In the above example the SIG RRs are left out for clarity.

The NXT record is circular over the zone. The next label after www.ripe.net. Is ripe.net  Once signed the RR that are available with label www.bla.foo are A SIG and NXT.

Using the NXT record, one can do a zone walk. Some people find this undesirable. However, the DNS is a public database. (One can use views to block your ÔinternalÕ naming scheme from external eyes.)