1. Introduction

   With DNSSEC [1], an NSEC record lists the next instantiated name in
   its zone, proving that no names exist in the "span" between the
   NSEC's owner name and the name in the "next name" field.  In this
   document, an NSEC record is said to "cover" the names between its
   owner name and next name.

   Through repeated queries that return NSEC records, it is possible to
   retrieve all of the names in the zone, a process commonly called
   "walking" the zone.  Some zone owners have policies forbidding zone
   transfers by arbitrary clients; this side effect of the NSEC
   architecture subverts those policies.

   This document presents a way to prevent zone walking by constructing
   NSEC records that cover fewer names.  These records can make zone
   walking take approximately as many queries as simply asking for all
   possible names in a zone, making zone walking impractical.  Some of
   these records must be created and signed on demand, which requires
   on-line private keys.  Anyone contemplating use of this technique is
   strongly encouraged to review the discussion of the risks of on-line
   signing in Section 5.

1.1. Keywords

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [4].