1. Introduction
One of the proposals for avoiding the exposure of zone information during the deployment of DNSSEC is dynamic NSEC resource record (RR) synthesis. This technique is described in [DNSSEC-TRANS] and [RFC4470], and involves the generation of NSEC RRs that just span the query name for non-existent owner names. In order to do this, the DNS names that would occur just prior to and just following a given query name must be calculated in real time, as maintaining a list of all possible owner names that might occur in a zone would be impracticable.

Section 6.1 of [RFC4034] defines canonical DNS name order. This document does not amend or modify this definition. However, the derivation of immediate predecessor and successor, although trivial, is non-obvious. Accordingly, several methods are described here as an aid to implementors and a reference to other interested parties.

This document describes two methods:

1. An "absolute method", which returns the immediate predecessor or successor of a domain name such that no valid DNS name could exist between that DNS name and the predecessor or successor.

2. A "modified method", which returns a predecessor and successor that are more economical in size and computation. This method is restricted to use with zones consisting exclusively of owner names that contain no more than one label more than the owner name of the apex, where the longest possible owner name (i.e., one with a maximum length left-most label) would not exceed the maximum DNS name length. This is, however, the type of zone for which the technique of online signing is most likely to be used.
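The following is an added example, not part of the original document: it implements the canonical ordering of [RFC4034] Section 6.1 and the check that an NSEC RR spans a query name, then contrasts the NSEC a pre-signed zone returns with a narrow synthesized one. The zone contents and the narrow owner/next names are constructed for illustration and are not the output of either method in this document; names are assumed to be plain ASCII with no \DDD escapes.

```python
# Added example: canonical DNS name order (RFC 4034, Section 6.1) and NSEC coverage.
# Assumption: names are plain ASCII presentation format with no \DDD escapes.
import bisect

def canonical_key(name):
    """Sort key: labels compared right to left, each as a lowercased octet string."""
    labels = [l.encode("ascii").lower() for l in name.rstrip(".").split(".") if l]
    return labels[::-1]

def nsec_covers(owner, nxt, qname):
    """True if an NSEC RR (owner -> nxt) proves that qname does not exist."""
    o, n, q = (canonical_key(x) for x in (owner, nxt, qname))
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC in the chain wraps back to the apex

def static_nsec(zone_names, qname):
    """NSEC a pre-signed zone returns for a non-existent qname: its real neighbours."""
    chain = sorted(zone_names, key=canonical_key)
    keys = [canonical_key(n) for n in chain]
    i = bisect.bisect_left(keys, canonical_key(qname))
    return chain[i - 1], chain[i % len(chain)]

def names_exposed(zone_names, owner, nxt):
    """Existing zone names that appear in the NSEC owner or next field."""
    shown = {tuple(canonical_key(owner)), tuple(canonical_key(nxt))}
    return [n for n in zone_names if tuple(canonical_key(n)) in shown]

# Constructed zone and query (hypothetical names).
ZONE = ["example.", "www.example.", "payroll-db.example.", "b.example."]
QNAME = "c.example."
# Constructed narrow span around QNAME, standing in for a synthesized NSEC.
NARROW = ("b~.example.", "c!.example.")

if __name__ == "__main__":
    owner, nxt = static_nsec(ZONE, QNAME)
    print("static NSEC :", owner, "->", nxt, "exposes", names_exposed(ZONE, owner, nxt))
    print("narrow NSEC :", *NARROW, "exposes", names_exposed(ZONE, *NARROW))
    print("both cover  :", nsec_covers(owner, nxt, QNAME), nsec_covers(*NARROW, QNAME))
```

Both NSEC RRs prove that the query name does not exist, but only the static one names real neighbours, which is what allows a zone to be enumerated by repeated queries.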
