Assume zone foo.tld has entries for
    big.foo.tld.
    medium.foo.tld.
    small.foo.tld.
    tiny.foo.tld.
Then a query to a security-aware server for huge.foo.tld would produce an error reply with the authority section data including something like the following:
    big.foo.tld. NXT medium.foo.tld. A MX SIG NXT
    big.foo.tld. SIG NXT 1 3 ( ;type-cov=NXT, alg=1, labels=3
                 19960102030405 ;signature expiration
                 19951211100908 ;time signed
                 21435 ;key footprint
                 foo.tld. ;signer
        MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6VAuHAoNUz4YoU
        1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= ;signature (640 bits)
                 )
Note that this response implies that big.foo.tld is an existing name in the zone and thus has RR types other than NXT associated with it. However, only the NXT RR (and its SIG) appears in the response to this query for huge.foo.tld, which is a non-existent name.
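
The check a resolver makes on such a reply, as an added example that is not part of the original text: the queried name must sort strictly between the NXT owner and the next name, otherwise a validly signed NXT for a different gap could be replayed to deny a name that exists. It assumes the DNSSEC canonical ordering (labels compared right to left, case-insensitively, as octet strings), that the last NXT in a zone points back to the zone name, and that the SIG over the NXT has already been verified; the function names are illustrative.

```python
# Added example: NXT gap check for authenticated denial of existence.
# Assumes the SIG covering the NXT RR was verified before this is called.

def canonical_key(name):
    """Sort key for a domain name: labels right to left, lower-cased octets."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]

def build_nxt_chain(zone, names):
    """Return {owner: next_name}; the last owner wraps around to the zone name."""
    ordered = sorted(set(names) | {zone}, key=canonical_key)
    return {o: ordered[(i + 1) % len(ordered)] for i, o in enumerate(ordered)}

def nxt_covers(qname, owner, next_name, zone):
    """True only if qname falls strictly inside the gap (owner, next_name)."""
    q, o, n = (canonical_key(x) for x in (qname, owner, next_name))
    if n == canonical_key(zone):
        # Last NXT in the zone: the gap runs from owner to the end of the zone.
        return q > o
    return o < q < n

# Zone contents taken from the example in the text above.
ZONE = "foo.tld."
NAMES = ["big.foo.tld.", "medium.foo.tld.", "small.foo.tld.", "tiny.foo.tld."]

if __name__ == "__main__":
    chain = build_nxt_chain(ZONE, NAMES)
    for owner, nxt in chain.items():
        print(f"{owner} NXT {nxt}")
    # The NXT from the reply above denies huge.foo.tld. ...
    print(nxt_covers("huge.foo.tld.", "big.foo.tld.", "medium.foo.tld.", ZONE))
    # ... but must not be accepted as a denial of small.foo.tld.
    print(nxt_covers("small.foo.tld.", "big.foo.tld.", "medium.foo.tld.", ZONE))
```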