Assume zone foo.tld has entries for
big.foo.tld, medium.foo.tld. small.foo.tld. tiny.foo.tld.
Then a query to a security aware server for huge.foo.tld would produce an error reply with the authority section data including something like the following:
big.foo.tld. NXT medium.foo.tld. A MX SIG NXT big.foo.tld. SIG NXT 1 3 ( ;type-cov=NXT, alg=1, labels=3 19960102030405 ;signature expiration 19951211100908 ;time signed 21435 ;key footprint foo.tld. ;signer MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6VAuHAoNUz4YoU 1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= ;signature (640 bits) )
Note that this response implies that big.foo.tld is an existing name in the zone and thus has other RR types associated with it than NXT. However, only the NXT (and its SIG) RR appear in the response to this query for huge.foo.tld, which is a non-existent name.