The SIG RR mechanism described in Section 4 above provides strong authentication of RRs that exist in a zone. But it is not clear from the above how to deny, in an authenticated way, the existence of a name in a zone or of a type under an existing name.
The nonexistence of a name in a zone is indicated by the NXT ("next") RR for the name interval containing the nonexistent name. An NXT RR and its SIG are returned in the authority section, along with the error, if the server is security aware. The same is true for a nonexistent type under an existing name: the NXT RR at that name lists the types present there, so the absence of the queried type from that list is the signed proof. This is a change from the existing standard, which contemplates only NS and SOA RRs in the authority section. NXT RRs are also returned if an explicit query is made for the NXT type.
The existence of a complete set of NXT records in a zone means that any query for any name and any type to a security aware server serving the zone will always result in a reply containing at least one signed RR.
NXT RRs do not appear in zone master files since they can be derived from the rest of the zone.
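As an added worked example (not code from the RFC or from any DNS implementation), the following Python derives the NXT chain for a constructed toy zone and shows which NXT RR a security aware server would place in the authority section to deny a name (the NXT whose interval contains it) or a type (the NXT at the existing name, whose type list lacks it). The canonical owner-name ordering used to sort the names (labels compared right to left, case-insensitively, a name sorting before any name that extends it) is not defined in this section and is an assumption here; the zone contents, the function names, the wrap-around of the last NXT to the zone apex, and the inclusion of NXT and SIG in every type list are likewise assumptions of the example. Signing of the NXT RR is not shown.

```python
# Added example: deriving NXT RRs from a zone and using them to deny a name
# or a type. Assumptions (not stated in the RFC text above): the canonical
# ordering rule, the wrap-around to the apex, and that NXT and SIG appear in
# every NXT type list. Sample zone data is constructed for the example.

def canonical_key(name):
    """Sort key for a domain name: labels compared from the root inward,
    case-insensitively; a shorter name sorts before names extending it."""
    labels = [l.lower().encode() for l in name.rstrip('.').split('.')]
    return tuple(reversed(labels))


# Constructed toy zone: owner name -> set of RR types present at that name.
ZONE = {
    'example.':     {'SOA', 'NS', 'KEY', 'SIG'},
    'a.example.':   {'A', 'SIG'},
    'ns1.example.': {'A', 'SIG'},
    'www.example.': {'A', 'AAAA', 'SIG'},
}
APEX = 'example.'


def build_nxt_chain(zone):
    """Return {owner: (next_owner, types)} derived from the zone contents.
    Owners are placed in canonical order; the last NXT points back to the
    first name so that the intervals cover every possible name in the zone.
    NXT and SIG are added to each type list because those RRs now exist there."""
    names = sorted(zone, key=canonical_key)
    chain = {}
    for i, owner in enumerate(names):
        next_owner = names[(i + 1) % len(names)]
        chain[owner] = (next_owner, frozenset(zone[owner]) | {'NXT', 'SIG'})
    return chain


def covers(owner, next_owner, qname):
    """True if qname lies strictly inside the interval (owner, next_owner).
    The last record wraps around, so its interval is everything after owner."""
    q, o, n = canonical_key(qname), canonical_key(owner), canonical_key(next_owner)
    if n <= o:                      # wrap-around record: next_owner is the first name
        return q > o
    return o < q < n


def prove(chain, qname, qtype, apex=APEX):
    """Decide what a security aware server proves for (qname, qtype).
    Returns ('EXISTS' | 'NODATA' | 'NXDOMAIN', owner of the relevant NXT)."""
    apex_key = canonical_key(apex)
    if canonical_key(qname)[:len(apex_key)] != apex_key:
        raise ValueError('%s is not at or below the zone apex %s' % (qname, apex))
    # Name exists: the NXT at that name lists the types present there.
    for owner, (next_owner, types) in chain.items():
        if canonical_key(owner) == canonical_key(qname):
            return ('EXISTS' if qtype in types else 'NODATA', owner)
    # Name does not exist: find the NXT whose interval contains it.
    for owner, (next_owner, types) in chain.items():
        if covers(owner, next_owner, qname):
            return ('NXDOMAIN', owner)
    raise AssertionError('a complete NXT chain must cover every name')


if __name__ == '__main__':
    chain = build_nxt_chain(ZONE)
    for owner, (nxt, types) in chain.items():
        print('%-13s NXT %-13s %s' % (owner, nxt, ' '.join(sorted(types))))
    for q in [('b.example.', 'A'), ('a.example.', 'MX'), ('WWW.example.', 'AAAA')]:
        print(q, '->', prove(chain, *q))
```

The `NODATA` case is the one that differs from a plain "name does not exist" answer: the name `a.example.` has an NXT, and the querier learns that `MX` is absent by checking that `MX` is not among the types that NXT lists, not by finding an interval.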