The NXT resource record is used to securely indicate that RRs with an owner name in a certain name interval do not exist in a zone and to indicate what zone signed RR types are present for an existing name.
The owner name of the NXT RR is an existing name in the zone. Its RDATA is a "next" name and a type bit map. The presence of the NXT RR means that, in general, no name between its owner name and the name in its RDATA area exists and that no other zone signed types exist under its owner name. This implies a canonical ordering of all domain names in a zone.
The ordering is to sort labels as unsigned left justified octet strings, where the absence of an octet sorts before a zero value octet and upper case letters are treated as lower case letters. Names are then sorted by sorting on the highest level label and then, within those names with the same highest level label, by the next lower label, etc., down to leaf node labels. Since we are talking about a zone, the zone name itself always exists and all other names are the zone name with some prefix of lower level labels. Thus the zone name itself always sorts first.
There is a potential problem with the last NXT in a zone as it wants to have an owner name which is the last existing name in canonical order, which is easy, but it is not obvious what name to put in its RDATA to indicate the entire remainder of the name space. This is handled by treating the name space as circular and putting the zone name in the RDATA of the last NXT in a zone.
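As an added example (not text or code from the RFC), the following Python implements the canonical ordering just described, builds the circular NXT chain with its type bit maps, and checks whether a given NXT proves that a queried name does not exist. The RR type codes are the standard ones; the zone contents are constructed.

```python
# Added example, not part of RFC 2535: canonical ordering, NXT chain building
# and negative-answer checking as described above. Zone content is constructed.
from typing import Dict, List, Tuple

TYPE_NUM = {"A": 1, "NS": 2, "SOA": 6, "SIG": 24, "KEY": 25, "NXT": 30}  # RR type codes

def canonical_key(name: str) -> Tuple[bytes, ...]:
    """Sort key for the canonical ordering: labels compared from the highest
    level (rightmost) down, each as a case-folded octet string. Tuples and
    bytes compare lexicographically, so a missing label or octet sorts before
    any present one, which is the rule given in the text."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return tuple(l.encode("ascii").lower() for l in reversed(labels))

def type_bitmap(types) -> bytes:
    """Encode the NXT type bit map: bit n (counting from the MSB of the first
    octet) is set when RR type n is present; NXT itself is always included."""
    nums = sorted(TYPE_NUM[t] for t in set(types) | {"NXT"})
    bitmap = bytearray(nums[-1] // 8 + 1)
    for n in nums:
        bitmap[n // 8] |= 0x80 >> (n % 8)
    return bytes(bitmap)

def build_nxt_chain(zone: Dict[str, List[str]]) -> List[Tuple[str, str, bytes]]:
    """Return (owner, next name, type bit map) for every existing name. The apex
    sorts first, and the last NXT wraps around to the apex (circular name space)."""
    names = sorted(zone, key=canonical_key)
    return [(n, names[(i + 1) % len(names)], type_bitmap(zone[n]))
            for i, n in enumerate(names)]

def nxt_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if this NXT proves qname does not exist: qname sorts strictly
    between owner and next name. For the last NXT (next name is the apex, which
    sorts before its owner) anything after owner and inside the zone is covered."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o and q[:len(n)] == n   # wrap-around interval, stay within the zone

# Constructed sample zone: name -> RR types present at that name.
SAMPLE_ZONE = {
    "example.": ["SOA", "NS", "KEY", "SIG"],
    "a.example.": ["A", "SIG"],
    "yljkjljk.a.example.": ["A", "SIG"],
    "b.example.": ["A", "SIG"],
    "Z.example.": ["A", "SIG"],     # upper case sorts as lower case
}
if __name__ == "__main__":
    for owner, nxt, bm in build_nxt_chain(SAMPLE_ZONE):
        print(f"{owner:22} NXT {nxt:22} bitmap={bm.hex()}")
```

Note that yljkjljk.a.example. sorts between a.example. and b.example., since names are ordered label by label from the highest level down, not as flat strings.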
There are special considerations due to interaction with wildcards as explained below.
The NXT RRs for a zone SHOULD be automatically calculated and added to the zone by the same recommended off-line process that signs the zone (see Section 7.2). The NXT RR's TTL SHOULD not exceed the zone minimum TTL.