For "Check for CNAME":

For example, an attacker takes this original response:

[NOTE: this isn't an actual response. BIND and NSD both return different authority sections. So, it is possible that normally an attacker would also have to somehow get the www.example.com NSEC record. This isn't hard, but would make this example harder to describe.]

    RCODE: NOERROR
    ;; QUESTION SECTION
    ;www.example.com.        IN AAAA

    ;; ANSWER SECTION:
    www.example.com.         IN CNAME example.org.
    www.example.com.         IN RRSIG CNAME ...

    ;; AUTHORITY SECTION:
    example.com.             IN SOA ...
    example.com.             IN RRSIG SOA ..
    www.example.com          IN NSEC x.example.com CNAME RRSIG
    www.example.com          IN RRSIG NSEC ...

And turns it into:

    RCODE: NOERROR
    ;; QUESTION SECTION
    ;www.example.com.        IN AAAA

    ;; ANSWER SECTION:

    ;; AUTHORITY SECTION:
    example.com.             IN SOA ...
    example.com.             IN RRSIG SOA ..
    www.example.com          IN NSEC x.example.com CNAME NSEC RRSIG
    www.example.com          IN RRSIG NSEC ...

A validator that does not follow this rule might consider this response a valid NOERROR/NODATA response, since the NSEC record proves that www.example.com AAAA does not exist.

For "Insecure Delegation Proofs":

For example, an attacker takes the original response:

    RCODE: NOERROR
    ;; QUESTION SECTION
    ;www.example.com.        IN AAAA

    ;; ANSWER SECTION:

    ;; AUTHORITY SECTION:
    example.com.             IN SOA ...
    example.com.             IN RRSIG SOA ..
    www.example.com          IN NSEC x.example.com A NSEC RRSIG
    www.example.com          IN RRSIG NSEC ...

And converts it into a spoofed delegation:

    RCODE: NOERROR
    ;; QUESTION SECTION
    ;www.example.com.        IN AAAA

    ;; ANSWER SECTION:

    ;; AUTHORITY SECTION:
    www.example.com.         IN NS bad1.example.net.
    www.example.com.         IN NS bad2.example.net.
    www.example.com          IN NSEC x.example.com A NSEC RRSIG
    www.example.com          IN RRSIG NSEC ...

A validator that does not follow this rule might consider this a valid delegation, since the NSEC record proves that there is no DS record at www.example.com.
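The two validator checks discussed above (the CNAME bit on a NODATA proof, and the NS bit on an insecure delegation proof, as RFC 6840 sections 4.3 and 4.4 require), as an added Python example that is not part of the original message. It works on a constructed, simplified record format of (owner, type, rdata) tuples, with NSEC rdata as (next owner, set of type mnemonics); the function and constant names are this example's own.

```python
# Checks that reject the two forged responses above. Records are constructed
# (owner, type, rdata) tuples; NSEC rdata is (next_owner, frozenset(types)).

def nsec_types_for(owner, authority):
    """Type bitmap of the NSEC record owned by `owner` in the authority section, or None."""
    for name, rtype, rdata in authority:
        if rtype == "NSEC" and name.lower().rstrip(".") == owner.lower().rstrip("."):
            return rdata[1]
    return None

def check_nodata(qname, qtype, answer, authority):
    """Decide whether an empty-answer NOERROR response is a genuine NODATA proof."""
    if answer:
        return "not NODATA: answer section is not empty"
    types = nsec_types_for(qname, authority)
    if types is None:
        return "bogus: no NSEC record matching the query name"
    if qtype in types:
        return "bogus: NSEC bitmap says %s exists at %s" % (qtype, qname)
    if "CNAME" in types:
        # The signed bitmap says a CNAME lives at this name, so the real answer
        # carried that CNAME: an empty answer section means it was stripped.
        return "bogus: NSEC bitmap lists CNAME, answer section was stripped"
    return "secure: valid NODATA proof"

def check_insecure_delegation(child, authority):
    """Decide whether a referral for `child` proves an unsigned (no DS) delegation."""
    types = nsec_types_for(child, authority)
    if types is None:
        return "bogus: no NSEC record matching the delegation point"
    if "NS" not in types or "SOA" in types:
        # Without the NS bit the NSEC proves the name is not a delegation at
        # all, so the NS records in the referral were injected.
        return "bogus: NSEC bitmap does not describe a delegation"
    if "DS" in types:
        return "bogus: NSEC bitmap lists DS, delegation is signed"
    return "insecure: proven unsigned delegation"

# Constructed authority sections mirroring the two spoofed responses above.
FORGED_NODATA_AUTH = [
    ("example.com.", "SOA", "..."),
    ("www.example.com", "NSEC", ("x.example.com", frozenset({"CNAME", "NSEC", "RRSIG"}))),
]
FORGED_DELEGATION_AUTH = [
    ("www.example.com.", "NS", "bad1.example.net."),
    ("www.example.com.", "NS", "bad2.example.net."),
    ("www.example.com", "NSEC", ("x.example.com", frozenset({"A", "NSEC", "RRSIG"}))),
]
```

Both forged responses are classified as bogus, while the same NSEC bitmaps without the CNAME bit, or with an NS bit and no DS bit, pass as NODATA and insecure delegation respectively.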