NSEC and ldns-walk

In my previous blog post, I discussed the weakness of NSEC in DNSSEC which causes zone walking by means of trying alphabetical combinations in domain names. Actually, for those who have installed the ldns DNS tool, they need not try alphabetcial combinations for zone-walking. Just invoke "ldns-walk ripe.net" will give all sub-domain names under ripe.net and the associated NSEC records.