NSEC question
Josef Moellers
jmoellers at suse.de
Fri Nov 19 09:45:54 UTC 2021
Good morning (from this particular part of the world),
I am currently trying to wrap my head around DNSSEC and associated
topics. My understanding is that DNSSEC isn't really that complicated:
you "just" sign the data and the client can verify that it's legitimate
using public keys and the "chain of trust".
I'm now at the point of trying to understand NSEC.
Quite a nice example is here:
https://dnsinstitute.com/documentation/dnssec-guide/ch06s02.html
which uses the picture of a company with three employees "Alice",
"Edward" and "Susan", and a "nameless intern" who answers phone calls
and forwards them to the appropriate person.
At the end of the intro, the author describes the problem that arises
without NSEC when someone asks for "Bob" ("That person does not exist.")
and then for "Susan" ("Susan works here, I'll put you through!") and
explains that an attacker could deny the existence of "Susan" by
replaying the answer given for "Bob".
In comes NSEC and this problem is solved. So far I'm with it.
Now I'm trying to understand if (and how) this might work when a person
joins the company (in real life: when a host is added):
Before "Bob" joins the company, the answer would be "I'm sorry, that
person doesn't work here. The name before that is Alice, and the name
after that is Edward". That answer is correct, as "Bob" is not with the
company at that time, and verifiably signed.
Now "Bob" joins the company and somebody asks for him and the attacker
replays the message "I'm sorry, that person doesn't work here. The name
before that is Alice, and the name after that is Edward". That answer is
incorrect ("Bob" IS with the company) but still verifiably signed.
How would NSEC prevent this?
My guess is that it might use time stamps, but I fail to see how that
would work.
Thanks,
Josef
--
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg
Germany
(HRB 36809, AG Nürnberg)
Managing Director: Ivo Totev
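An added example, not from the original post or from BIND, that models the scenario above in Python: the NSEC chain for Alice/Edward/Susan, the re-signed chain after Bob joins, and the check a validating resolver performs (signature validity window plus "does the gap cover the name"). All names, dates and validity windows are constructed, and names are treated as single lower-case labels within one zone, so plain string order stands in for DNSSEC canonical ordering.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DAY = timedelta(days=1)

@dataclass(frozen=True)
class Nsec:
    """One NSEC record together with the validity window of its RRSIG."""
    owner: str            # owner name (single label in the zone, lower-case)
    next_name: str        # next owner name in zone order
    inception: datetime   # RRSIG inception time
    expiration: datetime  # RRSIG expiration time

def build_chain(names, inception, expiration):
    """Sign the zone: one NSEC per name pointing at the next name;
    the last name wraps around to the first."""
    s = sorted({n.lower() for n in names})
    return [Nsec(s[i], s[(i + 1) % len(s)], inception, expiration)
            for i in range(len(s))]

def covers(rec, qname):
    """True if qname lies strictly in the gap owner < qname < next_name
    (or beyond the last name when the chain wraps around)."""
    q = qname.lower()
    if rec.owner < rec.next_name:
        return rec.owner < q < rec.next_name
    return q > rec.owner or q < rec.next_name

def signature_valid(rec, now):
    return rec.inception <= now <= rec.expiration

def proves_nonexistence(rec, qname, now):
    """What a validating resolver checks before accepting a denial."""
    return signature_valid(rec, now) and covers(rec, qname)

def replay_exposure(old_rec, added_at):
    """How long a pre-change NSEC still validates after the name was added:
    until the old RRSIG expires (resolver cache TTLs extend this further)."""
    return max(old_rec.expiration - added_at, timedelta(0))

T0 = datetime(2021, 11, 19, tzinfo=timezone.utc)   # constructed timeline
OLD_CHAIN = build_chain(["Alice", "Edward", "Susan"], T0, T0 + 7 * DAY)
BOB_JOINS = T0 + 2 * DAY
NEW_CHAIN = build_chain(["Alice", "Bob", "Edward", "Susan"],
                        BOB_JOINS, BOB_JOINS + 7 * DAY)
STALE = OLD_CHAIN[0]   # alice -> edward, the record that could be replayed

if __name__ == "__main__":
    print("stale record replayed after Bob joined:",
          proves_nonexistence(STALE, "bob", BOB_JOINS + DAY))
    print("exposure window:", replay_exposure(STALE, BOB_JOINS))
```

The stale "alice -> edward" record keeps validating until its RRSIG expires, so the exposure is bounded by the signature lifetime (and caching), which is why short validity periods and prompt re-signing matter.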