by tptacek
3263 days ago
Correction: you can also enumerate through NSEC3, the most common (and default) mode of deployment; NSEC3 turns enumerable zone entries into the equivalent of a password hash file, which can be cracked. There's a hack to prevent this that seeds the zone with false entries, but it requires the server to operate as an online signer. Since this is essentially incoherent to the design of the protocol (which makes major cryptographic and usability sacrifices to enable offline signers), there's an "NSEC4" being worked on now. DNSSEC is silly.
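As an added illustration (not part of the comment above, and not taken from any DNSSEC implementation), here is the NSEC3 owner-name hash from RFC 5155 section 5 together with the interval check a validating resolver performs on it. The salt and iteration count are published in the NSEC3 records themselves, so the owner name is the only secret input; the test parameters are the ones from the RFC 5155 Appendix A example zone.

```python
import base64
import hashlib

# Added example, not the original poster's code. Everything a verifier needs to
# recompute an NSEC3 hash (algorithm, salt, iteration count) is carried in the
# NSEC3/NSEC3PARAM records, which is why a collected NSEC3 chain behaves like a
# salted password-hash file: each guess costs iterations+1 SHA-1 calls and the
# "password" is an owner name. RFC 9276 therefore recommends 0 iterations, since
# extra rounds burden validators more than they slow a guesser.
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def canonical_wire(name: str) -> bytes:
    """Owner name in canonical (lowercased, uncompressed) wire format."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155: IH(salt,x,0) = H(x||salt); IH(salt,x,k) = H(IH(salt,x,k-1)||salt).

    Only hash algorithm 1 (SHA-1) is defined. Result is base32hex, no padding."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(canonical_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(B32HEX).lower()


def nsec3_covers(owner_hash: str, next_hash: str, candidate_hash: str) -> bool:
    """True when candidate lies strictly between owner and next hash, i.e. this
    NSEC3 record proves the candidate name does not exist. The last record in
    the chain points back to the first, so the interval may wrap around."""
    o, n, c = owner_hash.lower(), next_hash.lower(), candidate_hash.lower()
    if o < n:
        return o < c < n
    return c > o or c < n  # wrap-around interval at the end of the chain


if __name__ == "__main__":
    # RFC 5155 Appendix A parameters: SHA-1, salt aabbccdd, 12 iterations.
    print(nsec3_hash("example.", "aabbccdd", 12))  # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
```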