The blog post about Subdomain Enumeration in the APNIC blog provides a great overview of the techniques, defenses, and tools for it. Subdomain enumeration is the act of learning available subdomains in a zone using DNSSEC. This is with
NSEC records and somewhat harder with
NSEC3, due to hashing of names. The blog goes explains how online signing can combat subdomain enumeration, using the white lies or the black lies strategies. Lastly, it links to tools for performing these attacks.