diff --git a/lookup.go b/lookup.go
index 2d074861..0e7f5c81 100644
--- a/lookup.go
+++ b/lookup.go
@@ -15,6 +15,15 @@ const (
 	INDETERMINATE
 )
 
+// Types of answers (without looking the RFCs)
+// len(m.Ns) > 0
+// NS records in there? -> delegation (rcode should be rcode.Success)
+//	- secure delegation -> DS should be there
+//	- insecure delegation -> Proof of no DS (either NSEC or NSEC3)
+//	- plain old DNS delegation -> ...
+// SOA record in there? -> nxdomain   (rcode should be rcode.Nxdomain)
+
+
 // Lookup does a (secure) DNS lookup. The message m contains
 // the question to be asked. Lookup returns last packet seen
 // which is either the answer or a packet somewhere in the
diff --git a/nsecx.go b/nsecx.go
index 684fb86b..9480c53e 100644
--- a/nsecx.go
+++ b/nsecx.go
@@ -69,7 +69,11 @@ func (nsec3 *RR_NSEC3) Match(domain string) bool {
 	return strings.ToUpper(SplitLabels(nsec3.Header().Name)[0]) == strings.ToUpper(HashName(domain, nsec3.Hash, nsec3.Iterations, nsec3.Salt))
 }
 
-// Cover checks if domain is covered by the NSEC3 record. Domain must be given in plain text.
+// RR_NSEC Match? (Do have them both??)
+
+// Cover checks if domain is covered by the NSEC3 record. Domain must be given in plain text (i.e. not hashed)
+// TODO(mg): this doesn't loop around
+// TODO(mg): make a CoverHashed variant?
 func (nsec3 *RR_NSEC3) Cover(domain string) bool {
 	hashdom := strings.ToUpper(HashName(domain, nsec3.Hash, nsec3.Iterations, nsec3.Salt))
 	nextdom := strings.ToUpper(nsec3.NextDomain)