DNSSEC10 gives false errors #1153

Description

@matsduf

DNSSEC10 gives a false error when the zone is signed with NSEC3, the NSEC3 opt-out flag is set and a wildcard is present. Possibly for other cases too.

There are problems with the implementation, and possibly with the specification too. The test case is too complex to reach the purpose of the test case.

The problematic message tag is DS10_ANSWER_VERIFY_ERROR, which is shown below.

```
# zonemaster-cli hyttbatar.se --show-testcase --test dnssec/dnssec10
Seconds Level     Testcase       Message
======= ========= ============== =======
   0.46 ERROR     DNSSEC10       The name "xx--oplk4f3fgh9lksdfhu7h--xx.hyttbatar.se." of RR type "A" is signed by RRSIG, but the signature or signatures cannot be verified. Fetched from the nameservers with IP addresses "2a02:250:ffff::20;2a02:250:ffff::21;93.188.0.20;93.188.0.21".
```

It passes according to DNSviz:

image

Labels: A-TestCase (Area: Test case specification or implementation of test case), T-Bug (Type: Bug in software or error in test case description)
