Issue #1. Fix opt-out ENT case in NSEC3 NODATA

This attempts to adjust the proof to match the errata filed back in
2012.  It turns out that the qtype=DS/qtype!=DS logic is the same either
in the case we find a matching NSEC3 or we do not and the "next closer"
NSEC3 has the opt-out bit set.

diff --git a/src/com/verisign/tat/dnssec/NSEC3ValUtils.java b/src/com/verisign/tat/dnssec/NSEC3ValUtils.java
index 5ec7c5c..ef0b66e 100644 (file)
--- a/src/com/verisign/tat/dnssec/NSEC3ValUtils.java
+++ b/src/com/verisign/tat/dnssec/NSEC3ValUtils.java
@@ -687,14 +687,7 @@ public class NSEC3ValUtils {
             return true;
         }
 
-        // Case 5.
-        if (qtype != Type.DS) {
-            st_log.debug("proveNodata: could not find matching NSEC3, " +
-                         "nor matching wildcard, and qtype is not DS -- no more options.");
-
-            return false;
-        }
-
+        // Cases 1b and 2b
         // We need to make sure that the covering NSEC3 is opt-in.
         if (!isOptOut(ce.nc_nsec3)) {
             st_log.debug("proveNodata: covering NSEC3 was not " +