From: Kees Monshouwer <mind04@monshouwer.org>
Date: Wed, 9 Jul 2014 23:45:54 +0000 (+0200)
Subject: don't add superfluous nsec3 for old bind
X-Git-Tag: auth-3.4.0-rc1~91^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F1526%2Fhead;p=thirdparty%2Fpdns.git

don't add superfluous nsec3 for old bind
---

diff --git a/debian/config/pdns.conf b/debian/config/pdns.conf
index 6fb80f48ff..d70154f7a2 100644
--- a/debian/config/pdns.conf
+++ b/debian/config/pdns.conf
@@ -1,9 +1,4 @@
 # Autogenerated configuration file template
-#################################
-# add-superfluous-nsec3-for-old-bind	Add superfluous NSEC3 record to positive wildcard response
-#
-# add-superfluous-nsec3-for-old-bind=yes
-
 #################################
 # allow-axfr-ips	Allow zonetransfers only to these subnets
 #
diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index 5bfa4e92c0..1cbaaa7ade 100644
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -156,7 +156,6 @@ void declareArguments()
 
   ::arg().setSwitch("traceback-handler","Enable the traceback handler (Linux only)")="yes";
   ::arg().setSwitch("direct-dnskey","Fetch DNSKEY RRs from backend during DNSKEY synthesis")="no";
-  ::arg().setSwitch("add-superfluous-nsec3-for-old-bind","Add superfluous NSEC3 record to positive wildcard response")="yes";
   ::arg().set("default-ksk-algorithms","Default KSK algorithms")="rsasha256";
   ::arg().set("default-ksk-size","Default KSK size (0 means default)")="0";
   ::arg().set("default-zsk-algorithms","Default ZSK algorithms")="rsasha256";
@@ -356,7 +355,6 @@ void mainthread()
      newuid=Utility::makeUidNumeric(::arg()["setuid"]); 
    
    g_anyToTcp = ::arg().mustDo("any-to-tcp");
-   g_addSuperfluousNSEC3 = ::arg().mustDo("add-superfluous-nsec3-for-old-bind");
 
    DNSPacket::s_udpTruncationThreshold = std::max(512, ::arg().asNum("udp-truncation-threshold"));
    DNSPacket::s_doEDNSSubnetProcessing = ::arg().mustDo("edns-subnet-processing");
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 001d7d0b71..bcd59d3e4c 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -642,9 +642,7 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
     closest=target;
 
   // add matching NSEC3 RR
-  // we used to skip this one for mode 3, but old BIND needs it
-  // see https://github.com/PowerDNS/pdns/issues/814
-  if (mode != 3 || g_addSuperfluousNSEC3) {
+  if (mode != 3) {
     unhashed=(mode == 0 || mode == 1 || mode == 5) ? target : closest;
     hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
     DLOG(L<<"1 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl);
diff --git a/pdns/pdns.conf-dist b/pdns/pdns.conf-dist
index 4ee3f85781..fd3ddb1aee 100644
--- a/pdns/pdns.conf-dist
+++ b/pdns/pdns.conf-dist
@@ -1,9 +1,4 @@
 # Autogenerated configuration file template
-#################################
-# add-superfluous-nsec3-for-old-bind	Add superfluous NSEC3 record to positive wildcard response
-#
-# add-superfluous-nsec3-for-old-bind=yes
-
 #################################
 # allow-2136-from	A global setting to allow RFC2136 from these IP ranges.
 #
diff --git a/regression-tests/tests/any-wildcard-dnssec/expected_result.narrow b/regression-tests/tests/any-wildcard-dnssec/expected_result.narrow
index d32de2872e..dc937bb7ca 100644
--- a/regression-tests/tests/any-wildcard-dnssec/expected_result.narrow
+++ b/regression-tests/tests/any-wildcard-dnssec/expected_result.narrow
@@ -1,7 +1,5 @@
 0	www.something.wtest.com.	IN	A	3600	4.3.2.1
 0	www.something.wtest.com.	IN	RRSIG	3600	A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
-1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd 54NJS65S8U96TKFFRFT6L7J1T1556VIL TXT RRSIG
-1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 1	7q60llva2bt9ucubvn553q9s2pf8ho38.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd 7Q60LLVA2BT9UCUBVN553Q9S2PF8HO3A
 1	7q60llva2bt9ucubvn553q9s2pf8ho38.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2	.	IN	OPT	32768	
diff --git a/regression-tests/tests/any-wildcard-dnssec/expected_result.nsec3 b/regression-tests/tests/any-wildcard-dnssec/expected_result.nsec3
index 9cec8cc17e..5d117598ef 100644
--- a/regression-tests/tests/any-wildcard-dnssec/expected_result.nsec3
+++ b/regression-tests/tests/any-wildcard-dnssec/expected_result.nsec3
@@ -1,7 +1,5 @@
 0	www.something.wtest.com.	IN	A	3600	4.3.2.1
 0	www.something.wtest.com.	IN	RRSIG	3600	A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
-1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd 67I2ESLUBOJ7DPG4263L3T8DV19G6D0G TXT RRSIG
-1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 1	7k2dfhl64f0ndftst8u5rr5euminddvb.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd 95QOQ246KN3VM7HL8KVG8O45JIHMNLNG A RRSIG
 1	7k2dfhl64f0ndftst8u5rr5euminddvb.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2	.	IN	OPT	32768	
diff --git a/regression-tests/tests/cname-wildcard-chain/expected_result.narrow b/regression-tests/tests/cname-wildcard-chain/expected_result.narrow
index 746bf5923c..2b1a993a17 100644
--- a/regression-tests/tests/cname-wildcard-chain/expected_result.narrow
+++ b/regression-tests/tests/cname-wildcard-chain/expected_result.narrow
@@ -12,20 +12,10 @@
 0	x.y.z.w5.example.com.	IN	RRSIG	120	A 8 3 120 [expiry] [inception] [keytag] example.com. ...
 1	6jmrie0v0hnp2flflt36lur7c08n9h45.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd 6JMRIE0V0HNP2FLFLT36LUR7C08N9H47
 1	6jmrie0v0hnp2flflt36lur7c08n9h45.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1	936eebq7jr1uc4bn1maa69a3aupeitfc.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd 936EEBQ7JR1UC4BN1MAA69A3AUPEITFD
-1	936eebq7jr1uc4bn1maa69a3aupeitfc.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1	a376dj0hnucs849r3dp2evrvbg967oeu.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd A376DJ0HNUCS849R3DP2EVRVBG967OEV
-1	a376dj0hnucs849r3dp2evrvbg967oeu.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1	akad2jtk186u143vhl92en81u06ljna5.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd AKAD2JTK186U143VHL92EN81U06LJNA6
-1	akad2jtk186u143vhl92en81u06ljna5.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1	atcf56s7ucntm82nht67p3g2nqteplou.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd ATCF56S7UCNTM82NHT67P3G2NQTEPLP0
 1	atcf56s7ucntm82nht67p3g2nqteplou.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1	b3mj2rag3tfrk0cbk5uvlm9hnt6k6tmj.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd B3MJ2RAG3TFRK0CBK5UVLM9HNT6K6TMK
-1	b3mj2rag3tfrk0cbk5uvlm9hnt6k6tmj.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1	b6drqdikagd74fa5eme4sdiek1s06343.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd B6DRQDIKAGD74FA5EME4SDIEK1S06345
 1	b6drqdikagd74fa5eme4sdiek1s06343.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1	bi61d8htvrnfktnig400n722d2v3lq1i.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd BI61D8HTVRNFKTNIG400N722D2V3LQ1J
-1	bi61d8htvrnfktnig400n722d2v3lq1i.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1	lr0g3vnj9r0nvtlsjnf8eqa68sqj06qg.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd LR0G3VNJ9R0NVTLSJNF8EQA68SQJ06QI
 1	lr0g3vnj9r0nvtlsjnf8eqa68sqj06qg.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1	vsfa79vv78gd61567bkcai646ta0p276.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd VSFA79VV78GD61567BKCAI646TA0P278
diff --git a/regression-tests/tests/cname-wildcard-chain/expected_result.nsec3 b/regression-tests/tests/cname-wildcard-chain/expected_result.nsec3
index 4f4b838bad..6d89b279f8 100644
--- a/regression-tests/tests/cname-wildcard-chain/expected_result.nsec3
+++ b/regression-tests/tests/cname-wildcard-chain/expected_result.nsec3
@@ -12,20 +12,10 @@
 0	x.y.z.w5.example.com.	IN	RRSIG	120	A 8 3 120 [expiry] [inception] [keytag] example.com. ...
 1	6jljjg5vg8ab1latv5khfq52jjpdlp9t.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd 6JNMPRJN08RFG8QRUMBN91V2UURTV527 A RRSIG
 1	6jljjg5vg8ab1latv5khfq52jjpdlp9t.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1	936eebq7jr1uc4bn1maa69a3aupeitfc.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd 938CRGVGJ6PEHDHT49EJCEIIRMH75IJ8
-1	936eebq7jr1uc4bn1maa69a3aupeitfc.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1	a376dj0hnucs849r3dp2evrvbg967oeu.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd A37U32P0GF09BE4EHU7VTEESS1GU45UB
-1	a376dj0hnucs849r3dp2evrvbg967oeu.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1	akad2jtk186u143vhl92en81u06ljna5.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd AKATF5BN9NMCT00E5PLMMOJM196CHN71
-1	akad2jtk186u143vhl92en81u06ljna5.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1	atbcoh7l1gr1cbifhkt3ikmv2o60g8sc.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd ATEJUO2QMEO1FORSEB6KH9B0DMVFRK08 A RRSIG
 1	atbcoh7l1gr1cbifhkt3ikmv2o60g8sc.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1	b3mj2rag3tfrk0cbk5uvlm9hnt6k6tmj.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd B3ONOQ30J349UAJOB6H2FM1FIT3TOJKR
-1	b3mj2rag3tfrk0cbk5uvlm9hnt6k6tmj.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1	b6cdleeregn514pnp2jgmtd67ig3q4qs.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd B6J68ESSIMG1HC5MGJ3B3OQUKL9PKEQB A RRSIG
 1	b6cdleeregn514pnp2jgmtd67ig3q4qs.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1	bi61d8htvrnfktnig400n722d2v3lq1i.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd BI7NGLVDS01SK3172JRF6UPDINT4OEDL
-1	bi61d8htvrnfktnig400n722d2v3lq1i.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1	lqu3s8oae1ipc1iobnslma8igo1335a4.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd LR1LEP75CII4P0CLER3MLLQBO1TGKHDO A RRSIG
 1	lqu3s8oae1ipc1iobnslma8igo1335a4.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1	vscvfu442fdlbq07jpd7bdocd3ig7fo8.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd VSGNH606MUV7BFQFN3TRH1D5FKP1IPIV A RRSIG
diff --git a/regression-tests/tests/ent-wildcard-below-ent/expected_result.narrow b/regression-tests/tests/ent-wildcard-below-ent/expected_result.narrow
index 90a1d81b3c..d5143be038 100644
--- a/regression-tests/tests/ent-wildcard-below-ent/expected_result.narrow
+++ b/regression-tests/tests/ent-wildcard-below-ent/expected_result.narrow
@@ -2,8 +2,6 @@
 0	something.a.b.c.test.com.	IN	RRSIG	3600	A 8 5 3600 [expiry] [inception] [keytag] test.com. ...
 1	qjeirdhb04ir4vbs5pbbhbue69dlq9nr.test.com.	IN	NSEC3	86400	1 [flags] 1 abcd QJEIRDHB04IR4VBS5PBBHBUE69DLQ9NT
 1	qjeirdhb04ir4vbs5pbbhbue69dlq9nr.test.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
-1	vlvujatanof6feajoesti9kq4s0crst3.test.com.	IN	NSEC3	86400	1 [flags] 1 abcd VLVUJATANOF6FEAJOESTI9KQ4S0CRST4
-1	vlvujatanof6feajoesti9kq4s0crst3.test.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
 2	.	IN	OPT	32768	
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='something.a.b.c.test.com.', qtype=A
diff --git a/regression-tests/tests/ent-wildcard-below-ent/expected_result.nsec3 b/regression-tests/tests/ent-wildcard-below-ent/expected_result.nsec3
index 62c0665c30..84c6ef54e5 100644
--- a/regression-tests/tests/ent-wildcard-below-ent/expected_result.nsec3
+++ b/regression-tests/tests/ent-wildcard-below-ent/expected_result.nsec3
@@ -2,8 +2,6 @@
 0	something.a.b.c.test.com.	IN	RRSIG	3600	A 8 5 3600 [expiry] [inception] [keytag] test.com. ...
 1	qd81ag9inqts1ocs7api0pji94k27btr.test.com.	IN	NSEC3	86400	1 [flags] 1 abcd S6G5SHC1JVOVL5FL9E943ADLONQLN7G4 CNAME RRSIG
 1	qd81ag9inqts1ocs7api0pji94k27btr.test.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
-1	vlvujatanof6feajoesti9kq4s0crst3.test.com.	IN	NSEC3	86400	1 [flags] 1 abcd 0BH8DI769I8VVTKDDS8EFJDA19ABIGO5
-1	vlvujatanof6feajoesti9kq4s0crst3.test.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
 2	.	IN	OPT	32768	
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='something.a.b.c.test.com.', qtype=A
diff --git a/regression-tests/tests/five-levels-wildcard-one-below-apex/expected_result.narrow b/regression-tests/tests/five-levels-wildcard-one-below-apex/expected_result.narrow
index 3933943f79..7283555c9f 100644
--- a/regression-tests/tests/five-levels-wildcard-one-below-apex/expected_result.narrow
+++ b/regression-tests/tests/five-levels-wildcard-one-below-apex/expected_result.narrow
@@ -1,7 +1,5 @@
 0	www.a.b.c.d.e.something.wtest.com.	IN	A	3600	4.3.2.1
 0	www.a.b.c.d.e.something.wtest.com.	IN	RRSIG	3600	A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
-1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd 54NJS65S8U96TKFFRFT6L7J1T1556VIL TXT RRSIG
-1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 1	pqgjjrj5si55uc1208gt1hp1k217fhqu.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd PQGJJRJ5SI55UC1208GT1HP1K217FHR0
 1	pqgjjrj5si55uc1208gt1hp1k217fhqu.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2	.	IN	OPT	32768	
diff --git a/regression-tests/tests/five-levels-wildcard-one-below-apex/expected_result.nsec3 b/regression-tests/tests/five-levels-wildcard-one-below-apex/expected_result.nsec3
index 75988a08d5..3a4e9a1dce 100644
--- a/regression-tests/tests/five-levels-wildcard-one-below-apex/expected_result.nsec3
+++ b/regression-tests/tests/five-levels-wildcard-one-below-apex/expected_result.nsec3
@@ -1,7 +1,5 @@
 0	www.a.b.c.d.e.something.wtest.com.	IN	A	3600	4.3.2.1
 0	www.a.b.c.d.e.something.wtest.com.	IN	RRSIG	3600	A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
-1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd 67I2ESLUBOJ7DPG4263L3T8DV19G6D0G TXT RRSIG
-1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 1	pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd SHEGK154N8362AG22AR9VDDRF3127M6I A RRSIG
 1	pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2	.	IN	OPT	32768	
diff --git a/regression-tests/tests/five-levels-wildcard/expected_result.narrow b/regression-tests/tests/five-levels-wildcard/expected_result.narrow
index 9ebb71d062..2736694ec1 100644
--- a/regression-tests/tests/five-levels-wildcard/expected_result.narrow
+++ b/regression-tests/tests/five-levels-wildcard/expected_result.narrow
@@ -1,7 +1,5 @@
 0	www.a.b.c.d.e.wtest.com.	IN	A	3600	6.7.8.9
 0	www.a.b.c.d.e.wtest.com.	IN	RRSIG	3600	A 8 7 3600 [expiry] [inception] [keytag] wtest.com. ...
-1	bagsltiumgoavhe3ig8960l8j2il0mh8.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd BAGSLTIUMGOAVHE3IG8960L8J2IL0MH9 TXT RRSIG
-1	bagsltiumgoavhe3ig8960l8j2il0mh8.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 1	pet5iqbgccga60p2n38nmuanrk50papg.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd PET5IQBGCCGA60P2N38NMUANRK50PAPI
 1	pet5iqbgccga60p2n38nmuanrk50papg.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2	.	IN	OPT	32768	
diff --git a/regression-tests/tests/five-levels-wildcard/expected_result.nsec3 b/regression-tests/tests/five-levels-wildcard/expected_result.nsec3
index cb12311459..28c063dcbe 100644
--- a/regression-tests/tests/five-levels-wildcard/expected_result.nsec3
+++ b/regression-tests/tests/five-levels-wildcard/expected_result.nsec3
@@ -1,7 +1,5 @@
 0	www.a.b.c.d.e.wtest.com.	IN	A	3600	6.7.8.9
 0	www.a.b.c.d.e.wtest.com.	IN	RRSIG	3600	A 8 7 3600 [expiry] [inception] [keytag] wtest.com. ...
-1	bagsltiumgoavhe3ig8960l8j2il0mh8.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd CV382M4JQHLE9U45MDQFH64VP0JBFPN5 TXT RRSIG
-1	bagsltiumgoavhe3ig8960l8j2il0mh8.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 1	pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd SHEGK154N8362AG22AR9VDDRF3127M6I A RRSIG
 1	pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2	.	IN	OPT	32768	
diff --git a/regression-tests/tests/nsecx-mode3-wildcard/expected_result.narrow b/regression-tests/tests/nsecx-mode3-wildcard/expected_result.narrow
index 18973c7f6b..e22fd72641 100644
--- a/regression-tests/tests/nsecx-mode3-wildcard/expected_result.narrow
+++ b/regression-tests/tests/nsecx-mode3-wildcard/expected_result.narrow
@@ -1,7 +1,5 @@
 0	second.first.something.wtest.com.	IN	A	3600	4.3.2.1
 0	second.first.something.wtest.com.	IN	RRSIG	3600	A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
-1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd 54NJS65S8U96TKFFRFT6L7J1T1556VIL TXT RRSIG
-1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 1	d0rjlf3tful8jfjk86vi5ce50nuea9a6.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd D0RJLF3TFUL8JFJK86VI5CE50NUEA9A8
 1	d0rjlf3tful8jfjk86vi5ce50nuea9a6.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2	.	IN	OPT	32768	
diff --git a/regression-tests/tests/nsecx-mode3-wildcard/expected_result.nsec3 b/regression-tests/tests/nsecx-mode3-wildcard/expected_result.nsec3
index 0c2216dd18..8590874deb 100644
--- a/regression-tests/tests/nsecx-mode3-wildcard/expected_result.nsec3
+++ b/regression-tests/tests/nsecx-mode3-wildcard/expected_result.nsec3
@@ -1,7 +1,5 @@
 0	second.first.something.wtest.com.	IN	A	3600	4.3.2.1
 0	second.first.something.wtest.com.	IN	RRSIG	3600	A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
-1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd 67I2ESLUBOJ7DPG4263L3T8DV19G6D0G TXT RRSIG
-1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 1	cv382m4jqhle9u45mdqfh64vp0jbfpn5.wtest.com.	IN	NSEC3	86400	1 [flags] 1 abcd J02K7MH36PLGFKRS6UTOCESCCQ5P7EOB A RRSIG
 1	cv382m4jqhle9u45mdqfh64vp0jbfpn5.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2	.	IN	OPT	32768