// newNSEC3CEandWildcard builds the two NSEC3 records used for a
// closest-encloser proof below apex: the first is owned by the hash of ce,
// the second spans the hash of the wildcard "*."+ce. Both carry ttl and use
// SHA-1 with zero additional iterations and an empty salt.
//
// Each record is as narrow as the helpers allow: the owner-to-next interval is
// derived from the computed hash by stepping it with byteArith, not from
// real neighbouring names in the zone. NOTE(review): this resembles minimally
// covering NSEC3 ("white lies", RFC 7129 appendix B), which limits what a
// response reveals about other names in the zone - confirm that is the intent.
//
// apex is appended verbatim after a "."; presumably callers pass a fully
// qualified, already lower-cased zone name - verify against callers.
func newNSEC3CEandWildcard(apex, ce string, ttl uint32) (*dns.NSEC3, *dns.NSEC3) {
	// blank returns an NSEC3 with the header and hash parameters that both
	// records share. Iterations 0 and an empty salt match the RFC 9276
	// guidance; the values are spelled out so that the HashName calls below
	// visibly use the same parameters the record advertises.
	blank := func() *dns.NSEC3 {
		rr := new(dns.NSEC3)
		rr.Hdr.Class = dns.ClassINET
		rr.Hdr.Rrtype = dns.TypeNSEC3
		rr.Hdr.Ttl = ttl
		rr.Hash = dns.SHA1
		rr.Flags = 0
		rr.Iterations = 0
		rr.Salt = ""
		return rr
	}

	// Record 1: owner name is exactly the hash of the closest encloser.
	encloser := blank()
	// NOTE(review): the bitmap always lists SOA, NS and DNSKEY, which are
	// normally apex-only types - confirm callers only pass ce == apex, or that
	// advertising these types at a deeper closest encloser is acceptable.
	encloser.TypeBitMap = []uint16{dns.TypeA, dns.TypeNS, dns.TypeSOA, dns.TypeAAAA, dns.TypeRRSIG, dns.TypeDNSKEY}

	ceHash := dns.HashName(ce, dns.SHA1, encloser.Iterations, encloser.Salt)
	encloser.Hdr.Name = strings.ToLower(ceHash) + "." + apex

	ceBuf := packBase32(ceHash)
	// Step to the hash directly after the owner. byteArith edits the buffer in
	// place (its result, if any, is not used). NOTE(review): behaviour at the
	// all-ones / all-zero hash boundary depends on byteArith, not visible here.
	byteArith(ceBuf, true)
	encloser.NextDomain = unpackBase32(ceBuf)

	// Record 2: no type bitmap; its interval surrounds the wildcard's hash
	// rather than matching it.
	wildcard := blank()

	wcHash := dns.HashName("*."+ce, dns.SHA1, wildcard.Iterations, wildcard.Salt)
	wcBuf := packBase32(wcHash)

	// Owner is the hash just before the wildcard hash.
	byteArith(wcBuf, false)
	wildcard.Hdr.Name = strings.ToLower(unpackBase32(wcBuf)) + "." + apex

	// Two steps forward from (hash - 1) gives (hash + 1) as the next name.
	byteArith(wcBuf, true)
	byteArith(wcBuf, true)
	wildcard.NextDomain = unpackBase32(wcBuf)

	return encloser, wildcard
}