// newNSEC3CEandWildcard synthesises two unsigned NSEC3 records under apex for
// the closest encloser ce. The first record's owner name is the hash of ce
// itself; the second record's owner/next pair is placed around the hash of
// "*."+ce so that it denies a wildcard at that level. Both records use SHA-1
// with zero additional iterations and an empty salt, and ttl is copied into
// each header.
//
// NOTE(review): the ranges look like narrow "hash-1 .. hash+1" spans built on
// the fly rather than the zone's real NSEC3 chain, which keeps neighbouring
// hashed names out of the answer — this depends on what byteArith does; confirm.
// NOTE(review): a complete name-error proof normally also needs an NSEC3 that
// covers the next closer name; it is not produced here, so presumably the
// caller adds it — verify.
// NOTE(review): HashLength and SaltLength are never set; confirm the dns
// package version in use derives them when packing, otherwise the wire form
// would carry a zero hash length.
func newNSEC3CEandWildcard(apex, ce string, ttl uint32) (*dns.NSEC3, *dns.NSEC3) {
	// blank yields an NSEC3 carrying the header fields and hash parameters
	// common to both records; owner name, NextDomain and TypeBitMap are
	// filled in by the code below.
	blank := func() *dns.NSEC3 {
		rr := &dns.NSEC3{Hash: dns.SHA1, Flags: 0, Iterations: 0, Salt: ""}
		rr.Hdr.Class = dns.ClassINET
		rr.Hdr.Rrtype = dns.TypeNSEC3
		rr.Hdr.Ttl = ttl
		return rr
	}

	// Record matching the closest encloser.
	match := blank()
	// NOTE(review): this bitmap is fixed, so it asserts SOA and DNSKEY at ce
	// whatever ce actually holds; that is only accurate when ce is the zone
	// apex — confirm against callers.
	match.TypeBitMap = []uint16{dns.TypeA, dns.TypeNS, dns.TypeSOA, dns.TypeAAAA, dns.TypeRRSIG, dns.TypeDNSKEY}
	ceHash := dns.HashName(ce, dns.SHA1, match.Iterations, match.Salt)
	match.Hdr.Name = strings.ToLower(ceHash) + "." + apex
	edge := packBase32(ceHash)
	// byteArith is defined elsewhere; presumably it steps the packed hash up
	// (true) or down (false) by one in place — confirm, including how it
	// behaves when the value would wrap.
	byteArith(edge, true)
	match.NextDomain = unpackBase32(edge)

	// Record covering the wildcard directly below the closest encloser.
	// Its TypeBitMap is left nil.
	cover := blank()
	wildHash := dns.HashName("*."+ce, dns.SHA1, cover.Iterations, cover.Salt)
	edge = packBase32(wildHash)
	byteArith(edge, false) // owner sits one step below the wildcard hash
	cover.Hdr.Name = strings.ToLower(unpackBase32(edge)) + "." + apex
	// Two steps up from the owner: past the wildcard hash itself and on to
	// the value after it, which becomes the end of the covered range.
	for step := 0; step < 2; step++ {
		byteArith(edge, true)
	}
	cover.NextDomain = unpackBase32(edge)

	return match, cover
}