internetstandards / Internet.nl

Internet standards compliance test suite
https://internet.nl

Test for DNSSEC opt-out #715

Open baknu opened 2 years ago

baknu commented 2 years ago

From mail GT (13th of June, 2022):

V. points out that although the zone is signed and replies are secure, in the case of these NXDOMAIN responses (and for NODATA answers; so negative answers) an opt-out NSEC3 record is used, marking the negative replies as insecure. This is no good for DANE, where you need an authentic denial of existence answer in a DNSSEC signed zone. Since they are using online signing with narrow responses (what you requested exactly does not exist; different from the usual range of domain names that do not exist), there is no point in doing opt-out and lowering the security of their denial of existence responses.

Internet.nl is already checking for bogus nodata answers for the DANE test (per V.'s earlier remarks and examples, which I don't recall at the moment) but not for this case with the opt-out record. A first thought would be to add the check in the existence test and provide the same result as with the bogus case, where "At least one of your mail server domains does not provide DNSSEC proof that DANE TLSA records do not exist", if the nodata comes back as insecure. This, however, will change the result for all unsigned domains from "not having TLSA records" to "no DNSSEC proof", which I find ok since DNSSEC is a prerequisite. (For unsigned domains with TLSA records the result would be that TLSA records exist but they are not valid.)
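To make the opt-out problem concrete, here is an added example (not Internet.nl code, and not from the mail above) that hashes a TLSA owner name per RFC 5155, finds the NSEC3 record covering it in a constructed toy chain, and classifies the denial as secure, insecure (opt-out set) or bogus, then maps that to the DANE test outcome the comment proposes. The zone names, the `NSEC3`/`classify_denial`/`dane_verdict` names and the verdict strings are assumptions for illustration.

```python
import hashlib
from collections import namedtuple

OPT_OUT = 0x01  # NSEC3 flags bit, RFC 5155 section 3.1.2.1
NSEC3 = namedtuple("NSEC3", "owner_hash flags next_hash")  # raw digests, not base32hex

def name_to_wire(name: str) -> bytes:
    """Canonical lowercase wire form of a name (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> bytes:
    """NSEC3 hash of a name (RFC 5155 section 5): SHA-1, re-salted each iteration."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest

def find_covering(h: bytes, chain: list):
    """NSEC3 whose (owner, next) span covers h; the last record wraps around."""
    for rec in chain:
        if rec.owner_hash < rec.next_hash:
            if rec.owner_hash < h < rec.next_hash:
                return rec
        elif h > rec.owner_hash or h < rec.next_hash:  # owner >= next: wrap-around
            return rec
    return None

def classify_denial(qname: str, chain: list, salt: bytes = b"", iterations: int = 0) -> str:
    """'secure': covered by an NSEC3 with opt-out clear; 'insecure': covered by an
    opt-out NSEC3 (RFC 5155 section 9.2, validator returns Insecure); 'bogus': none."""
    rec = find_covering(nsec3_hash(qname, salt, iterations), chain)
    if rec is None:
        return "bogus"
    return "insecure" if rec.flags & OPT_OUT else "secure"

def dane_verdict(status: str) -> str:
    """Outcome the issue proposes for the DANE existence test, from the denial's status."""
    if status == "secure":
        return "no TLSA records, with DNSSEC proof of non-existence"
    return "no DNSSEC proof that TLSA records do not exist"

def demo_chain(flags: int, names=("example.test", "mail.example.test")) -> list:
    """Constructed two-record chain for a toy zone, in hash order (wraps at the end)."""
    h = sorted(nsec3_hash(n) for n in names)
    return [NSEC3(h[0], flags, h[1]), NSEC3(h[1], flags, h[0])]

for flags in (0, OPT_OUT):  # _25._tcp.mail.example.test is absent from the toy zone
    status = classify_denial("_25._tcp.mail.example.test", demo_chain(flags))
    print(f"opt-out {'set' if flags else 'clear'}: {status} -> {dane_verdict(status)}")
```

The model covers only the NXDOMAIN case (a covering NSEC3 for a name that does not exist); a NODATA proof at an existing name additionally needs the type bitmap of the matching NSEC3, which is left out here.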

baknu commented 2 years ago

This relates to testing other DNSSEC settings: #34, #184, #244, and #716.