drill RR not covered by the given NSEC RRs for opt-out delegations #269

Open
simtomas opened this issue Jan 30, 2025 · 0 comments
Hello,

I've noticed that drill claims "Error in denial of existence: RR not covered by the given NSEC RRs" when testing a domain which has NS records (but no DS) in a TLD using NSEC3 with opt-out.

For example:

dig @a.root-servers.net eu ds > EU.ds
drill -S -s -t -k EU.ds @w.dns.eu test.eu
;; Number of trusted keys: 1
;; Chasing: test.eu. A
DNSSEC Trust tree:
test.eu. (A)
|---Error in denial of existence: RR not covered by the given NSEC RRs
|---cs7nl1v9tgtkj2d4ipjvdfm81ohcdd0c.eu. (NSEC3)
|   |---eu. (DNSKEY keytag: 48186 alg: 8 flags: 256)
|       |---eu. (DNSKEY keytag: 35926 alg: 8 flags: 257)
|---Error in denial of existence: RR not covered by the given NSEC RRs
|---rl0ckuf552okcfll7uvgsckm511tcpol.eu. (NSEC3)
    |---eu. (DNSKEY keytag: 48186 alg: 8 flags: 256)
        |---eu. (DNSKEY keytag: 35926 alg: 8 flags: 257)
No trusted keys found in tree: first error was: RR not covered by the given NSEC RRs
;; Chase failed.

or

$ drill -s -t -k EU.ds @w.dns.eu test.eu
;; Number of trusted keys: 1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 11289
;; flags: qr rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 0 
;; QUESTION SECTION:
;; test.eu.	IN	A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
test.eu.	86400	IN	NS	dns.iwelt-ag.net.
test.eu.	86400	IN	NS	dns2.iwelt-ag.net.
test.eu.	86400	IN	NS	dns3.iwelt-ag.de.
cs7nl1v9tgtkj2d4ipjvdfm81ohcdd0c.eu.	600	IN	NSEC3	1 1 0 -  cs7o73fd8i0tp1g4pjbdui5oa3bjs55j NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534 
cs7nl1v9tgtkj2d4ipjvdfm81ohcdd0c.eu.	600	IN	RRSIG	NSEC3 8 2 600 20250201213602 20250125204415 48186 eu. Qz+WndkYE1qiWLFuo8edLuAssUfyIjw3Sc9V32B1/hbOriWTW40PcG+9PvtxmK5W2euP50JfpF7lRza5DbeX7J5/B9y9SlZGS9qOqCkWAMLu/1JpwCNTThXw1YvnI5ZMNLkaKL69uFCYrqnCqrh4iwUVC4YVv4wEZ44d3wYlNQM=
rl0ckuf552okcfll7uvgsckm511tcpol.eu.	600	IN	NSEC3	1 1 0 -  rl0ee5qh5cs0a3qtj45m0bbnoor9h9f5 NS DS RRSIG 
rl0ckuf552okcfll7uvgsckm511tcpol.eu.	600	IN	RRSIG	NSEC3 8 2 600 20250202034342 20250126025435 48186 eu. N4Y98LH3DDKFlhrps0JDdblN08IlZNEsETjE2v2dWxtZtQoC0EMjsC9A+2KnDJoue6Lw7mnQoXGRQvFSh0cXj5vbpx33veShK/J4d7QkTAIGF5x4KU4WPnkxvY6I52psP3r5R0INBZY3Qt38pn5vPHMaQuAAxqRtC/DJH3sMcV4=

;; ADDITIONAL SECTION:

;; Query time: 16 msec
;; EDNS: version 0; flags: do ; udp: 1400
;; SERVER: 2001:678:20::28
;; WHEN: Thu Jan 30 07:01:44 2025
;; MSG SIZE  rcvd: 632

; Bad data; RR for name and type not found or failed to verify, and denial of existence failed.

If testing for NXDOMAIN, the check works:

drill -S -s -t -k EU.ds @w.dns.eu testdsfsfsdf.eu
;; Number of trusted keys: 1
;; Chasing: testdsfsfsdf.eu. A


DNSSEC Trust tree:
testdsfsfsdf.eu. (A)
|---Existence is denied by:
|---7k1eotls803i8vg5ij0qus9sojhtc1ok.eu. (NSEC3)
|   |---eu. (DNSKEY keytag: 48186 alg: 8 flags: 256)
|       |---eu. (DNSKEY keytag: 35926 alg: 8 flags: 257)
|---Existence is denied by:
|---cs7nl1v9tgtkj2d4ipjvdfm81ohcdd0c.eu. (NSEC3)
|   |---eu. (DNSKEY keytag: 48186 alg: 8 flags: 256)
|       |---eu. (DNSKEY keytag: 35926 alg: 8 flags: 257)
|---Existence is denied by:
|---mm2cco24rnv426llflivi1qt8gjdufj7.eu. (NSEC3)
    |---eu. (DNSKEY keytag: 48186 alg: 8 flags: 256)
        |---eu. (DNSKEY keytag: 35926 alg: 8 flags: 257)
;; Chase successful

Am I using drill incorrectly, or is there an issue with NSEC3 / opt-out?
For reference, delv:

 delv +vtrace test.eu
;; fetch: test.eu/A
;; validating test.eu/A: starting
;; validating test.eu/A: attempting insecurity proof
;; validating test.eu/A: checking existence of DS at 'eu'
;; fetch: eu/DS
;; validating eu/DS: starting
;; validating eu/DS: attempting positive response validation
;; fetch: ./DNSKEY
;; validating ./DNSKEY: starting
;; validating ./DNSKEY: attempting positive response validation
;; validating ./DNSKEY: verify rdataset (keyid=20326): success
;; validating ./DNSKEY: marking as secure (DS)
;; validating eu/DS: in fetch_callback_dnskey
;; validating eu/DS: keyset with trust secure
;; validating eu/DS: resuming validate
;; validating eu/DS: verify rdataset (keyid=26470): success
;; validating eu/DS: marking as secure, noqname proof not needed
;; validating test.eu/A: in fetch_callback_ds
;; validating test.eu/A: resuming proveunsecure
;; validating test.eu/A: checking existence of DS at 'test.eu'
;; fetch: test.eu/DS
;; validating test.eu/DS: starting
;; validating test.eu/DS: attempting negative response validation from message
;;   validating eu/SOA: starting
;;   validating eu/SOA: attempting positive response validation
;; fetch: eu/DNSKEY
;; validating eu/DNSKEY: starting
;; validating eu/DNSKEY: attempting positive response validation
;; validating eu/DNSKEY: verify rdataset (keyid=35926): success
;; validating eu/DNSKEY: marking as secure (DS)
;;   validating eu/SOA: in fetch_callback_dnskey
;;   validating eu/SOA: keyset with trust secure
;;   validating eu/SOA: resuming validate
;;   validating eu/SOA: verify rdataset (keyid=48186): success
;;   validating eu/SOA: marking as secure, noqname proof not needed
;; validating test.eu/DS: in validator_callback_nsec
;; validating test.eu/DS: resuming validate_nx
;;   validating CS7NL1V9TGTKJ2D4IPJVDFM81OHCDD0C.eu/NSEC3: starting
;;   validating CS7NL1V9TGTKJ2D4IPJVDFM81OHCDD0C.eu/NSEC3: attempting positive response validation
;;   validating CS7NL1V9TGTKJ2D4IPJVDFM81OHCDD0C.eu/NSEC3: keyset with trust secure
;;   validating CS7NL1V9TGTKJ2D4IPJVDFM81OHCDD0C.eu/NSEC3: verify rdataset (keyid=48186): success
;;   validating CS7NL1V9TGTKJ2D4IPJVDFM81OHCDD0C.eu/NSEC3: marking as secure, noqname proof not needed
;; validating test.eu/DS: in validator_callback_nsec
;; validating test.eu/DS: resuming validate_nx
;;   validating RL0CKUF552OKCFLL7UVGSCKM511TCPOL.eu/NSEC3: starting
;;   validating RL0CKUF552OKCFLL7UVGSCKM511TCPOL.eu/NSEC3: attempting positive response validation
;;   validating RL0CKUF552OKCFLL7UVGSCKM511TCPOL.eu/NSEC3: keyset with trust secure
;;   validating RL0CKUF552OKCFLL7UVGSCKM511TCPOL.eu/NSEC3: verify rdataset (keyid=48186): success
;;   validating RL0CKUF552OKCFLL7UVGSCKM511TCPOL.eu/NSEC3: marking as secure, noqname proof not needed
;; validating test.eu/DS: in validator_callback_nsec
;; validating test.eu/DS: resuming validate_nx
;; validating test.eu/DS: looking for relevant NSEC3
;; validating test.eu/DS: looking for relevant NSEC3
;; validating test.eu/DS: looking for relevant NSEC3
;; validating test.eu/DS: NSEC3 indicates potential closest encloser: 'eu'
;; validating test.eu/DS: NSEC3 at super-domain eu
;; validating test.eu/DS: looking for relevant NSEC3
;; validating test.eu/DS: NSEC3 proves name does not exist: 'test.eu'
;; validating test.eu/DS: NSEC3 indicates optout
;; validating test.eu/DS: in checkwildcard: *.eu
;; validating test.eu/DS: looking for relevant NSEC3
;; validating test.eu/DS: NSEC3 at super-domain eu
;; validating test.eu/DS: looking for relevant NSEC3
;; validating test.eu/DS: in checkwildcard: *.eu
;; validating test.eu/DS: nonexistence proof(s) found
;; validating test.eu/A: in fetch_callback_ds
;; validating test.eu/A: marking as answer (fetch_callback_ds)
; unsigned answer
test.eu.		140	IN	A	128.65.209.96

says: ;; validating test.eu/DS: NSEC3 proves name does not exist: 'test.eu'
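The check that delv performs and drill does not in the report above is the RFC 5155 section 8.9 "referral to unsigned subzone" proof: find the closest encloser (here eu., matched by the first NSEC3 owner), then confirm that the next closer name (test.eu.) is covered by an NSEC3 record whose opt-out flag is set. The following is an added example written for this issue; it is not drill/ldns code and not the reporter's. It recomputes the NSEC3 hashes (algorithm 1 = SHA-1, 0 iterations, empty salt, as in the "1 1 0 -" records above) with only the standard library, and assumes the RRSIGs over the NSEC3 records have already been verified. The helper names (prove_insecure_delegation, covers, etc.) are made up for the example, and the records list is transcribed from the AUTHORITY section of the report.

```python
"""Check an NSEC3 opt-out insecure-delegation proof (RFC 5155 section 8.9).

Added example for this issue, not drill/ldns code. RRSIG verification is
assumed to have happened already; only the NSEC3 matching/covering logic is shown.
"""
import hashlib

# RFC 4648 "extended hex" alphabet: it sorts the same way as the raw hash
# bytes, so plain string comparison of owner hashes works for range checks.
B32HEX = "0123456789abcdefghijklmnopqrstuv"


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire format of a name, e.g. 'eu.' -> b'\\x02eu\\x00'."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def b32hex(data: bytes) -> str:
    """Base32hex without padding (the NSEC3 owner-name encoding)."""
    bits = "".join(f"{b:08b}" for b in data)
    return "".join(B32HEX[int(bits[i:i + 5].ljust(5, "0"), 2)]
                   for i in range(0, len(bits), 5))


def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """NSEC3 hash, algorithm 1 (SHA-1): H(x || salt), re-hashed `iterations` more times."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return b32hex(digest)


def covers(owner: str, nxt: str, target: str) -> bool:
    """True if the target hash lies strictly between owner and next in the chain."""
    if owner < nxt:
        return owner < target < nxt
    # The last record of the chain wraps around to the zone's smallest hash.
    return target > owner or target < nxt


def prove_insecure_delegation(qname, zone, records, hasher=nsec3_hash):
    """Classify a referral as 'secure', 'insecure' or 'bogus' from NSEC3 records.

    records: dicts with owner/next (base32hex hashes), flags (int), types (set of str).
    hasher: name -> hash; injectable so the logic can be exercised with constructed hashes.
    """
    labels = qname.rstrip(".").split(".")
    depth = len(labels) - len(zone.rstrip(".").split("."))
    by_owner = {r["owner"]: r for r in records}
    for i in range(depth + 1):  # walk from qname up to the zone apex
        candidate = ".".join(labels[i:])
        rec = by_owner.get(hasher(candidate))
        if rec is None:
            continue
        if i == 0:
            # qname itself is in the chain (not opted out): the type bitmap decides.
            if "NS" not in rec["types"]:
                return "bogus", f"{qname} exists but is not a delegation"
            if "DS" in rec["types"]:
                return "secure", f"{qname} has a DS; fetch and validate it"
            return "insecure", f"{qname} is a delegation with no DS"
        # candidate is the closest encloser; the next closer name must be
        # covered by a record whose opt-out flag (bit 0) is set.
        next_closer = ".".join(labels[i - 1:])
        target = hasher(next_closer)
        for r in records:
            if covers(r["owner"], r["next"], target):
                if r["flags"] & 1:
                    return "insecure", (f"closest encloser {candidate}; {next_closer} "
                                        f"covered by opt-out NSEC3 {r['owner']}")
                return "bogus", f"{next_closer} covered by NSEC3 {r['owner']} without opt-out"
        return "bogus", f"no NSEC3 covers next closer name {next_closer}"
    return "bogus", "no closest encloser found"


# Transcribed from the AUTHORITY section of the report: flags 1 = opt-out.
PAGE_RECORDS = [
    {"owner": "cs7nl1v9tgtkj2d4ipjvdfm81ohcdd0c", "next": "cs7o73fd8i0tp1g4pjbdui5oa3bjs55j",
     "flags": 1, "types": {"NS", "SOA", "RRSIG", "DNSKEY", "NSEC3PARAM", "TYPE65534"}},
    {"owner": "rl0ckuf552okcfll7uvgsckm511tcpol", "next": "rl0ee5qh5cs0a3qtj45m0bbnoor9h9f5",
     "flags": 1, "types": {"NS", "DS", "RRSIG"}},
]


def main():
    apex = nsec3_hash("eu")
    verdict = "matches" if apex == PAGE_RECORDS[0]["owner"] else "does not match"
    print(f"H(eu) = {apex} {verdict} the apex NSEC3 owner")
    print(prove_insecure_delegation("test.eu", "eu", PAGE_RECORDS))


if __name__ == "__main__":
    main()
```

Run stand-alone it hashes "eu" and "test.eu", looks for the apex match and the covering opt-out record, and reports the delegation as insecure, which is the outcome delv reaches ("NSEC3 indicates optout", then "unsigned answer"). A validator that only looks for an NSEC3 matching or covering the query name itself, without the closest encloser step and the opt-out flag, ends up with the "RR not covered" error shown for drill.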

@wtoorop wtoorop self-assigned this Jan 30, 2025