No, that’s NSEC / NSEC3.
And yes, it’s difficult.
If a wildcard
*.example.com exists, the domain name
www.example.com exists via wildcard expansion.
Then the CAA +
www.example.com -> the domain name exists, so it must be a NoError (error 0) /NoData result, not a NXDOMAIN (= error 3).
But a NoError requires a NSEC that proves that
www.example.com doesn’t exist and a second NSEC that proves that
*.example.com exists and has a Bitmap without the CAA flag (empty result).
PS: Rereading the check result I see, my interpretation is wrong.
Why: A +
www.lokalboligsluseholmen.dk has the result:
RRSIG Type 1 validates the A - Result: 18.104.22.168
Validated: RRSIG-Owner www.lokalboligsluseholmen.dk., Algorithm: 13, 3 Labels, original TTL: 3600 sec, Signature-expiration: 24.09.2020, 00:00:00 +, Signature-Inception: 03.09.2020, 00:00:00 +, KeyTag 20101, Signer-Name: lokalboligsluseholmen.dk
The query has 3 labels, the RRSIG Label field = 3, so
www.lokalboligsluseholmen.dk exists directly, so the wildcard expansion isn’t used. (Wildcard expansion would be visible with RRSIG Label field = 2 < query with 3 labels).
But then the NSEC is completely wrong (so the result is bogus):
CAA-Query sends a valid NSEC RR as result with the NSEC-owner “lokalboligsluseholmen.dk” equal the NextOwner “lokalboligsluseholmen.dk”. So the zone confirmes that no other domain name exists.
A query www with an NSEC with owner
main-domain and NextOwner =
main-domain says: There exists only that domain name in the zone, nothing else. No www, no wildcard. Then, a NXDomain result is expected. But the result is a NoError/NoData -> bogus.
Didn’t checked that 3 = 3.
PS: To read: