;
DNSSEC mxdane256ta MX 1 dane256ta
DNSSEC dane256ta A HOSTIPV4
-DNSSEC _1225._tcp.dane256ta TLSA 2 0 1 87712b46e3c444c9a58edaa9dbe34c26b81cefb658a002b267ee3223fd9219cd
+DNSSEC _1225._tcp.dane256ta TLSA 2 0 1 eec923139018c540a344c5191660ecba1ac3708525a98bfc338e17f31d3fa741
; A multiple-return MX where all TLSA lookups defer
DNSSEC _1225._tcp.danelazy CNAME test.again.dns.
DNSSEC _1225._tcp.danelazy2 CNAME test.again.dns.
-; hosts with no TLSA
+; hosts with no TLSA (just missing here, hence the TLSA NXDMAIN is _insecure_; a broken dane config)
+; 1 for dane-required, 2 for merely requested
DNSSEC dane.no.1 A HOSTIPV4
DNSSEC dane.no.2 A 127.0.0.1
+; a broken dane config (or under attack) where the TLSA lookup fails (as opposed to there not being one)
+DNSSEC danebroken1 A 127.0.0.1
+_1225._tcp.danebroken1 CNAME test.fail.dns.
+
+; a good dns config saying there is no dane support, by securely returning NOXDOMAIN for TLSA lookups
+; 3 for dane-required, 4 for merely requested
+; the TLSA data here is dummy; ignored
+DNSSEC dane.no.3 A HOSTIPV4
+DNSSEC dane.no.4 A 127.0.0.1
+
+DNSSEC NXDOMAIN _1225._tcp.dane.no.3 TLSA 2 0 1 eec923139018c540a344c5191660ecba1ac3708525a98bfc338e17f31d3fa741
+DNSSEC NXDOMAIN _1225._tcp.dane.no.4 TLSA 2 0 1 eec923139018c540a344c5191660ecba1ac3708525a98bfc338e17f31d3fa741
+
; ------- Testing delays ------------
DELAY=500 delay500 A HOSTIPV4