183c183
<       [RFC4034], when the hashed owner names are in base32, encoded with
---
>       [RFC4034], when the hashed owner names are in base32hex, encoded with
214c214
<    Base32:  the "Base 32 Encoding with Extended Hex Alphabet" as
---
>    base32hex:  the "Base 32 Encoding with Extended Hex Alphabet" as
286c286
<    The owner name for the NSEC3 RR is the base32 encoding of the hashed
---
>    The owner name for the NSEC3 RR is the base32hex encoding of the hashed
408c408
<    The next hashed owner name is not base32 encoded, unlike the owner
---
>    The next hashed owner name is not base32hex encoded, unlike the owner
482c482
<       sequence of case-insensitive base32 digits, without whitespace.
---
>       sequence of case-insensitive base32hex digits, without whitespace.
822,824c822,830
<    The server MUST include the NSEC3 RR that matches QNAME.  This NSEC3
<    RR MUST NOT have the bits corresponding to either the QTYPE or CNAME
<    set in its Type Bit Maps field.
---
>   If the No Data Response is a result of an empty non-terminal derived 
>   from an insecure delegation covered by an Opt-Out NSEC3 RR, the 
>   closest provable encloser proof MUST be included in the response.  
>   The included NSEC3 RR that covers the "next closer" name for the 
>   delegation MUST have the Opt-Out flag set to one. 
> 
>   In all other cases, the server MUST include the NSEC3 RR that matches 
>   QNAME.  This NSEC3 RR MUST NOT have the bits corresponding to either 
>   the QTYPE or CNAME set in its Type Bit Maps field.
1067,1073c1073,1086
<    The validator MUST verify that an NSEC3 RR that matches QNAME is
<    present and that both the QTYPE and the CNAME type are not set in its
<    Type Bit Maps field.
< 
<    Note that this test also covers the case where the NSEC3 RR exists
<    because it corresponds to an empty non-terminal, in which case the
<    NSEC3 RR will have an empty Type Bit Maps field.
---
>   If there is an NSEC3 RR that matches QNAME present, the validator must 
>   check that both the QTYPE and the CNAME type are not set in its Type 
>   Bit Maps field.
> 
>   Note that this test also covers the case where the NSEC3 RR exists
>   because it corresponds to an empty non-terminal, in which case the
>   NSEC3 RR will have an empty Type Bit Maps field.
> 
>   If there is no NSEC3 RR present that matches QNAME, then the validator 
>   MUST verify a closest provable encloser proof for the QNAME.  The 
>   validator MUST verify that the Opt-Out bit is set in the NSEC3 RR that 
>   covers the "next closer" name to the delegation name. This test covers 
>   the case where the response is due to an Empty Non-Terminal derived 
>   from an insecure delegation covered by an Opt-Out NSEC3 RR.