NSEC3 opt-out does not work if child and parent are on the same server
Attached test asks for unsigned2.box. SOA
and the request ends with SERVFAIL.
I believe that it should work because the domain is an unsigned delegation from parent, with child hosted on the same server. The delegation is inside opt-out range so resolver should verify unsigned status of zone and continue.
(I hope there is no mistake in the test, I did my best. If there is a mistake in test itself I apologize.)