diff --git a/pom.xml b/pom.xml
index 14b407d..38eb6d1 100644
--- a/pom.xml
+++ b/pom.xml
@@ -45,8 +45,14 @@ org.slf4j - slf4j-jdk14 - 1.7.18 + slf4j-log4j12 + 1.7.26 + test + + + log4j + log4j + 1.2.17 test
diff --git a/src/main/java/org/jitsi/dnssec/validator/NSEC3ValUtils.java b/src/main/java/org/jitsi/dnssec/validator/NSEC3ValUtils.java
index e9ba3ca..0df67f2 100644
--- a/src/main/java/org/jitsi/dnssec/validator/NSEC3ValUtils.java
+++ b/src/main/java/org/jitsi/dnssec/validator/NSEC3ValUtils.java
@@ -736,7 +736,7 @@ public SecurityStatus proveNoDS(List nsec3s, Name qname, Name zonename)
 return SecurityStatus.SECURE;
 }
- // Otherwise, we are probably in the opt-in case.
+ // Otherwise, we are probably in the opt-out case.
 CEResponse ce = this.proveClosestEncloser(qname, zonename, nsec3s);
 if (ce.status != SecurityStatus.SECURE) {
 return SecurityStatus.BOGUS;
@@ -745,11 +745,11 @@ public SecurityStatus proveNoDS(List nsec3s, Name qname, Name zonename)
 // If we had the closest encloser proof, then we need to check that the
 // covering NSEC3 was opt-in -- the proveClosestEncloser step already
 // checked to see if the closest encloser was a delegation or DNAME.
- if (ce.ncNsec3.getFlags() == 1) {
- return SecurityStatus.SECURE;
+ if ((ce.ncNsec3.getFlags() & Flags.OPT_OUT) != Flags.OPT_OUT) {
+ return SecurityStatus.BOGUS;
 }
- return SecurityStatus.BOGUS;
+ //RFC5155 section 9.2: if nc has optout then no AD flag set
+ return SecurityStatus.INSECURE;
 }
-
 }
diff --git a/src/main/java/org/jitsi/dnssec/validator/ValidatingResolver.java b/src/main/java/org/jitsi/dnssec/validator/ValidatingResolver.java
index 28a96ec..3b2f061 100644
--- a/src/main/java/org/jitsi/dnssec/validator/ValidatingResolver.java
+++ b/src/main/java/org/jitsi/dnssec/validator/ValidatingResolver.java
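Review bot: The replacement binding `slf4j-log4j12` and the new explicit `log4j` 1.2.17 artifact bring the log4j 1.x line into the build, and that line was declared end-of-life in 2015 and receives no security fixes. Both are `test` scope, so nothing ships in the library artifact, but the EOL dependency still sits on the test classpath, will be flagged by dependency scanners, and needs re-justifying on every review. A maintained SLF4J 1.7 binding such as `slf4j-simple` or `logback-classic` gives the same console logging for tests with a single dependency and no EOL code; the new `src/test/resources/log4j.properties` would then become the corresponding simplelogger or logback configuration. The element names of this hunk were lost in rendering, so the surrounding `<dependency>` structure cannot be checked here.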
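Review bot: The three context comment lines above the changed `if` still say the covering NSEC3 must have been "opt-in", while the new condition tests `Flags.OPT_OUT` and the first hunk already fixed the same wording a few lines earlier, so the comment now contradicts the code it introduces. I would change it to `// ... check that the covering NSEC3 had the Opt-Out flag set -- the proveClosestEncloser step already ...` and extend the new trailing comment to say why INSECURE is returned: `// RFC 5155 section 9.2: an Opt-Out NSEC3 proves the delegation may be unsigned, not that no DS exists, so the result is Insecure and the AD bit must not be set.` Masking with `Flags.OPT_OUT` instead of the old `== 1` is the right test for a single flag bit; whether `Flags` is an import or a nested type is not visible in the hunk. proveNoDS begins before this hunk and appears to close at the ` }` following the new return.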
@@ -912,15 +912,21 @@ private KeyEntry dsReponseToKeForNodata(SMessage response, Message request, SRRs
 switch (this.n3valUtils.proveNoDS(nsec3s, qname, nsec3Signer)) {
 case INSECURE:
- logger.debug("nsec3s proved no delegation.");
- return null;
+ // case insecure also continues to unsigned space.
+ // If nsec3-iter-count too high or optout, then treat below as unsigned
 case SECURE:
 KeyEntry nullKey = KeyEntry.newNullKeyEntry(qname, qclass, nsec3TTL);
 nullKey.setBadReason(R.get("insecure.ds.nsec3"));
 return nullKey;
- default:
+ case INDETERMINATE:
+ logger.debug("nsec3s for the referral proved no delegation.");
+ return null;
+ case BOGUS:
 bogusKE.setBadReason(R.get("failed.ds.nsec3"));
 return bogusKE;
+ default:
+ bogusKE.setBadReason(R.get("unknown.ds.nsec3"));
+ return bogusKE;
 }
 }
diff --git a/src/main/resources/messages.properties b/src/main/resources/messages.properties
index 4dc55d9..7d834b1 100644
--- a/src/main/resources/messages.properties
+++ b/src/main/resources/messages.properties
@@ -41,8 +41,9 @@ failed.ds.nowildcardproof=NSEC for wildcard does not prove absence of DS.
 failed.ds.nsec.ent=NSEC for empty non-terminal did not verify.
 insecure.ds.nsec.ent=NSEC for empty non-terminal proved no DS.
 failed.ds.nonconclusive=NSEC proof did not conclusively point to DS or no DS.
-failed.ds.nsec3=NSEC3s proved bogus.
-insecure.ds.nsec3=NSEC3s proved no DS.
+failed.ds.nsec3=NSEC3s for the referral did not prove no DS.
+unknown.ds.nsec3=no DS but also no proof of that
+insecure.ds.nsec3=NSEC3s for the referral proved no DS.
 failed.ds.unknown=Ran out of validation options, thus bogus.
 failed.ds.notype=Encountered an unhandled type ({0}) of DS response, thus bogus.
 failed.ds.nodigest=No supported digest ID for DS for {0}.
diff --git a/src/test/java/org/jitsi/dnssec/TestBase.java b/src/test/java/org/jitsi/dnssec/TestBase.java
index de0ef69..a21ba3a 100644
--- a/src/test/java/org/jitsi/dnssec/TestBase.java
+++ b/src/test/java/org/jitsi/dnssec/TestBase.java
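Review bot: The new `case INSECURE:` arm holds only two comment lines and falls through into `case SECURE:`, so the Opt-Out referral that proveNoDS now reports as INSECURE gets a null key entry with reason `insecure.ds.nsec3`, whose text in this commit's messages.properties hunk is "NSEC3s for the referral proved no DS." — an Opt-Out NSEC3 does not prove absence of DS, so that reason misdescribes this path, and nothing marks the fall-through as intentional. If the two statuses are meant to share the arm, end the INSECURE comment with `// fall through` so readers and `-Xlint:fallthrough` both see it; otherwise give the branch its own entry, e.g. `KeyEntry optOutKey = KeyEntry.newNullKeyEntry(qname, qclass, nsec3TTL); optOutKey.setBadReason(R.get("insecure.ds.nsec3.optout")); return optOutKey;` with a matching message key (key name constructed here). Classifying the Opt-Out delegation as insecure rather than secure is the correct outcome, since the AD bit must not be set for it. The new `default` arm uses `unknown.ds.nsec3`, whose text "no DS but also no proof of that" lacks the capitalisation and period of its neighbours in the same bundle. dsReponseToKeForNodata begins before the hunk; the last context line looks like its closing brace.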
@@ -42,6 +42,8 @@ import org.powermock.core.classloader.annotations.PrepareForTest;
 import org.powermock.modules.junit4.PowerMockRunner;
 import org.powermock.reflect.Whitebox;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.xbill.DNS.ARecord;
 import org.xbill.DNS.DClass;
 import org.xbill.DNS.DNSSEC;
@@ -61,6 +63,8 @@
 @RunWith(PowerMockRunner.class)
 @PrepareForTest({DNSSEC.class, TestInvalid.class})
 public abstract class TestBase {
+ private static final Logger logger = LoggerFactory.getLogger(TestBase.class);
+
 private final static boolean offline = !Boolean.getBoolean("org.jitsi.dnssecjava.online");
 private final static boolean partialOffline = "partial".equals(System.getProperty("org.jitsi.dnssecjava.offline"));
 private final static boolean record = Boolean.getBoolean("org.jitsi.dnssecjava.record");
@@ -168,7 +172,7 @@ public void setup() throws NumberFormatException, IOException, DNSSECException {
 resolver = new ValidatingResolver(new SimpleResolver("62.192.5.131") {
 @Override
 public Message send(Message query) throws IOException {
- System.out.println("---" + key(query));
+ logger.info("---{}", key(query));
 Message response = queryResponsePairs.get(key(query));
 if (response != null) {
 return response;
@@ -188,7 +192,6 @@ else if ((offline && !partialOffline) || unboundTest || alwaysOffline) {
 });
 resolver.loadTrustAnchors(getClass().getResourceAsStream("/trust_anchors"));
- System.err.println("--------------");
 }
 protected void add(Message m) throws IOException {
diff --git a/src/test/java/org/jitsi/dnssec/unbound/rpl/RplParser.java b/src/test/java/org/jitsi/dnssec/unbound/rpl/RplParser.java
index 2cae5d0..7bba9f4 100644
--- a/src/test/java/org/jitsi/dnssec/unbound/rpl/RplParser.java
+++ b/src/test/java/org/jitsi/dnssec/unbound/rpl/RplParser.java
@@ -113,7 +113,7 @@ else if (data[2].equals("CHECK_ANSWER")) {
 rpl.trustAnchors.add(rrset);
 }
 else if (line.matches("\\s*val-override-date:.*")) {
- rpl.date = DateTime.parse(line.substring(line.indexOf("\"") + 1, line.length() - 2), DateTimeFormat.forPattern("yyyyMMddHHmmss"));
+ rpl.date = DateTime.parse(line.substring(line.indexOf("\"") + 1, line.length() - 2), DateTimeFormat.forPattern("yyyyMMddHHmmss").withZoneUTC());
 }
 else if (line.matches("\\s*val-nsec3-keysize-iterations:.*")) {
 String[] data = line.substring(line.indexOf("\"") + 1, line.length() - 1).split("\\s");
diff --git a/src/test/resources/log4j.properties b/src/test/resources/log4j.properties
new file mode 100644
index 0000000..63cf99d
--- /dev/null
+++ b/src/test/resources/log4j.properties
@@ -0,0 +1,5 @@
+log4j.rootLogger = TRACE, CONSOLE
+
+log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
+log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
+log4j.appender.CONSOLE.layout.conversionPattern=%d{yyyy-MM-dd HH:mm:ss.SSS} %20c{1}: %m%n
diff --git a/src/test/resources/unbound/val_entds.rpl b/src/test/resources/unbound/val_entds.rpl
index 5ea2d5c..2377d14 100644
--- a/src/test/resources/unbound/val_entds.rpl
+++ b/src/test/resources/unbound/val_entds.rpl
@@ -131,22 +131,6 @@ example.com. 3600 IN RRSIG NSEC 3 2 3600 20070926134150 20070829134
 ENTRY_END
 ; response for query in question - delegation
-
-ENTRY_BEGIN
-MATCH opcode
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-c.5.6.example.com. IN DS
-SECTION ANSWER
-c.5.6.example.com. 3600 IN DS 2854 3 1 4449f16fa7d712283aa43cc8dcc8e07c05856e08
-c.5.6.example.com. 3600 IN RRSIG DS 3 5 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCgiF7eFL89mSqjUPEpQuL5QEa1OgIUWdfUmMkwVBwOgmxlxZIKfGs5od0= ;{id = 2854}
-SECTION AUTHORITY
-SECTION ADDITIONAL
-ns.c.5.6.example.com. IN A 1.2.3.6
-ENTRY_END
-RANGE_END
-
 ; and all other queries, receive a delegation to c.5.6.example.com.
 ENTRY_BEGIN
 MATCH opcode
@@ -218,11 +202,12 @@ MATCH opcode
 ADJUST copy_id copy_query
 REPLY AA QR NOERROR
 SECTION QUESTION
-b.3.4.c.5.6.example.com. IN DS
-SECTION ANSWER
+; dnssecjava: modify query to avoid overlap in query cache, match is not implemented
+4.c.5.6.example.com. IN NS
+SECTION AUTHORITY
+b.3.4.c.5.6.example.com. IN NS ns.b.3.4.c.5.6.example.com.
 b.3.4.c.5.6.example.com. 3600 IN DS 30899 5 1 849ebbdefa338db3e6c3ddffd58851523ba701de
 b.3.4.c.5.6.example.com. 3600 IN RRSIG DS 3 8 3600 20070926134150 20070829134150 2854 c.5.6.example.com. MC0CFEuXbvClpAOx7E1SXeH0d+Q4jpySAhUAtbEbQ8qtRF5chUOWNtg31ESAjWg= ;{id = 2854}
-SECTION AUTHORITY
 SECTION ADDITIONAL
 ns.b.3.4.c.5.6.example.com. IN A 1.2.3.7
 ENTRY_END