This name `hello\000.dev.` is greater than `test.hello.dev.` according to canonical DNS Name Order (RFC4034 section 6.1 ). ```c knot_dname_t *d1 = knot_dname_from_str_alloc("test.hello.dev."); knot_dname_t *d2 = knot_dname_from_str_alloc("hello\\000.dev."); printf("%d\n", knot_dname_cmp(d1, d2)); // output: 116 // doesn't happen with \001 d2 = knot_dname_from_str_alloc("hello\\001.dev."); printf("%d\n", knot_dname_cmp(d1, d2)); // output: -1 ``` This was causing issues with NSEC validation in knot resolver which I mentioned on gitter chat.