The NSEC3 opt-out bit allows DNS registry operators of public suffix domains (TLDs like .com, 2LDs like .co.uk, ...), where most delegations are unsigned, to save CPU time and space by including only the signed delegations in their NSEC3 chain. While this is handy for such domains with lots of insecure delegations, it is otherwise a bad idea. Unless you're a TLD/2LD operator of that sort, DO NOT set the opt-out bit in your NSEC3PARAM record.
Here's one example of what can go wrong:
http://dnsviz.net/d/_25._tcp.mail.ormanns.net/dnssec/
Until today, the ormanns.net domain used to have working secure TLSA records for its MX host:
ormanns.net. IN MX 0 mail.ormanns.net. ; NoError AD=1
mail.ormanns.net. IN A 37.120.182.194 ; NoError AD=1
mail.ormanns.net. IN AAAA 2a03:4000:15:7e:: ; NoError AD=1
but then the TLSA record:
_25._tcp.mail.ormanns.net. IN TLSA 3 1 1 c95ab7f0b49c1d762408d0089133d20d78c992e6e28b28c165d18e043c574ba8
was replaced with a wildcard:
*._tcp.mail.ormanns.net. IN TLSA 3 1 1 c95ab7f0b49c1d762408d0089133d20d78c992e6e28b28c165d18e043c574ba8
Unfortunately, while the zone is DNSSEC-signed and the wildcard record is "secure", the denial of existence of the removed TLSA RR for _25._tcp.mail.ormanns.net is "insecure" because of the NSEC3 opt-out bit. A validator needs a secure proof that no exact-match name exists before it can accept the wildcard expansion, so the wildcard-synthesized TLSA is also "insecure" and the domain is no longer DANE-protected.
One could keep the NSEC3 opt-out bit and carefully add explicit CNAMEs for each service name, so that no wildcard synthesis (and hence no denial-of-existence proof) is needed, to share a TLSA record across services:
_dane.mail.ormanns.net. IN TLSA 3 1 1 c95ab7f0b49c1d762408d0089133d20d78c992e6e28b28c165d18e043c574ba8
_25._tcp.mail.ormanns.net. IN CNAME _dane.mail.ormanns.net.
_587._tcp.mail.ormanns.net. IN CNAME _dane.mail.ormanns.net.
_465._tcp.mail.ormanns.net. IN CNAME _dane.mail.ormanns.net.
_443._tcp.mail.ormanns.net. IN CNAME _dane.mail.ormanns.net.
But, whether that's a good idea or not, it is far better to avoid NSEC3 opt-out and have secure denial of existence for all names in the zone, and then wildcards don't bring any security surprises.
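As an added illustration (not part of the original post), here is a small Python zone lint that models both the wildcard hazard above and the CNAME workaround: it flags an NSEC3PARAM whose Flags field has Opt-Out set and reports when a _port._tcp.host name would be served only by a wildcard TLSA. The zone fragments and the NSEC3PARAM values in them are constructed for the demo, and the parser is deliberately minimal.

```python
# Added example (not from the original post): a small zone lint for the hazard
# described above. Assumes presentation-format zone text, one record per line,
# fully qualified owners, no $ORIGIN/$TTL directives.

NSEC3_OPT_OUT = 0x01  # RFC 5155 NSEC3PARAM Flags field: bit value 1 is Opt-Out

# Constructed zone fragments (the NSEC3PARAM values are made up for the demo).
ZONE_WILDCARD = """
ormanns.net.               IN NSEC3PARAM 1 1 0 -   ; flags=1: Opt-Out set
*._tcp.mail.ormanns.net.   IN TLSA 3 1 1 c95ab7f0b49c1d762408d0089133d20d78c992e6e28b28c165d18e043c574ba8
"""
ZONE_CNAME = """
ormanns.net.               IN NSEC3PARAM 1 1 0 -
_dane.mail.ormanns.net.    IN TLSA 3 1 1 c95ab7f0b49c1d762408d0089133d20d78c992e6e28b28c165d18e043c574ba8
_25._tcp.mail.ormanns.net. IN CNAME _dane.mail.ormanns.net.
"""

def nsec3_opt_out(rdata: str) -> bool:
    """True if NSEC3PARAM rdata 'alg flags iterations salt' has Opt-Out set."""
    _alg, flags, _iterations, _salt = rdata.split()
    return int(flags) & NSEC3_OPT_OUT != 0

def parse_zone(text: str) -> list:
    """Minimal parser: (owner, type, rdata) triples; comments, TTL and class dropped."""
    records = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if not fields:
            continue
        owner, rest = fields[0].lower(), fields[1:]
        while rest and (rest[0].upper() == "IN" or rest[0].isdigit()):
            rest = rest[1:]  # optional TTL / class, in either order
        records.append((owner, rest[0].upper(), " ".join(rest[1:])))
    return records

def lint(text: str, name: str) -> list:
    """Explain why DANE would not be enforced for a _port._tcp.host TLSA name."""
    records = parse_zone(text)
    opt_out = any(t == "NSEC3PARAM" and nsec3_opt_out(r) for _, t, r in records)
    findings = ["NSEC3PARAM Opt-Out set: denial of existence is insecure"] if opt_out else []
    if any(o == name and t in ("TLSA", "CNAME") for o, t, _ in records):
        return findings  # explicit record: no wildcard synthesis, no NSEC3 proof needed
    wildcard = "*." + name.split(".", 1)[1]
    if not any(o == wildcard and t == "TLSA" for o, t, _ in records):
        findings.append(f"{name}: no TLSA record, not DANE-protected")
    elif opt_out:
        findings.append(f"{name}: only {wildcard} matches; the synthesized answer "
                        "validates as insecure, so DANE is not enforced")
    return findings
```

Clearing the Opt-Out flag in ZONE_WILDCARD (flags 0) makes lint() return no findings for _25._tcp.mail.ormanns.net., which is the point of the last paragraph.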