From 15a35f448d78b86536ca3486f2c38b60ebe58e28 Mon Sep 17 00:00:00 2001 
From: Peter van Dijk Date: Tue, 7 May 2019 09:54:52 +0200 Subject: [PATCH] auth: test for #7785 --- modules/tinydnsbackend/data | 20 ++++++++++++------ modules/tinydnsbackend/data.cdb | Bin 1352616 -> 1353259 bytes .../tinydns-data-check/expected_result | 7 +++--- regression-tests/backends/bind-master | 15 +++++++------ regression-tests/backends/gsql-common | 2 +- regression-tests/named.conf | 5 +++++ regression-tests/tests/axfr/expected_result | 2 ++ .../tests/axfr/expected_result.dnssec | 11 ++++++++-- .../tests/axfr/expected_result.nsec3 | 7 ++++++ .../tests/axfr/expected_result.nsec3-optout | 5 +++++ .../expected_result.dnssec | 2 +- .../secure-cname-to-insecure-child/command | 3 +++ .../description | 1 + .../expected_result | 5 +++++ .../expected_result.dnssec | 6 ++++++ .../tests/secure-cname-to-insecure/command | 3 +++ .../secure-cname-to-insecure/description | 1 + .../secure-cname-to-insecure/expected_result | 5 +++++ .../expected_result.dnssec | 6 ++++++ .../tests/verify-dnssec-zone/command | 2 +- regression-tests/zones/dnssec-parent.com | 2 ++ regression-tests/zones/example.com | 3 +++ .../zones/insecure.dnssec-parent.com | 13 ++++++++++++ 23 files changed, 106 insertions(+), 20 deletions(-) create mode 100755 regression-tests/tests/secure-cname-to-insecure-child/command create mode 100644 regression-tests/tests/secure-cname-to-insecure-child/description create mode 100644 regression-tests/tests/secure-cname-to-insecure-child/expected_result create mode 100644 regression-tests/tests/secure-cname-to-insecure-child/expected_result.dnssec create mode 100755 regression-tests/tests/secure-cname-to-insecure/command create mode 100644 regression-tests/tests/secure-cname-to-insecure/description create mode 100644 regression-tests/tests/secure-cname-to-insecure/expected_result create mode 100644 regression-tests/tests/secure-cname-to-insecure/expected_result.dnssec create mode 100644 regression-tests/zones/insecure.dnssec-parent.com 
diff --git a/modules/tinydnsbackend/data b/modules/tinydnsbackend/data index bcbeb035f8..8f76c113b8 100644 --- a/modules/tinydnsbackend/data +++ b/modules/tinydnsbackend/data @@ -20100,7 +20100,6 @@ +toomuchinfo-b.example.com:192.168.99.90:120 +usa-ns1.usa.example.com:192.168.4.1:120 +usa-ns2.usa.example.com:192.168.4.2:120 -3ipv6.example.com:200106a80000000102104bfffe4b4c61:120 :_imap._tcp.example.com:33:\000\000\000\001\000\217\004blah\004test\003com\000:120 :dsdelegation.example.com:43:m\341\010\001\312\361\352\256\315\253\347afpx\217\220\042EK\365\375\237\332:120 :escapedtext.example.com:16:\005begin\022the\040\042middle\042\040p\134art\007the\040end:120 
@@ -20108,17 +20107,18 @@ :hightype.example.com:65534:\007\355\046\000\001:120 :host-0.example.com:108:\000PV\233\000\347:120 :host-1.example.com:109:\000PV\233\000\347\176W:120 -:hostmaster.mb.example.com:8:\004phil\303\231:120 -:hostmaster.mb.example.com:8:\006sheila\303\231:120 +:hostmaster.mb.example.com:8:\004phil\303\263:120 +:hostmaster.mb.example.com:8:\006sheila\303\263:120 :hwinfo.example.com:13:\003abc\003def:120 +:ipv6.example.com:28:\040\001\006\250\000\000\000\001\002\020K\377\376KLa:120 :location.example.com:29:\0002\026\023\213\044\323e\176\273\347\100\000\230\230\020:120 :location.example.com:29:\000B\026\023t\333\053\274\176\273\347\100\000\230\230\020:120 :location.example.com:29:\000\022\026\023\213\044\310\373\201D\030\300\000\230\230\020:120 :location.example.com:29:\000\042\026\023t\3331\320\201D\030\300\000\230\230\020:120 :multitext.example.com:16:\015text\040part\040one\015text\040part\040two\017text\040part\040three:120 -:phil.mb.example.com:7:\002pc\303\231:120 -:philip.mb.example.com:9:\303\250:120 -:sheila.mb.example.com:7:\004bill\303\231:120 +:phil.mb.example.com:7:\002pc\303\263:120 +:philip.mb.example.com:9:\303\302:120 +:sheila.mb.example.com:7:\004bill\303\263:120 :text.example.com:16:\025Hi\054\040this\040is\040some\040text:120 :text0.example.com:16:\014k\075rsa\073\040p\075one:120 :text1.example.com:16:\014k\075rsa\073\040p\075one:120 @@ -20134,6 +20134,7 @@ C\052.w1.example.com:x.y.z.w2.example.com.:120 C\052.w2.example.com:x.y.z.w3.example.com.:120 C\052.w3.example.com:x.y.z.w4.example.com.:120 C\052.w4.example.com:x.y.z.w5.example.com.:120 +Ccname-to-insecure.example.com:www.insecure.dnssec-parent.com.:120 Cexternal.example.com:somewhere.else.net.:120 Cloop1.example.com:loop2.example.com.:120 Cloop2.example.com:loop3.example.com.:120 
@@ -20243,6 +20244,7 @@ Znztest.com:ns1.nztest.com.:ahu.example.com.:2005092501:28800:7200:604800:86400: &dnssec-parent.com::ns1.dnssec-parent.com.:3600 &dnssec-parent.com::ns2.dnssec-parent.com.:3600 &insecure-delegated.ent.ent.auth-ent.dnssec-parent.com::ns.example.com.:3600 +&insecure.dnssec-parent.com::ns.example.com.:3600 &secure-delegated.dnssec-parent.com::ns1.secure-delegated.dnssec-parent.com.:3600 &secure-delegated.dnssec-parent.com::ns2.secure-delegated.dnssec-parent.com.:3600 +dnssec-parent.com:9.9.9.9:3600 @@ -20254,7 +20256,13 @@ Znztest.com:ns1.nztest.com.:ahu.example.com.:2005092501:28800:7200:604800:86400: +ns2.secure-delegated.dnssec-parent.com:5.6.7.8:3600 +something1.auth-ent.dnssec-parent.com:1.1.2.3:3600 :secure-delegated.dnssec-parent.com:43:\324\057\010\002\240\271\303\214\323\044\030\052\360\357f\203\015\012\016\205\241\325\211y\311\203N\030\310qw\236\004\010W\267:3600 +Cwww.dnssec-parent.com:www.insecure.dnssec-parent.com.:3600 Zdnssec-parent.com:ns1.dnssec-parent.com.:ahu.example.com.:2005092501:28800:7200:604800:86400:3600 +#2000081501 auto axfr-get +&insecure.dnssec-parent.com::ns1.example.com.:120 +&insecure.dnssec-parent.com::ns2.example.com.:120 ++www.insecure.dnssec-parent.com:192.0.2.88:120 +Zinsecure.dnssec-parent.com:ns1.example.com.:ahu.example.com.:2000081501:28800:7200:604800:86400:120 #2005092501 auto axfr-get &delegated.dnssec-parent.com::ns1.delegated.dnssec-parent.com.:3600 &delegated.dnssec-parent.com::ns2.delegated.dnssec-parent.com.:3600 
diff --git a/modules/tinydnsbackend/data.cdb b/modules/tinydnsbackend/data.cdb index c41b7e6a89fc684dd5ec66b549a4b5d9de19c92e..317ffaddf2e5134561b0f843acf398475de742c4 100644 GIT binary patch delta 7486 zc-nPX2Ut``*Pgq(Y+-@9WfcUBKomtVVnrm14T%4$h>40~Cs;tSN5i6v2GD?o&%#wf z5Ec<>YAja;1%oXv)|f>FjTH+DYV0U{b7wYzeE9o3_jx&I&YU^#J9W)DGb*oqlwSP{ z1SN2c30*j`wUMNs&jK236B#X`u@c&7QlR?^g6eo0q=|VGXsm=o z67kn>qQMTm_{UZnB#RZM(O3Z=0}a-Q1MVUWL-Gka>@zEIki=<^l7SscXmC>OcZw+B zW2C`Rap22@sjh;wr`$9vagVg?9@9WC2GrCMMn!)SMtN@urqmOEL?aD;5C@VnAVIVh z3~momGq~LyGMJ%*h9S)Ch+Wf`*hUuy7n;(MA%r{_yaqzLF?t-})0@G}D*G~6i9}xp ztP>LrCK&Mz@jDDB2`Ym~ylxC>uNlu^<~36o%v3#t!3-;BGvKf|@B-p5TFPJrjLR8N zEE0{?lR#YpVHB~B!E>zLz~J2wlFVSKYql|9DV`$Io|wtt)t{G5`laMDAXBvWkOCtP zFnF#Lj}Rqv#~F|>7F0%T<5{ABQGee2#}x*zZfyl&R#Qm=D{m8q+6ScF_?Rf6t0nz( zf01~HcMLc#GH)OZ9b_z?`$S6?GmW5GtWZR27AukHNZR%FE+n9`6N?$ud$5>MjVFs0 zsP9Qo?aku359!BZB^(BlIJF;XcNofoY_ZT01a;rCcsCRUv$)Wri7ePFPIV}Yl?j=N z{dy2GhXjNyV2RW}5Y*{dat_3>SPAzy7BjE>nZ-(ktYb0r`VFLiJc`9G=_yejH|~9>U?(Zyd^DCDbEHyZaap zE8#GK19~x_awFle zA~YJzIKobYCC_st?TJprHn!K`HBsM5L(cfGGY$B>Y-~cZGV81{2NG z`;&k?tp+QRGEzh4ezbVtwpp9FnU^vTd?fj&9<#5N`RROqurpBjBu z=(9$jjqpJMgQA4kmGBcK-|v9Z+3_P{VHcHr;mojEv!|Br=a0q09=vuX^cJ4S!sQgT zpPw5KyHdaM>G80q<$f0R>3}{N@B9;V5Yk(wJOyKvg1h}5( zxlqO@3Nuwz>)p6~DkdZ~{kL0}zF zk~C-&5{^BGK2iw&{g1!+8angO-$6SC{B8D%yZ0<{Cw|HssN$!- zf_D6hSJ0LpSq7E-?YGdm|GI6flQzC;P2!*!!1MDWNpT>A2cukThoGR*Cyv<% zTk(64*m`ftRJ+h77VuTlsqpqT0B&FKaC%a+3QBqf+`5a{%(R{5cvu49(A4kGs*yx1 z1N(N4Lh-BW+YC2Aj6S;%7FgA|R;#eB7wwJ>?cb!6xCYVQ_x+&hca(t7ynzV>*S-DwyVY1L93zxbF#dNj+ETr$UuvgW(Kg>L-b8<1`XBa3(5 zdW?$f+WA@QoMxoFr*;fpp~fos!tIv}91|=6Joad6nlEA?sPxBgGz)ef_bB*FlzwF) zxYZXW8#pg@!gN&e(@(QrSxaydFE}qQOIiMz<(PNB!;~tUCcBq*@VOy~OKq2rU#ztv z6Q+C*uS&XZ6mGqT(`8hh;MV|cEu;(c%^Py5l&-R(;)KyO9jK(Lg`IY^mmRfJxampH zl}dcK3L|>bldPyGLcst!(2}|-eEL5+(2C3W4+PE=ua!=OHo$p8FZkp?IG-E8dMtgC ziWG(i)9YoDUTMOu3ADerw8sY0ER0O1t*od9VPYoTQBExs;&SK`g+z!I{P)t+Ehsmk z;2@puAep~Y7;%|iC#Pl!H!En~ZBSVT1b$V+w)AhM0)EFXZ=Ceb8u%&xNVCg?7-!@l 
ze5rWpc~Fh*;vC{GvZAtugEkB=rS=NLS!PePWGF8*tYaGF z?4$w+LTgJ$ZZzZB0^TN>iMPD79od!9Qdt_GmdvxwNVMOh4YC7NPs1C3!<-K&PT_6?sd6j!vBCKG_23N-l;h zlp$N$w%1>AC~nt=qCu_XWHpYoWSwkvetrkr&ai08s6BOgavX`6s~bEvd9sWGx;0sI z!%|VYIJcXPfz5{Zc|2aQN9kjG_Y6aqy6(&Tqa*B9K$m%Mk8egZ8abim3*(eP_gi^g zB9G$x-)~>GtLYNZEoCY<`cZh$FLbm=u5AazWy`A3gTrM_K_&AxSG3{RS+e&0NGn$5 z3P$#*Lr*2$nrR=;Cm?OY<(`JzX2rE%W)xDCIH^MSs`HJC5Q?u;v2EJvG#THmijlS0 z!#baYO%9%<48GKoRmyeIv${J6@bk;)?t0yRCRrGVNX#2@J#an}W#F@k+%+^e34Ogb zjzjg9yf3|xU=4ILP1_Bwh-A{yZyPs%W)$#Zw&4&GbM-L0Z?*C!|DImKp?QeMyOrJU zc_2G>^M|<6l7BAb-Dpt->Wr@roH~mJe>(Bn##IQ9$tRAjMMZRV-&{Wz73ag1o=&m> zy8Csh55Go5SX~`8IR7(6$fn!!Q|0_*YqkwOiRHS$=(;6Acxm!G)JR^zqa@)EHPBtp zneKB^(K5s8XF)|LWM+9|^sUvc$*S?!MW21w&j}I9$}epDC#s=(`RiU$&6Zed|Ao(n zShUR8!~b|~tQF90y5zNZk$IEI6hVy@WEB3a6-)EE=)4cmy}R>PIs*;ibh;q@ytHL1 zyWj=;6Ppb=zVi|3p9p;i{vy4HWZN_OSYIb{jp}tVP9v8*LlZbU=B0IfvjtSryYA<% z3bZz1F@R&CWUvmp5S_ih1&d1iO%aCU;y(tysd zgw0EWUgYtvW7y-=0^z|Jwp}MGU$D@#s}$18_2w%kC!W0zsZwEWG8-s!NZA9ymf9Y| zT{F7vC3teLIh;;mzlV}*D}^6&+5XaQ{#zhO+4pXM&Wt4~2&2 z71oo#LH-A=SB83914Cm(_MHIK{_9}Zz&lpJ;BTDr<7wm{v{04Ov1u|5$wSvX{D}G= zU!$Dc58AbuEyJ((CkIGv$a**Q%~t$XZ^H*xu-+XFhf3sU7zhkO-&uw}ZF(9Q>O5!7 zKZb@pYCEaNZEN1Qf^7p0-LG3{FQIzQ&rx|v@CtN;hMKF)s%(^@@TII>H5sF$VXyr; zV-;fhRhje8&MjXT#`ObR-Q zwEd>n*13levF?4!-M2TJqtZ76A_9=MLze4oXEoDyS>4U+OHq8W@0ULwRszF-GZWiU zNbABNW8*IPve z$3~;Xk17HjQN4zqnX(x{C{M1>LxTpO%WT|xyMSm6Au2F3OH5Td??h#YqF{WA&` zaAkRDNrW?+m7at9?@wwr@Q5wboL~N93%e>abHtZgs^r#*C>@vNi-iDhZl1nCG6@Q5R`p-kXdBLAsNEyrQ91w%UE>GoU@DW zFm$(YdNXHIQJ017>D(?ShK_~c_e0xslJ8{T_fuP^4;4n2a$}`Zd6K!Xvt`^O1-lF# zW`7h{AIUePe=Do*yk*>@g5Mn}88Er!p6qUK0Za?F zR0JorxXkpxWE{Wgn!4%iHaSGSzr7h1a4@~E=MyxL*A~Y$@yIW4Q}?4! 
zF`022&Y-yI3zrWVtOTa|F84QkG!<;>lX%JnJ;+QYy?h#yTiy+(?_IZQF7s*UIZJ%A z*_tkeIJHr%NyfqbFUoEl}T}U4S&~ai_s^nw-B_&e`j&Cr$%sahbv`q7QhY z1%T|XNll}e+I6#iHx*&+KGXBBQ1+c=Wwd9@JJ@td7NRUd7_ew#&lhNn@pY5(zd;M8 z+YxUY(4?rT%hbD7ubTSnP14IT&tD_XYl~v%-9$9*u37fQxX(;M^|FDTFQK>tStkK{ zI-7g~`&OX`nW@z{!_#umGTy&JzSa_<`s~9`*Q|kQ*fOW$?x=s+(_oJiXd;5A$Su<- zB@T>2zcs}F|LAH;*rd$f3_YfSsM=*8JWOtCX$q<%nH4QT9i?qM%8>z{%khIAa`j62> zN+f>iLSe8bxiz(q_nWJE+opai1aBRV2f0*QgSQioxw>tG7{>~u=V<~gC2jvBq(x~i cs41;5Ctg#cpz?$+>ohYsDpuH>q2VO|1)O1;ng9R* delta 6991 zc-n1O3s_BA`(JyXI-O3JwQuS;VbqX>Q6b5QTq+Zi+mw3@Dl@KqGwDPzNs5u{J}KQ! za!`@58%lDi$R&d#G_FZznq0bef5Mm z;{gcP000z+F{(--SS8wJ5F{XUISE0mXrF-~Uc?#`UNDW1D#)^{0!zl`+ihj=I z?}+1)x=`Sxh}}%+N`dnT>)j}D31PrM3Y8-xEnK6?88`7WKyC8#~B4&xTcH(XT*7@ zuma6B6gVapzJ!^&T*u=9w@pgi$Kx)KDG(dqB~bj*|kK`_U4!BrjT0 z!fOZ(ei0M-VpREIf6X^IK~fNocbSC8wIQ^`TsxDNn3jG=OAM1DX;3N_UV{DMKhlx{ z(Xlir6N#>g!+|bIn2~A&Ev>O}6OB*BHd>NetEEA-v_yE^E1Q;fe@Gsl7oev>u4otH z233b>X|25ktb|J$4GP4DDzP11g%ya7t2O;oM@zfgcnvet-o$}PcQ8Za13Vu67%Sn@ zg6FwB$MH4)(BOo~{2gXkLom|Xdnp)+pu(1s6jE@Eq=btakH=}dGLjV0&WyxJ>&i%s zlD=Xj1+*R*^`4Bh_C{|;Qliuc$LWXT@lrnqioYZ!@n^g0GBmBL`9Qt^E4b_QG!{ppOP zL~{-!op%>K1L{S)2>a^~Gm=8h#~5@^p!4TdiKWn2Gtzn2*P0kzHZi%)HGt%Bry~nl@u+mK!E@wf8c>V*dScyRZ#YzD# z9au?$(vGZj52(7ZSP3T3#-%(+u;LPX>F4Rvl2tCFDvc-5Pufmd}Hx= z=|omiLLbV4I58l67AswurSn+nJSRo45~JuJSc!4cQWi9eg`-(%_v>R>tVleL(SEW=zbu0~4!H$BiasV>^5|8z(Ue*@qoo2UuxM>q~F~Z7D0QwW=JWwh|`@ zsA46Fqib=zs?Ici4Kvr@!c1%KVFi+!Fb1?>C6ZpSph_fcjKc%bA6e;`1ekH)u(-CC zoW!WchLcW3GtEhin>%olnCvdo$xL82TbQAhBdP>2F$|=nj<(#Dg7cm&ucj+ zt*y%nPGT4m$4N`8U&~1ZqfsaG-KQDg-wE6{#&-dG~Ut7Phv)ujNFd zQ1=23mVE`|Pu~AN&kDfGkE5IiS^~Hx$lEo>7X1G|cy`LJ9|NTf&d@S=Z?_m3fTJ_M ztFf{HaDQX>*$uV;D)&D!{)uqx%j5H7c;8o$wOP^_8Fk4FK=%Q&j2n61x5)J}^=xD} z6m=xVxpgF;QwE*J!I=9WCoHlC(BWn+InA=I>aHt=os!J~9HJW4+7)#-(;T z-z6E-=R?$W5xC=RZSwN&MyQ?wdwlHnD(hdEM4BfZlC`VR@*(1-4GCbO^`Fj7sK(fd zYi90Oem>8ATla!-yl)9q^MAjAD!%I>sDQBJp9LfP%K`k=edL@11+RVu9mNq!4t+1r z(R=bsuR!%U_~=~tx-XE*e)Uh?0xSR=)#F&?0mL`lKB7}8s@>E1k7y&ReeV0!4<7zY 
z?ZU!tP1R`rqO#q0p75JbLbV*eAbx1HmQC2nLGKaR4wPJw(od;qWC%%^vTH5X&`h-*}QQL{}N8^^wE%5rr`yQzX@ z+=*N5>JK8rRC6Wi_!1=OSjW)jkS|gF%B(o=(tnX>_dO?{468PKPanmUudF_gOV*I2 zy(AeQWrQl5C2R8(7f?S}Zk1)GO0rtOBM!53qipzNXb*V~3hNQF8p%F&VS>6s@p-;o z%O1~9Me~RJx~hmoaUZKc<#)5@zj+5AkvF#p?(gAzGa~JXma;b|XYUh=&8b(`L|;MA zP(cb}tYB1A164$j;MR{?EF+(2g&a?6rZutc=m;uENvspbkEMdFnZV5uIL@d)IRn}P z$LRy$w$0)(bmeb{QfCO2kUf>!WJccICAiO`{05P~<55AUrL3(9y>Kv(>LDjO3-$Y` z3JWrDjgWSTnr}|bIa*3(Igs^vLe5p{7dgQSZnr4D=kOnLAQ;s!M(fkT5{xRpvUR4> z28^<}o_R|2Bb=0v@P)+-w`S%VXcr*P`&IImPTuC=)-HB!&)+`^)nK5APrcnr%y$_Bm<+fj<|I{v4> z%z#GdU6Fj<3TR?$j6=GTKvOQC@og)A1yMDhH$9^K5bth9sr@vA$F~M{umBpf`SyGm zDj5{}^rv8yCiU3FPutDf(r%dZ{$esp6DfDo?L%etb1y7ki{u(x^6Xr()KV8sY=noS ze>;hy>DyaJA=MQp7WI0_7h6-VahiUeLKi=3Cq>1Q?Ke8Mlfsg^b9@lWzd`2dj=n!M z&$w3_Z&X(mvaBS<9B2a1UYWHP^_f>t)cG!oyQ!Z)_zdbl*?ZvDP(-`eiZZ(upWjWI z=tEp>uDl1(S(V!Me$x2gG zX4G$8hu9>IQB4d)9dJ35*2SX)6`oJm_ifuCno*;UbY8#{YRbb|1IG7zs&CiDhP=h| zGTJSu>dpT2XOen88iAbJ>oTg-x7YS}i;=P;zTGj)terBK_y6Xw7}bq>_v%0IQ6C3p zm3wzp0!@a`^1nv%_tPnFej#KiJ5ADG!N)7b#@?K~m23kv3ESVUoy=E4u}H6|pZ1S7 z`&^#Jrx}mGMsn7^JbbnWC0{b~X3$cE;Q9Buqeyn`y2&FVrQM8j1bw@w5;ZzG{)J7V z?DJe-791O=wnTM3`_FR_m(+WN>oAB;M9Pw0v-o1jur?WY3vMb=i%qNk84$x4D;ci) zlc|ClHBdtD5JD0A>LI*CE1LX%P|$H1YM`IriPi*bA(CQ-I4JM_0zrIkY39o`KDZQJ z1Xp`8jdF5mCcbkYdN9_Vm7(aqS%1~tKYcIuemS0*u23p>Ly)}vr{Ft#`Sl^p38Iq_ z5XyYvLOc?}S2OD@$hDjB=b6=drV$c7glAeN$V{D72!Xb>pK#fPc10MAi*WSvUCeio zq<BYuj-L)7a(h=$NVG@*D8uM53)A-~5>^T0Y}A71A8*PjZY>z`}3AQz-W9I-ZF7iTJQ))0ceZedy$@d+HXkw7l&TPxt)If&)LcTfOC_I*U-=@wE6g zZD3raE6-lH^6Bq4qub5;v@rj^zpbFY#f(yrr}qhA511-~;02dPCW!QSoeM$!-m2KC zI*gmp8Ov9tHYH!OmF(+!?DyJ>(Q%)!w~5KOAb(F6f?F9oXL8+6yyMe3b|isL-MtQM zH6(?d!rt!eB9e?X9kYHe>?ApPV27~&D;7=nFB056Ss!o0Us$q)?Msp{6Mq++UdDb+ z5FL(2v7cmw@@O>ML#Fn~hT!yvN4fJ%*oyE>x7oLzZsl_{EGtaXu(vxY|3nndt75x* z?hyuQS%W2^5vW{tPgffKXarY}?$nTz%)r&NY4g_zHK*8bW#mEAeKEL-jj~{RY=Yo= zS<|mmO!#a&UwM(Wi{o}++ZA05*R$UIr|35T48uaI|ClZVhCzvgCtR}thGp6tA*l$P z_T-PaX9Wxw#tsShX?w979&A|I1>KB>b;4@q9tjM!Q@7PynE}K4-PvY$+OA*2;2`gY 
zg8y^H^FEf8%@l(}%$s}L<-ky9HcfH-vuhg|N~i}3Q&8f9msYwh5Eya_?;f^o*T7JD z$eCGfFE0a~yLL;p_@;D%hL3@_!V^*RLiMK!W90n#E3DdQ>eHD80jNR08}gE$QN9kL zx)$_{-q3U384q>4JY`F(YL+1(j%0be{eg0{78{;@Wx@YZ$Ev%}%#VG)2$7auiGTJF z>dilDYyamcwollDhL`5RU{&+@Lp@*lff_#0@UBne_TEUiy19-UwxC#>8FTib7lolI zH*DKLGs(V*7Uq9-Hy%$|^1GaWdx>?NZ)jTS>sp5<^}GMkZ4MGCX5P&+3)|l6hCf2% z=JaX%?O_O+Emvj|z_9!DY03>XQh8=;z(CZz*Ads_gHTbgl(SCgJI3Jt>mXZz2t?Li zAH(rWiz!#RVY+>{!_j=@WtQ#yg}c2m>|fTR_0L#?nqU0^s_hK&jtvD<+qE)gW!Ewf z@x#_*oZ34i{W%jNbgD{ zL382NPDIuw?KI$Pw>a}_#14Z|`b9-cD;4Mp>M38Ia#Gy~&v z6S@jZp0k@Q$x|u#a5}tWTPz7XL1E4vFefi2<6GjklItWRW(YLNREBWq zvU{2-xKHDD*b&qCnx)+9j=R$!co a@1SQ%T!jTOSvZ)=EntaqL6yg`&1 - elif [ $context = bind-dnssec-nsec3-narrow ] - then - $PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone '1 1 1 abcd' narrow 2>&1 + securezone $zone bind + if [ $context = bind-dnssec-nsec3 ] || [ $context = bind-dnssec-nsec3-optout ] || [ $context = bind-hybrid-nsec3 ] + then + $PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone "1 $optout 1 abcd" 2>&1 + elif [ $context = bind-dnssec-nsec3-narrow ] + then + $PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone '1 1 1 abcd' narrow 2>&1 + fi fi if [ "$zone" = "tsig.com" ]; then $PDNSUTIL --config-dir=. --config-name=bind import-tsig-key test $ALGORITHM $KEY diff --git a/regression-tests/backends/gsql-common b/regression-tests/backends/gsql-common index 1a9e15eda0..99eff8ecf4 100644 --- a/regression-tests/backends/gsql-common +++ b/regression-tests/backends/gsql-common @@ -15,7 +15,7 @@ gsql_master() for zone in $(grep 'zone ' named.conf | cut -f2 -d\") do - if [ $context != ${backend}-nodnssec ] + if [ $context != ${backend}-nodnssec ] && [ $zone != insecure.dnssec-parent.com ] then if [ $context = ${backend}-nsec3 ] || [ $context = ${backend}-nsec3-optout ] then diff --git a/regression-tests/named.conf b/regression-tests/named.conf index 4eaf2a7cae..2a1a754da7 100644 --- a/regression-tests/named.conf +++ b/regression-tests/named.conf 
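Review bot: The unsigned zone is excluded by a literal name, `[ $zone != insecure.dnssec-parent.com ]`, in the `gsql_master` loop, and the same literal is added to the `grep -v` list in tests/verify-dnssec-zone/command. The bind-master change just before this hunk (its header is not readable here) appears to add an equivalent guard around `securezone`. A later unsigned fixture zone that is added to only some of these places could end up signed under one backend, and the insecure-target tests would then stop exercising an unsigned zone there. Consider one shared list that all three scripts read, and quote the operands while touching the line: `if [ "$context" != "${backend}-nodnssec" ] && [ "$zone" != insecure.dnssec-parent.com ]`. `gsql_master` starts and ends outside the hunk.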
@@ -48,6 +48,11 @@ zone "dnssec-parent.com"{ file "dnssec-parent.com"; }; +zone "insecure.dnssec-parent.com"{ + type master; + file "insecure.dnssec-parent.com"; +}; + zone "delegated.dnssec-parent.com"{ type master; file "delegated.dnssec-parent.com"; diff --git a/regression-tests/tests/axfr/expected_result b/regression-tests/tests/axfr/expected_result index edeba95de0..d831426e48 100644 --- a/regression-tests/tests/axfr/expected_result +++ b/regression-tests/tests/axfr/expected_result @@ -6,6 +6,7 @@ dnssec-parent.com. 3600 IN NS ns2.dnssec-parent.com. dnssec-parent.com. 3600 IN SOA ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400 dnssec-parent.com. 3600 IN SOA ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400 insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 3600 IN NS ns.example.com. +insecure.dnssec-parent.com. 3600 IN NS ns.example.com. ns1.delegated.dnssec-parent.com. 3600 IN A 4.5.6.7 ns1.dnssec-parent.com. 3600 IN A 1.2.3.4 ns1.secure-delegated.dnssec-parent.com. 3600 IN A 1.2.3.4 @@ -16,3 +17,4 @@ secure-delegated.dnssec-parent.com. 3600 IN DS 54319 8 2 a0b9c38cd324182af0ef668 secure-delegated.dnssec-parent.com. 3600 IN NS ns1.secure-delegated.dnssec-parent.com. secure-delegated.dnssec-parent.com. 3600 IN NS ns2.secure-delegated.dnssec-parent.com. something1.auth-ent.dnssec-parent.com. 3600 IN A 1.1.2.3 +www.dnssec-parent.com. 3600 IN CNAME www.insecure.dnssec-parent.com. diff --git a/regression-tests/tests/axfr/expected_result.dnssec b/regression-tests/tests/axfr/expected_result.dnssec index f580f6c6e7..e65f647740 100644 --- a/regression-tests/tests/axfr/expected_result.dnssec +++ b/regression-tests/tests/axfr/expected_result.dnssec 
@@ -1,6 +1,6 @@ delegated.dnssec-parent.com. 3600 IN NS ns1.delegated.dnssec-parent.com. delegated.dnssec-parent.com. 3600 IN NS ns2.delegated.dnssec-parent.com. -delegated.dnssec-parent.com. 86400 IN NSEC ns1.dnssec-parent.com. NS RRSIG NSEC +delegated.dnssec-parent.com. 86400 IN NSEC insecure.dnssec-parent.com. NS RRSIG NSEC delegated.dnssec-parent.com. 86400 IN RRSIG NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... dnssec-parent.com. 3600 IN A 9.9.9.9 dnssec-parent.com. 3600 IN NS ns1.dnssec-parent.com. @@ -17,6 +17,9 @@ dnssec-parent.com. 86400 IN RRSIG NSEC 13 2 86400 [expiry] [inception] [keytag] insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 3600 IN NS ns.example.com. insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 86400 IN NSEC something1.auth-ent.dnssec-parent.com. NS RRSIG NSEC insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC 13 6 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... +insecure.dnssec-parent.com. 3600 IN NS ns.example.com. +insecure.dnssec-parent.com. 86400 IN NSEC ns1.dnssec-parent.com. NS RRSIG NSEC +insecure.dnssec-parent.com. 86400 IN RRSIG NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... ns1.delegated.dnssec-parent.com. 3600 IN A 4.5.6.7 ns1.dnssec-parent.com. 3600 IN A 1.2.3.4 ns1.dnssec-parent.com. 3600 IN RRSIG A 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... 
@@ -33,9 +36,13 @@ secure-delegated.dnssec-parent.com. 3600 IN DS 54319 8 2 a0b9c38cd324182af0ef668 secure-delegated.dnssec-parent.com. 3600 IN NS ns1.secure-delegated.dnssec-parent.com. secure-delegated.dnssec-parent.com. 3600 IN NS ns2.secure-delegated.dnssec-parent.com. secure-delegated.dnssec-parent.com. 3600 IN RRSIG DS 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... -secure-delegated.dnssec-parent.com. 86400 IN NSEC dnssec-parent.com. NS DS RRSIG NSEC +secure-delegated.dnssec-parent.com. 86400 IN NSEC www.dnssec-parent.com. NS DS RRSIG NSEC secure-delegated.dnssec-parent.com. 86400 IN RRSIG NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... something1.auth-ent.dnssec-parent.com. 3600 IN A 1.1.2.3 something1.auth-ent.dnssec-parent.com. 3600 IN RRSIG A 13 4 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... something1.auth-ent.dnssec-parent.com. 86400 IN NSEC delegated.dnssec-parent.com. A RRSIG NSEC something1.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC 13 4 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... +www.dnssec-parent.com. 3600 IN CNAME www.insecure.dnssec-parent.com. +www.dnssec-parent.com. 3600 IN RRSIG CNAME 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... +www.dnssec-parent.com. 86400 IN NSEC dnssec-parent.com. CNAME RRSIG NSEC +www.dnssec-parent.com. 86400 IN RRSIG NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... diff --git a/regression-tests/tests/axfr/expected_result.nsec3 b/regression-tests/tests/axfr/expected_result.nsec3 index ad2d868173..425b2b500f 100644 --- a/regression-tests/tests/axfr/expected_result.nsec3 +++ b/regression-tests/tests/axfr/expected_result.nsec3 
@@ -25,6 +25,9 @@ ent.ent.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [in insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 3600 IN NS ns.example.com. insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 86400 IN NSEC3 1 0 1 abcd [next owner] NS insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... +insecure.dnssec-parent.com. 3600 IN NS ns.example.com. +insecure.dnssec-parent.com. 86400 IN NSEC3 1 0 1 abcd [next owner] NS +insecure.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... ns1.delegated.dnssec-parent.com. 3600 IN A 4.5.6.7 ns1.dnssec-parent.com. 3600 IN A 1.2.3.4 ns1.dnssec-parent.com. 3600 IN RRSIG A 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... @@ -47,3 +50,7 @@ something1.auth-ent.dnssec-parent.com. 3600 IN A 1.1.2.3 something1.auth-ent.dnssec-parent.com. 3600 IN RRSIG A 13 4 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... something1.auth-ent.dnssec-parent.com. 86400 IN NSEC3 1 0 1 abcd [next owner] A RRSIG something1.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... +www.dnssec-parent.com. 3600 IN CNAME www.insecure.dnssec-parent.com. +www.dnssec-parent.com. 3600 IN RRSIG CNAME 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... +www.dnssec-parent.com. 86400 IN NSEC3 1 0 1 abcd [next owner] CNAME RRSIG +www.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... diff --git a/regression-tests/tests/axfr/expected_result.nsec3-optout b/regression-tests/tests/axfr/expected_result.nsec3-optout index 3e5178ff48..fbd473c1b4 100644 --- a/regression-tests/tests/axfr/expected_result.nsec3-optout +++ b/regression-tests/tests/axfr/expected_result.nsec3-optout 
@@ -17,6 +17,7 @@ dnssec-parent.com. 86400 IN RRSIG DNSKEY 13 2 86400 [expiry] [inception] [keytag dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... dnssec-parent.com. 86400 IN RRSIG NSEC3PARAM 13 2 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. 3600 IN NS ns.example.com. +insecure.dnssec-parent.com. 3600 IN NS ns.example.com. ns1.delegated.dnssec-parent.com. 3600 IN A 4.5.6.7 ns1.dnssec-parent.com. 3600 IN A 1.2.3.4 ns1.dnssec-parent.com. 3600 IN RRSIG A 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... @@ -39,3 +40,7 @@ something1.auth-ent.dnssec-parent.com. 3600 IN A 1.1.2.3 something1.auth-ent.dnssec-parent.com. 3600 IN RRSIG A 13 4 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... something1.auth-ent.dnssec-parent.com. 86400 IN NSEC3 1 1 1 abcd [next owner] A RRSIG something1.auth-ent.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... +www.dnssec-parent.com. 3600 IN CNAME www.insecure.dnssec-parent.com. +www.dnssec-parent.com. 3600 IN RRSIG CNAME 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... +www.dnssec-parent.com. 86400 IN NSEC3 1 1 1 abcd [next owner] CNAME RRSIG +www.dnssec-parent.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... diff --git a/regression-tests/tests/ds-at-unsecure-zone-cut/expected_result.dnssec b/regression-tests/tests/ds-at-unsecure-zone-cut/expected_result.dnssec index 459ce0f089..2b461d47b5 100644 --- a/regression-tests/tests/ds-at-unsecure-zone-cut/expected_result.dnssec +++ b/regression-tests/tests/ds-at-unsecure-zone-cut/expected_result.dnssec 
@@ -1,4 +1,4 @@ -1 delegated.dnssec-parent.com. IN NSEC 86400 ns1.dnssec-parent.com. NS RRSIG NSEC +1 delegated.dnssec-parent.com. IN NSEC 86400 insecure.dnssec-parent.com. NS RRSIG NSEC 1 delegated.dnssec-parent.com. IN RRSIG 86400 NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... 1 dnssec-parent.com. IN RRSIG 3600 SOA 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... 1 dnssec-parent.com. IN SOA 3600 ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400 diff --git a/regression-tests/tests/secure-cname-to-insecure-child/command b/regression-tests/tests/secure-cname-to-insecure-child/command new file mode 100755 index 0000000000..0a91615602 --- /dev/null +++ b/regression-tests/tests/secure-cname-to-insecure-child/command @@ -0,0 +1,3 @@ +#!/bin/sh +cleandig www.dnssec-parent.com A dnssec + diff --git a/regression-tests/tests/secure-cname-to-insecure-child/description b/regression-tests/tests/secure-cname-to-insecure-child/description new file mode 100644 index 0000000000..57ed85c347 --- /dev/null +++ b/regression-tests/tests/secure-cname-to-insecure-child/description @@ -0,0 +1 @@ +Signed CNAME to an A record in an unsigned child zone. diff --git a/regression-tests/tests/secure-cname-to-insecure-child/expected_result b/regression-tests/tests/secure-cname-to-insecure-child/expected_result new file mode 100644 index 0000000000..288e33ba18 --- /dev/null +++ b/regression-tests/tests/secure-cname-to-insecure-child/expected_result @@ -0,0 +1,5 @@ +0 www.dnssec-parent.com. IN CNAME 3600 www.insecure.dnssec-parent.com. +0 www.insecure.dnssec-parent.com. IN A 120 192.0.2.88 +2 . IN OPT 32768 +Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='www.dnssec-parent.com.', qtype=A 
diff --git a/regression-tests/tests/secure-cname-to-insecure-child/expected_result.dnssec b/regression-tests/tests/secure-cname-to-insecure-child/expected_result.dnssec new file mode 100644 index 0000000000..937f3a3c00 --- /dev/null +++ b/regression-tests/tests/secure-cname-to-insecure-child/expected_result.dnssec @@ -0,0 +1,6 @@ +0 www.dnssec-parent.com. IN CNAME 3600 www.insecure.dnssec-parent.com. +0 www.dnssec-parent.com. IN RRSIG 3600 CNAME 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... +0 www.insecure.dnssec-parent.com. IN A 120 192.0.2.88 +2 . IN OPT 32768 +Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='www.dnssec-parent.com.', qtype=A diff --git a/regression-tests/tests/secure-cname-to-insecure/command b/regression-tests/tests/secure-cname-to-insecure/command new file mode 100755 index 0000000000..9ad71facf0 --- /dev/null +++ b/regression-tests/tests/secure-cname-to-insecure/command @@ -0,0 +1,3 @@ +#!/bin/sh +cleandig cname-to-insecure.example.com A dnssec + diff --git a/regression-tests/tests/secure-cname-to-insecure/description b/regression-tests/tests/secure-cname-to-insecure/description new file mode 100644 index 0000000000..a00dbfb8b5 --- /dev/null +++ b/regression-tests/tests/secure-cname-to-insecure/description @@ -0,0 +1 @@ +Signed CNAME to an unsigned A. diff --git a/regression-tests/tests/secure-cname-to-insecure/expected_result b/regression-tests/tests/secure-cname-to-insecure/expected_result new file mode 100644 index 0000000000..7bcd930365 --- /dev/null +++ b/regression-tests/tests/secure-cname-to-insecure/expected_result @@ -0,0 +1,5 @@ +0 cname-to-insecure.example.com. IN CNAME 120 www.insecure.dnssec-parent.com. +0 www.insecure.dnssec-parent.com. IN A 120 192.0.2.88 +2 . IN OPT 32768 +Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='cname-to-insecure.example.com.', qtype=A 
diff --git a/regression-tests/tests/secure-cname-to-insecure/expected_result.dnssec b/regression-tests/tests/secure-cname-to-insecure/expected_result.dnssec new file mode 100644 index 0000000000..76458ceacb --- /dev/null +++ b/regression-tests/tests/secure-cname-to-insecure/expected_result.dnssec @@ -0,0 +1,6 @@ +0 cname-to-insecure.example.com. IN CNAME 120 www.insecure.dnssec-parent.com. +0 cname-to-insecure.example.com. IN RRSIG 120 CNAME 13 3 120 [expiry] [inception] [keytag] example.com. ... +0 www.insecure.dnssec-parent.com. IN A 120 192.0.2.88 +2 . IN OPT 32768 +Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='cname-to-insecure.example.com.', qtype=A diff --git a/regression-tests/tests/verify-dnssec-zone/command b/regression-tests/tests/verify-dnssec-zone/command index 98cf3d9a07..30dbe19556 100755 --- a/regression-tests/tests/verify-dnssec-zone/command +++ b/regression-tests/tests/verify-dnssec-zone/command @@ -1,5 +1,5 @@ #!/usr/bin/env bash -for zone in $(grep 'zone ' named.conf | cut -f2 -d\" | grep -v '^\(example.com\|nztest.com\)$') +for zone in $(grep 'zone ' named.conf | cut -f2 -d\" | grep -v '^\(example.com\|nztest.com\|insecure.dnssec-parent.com\)$') do TFILE=$(mktemp tmp.XXXXXXXXXX) drill -p $port axfr $zone @$nameserver | ldns-read-zone -z -u CDS -u CDNSKEY > $TFILE diff --git a/regression-tests/zones/dnssec-parent.com b/regression-tests/zones/dnssec-parent.com index 1a6e88b6cb..0800ccf1eb 100644 --- a/regression-tests/zones/dnssec-parent.com +++ b/regression-tests/zones/dnssec-parent.com @@ -23,3 +23,5 @@ ns1.secure-delegated IN A 1.2.3.4 ns2.secure-delegated IN A 5.6.7.8 insecure-delegated.ent.ent.auth-ent IN NS ns.example.com. something1.auth-ent IN A 1.1.2.3 +insecure IN NS ns.example.com. +www IN CNAME www.insecure diff --git a/regression-tests/zones/example.com b/regression-tests/zones/example.com index d797d8440a..2657323450 100644 --- a/regression-tests/zones/example.com 
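Review bot: The delegation added in zones/dnssec-parent.com, `insecure IN NS ns.example.com.`, does not match the apex NS set of the new child zone, which lists ns1.example.com. and ns2.example.com. The existing insecure-delegated entry also points at ns.example.com., so this may be deliberate, but nothing in the file says so. A comment above the two added records would help, for example `; unsigned child zone: NS only, no DS on purpose (test for #7785)`. If the mismatch is not intended, the NS line should list ns1 and ns2 instead.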
+++ b/regression-tests/zones/example.com @@ -20202,3 +20202,6 @@ philip.mb IN MR phil.mb.example.com. ; Test that no out of zone data is sent _imap._tcp IN SRV 0 1 143 blah.test.com. + +; +cname-to-insecure IN CNAME www.insecure.dnssec-parent.com. diff --git a/regression-tests/zones/insecure.dnssec-parent.com b/regression-tests/zones/insecure.dnssec-parent.com new file mode 100644 index 0000000000..b5a3c73cbe --- /dev/null +++ b/regression-tests/zones/insecure.dnssec-parent.com @@ -0,0 +1,13 @@ +$TTL 120 +$ORIGIN insecure.dnssec-parent.com. +@ IN SOA ns1.example.com. ahu.example.com. ( + 2000081501 + 8H ; refresh + 2H ; retry + 1W ; expire + 1D ; default_ttl + ) + +@ IN NS ns1.example.com. +@ IN NS ns2.example.com. +www IN A 192.0.2.88 -- 2.47.2
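Review bot: The comment line added before `cname-to-insecure` in zones/example.com is a bare `;`, while the record just above it has a descriptive one (`; Test that no out of zone data is sent`). Suggest `; Signed CNAME whose target is in an unsigned zone (test for #7785)` so the record's purpose survives later edits to this large fixture.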
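Review bot: zones/insecure.dnssec-parent.com has no header comment stating that the zone must stay unsigned, although the new expected_result.dnssec files depend on `www.insecure.dnssec-parent.com` being returned without an RRSIG. A first line such as `; Deliberately unsigned: the backend setup scripts skip securezone for this zone by name` would make that visible to anyone editing or renaming the file.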