From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Thu, 11 Feb 2016 15:03:44 +0000 (+0100)
Subject: Add regression tests for root zone serving
X-Git-Tag: dnsdist-1.0.0-beta1~28^2^2~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=690cc18937ead8ce02ec8c447e3a3f51d86ef4fb;p=thirdparty%2Fpdns.git

Add regression tests for root zone serving
---

diff --git a/.travis.yml b/.travis.yml
index a5227b1d85..bb4e1f525b 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -257,6 +257,38 @@ script:
   - ./timestamp ./start-test-stop 5300 tinydns
   - cd ..
 
+  - cd regression-tests.rootzone
+  - ./timestamp ./start-test-stop 5300 bind-both
+#FIXME 400, NSEC record synthesis for root zones is broken
+#  - ./timestamp ./start-test-stop 5300 bind-dnssec-both
+  - ./timestamp ./start-test-stop 5300 bind-dnssec-nsec3-both
+#FIXME 400, NSEC record synthesis for root zones is broken
+#  - ./timestamp ./start-test-stop 5300 bind-dnssec-nsec3-optout-both
+  - ./timestamp ./start-test-stop 5300 bind-dnssec-nsec3-narrow
+  - ./timestamp ./start-test-stop 5300 bind-hybrid-nsec3
+
+  - ./timestamp ./start-test-stop 5300 gmysql-nodnssec-both
+  - ./timestamp ./start-test-stop 5300 gmysql-both
+#FIXME 400, NSEC3 record synthesis for root zones is broken
+#  - ./timestamp ./start-test-stop 5300 gmysql-nsec3-both
+#  - ./timestamp ./start-test-stop 5300 gmysql-nsec3-optout-both
+#  - ./timestamp ./start-test-stop 5300 gmysql-nsec3-narrow
+
+  - ./timestamp ./start-test-stop 5300 gpgsql-nodnssec-both
+  - ./timestamp ./start-test-stop 5300 gpgsql-both
+#FIXME 400, NSEC3 record synthesis for root zones is broken
+#  - ./timestamp ./start-test-stop 5300 gpgsql-nsec3-both
+#  - ./timestamp ./start-test-stop 5300 gpgsql-nsec3-optout-both
+#  - ./timestamp ./start-test-stop 5300 gpgsql-nsec3-narrow
+
+  - ./timestamp ./start-test-stop 5300 gsqlite3-nodnssec-both
+  - ./timestamp ./start-test-stop 5300 gsqlite3-both
+#FIXME 400, NSEC3 record synthesis for root zones is broken
+#  - ./timestamp ./start-test-stop 5300 gsqlite3-nsec3-both
+#  - ./timestamp ./start-test-stop 5300 gsqlite3-nsec3-optout-both
+#  - ./timestamp ./start-test-stop 5300 gsqlite3-nsec3-narrow
+
+  - cd ..
 
   ### recursor ###
 
diff --git a/regression-tests.rootzone/.gitignore b/regression-tests.rootzone/.gitignore
new file mode 120000
index 0000000000..5b73940d36
--- /dev/null
+++ b/regression-tests.rootzone/.gitignore
@@ -0,0 +1 @@
+../regression-tests/.gitignore
\ No newline at end of file
diff --git a/regression-tests.rootzone/backends b/regression-tests.rootzone/backends
new file mode 120000
index 0000000000..7275f81cde
--- /dev/null
+++ b/regression-tests.rootzone/backends
@@ -0,0 +1 @@
+../regression-tests/backends
\ No newline at end of file
diff --git a/regression-tests.rootzone/check_stest_source b/regression-tests.rootzone/check_stest_source
new file mode 120000
index 0000000000..1cc76f2823
--- /dev/null
+++ b/regression-tests.rootzone/check_stest_source
@@ -0,0 +1 @@
+../regression-tests/check_stest_source
\ No newline at end of file
diff --git a/regression-tests.rootzone/cleandig b/regression-tests.rootzone/cleandig
new file mode 120000
index 0000000000..d840bc7cff
--- /dev/null
+++ b/regression-tests.rootzone/cleandig
@@ -0,0 +1 @@
+../regression-tests/cleandig
\ No newline at end of file
diff --git a/regression-tests.rootzone/ext b/regression-tests.rootzone/ext
new file mode 120000
index 0000000000..e09fce4c19
--- /dev/null
+++ b/regression-tests.rootzone/ext
@@ -0,0 +1 @@
+../regression-tests/ext
\ No newline at end of file
diff --git a/regression-tests.rootzone/modules b/regression-tests.rootzone/modules
new file mode 120000
index 0000000000..71550f37bf
--- /dev/null
+++ b/regression-tests.rootzone/modules
@@ -0,0 +1 @@
+../regression-tests/modules
\ No newline at end of file
diff --git a/regression-tests.rootzone/named.conf b/regression-tests.rootzone/named.conf
new file mode 100644
index 0000000000..544a05abdc
--- /dev/null
+++ b/regression-tests.rootzone/named.conf
@@ -0,0 +1,14 @@
+options {
+	directory "./zones/";
+	recursion no;
+	listen-on port 5300 {
+		127.0.0.1;
+	};
+	version "Meow!Meow!";
+	minimal-responses yes;
+};
+zone "."{
+	type master;
+	file "ROOT";
+};
+
diff --git a/regression-tests.rootzone/runtests b/regression-tests.rootzone/runtests
new file mode 120000
index 0000000000..79e015a2ea
--- /dev/null
+++ b/regression-tests.rootzone/runtests
@@ -0,0 +1 @@
+../regression-tests/runtests
\ No newline at end of file
diff --git a/regression-tests.rootzone/start-test-stop b/regression-tests.rootzone/start-test-stop
new file mode 120000
index 0000000000..b528ae3000
--- /dev/null
+++ b/regression-tests.rootzone/start-test-stop
@@ -0,0 +1 @@
+../regression-tests/start-test-stop
\ No newline at end of file
diff --git a/regression-tests.rootzone/tests/.gitignore b/regression-tests.rootzone/tests/.gitignore
new file mode 120000
index 0000000000..292559fbe5
--- /dev/null
+++ b/regression-tests.rootzone/tests/.gitignore
@@ -0,0 +1 @@
+../../regression-tests/tests/.gitignore
\ No newline at end of file
diff --git a/regression-tests.rootzone/tests/00dnssec-grabkeys/command b/regression-tests.rootzone/tests/00dnssec-grabkeys/command
new file mode 100755
index 0000000000..e001f9b04f
--- /dev/null
+++ b/regression-tests.rootzone/tests/00dnssec-grabkeys/command
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+rm -f trustedkeys
+rm -f unbound-host.conf
+
+for zone in $(grep 'zone ' named.conf  | cut -f2 -d\")
+do
+	if [ "${zone: 0:16}" != "secure-delegated" ]
+	then
+		drill -p $port -o rd -D dnskey $zone @$nameserver | grep $'DNSKEY\t257' | grep -v 'RRSIG' | grep -v '^;' | grep -v AwEAAarTiHhPgvD28WCN8UBXcEcf8f >> trustedkeys
+	fi
+	echo "stub-zone:" >> unbound-host.conf
+	echo "  name: $zone" >> unbound-host.conf
+	echo "  stub-addr: $nameserver@$port" >> unbound-host.conf
+	echo "" >> unbound-host.conf
+done
+
+echo "server:" >> unbound-host.conf
+echo "  do-not-query-address: 192.168.0.0/16" >> unbound-host.conf
+echo '  trust-anchor-file: "trustedkeys"' >> unbound-host.conf
+
+if [ -e trustedkeys ]
+then
+  cat trustedkeys | grep -c '.' # because wc -l is not portable enough!
+fi
diff --git a/regression-tests.rootzone/tests/00dnssec-grabkeys/description b/regression-tests.rootzone/tests/00dnssec-grabkeys/description
new file mode 100644
index 0000000000..4315650793
--- /dev/null
+++ b/regression-tests.rootzone/tests/00dnssec-grabkeys/description
@@ -0,0 +1 @@
+Grab DNSKEY records for validation testing.
diff --git a/regression-tests.rootzone/tests/00dnssec-grabkeys/expected_result b/regression-tests.rootzone/tests/00dnssec-grabkeys/expected_result
new file mode 100644
index 0000000000..573541ac97
--- /dev/null
+++ b/regression-tests.rootzone/tests/00dnssec-grabkeys/expected_result
@@ -0,0 +1 @@
+0
diff --git a/regression-tests.rootzone/tests/00dnssec-grabkeys/expected_result.dnssec b/regression-tests.rootzone/tests/00dnssec-grabkeys/expected_result.dnssec
new file mode 100644
index 0000000000..d00491fd7e
--- /dev/null
+++ b/regression-tests.rootzone/tests/00dnssec-grabkeys/expected_result.dnssec
@@ -0,0 +1 @@
+1
diff --git a/regression-tests.rootzone/tests/direct-ns/command b/regression-tests.rootzone/tests/direct-ns/command
new file mode 100755
index 0000000000..3051e14ce4
--- /dev/null
+++ b/regression-tests.rootzone/tests/direct-ns/command
@@ -0,0 +1 @@
+cleandig net NS
diff --git a/regression-tests.rootzone/tests/direct-ns/description b/regression-tests.rootzone/tests/direct-ns/description
new file mode 100644
index 0000000000..05a3732b82
--- /dev/null
+++ b/regression-tests.rootzone/tests/direct-ns/description
@@ -0,0 +1 @@
+NS query for an existing TLD should get an answer
diff --git a/regression-tests.rootzone/tests/direct-ns/expected_result b/regression-tests.rootzone/tests/direct-ns/expected_result
new file mode 100644
index 0000000000..80ae0833b2
--- /dev/null
+++ b/regression-tests.rootzone/tests/direct-ns/expected_result
@@ -0,0 +1,29 @@
+1	net.	IN	NS	172800	a.gtld-servers.net.
+1	net.	IN	NS	172800	b.gtld-servers.net.
+1	net.	IN	NS	172800	c.gtld-servers.net.
+1	net.	IN	NS	172800	d.gtld-servers.net.
+1	net.	IN	NS	172800	e.gtld-servers.net.
+1	net.	IN	NS	172800	f.gtld-servers.net.
+1	net.	IN	NS	172800	g.gtld-servers.net.
+1	net.	IN	NS	172800	h.gtld-servers.net.
+1	net.	IN	NS	172800	i.gtld-servers.net.
+1	net.	IN	NS	172800	j.gtld-servers.net.
+1	net.	IN	NS	172800	k.gtld-servers.net.
+1	net.	IN	NS	172800	l.gtld-servers.net.
+1	net.	IN	NS	172800	m.gtld-servers.net.
+2	a.gtld-servers.net.	IN	A	172800	192.5.6.30
+2	a.gtld-servers.net.	IN	AAAA	172800	2001:503:a83e::2:30
+2	b.gtld-servers.net.	IN	A	172800	192.33.14.30
+2	b.gtld-servers.net.	IN	AAAA	172800	2001:503:231d::2:30
+2	c.gtld-servers.net.	IN	A	172800	192.26.92.30
+2	d.gtld-servers.net.	IN	A	172800	192.31.80.30
+2	e.gtld-servers.net.	IN	A	172800	192.12.94.30
+2	f.gtld-servers.net.	IN	A	172800	192.35.51.30
+2	g.gtld-servers.net.	IN	A	172800	192.42.93.30
+2	h.gtld-servers.net.	IN	A	172800	192.54.112.30
+2	i.gtld-servers.net.	IN	A	172800	192.43.172.30
+2	j.gtld-servers.net.	IN	A	172800	192.48.79.30
+2	k.gtld-servers.net.	IN	A	172800	192.52.178.30
+2	l.gtld-servers.net.	IN	A	172800	192.41.162.30
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
+Reply to question for qname='net.', qtype=NS
diff --git a/regression-tests.rootzone/tests/direct-ns/expected_result.dnssec b/regression-tests.rootzone/tests/direct-ns/expected_result.dnssec
new file mode 100644
index 0000000000..c9dd9fe3a4
--- /dev/null
+++ b/regression-tests.rootzone/tests/direct-ns/expected_result.dnssec
@@ -0,0 +1,27 @@
+1	net.	IN	DS	86400	35886 8 2 7862b27f5f516ebe19680444d4ce5e762981931842c465f00236401d8bd973ee
+1	net.	IN	NS	172800	a.gtld-servers.net.
+1	net.	IN	NS	172800	b.gtld-servers.net.
+1	net.	IN	NS	172800	c.gtld-servers.net.
+1	net.	IN	NS	172800	d.gtld-servers.net.
+1	net.	IN	NS	172800	e.gtld-servers.net.
+1	net.	IN	NS	172800	f.gtld-servers.net.
+1	net.	IN	NS	172800	g.gtld-servers.net.
+1	net.	IN	NS	172800	h.gtld-servers.net.
+1	net.	IN	NS	172800	i.gtld-servers.net.
+1	net.	IN	NS	172800	j.gtld-servers.net.
+1	net.	IN	NS	172800	k.gtld-servers.net.
+1	net.	IN	NS	172800	l.gtld-servers.net.
+1	net.	IN	NS	172800	m.gtld-servers.net.
+2	a.gtld-servers.net.	IN	A	172800	192.5.6.30
+2	a.gtld-servers.net.	IN	AAAA	172800	2001:503:a83e::2:30
+2	b.gtld-servers.net.	IN	A	172800	192.33.14.30
+2	b.gtld-servers.net.	IN	AAAA	172800	2001:503:231d::2:30
+2	c.gtld-servers.net.	IN	A	172800	192.26.92.30
+2	d.gtld-servers.net.	IN	A	172800	192.31.80.30
+2	e.gtld-servers.net.	IN	A	172800	192.12.94.30
+2	f.gtld-servers.net.	IN	A	172800	192.35.51.30
+2	g.gtld-servers.net.	IN	A	172800	192.42.93.30
+2	h.gtld-servers.net.	IN	A	172800	192.54.112.30
+2	i.gtld-servers.net.	IN	A	172800	192.43.172.30
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
+Reply to question for qname='net.', qtype=NS
diff --git a/regression-tests.rootzone/tests/direct-root/command b/regression-tests.rootzone/tests/direct-root/command
new file mode 100755
index 0000000000..8d46ebf918
--- /dev/null
+++ b/regression-tests.rootzone/tests/direct-root/command
@@ -0,0 +1 @@
+cleandig . NS | LC_ALL=C sort
diff --git a/regression-tests.rootzone/tests/direct-root/description b/regression-tests.rootzone/tests/direct-root/description
new file mode 100644
index 0000000000..fe0b4a3f5f
--- /dev/null
+++ b/regression-tests.rootzone/tests/direct-root/description
@@ -0,0 +1 @@
+An NS query for the root should get a proper referral
diff --git a/regression-tests.rootzone/tests/direct-root/expected_result b/regression-tests.rootzone/tests/direct-root/expected_result
new file mode 100644
index 0000000000..865b5d1ff6
--- /dev/null
+++ b/regression-tests.rootzone/tests/direct-root/expected_result
@@ -0,0 +1,27 @@
+0	.	IN	NS	518400	a.root-servers.net.
+0	.	IN	NS	518400	b.root-servers.net.
+0	.	IN	NS	518400	c.root-servers.net.
+0	.	IN	NS	518400	d.root-servers.net.
+0	.	IN	NS	518400	e.root-servers.net.
+0	.	IN	NS	518400	f.root-servers.net.
+0	.	IN	NS	518400	g.root-servers.net.
+0	.	IN	NS	518400	h.root-servers.net.
+0	.	IN	NS	518400	i.root-servers.net.
+0	.	IN	NS	518400	j.root-servers.net.
+0	.	IN	NS	518400	k.root-servers.net.
+0	.	IN	NS	518400	l.root-servers.net.
+0	.	IN	NS	518400	m.root-servers.net.
+2	a.root-servers.net.	IN	A	518400	198.41.0.4
+2	a.root-servers.net.	IN	AAAA	518400	2001:503:ba3e::2:30
+2	b.root-servers.net.	IN	A	518400	192.228.79.201
+2	b.root-servers.net.	IN	AAAA	518400	2001:500:84::b
+2	c.root-servers.net.	IN	A	518400	192.33.4.12
+2	c.root-servers.net.	IN	AAAA	518400	2001:500:2::c
+2	d.root-servers.net.	IN	A	518400	199.7.91.13
+2	d.root-servers.net.	IN	AAAA	518400	2001:500:2d::d
+2	e.root-servers.net.	IN	A	518400	192.203.230.10
+2	f.root-servers.net.	IN	A	518400	192.5.5.241
+2	f.root-servers.net.	IN	AAAA	518400	2001:500:2f::f
+2	g.root-servers.net.	IN	A	518400	192.112.36.4
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='.', qtype=NS
diff --git a/regression-tests.rootzone/tests/nx-2ld/command b/regression-tests.rootzone/tests/nx-2ld/command
new file mode 100755
index 0000000000..1830ecdb9d
--- /dev/null
+++ b/regression-tests.rootzone/tests/nx-2ld/command
@@ -0,0 +1 @@
+cleandig com NS
diff --git a/regression-tests.rootzone/tests/nx-2ld/description b/regression-tests.rootzone/tests/nx-2ld/description
new file mode 100644
index 0000000000..ad79cd7c37
--- /dev/null
+++ b/regression-tests.rootzone/tests/nx-2ld/description
@@ -0,0 +1 @@
+An NS query for a non-existing second-level domain should be NXDOMAIN
diff --git a/regression-tests.rootzone/tests/nx-2ld/expected_result b/regression-tests.rootzone/tests/nx-2ld/expected_result
new file mode 100644
index 0000000000..270b1028e9
--- /dev/null
+++ b/regression-tests.rootzone/tests/nx-2ld/expected_result
@@ -0,0 +1,3 @@
+1	.	IN	SOA	86400	a.root-servers.net. nstld.verisign-grs.com. 2016021600 1800 900 604800 86400
+Rcode: 3 (Non-Existent domain), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='com.', qtype=NS
diff --git a/regression-tests.rootzone/tests/ref-3ld/command b/regression-tests.rootzone/tests/ref-3ld/command
new file mode 100755
index 0000000000..9284a40dea
--- /dev/null
+++ b/regression-tests.rootzone/tests/ref-3ld/command
@@ -0,0 +1 @@
+cleandig some-host.domain.net A
diff --git a/regression-tests.rootzone/tests/ref-3ld/description b/regression-tests.rootzone/tests/ref-3ld/description
new file mode 100644
index 0000000000..a8e683acd0
--- /dev/null
+++ b/regression-tests.rootzone/tests/ref-3ld/description
@@ -0,0 +1 @@
+An A query for a 3rd level domain name should result in a referral
diff --git a/regression-tests.rootzone/tests/ref-3ld/expected_result b/regression-tests.rootzone/tests/ref-3ld/expected_result
new file mode 100644
index 0000000000..985face41f
--- /dev/null
+++ b/regression-tests.rootzone/tests/ref-3ld/expected_result
@@ -0,0 +1,28 @@
+1	net.	IN	NS	172800	a.gtld-servers.net.
+1	net.	IN	NS	172800	b.gtld-servers.net.
+1	net.	IN	NS	172800	c.gtld-servers.net.
+1	net.	IN	NS	172800	d.gtld-servers.net.
+1	net.	IN	NS	172800	e.gtld-servers.net.
+1	net.	IN	NS	172800	f.gtld-servers.net.
+1	net.	IN	NS	172800	g.gtld-servers.net.
+1	net.	IN	NS	172800	h.gtld-servers.net.
+1	net.	IN	NS	172800	i.gtld-servers.net.
+1	net.	IN	NS	172800	j.gtld-servers.net.
+1	net.	IN	NS	172800	k.gtld-servers.net.
+1	net.	IN	NS	172800	l.gtld-servers.net.
+1	net.	IN	NS	172800	m.gtld-servers.net.
+2	a.gtld-servers.net.	IN	A	172800	192.5.6.30
+2	a.gtld-servers.net.	IN	AAAA	172800	2001:503:a83e::2:30
+2	b.gtld-servers.net.	IN	A	172800	192.33.14.30
+2	b.gtld-servers.net.	IN	AAAA	172800	2001:503:231d::2:30
+2	c.gtld-servers.net.	IN	A	172800	192.26.92.30
+2	d.gtld-servers.net.	IN	A	172800	192.31.80.30
+2	e.gtld-servers.net.	IN	A	172800	192.12.94.30
+2	f.gtld-servers.net.	IN	A	172800	192.35.51.30
+2	g.gtld-servers.net.	IN	A	172800	192.42.93.30
+2	h.gtld-servers.net.	IN	A	172800	192.54.112.30
+2	i.gtld-servers.net.	IN	A	172800	192.43.172.30
+2	j.gtld-servers.net.	IN	A	172800	192.48.79.30
+2	k.gtld-servers.net.	IN	A	172800	192.52.178.30
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
+Reply to question for qname='some-host.domain.net.', qtype=A
diff --git a/regression-tests.rootzone/tests/ref-3ld/expected_result.dnssec b/regression-tests.rootzone/tests/ref-3ld/expected_result.dnssec
new file mode 100644
index 0000000000..0e240a7ac3
--- /dev/null
+++ b/regression-tests.rootzone/tests/ref-3ld/expected_result.dnssec
@@ -0,0 +1,26 @@
+1	net.	IN	DS	86400	35886 8 2 7862b27f5f516ebe19680444d4ce5e762981931842c465f00236401d8bd973ee
+1	net.	IN	NS	172800	a.gtld-servers.net.
+1	net.	IN	NS	172800	b.gtld-servers.net.
+1	net.	IN	NS	172800	c.gtld-servers.net.
+1	net.	IN	NS	172800	d.gtld-servers.net.
+1	net.	IN	NS	172800	e.gtld-servers.net.
+1	net.	IN	NS	172800	f.gtld-servers.net.
+1	net.	IN	NS	172800	g.gtld-servers.net.
+1	net.	IN	NS	172800	h.gtld-servers.net.
+1	net.	IN	NS	172800	i.gtld-servers.net.
+1	net.	IN	NS	172800	j.gtld-servers.net.
+1	net.	IN	NS	172800	k.gtld-servers.net.
+1	net.	IN	NS	172800	l.gtld-servers.net.
+1	net.	IN	NS	172800	m.gtld-servers.net.
+2	a.gtld-servers.net.	IN	A	172800	192.5.6.30
+2	a.gtld-servers.net.	IN	AAAA	172800	2001:503:a83e::2:30
+2	b.gtld-servers.net.	IN	A	172800	192.33.14.30
+2	b.gtld-servers.net.	IN	AAAA	172800	2001:503:231d::2:30
+2	c.gtld-servers.net.	IN	A	172800	192.26.92.30
+2	d.gtld-servers.net.	IN	A	172800	192.31.80.30
+2	e.gtld-servers.net.	IN	A	172800	192.12.94.30
+2	f.gtld-servers.net.	IN	A	172800	192.35.51.30
+2	g.gtld-servers.net.	IN	A	172800	192.42.93.30
+2	h.gtld-servers.net.	IN	A	172800	192.54.112.30
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
+Reply to question for qname='some-host.domain.net.', qtype=A
diff --git a/regression-tests.rootzone/tests/verify-dnssec-zone/command b/regression-tests.rootzone/tests/verify-dnssec-zone/command
new file mode 100755
index 0000000000..70fe36d31e
--- /dev/null
+++ b/regression-tests.rootzone/tests/verify-dnssec-zone/command
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+for zone in $(grep 'zone ' named.conf  | cut -f2 -d\" | grep -v '^\(example.com\|nztest.com\)$')
+do
+	TFILE=$(mktemp tmp.XXXXXXXXXX)
+	drill -p $port axfr $zone @$nameserver | ldns-read-zone -z > $TFILE
+	for validator in "ldns-verify-zone -V2" named-checkzone
+	do
+		echo --- $validator $zone
+		if [ "$validator" = "named-checkzone" ]
+		then
+			named-checkzone -i local $zone $TFILE 2>&1 | grep -v 'addnode: NSEC node already exists'
+		else
+			if [ ! -e ${testsdir}/${testname}/allow-missing ] || [[ $(type -P "$validator") ]]
+			then
+				$validator $TFILE 2>&1
+			else
+				#fake output for missing validators
+				if [ "$validator" = "jdnssec-verifyzone" ]
+				then
+					echo zone verified.
+				fi
+			fi
+		fi
+		RETVAL=$?
+		echo RETVAL: $RETVAL
+		if [ $RETVAL -gt 0 ] && { [[ $validator != ldns-verify-zone* ]] || { [[ $skipreasons != *nsec3* ]] && [[ $skipreasons != *optout* ]]; }; }
+		then
+			echo $validator reported error, full zone content:
+			echo ---
+			cat $TFILE
+			echo --- end of zone content
+		fi
+		echo
+	done
+	
+	rm -f $TFILE
+done
diff --git a/regression-tests.rootzone/tests/verify-dnssec-zone/description b/regression-tests.rootzone/tests/verify-dnssec-zone/description
new file mode 100644
index 0000000000..0e96b687e4
--- /dev/null
+++ b/regression-tests.rootzone/tests/verify-dnssec-zone/description
@@ -0,0 +1 @@
+AXFR all zones except the big example.com, and test them with ldns-verify-zone
diff --git a/regression-tests.rootzone/tests/verify-dnssec-zone/expected_result b/regression-tests.rootzone/tests/verify-dnssec-zone/expected_result
new file mode 100644
index 0000000000..707f17d149
--- /dev/null
+++ b/regression-tests.rootzone/tests/verify-dnssec-zone/expected_result
@@ -0,0 +1,8 @@
+--- ldns-verify-zone -V2 .
+RETVAL: 0
+
+--- named-checkzone .
+zone ./IN: loaded serial 2016021600 (DNSSEC signed)
+OK
+RETVAL: 0
+
diff --git a/regression-tests.rootzone/tests/verify-dnssec-zone/skip.narrow b/regression-tests.rootzone/tests/verify-dnssec-zone/skip.narrow
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/regression-tests.rootzone/tests/verify-dnssec-zone/skip.nodnssec b/regression-tests.rootzone/tests/verify-dnssec-zone/skip.nodnssec
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/regression-tests.rootzone/tests/verify-dnssec-zone/skip.oracle-nsec b/regression-tests.rootzone/tests/verify-dnssec-zone/skip.oracle-nsec
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/regression-tests.rootzone/tests/verify-dnssec-zone/skip.oracle-nsec3 b/regression-tests.rootzone/tests/verify-dnssec-zone/skip.oracle-nsec3
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/regression-tests.rootzone/timestamp b/regression-tests.rootzone/timestamp
new file mode 120000
index 0000000000..04073d98d1
--- /dev/null
+++ b/regression-tests.rootzone/timestamp
@@ -0,0 +1 @@
+../regression-tests/timestamp
\ No newline at end of file
diff --git a/regression-tests.rootzone/totar b/regression-tests.rootzone/totar
new file mode 120000
index 0000000000..1b62347edd
--- /dev/null
+++ b/regression-tests.rootzone/totar
@@ -0,0 +1 @@
+../regression-tests/totar
\ No newline at end of file
diff --git a/regression-tests.rootzone/toxml b/regression-tests.rootzone/toxml
new file mode 120000
index 0000000000..683d375a11
--- /dev/null
+++ b/regression-tests.rootzone/toxml
@@ -0,0 +1 @@
+../regression-tests/toxml
\ No newline at end of file
diff --git a/regression-tests.rootzone/zones/.gitignore b/regression-tests.rootzone/zones/.gitignore
new file mode 100644
index 0000000000..82dc9a0b3a
--- /dev/null
+++ b/regression-tests.rootzone/zones/.gitignore
@@ -0,0 +1 @@
+*-slave
diff --git a/regression-tests.rootzone/zones/ROOT b/regression-tests.rootzone/zones/ROOT
new file mode 100644
index 0000000000..7dbcc89263
--- /dev/null
+++ b/regression-tests.rootzone/zones/ROOT
@@ -0,0 +1,70 @@
+.			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2016021600 1800 900 604800 86400
+.			518400	IN	NS	a.root-servers.net.
+.			518400	IN	NS	b.root-servers.net.
+.			518400	IN	NS	c.root-servers.net.
+.			518400	IN	NS	d.root-servers.net.
+.			518400	IN	NS	e.root-servers.net.
+.			518400	IN	NS	f.root-servers.net.
+.			518400	IN	NS	g.root-servers.net.
+.			518400	IN	NS	h.root-servers.net.
+.			518400	IN	NS	i.root-servers.net.
+.			518400	IN	NS	j.root-servers.net.
+.			518400	IN	NS	k.root-servers.net.
+.			518400	IN	NS	l.root-servers.net.
+.			518400	IN	NS	m.root-servers.net.
+
+a.root-servers.net.	518400	IN	A	198.41.0.4
+a.root-servers.net.	518400	IN	AAAA	2001:503:ba3e:0:0:0:2:30
+b.root-servers.net.	518400	IN	A	192.228.79.201
+b.root-servers.net.	518400	IN	AAAA	2001:500:84:0:0:0:0:b
+c.root-servers.net.	518400	IN	A	192.33.4.12
+c.root-servers.net.	518400	IN	AAAA	2001:500:2:0:0:0:0:c
+d.root-servers.net.	518400	IN	A	199.7.91.13
+d.root-servers.net.	518400	IN	AAAA	2001:500:2d:0:0:0:0:d
+e.root-servers.net.	518400	IN	A	192.203.230.10
+f.root-servers.net.	518400	IN	A	192.5.5.241
+f.root-servers.net.	518400	IN	AAAA	2001:500:2f:0:0:0:0:f
+g.root-servers.net.	518400	IN	A	192.112.36.4
+h.root-servers.net.	518400	IN	A	198.97.190.53
+h.root-servers.net.	518400	IN	AAAA	2001:500:1:0:0:0:0:53
+i.root-servers.net.	518400	IN	A	192.36.148.17
+i.root-servers.net.	518400	IN	AAAA	2001:7fe:0:0:0:0:0:53
+j.root-servers.net.	518400	IN	A	192.58.128.30
+j.root-servers.net.	518400	IN	AAAA	2001:503:c27:0:0:0:2:30
+k.root-servers.net.	518400	IN	A	193.0.14.129
+k.root-servers.net.	518400	IN	AAAA	2001:7fd:0:0:0:0:0:1
+l.root-servers.net.	518400	IN	A	199.7.83.42
+l.root-servers.net.	518400	IN	AAAA	2001:500:3:0:0:0:0:42
+m.root-servers.net.	518400	IN	A	202.12.27.33
+m.root-servers.net.	518400	IN	AAAA	2001:dc3:0:0:0:0:0:35
+
+net.			172800	IN	NS	a.gtld-servers.net.
+net.			172800	IN	NS	b.gtld-servers.net.
+net.			172800	IN	NS	c.gtld-servers.net.
+net.			172800	IN	NS	d.gtld-servers.net.
+net.			172800	IN	NS	e.gtld-servers.net.
+net.			172800	IN	NS	f.gtld-servers.net.
+net.			172800	IN	NS	g.gtld-servers.net.
+net.			172800	IN	NS	h.gtld-servers.net.
+net.			172800	IN	NS	i.gtld-servers.net.
+net.			172800	IN	NS	j.gtld-servers.net.
+net.			172800	IN	NS	k.gtld-servers.net.
+net.			172800	IN	NS	l.gtld-servers.net.
+net.			172800	IN	NS	m.gtld-servers.net.
+net.			86400	IN	DS	35886 8 2 7862B27F5F516EBE19680444D4CE5E762981931842C465F00236401D8BD973EE
+
+a.gtld-servers.net.	172800	IN	A	192.5.6.30
+a.gtld-servers.net.	172800	IN	AAAA	2001:503:a83e:0:0:0:2:30
+b.gtld-servers.net.	172800	IN	A	192.33.14.30
+b.gtld-servers.net.	172800	IN	AAAA	2001:503:231d:0:0:0:2:30
+c.gtld-servers.net.	172800	IN	A	192.26.92.30
+d.gtld-servers.net.	172800	IN	A	192.31.80.30
+e.gtld-servers.net.	172800	IN	A	192.12.94.30
+f.gtld-servers.net.	172800	IN	A	192.35.51.30
+g.gtld-servers.net.	172800	IN	A	192.42.93.30
+h.gtld-servers.net.	172800	IN	A	192.54.112.30
+i.gtld-servers.net.	172800	IN	A	192.43.172.30
+j.gtld-servers.net.	172800	IN	A	192.48.79.30
+k.gtld-servers.net.	172800	IN	A	192.52.178.30
+l.gtld-servers.net.	172800	IN	A	192.41.162.30
+m.gtld-servers.net.	172800	IN	A	192.55.83.30
diff --git a/regression-tests/backends/bind-master b/regression-tests/backends/bind-master
index 19ed1620c2..04c9d125ed 100644
--- a/regression-tests/backends/bind-master
+++ b/regression-tests/backends/bind-master
@@ -65,6 +65,10 @@ __EOF__
 			then
 				$PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone '1 1 1 abcd' narrow 2>&1
 			fi
+			if [ "$zone" = "tsig.com" ]; then
+				$PDNSUTIL --config-dir=. --config-name=bind import-tsig-key test $ALGORITHM $KEY
+				$PDNSUTIL --config-dir=. --config-name=bind activate-tsig-key tsig.com test master
+			fi
 		done
 
 		if [ $context = bind-dnssec-nsec3 ] || [ $context = bind-hybrid-nsec3 ]
@@ -84,9 +88,6 @@ __EOF__
 			skipreasons="nodyndns"
 		fi
 
-		$PDNSUTIL --config-dir=. --config-name=bind import-tsig-key test $ALGORITHM $KEY
-		$PDNSUTIL --config-dir=. --config-name=bind activate-tsig-key tsig.com test master
-
 		$RUNWRAPPER $PDNS --daemon=no --local-port=$port --config-dir=. \
 			--config-name=bind --socket-dir=./ --no-shuffle \
 			--cache-ttl=$cachettl --dname-processing \
diff --git a/regression-tests/backends/bind-slave b/regression-tests/backends/bind-slave
index 91d36040f6..c9a7992727 100644
--- a/regression-tests/backends/bind-slave
+++ b/regression-tests/backends/bind-slave
@@ -3,6 +3,9 @@
 
 	for zone in $(grep 'zone ' named.conf  | cut -f2 -d\")
 	do
+		if [ "$zone" = "." ]; then
+			zone="ROOT"
+		fi
 		rm -rf zones/$zone-slave
 	done
 
@@ -14,8 +17,11 @@
 	echo $skipreasons | grep -q nodnssec
 	if [ $? -ne 0 ]
 	then
-		sqlite3 dnssec-slave.sqlite3 "INSERT INTO tsigkeys (name, algorithm,secret) VALUES('test', '$ALGORITHM', '$KEY')"
-		sqlite3 dnssec-slave.sqlite3 "INSERT INTO domainmetadata (domain, kind, content) SELECT 'tsig.com', 'AXFR-MASTER-TSIG', 'test'"
+		sqlite3 dnssec-slave.sqlite3 "select name from domains where name = 'tsig.com'" | grep -q tsig.com
+		if [ $? -ne 0 ]; then
+			sqlite3 dnssec-slave.sqlite3 "INSERT INTO tsigkeys (name, algorithm,secret) VALUES('test', '$ALGORITHM', '$KEY')"
+			sqlite3 dnssec-slave.sqlite3 "INSERT INTO domainmetadata (domain, kind, content) SELECT 'tsig.com', 'AXFR-MASTER-TSIG', 'test'"
+		fi
 		echo $skipreasons | grep -q nolua
 		if [ $? -ne 0 ]
 		then
diff --git a/regression-tests/backends/gmysql-slave b/regression-tests/backends/gmysql-slave
index 5f4856f172..3ce84f19da 100644
--- a/regression-tests/backends/gmysql-slave
+++ b/regression-tests/backends/gmysql-slave
@@ -29,15 +29,17 @@ __EOF__
 	do
 		mysql --user="$GMYSQL2USER" --password="$GMYSQL2PASSWD" --host="$GMYSQL2HOST" \
 			"$GMYSQL2DB" -e "INSERT INTO domains (name, type, master) VALUES('$zone','SLAVE','127.0.0.1:$port')"
+		if [ "$zone" = "tsig.com" ]; then
+			$PDNSUTIL --config-dir=. --config-name=gmysql2 import-tsig-key test $ALGORITHM $KEY
+			$PDNSUTIL --config-dir=. --config-name=gmysql2 activate-tsig-key tsig.com test slave
+		fi
+		if [ "$zone" = "stest.com" ]; then
+			if [[ $skipreasons != *nolua* ]]; then
+				$PDNSUTIL --config-dir=. --config-name=gmysql2 set-meta stest.com AXFR-SOURCE 127.0.0.2
+			fi
+		fi
 	done
 
-	$PDNSUTIL --config-dir=. --config-name=gmysql2 import-tsig-key test $ALGORITHM $KEY
-	$PDNSUTIL --config-dir=. --config-name=gmysql2 activate-tsig-key tsig.com test slave
-	if [[ $skipreasons != *nolua* ]]
-	then
-		$PDNSUTIL --config-dir=. --config-name=gmysql2 set-meta stest.com AXFR-SOURCE 127.0.0.2
-	fi
-
 	port=$((port+100))
 
 	$RUNWRAPPER $PDNS2 --daemon=no --local-port=$port --config-dir=. \
diff --git a/regression-tests/backends/godbc_mssql-slave b/regression-tests/backends/godbc_mssql-slave
index 7905dd76c5..8a16b1bc66 100644
--- a/regression-tests/backends/godbc_mssql-slave
+++ b/regression-tests/backends/godbc_mssql-slave
@@ -16,15 +16,17 @@ __EOF__
 	for zone in $(grep 'zone ' named.conf  | cut -f2 -d\" | tac)
 	do
 		echo "INSERT INTO domains (name, type, master) VALUES('$zone','SLAVE','127.0.0.1:$port');" | $ISQL -b
+		if [ "$zone" = "tsig.com" ]; then
+			../pdns/pdnssec --config-dir=. --config-name=godbc2 import-tsig-key test $ALGORITHM $KEY
+			../pdns/pdnssec --config-dir=. --config-name=godbc2 activate-tsig-key tsig.com test slave
+		fi
+		if [ "$zone" = "stest.com" ]; then
+			if [[ $skipreasons != *nolua* ]]; then
+				$PDNSUTIL --config-dir=. --config-name=gmysql2 set-meta stest.com AXFR-SOURCE 127.0.0.2
+			fi
+		fi
 	done
 
-	../pdns/pdnssec --config-dir=. --config-name=godbc2 import-tsig-key test $ALGORITHM $KEY
-	../pdns/pdnssec --config-dir=. --config-name=godbc2 activate-tsig-key tsig.com test slave
-	if [[ $skipreasons != *nolua* ]]
-	then
-		../pdns/pdnssec --config-dir=. --config-name=godbc2 set-meta stest.com AXFR-SOURCE 127.0.0.2
-	fi
-
 	port=$((port+100))
 
 	$RUNWRAPPER $PDNS2 --daemon=no --local-port=$port --config-dir=. \
diff --git a/regression-tests/backends/gpgsql-slave b/regression-tests/backends/gpgsql-slave
index 903c3dbc80..bbeb81298f 100644
--- a/regression-tests/backends/gpgsql-slave
+++ b/regression-tests/backends/gpgsql-slave
@@ -23,15 +23,17 @@ __EOF__
 		psql --user="$GPGSQL2USER" \
 		-c "INSERT INTO domains (name, type, master) VALUES('$zone','SLAVE','127.0.0.1:$port')" \
 		"$GPGSQL2DB"
+		if [ "$zone" = "tsig.com" ]; then
+			$PDNSUTIL --config-dir=. --config-name=gpgsql2 import-tsig-key test $ALGORITHM $KEY
+			$PDNSUTIL --config-dir=. --config-name=gpgsql2 activate-tsig-key tsig.com test slave
+		fi
+		if [ "$zone" = "stest.com" ]; then
+			if [[ $skipreasons != *nolua* ]]; then
+				$PDNSUTIL --config-dir=. --config-name=gmysql2 set-meta stest.com AXFR-SOURCE 127.0.0.2
+			fi
+		fi
 	done
 
-	$PDNSUTIL --config-dir=. --config-name=gpgsql2 import-tsig-key test $ALGORITHM $KEY
-	$PDNSUTIL --config-dir=. --config-name=gpgsql2 activate-tsig-key tsig.com test slave
-	if [[ $skipreasons != *nolua* ]]
-	then
-		$PDNSUTIL --config-dir=. --config-name=gpgsql2 set-meta stest.com AXFR-SOURCE 127.0.0.2
-	fi
-
 	port=$((port+100))
 
 	$RUNWRAPPER $PDNS2 --daemon=no --local-port=$port --config-dir=. \
diff --git a/regression-tests/backends/gsql-common b/regression-tests/backends/gsql-common
index 99f1d3d4de..a2e3b45ba6 100644
--- a/regression-tests/backends/gsql-common
+++ b/regression-tests/backends/gsql-common
@@ -28,10 +28,12 @@ gsql_master()
 		else
 			$PDNSUTIL --config-dir=. --config-name=$backend rectify-zone $zone 2>&1
 		fi
+		if [ "$zone" = "tsig.com" ]; then
+			$PDNSUTIL --config-dir=. --config-name=$backend import-tsig-key test $ALGORITHM $KEY
+			$PDNSUTIL --config-dir=. --config-name=$backend activate-tsig-key tsig.com test master
+		fi
 	done
 
-	$PDNSUTIL --config-dir=. --config-name=$backend import-tsig-key test $ALGORITHM $KEY
-	$PDNSUTIL --config-dir=. --config-name=$backend activate-tsig-key tsig.com test master
 
 	$RUNWRAPPER $PDNS --daemon=no --local-port=$port --config-dir=. \
 		--config-name=$backend --socket-dir=./ --no-shuffle \
diff --git a/regression-tests/backends/gsqlite3-slave b/regression-tests/backends/gsqlite3-slave
index f7f8c450b5..cfa7ffaa76 100644
--- a/regression-tests/backends/gsqlite3-slave
+++ b/regression-tests/backends/gsqlite3-slave
@@ -17,15 +17,17 @@ __EOF__
 	for zone in $(grep 'zone ' named.conf  | cut -f2 -d\" | perl -e 'print reverse <STDIN>')
 	do
 		sqlite3 pdns.sqlite32 "INSERT INTO domains (name, type, master) VALUES('$zone','SLAVE','127.0.0.1:$port');"
+		if [ "$zone" = "tsig.com" ]; then
+			$PDNSUTIL --config-dir=. --config-name=gsqlite32 import-tsig-key test $ALGORITHM $KEY
+			$PDNSUTIL --config-dir=. --config-name=gsqlite32 activate-tsig-key tsig.com test slave
+		fi
+		if [ "$zone" = "stest.com" ]; then
+			if [[ $skipreasons != *nolua* ]]; then
+				$PDNSUTIL --config-dir=. --config-name=gmysql2 set-meta stest.com AXFR-SOURCE 127.0.0.2
+			fi
+		fi
 	done
 
-	$PDNSUTIL --config-dir=. --config-name=gsqlite32 import-tsig-key test $ALGORITHM $KEY
-	$PDNSUTIL --config-dir=. --config-name=gsqlite32 activate-tsig-key tsig.com test slave
-	if [[ $skipreasons != *nolua* ]]
-	then
-		$PDNSUTIL --config-dir=. --config-name=gsqlite32 set-meta stest.com AXFR-SOURCE 127.0.0.2
-	fi
-
 	port=$((port+100))
 
 	$RUNWRAPPER $PDNS2 --daemon=no --local-port=$port --config-dir=. \