From: Peter van Dijk <peter.van.dijk@netherlabs.nl>
Date: Mon, 29 Oct 2012 11:15:09 +0000 (+0000)
Subject: various fixes related to the interaction between CNAMEs, wilcards, ANY queries and... 
X-Git-Tag: auth-3.2-rc1~57
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c5c4fbdcfb172bec1803d4dbcdceb622c965c385;p=thirdparty%2Fpdns.git

various fixes related to the interaction between CNAMEs, wilcards, ANY queries and NSEC(3), by Kees Monshouwer

git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@2825 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---

diff --git a/modules/tinydnsbackend/data b/modules/tinydnsbackend/data
index 382eeacd60..27fac43f5b 100644
--- a/modules/tinydnsbackend/data
+++ b/modules/tinydnsbackend/data
@@ -20029,6 +20029,7 @@ Cloop3.example.com:loop1.example.com.:120
 :multitext.example.com:16:\015text\040part\040one\015text\040part\040two\017text\040part\040three:120
 +ns1.example.com:192.168.1.1:120
 +ns2.example.com:192.168.1.2:120
+Cnxd.example.com:nxdomain.example.com.:120
 +outpost.example.com:192.168.2.1:120
 Csemi-external.example.com:bla.something.wtest.com.:120
 Cserver1.example.com:server1.france.example.com.:120
@@ -20036,6 +20037,7 @@ Cserver1.example.com:server1.france.example.com.:120
 +smtp-servers.example.com:192.168.0.3:120
 +smtp-servers.example.com:192.168.0.4:120
 Csmtp1.example.com:outpost.example.com.:120
+Cstart.example.com:x.y.z.w1.example.com.:120
 Cstart1.example.com:start2.example.com.:120
 Cstart2.example.com:start3.example.com.:120
 Cstart3.example.com:start4.example.com.:120
@@ -20118,10 +20120,16 @@ Cstart3.example.com:start4.example.com.:120
 +toomuchinfo-b.example.com:192.168.99.88:120
 +toomuchinfo-b.example.com:192.168.99.89:120
 +toomuchinfo-b.example.com:192.168.99.90:120
+Cunauth.example.com:no-idea.example.org.:120
 &usa.example.com::usa-ns1.usa.example.com.:120
 &usa.example.com::usa-ns2.usa.example.com.:120
 +usa-ns1.usa.example.com:192.168.4.1:120
 +usa-ns2.usa.example.com:192.168.4.2:120
+C\052.w1.example.com:x.y.z.w2.example.com.:120
+C\052.w2.example.com:x.y.z.w3.example.com.:120
+C\052.w3.example.com:x.y.z.w4.example.com.:120
+C\052.w4.example.com:x.y.z.w5.example.com.:120
++\052.w5.example.com:1.2.3.5:120
 Cwww.example.com:outpost.example.com.:120
 #2005092501 auto axfr-get
 Ztest.com:ns1.test.com.:ahu.example.com.:2005092501:28800:7200:604800:86400:3600
diff --git a/modules/tinydnsbackend/data.cdb b/modules/tinydnsbackend/data.cdb
index e73ef68fd2..e77a5dfde8 100644
Binary files a/modules/tinydnsbackend/data.cdb and b/modules/tinydnsbackend/data.cdb differ
diff --git a/pdns/dnspacket.cc b/pdns/dnspacket.cc
index 44fde37fe7..f732ec4bb8 100644
--- a/pdns/dnspacket.cc
+++ b/pdns/dnspacket.cc
@@ -304,7 +304,7 @@ void DNSPacket::wrapup()
               drc->toPacket(pw);
         if(pw.size() + 20U > (d_tcp ? 65535 : getMaxReplyLen())) { // 20 = room for EDNS0
           pw.rollback();
-          if(pos->d_place == DNSResourceRecord::ANSWER) {
+          if(pos->d_place == DNSResourceRecord::ANSWER || pos->d_place == DNSResourceRecord::AUTHORITY) {
             pw.getHeader()->tc=1;
           }
           goto noCommit;
diff --git a/pdns/nsec3dig.cc b/pdns/nsec3dig.cc
index ac7ec94337..dd5c58da79 100644
--- a/pdns/nsec3dig.cc
+++ b/pdns/nsec3dig.cc
@@ -82,12 +82,32 @@ try
   pw.addOpt(2800, 0, EDNSOpts::DNSSECOK);
   pw.commit();
 
-  Socket sock(InterNetwork, Datagram);
+  Socket sock(InterNetwork, Stream);
   ComboAddress dest(argv[1] + (*argv[1]=='@'), atoi(argv[2]));
-  sock.sendTo(string((char*)&*packet.begin(), (char*)&*packet.end()), dest);
+  sock.connect(dest);
+  uint16_t len;
+  len = htons(packet.size());
+  if(sock.write((char *) &len, 2) != 2)
+    throw AhuException("tcp write failed");
+
+  sock.writen(string((char*)&*packet.begin(), (char*)&*packet.end()));
   
-  string reply;
-  sock.recvFrom(reply, dest);
+  if(sock.read((char *) &len, 2) != 2)
+    throw AhuException("tcp read failed");
+
+  len=ntohs(len);
+  char *creply = new char[len];
+  int n=0;
+  int numread;
+  while(n<len) {
+    numread=sock.read(creply+n, len-n);
+    if(numread<0)
+      throw AhuException("tcp read failed");
+    n+=numread;
+  }
+
+  string reply(creply, len);
+  delete[] creply;
 
   MOADNSParser mdp(reply);
   cout<<"Reply to question for qname='"<<mdp.d_qname<<"', qtype="<<DNSRecordContent::NumberToType(mdp.d_qtype)<<endl;
@@ -117,8 +137,13 @@ try
     else
     {
       // cerr<<"namesseen.insert('"<<i->first.d_label<<"')"<<endl;
-      names.insert(i->first.d_label);
-      namesseen.insert(i->first.d_label);
+      names.insert(stripDot(i->first.d_label));
+      namesseen.insert(stripDot(i->first.d_label));
+    }
+
+    if(i->first.d_type == QType::CNAME)
+    {
+      namesseen.insert(stripDot(i->first.d_content->getZoneRepresentation()));
     }
 
     cout<<i->first.d_place-1<<"\t"<<i->first.d_label<<"\tIN\t"<<DNSRecordContent::NumberToType(i->first.d_type);
@@ -139,6 +164,7 @@ try
   cout<<"== nsec3 prove/deny report follows =="<<endl;
   set<string> proven;
   set<string> denied;
+  namesseen.insert(stripDot(qname));
   BOOST_FOREACH(string n, namesseen)
   {
     string shorter(n);
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 05237c6df9..fa282f3088 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -486,18 +486,18 @@ void PacketHandler::emitNSEC3(const NSEC3PARAMRecordContent& ns3prc, const SOADa
    mode 4 = Name Error Responses
    mode 5 = ANY or direct NSEC request
 */
-void PacketHandler::addNSECX(DNSPacket *p, DNSPacket *r, const string& target, const string& target3, const string& auth, int mode)
+void PacketHandler::addNSECX(DNSPacket *p, DNSPacket *r, const string& target, const string& wildcard, const string& auth, int mode)
 {
   NSEC3PARAMRecordContent ns3rc;
   // cerr<<"Doing NSEC3PARAM lookup for '"<<auth<<"', "<<p->qdomain<<"|"<<p->qtype.getName()<<": ";
   bool narrow;
   if(d_dk.getNSEC3PARAM(auth, &ns3rc, &narrow))  {
     // cerr<<"Present, narrow="<<narrow<<endl;
-    addNSEC3(p, r, target3, auth, ns3rc, narrow, mode);
+    addNSEC3(p, r, target, wildcard, auth, ns3rc, narrow, mode);
   }
   else {
     // cerr<<"Not present"<<endl;
-    addNSEC(p, r, target, auth, mode);
+    addNSEC(p, r, target, wildcard, auth, mode);
   }
 }
 
@@ -554,9 +554,9 @@ bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hash
   return ret;
 }
 
-void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, const string& auth, const NSEC3PARAMRecordContent& ns3rc, bool narrow, int mode)
+void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, const string& wildcard, const string& auth, const NSEC3PARAMRecordContent& ns3rc, bool narrow, int mode)
 {
-  // L<<"mode="<<mode<<" target="<<target<<" auth="<<auth<<endl;
+  // L<<"mode="<<mode<<" target="<<target<<" wildcard="<<wildcard<<" auth="<<auth<<endl;
   
   SOAData sd;
   sd.db = (DNSBackend*)-1;
@@ -565,8 +565,9 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
     return;
   }
   // cerr<<"salt in ph: '"<<makeHexDump(ns3rc.d_salt)<<"', narrow="<<narrow<<endl;
+  
   string unhashed, hashed, before, after;
-  string closest(target);
+  string closest=(mode == 3 || mode == 4) ? wildcard : target;
   
   if (mode == 2 || mode == 3 || mode == 4) {
     chopOff(closest);
@@ -585,12 +586,7 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
   
   // add matching NSEC3 RR
   if (mode != 3) {
-    if (mode == 0 || mode == 5) {
-      unhashed=target;
-    }
-    else {
-      unhashed=closest;
-    }
+    unhashed=(mode == 0 || mode == 5) ? target : closest;
 
     hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
     // L<<"1 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl;
@@ -602,7 +598,7 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
 
   // add covering NSEC3 RR
   if (mode != 0 && mode != 5) {
-    string next(p->qdomain);
+    string next(target);
     do {
       unhashed=next;
     }
@@ -629,7 +625,7 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
   }
 }
 
-void PacketHandler::addNSEC(DNSPacket *p, DNSPacket *r, const string& target, const string& auth, int mode)
+void PacketHandler::addNSEC(DNSPacket *p, DNSPacket *r, const string& target, const string& wildcard, const string& auth, int mode)
 {
   if(!p->d_dnssecOk)
     return;
@@ -651,15 +647,14 @@ void PacketHandler::addNSEC(DNSPacket *p, DNSPacket *r, const string& target, co
 
   if (mode == 2) {
     // wildcard NO-DATA
-    sd.db->getBeforeAndAfterNames(sd.domain_id, auth, p->qdomain, before, after);
-    emitNSEC(before, after, target, sd, r, mode);
     sd.db->getBeforeAndAfterNames(sd.domain_id, auth, target, before, after);
+    emitNSEC(before, after, target, sd, r, mode);
+    sd.db->getBeforeAndAfterNames(sd.domain_id, auth, wildcard, before, after);
   }
-  else {
+  else
     sd.db->getBeforeAndAfterNames(sd.domain_id, auth, target, before, after);
-  }
   emitNSEC(before, after, target, sd, r, mode);
-  
+
   if (mode == 4) {
       // this one does wildcard denial, if applicable
       sd.db->getBeforeAndAfterNames(sd.domain_id, auth, auth, before, after);
@@ -892,7 +887,7 @@ void PacketHandler::synthesiseRRSIGs(DNSPacket* p, DNSPacket* r)
   }
 }
 
-void PacketHandler::makeNXDomain(DNSPacket* p, DNSPacket* r, const std::string& target, const std::string& nextcloser, SOAData& sd)
+void PacketHandler::makeNXDomain(DNSPacket* p, DNSPacket* r, const std::string& target, const std::string& wildcard, SOAData& sd)
 {
   DNSResourceRecord rr;
   rr.qname=sd.qname;
@@ -907,13 +902,13 @@ void PacketHandler::makeNXDomain(DNSPacket* p, DNSPacket* r, const std::string&
   r->addRecord(rr);
   
   if(p->d_dnssecOk && d_dk.isSecuredZone(sd.qname))
-    addNSECX(p, r, target, nextcloser, sd.qname, 4);
+    addNSECX(p, r, target, wildcard, sd.qname, 4);
   
   r->setRcode(RCode::NXDomain);  
   S.ringAccount("nxdomain-queries",p->qdomain+"/"+p->qtype.getName());
 }
 
-void PacketHandler::makeNOError(DNSPacket* p, DNSPacket* r, const std::string& target, SOAData& sd, int mode)
+void PacketHandler::makeNOError(DNSPacket* p, DNSPacket* r, const std::string& target, const std::string& wildcard, SOAData& sd, int mode)
 {
   DNSResourceRecord rr;
   rr.qname=sd.qname;
@@ -928,7 +923,7 @@ void PacketHandler::makeNOError(DNSPacket* p, DNSPacket* r, const std::string& t
   r->addRecord(rr);
 
   if(p->d_dnssecOk && d_dk.isSecuredZone(sd.qname))
-    addNSECX(p, r, target, target, sd.qname, mode);
+    addNSECX(p, r, target, wildcard, sd.qname, mode);
 
   S.ringAccount("noerror-queries",p->qdomain+"/"+p->qtype.getName());
 }
@@ -964,7 +959,7 @@ bool PacketHandler::tryReferral(DNSPacket *p, DNSPacket*r, SOAData& sd, const st
   r->setA(false);
 
   if(p->d_dnssecOk && d_dk.isSecuredZone(sd.qname) && !addDSforNS(p, r, sd, rrset.begin()->qname))
-    addNSECX(p, r, rrset.begin()->qname, rrset.begin()->qname, sd.qname, 1);
+    addNSECX(p, r, rrset.begin()->qname, "", sd.qname, 1);
   
   return true;
 }
@@ -978,7 +973,7 @@ void PacketHandler::completeANYRecords(DNSPacket *p, DNSPacket*r, SOAData& sd, c
   if(!d_dk.isSecuredZone(sd.qname))
     return;
     
-  addNSECX(p, r, target, target, sd.qname, 5); 
+  addNSECX(p, r, target, "", sd.qname, 5); 
   if(pdns_iequals(sd.qname, p->qdomain)) {
     addDNSKEY(p, r, sd);
     addNSEC3PARAM(p, r, sd);
@@ -988,6 +983,7 @@ void PacketHandler::completeANYRecords(DNSPacket *p, DNSPacket*r, SOAData& sd, c
 bool PacketHandler::tryWildcard(DNSPacket *p, DNSPacket*r, SOAData& sd, string &target, string &wildcard, bool& retargeted, bool& nodata)
 {
   retargeted = nodata = false;
+  string bestmatch;
 
   vector<DNSResourceRecord> rrset;
   if(!getBestWildcard(p, sd, target, wildcard, &rrset))
@@ -1001,7 +997,7 @@ bool PacketHandler::tryWildcard(DNSPacket *p, DNSPacket*r, SOAData& sd, string &
     DLOG(L<<"The best wildcard match: "<<rrset.begin()->qname<<endl);
     BOOST_FOREACH(DNSResourceRecord rr, rrset) {
       rr.wildcardname = rr.qname;
-      rr.qname=target;
+      rr.qname=bestmatch=target;
 
       if(rr.qtype.getCode() == QType::CNAME)  {
         retargeted=true;
@@ -1014,7 +1010,7 @@ bool PacketHandler::tryWildcard(DNSPacket *p, DNSPacket*r, SOAData& sd, string &
     }
   }
   if(p->d_dnssecOk && d_dk.isSecuredZone(sd.qname) && !nodata) {
-    addNSECX(p, r, p->qdomain, wildcard, sd.qname, 3);
+    addNSECX(p, r, bestmatch, wildcard, sd.qname, 3);
   }
   return true;
 }
@@ -1176,7 +1172,7 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
 
     // this TRUMPS a cname!
     if(p->qtype.getCode() == QType::NSEC && p->d_dnssecOk && d_dk.isSecuredZone(sd.qname) && !d_dk.getNSEC3PARAM(sd.qname, 0)) {
-      addNSEC(p, r, target, sd.qname, 5); // only NSEC please
+      addNSEC(p, r, target, "", sd.qname, 5); // only NSEC please
       goto sendit;
     }
 
@@ -1226,7 +1222,7 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
     DLOG(L<<"After first ANY query for '"<<target<<"', id="<<sd.domain_id<<": weDone="<<weDone<<", weHaveUnauth="<<weHaveUnauth<<", weRedirected="<<weRedirected<<endl);
     if(p->qtype.getCode() == QType::DS && weHaveUnauth &&  !weDone && !weRedirected && d_dk.isSecuredZone(sd.qname)) {
       DLOG(L<<"Q for DS of a name for which we do have NS, but for which we don't have on a zone with DNSSEC need to provide an AUTH answer that proves we don't"<<endl);
-      makeNOError(p, r, target, sd, 1);
+      makeNOError(p, r, target, "", sd, 1);
       goto sendit;
     }
 
@@ -1250,15 +1246,15 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
           retargetcount++;
           goto retargeted;
         }
-        if(nodata) {
-          target=wildcard;
-          makeNOError(p, r, target, sd, 2);
-        }
+        if(nodata) 
+          makeNOError(p, r, target, wildcard, sd, 2);
+
         goto sendit;
       }
       else
       {        
-        makeNXDomain(p, r, target, wildcard, sd);
+        if (!(((p->qtype.getCode() == QType::CNAME) || (p->qtype.getCode() == QType::ANY)) && retargetcount > 0))
+          makeNXDomain(p, r, target, wildcard, sd);
       }
       
       goto sendit;
@@ -1288,7 +1284,7 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
           completeANYRecords(p, r, sd, target);
       }
       else
-        makeNOError(p, r, rr.qname, sd, 0);
+        makeNOError(p, r, rr.qname, "", sd, 0);
 
       goto sendit;
     }
@@ -1300,7 +1296,7 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
     }
     else {
       DLOG(L<<"Have some data, but not the right data"<<endl);
-      makeNOError(p, r, target, sd, 0);
+      makeNOError(p, r, target, "", sd, 0);
     }
     
   sendit:;
diff --git a/pdns/packethandler.hh b/pdns/packethandler.hh
index 51b2c0966e..cb5be884c6 100644
--- a/pdns/packethandler.hh
+++ b/pdns/packethandler.hh
@@ -98,16 +98,16 @@ private:
   bool getTLDAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId);
   int doAdditionalProcessingAndDropAA(DNSPacket *p, DNSPacket *r, const SOAData& sd);
   bool doDNSSECProcessing(DNSPacket* p, DNSPacket *r);
-  void addNSECX(DNSPacket *p, DNSPacket* r, const string &target, const string& target3, const std::string& auth, int mode);
-  void addNSEC(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, int mode);
-  void addNSEC3(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, const NSEC3PARAMRecordContent& nsec3param, bool narrow, int mode);
+  void addNSECX(DNSPacket *p, DNSPacket* r, const string &target, const string &wildcard, const std::string &auth, int mode);
+  void addNSEC(DNSPacket *p, DNSPacket* r, const string &target, const string &wildcard, const std::string& auth, int mode);
+  void addNSEC3(DNSPacket *p, DNSPacket* r, const string &target, const string &wildcard, const std::string& auth, const NSEC3PARAMRecordContent& nsec3param, bool narrow, int mode);
   void emitNSEC(const std::string& before, const std::string& after, const std::string& toNSEC, const SOAData& sd, DNSPacket *r, int mode);
   void emitNSEC3(const NSEC3PARAMRecordContent &ns3rc, const SOAData& sd, const std::string& unhashed, const std::string& begin, const std::string& end, const std::string& toNSEC3, DNSPacket *r, int mode);
   
 
   void synthesiseRRSIGs(DNSPacket* p, DNSPacket* r);
-  void makeNXDomain(DNSPacket* p, DNSPacket* r, const std::string& target, const std::string& nextcloser, SOAData& sd);
-  void makeNOError(DNSPacket* p, DNSPacket* r, const std::string& target, SOAData& sd, int mode);
+  void makeNXDomain(DNSPacket* p, DNSPacket* r, const std::string& target, const std::string& wildcard, SOAData& sd);
+  void makeNOError(DNSPacket* p, DNSPacket* r, const std::string& target, const std::string& wildcard, SOAData& sd, int mode);
   vector<DNSResourceRecord> getBestReferralNS(DNSPacket *p, SOAData& sd, const string &target);
   bool tryReferral(DNSPacket *p, DNSPacket*r, SOAData& sd, const string &target);
 
diff --git a/pdns/sdig.cc b/pdns/sdig.cc
index 9878f47dcd..7462adf73a 100644
--- a/pdns/sdig.cc
+++ b/pdns/sdig.cc
@@ -4,6 +4,7 @@
 #include "dnswriter.hh"
 #include "dnsrecords.hh"
 #include "statbag.hh"
+#include <boost/array.hpp>
 StatBag S;
 
 int main(int argc, char** argv)
@@ -11,6 +12,7 @@ try
 {
   bool dnssec=false;
   bool recurse=false;
+  bool tcp=false;
 
   reportAllTypes();
 
@@ -24,6 +26,12 @@ try
   {
     dnssec=true;
   }
+  
+  if(argc > 5 && strcmp(argv[5], "dnssec-tcp")==0)
+  {
+    dnssec=true;
+    tcp=true;
+  }
 
   if(argc > 5 && strcmp(argv[5], "recurse")==0)
   {
@@ -72,13 +80,44 @@ try
   // pw.addOpt(5200, 0, 0);
   // pw.commit();
   
-  Socket sock(InterNetwork, Datagram);
-  ComboAddress dest(argv[1] + (*argv[1]=='@'), atoi(argv[2]));
-  sock.sendTo(string((char*)&*packet.begin(), (char*)&*packet.end()), dest);
-  
   string reply;
-  sock.recvFrom(reply, dest);
 
+  if(tcp) {
+    Socket sock(InterNetwork, Stream);
+    ComboAddress dest(argv[1] + (*argv[1]=='@'), atoi(argv[2]));
+    sock.connect(dest);
+    uint16_t len;
+    len = htons(packet.size());
+    if(sock.write((char *) &len, 2) != 2)
+      throw AhuException("tcp write failed");
+
+    sock.writen(string((char*)&*packet.begin(), (char*)&*packet.end()));
+    
+    if(sock.read((char *) &len, 2) != 2)
+      throw AhuException("tcp read failed");
+
+    len=ntohs(len);
+    char *creply = new char[len];
+    int n=0;
+    int numread;
+    while(n<len) {
+      numread=sock.read(creply+n, len-n);
+      if(numread<0)
+        throw AhuException("tcp read failed");
+      n+=numread;
+    }
+
+    reply=string(creply, len);
+    delete[] creply;
+  }
+  else //udp
+  {
+    Socket sock(InterNetwork, Datagram);
+    ComboAddress dest(argv[1] + (*argv[1]=='@'), atoi(argv[2]));
+    sock.sendTo(string((char*)&*packet.begin(), (char*)&*packet.end()), dest);
+    
+    sock.recvFrom(reply, dest);
+  }
   MOADNSParser mdp(reply);
   cout<<"Reply to question for qname='"<<mdp.d_qname<<"', qtype="<<DNSRecordContent::NumberToType(mdp.d_qtype)<<endl;
   cout<<"Rcode: "<<mdp.d_header.rcode<<", RD: "<<mdp.d_header.rd<<", QR: "<<mdp.d_header.qr;
diff --git a/regression-tests.nobackend/tinydns-data-check/expected_result b/regression-tests.nobackend/tinydns-data-check/expected_result
index a7e62f4f3d..9987390416 100644
--- a/regression-tests.nobackend/tinydns-data-check/expected_result
+++ b/regression-tests.nobackend/tinydns-data-check/expected_result
@@ -1,7 +1,7 @@
-b6d1c64a890e3f3ce40970724a12eb0b  ../regression-tests/example.com
+237fd1b570f3a2361ded22427754e57e  ../regression-tests/example.com
 66e79fb95029616572d1a100489d6b92  ../regression-tests/test.com
 7d726bc367bf5e6ee5f1689994c6b6d4  ../regression-tests/wtest.com
 a0670eef8fba3e16908057af8de2c2f2  ../regression-tests/dnssec-parent.com
 42dd3a56c7d268e75836371878819ec4  ../regression-tests/delegated.dnssec-parent.com
 24514dc104b22206daeb973ff9303545  ../regression-tests/minimal.com
-8c74a6295048b826a3cfcb15d0c72644  ../modules/tinydnsbackend/data.cdb
+77e4eaed54f3fee0fa8006c7a190750d  ../modules/tinydnsbackend/data.cdb
diff --git a/regression-tests/any-nxdomain/command b/regression-tests/any-nxdomain/command
new file mode 100755
index 0000000000..e24ef3ac13
--- /dev/null
+++ b/regression-tests/any-nxdomain/command
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+cleandig nxdomain.example.com ANY dnssec
+
diff --git a/regression-tests/any-nxdomain/description b/regression-tests/any-nxdomain/description
new file mode 100644
index 0000000000..43ebe3f12a
--- /dev/null
+++ b/regression-tests/any-nxdomain/description
@@ -0,0 +1 @@
+Make sure a ANY query generates the correct statuscode and NSEC(3) denial.
diff --git a/regression-tests/any-nxdomain/expected_result b/regression-tests/any-nxdomain/expected_result
new file mode 100644
index 0000000000..a89d2a09df
--- /dev/null
+++ b/regression-tests/any-nxdomain/expected_result
@@ -0,0 +1,4 @@
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+2	.	IN	OPT	32768	
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nxdomain.example.com.', qtype=ANY
diff --git a/regression-tests/any-nxdomain/expected_result.dnssec b/regression-tests/any-nxdomain/expected_result.dnssec
new file mode 100644
index 0000000000..dba5a1d0c3
--- /dev/null
+++ b/regression-tests/any-nxdomain/expected_result.dnssec
@@ -0,0 +1,9 @@
+1	example.com.	IN	NSEC	86400	escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1	example.com.	IN	RRSIG	86400	NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	nxd.example.com.	IN	NSEC	86400	outpost.example.com. CNAME RRSIG NSEC
+1	nxd.example.com.	IN	RRSIG	86400	NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nxdomain.example.com.', qtype=ANY
diff --git a/regression-tests/any-nxdomain/expected_result.narrow b/regression-tests/any-nxdomain/expected_result.narrow
new file mode 100644
index 0000000000..b491f36ff5
--- /dev/null
+++ b/regression-tests/any-nxdomain/expected_result.narrow
@@ -0,0 +1,11 @@
+1	9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.	IN	NSEC3	86400	1 1 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2
+1	9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	onnhv82alu3om3l4fkfes49n0j2c71ba.example.com.	IN	NSEC3	86400	1 1 1 abcd ONNHV82ALU3OM3L4FKFES49N0J2C71BC
+1	onnhv82alu3om3l4fkfes49n0j2c71ba.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	86400	1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nxdomain.example.com.', qtype=ANY
diff --git a/regression-tests/any-nxdomain/expected_result.nsec3 b/regression-tests/any-nxdomain/expected_result.nsec3
new file mode 100644
index 0000000000..f14bfaef14
--- /dev/null
+++ b/regression-tests/any-nxdomain/expected_result.nsec3
@@ -0,0 +1,11 @@
+1	9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.	IN	NSEC3	86400	1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
+1	9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	onn5kjcskcfqisao7tmqpjkp5kkh111o.example.com.	IN	NSEC3	86400	1 1 1 abcd ONNU1VP51T2LDROTDVQ10HVLRQQV2UAA A RRSIG
+1	onn5kjcskcfqisao7tmqpjkp5kkh111o.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	86400	1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nxdomain.example.com.', qtype=ANY
diff --git a/regression-tests/cname-to-nxdomain-any/command b/regression-tests/cname-to-nxdomain-any/command
new file mode 100755
index 0000000000..fa100ad4dc
--- /dev/null
+++ b/regression-tests/cname-to-nxdomain-any/command
@@ -0,0 +1,3 @@
+#!/bin/sh
+cleandig nxd.example.com ANY dnssec
+
diff --git a/regression-tests/cname-to-nxdomain-any/description b/regression-tests/cname-to-nxdomain-any/description
new file mode 100644
index 0000000000..7fb8dba090
--- /dev/null
+++ b/regression-tests/cname-to-nxdomain-any/description
@@ -0,0 +1 @@
+ANY query for a CNAME to a local NXDOMAIN.
diff --git a/regression-tests/cname-to-nxdomain-any/expected_result b/regression-tests/cname-to-nxdomain-any/expected_result
new file mode 100644
index 0000000000..8ee9d4db01
--- /dev/null
+++ b/regression-tests/cname-to-nxdomain-any/expected_result
@@ -0,0 +1,4 @@
+0	nxd.example.com.	IN	CNAME	120	nxdomain.example.com.
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nxd.example.com.', qtype=ANY
diff --git a/regression-tests/cname-to-nxdomain-any/expected_result.dnssec b/regression-tests/cname-to-nxdomain-any/expected_result.dnssec
new file mode 100644
index 0000000000..3fc66445c7
--- /dev/null
+++ b/regression-tests/cname-to-nxdomain-any/expected_result.dnssec
@@ -0,0 +1,5 @@
+0	nxd.example.com.	IN	CNAME	120	nxdomain.example.com.
+0	nxd.example.com.	IN	RRSIG	120	CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nxd.example.com.', qtype=ANY
diff --git a/regression-tests/cname-to-nxdomain-any/expected_result.narrow b/regression-tests/cname-to-nxdomain-any/expected_result.narrow
new file mode 100644
index 0000000000..3fc66445c7
--- /dev/null
+++ b/regression-tests/cname-to-nxdomain-any/expected_result.narrow
@@ -0,0 +1,5 @@
+0	nxd.example.com.	IN	CNAME	120	nxdomain.example.com.
+0	nxd.example.com.	IN	RRSIG	120	CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nxd.example.com.', qtype=ANY
diff --git a/regression-tests/cname-to-nxdomain-any/expected_result.nsec3 b/regression-tests/cname-to-nxdomain-any/expected_result.nsec3
new file mode 100644
index 0000000000..3fc66445c7
--- /dev/null
+++ b/regression-tests/cname-to-nxdomain-any/expected_result.nsec3
@@ -0,0 +1,5 @@
+0	nxd.example.com.	IN	CNAME	120	nxdomain.example.com.
+0	nxd.example.com.	IN	RRSIG	120	CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nxd.example.com.', qtype=ANY
diff --git a/regression-tests/cname-to-nxdomain/command b/regression-tests/cname-to-nxdomain/command
new file mode 100755
index 0000000000..bd104d557a
--- /dev/null
+++ b/regression-tests/cname-to-nxdomain/command
@@ -0,0 +1,3 @@
+#!/bin/sh
+cleandig nxd.example.com A dnssec
+
diff --git a/regression-tests/cname-to-nxdomain/description b/regression-tests/cname-to-nxdomain/description
new file mode 100644
index 0000000000..b54c81d9fa
--- /dev/null
+++ b/regression-tests/cname-to-nxdomain/description
@@ -0,0 +1 @@
+CNAME to a local NXDOMAIN.
diff --git a/regression-tests/cname-to-nxdomain/expected_result b/regression-tests/cname-to-nxdomain/expected_result
new file mode 100644
index 0000000000..09bcc2f252
--- /dev/null
+++ b/regression-tests/cname-to-nxdomain/expected_result
@@ -0,0 +1,5 @@
+0	nxd.example.com.	IN	CNAME	120	nxdomain.example.com.
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+2	.	IN	OPT	32768	
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nxd.example.com.', qtype=A
diff --git a/regression-tests/cname-to-nxdomain/expected_result.dnssec b/regression-tests/cname-to-nxdomain/expected_result.dnssec
new file mode 100644
index 0000000000..257438e215
--- /dev/null
+++ b/regression-tests/cname-to-nxdomain/expected_result.dnssec
@@ -0,0 +1,11 @@
+0	nxd.example.com.	IN	CNAME	120	nxdomain.example.com.
+0	nxd.example.com.	IN	RRSIG	120	CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	NSEC	86400	escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1	example.com.	IN	RRSIG	86400	NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	nxd.example.com.	IN	NSEC	86400	outpost.example.com. CNAME RRSIG NSEC
+1	nxd.example.com.	IN	RRSIG	86400	NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nxd.example.com.', qtype=A
diff --git a/regression-tests/cname-to-nxdomain/expected_result.narrow b/regression-tests/cname-to-nxdomain/expected_result.narrow
new file mode 100644
index 0000000000..f94d05dc93
--- /dev/null
+++ b/regression-tests/cname-to-nxdomain/expected_result.narrow
@@ -0,0 +1,13 @@
+0	nxd.example.com.	IN	CNAME	120	nxdomain.example.com.
+0	nxd.example.com.	IN	RRSIG	120	CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+1	9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.	IN	NSEC3	86400	1 1 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2
+1	9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	onnhv82alu3om3l4fkfes49n0j2c71ba.example.com.	IN	NSEC3	86400	1 1 1 abcd ONNHV82ALU3OM3L4FKFES49N0J2C71BC
+1	onnhv82alu3om3l4fkfes49n0j2c71ba.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	86400	1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nxd.example.com.', qtype=A
diff --git a/regression-tests/cname-to-nxdomain/expected_result.nsec3 b/regression-tests/cname-to-nxdomain/expected_result.nsec3
new file mode 100644
index 0000000000..cb50420a35
--- /dev/null
+++ b/regression-tests/cname-to-nxdomain/expected_result.nsec3
@@ -0,0 +1,13 @@
+0	nxd.example.com.	IN	CNAME	120	nxdomain.example.com.
+0	nxd.example.com.	IN	RRSIG	120	CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+1	9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.	IN	NSEC3	86400	1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
+1	9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	onn5kjcskcfqisao7tmqpjkp5kkh111o.example.com.	IN	NSEC3	86400	1 1 1 abcd ONNU1VP51T2LDROTDVQ10HVLRQQV2UAA A RRSIG
+1	onn5kjcskcfqisao7tmqpjkp5kkh111o.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	86400	1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nxd.example.com.', qtype=A
diff --git a/regression-tests/cname-to-unauth-any/command b/regression-tests/cname-to-unauth-any/command
new file mode 100755
index 0000000000..9800f3b4db
--- /dev/null
+++ b/regression-tests/cname-to-unauth-any/command
@@ -0,0 +1,3 @@
+#!/bin/sh
+cleandig unauth.example.com ANY dnssec
+
diff --git a/regression-tests/cname-to-unauth-any/description b/regression-tests/cname-to-unauth-any/description
new file mode 100644
index 0000000000..9908ec5b0f
--- /dev/null
+++ b/regression-tests/cname-to-unauth-any/description
@@ -0,0 +1 @@
+CNAME to a name we are not authoritative for. (ANY query)
diff --git a/regression-tests/cname-to-unauth-any/expected_result b/regression-tests/cname-to-unauth-any/expected_result
new file mode 100644
index 0000000000..3cc5567376
--- /dev/null
+++ b/regression-tests/cname-to-unauth-any/expected_result
@@ -0,0 +1,30 @@
+0	unauth.example.com.	IN	CNAME	120	no-idea.example.org.
+1	.	IN	NS	518400	a.root-servers.net.
+1	.	IN	NS	518400	b.root-servers.net.
+1	.	IN	NS	518400	c.root-servers.net.
+1	.	IN	NS	518400	d.root-servers.net.
+1	.	IN	NS	518400	e.root-servers.net.
+1	.	IN	NS	518400	f.root-servers.net.
+1	.	IN	NS	518400	g.root-servers.net.
+1	.	IN	NS	518400	h.root-servers.net.
+1	.	IN	NS	518400	i.root-servers.net.
+1	.	IN	NS	518400	j.root-servers.net.
+1	.	IN	NS	518400	k.root-servers.net.
+1	.	IN	NS	518400	l.root-servers.net.
+1	.	IN	NS	518400	m.root-servers.net.
+2	.	IN	OPT	32768	
+2	a.root-servers.net.	IN	A	3600000	198.41.0.4
+2	b.root-servers.net.	IN	A	3600000	192.228.79.201
+2	c.root-servers.net.	IN	A	3600000	192.33.4.12
+2	d.root-servers.net.	IN	A	3600000	128.8.10.90
+2	e.root-servers.net.	IN	A	3600000	192.203.230.10
+2	f.root-servers.net.	IN	A	3600000	192.5.5.241
+2	g.root-servers.net.	IN	A	3600000	192.112.36.4
+2	h.root-servers.net.	IN	A	3600000	128.63.2.53
+2	i.root-servers.net.	IN	A	3600000	192.36.148.17
+2	j.root-servers.net.	IN	A	3600000	192.58.128.30
+2	k.root-servers.net.	IN	A	3600000	193.0.14.129
+2	l.root-servers.net.	IN	A	3600000	198.32.64.12
+2	m.root-servers.net.	IN	A	3600000	202.12.27.33
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='unauth.example.com.', qtype=ANY
diff --git a/regression-tests/cname-to-unauth-any/expected_result.dnssec b/regression-tests/cname-to-unauth-any/expected_result.dnssec
new file mode 100644
index 0000000000..8d7cfbc43e
--- /dev/null
+++ b/regression-tests/cname-to-unauth-any/expected_result.dnssec
@@ -0,0 +1,31 @@
+0	unauth.example.com.	IN	CNAME	120	no-idea.example.org.
+0	unauth.example.com.	IN	RRSIG	120	CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+1	.	IN	NS	518400	a.root-servers.net.
+1	.	IN	NS	518400	b.root-servers.net.
+1	.	IN	NS	518400	c.root-servers.net.
+1	.	IN	NS	518400	d.root-servers.net.
+1	.	IN	NS	518400	e.root-servers.net.
+1	.	IN	NS	518400	f.root-servers.net.
+1	.	IN	NS	518400	g.root-servers.net.
+1	.	IN	NS	518400	h.root-servers.net.
+1	.	IN	NS	518400	i.root-servers.net.
+1	.	IN	NS	518400	j.root-servers.net.
+1	.	IN	NS	518400	k.root-servers.net.
+1	.	IN	NS	518400	l.root-servers.net.
+1	.	IN	NS	518400	m.root-servers.net.
+2	.	IN	OPT	32768	
+2	a.root-servers.net.	IN	A	3600000	198.41.0.4
+2	b.root-servers.net.	IN	A	3600000	192.228.79.201
+2	c.root-servers.net.	IN	A	3600000	192.33.4.12
+2	d.root-servers.net.	IN	A	3600000	128.8.10.90
+2	e.root-servers.net.	IN	A	3600000	192.203.230.10
+2	f.root-servers.net.	IN	A	3600000	192.5.5.241
+2	g.root-servers.net.	IN	A	3600000	192.112.36.4
+2	h.root-servers.net.	IN	A	3600000	128.63.2.53
+2	i.root-servers.net.	IN	A	3600000	192.36.148.17
+2	j.root-servers.net.	IN	A	3600000	192.58.128.30
+2	k.root-servers.net.	IN	A	3600000	193.0.14.129
+2	l.root-servers.net.	IN	A	3600000	198.32.64.12
+2	m.root-servers.net.	IN	A	3600000	202.12.27.33
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='unauth.example.com.', qtype=ANY
diff --git a/regression-tests/cname-to-unauth/command b/regression-tests/cname-to-unauth/command
new file mode 100755
index 0000000000..5439da7e3f
--- /dev/null
+++ b/regression-tests/cname-to-unauth/command
@@ -0,0 +1,3 @@
+#!/bin/sh
+cleandig unauth.example.com A dnssec
+
diff --git a/regression-tests/cname-to-unauth/description b/regression-tests/cname-to-unauth/description
new file mode 100644
index 0000000000..42fd2b7684
--- /dev/null
+++ b/regression-tests/cname-to-unauth/description
@@ -0,0 +1 @@
+CNAME to a name we are not authoritative for.
diff --git a/regression-tests/cname-to-unauth/expected_result b/regression-tests/cname-to-unauth/expected_result
new file mode 100644
index 0000000000..f6c2fb8047
--- /dev/null
+++ b/regression-tests/cname-to-unauth/expected_result
@@ -0,0 +1,30 @@
+0	unauth.example.com.	IN	CNAME	120	no-idea.example.org.
+1	.	IN	NS	518400	a.root-servers.net.
+1	.	IN	NS	518400	b.root-servers.net.
+1	.	IN	NS	518400	c.root-servers.net.
+1	.	IN	NS	518400	d.root-servers.net.
+1	.	IN	NS	518400	e.root-servers.net.
+1	.	IN	NS	518400	f.root-servers.net.
+1	.	IN	NS	518400	g.root-servers.net.
+1	.	IN	NS	518400	h.root-servers.net.
+1	.	IN	NS	518400	i.root-servers.net.
+1	.	IN	NS	518400	j.root-servers.net.
+1	.	IN	NS	518400	k.root-servers.net.
+1	.	IN	NS	518400	l.root-servers.net.
+1	.	IN	NS	518400	m.root-servers.net.
+2	.	IN	OPT	32768	
+2	a.root-servers.net.	IN	A	3600000	198.41.0.4
+2	b.root-servers.net.	IN	A	3600000	192.228.79.201
+2	c.root-servers.net.	IN	A	3600000	192.33.4.12
+2	d.root-servers.net.	IN	A	3600000	128.8.10.90
+2	e.root-servers.net.	IN	A	3600000	192.203.230.10
+2	f.root-servers.net.	IN	A	3600000	192.5.5.241
+2	g.root-servers.net.	IN	A	3600000	192.112.36.4
+2	h.root-servers.net.	IN	A	3600000	128.63.2.53
+2	i.root-servers.net.	IN	A	3600000	192.36.148.17
+2	j.root-servers.net.	IN	A	3600000	192.58.128.30
+2	k.root-servers.net.	IN	A	3600000	193.0.14.129
+2	l.root-servers.net.	IN	A	3600000	198.32.64.12
+2	m.root-servers.net.	IN	A	3600000	202.12.27.33
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='unauth.example.com.', qtype=A
diff --git a/regression-tests/cname-to-unauth/expected_result.dnssec b/regression-tests/cname-to-unauth/expected_result.dnssec
new file mode 100644
index 0000000000..c68e58ae70
--- /dev/null
+++ b/regression-tests/cname-to-unauth/expected_result.dnssec
@@ -0,0 +1,31 @@
+0	unauth.example.com.	IN	CNAME	120	no-idea.example.org.
+0	unauth.example.com.	IN	RRSIG	120	CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+1	.	IN	NS	518400	a.root-servers.net.
+1	.	IN	NS	518400	b.root-servers.net.
+1	.	IN	NS	518400	c.root-servers.net.
+1	.	IN	NS	518400	d.root-servers.net.
+1	.	IN	NS	518400	e.root-servers.net.
+1	.	IN	NS	518400	f.root-servers.net.
+1	.	IN	NS	518400	g.root-servers.net.
+1	.	IN	NS	518400	h.root-servers.net.
+1	.	IN	NS	518400	i.root-servers.net.
+1	.	IN	NS	518400	j.root-servers.net.
+1	.	IN	NS	518400	k.root-servers.net.
+1	.	IN	NS	518400	l.root-servers.net.
+1	.	IN	NS	518400	m.root-servers.net.
+2	.	IN	OPT	32768	
+2	a.root-servers.net.	IN	A	3600000	198.41.0.4
+2	b.root-servers.net.	IN	A	3600000	192.228.79.201
+2	c.root-servers.net.	IN	A	3600000	192.33.4.12
+2	d.root-servers.net.	IN	A	3600000	128.8.10.90
+2	e.root-servers.net.	IN	A	3600000	192.203.230.10
+2	f.root-servers.net.	IN	A	3600000	192.5.5.241
+2	g.root-servers.net.	IN	A	3600000	192.112.36.4
+2	h.root-servers.net.	IN	A	3600000	128.63.2.53
+2	i.root-servers.net.	IN	A	3600000	192.36.148.17
+2	j.root-servers.net.	IN	A	3600000	192.58.128.30
+2	k.root-servers.net.	IN	A	3600000	193.0.14.129
+2	l.root-servers.net.	IN	A	3600000	198.32.64.12
+2	m.root-servers.net.	IN	A	3600000	202.12.27.33
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='unauth.example.com.', qtype=A
diff --git a/regression-tests/cname-wildcard-chain/command b/regression-tests/cname-wildcard-chain/command
new file mode 100755
index 0000000000..f48f0a46da
--- /dev/null
+++ b/regression-tests/cname-wildcard-chain/command
@@ -0,0 +1,3 @@
+#!/bin/sh
+cleandig start.example.com A dnssec-tcp
+
diff --git a/regression-tests/cname-wildcard-chain/description b/regression-tests/cname-wildcard-chain/description
new file mode 100644
index 0000000000..e100c59e6d
--- /dev/null
+++ b/regression-tests/cname-wildcard-chain/description
@@ -0,0 +1 @@
+A five-long CNAME chain involving wildcards at every step
diff --git a/regression-tests/cname-wildcard-chain/expected_result b/regression-tests/cname-wildcard-chain/expected_result
new file mode 100644
index 0000000000..23325a12a2
--- /dev/null
+++ b/regression-tests/cname-wildcard-chain/expected_result
@@ -0,0 +1,9 @@
+0	start.example.com.	IN	CNAME	120	x.y.z.w1.example.com.
+0	x.y.z.w1.example.com.	IN	CNAME	120	x.y.z.w2.example.com.
+0	x.y.z.w2.example.com.	IN	CNAME	120	x.y.z.w3.example.com.
+0	x.y.z.w3.example.com.	IN	CNAME	120	x.y.z.w4.example.com.
+0	x.y.z.w4.example.com.	IN	CNAME	120	x.y.z.w5.example.com.
+0	x.y.z.w5.example.com.	IN	A	120	1.2.3.5
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='start.example.com.', qtype=A
diff --git a/regression-tests/cname-wildcard-chain/expected_result.dnssec b/regression-tests/cname-wildcard-chain/expected_result.dnssec
new file mode 100644
index 0000000000..499cb90d32
--- /dev/null
+++ b/regression-tests/cname-wildcard-chain/expected_result.dnssec
@@ -0,0 +1,25 @@
+0	start.example.com.	IN	CNAME	120	x.y.z.w1.example.com.
+0	start.example.com.	IN	RRSIG	120	CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0	x.y.z.w1.example.com.	IN	CNAME	120	x.y.z.w2.example.com.
+0	x.y.z.w1.example.com.	IN	RRSIG	120	CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0	x.y.z.w2.example.com.	IN	CNAME	120	x.y.z.w3.example.com.
+0	x.y.z.w2.example.com.	IN	RRSIG	120	CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0	x.y.z.w3.example.com.	IN	CNAME	120	x.y.z.w4.example.com.
+0	x.y.z.w3.example.com.	IN	RRSIG	120	CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0	x.y.z.w4.example.com.	IN	CNAME	120	x.y.z.w5.example.com.
+0	x.y.z.w4.example.com.	IN	RRSIG	120	CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0	x.y.z.w5.example.com.	IN	A	120	1.2.3.5
+0	x.y.z.w5.example.com.	IN	RRSIG	120	A 8 3 120 [expiry] [inception] [keytag] example.com. ...
+1	*.w1.example.com.	IN	NSEC	86400	*.w2.example.com. CNAME RRSIG NSEC
+1	*.w1.example.com.	IN	RRSIG	86400	NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	*.w2.example.com.	IN	NSEC	86400	*.w3.example.com. CNAME RRSIG NSEC
+1	*.w2.example.com.	IN	RRSIG	86400	NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	*.w3.example.com.	IN	NSEC	86400	*.w4.example.com. CNAME RRSIG NSEC
+1	*.w3.example.com.	IN	RRSIG	86400	NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	*.w4.example.com.	IN	NSEC	86400	*.w5.example.com. CNAME RRSIG NSEC
+1	*.w4.example.com.	IN	RRSIG	86400	NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	*.w5.example.com.	IN	NSEC	86400	www.example.com. A RRSIG NSEC
+1	*.w5.example.com.	IN	RRSIG	86400	NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='start.example.com.', qtype=A
diff --git a/regression-tests/cname-wildcard-chain/expected_result.narrow b/regression-tests/cname-wildcard-chain/expected_result.narrow
new file mode 100644
index 0000000000..0d97f8585d
--- /dev/null
+++ b/regression-tests/cname-wildcard-chain/expected_result.narrow
@@ -0,0 +1,25 @@
+0	start.example.com.	IN	CNAME	120	x.y.z.w1.example.com.
+0	start.example.com.	IN	RRSIG	120	CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0	x.y.z.w1.example.com.	IN	CNAME	120	x.y.z.w2.example.com.
+0	x.y.z.w1.example.com.	IN	RRSIG	120	CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0	x.y.z.w2.example.com.	IN	CNAME	120	x.y.z.w3.example.com.
+0	x.y.z.w2.example.com.	IN	RRSIG	120	CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0	x.y.z.w3.example.com.	IN	CNAME	120	x.y.z.w4.example.com.
+0	x.y.z.w3.example.com.	IN	RRSIG	120	CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0	x.y.z.w4.example.com.	IN	CNAME	120	x.y.z.w5.example.com.
+0	x.y.z.w4.example.com.	IN	RRSIG	120	CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0	x.y.z.w5.example.com.	IN	A	120	1.2.3.5
+0	x.y.z.w5.example.com.	IN	RRSIG	120	A 8 3 120 [expiry] [inception] [keytag] example.com. ...
+1	6jmrie0v0hnp2flflt36lur7c08n9h45.example.com.	IN	NSEC3	86400	1 1 1 abcd 6JMRIE0V0HNP2FLFLT36LUR7C08N9H47
+1	6jmrie0v0hnp2flflt36lur7c08n9h45.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	atcf56s7ucntm82nht67p3g2nqteplou.example.com.	IN	NSEC3	86400	1 1 1 abcd ATCF56S7UCNTM82NHT67P3G2NQTEPLP0
+1	atcf56s7ucntm82nht67p3g2nqteplou.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	b6drqdikagd74fa5eme4sdiek1s06343.example.com.	IN	NSEC3	86400	1 1 1 abcd B6DRQDIKAGD74FA5EME4SDIEK1S06345
+1	b6drqdikagd74fa5eme4sdiek1s06343.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	lr0g3vnj9r0nvtlsjnf8eqa68sqj06qg.example.com.	IN	NSEC3	86400	1 1 1 abcd LR0G3VNJ9R0NVTLSJNF8EQA68SQJ06QI
+1	lr0g3vnj9r0nvtlsjnf8eqa68sqj06qg.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	vsfa79vv78gd61567bkcai646ta0p276.example.com.	IN	NSEC3	86400	1 1 1 abcd VSFA79VV78GD61567BKCAI646TA0P278
+1	vsfa79vv78gd61567bkcai646ta0p276.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='start.example.com.', qtype=A
diff --git a/regression-tests/cname-wildcard-chain/expected_result.nsec3 b/regression-tests/cname-wildcard-chain/expected_result.nsec3
new file mode 100644
index 0000000000..ebe96a8f45
--- /dev/null
+++ b/regression-tests/cname-wildcard-chain/expected_result.nsec3
@@ -0,0 +1,25 @@
+0	start.example.com.	IN	CNAME	120	x.y.z.w1.example.com.
+0	start.example.com.	IN	RRSIG	120	CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0	x.y.z.w1.example.com.	IN	CNAME	120	x.y.z.w2.example.com.
+0	x.y.z.w1.example.com.	IN	RRSIG	120	CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0	x.y.z.w2.example.com.	IN	CNAME	120	x.y.z.w3.example.com.
+0	x.y.z.w2.example.com.	IN	RRSIG	120	CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0	x.y.z.w3.example.com.	IN	CNAME	120	x.y.z.w4.example.com.
+0	x.y.z.w3.example.com.	IN	RRSIG	120	CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0	x.y.z.w4.example.com.	IN	CNAME	120	x.y.z.w5.example.com.
+0	x.y.z.w4.example.com.	IN	RRSIG	120	CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0	x.y.z.w5.example.com.	IN	A	120	1.2.3.5
+0	x.y.z.w5.example.com.	IN	RRSIG	120	A 8 3 120 [expiry] [inception] [keytag] example.com. ...
+1	6jljjg5vg8ab1latv5khfq52jjpdlp9t.example.com.	IN	NSEC3	86400	1 1 1 abcd 6JNMPRJN08RFG8QRUMBN91V2UURTV527 A RRSIG
+1	6jljjg5vg8ab1latv5khfq52jjpdlp9t.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	atbcoh7l1gr1cbifhkt3ikmv2o60g8sc.example.com.	IN	NSEC3	86400	1 1 1 abcd ATEJUO2QMEO1FORSEB6KH9B0DMVFRK08 A RRSIG
+1	atbcoh7l1gr1cbifhkt3ikmv2o60g8sc.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	b6cdleeregn514pnp2jgmtd67ig3q4qs.example.com.	IN	NSEC3	86400	1 1 1 abcd B6J68ESSIMG1HC5MGJ3B3OQUKL9PKEQB A RRSIG
+1	b6cdleeregn514pnp2jgmtd67ig3q4qs.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	lqu3s8oae1ipc1iobnslma8igo1335a4.example.com.	IN	NSEC3	86400	1 1 1 abcd LR1LEP75CII4P0CLER3MLLQBO1TGKHDO A RRSIG
+1	lqu3s8oae1ipc1iobnslma8igo1335a4.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	vscvfu442fdlbq07jpd7bdocd3ig7fo8.example.com.	IN	NSEC3	86400	1 1 1 abcd VSGNH606MUV7BFQFN3TRH1D5FKP1IPIV A RRSIG
+1	vscvfu442fdlbq07jpd7bdocd3ig7fo8.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='start.example.com.', qtype=A
diff --git a/regression-tests/ds-at-unsecure-delegation/expected_result b/regression-tests/ds-at-unsecure-delegation/expected_result
index 13ff285d63..5ae00f1825 100644
--- a/regression-tests/ds-at-unsecure-delegation/expected_result
+++ b/regression-tests/ds-at-unsecure-delegation/expected_result
@@ -1,6 +1,6 @@
 1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1	usa.example.com.	IN	NSEC	86400	www.example.com. NS RRSIG NSEC
+1	usa.example.com.	IN	NSEC	86400	*.w1.example.com. NS RRSIG NSEC
 1	usa.example.com.	IN	RRSIG	86400	NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2	.	IN	OPT	32768	
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
diff --git a/regression-tests/ds-inside-delegation/expected_result.dnssec b/regression-tests/ds-inside-delegation/expected_result.dnssec
index 5e39b33a1e..8214b9ef74 100644
--- a/regression-tests/ds-inside-delegation/expected_result.dnssec
+++ b/regression-tests/ds-inside-delegation/expected_result.dnssec
@@ -1,6 +1,6 @@
 1	usa.example.com.	IN	NS	120	usa-ns1.usa.example.com.
 1	usa.example.com.	IN	NS	120	usa-ns2.usa.example.com.
-1	usa.example.com.	IN	NSEC	86400	www.example.com. NS RRSIG NSEC
+1	usa.example.com.	IN	NSEC	86400	*.w1.example.com. NS RRSIG NSEC
 2	.	IN	OPT	32768	
 2	usa-ns1.usa.example.com.	IN	A	120	192.168.4.1
 2	usa-ns2.usa.example.com.	IN	A	120	192.168.4.2
diff --git a/regression-tests/example.com b/regression-tests/example.com
index cb0ea7e530..3a216b2598 100644
--- a/regression-tests/example.com
+++ b/regression-tests/example.com
@@ -28,6 +28,10 @@ location		IN	LOC	51 56 0.123 N 5 54 0.000 E 4.00m 1.00m 10000.00m 10.00m
 			IN	LOC	51 56 2.789 N 5 54 0.000 W 4.00m 3.00m 10000.00m 10.00m
 			IN	LOC	51 56 3.012 S 5 54 0.000 W 4.00m 4.00m 10000.00m 10.00m
 ;
+unauth			IN	CNAME	no-idea.example.org.
+;
+nxd			IN	CNAME	nxdomain.example.com.
+;
 hwinfo			IN	HINFO	"abc" "def"
 ;
 smtp-servers		IN	A	192.168.0.2
@@ -35,6 +39,14 @@ smtp-servers		IN	A	192.168.0.3
 smtp-servers		IN	A	192.168.0.4
 ;
 outpost			IN	A	192.168.2.1
+
+start                   IN      CNAME   x.y.z.w1
+*.w1                    IN      CNAME   x.y.z.w2
+*.w2                    IN      CNAME   x.y.z.w3
+*.w3                    IN      CNAME   x.y.z.w4
+*.w4                    IN      CNAME   x.y.z.w5
+*.w5                    IN      A       1.2.3.5
+
 ;
 start1			IN	CNAME	start2
 start2			IN	CNAME	start3
diff --git a/regression-tests/nsec-glue/expected_result b/regression-tests/nsec-glue/expected_result
index 21a68a262b..79c314f121 100644
--- a/regression-tests/nsec-glue/expected_result
+++ b/regression-tests/nsec-glue/expected_result
@@ -2,7 +2,7 @@
 1	example.com.	IN	RRSIG	86400	NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
 1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1	usa.example.com.	IN	NSEC	86400	www.example.com. NS RRSIG NSEC
+1	usa.example.com.	IN	NSEC	86400	*.w1.example.com. NS RRSIG NSEC
 1	usa.example.com.	IN	RRSIG	86400	NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2	.	IN	OPT	32768	
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
diff --git a/regression-tests/nsec-middle/expected_result b/regression-tests/nsec-middle/expected_result
index 0b7e2a1172..9045b0c274 100644
--- a/regression-tests/nsec-middle/expected_result
+++ b/regression-tests/nsec-middle/expected_result
@@ -2,8 +2,8 @@
 1	example.com.	IN	RRSIG	86400	NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
 1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1	ns2.example.com.	IN	NSEC	86400	outpost.example.com. A RRSIG NSEC
-1	ns2.example.com.	IN	RRSIG	86400	NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	nxd.example.com.	IN	NSEC	86400	outpost.example.com. CNAME RRSIG NSEC
+1	nxd.example.com.	IN	RRSIG	86400	NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2	.	IN	OPT	32768	
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='outerpost.example.com.', qtype=A
diff --git a/regression-tests/two-level-nxdomain/expected_result b/regression-tests/two-level-nxdomain/expected_result
index 74e4fd04d1..19b83daee3 100644
--- a/regression-tests/two-level-nxdomain/expected_result
+++ b/regression-tests/two-level-nxdomain/expected_result
@@ -2,7 +2,7 @@
 1	example.com.	IN	RRSIG	86400	NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
 1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1	ns2.example.com.	IN	NSEC	86400	outpost.example.com. A RRSIG NSEC
+1	ns2.example.com.	IN	NSEC	86400	nxd.example.com. A RRSIG NSEC
 1	ns2.example.com.	IN	RRSIG	86400	NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2	.	IN	OPT	32768	
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0