From 0f074be5c1b0b283d33de603d1ca92d914a15b33 Mon Sep 17 00:00:00 2001
From: Kees Monshouwer <mind04@monshouwer.org>
Date: Thu, 13 Apr 2023 00:50:08 +0200
Subject: [PATCH] auth: add nsec at delegation point test

---
 modules/tinydnsbackend/data                   |   1 +
 modules/tinydnsbackend/data.cdb               | Bin 1356255 -> 1356349 bytes
 .../tinydns-data-check/command                |   1 +
 .../tinydns-data-check/expected_result        |   5 +++--
 regression-tests/tests/axfr/expected_result   |   1 +
 .../tests/axfr/expected_result.dnssec         |   6 +++++-
 .../tests/axfr/expected_result.nsec3          |   4 ++++
 .../tests/axfr/expected_result.nsec3-optout   |   4 ++++
 .../expected_result.nsec3-optout              |   2 +-
 .../expected_result.dnssec                    |   4 ++--
 .../tests/nsec-at-delegation/command          |   2 ++
 .../tests/nsec-at-delegation/description      |   1 +
 .../tests/nsec-at-delegation/expected_result  |   9 +++++++++
 .../nsec-at-delegation/expected_result.narrow |   9 +++++++++
 .../nsec-at-delegation/expected_result.nsec3  |   9 +++++++++
 .../expected_result.nsec3-optout              |   9 +++++++++
 .../tests/nsec-at-delegation/skip.nodnssec    |   0
 regression-tests/zones/dnssec-parent.com      |   1 +
 18 files changed, 62 insertions(+), 6 deletions(-)
 create mode 100755 regression-tests/tests/nsec-at-delegation/command
 create mode 100644 regression-tests/tests/nsec-at-delegation/description
 create mode 100644 regression-tests/tests/nsec-at-delegation/expected_result
 create mode 100644 regression-tests/tests/nsec-at-delegation/expected_result.narrow
 create mode 100644 regression-tests/tests/nsec-at-delegation/expected_result.nsec3
 create mode 100644 regression-tests/tests/nsec-at-delegation/expected_result.nsec3-optout
 create mode 100644 regression-tests/tests/nsec-at-delegation/skip.nodnssec

diff --git a/modules/tinydnsbackend/data b/modules/tinydnsbackend/data
index a668509735..7a262b3eda 100644
--- a/modules/tinydnsbackend/data
+++ b/modules/tinydnsbackend/data
@@ -20271,6 +20271,7 @@ Znztest.com:ns1.nztest.com.:ahu.example.com.:2005092501:28800:7200:604800:86400:
 +ns2.secure-delegated.dnssec-parent.com:5.6.7.8:3600
 +something1.auth-ent.dnssec-parent.com:1.1.2.3:3600
 :secure-delegated.dnssec-parent.com:43:\324\057\010\002\240\271\303\214\323\044\030\052\360\357f\203\015\012\016\205\241\325\211y\311\203N\030\310qw\236\004\010W\267:3600
+C\052.dnssec-parent.com:secure-delegated.dnssec-parent.com.:3600
 Cwww.dnssec-parent.com:www.insecure.dnssec-parent.com.:3600
 Zdnssec-parent.com:ns1.dnssec-parent.com.:ahu.example.com.:2005092501:28800:7200:604800:86400:3600
 #2000081501 auto axfr-get
diff --git a/modules/tinydnsbackend/data.cdb b/modules/tinydnsbackend/data.cdb
index e70be8d883affea4a2ecc871b705679efb0befe5..b71ae2d51ecda7103f1a61fb5fa10ea28aebb0ab 100644
GIT binary patch
delta 3491
zc-n1N3s{rq75<U{;gaOPe7{zxvBg?1)hL1kZ_zr`)=Shf3*9uX7H?yXI<(58#3*gC
zQ=@3rC^pCxt+)oIlKvLWw8~JcflY?LJ~L=s)hdK}ud;&szVF1^XU}+^?|C`re3$dS
z=bRs|{42xvU4|oYghK@gq0lkF_LCf1LG4o<`iP+Z9Eb9$UC*JF6dS^*gyWYvw2z=A
z$e}WVwi_J!jM~i{Dy4WQ?0?9i3W9+)@CTl<a}H#T<k4p0@Wt?`n4r_Zqiysc=GjH2
zE)e&3<<TaB)<p1|d&0i<*LZZCVp14WdGswkZ{|@Qy*HglC+PWcJUUGio&tV*CPfEf
zGM#6P1Ml)^Jv}&^N6QErf5$VXMjP0ng*;QjzZh(H9-MRLL*mv|JX6A52npKP0$PiB
z#@M=rXG++M!~UJb@1Vbw@n|c}tQ;7+Jv>@RnN$Kp-&bK}j(`%T<FL<H6ZW6sQ4K*)
zJt*L5<WV(!=%2te6ok0`dr-pI3h~f=9y#a+Ya1{!bpRuyT41P;5|}>_BcLVpA-#as
zP+NewzZ1mW@d7HL@ooZRW_tx}Yj3d4CO~7dzz79W1?Yicf`bKouM3Qsb&LQ?j2BQ5
zy>ODiO46PIeoq!$V4Dv6^)n%EpDi%v_TLMPsrwIrzNG>>O#Sw-|3iT(;Q6C~j?()#
zI0Pnzbqg@EY!_IKO>TirgZWPaliI&WKzZ~)ImB%qfpx#L63*GZ0@_9GYDmy>On|Ph
z2`h0%VBPPp1KZaC3iuos!@mT8vH2P>4c&l^fo5Q6xdU<k1Blz7z&U#dC}Gry=r2@}
z7!hjBiLCa{P9kG!dr@Qx*%C#jgtHgK9qlIA5J(XjqxLir=6{$7--D5W`q3h*z4c9z
zDPf!l`}9*FZk#Hjy)@BZ1KMYZY#MyoA`qM>qJxy+eDK>BF~0-Z^F)x&E;6Z&1%RGH
z5o*0w1PO~o=#4ER^u~4(rlABLFzpu6IaVT2!hS$x^X~JC=pwa`g5P!m6tbTd$#=p*
zYXVZ38$~wn=1aiH5&(wgVA#G6XuTz(PiQlRK#|a0*cW&xvT^jZfdYZ2A~bgdW(55)
znAsi!X1!pPh)w6ey$fv6cY_U~?wBcH?}gcSAkY^xCEQ6E#_SguJ~%@$Br*asWi08K
z)z&r+1H;Lfb-(#-%#?9YgSc-dX1(B>i;;tkhYhn&rhgHJd0vX)%eEXd#%>2jEi}<W
z%(_3Y1~a7s>tUaN6Zkz_Au;<7NZ4G8S!v9BfS7SVB<imSD{%-r7$f&#aM*nqy7>fL
z5U9nh*4DFtfqJ;W`47w__FV$o)&z>RUjyd)Tfo%xZ%`og0MOHhSx<zJglg$KT8G2}
z0iDFY10GRARaD9@5_|``N^B}DFH4NErH8~MclL(3tsmH)BncJLdj?5t?%Rh*ObP!8
zi7DVumw@q`66^kuMPiA&9T~8}oh3nSr%TY)GhstuHu(KH5>vpk0MNe(_Sy0zrj*Gp
z!QX^c64Z7zFbp{*R$B9BAgC{v;QLT2v1y3W@0D0{*gkxsUHwF>B1=t{hO7v(BFTy(
zi^ihKiXkhOtT?iCWa-H=$WOGKX?G+h*QB_F&$$;|7q@c;*S!N=54q=`IsH3*dw;<p
z&ZBFtz7d1C)&GfqpW3}TdaNlmFuR%Bm9u`?7L0anJi^7xOEtU{)93M591=b)Q~oXk
znyLw2NKT!at46|u5qY(PBADMJSLyg;YR$Wq930=k@e-#xESGiTM~;q<A^+nfHg2C6
zY&D?7#~VHvPi=zB<saYUZw^ooJS<<|#P?jDIMu_UG556hYP@l1jJC0)oZ19C!dT(z
zXAoXeO_L`Ygt^_-!@iciNkaczVZxUj%5FVAWn~z>@`GK%O9`r6S@H?JH1XUa4&@y0
zn7w~e9LhO6A$1hB2`-YS9v6O_sX8cEbryd}*X%gRxklaQ`pC*}#97g*CV6<a=;)%_
zEgxMj&h7W&CsiEU)|w*Mhq1F4u+kf*owZNwF;ul!&c7x;jnU**gWKh55s#`)%2PvP
zT7=kmfJ1xBYx4&m1Wc@y-FL;pzN#F#hY|nKNt6HVwzL#HNE7!X(cbIn*1YuVXWFLX
znppK4Uis}&xb^k86cRsKJ9Jfn9FET|z@s~B?!fj$xqcgNiB+do$iCe;cc`oWDvp_R
zs=@2L6N{9*Zgq1;s*qB-A?ch(jg&76cPG3Yfs}dC`*fdkNGY8;epemX7HSiGxR0Q+
z|K^exw9F>`g_N@&udlU5Gy4R!-R{QMcny2sb)X4HM=4Tr|E_Pj0zuq;fKv2vLt8d^
zwdKsl1ev`0=%X+D2hmSIiljFbmqa0D)Q&Z4nj#pfk;<OU!#DobfRwi4t=(Iq(Et7@
z(>8v8`W5YSd-D4mE@YFG<|J&2&58<N!e`$3?!M~zrig*Adnp>E{HkD4i<$7uNm^32
zQvE!h-`Lz5BAI%}PAaH~a#dWx35G+LJ0<jtM9Q}NhGcUTYnK7aidC-h=l@SuSC-z|
zUrdC0^lD3!lN@TuC`um3Ml3N+**yGiZ4Tkz=bo@+8+m2q`L#22(a#Tesp(rZg5WLv
z?Zee1%P|@IGOtI1s##Yt?<zjR@mj^4p7Lm&+O_^Fj(3$3PnwcF<F@WG5pbC<G<qU=
zHEYPmguz6M_~4Mp@kGNuZ(VF#pn3jKec*a>y4Kad2`6fm&-VAr^&;2&Adc^>=w|o3
zm{0OQRk!fM1R_wuU~kPgu1X6(bh2`7Q&#Q~l6HEi%CwHqI8{C+_8Wqx@&O%V3Emvt
z+&cef73sQs+}K;>4o}*p?wLP(J-D+%w=mLGM;_EF!<G%2*c?e;7^qd=%U*nWx|-FF
zQ*=Aem#p}yc5=xzY_$mS<O6lX8SBUj;}%($BpuU;-;x2px#Mqdw1+XNN)Dt*nF*=}
mdC(+jfk6}fY?_Wum&&wpQDi9Ze$ao;*&wuvyn2@Oj^)3U2Hcqd

delta 3494
zc-m!E2~bo=8t$0^hGUq1@AY#LJSKP%<1q-Vw@xBzqDCjdET&2$CTO(Sm~k-*rRWP9
zaTlWxk2s3QxQJOGfsrUaM9runs3GNSN%WabbR6Q%G2V%6BHOS3F;;D;>iXtCy5IkO
z{r}Cet7*QU(j@r^Myn7)E)SslD~wiZ_9=`$qUdSFC{MG!7=5T=QxMf){0EH6D0W`K
zsFb4RIz~G+`!+^<Gz<j&4>78uD0hHg?qvHU<PG7_7V2<BaHyD~&CH=~+D3t62l-+k
zE_LV7CW<&7{DHoZ=YD}h$2Ck0;!qBKqwOEfp|je#sT?|~?VrS<(^|oH@LSV0lqi!~
z9Ahlc;m`(c<6I6cqv&10F{a-4z;-R-m=e+lVB2$HpDhmx$N3yn!d?IcTGs*MB91Y}
zpKweGYjM!;qJByHQOcpMT4iOx&|b-*k2NOMz|e6hsLT;i!smfJM}5$LhC}rfGrXWc
z#(56aX&?Fln7aHB_uK#_yloJ7-RF>`CEyNV<ogX6d38KPPbkm)as-c-Y9ET`QK4q@
z5SO|@+#buL-CDdS&zM<ygN>gDJ1`K?JA`M1<e@zDz$ji~0mq9xV}>X2pu{8|6=?@f
z<JpzC)4-oG0}imvf_%>$h+F6JjJfr%JY#DA8=xbHN41)NMbN*RX9{HegGWcT^JR%=
zQs7U3QRg<E-LY>c&!!=;hi6ht`*@VAZ77GhrIKgeZ>xrV)*2p_Xm%YG*!d+7U0)wm
z;tbEaUpfo6qX`snNEd@YE&=0!ADFtXL!#UQ3_Al5mmWae`WW_EpMVlxy@0;d6bTpL
zj?DtQds`QQF|~9Pm_n9#fhl22fVkuy1POAoz!<rQ2{8Yo1b7c@fSy!=-93IqU`lwW
zK%U1Aaqn~ieX14uCZKh;z^1{GDFDF*0@|+;TnK*aV&<2SHCF)XRtQXLZ$4l~fdF^C
zP5=pu1n7+|0`$gq0j6OWe85*Cpl{g~ff81?z~<diBcO|#eH8qblc13Gv_RhpNxKt}
zBJiES<~?u`7<K*#3<Fn!_EkW9OF)0unyC#GaovSH`JuqZF{1+%kUIrv?hwKVN)d$F
z8D_$I!Aq#E&A+=VBzSs2f~yx{3Rn{edk5qJgehT9Brs-wCh*{lBv8m$!j$P8N7&t3
zCJ|t0C#?GeZxE)8eI~>mZxhxFj`;*hY&;ec_GC(n3Cwd2ftPJLVT|n(L9JS$1%!3K
zTu7Kw@&?G0Hi185D->qk0R;zKgk4Rb6o`4tp-`zRsKfyxF-G=Ua9EEK=;jk}fZRaX
zUE@YT*$W5Qz9URx$M;}cE<@ba49wj(fvLA06p$YP+B*pA2^oo~K~p?T5?MepiR>M)
z3nDtGRU9KSM&52Bn~H!%gx=^aGRdvaLmUqT+ny+*0_~g>k<GnpgvgX|j1{5#Q$<G5
z{)))DU!E!g5h)E4Y%@frgmsn(3e157X&(3;St7g-?*lp(Lmti*nNr?75vC?zg#Q6+
zfuX!!WLN9k3<TZVMW&F)C9-LVaPJdYbKupFjcXqpb#&?JGSC%5S14U!bZN10x+3U`
zq$`Rp6J61CnU%*zJZP^eMysDLLrzYP^Pd%1bSAp7**SeZeoi_08TQN=@So2x!j-0$
zy6X`Lul;Xq&(Eoy@T5=S9y7CdX?FG8aUK3}r{9ZXm9Gt)7}3At5JvpwQgyWg=sQgD
zLekJTvh|36FgCX#C4~7i6n!-3(Hn$n4BIbZPQ<z_<z7$DHa_-99Y*ozw=eLwn^F8P
z@{(UQo8lm4awd1fs{ct*k~eexmdA%xVl?5N@m_sR6q;Z>zk8-;Q`{fKInHHf-lB_E
zip~7|Ui!9L#V~{)oX!7MjZtR%@z;{R0GzLk+sj+xbbXX}j`0bG*b~&Bb^OV^ifK_O
zt8vQE`<hL$uTpZH&q&w3qv&IVpHmG}_hV-~$MskG&J^Z`>xz`ZOhM|Z`->8pC(Iw%
zZRA0WwzVfK`9VA##LSu??R{lJpOLzL$~VnIXM~|o9k`v>T7{#!B}z$~Ff2q^>&EEQ
z@`k+IL2TNuwA>X62I#sg**(b5T?~Vtp0*~Lq!^;AsP;9LJzM%8eyZ(IQXi>*d{Ei@
z5@~-i>KeVHuNp??rzpXA%_=hfPlggmk5_tZC#{kCo0UpbDajt`yyL~;&V7E;mHo1*
zr_L_AFeL=3xjoOmYttch#)yq^!^6?jKXufylvi6qk!o_C+r5&;ThDBaQ}jr!9QJ*$
zbOZ2<_K|SQ?>oe#!QEdsK0D#jM_&x~Bj-^ciM6U(iAzgAq}w}+xAtlcL+Z|of!Q@Q
zX-sPJqmQY7=Ej?+dmE8zJGXAO33}0}Hl-CMO$ui>V^sUUezC)0(2Nx4{=+!bsJ^tL
zu<&w-v-=ei*RN*cv{hAM&pxhJ+*lez&+A%0plB?$``_c2Zqo&ivcD%^$b^qzb^5Bs
ztz)PVTSnh)$kIDQ{3Jd>jrETRooq(xGE>|5S3{p2`+33MxaVlHY2Lt#c}C}GKZ!M~
zepi)g5tVAy@S6G)&c<dE=Uj1_L`XNrx3s@cYuI+*oHT}VKGjsS{!S!P7lfCY{)Lg+
zxMoAc!f>SKoo{Jx(=q>4%}?=R8Q=$WepN30&ei)m^#6bAfgiiX^$Y!@|54x8%j-jt
zMLkviTI31+v%szB+qHEDq@EdGespgrYm;HB_tLebR9fYpw<njJrPQkB#BUAsMw&Ox
z$UZ`=N^LthNV_31+FZPwvdEl$+w@DAGq0J%I{W%a*M#4X-?i)f3!LGP^%SjX>d4eF
zxntCjA<lcrw1x?3W$D+bX#2K|-uShdU5rKTzI@WeTeOBj<<=(?={HyAJ13u`-}L3&
zswg%pzc!P%rt*z77+qf<DMcItd|Am#6g>tZ?*K+OcKrKgcMzKoD5Fxu^f=ubWz#g#
jVK&s&1}CM*TVkm(s<sNFyGsVY+vpDi_qDm=n^XS>TQt+}

diff --git a/regression-tests.nobackend/tinydns-data-check/command b/regression-tests.nobackend/tinydns-data-check/command
index 81e2dcd516..0139d4987d 100755
--- a/regression-tests.nobackend/tinydns-data-check/command
+++ b/regression-tests.nobackend/tinydns-data-check/command
@@ -8,4 +8,5 @@ for zone in `cat ../regression-tests/named.conf | grep 'zone ' | cut -f 2 -d \"`
 do
 	${MD5SUM} ../regression-tests/zones/$zone
 done
+${MD5SUM} ../modules/tinydnsbackend/data
 ${MD5SUM} ../modules/tinydnsbackend/data.cdb
diff --git a/regression-tests.nobackend/tinydns-data-check/expected_result b/regression-tests.nobackend/tinydns-data-check/expected_result
index bba64c82c8..71c0ebda7a 100644
--- a/regression-tests.nobackend/tinydns-data-check/expected_result
+++ b/regression-tests.nobackend/tinydns-data-check/expected_result
@@ -4,7 +4,7 @@ e5e3ee998d151fe194b98997eaa36c53  ../regression-tests/zones/test.dyndns
 dee3e8b568549d9450134b555ca73990  ../regression-tests/zones/sub.test.dyndns
 e7c0fd528e8aaedb1ea3b6daaead4de2  ../regression-tests/zones/wtest.com
 42b442de632686e94bde75acf66cf524  ../regression-tests/zones/nztest.com
-b06133eb32c5bdf346223563501ba8f8  ../regression-tests/zones/dnssec-parent.com
+7f79c98efdb1d3d2318ac666d2fb5642  ../regression-tests/zones/dnssec-parent.com
 e9be89b6e5e0da8910c69e46f35d20ab  ../regression-tests/zones/insecure.dnssec-parent.com
 6510bf48aa3ca3501b73a1f510852a34  ../regression-tests/zones/delegated.dnssec-parent.com
 a63dc120391d9df0003f2ec4f461a6af  ../regression-tests/zones/secure-delegated.dnssec-parent.com
@@ -15,4 +15,5 @@ a98864b315f16bcf49ce577426063c42  ../regression-tests/zones/cdnskey-cds-test.com
 9aeed2c26d0c3ba3baf22dfa9568c451  ../regression-tests/zones/2.0.192.in-addr.arpa
 99c73e8b5db5781fec1ac3fa6a2662a9  ../regression-tests/zones/cryptokeys.org
 1f9e19be0cff67330f3a0a5347654f91  ../regression-tests/zones/hiddencryptokeys.org
-ab699fca1a52598202a1494cddd192ff  ../modules/tinydnsbackend/data.cdb
+964425367cec0d828222b144c4e1c540  ../modules/tinydnsbackend/data
+f3932b1df41d683f47516455b571c358  ../modules/tinydnsbackend/data.cdb
diff --git a/regression-tests/tests/axfr/expected_result b/regression-tests/tests/axfr/expected_result
index d831426e48..09e9dfaeb3 100644
--- a/regression-tests/tests/axfr/expected_result
+++ b/regression-tests/tests/axfr/expected_result
@@ -1,3 +1,4 @@
+*.dnssec-parent.com.	3600	IN	CNAME	secure-delegated.dnssec-parent.com.
 delegated.dnssec-parent.com.	3600	IN	NS	ns1.delegated.dnssec-parent.com.
 delegated.dnssec-parent.com.	3600	IN	NS	ns2.delegated.dnssec-parent.com.
 dnssec-parent.com.	3600	IN	A	9.9.9.9
diff --git a/regression-tests/tests/axfr/expected_result.dnssec b/regression-tests/tests/axfr/expected_result.dnssec
index 4aac677664..6930c4ce25 100644
--- a/regression-tests/tests/axfr/expected_result.dnssec
+++ b/regression-tests/tests/axfr/expected_result.dnssec
@@ -1,3 +1,7 @@
+*.dnssec-parent.com.	3600	IN	CNAME	secure-delegated.dnssec-parent.com.
+*.dnssec-parent.com.	3600	IN	NSEC	insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. CNAME RRSIG NSEC
+*.dnssec-parent.com.	3600	IN	RRSIG	CNAME 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+*.dnssec-parent.com.	3600	IN	RRSIG	NSEC 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 delegated.dnssec-parent.com.	3600	IN	NS	ns1.delegated.dnssec-parent.com.
 delegated.dnssec-parent.com.	3600	IN	NS	ns2.delegated.dnssec-parent.com.
 delegated.dnssec-parent.com.	3600	IN	NSEC	insecure.dnssec-parent.com. NS RRSIG NSEC
@@ -5,7 +9,7 @@ delegated.dnssec-parent.com.	3600	IN	RRSIG	NSEC 13 3 3600 [expiry] [inception] [
 dnssec-parent.com.	3600	IN	A	9.9.9.9
 dnssec-parent.com.	3600	IN	NS	ns1.dnssec-parent.com.
 dnssec-parent.com.	3600	IN	NS	ns2.dnssec-parent.com.
-dnssec-parent.com.	3600	IN	NSEC	insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. A NS SOA RRSIG NSEC DNSKEY CDS CDNSKEY
+dnssec-parent.com.	3600	IN	NSEC	*.dnssec-parent.com. A NS SOA RRSIG NSEC DNSKEY CDS CDNSKEY
 dnssec-parent.com.	3600	IN	RRSIG	A 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 dnssec-parent.com.	3600	IN	RRSIG	NS 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 dnssec-parent.com.	3600	IN	RRSIG	NSEC 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
diff --git a/regression-tests/tests/axfr/expected_result.nsec3 b/regression-tests/tests/axfr/expected_result.nsec3
index 8b9d290b3b..15b8162179 100644
--- a/regression-tests/tests/axfr/expected_result.nsec3
+++ b/regression-tests/tests/axfr/expected_result.nsec3
@@ -1,3 +1,7 @@
+*.dnssec-parent.com.	3600	IN	CNAME	secure-delegated.dnssec-parent.com.
+*.dnssec-parent.com.	3600	IN	NSEC3	1 0 1 abcd [next owner] CNAME RRSIG
+*.dnssec-parent.com.	3600	IN	RRSIG	CNAME 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+*.dnssec-parent.com.	3600	IN	RRSIG	NSEC3 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 auth-ent.dnssec-parent.com.	3600	IN	NSEC3	1 0 1 abcd [next owner]
 auth-ent.dnssec-parent.com.	3600	IN	RRSIG	NSEC3 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 delegated.dnssec-parent.com.	3600	IN	NS	ns1.delegated.dnssec-parent.com.
diff --git a/regression-tests/tests/axfr/expected_result.nsec3-optout b/regression-tests/tests/axfr/expected_result.nsec3-optout
index c4da9a3352..ad6ce2201f 100644
--- a/regression-tests/tests/axfr/expected_result.nsec3-optout
+++ b/regression-tests/tests/axfr/expected_result.nsec3-optout
@@ -1,3 +1,7 @@
+*.dnssec-parent.com.	3600	IN	CNAME	secure-delegated.dnssec-parent.com.
+*.dnssec-parent.com.	3600	IN	NSEC3	1 1 1 abcd [next owner] CNAME RRSIG
+*.dnssec-parent.com.	3600	IN	RRSIG	CNAME 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+*.dnssec-parent.com.	3600	IN	RRSIG	NSEC3 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 auth-ent.dnssec-parent.com.	3600	IN	NSEC3	1 1 1 abcd [next owner]
 auth-ent.dnssec-parent.com.	3600	IN	RRSIG	NSEC3 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 delegated.dnssec-parent.com.	3600	IN	NS	ns1.delegated.dnssec-parent.com.
diff --git a/regression-tests/tests/ds-at-unsecure-zone-cut/expected_result.nsec3-optout b/regression-tests/tests/ds-at-unsecure-zone-cut/expected_result.nsec3-optout
index 96aff471d8..680fef8692 100644
--- a/regression-tests/tests/ds-at-unsecure-zone-cut/expected_result.nsec3-optout
+++ b/regression-tests/tests/ds-at-unsecure-zone-cut/expected_result.nsec3-optout
@@ -2,7 +2,7 @@
 1	7on3vems0f8k9999ikei0ig4lfijekdr.dnssec-parent.com.	3600	IN	RRSIG	NSEC3 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 1	dnssec-parent.com.	3600	IN	RRSIG	SOA 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 1	dnssec-parent.com.	3600	IN	SOA	ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
-1	dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com.	3600	IN	NSEC3	1 1 1 abcd NIH4L3ODLUG7EN20PENJ8DGNU4OHC98F A NS SOA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY
+1	dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com.	3600	IN	NSEC3	1 1 1 abcd K25OPIULTRKGKRMR3UC09CSK20QHT1LJ A NS SOA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY
 1	dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com.	3600	IN	RRSIG	NSEC3 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 2	.	32768	IN	OPT	
 Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
diff --git a/regression-tests/tests/ent-unsigned-delegation/expected_result.dnssec b/regression-tests/tests/ent-unsigned-delegation/expected_result.dnssec
index 6a7cb56858..c9444d0f6c 100644
--- a/regression-tests/tests/ent-unsigned-delegation/expected_result.dnssec
+++ b/regression-tests/tests/ent-unsigned-delegation/expected_result.dnssec
@@ -1,5 +1,5 @@
-1	dnssec-parent.com.	3600	IN	NSEC	insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. A NS SOA RRSIG NSEC DNSKEY CDS CDNSKEY
-1	dnssec-parent.com.	3600	IN	RRSIG	NSEC 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+1	*.dnssec-parent.com.	3600	IN	NSEC	insecure-delegated.ent.ent.auth-ent.dnssec-parent.com. CNAME RRSIG NSEC
+1	*.dnssec-parent.com.	3600	IN	RRSIG	NSEC 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 1	dnssec-parent.com.	3600	IN	RRSIG	SOA 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 1	dnssec-parent.com.	3600	IN	SOA	ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
 2	.	32768	IN	OPT	
diff --git a/regression-tests/tests/nsec-at-delegation/command b/regression-tests/tests/nsec-at-delegation/command
new file mode 100755
index 0000000000..58ee8e88e1
--- /dev/null
+++ b/regression-tests/tests/nsec-at-delegation/command
@@ -0,0 +1,2 @@
+#!/bin/sh
+cleandig secure-delegated1.dnssec-parent.com A dnssec
diff --git a/regression-tests/tests/nsec-at-delegation/description b/regression-tests/tests/nsec-at-delegation/description
new file mode 100644
index 0000000000..d59bcc5845
--- /dev/null
+++ b/regression-tests/tests/nsec-at-delegation/description
@@ -0,0 +1 @@
+Check that we generate the right NSECs when the NSEC name is a delegation point.
diff --git a/regression-tests/tests/nsec-at-delegation/expected_result b/regression-tests/tests/nsec-at-delegation/expected_result
new file mode 100644
index 0000000000..19f980e090
--- /dev/null
+++ b/regression-tests/tests/nsec-at-delegation/expected_result
@@ -0,0 +1,9 @@
+0	secure-delegated.dnssec-parent.com.	3600	IN	A	9.9.9.9
+0	secure-delegated.dnssec-parent.com.	3600	IN	RRSIG	A 8 3 3600 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
+0	secure-delegated1.dnssec-parent.com.	3600	IN	CNAME	secure-delegated.dnssec-parent.com.
+0	secure-delegated1.dnssec-parent.com.	3600	IN	RRSIG	CNAME 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+1	secure-delegated.dnssec-parent.com.	3600	IN	NSEC	www.dnssec-parent.com. NS DS RRSIG NSEC
+1	secure-delegated.dnssec-parent.com.	3600	IN	RRSIG	NSEC 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+2	.	32768	IN	OPT	
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='secure-delegated1.dnssec-parent.com.', qtype=A
diff --git a/regression-tests/tests/nsec-at-delegation/expected_result.narrow b/regression-tests/tests/nsec-at-delegation/expected_result.narrow
new file mode 100644
index 0000000000..dafbed6491
--- /dev/null
+++ b/regression-tests/tests/nsec-at-delegation/expected_result.narrow
@@ -0,0 +1,9 @@
+0	secure-delegated.dnssec-parent.com.	3600	IN	A	9.9.9.9
+0	secure-delegated.dnssec-parent.com.	3600	IN	RRSIG	A 8 3 3600 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
+0	secure-delegated1.dnssec-parent.com.	3600	IN	CNAME	secure-delegated.dnssec-parent.com.
+0	secure-delegated1.dnssec-parent.com.	3600	IN	RRSIG	CNAME 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+1	1an9kidorpirlabrh3be2n8k5taoe1v0.dnssec-parent.com.	3600	IN	NSEC3	1 [flags] 1 abcd 1AN9KIDORPIRLABRH3BE2N8K5TAOE1V2
+1	1an9kidorpirlabrh3be2n8k5taoe1v0.dnssec-parent.com.	3600	IN	RRSIG	NSEC3 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+2	.	32768	IN	OPT	
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='secure-delegated1.dnssec-parent.com.', qtype=A
diff --git a/regression-tests/tests/nsec-at-delegation/expected_result.nsec3 b/regression-tests/tests/nsec-at-delegation/expected_result.nsec3
new file mode 100644
index 0000000000..e65ad7a677
--- /dev/null
+++ b/regression-tests/tests/nsec-at-delegation/expected_result.nsec3
@@ -0,0 +1,9 @@
+0	secure-delegated.dnssec-parent.com.	3600	IN	A	9.9.9.9
+0	secure-delegated.dnssec-parent.com.	3600	IN	RRSIG	A 8 3 3600 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
+0	secure-delegated1.dnssec-parent.com.	3600	IN	CNAME	secure-delegated.dnssec-parent.com.
+0	secure-delegated1.dnssec-parent.com.	3600	IN	RRSIG	CNAME 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+1	u97st412oa8b4bgjc1dgtb4qi5di8dmv.dnssec-parent.com.	3600	IN	NSEC3	1 [flags] 1 abcd 1SCAQA30LQ0DO5EIRNE4KPJFBEBFGR54
+1	u97st412oa8b4bgjc1dgtb4qi5di8dmv.dnssec-parent.com.	3600	IN	RRSIG	NSEC3 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+2	.	32768	IN	OPT	
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='secure-delegated1.dnssec-parent.com.', qtype=A
diff --git a/regression-tests/tests/nsec-at-delegation/expected_result.nsec3-optout b/regression-tests/tests/nsec-at-delegation/expected_result.nsec3-optout
new file mode 100644
index 0000000000..aee66ded27
--- /dev/null
+++ b/regression-tests/tests/nsec-at-delegation/expected_result.nsec3-optout
@@ -0,0 +1,9 @@
+0	secure-delegated.dnssec-parent.com.	3600	IN	A	9.9.9.9
+0	secure-delegated.dnssec-parent.com.	3600	IN	RRSIG	A 8 3 3600 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
+0	secure-delegated1.dnssec-parent.com.	3600	IN	CNAME	secure-delegated.dnssec-parent.com.
+0	secure-delegated1.dnssec-parent.com.	3600	IN	RRSIG	CNAME 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+1	qoqsriqrvi1g1ql3tpph2248q9ldpepf.dnssec-parent.com.	3600	IN	NSEC3	1 [flags] 1 abcd 1SCAQA30LQ0DO5EIRNE4KPJFBEBFGR54 A RRSIG
+1	qoqsriqrvi1g1ql3tpph2248q9ldpepf.dnssec-parent.com.	3600	IN	RRSIG	NSEC3 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+2	.	32768	IN	OPT	
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='secure-delegated1.dnssec-parent.com.', qtype=A
diff --git a/regression-tests/tests/nsec-at-delegation/skip.nodnssec b/regression-tests/tests/nsec-at-delegation/skip.nodnssec
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/regression-tests/zones/dnssec-parent.com b/regression-tests/zones/dnssec-parent.com
index 0800ccf1eb..f32469bbf7 100644
--- a/regression-tests/zones/dnssec-parent.com
+++ b/regression-tests/zones/dnssec-parent.com
@@ -25,3 +25,4 @@ insecure-delegated.ent.ent.auth-ent	IN	NS	ns.example.com.
 something1.auth-ent	IN	A	1.1.2.3
 insecure		IN	NS	ns.example.com.
 www			IN	CNAME	www.insecure
+*			IN	CNAME	secure-delegated
-- 
2.47.2