From: Peter van Dijk <peter.van.dijk@netherlabs.nl>
Date: Mon, 17 Sep 2012 08:46:18 +0000 (+0000)
Subject: Add presigned tests. Improve DNSKEY and NSEC3PARAM query handling, including
X-Git-Tag: auth-3.2-rc1~173
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=794c2f9267376a304256dd87a150959e90385f11;p=thirdparty%2Fpdns.git

Add presigned tests. Improve DNSKEY and NSEC3PARAM query handling, including
for ANY queries (this fixes some presigned BOGUS validations). Fix TTLs on
NSEC, NSEC3, SOA, RRSIG SOA and inside RRSIG SOA. Add bufsize support to sdig.
Update all relevant testcases.



git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@2709 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---

diff --git a/modules/tinydnsbackend/data b/modules/tinydnsbackend/data
index c6465897fc..0be23c24d4 100644
--- a/modules/tinydnsbackend/data
+++ b/modules/tinydnsbackend/data
@@ -1,10 +1,9 @@
 #2000081501 auto axfr-get
-Zexample.com:ns1.example.com.:ahu.example.com.:2000081501:28800:7200:604800:86400:120
+Zexample.com:ns1.example.com.:ahu.example.com.:2000081501:28800:7200:604800:86400:100000
 &example.com::ns1.example.com.:120
 &example.com::ns2.example.com.:120
 @example.com::smtp-servers.example.com.:10:120
 @example.com::smtp-servers.test.com.:15:120
-:example.com:48:\001\000\003\005\003\001\000\001\252\323\210xO\202\360\366\361\140\215\361\100WpG\037\361\377\216\027\347\177lJ\015\3534\356\036\137\350V\266\271\376\247\350\236\026\012\375\030\310\357\204s\035\315\260\226\057S\245s\226\311\304\025\335\204\237\244V\175\317\341\201\375\266\354\274\032\047\325s25\376J\136\343\260E\321\331\134\206a\325\311.\334\007\010\310\332\350\017n\214\076F\305\054v4\373\024H\373\273\273\072\304\072\235\207\017\006\232\203\210\231\301\330\023\041:120
 :escapedtext.example.com:16:\005begin\022the\040\042middle\042\040p\134art\007the\040end:120
 Cexternal.example.com:somewhere.else.net.:120
 @external-mail.example.com::server1.test.com.:25:120
@@ -20130,7 +20129,7 @@ Ztest.com:ns1.test.com.:ahu.example.com.:2005092501:28800:7200:604800:86400:3600
 &test.com::ns2.test.com.:3600
 @test.com::smtp-servers.example.com.:10:3600
 @test.com::smtp-servers.test.com.:15:3600
-+blah.test.com:9.9.9.9:3600
++blah.test.com:192.168.6.1:3600
 &blah.test.com::blah.test.com.:3600
 +counter.test.com:1.1.1.5:3600
 :_double._tcp.dc.test.com:33:\000\000\000d\001\205\007server1\004test\003com\000:3600
diff --git a/modules/tinydnsbackend/data.cdb b/modules/tinydnsbackend/data.cdb
index 9cdfa96c9c..f1a6a1d4a8 100644
Binary files a/modules/tinydnsbackend/data.cdb and b/modules/tinydnsbackend/data.cdb differ
diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index 31dcfb6a75..d774a53eb5 100644
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -353,18 +353,21 @@ bool DNSSECKeeper::secureZone(const std::string& name, int algorithm)
 
 bool DNSSECKeeper::getPreRRSIGs(DNSBackend& db, const std::string& signer, const std::string& qname, 
 	const std::string& wildcardname, const QType& qtype, 
-	DNSPacketWriter::Place signPlace, vector<DNSResourceRecord>& rrsigs)
+	DNSPacketWriter::Place signPlace, vector<DNSResourceRecord>& rrsigs, uint32_t signTTL)
 {
   // cerr<<"Doing DB lookup for precomputed RRSIGs for '"<<(wildcardname.empty() ? qname : wildcardname)<<"'"<<endl;
 	db.lookup(QType(QType::RRSIG), wildcardname.empty() ? qname : wildcardname);
 	DNSResourceRecord rr;
 	while(db.get(rr)) { 
 		// cerr<<"Considering for '"<<qtype.getName()<<"' RRSIG '"<<rr.content<<"'\n";
-		if(boost::starts_with(rr.content, qtype.getName()+" ")) {
+		vector<string> parts;
+		stringtok(parts, rr.content);
+		if(parts[0] == qtype.getName() && pdns_iequals(parts[7], signer+".")) {
 			// cerr<<"Got it"<<endl;
 			if (!wildcardname.empty())
 				rr.qname = qname;
 			rr.d_place = (DNSResourceRecord::Place)signPlace;
+      rr.ttl = signTTL;
 			rrsigs.push_back(rr);
 		}
 		else ; // cerr<<"Skipping!"<<endl;
diff --git a/pdns/dns.hh b/pdns/dns.hh
index 142c33fb89..fa926b479e 100644
--- a/pdns/dns.hh
+++ b/pdns/dns.hh
@@ -68,7 +68,7 @@ public:
 class DNSResourceRecord
 {
 public:
-  DNSResourceRecord() : qclass(1), priority(0), last_modified(0), d_place(ANSWER), auth(1), scopeMask(0) {};
+  DNSResourceRecord() : qclass(1), priority(0), signttl(0), last_modified(0), d_place(ANSWER), auth(1), scopeMask(0) {};
   ~DNSResourceRecord(){};
 
   // data
@@ -80,6 +80,7 @@ public:
   string content; //!< what this record points to. Example: 10.1.2.3
   uint16_t priority; //!< For qtypes that support a priority or preference (MX, SRV)
   uint32_t ttl; //!< Time To Live of this record
+  uint32_t signttl; //!< If non-zero, use this TTL as original TTL in the RRSIG
   int domain_id; //!< If a backend implements this, the domain_id of the zone this record is in
   time_t last_modified; //!< For autocalculating SOA serial numbers - the backend needs to fill this in
   enum Place {QUESTION=0, ANSWER=1, AUTHORITY=2, ADDITIONAL=3}; //!< Type describing the positioning of a DNSResourceRecord within, say, a DNSPacket
diff --git a/pdns/dnssecinfra.hh b/pdns/dnssecinfra.hh
index 0d9042da57..9de60fbbcc 100644
--- a/pdns/dnssecinfra.hh
+++ b/pdns/dnssecinfra.hh
@@ -119,7 +119,7 @@ struct DNSSECPrivateKey;
 void fillOutRRSIG(DNSSECPrivateKey& dpk, const std::string& signQName, RRSIGRecordContent& rrc, vector<shared_ptr<DNSRecordContent> >& toSign);
 uint32_t getCurrentInception();
 void addSignature(DNSSECKeeper& dk, DNSBackend& db, const std::string signQName, const std::string& wildcardname, uint16_t signQType, uint32_t signTTL, DNSPacketWriter::Place signPlace, 
-  vector<shared_ptr<DNSRecordContent> >& toSign, vector<DNSResourceRecord>& outsigned);
+  vector<shared_ptr<DNSRecordContent> >& toSign, vector<DNSResourceRecord>& outsigned, uint32_t origTTL);
 int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::string signQName, uint16_t signQType, uint32_t signTTL, 
 		     vector<shared_ptr<DNSRecordContent> >& toSign, vector<RRSIGRecordContent> &rrc, bool ksk);
 
diff --git a/pdns/dnsseckeeper.hh b/pdns/dnsseckeeper.hh
index 08b02c3df8..b84fea7df5 100644
--- a/pdns/dnsseckeeper.hh
+++ b/pdns/dnsseckeeper.hh
@@ -82,7 +82,7 @@ public:
   void unsetNSEC3PARAM(const std::string& zname);
   void clearAllCaches();
   void clearCaches(const std::string& name);
-  bool getPreRRSIGs(DNSBackend& db, const std::string& signer, const std::string& qname, const std::string& wildcardname, const QType& qtype, DNSPacketWriter::Place, vector<DNSResourceRecord>& rrsigs);
+  bool getPreRRSIGs(DNSBackend& db, const std::string& signer, const std::string& qname, const std::string& wildcardname, const QType& qtype, DNSPacketWriter::Place, vector<DNSResourceRecord>& rrsigs, uint32_t signTTL);
   bool isPresigned(const std::string& zname);
   void setPresigned(const std::string& zname);
   void unsetPresigned(const std::string& zname);
diff --git a/pdns/dnssecsigner.cc b/pdns/dnssecsigner.cc
index f41bbb7c06..a77693e5fd 100644
--- a/pdns/dnssecsigner.cc
+++ b/pdns/dnssecsigner.cc
@@ -76,7 +76,7 @@ int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::st
 // this is the entrypoint from DNSPacket
 void addSignature(DNSSECKeeper& dk, DNSBackend& db, const std::string& signer, const std::string signQName, const std::string& wildcardname, uint16_t signQType, 
   uint32_t signTTL, DNSPacketWriter::Place signPlace, 
-  vector<shared_ptr<DNSRecordContent> >& toSign, vector<DNSResourceRecord>& outsigned)
+  vector<shared_ptr<DNSRecordContent> >& toSign, vector<DNSResourceRecord>& outsigned, uint32_t origTTL)
 {
   //cerr<<"Asked to sign '"<<signQName<<"'|"<<DNSRecordContent::NumberToType(signQType)<<", "<<toSign.size()<<" records\n";
   if(toSign.empty())
@@ -84,7 +84,7 @@ void addSignature(DNSSECKeeper& dk, DNSBackend& db, const std::string& signer, c
   vector<RRSIGRecordContent> rrcs;
   if(dk.isPresigned(signer)) {
     //cerr<<"Doing presignatures"<<endl;
-    dk.getPreRRSIGs(db, signer, signQName, wildcardname, QType(signQType), signPlace, outsigned); // does it all
+    dk.getPreRRSIGs(db, signer, signQName, wildcardname, QType(signQType), signPlace, outsigned, origTTL); // does it all
   }
   else {
     if(getRRSIGsForRRSET(dk, signer, wildcardname.empty() ? signQName : wildcardname, signQType, signTTL, toSign, rrcs, signQType == QType::DNSKEY) < 0)  {
@@ -95,7 +95,10 @@ void addSignature(DNSSECKeeper& dk, DNSBackend& db, const std::string& signer, c
     DNSResourceRecord rr;
     rr.qname=signQName;
     rr.qtype=QType::RRSIG;
-    rr.ttl=signTTL;
+    if(origTTL)
+      rr.ttl=origTTL;
+    else
+      rr.ttl=signTTL;
     rr.auth=false;
     rr.d_place = (DNSResourceRecord::Place) signPlace;
     BOOST_FOREACH(RRSIGRecordContent& rrc, rrcs) {
@@ -171,6 +174,7 @@ void addRRSigs(DNSSECKeeper& dk, DNSBackend& db, const set<string, CIStringCompa
   string signQName, wildcardQName;
   uint16_t signQType=0;
   uint32_t signTTL=0;
+  uint32_t origTTL=0;
   
   DNSPacketWriter::Place signPlace=DNSPacketWriter::ANSWER;
   vector<shared_ptr<DNSRecordContent> > toSign;
@@ -181,13 +185,17 @@ void addRRSigs(DNSSECKeeper& dk, DNSBackend& db, const set<string, CIStringCompa
   for(vector<DNSResourceRecord>::const_iterator pos = rrs.begin(); pos != rrs.end(); ++pos) {
     if(pos != rrs.begin() && (signQType != pos->qtype.getCode()  || signQName != pos->qname)) {
       if(getBestAuthFromSet(authSet, signQName, signer))
-        addSignature(dk, db, signer, signQName, wildcardQName, signQType, signTTL, signPlace, toSign, signedRecords);
+        addSignature(dk, db, signer, signQName, wildcardQName, signQType, signTTL, signPlace, toSign, signedRecords, origTTL);
     }
     signedRecords.push_back(*pos);
     signQName= pos->qname;
     wildcardQName = pos->wildcardname;
     signQType = pos ->qtype.getCode();
-    signTTL = pos->ttl;
+    if(pos->signttl)
+      signTTL = pos->signttl;
+    else
+      signTTL = pos->ttl;
+    origTTL = pos->ttl;
     signPlace = (DNSPacketWriter::Place) pos->d_place;
     if(pos->auth || pos->qtype.getCode() == QType::DS) {
       string content = pos->content;
@@ -205,6 +213,6 @@ void addRRSigs(DNSSECKeeper& dk, DNSBackend& db, const set<string, CIStringCompa
     }
   }
   if(getBestAuthFromSet(authSet, signQName, signer))
-    addSignature(dk, db, signer, signQName, wildcardQName, signQType, signTTL, signPlace, toSign, signedRecords);
+    addSignature(dk, db, signer, signQName, wildcardQName, signQType, signTTL, signPlace, toSign, signedRecords, origTTL);
   rrs.swap(signedRecords);
 }
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 9b2bd79545..87434d01e4 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -204,12 +204,9 @@ int PacketHandler::doFancyRecords(DNSPacket *p, DNSPacket *r, string &target)
   return 0;
 }
 
-/** This catches DNSKEY requests. Returns 1 if it was handled, 0 if it wasn't */
-int PacketHandler::doDNSKEYRequest(DNSPacket *p, DNSPacket *r, const SOAData& sd)
+/** This adds DNSKEY records. Returns true if one was added */
+bool PacketHandler::addDNSKEY(DNSPacket *p, DNSPacket *r, const SOAData& sd)
 {
-  if(p->qtype.getCode()!=QType::DNSKEY) 
-    return false;
-    
   DNSResourceRecord rr;
   bool haveOne=false;
   DNSSECPrivateKey dpk;
@@ -228,12 +225,9 @@ int PacketHandler::doDNSKEYRequest(DNSPacket *p, DNSPacket *r, const SOAData& sd
 }
 
 
-/** This catches DNSKEY requests. Returns 1 if it was handled, 0 if it wasn't */
-int PacketHandler::doNSEC3PARAMRequest(DNSPacket *p, DNSPacket *r, const SOAData& sd)
+/** This adds NSEC3PARAM records. Returns true if one was added */
+bool PacketHandler::addNSEC3PARAM(DNSPacket *p, DNSPacket *r, const SOAData& sd)
 {
-  if(p->qtype.getCode()!=QType::NSEC3PARAM) 
-    return false;
-
   DNSResourceRecord rr;
 
   NSEC3PARAMRecordContent ns3prc;
@@ -331,7 +325,7 @@ bool PacketHandler::getBestWildcard(DNSPacket *p, SOAData& sd, const string &tar
   while ( chopOff( subdomain ) && !haveSomething ) {
     B.lookup(QType(QType::ANY), "*."+subdomain, p, sd.domain_id);
     while(B.get(rr)) {
-      if(rr.qtype == p->qtype ||rr.qtype.getCode() == QType::CNAME || p->qtype.getCode() == QType::ANY)
+      if(rr.qtype == p->qtype ||rr.qtype.getCode() == QType::CNAME || (p->qtype.getCode() == QType::ANY && rr.qtype.getCode() != QType::RRSIG))
         ret->push_back(rr);
       wildcard="*."+subdomain;
       haveSomething=true;
@@ -382,12 +376,14 @@ int PacketHandler::doAdditionalProcessingAndDropAA(DNSPacket *p, DNSPacket *r, c
         //	i->d_place=DNSResourceRecord::AUTHORITY; // XXX FIXME
       }
 
+      string content = stripDot(i->content);
+
       QType qtypes[2];
       qtypes[0]="A"; qtypes[1]="AAAA";
       for(int n=0 ; n < d_doIPv6AdditionalProcessing + 1; ++n) {
         if (i->qtype.getCode()==QType::SRV) {
           vector<string>parts;
-          stringtok(parts,i->content);
+          stringtok(parts, content);
           if (parts.size() >= 3) {
             B.lookup(qtypes[n],parts[2],p);
           }
@@ -395,7 +391,7 @@ int PacketHandler::doAdditionalProcessingAndDropAA(DNSPacket *p, DNSPacket *r, c
             continue;
         }
         else {
-          B.lookup(qtypes[n],i->content,p);
+          B.lookup(qtypes[n], content, p);
         }
         bool foundOne=false;
         while(B.get(rr)) {
@@ -426,15 +422,16 @@ void PacketHandler::emitNSEC(const std::string& begin, const std::string& end, c
     nrc.d_set.insert(QType::DNSKEY);
 
   DNSResourceRecord rr;
-  rr.ttl = sd.default_ttl;
   B.lookup(QType(QType::ANY), begin);
   while(B.get(rr)) {
-    if(rr.domain_id == sd.domain_id) 
+    if(rr.domain_id == sd.domain_id && (rr.qtype.getCode() == QType::NS || rr.auth)) 
       nrc.d_set.insert(rr.qtype.getCode());    
   }
   
   nrc.d_next=end;
 
+  rr.ttl = sd.default_ttl;
+
   rr.qname=begin;
   // we can leave ttl untouched, either it is the default, or it is what we retrieved above
   rr.qtype=QType::NSEC;
@@ -455,8 +452,7 @@ void emitNSEC3(DNSBackend& B, const NSEC3PARAMRecordContent& ns3prc, const SOADa
   n3rc.d_iterations = ns3prc.d_iterations;
   n3rc.d_algorithm = 1; // SHA1, fixed in PowerDNS for now
 
-  DNSResourceRecord rr;
-  rr.ttl = sd.default_ttl;
+  DNSResourceRecord nsec3rr, rr;
   B.lookup(QType(QType::ANY), unhashed);
   while(B.get(rr)) {
     n3rc.d_set.insert(rr.qtype.getCode());    
@@ -469,6 +465,7 @@ void emitNSEC3(DNSBackend& B, const NSEC3PARAMRecordContent& ns3prc, const SOADa
   
   n3rc.d_nexthash=end;
 
+  rr.ttl = sd.default_ttl;
   rr.qname=dotConcat(toLower(toBase32Hex(begin)), sd.qname);
   
   rr.qtype=QType::NSEC3;
@@ -686,42 +683,6 @@ void PacketHandler::addNSEC(DNSPacket *p, DNSPacket *r, const string& target, co
   return;
 }
 
-bool PacketHandler::doDNSSECProcessing(DNSPacket *p, DNSPacket *r)
-{
-  if(!p->d_dnssecOk)
-    return false;
-
-  vector<DNSResourceRecord *> arrs=r->getAnswerRecords();
-  if(arrs.empty()) 
-    return false;
-  
-  DLOG(L<<"Have arrs "<<arrs.size()<<" records to sign"<<endl);
-  vector<DNSResourceRecord> crrs;
-  
-  for(vector<DNSResourceRecord *>::const_iterator i=arrs.begin();
-      i!=arrs.end();	++i) 
-    crrs.push_back(**i);
-  
-  // we now have a copy, push_back on packet might reallocate!
-  
-  for(vector<DNSResourceRecord>::const_iterator i=crrs.begin();
-      i!=crrs.end();
-      ++i) {
-    if(i->d_place!=DNSResourceRecord::ANSWER) 
-      continue;
-    
-    B.lookup(QType(QType::RRSIG),i->qname,p);  
-    DNSResourceRecord rr;
-    while(B.get(rr)) {
-      rr.d_place=DNSResourceRecord::ANSWER;
-      if(splitField(rr.content, ' ').first==i->qtype.getName())
-        r->addRecord(rr);
-    }
-  }
-  
-  return false;
-}
-
 /* Semantics:
    
 - only one backend owns the SOA of a zone
@@ -951,7 +912,8 @@ void PacketHandler::makeNXDomain(DNSPacket* p, DNSPacket* r, const std::string&
   rr.qname=sd.qname;
   rr.qtype=QType::SOA;
   rr.content=serializeSOAData(sd);
-  rr.ttl=sd.ttl;
+  rr.ttl=min(sd.ttl, sd.default_ttl);
+  rr.signttl=sd.ttl;
   rr.domain_id=sd.domain_id;
   rr.d_place=DNSResourceRecord::AUTHORITY;
   rr.auth = 1;
@@ -972,6 +934,8 @@ void PacketHandler::makeNOError(DNSPacket* p, DNSPacket* r, const std::string& t
   rr.qtype=QType::SOA;
   rr.content=serializeSOAData(sd);
   rr.ttl=sd.ttl;
+  rr.ttl=min(sd.ttl, sd.default_ttl);
+  rr.signttl=sd.ttl;
   rr.domain_id=sd.domain_id;
   rr.d_place=DNSResourceRecord::AUTHORITY;
   rr.auth = 1;
@@ -1030,16 +994,8 @@ void PacketHandler::completeANYRecords(DNSPacket *p, DNSPacket*r, SOAData& sd, c
     
   addNSECX(p, r, target, target, sd.qname, 5); 
   if(pdns_iequals(sd.qname, p->qdomain)) {
-    DNSSECKeeper::keyset_t zskset = d_dk.getKeys(p->qdomain);
-    DNSResourceRecord rr;
-    BOOST_FOREACH(DNSSECKeeper::keyset_t::value_type value, zskset) {
-      rr.qtype=QType::DNSKEY;
-      rr.ttl=sd.default_ttl;
-      rr.qname=p->qdomain;
-      rr.content=value.first.getDNSKEY().getZoneRepresentation();
-      rr.auth = true;
-      r->addRecord(rr);
-    }
+    addDNSKEY(p, r, sd);
+    addNSEC3PARAM(p, r, sd);
   }
 }
 
@@ -1208,11 +1164,16 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
     authSet.insert(sd.qname); 
 
     if(pdns_iequals(sd.qname, p->qdomain)) {
-      if(doDNSKEYRequest(p,r, sd))  
-        goto sendit;
-  
-      if(doNSEC3PARAMRequest(p,r, sd)) 
-        goto sendit;
+      if(p->qtype.getCode() == QType::DNSKEY)
+      {
+        if(addDNSKEY(p, r, sd))
+          goto sendit;
+      }
+      else if(p->qtype.getCode() == QType::NSEC3PARAM)
+      {
+        if(addNSEC3PARAM(p,r, sd))
+          goto sendit;
+      }
     }
 
     if(p->qtype.getCode() == QType::SOA && pdns_iequals(sd.qname, p->qdomain)) {
@@ -1251,6 +1212,9 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
     weDone = weRedirected = weHaveUnauth = 0;
     
     while(B.get(rr)) {
+      if (p->qtype.getCode() == QType::ANY && rr.qtype.getCode() == QType::RRSIG) // RRSIGS are added later any way.
+        continue; //TODO: this actually means addRRSig should check if the RRSig is already there.
+
       if(rr.qtype.getCode() == QType::DS)
         rr.auth = 1;
       // cerr<<"Auth: "<<rr.auth<<", "<<(rr.qtype == p->qtype)<<", "<<rr.qtype.getName()<<endl;
@@ -1353,7 +1317,6 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
       return 0;
     }
 
-    //    doDNSSECProcessing(p, r);
     editSOA(d_dk, sd.qname, r);
     
     if(p->d_dnssecOk)
diff --git a/pdns/packethandler.hh b/pdns/packethandler.hh
index c9d5f2b0e6..51b2c0966e 100644
--- a/pdns/packethandler.hh
+++ b/pdns/packethandler.hh
@@ -92,8 +92,8 @@ private:
   int findUrl(DNSPacket *p, DNSPacket *r, string &target);
   int doFancyRecords(DNSPacket *p, DNSPacket *r, string &target);
   int doVersionRequest(DNSPacket *p, DNSPacket *r, string &target);
-  int doDNSKEYRequest(DNSPacket *p, DNSPacket *r, const SOAData& sd);
-  int doNSEC3PARAMRequest(DNSPacket *p, DNSPacket *r, const SOAData& sd);
+  bool addDNSKEY(DNSPacket *p, DNSPacket *r, const SOAData& sd);
+  bool addNSEC3PARAM(DNSPacket *p, DNSPacket *r, const SOAData& sd);
   bool getAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId);
   bool getTLDAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId);
   int doAdditionalProcessingAndDropAA(DNSPacket *p, DNSPacket *r, const SOAData& sd);
diff --git a/pdns/sdig.cc b/pdns/sdig.cc
index f758656f68..34a7c1f246 100644
--- a/pdns/sdig.cc
+++ b/pdns/sdig.cc
@@ -34,9 +34,16 @@ try
   
   DNSPacketWriter pw(packet, argv[3], DNSRecordContent::TypeToNumber(argv[4]));
 
-  if(dnssec)
+  if(dnssec || getenv("SDIGBUFSIZE"))
   {
-    pw.addOpt(2800, 0, EDNSOpts::DNSSECOK);
+    char *sbuf=getenv("SDIGBUFSIZE");
+    int bufsize;
+    if(sbuf)
+      bufsize=atoi(sbuf);
+    else
+      bufsize=2800;
+
+    pw.addOpt(2800, 0, dnssec ? EDNSOpts::DNSSECOK : 0);
     pw.commit();
   }
 
@@ -79,7 +86,25 @@ try
 
   for(MOADNSParser::answers_t::const_iterator i=mdp.d_answers.begin(); i!=mdp.d_answers.end(); ++i) {          
     cout<<i->first.d_place-1<<"\t"<<i->first.d_label<<"\tIN\t"<<DNSRecordContent::NumberToType(i->first.d_type);
-    cout<<"\t"<<i->first.d_ttl<<"\t"<< i->first.d_content->getZoneRepresentation()<<"\n";
+    if(i->first.d_type == QType::RRSIG) 
+    {
+      string zoneRep = i->first.d_content->getZoneRepresentation();
+      vector<string> parts;
+      stringtok(parts, zoneRep);
+      cout<<"\t"<<i->first.d_ttl<<"\t"<< parts[0]<<" "<<parts[1]<<" "<<parts[2]<<" "<<parts[3]<<" [expiry] [inception] [keytag] "<<parts[7]<<" ...\n";
+    }
+    else if(i->first.d_type == QType::DNSKEY)
+    {
+      string zoneRep = i->first.d_content->getZoneRepresentation();
+      vector<string> parts;
+      stringtok(parts, zoneRep);
+      cout<<"\t"<<i->first.d_ttl<<"\t"<< parts[0]<<" "<<parts[1]<<" "<<parts[2]<<" ...\n";
+    }
+    else
+    {
+      cout<<"\t"<<i->first.d_ttl<<"\t"<< i->first.d_content->getZoneRepresentation()<<"\n";
+    }
+
   }
 
   EDNSOpts edo;
diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc
index 140e4b2430..b3d20723fa 100644
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
@@ -593,17 +593,18 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr<DNSPacket> q, int out
   
   DNSResourceRecord rr;
   
+  rr.qname = target;
+  rr.ttl = sd.default_ttl;
+  rr.auth = 1; // please sign!
+
   BOOST_FOREACH(const DNSSECKeeper::keyset_t::value_type& value, keys) {
-    rr.qname = target;
     rr.qtype = QType(QType::DNSKEY);
-    rr.ttl = sd.default_ttl;
-    rr.auth = 1; // please sign! 
     rr.content = value.first.getDNSKEY().getZoneRepresentation();
     string keyname = NSEC3Zone ? hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname) : labelReverse(rr.qname);
     NSECXEntry& ne = nsecxrepo[keyname];
     
     ne.d_set.insert(rr.qtype.getCode());
-    ne.d_ttl = rr.ttl;
+    ne.d_ttl = sd.default_ttl;
     csp.submit(rr);
   }
   
@@ -634,12 +635,14 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr<DNSPacket> q, int out
   dt.set();
   int records=0;
   while(sd.db->get(rr)) {
+    if (rr.qtype.getCode() == QType::RRSIG)
+      continue;
     records++;
     if(securedZone && (rr.auth || (!NSEC3Zone && rr.qtype.getCode() == QType::NS) || rr.qtype.getCode() == QType::DS)) { // this is probably NSEC specific, NSEC3 is different
       keyname = NSEC3Zone ? hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname) : labelReverse(rr.qname);
       NSECXEntry& ne = nsecxrepo[keyname];
       ne.d_set.insert(rr.qtype.getCode());
-      ne.d_ttl = rr.ttl;
+      ne.d_ttl = sd.default_ttl;
     }
     if(rr.qtype.getCode() == QType::SOA)
       continue; // skip SOA - would indicate end of AXFR
@@ -722,7 +725,6 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr<DNSPacket> q, int out
       rr.qtype = QType::NSEC;
       rr.d_place = DNSResourceRecord::ANSWER;
       rr.auth=true;
-      
       if(csp.submit(rr)) {
         for(;;) {
           outpacket->getRRS() = csp.getChunk();
diff --git a/regression-tests.nobackend/tinydns-data-check/expected_result b/regression-tests.nobackend/tinydns-data-check/expected_result
index 3dcd7874e5..84ca360b5f 100644
--- a/regression-tests.nobackend/tinydns-data-check/expected_result
+++ b/regression-tests.nobackend/tinydns-data-check/expected_result
@@ -1,7 +1,7 @@
-9235756d96b6ad0af7936419248c3ed5  ../regression-tests/example.com
-33e43585aeed4eb9af10a83c72a04d14  ../regression-tests/test.com
+b6d1c64a890e3f3ce40970724a12eb0b  ../regression-tests/example.com
+6bddbc2cb32ff88988a75f0eba563e7c  ../regression-tests/test.com
 7d726bc367bf5e6ee5f1689994c6b6d4  ../regression-tests/wtest.com
 a0670eef8fba3e16908057af8de2c2f2  ../regression-tests/dnssec-parent.com
 42dd3a56c7d268e75836371878819ec4  ../regression-tests/delegated.dnssec-parent.com
 24514dc104b22206daeb973ff9303545  ../regression-tests/minimal.com
-c37c1e26294ecf705295aa0f0d866fd6  ../modules/tinydnsbackend/data.cdb
+a27444846fa36a04bf0da82303b80cb4  ../modules/tinydnsbackend/data.cdb
diff --git a/regression-tests/any-query/command b/regression-tests/any-query/command
index b251ef1285..8422193a86 100755
--- a/regression-tests/any-query/command
+++ b/regression-tests/any-query/command
@@ -1,3 +1,3 @@
 #!/bin/sh
-cleandig example.com ANY
+SDIGBUFSIZE=32768 cleandig example.com ANY
 
diff --git a/regression-tests/any-query/expected_result b/regression-tests/any-query/expected_result
index 35494019fc..b7c8acd4cf 100644
--- a/regression-tests/any-query/expected_result
+++ b/regression-tests/any-query/expected_result
@@ -1,9 +1,9 @@
-0	example.com.	IN	DNSKEY	120	256 3 5 AwEAAarTiHhPgvD28WCN8UBXcEcf8f+OF+d/bEoN6zTuHl/oVra5/qfonhYK/RjI74RzHc2wli9TpXOWycQV3YSfpFZ9z+GB/bbsvBon1XMyNf5KXuOwRdHZXIZh1cku3AcIyNroD26MPkbFLHY0+xRI+7u7OsQ6nYcPBpqDiJnB2BMh
 0	example.com.	IN	MX	120	10 smtp-servers.example.com.
 0	example.com.	IN	MX	120	15 smtp-servers.test.com.
 0	example.com.	IN	NS	120	ns1.example.com.
 0	example.com.	IN	NS	120	ns2.example.com.
-0	example.com.	IN	SOA	120	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+0	example.com.	IN	SOA	100000	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+2	.	IN	OPT	0	
 2	ns1.example.com.	IN	A	120	192.168.1.1
 2	ns2.example.com.	IN	A	120	192.168.1.2
 2	smtp-servers.example.com.	IN	A	120	192.168.0.2
diff --git a/regression-tests/any-query/expected_result.dnssec b/regression-tests/any-query/expected_result.dnssec
index a5088133f7..0294db1935 100644
--- a/regression-tests/any-query/expected_result.dnssec
+++ b/regression-tests/any-query/expected_result.dnssec
@@ -1,8 +1,16 @@
-0	example.com.	IN	DNSKEY	120	256 3 5 AwEAAarTiHhPgvD28WCN8UBXcEcf8f+OF+d/bEoN6zTuHl/oVra5/qfonhYK/RjI74RzHc2wli9TpXOWycQV3YSfpFZ9z+GB/bbsvBon1XMyNf5KXuOwRdHZXIZh1cku3AcIyNroD26MPkbFLHY0+xRI+7u7OsQ6nYcPBpqDiJnB2BMh
+0	example.com.	IN	DNSKEY	86400	256 3 8 ...
+0	example.com.	IN	DNSKEY	86400	256 3 8 ...
+0	example.com.	IN	DNSKEY	86400	257 3 8 ...
 0	example.com.	IN	MX	120	10 smtp-servers.example.com.
 0	example.com.	IN	MX	120	15 smtp-servers.test.com.
 0	example.com.	IN	NS	120	ns1.example.com.
 0	example.com.	IN	NS	120	ns2.example.com.
-0	example.com.	IN	SOA	120	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-Rcode: 0, RD: 0, QR: 1, TC: 1, AA: 1, opcode: 0
+0	example.com.	IN	SOA	100000	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+2	.	IN	OPT	0	
+2	ns1.example.com.	IN	A	120	192.168.1.1
+2	ns2.example.com.	IN	A	120	192.168.1.2
+2	smtp-servers.example.com.	IN	A	120	192.168.0.2
+2	smtp-servers.example.com.	IN	A	120	192.168.0.3
+2	smtp-servers.example.com.	IN	A	120	192.168.0.4
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='example.com.', qtype=ANY
diff --git a/regression-tests/any-query/expected_result.narrow b/regression-tests/any-query/expected_result.narrow
index 49e3c0d754..09d8a60b08 100644
--- a/regression-tests/any-query/expected_result.narrow
+++ b/regression-tests/any-query/expected_result.narrow
@@ -1,9 +1,18 @@
-0	example.com.	IN	DNSKEY	120	256 3 5 AwEAAarTiHhPgvD28WCN8UBXcEcf8f+OF+d/bEoN6zTuHl/oVra5/qfonhYK/RjI74RzHc2wli9TpXOWycQV3YSfpFZ9z+GB/bbsvBon1XMyNf5KXuOwRdHZXIZh1cku3AcIyNroD26MPkbFLHY0+xRI+7u7OsQ6nYcPBpqDiJnB2BMh
+0	example.com.	IN	DNSKEY	86400	256 3 8 ...
+0	example.com.	IN	DNSKEY	86400	256 3 8 ...
+0	example.com.	IN	DNSKEY	86400	257 3 8 ...
 0	example.com.	IN	MX	120	10 smtp-servers.example.com.
 0	example.com.	IN	MX	120	15 smtp-servers.test.com.
 0	example.com.	IN	NS	120	ns1.example.com.
 0	example.com.	IN	NS	120	ns2.example.com.
-0	example.com.	IN	SOA	120	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-0	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	120	1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
-Rcode: 0, RD: 0, QR: 1, TC: 1, AA: 1, opcode: 0
+0	example.com.	IN	NSEC3PARAM	86400	1 0 1 abcd
+0	example.com.	IN	SOA	100000	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+0	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	86400	1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+2	.	IN	OPT	0	
+2	ns1.example.com.	IN	A	120	192.168.1.1
+2	ns2.example.com.	IN	A	120	192.168.1.2
+2	smtp-servers.example.com.	IN	A	120	192.168.0.2
+2	smtp-servers.example.com.	IN	A	120	192.168.0.3
+2	smtp-servers.example.com.	IN	A	120	192.168.0.4
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='example.com.', qtype=ANY
diff --git a/regression-tests/any-query/expected_result.nsec3 b/regression-tests/any-query/expected_result.nsec3
index 300c3aaba2..b75a964149 100644
--- a/regression-tests/any-query/expected_result.nsec3
+++ b/regression-tests/any-query/expected_result.nsec3
@@ -1,9 +1,18 @@
-0	example.com.	IN	DNSKEY	120	256 3 5 AwEAAarTiHhPgvD28WCN8UBXcEcf8f+OF+d/bEoN6zTuHl/oVra5/qfonhYK/RjI74RzHc2wli9TpXOWycQV3YSfpFZ9z+GB/bbsvBon1XMyNf5KXuOwRdHZXIZh1cku3AcIyNroD26MPkbFLHY0+xRI+7u7OsQ6nYcPBpqDiJnB2BMh
+0	example.com.	IN	DNSKEY	86400	256 3 8 ...
+0	example.com.	IN	DNSKEY	86400	256 3 8 ...
+0	example.com.	IN	DNSKEY	86400	257 3 8 ...
 0	example.com.	IN	MX	120	10 smtp-servers.example.com.
 0	example.com.	IN	MX	120	15 smtp-servers.test.com.
 0	example.com.	IN	NS	120	ns1.example.com.
 0	example.com.	IN	NS	120	ns2.example.com.
-0	example.com.	IN	SOA	120	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-0	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	120	1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
-Rcode: 0, RD: 0, QR: 1, TC: 1, AA: 1, opcode: 0
+0	example.com.	IN	NSEC3PARAM	86400	1 0 1 abcd
+0	example.com.	IN	SOA	100000	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+0	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	86400	1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+2	.	IN	OPT	0	
+2	ns1.example.com.	IN	A	120	192.168.1.1
+2	ns2.example.com.	IN	A	120	192.168.1.2
+2	smtp-servers.example.com.	IN	A	120	192.168.0.2
+2	smtp-servers.example.com.	IN	A	120	192.168.0.3
+2	smtp-servers.example.com.	IN	A	120	192.168.0.4
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='example.com.', qtype=ANY
diff --git a/regression-tests/any-wildcard-dnssec/command b/regression-tests/any-wildcard-dnssec/command
new file mode 100644
index 0000000000..3106093dc7
--- /dev/null
+++ b/regression-tests/any-wildcard-dnssec/command
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+cleandig www.something.wtest.com ANY dnssec
+
diff --git a/regression-tests/any-wildcard-dnssec/expected_result b/regression-tests/any-wildcard-dnssec/expected_result
new file mode 100644
index 0000000000..3b01499330
--- /dev/null
+++ b/regression-tests/any-wildcard-dnssec/expected_result
@@ -0,0 +1,7 @@
+0	www.something.wtest.com.	IN	A	3600	4.3.2.1
+0	www.something.wtest.com.	IN	RRSIG	3600	A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
+1	a.something.wtest.com.	IN	NSEC	86400	wtest.com. A RRSIG NSEC
+1	a.something.wtest.com.	IN	RRSIG	86400	NSEC 8 4 86400 [expiry] [inception] [keytag] wtest.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='www.something.wtest.com.', qtype=ANY
diff --git a/regression-tests/any-wildcard-dnssec/expected_result.narrow b/regression-tests/any-wildcard-dnssec/expected_result.narrow
new file mode 100644
index 0000000000..ac42409769
--- /dev/null
+++ b/regression-tests/any-wildcard-dnssec/expected_result.narrow
@@ -0,0 +1,7 @@
+0	www.something.wtest.com.	IN	A	3600	4.3.2.1
+0	www.something.wtest.com.	IN	RRSIG	3600	A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
+1	7q60llva2bt9ucubvn553q9s2pf8ho38.wtest.com.	IN	NSEC3	86400	1 1 1 abcd 7Q60LLVA2BT9UCUBVN553Q9S2PF8HO3A RRSIG
+1	7q60llva2bt9ucubvn553q9s2pf8ho38.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='www.something.wtest.com.', qtype=ANY
diff --git a/regression-tests/any-wildcard-dnssec/expected_result.nsec3 b/regression-tests/any-wildcard-dnssec/expected_result.nsec3
new file mode 100644
index 0000000000..779c6ab8ba
--- /dev/null
+++ b/regression-tests/any-wildcard-dnssec/expected_result.nsec3
@@ -0,0 +1,7 @@
+0	www.something.wtest.com.	IN	A	3600	4.3.2.1
+0	www.something.wtest.com.	IN	RRSIG	3600	A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
+1	7k2dfhl64f0ndftst8u5rr5euminddvb.wtest.com.	IN	NSEC3	86400	1 1 1 abcd 95QOQ246KN3VM7HL8KVG8O45JIHMNLNG A RRSIG
+1	7k2dfhl64f0ndftst8u5rr5euminddvb.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='www.something.wtest.com.', qtype=ANY
diff --git a/regression-tests/basic-soa-resolution/expected_result b/regression-tests/basic-soa-resolution/expected_result
index 54a0b23b89..1c424403fe 100644
--- a/regression-tests/basic-soa-resolution/expected_result
+++ b/regression-tests/basic-soa-resolution/expected_result
@@ -1,3 +1,3 @@
-0	example.com.	IN	SOA	120	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+0	example.com.	IN	SOA	100000	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='example.com.', qtype=SOA
diff --git a/regression-tests/cleandig b/regression-tests/cleandig
index bd6916631d..0789f1dd3b 100755
--- a/regression-tests/cleandig
+++ b/regression-tests/cleandig
@@ -12,3 +12,4 @@ then
 	unbound-host -v -C unbound-host.conf -t $2 $1 > $testname/unbound-host.out 2>&1
 	echo RETVAL: $? >> $testname/unbound-host.out
 fi
+grep -i bogus $testname/*.out
diff --git a/regression-tests/cname-but-no-correct-type/expected_result b/regression-tests/cname-but-no-correct-type/expected_result
index 85596ccece..39b513b852 100644
--- a/regression-tests/cname-but-no-correct-type/expected_result
+++ b/regression-tests/cname-but-no-correct-type/expected_result
@@ -1,4 +1,4 @@
 0	www.example.com.	IN	CNAME	120	outpost.example.com.
-1	example.com.	IN	SOA	120	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='www.example.com.', qtype=AAAA
diff --git a/regression-tests/ds-at-unsecure-delegation/command b/regression-tests/ds-at-unsecure-delegation/command
index cf92f42387..8eee2898cb 100755
--- a/regression-tests/ds-at-unsecure-delegation/command
+++ b/regression-tests/ds-at-unsecure-delegation/command
@@ -1,2 +1,2 @@
 #!/bin/sh
-cleandig usa.example.com DS dnssec | egrep 'IN[[:space:]]+NSEC'
+cleandig usa.example.com DS dnssec
diff --git a/regression-tests/ds-at-unsecure-delegation/expected_result b/regression-tests/ds-at-unsecure-delegation/expected_result
index 4efa69a4fc..13ff285d63 100644
--- a/regression-tests/ds-at-unsecure-delegation/expected_result
+++ b/regression-tests/ds-at-unsecure-delegation/expected_result
@@ -1 +1,7 @@
-1	usa.example.com.	IN	NSEC	120	www.example.com. NS RRSIG NSEC
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	usa.example.com.	IN	NSEC	86400	www.example.com. NS RRSIG NSEC
+1	usa.example.com.	IN	RRSIG	86400	NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='usa.example.com.', qtype=DS
diff --git a/regression-tests/ds-at-unsecure-delegation/expected_result.narrow b/regression-tests/ds-at-unsecure-delegation/expected_result.narrow
index b298af0c50..addd099613 100644
--- a/regression-tests/ds-at-unsecure-delegation/expected_result.narrow
+++ b/regression-tests/ds-at-unsecure-delegation/expected_result.narrow
@@ -1,2 +1,9 @@
-1	t67rqvqprigd7rtb5fah6c3o7g9th3iv.example.com.	IN	NSEC3	120	1 1 1 abcd T67RQVQPRIGD7RTB5FAH6C3O7G9TH3J1 NS RRSIG
-1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	120	1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	t67rqvqprigd7rtb5fah6c3o7g9th3iv.example.com.	IN	NSEC3	86400	1 1 1 abcd T67RQVQPRIGD7RTB5FAH6C3O7G9TH3J1 NS RRSIG
+1	t67rqvqprigd7rtb5fah6c3o7g9th3iv.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	86400	1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='usa.example.com.', qtype=DS
diff --git a/regression-tests/ds-at-unsecure-delegation/expected_result.nsec3 b/regression-tests/ds-at-unsecure-delegation/expected_result.nsec3
index 9b0397ac9d..6805539d8d 100644
--- a/regression-tests/ds-at-unsecure-delegation/expected_result.nsec3
+++ b/regression-tests/ds-at-unsecure-delegation/expected_result.nsec3
@@ -1,2 +1,9 @@
-1	t66sektb7egvs7s57m1qged4h6809g8s.example.com.	IN	NSEC3	120	1 1 1 abcd T6A44A7N1B90T5RIS4IBQKT51MMDL0LO A RRSIG
-1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	120	1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	t66sektb7egvs7s57m1qged4h6809g8s.example.com.	IN	NSEC3	86400	1 1 1 abcd T6A44A7N1B90T5RIS4IBQKT51MMDL0LO A RRSIG
+1	t66sektb7egvs7s57m1qged4h6809g8s.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	86400	1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='usa.example.com.', qtype=DS
diff --git a/regression-tests/ds-at-unsecure-zone-cut/command b/regression-tests/ds-at-unsecure-zone-cut/command
index 2523f9b50c..41c2cbd44b 100755
--- a/regression-tests/ds-at-unsecure-zone-cut/command
+++ b/regression-tests/ds-at-unsecure-zone-cut/command
@@ -1,3 +1,3 @@
 #!/bin/sh
-cleandig delegated.dnssec-parent.com DS dnssec | egrep 'IN[[:space:]]+NSEC'
+cleandig delegated.dnssec-parent.com DS dnssec
 
diff --git a/regression-tests/ds-at-unsecure-zone-cut/expected_result b/regression-tests/ds-at-unsecure-zone-cut/expected_result
index c95077d876..42a8352647 100644
--- a/regression-tests/ds-at-unsecure-zone-cut/expected_result
+++ b/regression-tests/ds-at-unsecure-zone-cut/expected_result
@@ -1 +1,7 @@
-1	delegated.dnssec-parent.com.	IN	NSEC	3600	ns1.dnssec-parent.com. NS RRSIG NSEC
+1	delegated.dnssec-parent.com.	IN	NSEC	86400	ns1.dnssec-parent.com. NS RRSIG NSEC
+1	delegated.dnssec-parent.com.	IN	RRSIG	86400	NSEC 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
+1	dnssec-parent.com.	IN	RRSIG	3600	SOA 8 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+1	dnssec-parent.com.	IN	SOA	3600	ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='delegated.dnssec-parent.com.', qtype=DS
diff --git a/regression-tests/ds-at-unsecure-zone-cut/expected_result.narrow b/regression-tests/ds-at-unsecure-zone-cut/expected_result.narrow
index ebef2be51c..f1f8edd9b6 100644
--- a/regression-tests/ds-at-unsecure-zone-cut/expected_result.narrow
+++ b/regression-tests/ds-at-unsecure-zone-cut/expected_result.narrow
@@ -1,2 +1,9 @@
-1	be6iqh4fjrtdhacqk7g3iq96qcvf2qoi.dnssec-parent.com.	IN	NSEC3	3600	1 1 1 abcd BE6IQH4FJRTDHACQK7G3IQ96QCVF2QOK A NS SOA RRSIG
-1	dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com.	IN	NSEC3	3600	1 1 1 abcd DVKUO8KJA65GCSQ600E6DI9U719LSJ8V A NS SOA RRSIG DNSKEY NSEC3PARAM
+1	be6iqh4fjrtdhacqk7g3iq96qcvf2qoi.dnssec-parent.com.	IN	NSEC3	86400	1 1 1 abcd BE6IQH4FJRTDHACQK7G3IQ96QCVF2QOK A NS SOA RRSIG
+1	be6iqh4fjrtdhacqk7g3iq96qcvf2qoi.dnssec-parent.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
+1	dnssec-parent.com.	IN	RRSIG	3600	SOA 8 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+1	dnssec-parent.com.	IN	SOA	3600	ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
+1	dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com.	IN	NSEC3	86400	1 1 1 abcd DVKUO8KJA65GCSQ600E6DI9U719LSJ8V A NS SOA RRSIG DNSKEY NSEC3PARAM
+1	dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='delegated.dnssec-parent.com.', qtype=DS
diff --git a/regression-tests/ds-at-unsecure-zone-cut/expected_result.nsec3 b/regression-tests/ds-at-unsecure-zone-cut/expected_result.nsec3
index 1fe1947b92..78bf312329 100644
--- a/regression-tests/ds-at-unsecure-zone-cut/expected_result.nsec3
+++ b/regression-tests/ds-at-unsecure-zone-cut/expected_result.nsec3
@@ -1,2 +1,9 @@
-1	29ceqcf4ekgl2gr9i0vjjtk62h5lqs40.dnssec-parent.com.	IN	NSEC3	3600	1 1 1 abcd DVKUO8KJA65GCSQ600E6DI9U719LSJ8U A RRSIG
-1	dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com.	IN	NSEC3	3600	1 1 1 abcd 1SCAQA30LQ0DO5EIRNE4KPJFBEBFGR54 A NS SOA RRSIG DNSKEY NSEC3PARAM
+1	29ceqcf4ekgl2gr9i0vjjtk62h5lqs40.dnssec-parent.com.	IN	NSEC3	86400	1 1 1 abcd DVKUO8KJA65GCSQ600E6DI9U719LSJ8U A RRSIG
+1	29ceqcf4ekgl2gr9i0vjjtk62h5lqs40.dnssec-parent.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
+1	dnssec-parent.com.	IN	RRSIG	3600	SOA 8 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+1	dnssec-parent.com.	IN	SOA	3600	ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
+1	dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com.	IN	NSEC3	86400	1 1 1 abcd 1SCAQA30LQ0DO5EIRNE4KPJFBEBFGR54 A NS SOA RRSIG DNSKEY NSEC3PARAM
+1	dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='delegated.dnssec-parent.com.', qtype=DS
diff --git a/regression-tests/ds-inside-delegation/expected_result.dnssec b/regression-tests/ds-inside-delegation/expected_result.dnssec
index ffe373a206..5e39b33a1e 100644
--- a/regression-tests/ds-inside-delegation/expected_result.dnssec
+++ b/regression-tests/ds-inside-delegation/expected_result.dnssec
@@ -1,6 +1,6 @@
 1	usa.example.com.	IN	NS	120	usa-ns1.usa.example.com.
 1	usa.example.com.	IN	NS	120	usa-ns2.usa.example.com.
-1	usa.example.com.	IN	NSEC	120	www.example.com. NS RRSIG NSEC
+1	usa.example.com.	IN	NSEC	86400	www.example.com. NS RRSIG NSEC
 2	.	IN	OPT	32768	
 2	usa-ns1.usa.example.com.	IN	A	120	192.168.4.1
 2	usa-ns2.usa.example.com.	IN	A	120	192.168.4.2
diff --git a/regression-tests/ds-inside-delegation/expected_result.narrow b/regression-tests/ds-inside-delegation/expected_result.narrow
index 4c1fb8f68e..9f62772b37 100644
--- a/regression-tests/ds-inside-delegation/expected_result.narrow
+++ b/regression-tests/ds-inside-delegation/expected_result.narrow
@@ -1,7 +1,7 @@
-1	t67rqvqprigd7rtb5fah6c3o7g9th3iv.example.com.	IN	NSEC3	120	1 1 1 abcd T67RQVQPRIGD7RTB5FAH6C3O7G9TH3J1 NS RRSIG
+1	t67rqvqprigd7rtb5fah6c3o7g9th3iv.example.com.	IN	NSEC3	86400	1 1 1 abcd T67RQVQPRIGD7RTB5FAH6C3O7G9TH3J1 NS RRSIG
 1	usa.example.com.	IN	NS	120	usa-ns1.usa.example.com.
 1	usa.example.com.	IN	NS	120	usa-ns2.usa.example.com.
-1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	120	1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	86400	1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
 2	.	IN	OPT	32768	
 2	usa-ns1.usa.example.com.	IN	A	120	192.168.4.1
 2	usa-ns2.usa.example.com.	IN	A	120	192.168.4.2
diff --git a/regression-tests/ds-inside-delegation/expected_result.nsec3 b/regression-tests/ds-inside-delegation/expected_result.nsec3
index d62c2f1fe0..2afc10d8d9 100644
--- a/regression-tests/ds-inside-delegation/expected_result.nsec3
+++ b/regression-tests/ds-inside-delegation/expected_result.nsec3
@@ -1,7 +1,7 @@
-1	t66sektb7egvs7s57m1qged4h6809g8s.example.com.	IN	NSEC3	120	1 1 1 abcd T6A44A7N1B90T5RIS4IBQKT51MMDL0LO A RRSIG
+1	t66sektb7egvs7s57m1qged4h6809g8s.example.com.	IN	NSEC3	86400	1 1 1 abcd T6A44A7N1B90T5RIS4IBQKT51MMDL0LO A RRSIG
 1	usa.example.com.	IN	NS	120	usa-ns1.usa.example.com.
 1	usa.example.com.	IN	NS	120	usa-ns2.usa.example.com.
-1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	120	1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	86400	1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
 2	.	IN	OPT	32768	
 2	usa-ns1.usa.example.com.	IN	A	120	192.168.4.1
 2	usa-ns2.usa.example.com.	IN	A	120	192.168.4.2
diff --git a/regression-tests/example.com b/regression-tests/example.com
index 62f804371c..cb0ea7e530 100644
--- a/regression-tests/example.com
+++ b/regression-tests/example.com
@@ -1,6 +1,6 @@
 $TTL 120
 $ORIGIN example.com.
-@		IN	SOA	ns1.example.com.	ahu.example.com. (
+@	100000	IN	SOA	ns1.example.com.	ahu.example.com. (
 			2000081501
 			8H ; refresh
 			2H ; retry
@@ -12,7 +12,7 @@ $ORIGIN example.com.
 @			IN	NS	ns2.example.com.
 @			IN	MX	10	smtp-servers.example.com.
 @			IN	MX	15	smtp-servers.test.com.
-@			IN	DNSKEY  256 3 5 AwEAAarTiHhPgvD28WCN8UBXcEcf8f+OF+d/bEoN6zTuHl/oVra5/qfonhYK/RjI74RzHc2wli9TpXOWycQV3YSfpFZ9z+GB/bbsvBon1XMyNf5KXuOwRdHZXIZh1cku3AcIyNroD26MPkbFLHY0+xRI+7u7OsQ6nYcPBpqDiJnB2BMh
+;@			IN	DNSKEY  256 3 5 AwEAAarTiHhPgvD28WCN8UBXcEcf8f+OF+d/bEoN6zTuHl/oVra5/qfonhYK/RjI74RzHc2wli9TpXOWycQV3YSfpFZ9z+GB/bbsvBon1XMyNf5KXuOwRdHZXIZh1cku3AcIyNroD26MPkbFLHY0+xRI+7u7OsQ6nYcPBpqDiJnB2BMh
 ;
 ns1			IN	A	192.168.1.1
 ns2			IN	A	192.168.1.2
diff --git a/regression-tests/five-levels-wildcard-one-below-apex/command b/regression-tests/five-levels-wildcard-one-below-apex/command
index a6030fdcd7..9d1606d1f1 100755
--- a/regression-tests/five-levels-wildcard-one-below-apex/command
+++ b/regression-tests/five-levels-wildcard-one-below-apex/command
@@ -1,2 +1,2 @@
 #!/bin/sh
-cleandig www.a.b.c.d.e.something.wtest.com A dnssec | egrep 'IN[[:space:]]+NSEC'
+cleandig www.a.b.c.d.e.something.wtest.com A dnssec
diff --git a/regression-tests/five-levels-wildcard-one-below-apex/expected_result b/regression-tests/five-levels-wildcard-one-below-apex/expected_result
index cbcb94c674..f2dc0d28cb 100644
--- a/regression-tests/five-levels-wildcard-one-below-apex/expected_result
+++ b/regression-tests/five-levels-wildcard-one-below-apex/expected_result
@@ -1 +1,7 @@
-1	a.something.wtest.com.	IN	NSEC	3600	wtest.com. A RRSIG NSEC
+0	www.a.b.c.d.e.something.wtest.com.	IN	A	3600	4.3.2.1
+0	www.a.b.c.d.e.something.wtest.com.	IN	RRSIG	3600	A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
+1	a.something.wtest.com.	IN	NSEC	86400	wtest.com. A RRSIG NSEC
+1	a.something.wtest.com.	IN	RRSIG	86400	NSEC 8 4 86400 [expiry] [inception] [keytag] wtest.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='www.a.b.c.d.e.something.wtest.com.', qtype=A
diff --git a/regression-tests/five-levels-wildcard-one-below-apex/expected_result.narrow b/regression-tests/five-levels-wildcard-one-below-apex/expected_result.narrow
index 23f649bd9e..a3a2083fc7 100644
--- a/regression-tests/five-levels-wildcard-one-below-apex/expected_result.narrow
+++ b/regression-tests/five-levels-wildcard-one-below-apex/expected_result.narrow
@@ -1 +1,7 @@
+0	www.a.b.c.d.e.something.wtest.com.	IN	A	3600	4.3.2.1
+0	www.a.b.c.d.e.something.wtest.com.	IN	RRSIG	3600	A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
 1	pqgjjrj5si55uc1208gt1hp1k217fhqu.wtest.com.	IN	NSEC3	86400	1 1 1 abcd PQGJJRJ5SI55UC1208GT1HP1K217FHR0 RRSIG
+1	pqgjjrj5si55uc1208gt1hp1k217fhqu.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='www.a.b.c.d.e.something.wtest.com.', qtype=A
diff --git a/regression-tests/five-levels-wildcard-one-below-apex/expected_result.nsec3 b/regression-tests/five-levels-wildcard-one-below-apex/expected_result.nsec3
index f5e0f61496..8407a981ba 100644
--- a/regression-tests/five-levels-wildcard-one-below-apex/expected_result.nsec3
+++ b/regression-tests/five-levels-wildcard-one-below-apex/expected_result.nsec3
@@ -1 +1,7 @@
-1	pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.	IN	NSEC3	3600	1 1 1 abcd SHEGK154N8362AG22AR9VDDRF3127M6I A RRSIG
+0	www.a.b.c.d.e.something.wtest.com.	IN	A	3600	4.3.2.1
+0	www.a.b.c.d.e.something.wtest.com.	IN	RRSIG	3600	A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
+1	pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.	IN	NSEC3	86400	1 1 1 abcd SHEGK154N8362AG22AR9VDDRF3127M6I A RRSIG
+1	pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='www.a.b.c.d.e.something.wtest.com.', qtype=A
diff --git a/regression-tests/five-levels-wildcard/command b/regression-tests/five-levels-wildcard/command
index 5037adfd73..8335364fcc 100755
--- a/regression-tests/five-levels-wildcard/command
+++ b/regression-tests/five-levels-wildcard/command
@@ -1,2 +1,2 @@
 #!/bin/sh
-cleandig www.a.b.c.d.e.wtest.com A dnssec | egrep 'IN[[:space:]]+NSEC'
+cleandig www.a.b.c.d.e.wtest.com A dnssec
diff --git a/regression-tests/five-levels-wildcard/expected_result b/regression-tests/five-levels-wildcard/expected_result
index 27b688b5ea..9d5a4fe24d 100644
--- a/regression-tests/five-levels-wildcard/expected_result
+++ b/regression-tests/five-levels-wildcard/expected_result
@@ -1 +1,7 @@
-1	*.a.b.c.d.e.wtest.com.	IN	NSEC	3600	secure.wtest.com. A RRSIG NSEC
+0	www.a.b.c.d.e.wtest.com.	IN	A	3600	6.7.8.9
+0	www.a.b.c.d.e.wtest.com.	IN	RRSIG	3600	A 8 7 3600 [expiry] [inception] [keytag] wtest.com. ...
+1	*.a.b.c.d.e.wtest.com.	IN	NSEC	86400	secure.wtest.com. A RRSIG NSEC
+1	*.a.b.c.d.e.wtest.com.	IN	RRSIG	86400	NSEC 8 7 86400 [expiry] [inception] [keytag] wtest.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='www.a.b.c.d.e.wtest.com.', qtype=A
diff --git a/regression-tests/five-levels-wildcard/expected_result.narrow b/regression-tests/five-levels-wildcard/expected_result.narrow
index 7bc473d215..42a06912ec 100644
--- a/regression-tests/five-levels-wildcard/expected_result.narrow
+++ b/regression-tests/five-levels-wildcard/expected_result.narrow
@@ -1 +1,7 @@
+0	www.a.b.c.d.e.wtest.com.	IN	A	3600	6.7.8.9
+0	www.a.b.c.d.e.wtest.com.	IN	RRSIG	3600	A 8 7 3600 [expiry] [inception] [keytag] wtest.com. ...
 1	pet5iqbgccga60p2n38nmuanrk50papg.wtest.com.	IN	NSEC3	86400	1 1 1 abcd PET5IQBGCCGA60P2N38NMUANRK50PAPI RRSIG
+1	pet5iqbgccga60p2n38nmuanrk50papg.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='www.a.b.c.d.e.wtest.com.', qtype=A
diff --git a/regression-tests/five-levels-wildcard/expected_result.nsec3 b/regression-tests/five-levels-wildcard/expected_result.nsec3
index f5e0f61496..56bc239fab 100644
--- a/regression-tests/five-levels-wildcard/expected_result.nsec3
+++ b/regression-tests/five-levels-wildcard/expected_result.nsec3
@@ -1 +1,7 @@
-1	pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.	IN	NSEC3	3600	1 1 1 abcd SHEGK154N8362AG22AR9VDDRF3127M6I A RRSIG
+0	www.a.b.c.d.e.wtest.com.	IN	A	3600	6.7.8.9
+0	www.a.b.c.d.e.wtest.com.	IN	RRSIG	3600	A 8 7 3600 [expiry] [inception] [keytag] wtest.com. ...
+1	pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.	IN	NSEC3	86400	1 1 1 abcd SHEGK154N8362AG22AR9VDDRF3127M6I A RRSIG
+1	pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='www.a.b.c.d.e.wtest.com.', qtype=A
diff --git a/regression-tests/minimal-noerror/expected_result b/regression-tests/minimal-noerror/expected_result
index b6b65ba3ed..5dd9d1226e 100644
--- a/regression-tests/minimal-noerror/expected_result
+++ b/regression-tests/minimal-noerror/expected_result
@@ -1 +1 @@
-1	minimal.com.	IN	NSEC	120	minimal.com. NS SOA RRSIG NSEC DNSKEY
+1	minimal.com.	IN	NSEC	86400	minimal.com. NS SOA RRSIG NSEC DNSKEY
diff --git a/regression-tests/minimal-noerror/expected_result.narrow b/regression-tests/minimal-noerror/expected_result.narrow
index ab9bcf73b1..c7c4ef9ecf 100644
--- a/regression-tests/minimal-noerror/expected_result.narrow
+++ b/regression-tests/minimal-noerror/expected_result.narrow
@@ -1 +1 @@
-1	09lo11rs63u9b3d538a86ijvqcqt9312.minimal.com.	IN	NSEC3	120	1 1 1 abcd 09LO11RS63U9B3D538A86IJVQCQT9313 NS SOA RRSIG DNSKEY NSEC3PARAM
+1	09lo11rs63u9b3d538a86ijvqcqt9312.minimal.com.	IN	NSEC3	86400	1 1 1 abcd 09LO11RS63U9B3D538A86IJVQCQT9313 NS SOA RRSIG DNSKEY NSEC3PARAM
diff --git a/regression-tests/minimal-noerror/expected_result.nsec3 b/regression-tests/minimal-noerror/expected_result.nsec3
index d00f89355b..d885980b1c 100644
--- a/regression-tests/minimal-noerror/expected_result.nsec3
+++ b/regression-tests/minimal-noerror/expected_result.nsec3
@@ -1 +1 @@
-1	09lo11rs63u9b3d538a86ijvqcqt9312.minimal.com.	IN	NSEC3	120	1 1 1 abcd 09LO11RS63U9B3D538A86IJVQCQT9312 NS SOA RRSIG DNSKEY NSEC3PARAM
+1	09lo11rs63u9b3d538a86ijvqcqt9312.minimal.com.	IN	NSEC3	86400	1 1 1 abcd 09LO11RS63U9B3D538A86IJVQCQT9312 NS SOA RRSIG DNSKEY NSEC3PARAM
diff --git a/regression-tests/minimal-nxdomain/expected_result b/regression-tests/minimal-nxdomain/expected_result
index b6b65ba3ed..5dd9d1226e 100644
--- a/regression-tests/minimal-nxdomain/expected_result
+++ b/regression-tests/minimal-nxdomain/expected_result
@@ -1 +1 @@
-1	minimal.com.	IN	NSEC	120	minimal.com. NS SOA RRSIG NSEC DNSKEY
+1	minimal.com.	IN	NSEC	86400	minimal.com. NS SOA RRSIG NSEC DNSKEY
diff --git a/regression-tests/minimal-nxdomain/expected_result.narrow b/regression-tests/minimal-nxdomain/expected_result.narrow
index fd35b6446d..f0c15c31da 100644
--- a/regression-tests/minimal-nxdomain/expected_result.narrow
+++ b/regression-tests/minimal-nxdomain/expected_result.narrow
@@ -1,3 +1,3 @@
-1	09lo11rs63u9b3d538a86ijvqcqt9312.minimal.com.	IN	NSEC3	120	1 1 1 abcd 09LO11RS63U9B3D538A86IJVQCQT9313 NS SOA RRSIG DNSKEY NSEC3PARAM
+1	09lo11rs63u9b3d538a86ijvqcqt9312.minimal.com.	IN	NSEC3	86400	1 1 1 abcd 09LO11RS63U9B3D538A86IJVQCQT9313 NS SOA RRSIG DNSKEY NSEC3PARAM
 1	8hki26qt36v6qs8cll4e4nvjit38uhap.minimal.com.	IN	NSEC3	86400	1 1 1 abcd 8HKI26QT36V6QS8CLL4E4NVJIT38UHAR RRSIG
 1	9oadfe8c55evko75kb06spdl23p4fmrh.minimal.com.	IN	NSEC3	86400	1 1 1 abcd 9OADFE8C55EVKO75KB06SPDL23P4FMRJ RRSIG
diff --git a/regression-tests/minimal-nxdomain/expected_result.nsec3 b/regression-tests/minimal-nxdomain/expected_result.nsec3
index d00f89355b..d885980b1c 100644
--- a/regression-tests/minimal-nxdomain/expected_result.nsec3
+++ b/regression-tests/minimal-nxdomain/expected_result.nsec3
@@ -1 +1 @@
-1	09lo11rs63u9b3d538a86ijvqcqt9312.minimal.com.	IN	NSEC3	120	1 1 1 abcd 09LO11RS63U9B3D538A86IJVQCQT9312 NS SOA RRSIG DNSKEY NSEC3PARAM
+1	09lo11rs63u9b3d538a86ijvqcqt9312.minimal.com.	IN	NSEC3	86400	1 1 1 abcd 09LO11RS63U9B3D538A86IJVQCQT9312 NS SOA RRSIG DNSKEY NSEC3PARAM
diff --git a/regression-tests/non-existing-record-other-types-exist-ns/expected_result b/regression-tests/non-existing-record-other-types-exist-ns/expected_result
index c9f9226dd2..a5cc1924da 100644
--- a/regression-tests/non-existing-record-other-types-exist-ns/expected_result
+++ b/regression-tests/non-existing-record-other-types-exist-ns/expected_result
@@ -1,3 +1,3 @@
-1	example.com.	IN	SOA	120	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='ns1.example.com.', qtype=AAAA
diff --git a/regression-tests/non-existing-record-other-types-exist/expected_result b/regression-tests/non-existing-record-other-types-exist/expected_result
index f0bbc3b503..a9aaa10ac7 100644
--- a/regression-tests/non-existing-record-other-types-exist/expected_result
+++ b/regression-tests/non-existing-record-other-types-exist/expected_result
@@ -1,3 +1,3 @@
-1	example.com.	IN	SOA	120	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='outpost.example.com.', qtype=AAAA
diff --git a/regression-tests/ns-with-identical-glue/expected_result b/regression-tests/ns-with-identical-glue/expected_result
index 292dedd68e..ea2775438c 100644
--- a/regression-tests/ns-with-identical-glue/expected_result
+++ b/regression-tests/ns-with-identical-glue/expected_result
@@ -1,4 +1,4 @@
 1	blah.test.com.	IN	NS	3600	blah.test.com.
-2	blah.test.com.	IN	A	3600	9.9.9.9
+2	blah.test.com.	IN	A	3600	192.168.6.1
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
 Reply to question for qname='blah.test.com.', qtype=MX
diff --git a/regression-tests/nsec-bitmap/command b/regression-tests/nsec-bitmap/command
index 312d4fcdd9..9190ecc7ce 100755
--- a/regression-tests/nsec-bitmap/command
+++ b/regression-tests/nsec-bitmap/command
@@ -1,2 +1,2 @@
 #!/bin/sh
-cleandig hightype.example.com NSEC dnssec | egrep 'IN[[:space:]]+NSEC'
+cleandig hightype.example.com NSEC dnssec
diff --git a/regression-tests/nsec-bitmap/expected_result b/regression-tests/nsec-bitmap/expected_result
index 992d779aa7..5780b6994c 100644
--- a/regression-tests/nsec-bitmap/expected_result
+++ b/regression-tests/nsec-bitmap/expected_result
@@ -1 +1,5 @@
-0	hightype.example.com.	IN	NSEC	120	host-0.example.com. A RRSIG NSEC TYPE65534
+0	hightype.example.com.	IN	NSEC	86400	host-0.example.com. A RRSIG NSEC TYPE65534
+0	hightype.example.com.	IN	RRSIG	86400	NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='hightype.example.com.', qtype=NSEC
diff --git a/regression-tests/nsec-bitmap/expected_result.narrow b/regression-tests/nsec-bitmap/expected_result.narrow
index f7bc732379..d0460525a8 100644
--- a/regression-tests/nsec-bitmap/expected_result.narrow
+++ b/regression-tests/nsec-bitmap/expected_result.narrow
@@ -1 +1,7 @@
-1	3v4it454kfh142bi7afagnuvigrpfptt.example.com.	IN	NSEC3	120	1 1 1 abcd 3V4IT454KFH142BI7AFAGNUVIGRPFPTU A RRSIG TYPE65534
+1	3v4it454kfh142bi7afagnuvigrpfptt.example.com.	IN	NSEC3	86400	1 1 1 abcd 3V4IT454KFH142BI7AFAGNUVIGRPFPTU A RRSIG TYPE65534
+1	3v4it454kfh142bi7afagnuvigrpfptt.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='hightype.example.com.', qtype=NSEC
diff --git a/regression-tests/nsec-bitmap/expected_result.nsec3 b/regression-tests/nsec-bitmap/expected_result.nsec3
index bd037df215..5bc4f6c20e 100644
--- a/regression-tests/nsec-bitmap/expected_result.nsec3
+++ b/regression-tests/nsec-bitmap/expected_result.nsec3
@@ -1 +1,7 @@
-1	3v4it454kfh142bi7afagnuvigrpfptt.example.com.	IN	NSEC3	120	1 1 1 abcd 3V4S43RV1GT28N0F2PPJ8I8482ESMUOB A RRSIG TYPE65534
+1	3v4it454kfh142bi7afagnuvigrpfptt.example.com.	IN	NSEC3	86400	1 1 1 abcd 3V4S43RV1GT28N0F2PPJ8I8482ESMUOB A RRSIG TYPE65534
+1	3v4it454kfh142bi7afagnuvigrpfptt.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='hightype.example.com.', qtype=NSEC
diff --git a/regression-tests/nsec-glue-at-delegation/command b/regression-tests/nsec-glue-at-delegation/command
new file mode 100644
index 0000000000..b705a0b595
--- /dev/null
+++ b/regression-tests/nsec-glue-at-delegation/command
@@ -0,0 +1,2 @@
+#!/bin/sh
+cleandig blah.test.com MX dnssec
diff --git a/regression-tests/nsec-glue-at-delegation/expected_result b/regression-tests/nsec-glue-at-delegation/expected_result
new file mode 100644
index 0000000000..6a223b6de6
--- /dev/null
+++ b/regression-tests/nsec-glue-at-delegation/expected_result
@@ -0,0 +1,7 @@
+1	blah.test.com.	IN	NS	3600	blah.test.com.
+1	blah.test.com.	IN	NSEC	86400	counter.test.com. NS RRSIG NSEC
+1	blah.test.com.	IN	RRSIG	86400	NSEC 8 3 86400 [expiry] [inception] [keytag] test.com. ...
+2	.	IN	OPT	32768	
+2	blah.test.com.	IN	A	3600	192.168.6.1
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
+Reply to question for qname='blah.test.com.', qtype=MX
diff --git a/regression-tests/nsec-glue-at-delegation/expected_result.narrow b/regression-tests/nsec-glue-at-delegation/expected_result.narrow
new file mode 100644
index 0000000000..88e1d7f564
--- /dev/null
+++ b/regression-tests/nsec-glue-at-delegation/expected_result.narrow
@@ -0,0 +1,9 @@
+1	2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com.	IN	NSEC3	86400	1 1 1 abcd 2EU2GULBU53H9UVHFALSHPBO2A83T6L3 NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
+1	blah.test.com.	IN	NS	3600	blah.test.com.
+1	s96h2qicbt8d9i5aa43kp8sjjresq4ka.test.com.	IN	NSEC3	86400	1 1 1 abcd S96H2QICBT8D9I5AA43KP8SJJRESQ4KC A NS RRSIG
+1	s96h2qicbt8d9i5aa43kp8sjjresq4ka.test.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
+2	.	IN	OPT	32768	
+2	blah.test.com.	IN	A	3600	192.168.6.1
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
+Reply to question for qname='blah.test.com.', qtype=MX
diff --git a/regression-tests/nsec-glue-at-delegation/expected_result.nsec3 b/regression-tests/nsec-glue-at-delegation/expected_result.nsec3
new file mode 100644
index 0000000000..81624823bd
--- /dev/null
+++ b/regression-tests/nsec-glue-at-delegation/expected_result.nsec3
@@ -0,0 +1,9 @@
+1	2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com.	IN	NSEC3	86400	1 1 1 abcd 88F1BQRB2ISCVFEL2SQQCKSVFLNEKAP6 NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
+1	blah.test.com.	IN	NS	3600	blah.test.com.
+1	qd81ag9inqts1ocs7api0pji94k27btr.test.com.	IN	NSEC3	86400	1 1 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA CNAME RRSIG
+1	qd81ag9inqts1ocs7api0pji94k27btr.test.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
+2	.	IN	OPT	32768	
+2	blah.test.com.	IN	A	3600	192.168.6.1
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
+Reply to question for qname='blah.test.com.', qtype=MX
diff --git a/regression-tests/nsec-glue/command b/regression-tests/nsec-glue/command
index f4266c454d..f976759df6 100755
--- a/regression-tests/nsec-glue/command
+++ b/regression-tests/nsec-glue/command
@@ -1,3 +1,3 @@
 #!/bin/sh
-cleandig usazzz.example.com A dnssec | egrep 'IN[[:space:]]+NSEC'
+cleandig usazzz.example.com A dnssec
 
diff --git a/regression-tests/nsec-glue/expected_result b/regression-tests/nsec-glue/expected_result
index 12fcd1420d..21a68a262b 100644
--- a/regression-tests/nsec-glue/expected_result
+++ b/regression-tests/nsec-glue/expected_result
@@ -1,2 +1,9 @@
-1	example.com.	IN	NSEC	120	escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
-1	usa.example.com.	IN	NSEC	120	www.example.com. NS RRSIG NSEC
+1	example.com.	IN	NSEC	86400	escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1	example.com.	IN	RRSIG	86400	NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	usa.example.com.	IN	NSEC	86400	www.example.com. NS RRSIG NSEC
+1	usa.example.com.	IN	RRSIG	86400	NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='usazzz.example.com.', qtype=A
diff --git a/regression-tests/nsec-glue/expected_result.narrow b/regression-tests/nsec-glue/expected_result.narrow
index f47c66a9c1..6a1c2d557f 100644
--- a/regression-tests/nsec-glue/expected_result.narrow
+++ b/regression-tests/nsec-glue/expected_result.narrow
@@ -1,3 +1,11 @@
 1	9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.	IN	NSEC3	86400	1 1 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2 RRSIG
+1	9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
 1	kt3ll2fgp7p2s71mk7frk5igi8pc8gl1.example.com.	IN	NSEC3	86400	1 1 1 abcd KT3LL2FGP7P2S71MK7FRK5IGI8PC8GL3 RRSIG
-1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	120	1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	kt3ll2fgp7p2s71mk7frk5igi8pc8gl1.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	86400	1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='usazzz.example.com.', qtype=A
diff --git a/regression-tests/nsec-glue/expected_result.nsec3 b/regression-tests/nsec-glue/expected_result.nsec3
index 95b042ccc3..3fd9649f9e 100644
--- a/regression-tests/nsec-glue/expected_result.nsec3
+++ b/regression-tests/nsec-glue/expected_result.nsec3
@@ -1,3 +1,11 @@
-1	9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.	IN	NSEC3	120	1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
-1	kt0pu1qu9of4ek09a6amheu1l4c4dq6b.example.com.	IN	NSEC3	120	1 1 1 abcd KT832M4L92B5MCUCJI8QJF16MM2DU3MK A RRSIG
-1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	120	1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.	IN	NSEC3	86400	1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
+1	9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	kt0pu1qu9of4ek09a6amheu1l4c4dq6b.example.com.	IN	NSEC3	86400	1 1 1 abcd KT832M4L92B5MCUCJI8QJF16MM2DU3MK A RRSIG
+1	kt0pu1qu9of4ek09a6amheu1l4c4dq6b.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	86400	1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='usazzz.example.com.', qtype=A
diff --git a/regression-tests/nsec-middle/command b/regression-tests/nsec-middle/command
index ac281057f3..9745b8bb7b 100755
--- a/regression-tests/nsec-middle/command
+++ b/regression-tests/nsec-middle/command
@@ -1,3 +1,3 @@
 #!/bin/sh
-cleandig outerpost.example.com A dnssec | egrep 'IN[[:space:]]+NSEC'
+cleandig outerpost.example.com A dnssec
 
diff --git a/regression-tests/nsec-middle/expected_result b/regression-tests/nsec-middle/expected_result
index 54d407347f..0b7e2a1172 100644
--- a/regression-tests/nsec-middle/expected_result
+++ b/regression-tests/nsec-middle/expected_result
@@ -1,2 +1,9 @@
-1	example.com.	IN	NSEC	120	escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
-1	ns2.example.com.	IN	NSEC	120	outpost.example.com. A RRSIG NSEC
+1	example.com.	IN	NSEC	86400	escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1	example.com.	IN	RRSIG	86400	NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	ns2.example.com.	IN	NSEC	86400	outpost.example.com. A RRSIG NSEC
+1	ns2.example.com.	IN	RRSIG	86400	NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='outerpost.example.com.', qtype=A
diff --git a/regression-tests/nsec-middle/expected_result.narrow b/regression-tests/nsec-middle/expected_result.narrow
index 6a5791733c..0db51e55c8 100644
--- a/regression-tests/nsec-middle/expected_result.narrow
+++ b/regression-tests/nsec-middle/expected_result.narrow
@@ -1,3 +1,11 @@
 1	9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.	IN	NSEC3	86400	1 1 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2 RRSIG
+1	9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
 1	sthvu2kihc96kc1tu8v3curr8og5dghn.example.com.	IN	NSEC3	86400	1 1 1 abcd STHVU2KIHC96KC1TU8V3CURR8OG5DGHP RRSIG
-1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	120	1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	sthvu2kihc96kc1tu8v3curr8og5dghn.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	86400	1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='outerpost.example.com.', qtype=A
diff --git a/regression-tests/nsec-middle/expected_result.nsec3 b/regression-tests/nsec-middle/expected_result.nsec3
index 68f5fb0273..6cac84aaad 100644
--- a/regression-tests/nsec-middle/expected_result.nsec3
+++ b/regression-tests/nsec-middle/expected_result.nsec3
@@ -1,3 +1,11 @@
-1	9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.	IN	NSEC3	120	1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
-1	sthkgrndv06hbdrfe7a329lup4mctmqr.example.com.	IN	NSEC3	120	1 1 1 abcd STKPKJBN0URUBBIM832MF33V5OGJR396 A RRSIG
-1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	120	1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.	IN	NSEC3	86400	1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
+1	9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	sthkgrndv06hbdrfe7a329lup4mctmqr.example.com.	IN	NSEC3	86400	1 1 1 abcd STKPKJBN0URUBBIM832MF33V5OGJR396 A RRSIG
+1	sthkgrndv06hbdrfe7a329lup4mctmqr.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	86400	1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='outerpost.example.com.', qtype=A
diff --git a/regression-tests/nsec-wildcard/command b/regression-tests/nsec-wildcard/command
index bb6730d3f8..72029fc3b9 100755
--- a/regression-tests/nsec-wildcard/command
+++ b/regression-tests/nsec-wildcard/command
@@ -1,3 +1,3 @@
 #!/bin/sh
-cleandig t.something.wtest.com TXT dnssec | egrep 'IN[[:space:]]+NSEC'
+cleandig t.something.wtest.com TXT dnssec
 
diff --git a/regression-tests/nsec-wildcard/expected_result b/regression-tests/nsec-wildcard/expected_result
index e144b089e2..f773699c79 100644
--- a/regression-tests/nsec-wildcard/expected_result
+++ b/regression-tests/nsec-wildcard/expected_result
@@ -1,2 +1,9 @@
-1	*.something.wtest.com.	IN	NSEC	3600	a.something.wtest.com. A RRSIG NSEC
-1	a.something.wtest.com.	IN	NSEC	3600	wtest.com. A RRSIG NSEC
+1	*.something.wtest.com.	IN	NSEC	86400	a.something.wtest.com. A RRSIG NSEC
+1	*.something.wtest.com.	IN	RRSIG	86400	NSEC 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
+1	a.something.wtest.com.	IN	NSEC	86400	wtest.com. A RRSIG NSEC
+1	a.something.wtest.com.	IN	RRSIG	86400	NSEC 8 4 86400 [expiry] [inception] [keytag] wtest.com. ...
+1	wtest.com.	IN	RRSIG	3600	SOA 8 2 3600 [expiry] [inception] [keytag] wtest.com. ...
+1	wtest.com.	IN	SOA	3600	ns1.wtest.com. ahu.example.com. 2005092501 28800 7200 604800 86400
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='t.something.wtest.com.', qtype=TXT
diff --git a/regression-tests/nsec-wildcard/expected_result.narrow b/regression-tests/nsec-wildcard/expected_result.narrow
index 3d3b5b5bf4..da2aca7055 100644
--- a/regression-tests/nsec-wildcard/expected_result.narrow
+++ b/regression-tests/nsec-wildcard/expected_result.narrow
@@ -1,2 +1,9 @@
 1	368r0s1q794jmkdrcpf6f85v316hd9ak.wtest.com.	IN	NSEC3	86400	1 1 1 abcd 368R0S1Q794JMKDRCPF6F85V316HD9AM RRSIG
-1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	NSEC3	3600	1 1 1 abcd 54NJS65S8U96TKFFRFT6L7J1T1556VIL TXT RRSIG
+1	368r0s1q794jmkdrcpf6f85v316hd9ak.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
+1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	NSEC3	86400	1 1 1 abcd 54NJS65S8U96TKFFRFT6L7J1T1556VIL TXT RRSIG
+1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
+1	wtest.com.	IN	RRSIG	3600	SOA 8 2 3600 [expiry] [inception] [keytag] wtest.com. ...
+1	wtest.com.	IN	SOA	3600	ns1.wtest.com. ahu.example.com. 2005092501 28800 7200 604800 86400
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='t.something.wtest.com.', qtype=TXT
diff --git a/regression-tests/nsec-wildcard/expected_result.nsec3 b/regression-tests/nsec-wildcard/expected_result.nsec3
index 34342e9f4c..2ee8b774a1 100644
--- a/regression-tests/nsec-wildcard/expected_result.nsec3
+++ b/regression-tests/nsec-wildcard/expected_result.nsec3
@@ -1,2 +1,9 @@
-1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	NSEC3	3600	1 1 1 abcd 67I2ESLUBOJ7DPG4263L3T8DV19G6D0G TXT RRSIG
-1	shegk154n8362ag22ar9vddrf3127m6i.wtest.com.	IN	NSEC3	3600	1 1 1 abcd 53I5J7TGM8QG2GBV716RVQVARQCIJUE2 A NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	NSEC3	86400	1 1 1 abcd 67I2ESLUBOJ7DPG4263L3T8DV19G6D0G TXT RRSIG
+1	54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
+1	shegk154n8362ag22ar9vddrf3127m6i.wtest.com.	IN	NSEC3	86400	1 1 1 abcd 53I5J7TGM8QG2GBV716RVQVARQCIJUE2 A NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	shegk154n8362ag22ar9vddrf3127m6i.wtest.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
+1	wtest.com.	IN	RRSIG	3600	SOA 8 2 3600 [expiry] [inception] [keytag] wtest.com. ...
+1	wtest.com.	IN	SOA	3600	ns1.wtest.com. ahu.example.com. 2005092501 28800 7200 604800 86400
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='t.something.wtest.com.', qtype=TXT
diff --git a/regression-tests/nsec-wraparound/command b/regression-tests/nsec-wraparound/command
index 4921a3aa30..7af813e5ef 100755
--- a/regression-tests/nsec-wraparound/command
+++ b/regression-tests/nsec-wraparound/command
@@ -1,3 +1,3 @@
 #!/bin/sh
-cleandig zzz.example.com A dnssec | egrep 'IN[[:space:]]+NSEC'
+cleandig zzz.example.com A dnssec
 
diff --git a/regression-tests/nsec-wraparound/expected_result b/regression-tests/nsec-wraparound/expected_result
index d99b62a399..3f6ac8b9f7 100644
--- a/regression-tests/nsec-wraparound/expected_result
+++ b/regression-tests/nsec-wraparound/expected_result
@@ -1,2 +1,9 @@
-1	example.com.	IN	NSEC	120	escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
-1	www.example.com.	IN	NSEC	120	example.com. CNAME RRSIG NSEC
+1	example.com.	IN	NSEC	86400	escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1	example.com.	IN	RRSIG	86400	NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	www.example.com.	IN	NSEC	86400	example.com. CNAME RRSIG NSEC
+1	www.example.com.	IN	RRSIG	86400	NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='zzz.example.com.', qtype=A
diff --git a/regression-tests/nsec-wraparound/expected_result.nsec3 b/regression-tests/nsec-wraparound/expected_result.nsec3
index b35b714944..a20b5458d2 100644
--- a/regression-tests/nsec-wraparound/expected_result.nsec3
+++ b/regression-tests/nsec-wraparound/expected_result.nsec3
@@ -1,3 +1,11 @@
-1	9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.	IN	NSEC3	120	1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
-1	gnk5kv3h2h1h8ge405j6093608ukp3i5.example.com.	IN	NSEC3	120	1 1 1 abcd GNO4LESKG6U7HKEJ9UL71SF1HD7F1P96 A RRSIG
-1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	120	1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.	IN	NSEC3	86400	1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
+1	9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	gnk5kv3h2h1h8ge405j6093608ukp3i5.example.com.	IN	NSEC3	86400	1 1 1 abcd GNO4LESKG6U7HKEJ9UL71SF1HD7F1P96 A RRSIG
+1	gnk5kv3h2h1h8ge405j6093608ukp3i5.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	86400	1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='zzz.example.com.', qtype=A
diff --git a/regression-tests/nsec-wrong-type-at-apex/command b/regression-tests/nsec-wrong-type-at-apex/command
index 42569b5279..4806fc9352 100755
--- a/regression-tests/nsec-wrong-type-at-apex/command
+++ b/regression-tests/nsec-wrong-type-at-apex/command
@@ -1,3 +1,3 @@
 #!/bin/sh
-cleandig example.com TXT dnssec | egrep 'IN[[:space:]]+NSEC'
+cleandig example.com TXT dnssec
 
diff --git a/regression-tests/nsec-wrong-type-at-apex/expected_result b/regression-tests/nsec-wrong-type-at-apex/expected_result
index 48441ba51f..a4818c38c0 100644
--- a/regression-tests/nsec-wrong-type-at-apex/expected_result
+++ b/regression-tests/nsec-wrong-type-at-apex/expected_result
@@ -1 +1,7 @@
-1	example.com.	IN	NSEC	120	escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1	example.com.	IN	NSEC	86400	escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1	example.com.	IN	RRSIG	86400	NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='example.com.', qtype=TXT
diff --git a/regression-tests/nsec-wrong-type-at-apex/expected_result.narrow b/regression-tests/nsec-wrong-type-at-apex/expected_result.narrow
index 30d271ec5a..24164544db 100644
--- a/regression-tests/nsec-wrong-type-at-apex/expected_result.narrow
+++ b/regression-tests/nsec-wrong-type-at-apex/expected_result.narrow
@@ -1 +1,7 @@
-1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	120	1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	86400	1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='example.com.', qtype=TXT
diff --git a/regression-tests/nsec-wrong-type-at-apex/expected_result.nsec3 b/regression-tests/nsec-wrong-type-at-apex/expected_result.nsec3
index ea63946bb8..c85202e45d 100644
--- a/regression-tests/nsec-wrong-type-at-apex/expected_result.nsec3
+++ b/regression-tests/nsec-wrong-type-at-apex/expected_result.nsec3
@@ -1 +1,7 @@
-1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	120	1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	86400	1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='example.com.', qtype=TXT
diff --git a/regression-tests/nsec-wrong-type/command b/regression-tests/nsec-wrong-type/command
index 12b0e1989e..1a1624a8c9 100755
--- a/regression-tests/nsec-wrong-type/command
+++ b/regression-tests/nsec-wrong-type/command
@@ -1,3 +1,3 @@
 #!/bin/sh
-cleandig outpost.example.com TXT dnssec | egrep 'IN[[:space:]]+NSEC'
+cleandig outpost.example.com TXT dnssec
 
diff --git a/regression-tests/nsec-wrong-type/expected_result b/regression-tests/nsec-wrong-type/expected_result
index 2580d61b43..16f8574511 100644
--- a/regression-tests/nsec-wrong-type/expected_result
+++ b/regression-tests/nsec-wrong-type/expected_result
@@ -1 +1,7 @@
-1	outpost.example.com.	IN	NSEC	120	semi-external.example.com. A RRSIG NSEC
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	outpost.example.com.	IN	NSEC	86400	semi-external.example.com. A RRSIG NSEC
+1	outpost.example.com.	IN	RRSIG	86400	NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='outpost.example.com.', qtype=TXT
diff --git a/regression-tests/nsec-wrong-type/expected_result.narrow b/regression-tests/nsec-wrong-type/expected_result.narrow
index 168b425971..3c8df4eb83 100644
--- a/regression-tests/nsec-wrong-type/expected_result.narrow
+++ b/regression-tests/nsec-wrong-type/expected_result.narrow
@@ -1 +1,7 @@
-1	5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.	IN	NSEC3	120	1 1 1 abcd 5UVGFM2VJCJE09SVS7LFB22I1UUQJF99 A RRSIG
+1	5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.	IN	NSEC3	86400	1 1 1 abcd 5UVGFM2VJCJE09SVS7LFB22I1UUQJF99 A RRSIG
+1	5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='outpost.example.com.', qtype=TXT
diff --git a/regression-tests/nsec-wrong-type/expected_result.nsec3 b/regression-tests/nsec-wrong-type/expected_result.nsec3
index 729d87c2fa..8d051e85fb 100644
--- a/regression-tests/nsec-wrong-type/expected_result.nsec3
+++ b/regression-tests/nsec-wrong-type/expected_result.nsec3
@@ -1 +1,7 @@
-1	5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.	IN	NSEC3	120	1 1 1 abcd 5V0S7HPRC5IAFH3C3RO0HHNH543D3UIU A RRSIG
+1	5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.	IN	NSEC3	86400	1 1 1 abcd 5V0S7HPRC5IAFH3C3RO0HHNH543D3UIU A RRSIG
+1	5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='outpost.example.com.', qtype=TXT
diff --git a/regression-tests/nxdomain-below-nonempty-terminal/command b/regression-tests/nxdomain-below-nonempty-terminal/command
index 3ab6314fdf..71bd07d818 100755
--- a/regression-tests/nxdomain-below-nonempty-terminal/command
+++ b/regression-tests/nxdomain-below-nonempty-terminal/command
@@ -1,2 +1,2 @@
 #!/bin/sh
-cleandig nx1.nx2.outpost.example.com A dnssec | egrep 'IN[[:space:]]+NSEC'
+cleandig nx1.nx2.outpost.example.com A dnssec
diff --git a/regression-tests/nxdomain-below-nonempty-terminal/expected_result b/regression-tests/nxdomain-below-nonempty-terminal/expected_result
index b9a61fa428..f25ff2abb6 100644
--- a/regression-tests/nxdomain-below-nonempty-terminal/expected_result
+++ b/regression-tests/nxdomain-below-nonempty-terminal/expected_result
@@ -1,2 +1,9 @@
-1	example.com.	IN	NSEC	120	escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
-1	outpost.example.com.	IN	NSEC	120	semi-external.example.com. A RRSIG NSEC
+1	example.com.	IN	NSEC	86400	escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1	example.com.	IN	RRSIG	86400	NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	outpost.example.com.	IN	NSEC	86400	semi-external.example.com. A RRSIG NSEC
+1	outpost.example.com.	IN	RRSIG	86400	NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nx1.nx2.outpost.example.com.', qtype=A
diff --git a/regression-tests/nxdomain-below-nonempty-terminal/expected_result.narrow b/regression-tests/nxdomain-below-nonempty-terminal/expected_result.narrow
index c043e7f9ac..e48b9b515b 100644
--- a/regression-tests/nxdomain-below-nonempty-terminal/expected_result.narrow
+++ b/regression-tests/nxdomain-below-nonempty-terminal/expected_result.narrow
@@ -1,3 +1,11 @@
-1	5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.	IN	NSEC3	120	1 1 1 abcd 5UVGFM2VJCJE09SVS7LFB22I1UUQJF99 A RRSIG
+1	5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.	IN	NSEC3	86400	1 1 1 abcd 5UVGFM2VJCJE09SVS7LFB22I1UUQJF99 A RRSIG
+1	5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
 1	sdgbafmjek5v4t8c89q9u0n03qmcslor.example.com.	IN	NSEC3	86400	1 1 1 abcd SDGBAFMJEK5V4T8C89Q9U0N03QMCSLOT RRSIG
+1	sdgbafmjek5v4t8c89q9u0n03qmcslor.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1	tsdp8hajlfgr90cv4ib634g1m25nc5up.example.com.	IN	NSEC3	86400	1 1 1 abcd TSDP8HAJLFGR90CV4IB634G1M25NC5UR RRSIG
+1	tsdp8hajlfgr90cv4ib634g1m25nc5up.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nx1.nx2.outpost.example.com.', qtype=A
diff --git a/regression-tests/nxdomain-below-nonempty-terminal/expected_result.nsec3 b/regression-tests/nxdomain-below-nonempty-terminal/expected_result.nsec3
index 560cf172ea..9d7140b23e 100644
--- a/regression-tests/nxdomain-below-nonempty-terminal/expected_result.nsec3
+++ b/regression-tests/nxdomain-below-nonempty-terminal/expected_result.nsec3
@@ -1,3 +1,11 @@
-1	5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.	IN	NSEC3	120	1 1 1 abcd 5V0S7HPRC5IAFH3C3RO0HHNH543D3UIU A RRSIG
-1	sdeu4ba3b451gf8ijikm2tphu3bugl4g.example.com.	IN	NSEC3	120	1 1 1 abcd SDH8FVJ6LQLSVCQCO8QP82I6JTR574H2 A RRSIG
-1	tsbl3ev9tces1kjgto3qtn36ltlu0te1.example.com.	IN	NSEC3	120	1 1 1 abcd TSIKPRKTT53V9ILUK08SMR9KADQ44TR1 A RRSIG
+1	5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.	IN	NSEC3	86400	1 1 1 abcd 5V0S7HPRC5IAFH3C3RO0HHNH543D3UIU A RRSIG
+1	5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	sdeu4ba3b451gf8ijikm2tphu3bugl4g.example.com.	IN	NSEC3	86400	1 1 1 abcd SDH8FVJ6LQLSVCQCO8QP82I6JTR574H2 A RRSIG
+1	sdeu4ba3b451gf8ijikm2tphu3bugl4g.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	tsbl3ev9tces1kjgto3qtn36ltlu0te1.example.com.	IN	NSEC3	86400	1 1 1 abcd TSIKPRKTT53V9ILUK08SMR9KADQ44TR1 A RRSIG
+1	tsbl3ev9tces1kjgto3qtn36ltlu0te1.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nx1.nx2.outpost.example.com.', qtype=A
diff --git a/regression-tests/nxdomain-for-unknown-record/expected_result b/regression-tests/nxdomain-for-unknown-record/expected_result
index 3862067496..d5b9e06f2b 100644
--- a/regression-tests/nxdomain-for-unknown-record/expected_result
+++ b/regression-tests/nxdomain-for-unknown-record/expected_result
@@ -1,3 +1,3 @@
-1	example.com.	IN	SOA	120	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='no-such-host.example.com.', qtype=A
diff --git a/regression-tests/second-level-nxdomain/command b/regression-tests/second-level-nxdomain/command
index 11949f812a..871795e36c 100755
--- a/regression-tests/second-level-nxdomain/command
+++ b/regression-tests/second-level-nxdomain/command
@@ -1,2 +1,2 @@
 #!/bin/sh
-cleandig nx.outpost.example.com A dnssec | egrep 'IN[[:space:]]+NSEC'
+cleandig nx.outpost.example.com A dnssec
diff --git a/regression-tests/second-level-nxdomain/expected_result b/regression-tests/second-level-nxdomain/expected_result
index b9a61fa428..711fd146bd 100644
--- a/regression-tests/second-level-nxdomain/expected_result
+++ b/regression-tests/second-level-nxdomain/expected_result
@@ -1,2 +1,9 @@
-1	example.com.	IN	NSEC	120	escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
-1	outpost.example.com.	IN	NSEC	120	semi-external.example.com. A RRSIG NSEC
+1	example.com.	IN	NSEC	86400	escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1	example.com.	IN	RRSIG	86400	NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	outpost.example.com.	IN	NSEC	86400	semi-external.example.com. A RRSIG NSEC
+1	outpost.example.com.	IN	RRSIG	86400	NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nx.outpost.example.com.', qtype=A
diff --git a/regression-tests/second-level-nxdomain/expected_result.narrow b/regression-tests/second-level-nxdomain/expected_result.narrow
index 20aee9db83..286acc6216 100644
--- a/regression-tests/second-level-nxdomain/expected_result.narrow
+++ b/regression-tests/second-level-nxdomain/expected_result.narrow
@@ -1,3 +1,11 @@
-1	5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.	IN	NSEC3	120	1 1 1 abcd 5UVGFM2VJCJE09SVS7LFB22I1UUQJF99 A RRSIG
+1	5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.	IN	NSEC3	86400	1 1 1 abcd 5UVGFM2VJCJE09SVS7LFB22I1UUQJF99 A RRSIG
+1	5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
 1	k6ta8mhi455hk3jskn0b2st81j6fa1l0.example.com.	IN	NSEC3	86400	1 1 1 abcd K6TA8MHI455HK3JSKN0B2ST81J6FA1L2 RRSIG
+1	k6ta8mhi455hk3jskn0b2st81j6fa1l0.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1	tsdp8hajlfgr90cv4ib634g1m25nc5up.example.com.	IN	NSEC3	86400	1 1 1 abcd TSDP8HAJLFGR90CV4IB634G1M25NC5UR RRSIG
+1	tsdp8hajlfgr90cv4ib634g1m25nc5up.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nx.outpost.example.com.', qtype=A
diff --git a/regression-tests/second-level-nxdomain/expected_result.nsec3 b/regression-tests/second-level-nxdomain/expected_result.nsec3
index 1f72d469db..d8b6253b3d 100644
--- a/regression-tests/second-level-nxdomain/expected_result.nsec3
+++ b/regression-tests/second-level-nxdomain/expected_result.nsec3
@@ -1,3 +1,11 @@
-1	5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.	IN	NSEC3	120	1 1 1 abcd 5V0S7HPRC5IAFH3C3RO0HHNH543D3UIU A RRSIG
-1	k6r6482mfo4upme9n407c2grb6opp1ip.example.com.	IN	NSEC3	120	1 1 1 abcd K6TDMVV7BP54FEFUIVR0BVABIBUN0AV9 A RRSIG
-1	tsbl3ev9tces1kjgto3qtn36ltlu0te1.example.com.	IN	NSEC3	120	1 1 1 abcd TSIKPRKTT53V9ILUK08SMR9KADQ44TR1 A RRSIG
+1	5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.	IN	NSEC3	86400	1 1 1 abcd 5V0S7HPRC5IAFH3C3RO0HHNH543D3UIU A RRSIG
+1	5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	k6r6482mfo4upme9n407c2grb6opp1ip.example.com.	IN	NSEC3	86400	1 1 1 abcd K6TDMVV7BP54FEFUIVR0BVABIBUN0AV9 A RRSIG
+1	k6r6482mfo4upme9n407c2grb6opp1ip.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	tsbl3ev9tces1kjgto3qtn36ltlu0te1.example.com.	IN	NSEC3	86400	1 1 1 abcd TSIKPRKTT53V9ILUK08SMR9KADQ44TR1 A RRSIG
+1	tsbl3ev9tces1kjgto3qtn36ltlu0te1.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nx.outpost.example.com.', qtype=A
diff --git a/regression-tests/start-test-stop b/regression-tests/start-test-stop
index f33ae95ba9..30bca3844f 100755
--- a/regression-tests/start-test-stop
+++ b/regression-tests/start-test-stop
@@ -1,4 +1,4 @@
-#!/bin/sh -ex
+#!/bin/bash -ex
 
 tosql ()
 {
@@ -28,17 +28,31 @@ gsqlite3-nodnssec gsqlite3 gsqlite3-nsec3
 opendbx-sqlite3
 tinydns
 
+add -presigned to any gmysql test (except narrow) to test 
+presigned operation
+
 add 'wait' (literally) after the context to not kill 
 pdns_server immediately after testing
 __EOF__
 	exit 1
 fi
 
+rm -f pdns*.pid
+
+presigned=no
+
+if [ ${context: -10} = "-presigned" ]
+then
+	presigned=yes
+	port=$((port-100))
+	context=${context%-presigned}
+fi
+
 case $context in
 		bind)
 			$RUNWRAPPER ../pdns/pdns_server --daemon=no --local-port=$port --socket-dir=./  \
 				--no-shuffle --launch=bind --bind-config=./named.conf                \
-				--fancy-records --query-logging --send-root-referral --loglevel=9    \
+				--fancy-records --send-root-referral    \
 				--cache-ttl=0 --no-config &
 			skipreasons=nodnssec
 			;;
@@ -57,7 +71,7 @@ case $context in
 			$RUNWRAPPER ../pdns/pdns_server --daemon=no --local-port=$port --socket-dir=./  \
 				--no-shuffle --launch=bind --bind-config=./named.conf       \
 				--bind-dnssec-db=./dnssec.sqlite3 \
-				--query-logging --send-root-referral --loglevel=9    \
+			 --send-root-referral    \
 				--cache-ttl=0 --no-config &
 			;;
 		gmysql-nodnssec)
@@ -77,7 +91,7 @@ case $context in
 
 			$RUNWRAPPER ../pdns/pdns_server --daemon=no --local-port=$port --socket-dir=./  \
 				--no-shuffle --launch=gmysql \
-				--fancy-records --query-logging --send-root-referral --loglevel=9 \
+				--fancy-records --send-root-referral \
 				--cache-ttl=0 --no-config \
 				--gmysql-dbname="$GMYSQLDB" \
 				--gmysql-user="$GMYSQLUSER" \
@@ -129,7 +143,7 @@ __EOF__
 
 			$RUNWRAPPER ../pdns/pdns_server --daemon=no --local-port=$port --socket-dir=./  \
 				--no-shuffle --launch=gmysql --gmysql-dnssec \
-				--fancy-records --query-logging --send-root-referral --loglevel=9 \
+				--fancy-records --send-root-referral \
 				--cache-ttl=0 --no-config \
 				--gmysql-dbname="$GMYSQLDB" \
 				--gmysql-user="$GMYSQLUSER" \
@@ -177,7 +191,7 @@ __EOF__
 
 			$RUNWRAPPER ../pdns/pdns_server --daemon=no --local-port=$port --socket-dir=./  \
 				--no-shuffle --launch=gpgsql --gpgsql-dnssec \
-				--fancy-records --query-logging --send-root-referral --loglevel=9 \
+				--fancy-records --send-root-referral \
 				--cache-ttl=0 --no-config \
 				--gpgsql-dbname="$GPGSQLDB" \
 				--gpgsql-user="$GPGSQLUSER" &
@@ -209,7 +223,7 @@ gpgsql-user=$GPGSQLUSER
 __EOF__
 			$RUNWRAPPER ../pdns/pdns_server --daemon=no --local-port=$port --socket-dir=./  \
 				--no-shuffle --launch=gpgsql \
-				--fancy-records --query-logging --send-root-referral --loglevel=9 \
+				--fancy-records --send-root-referral \
 				--cache-ttl=0 --no-config \
 				--gpgsql-dbname="$GPGSQLDB" \
 				--gpgsql-user="$GPGSQLUSER" &
@@ -225,7 +239,7 @@ __EOF__
 
 			$RUNWRAPPER ../pdns/pdns_server --daemon=no --local-port=$port --socket-dir=./  \
 				--no-shuffle --launch=gsqlite3 \
-				--fancy-records --query-logging --send-root-referral --loglevel=9 \
+				--fancy-records --send-root-referral \
 				--cache-ttl=0 --no-config \
 				--gsqlite3-database=pdns.sqlite3 &
 			skipreasons=nodnssec
@@ -241,7 +255,7 @@ __EOF__
 
 			$RUNWRAPPER ../pdns/pdns_server --daemon=no --local-port=$port --socket-dir=./  \
 				--no-shuffle --launch=opendbx \
-				--fancy-records --query-logging --send-root-referral --loglevel=9 \
+				--fancy-records --send-root-referral \
 				--cache-ttl=0 --no-config \
 				--opendbx-backend=sqlite3 --opendbx-host-read=./ --opendbx-host-write=./ \
 				--opendbx-database=pdns-opendbx.sqlite3 &
@@ -272,7 +286,7 @@ __EOF__
 
 			$RUNWRAPPER ../pdns/pdns_server --daemon=no --local-port=$port --socket-dir=./  \
 				--no-shuffle --launch=gsqlite3 --gsqlite3-dnssec \
-				--fancy-records --query-logging --send-root-referral --loglevel=9 \
+				--fancy-records --send-root-referral \
 				--cache-ttl=0 --no-config \
 				--gsqlite3-database=pdns.sqlite3 &
 			if [ $context = gsqlite3-nsec3 ]
@@ -285,7 +299,7 @@ __EOF__
 		tinydns)
 			$RUNWRAPPER ../pdns/pdns_server --daemon=no --local-port=$port --socket-dir=./ \
 				--no-shuffle --launch=tinydns \
-				--query-logging --loglevel=9 --cache-ttl=0 --no-config \
+			 --cache-ttl=0 --no-config \
 				--send-root-referral \
 				--tinydns-dbfile=../modules/tinydnsbackend/data.cdb & 
 			skipreasons=nodnssec
@@ -303,6 +317,52 @@ export context
 export extracontexts
 export skipreasons
 
+if [ $presigned = yes ] && [ ${context:0:6} = gmysql ]
+then
+	context=${context}-presigned
+	[ -z "$GMYSQL2DB" ] && GMYSQL2DB=pdnstest2
+	[ -z "$GMYSQL2USER" ] && GMYSQL2USER=root
+	[ -z "$GMYSQL2HOST" ] && GMYSQL2HOST=localhost
+	[ -z "$GMYSQL2PASSWD" ] && GMYSQL2PASSWD=''
+
+	mysqladmin --user="$GMYSQL2USER" --password="$GMYSQL2PASSWD" --host="$GMYSQL2HOST" --force drop "$GMYSQL2DB" \
+		|| echo ignoring mysqladmin drop failure
+	mysqladmin --user="$GMYSQL2USER" --password="$GMYSQL2PASSWD" --host="$GMYSQL2HOST" create "$GMYSQL2DB"
+	mysql --user="$GMYSQL2USER" --password="$GMYSQL2PASSWD" --host="$GMYSQL2HOST" \
+		"$GMYSQL2DB" < ../pdns/no-dnssec.schema.mysql.sql
+	mysql --user="$GMYSQL2USER" --password="$GMYSQL2PASSWD" --host="$GMYSQL2HOST" \
+		"$GMYSQL2DB" < ../pdns/dnssec.schema.mysql.sql
+
+	for zone in $(grep zone named.conf  | cut -f2 -d\")
+	do
+		mysql --user="$GMYSQL2USER" --password="$GMYSQL2PASSWD" --host="$GMYSQL2HOST" \
+		"$GMYSQL2DB" \
+		-e "INSERT INTO domains (name, type, master) VALUES('$zone','SLAVE','127.0.0.1:$port')"
+	done
+
+	port=$((port+100))
+
+	$RUNWRAPPER ../pdns/pdns_server --daemon=no --local-port=$port --socket-dir=./  \
+		--no-shuffle --launch=gmysql --gmysql-dnssec \
+		--fancy-records --send-root-referral \
+		--cache-ttl=0 --query-cache-ttl=0 --no-config --slave --retrieval-threads=1 \
+		--gmysql-dbname="$GMYSQL2DB" \
+		--gmysql-user="$GMYSQL2USER" \
+		--gmysql-host="$GMYSQL2HOST" \
+		--gmysql-password="$GMYSQL2PASSWD" \
+		--config-name=gmysql2 |& egrep -v "update records set ordername|insert into records" &
+	echo 'waiting for zones to be slaved'
+	while sleep 10
+	do
+		todo=$(mysql --user="$GMYSQL2USER" --password="$GMYSQL2PASSWD" --host="$GMYSQl2HOST" \
+			   "$GMYSQL2DB" -ss -e 'SELECT COUNT(id) FROM domains WHERE last_check IS NULL')
+		if [ $todo = 0 ]
+		then
+			break
+		fi
+	done
+fi
+
 ## TODO: give pdns a few seconds to startup or fail, then check if it did not fail
 ## TODO: give sdig a timeout
 nameserver=127.0.0.1 ./runtests
@@ -313,4 +373,5 @@ then
 	echo tests done! push enter to terminate instance
 	read l
 fi
-kill $(cat pdns.pid)
+kill $(cat pdns*.pid)
+rm pdns*.pid
\ No newline at end of file
diff --git a/regression-tests/test.com b/regression-tests/test.com
index f93a86c275..482d2277de 100644
--- a/regression-tests/test.com
+++ b/regression-tests/test.com
@@ -23,8 +23,8 @@ _ldap._tcp.dc		IN	SRV 	0 100 389 server1
 _double._tcp.dc		IN	SRV 	0 100 389 server1
 _double._tcp.dc		IN	SRV 	1 100 389 server1
 blah			IN	NS	blah
-blah			IN	A	9.9.9.9
+blah			IN	A	192.168.6.1
 ;images			IN	URL	"http://www.ds9a.nl"
 ;bert@auto.test.com.			IN	MBOXFW	"bert@ds9a.nl"
 very-long-txt		IN	TXT	"A very long TXT record! boy you won't believe how long. A very long TXT record! boy you won't believe how long. A very long TXT record! boy you won't believe how long. A very long TXT record! boy you won't believe how long. A very long TXT record! boy you won't believe how long!"
-within-server		IN	CNAME	outpost.example.com.
\ No newline at end of file
+within-server		IN	CNAME	outpost.example.com.
diff --git a/regression-tests/two-level-nxdomain/command b/regression-tests/two-level-nxdomain/command
index a848cc1e3a..faf2f6a664 100755
--- a/regression-tests/two-level-nxdomain/command
+++ b/regression-tests/two-level-nxdomain/command
@@ -1,2 +1,2 @@
 #!/bin/sh
-cleandig nx1.nx2.example.com A dnssec | egrep 'IN[[:space:]]+NSEC'
+cleandig nx1.nx2.example.com A dnssec
diff --git a/regression-tests/two-level-nxdomain/expected_result b/regression-tests/two-level-nxdomain/expected_result
index 54d407347f..74e4fd04d1 100644
--- a/regression-tests/two-level-nxdomain/expected_result
+++ b/regression-tests/two-level-nxdomain/expected_result
@@ -1,2 +1,9 @@
-1	example.com.	IN	NSEC	120	escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
-1	ns2.example.com.	IN	NSEC	120	outpost.example.com. A RRSIG NSEC
+1	example.com.	IN	NSEC	86400	escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1	example.com.	IN	RRSIG	86400	NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	ns2.example.com.	IN	NSEC	86400	outpost.example.com. A RRSIG NSEC
+1	ns2.example.com.	IN	RRSIG	86400	NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nx1.nx2.example.com.', qtype=A
diff --git a/regression-tests/two-level-nxdomain/expected_result.narrow b/regression-tests/two-level-nxdomain/expected_result.narrow
index 311f92e100..46383544ff 100644
--- a/regression-tests/two-level-nxdomain/expected_result.narrow
+++ b/regression-tests/two-level-nxdomain/expected_result.narrow
@@ -1,3 +1,11 @@
 1	9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.	IN	NSEC3	86400	1 1 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2 RRSIG
+1	9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1	ectnliqstqsjnnrpuhjj5h0j3c3odkk3.example.com.	IN	NSEC3	86400	1 1 1 abcd ECTNLIQSTQSJNNRPUHJJ5H0J3C3ODKK5 RRSIG
-1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	120	1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	ectnliqstqsjnnrpuhjj5h0j3c3odkk3.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	86400	1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nx1.nx2.example.com.', qtype=A
diff --git a/regression-tests/two-level-nxdomain/expected_result.nsec3 b/regression-tests/two-level-nxdomain/expected_result.nsec3
index 6101ba3802..f1d66fdb96 100644
--- a/regression-tests/two-level-nxdomain/expected_result.nsec3
+++ b/regression-tests/two-level-nxdomain/expected_result.nsec3
@@ -1,3 +1,11 @@
-1	9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.	IN	NSEC3	120	1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
-1	ecskkg9s6f7lap5qjrnns1bf8pjunshj.example.com.	IN	NSEC3	120	1 1 1 abcd ECTPI4N8UNDE9GNVKHG28NJR512JBD4O A RRSIG
-1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	120	1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.	IN	NSEC3	86400	1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
+1	9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	ecskkg9s6f7lap5qjrnns1bf8pjunshj.example.com.	IN	NSEC3	86400	1 1 1 abcd ECTPI4N8UNDE9GNVKHG28NJR512JBD4O A RRSIG
+1	ecskkg9s6f7lap5qjrnns1bf8pjunshj.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	86400	1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nx1.nx2.example.com.', qtype=A