aboutsummaryrefslogtreecommitdiff
path: root/contrib/unbound/testdata
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/unbound/testdata')
-rw-r--r--contrib/unbound/testdata/00-lint.tdir/00-lint.pre14
-rw-r--r--contrib/unbound/testdata/09-unbound-control.tdir/conf.bad_credentials5
-rw-r--r--contrib/unbound/testdata/09-unbound-control.tdir/conf.spoofed_credentials5
-rw-r--r--contrib/unbound/testdata/auth_zonemd_anchor.rpl234
-rw-r--r--contrib/unbound/testdata/auth_zonemd_anchor_fail.rpl236
-rw-r--r--contrib/unbound/testdata/auth_zonemd_chain.rpl234
-rw-r--r--contrib/unbound/testdata/auth_zonemd_chain_fail.rpl236
-rw-r--r--contrib/unbound/testdata/auth_zonemd_file.rpl183
-rw-r--r--contrib/unbound/testdata/auth_zonemd_file_fail.rpl185
-rw-r--r--contrib/unbound/testdata/auth_zonemd_insecure.rpl215
-rw-r--r--contrib/unbound/testdata/auth_zonemd_insecure_absent.rpl217
-rw-r--r--contrib/unbound/testdata/auth_zonemd_insecure_absent_reject.rpl218
-rw-r--r--contrib/unbound/testdata/auth_zonemd_insecure_fail.rpl218
-rw-r--r--contrib/unbound/testdata/auth_zonemd_nokey.rpl212
-rw-r--r--contrib/unbound/testdata/auth_zonemd_permissive_mode.rpl187
-rw-r--r--contrib/unbound/testdata/auth_zonemd_xfr.rpl238
-rw-r--r--contrib/unbound/testdata/auth_zonemd_xfr_anchor.rpl285
-rw-r--r--contrib/unbound/testdata/auth_zonemd_xfr_anchor_fail.rpl266
-rw-r--r--contrib/unbound/testdata/auth_zonemd_xfr_chain.rpl310
-rw-r--r--contrib/unbound/testdata/auth_zonemd_xfr_chain_fail.rpl321
-rw-r--r--contrib/unbound/testdata/auth_zonemd_xfr_chain_keyinxfr.rpl315
-rw-r--r--contrib/unbound/testdata/auth_zonemd_xfr_fail.rpl241
-rw-r--r--contrib/unbound/testdata/cachedb_cached_ede.crpl91
-rw-r--r--contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.conf (renamed from contrib/unbound/testdata/zonemd_reload.tdir/zonemd_reload.conf)26
-rw-r--r--contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.dsc16
-rw-r--r--contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.post20
-rw-r--r--contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.pre (renamed from contrib/unbound/testdata/zonemd_reload.tdir/zonemd_reload.pre)11
-rw-r--r--contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.servfail.testns8
-rw-r--r--contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.test132
-rw-r--r--contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.testns9
-rw-r--r--contrib/unbound/testdata/cachedb_servfail_cname.crpl181
-rw-r--r--contrib/unbound/testdata/disable_edns_do.rpl (renamed from contrib/unbound/testdata/nsid_bogus.rpl)50
-rw-r--r--contrib/unbound/testdata/edns_attached_once_per_upstream.rpl90
-rw-r--r--contrib/unbound/testdata/edns_downstream_cookies.rpl235
-rw-r--r--contrib/unbound/testdata/fwd_error_retries.rpl27
-rw-r--r--contrib/unbound/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.conf20
-rw-r--r--contrib/unbound/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.dsc16
-rw-r--r--contrib/unbound/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.post10
-rw-r--r--contrib/unbound/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.pre31
-rw-r--r--contrib/unbound/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.test35
-rw-r--r--contrib/unbound/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.testns25
-rw-r--r--contrib/unbound/testdata/http_user_agent.tdir/127.0.0.1/example.com.zone3
-rw-r--r--contrib/unbound/testdata/http_user_agent.tdir/http_user_agent.dsc16
-rw-r--r--contrib/unbound/testdata/http_user_agent.tdir/http_user_agent.post11
-rw-r--r--contrib/unbound/testdata/http_user_agent.tdir/http_user_agent.pre37
-rw-r--r--contrib/unbound/testdata/http_user_agent.tdir/http_user_agent.test103
-rw-r--r--contrib/unbound/testdata/http_user_agent.tdir/petal.key21
-rw-r--r--contrib/unbound/testdata/http_user_agent.tdir/petal.pem14
-rw-r--r--contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.conf (renamed from contrib/unbound/testdata/ratelimit.tdir/ratelimit.conf)15
-rw-r--r--contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.dsc16
-rw-r--r--contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.post (renamed from contrib/unbound/testdata/ratelimit.tdir/ratelimit.post)3
-rw-r--r--contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.pre (renamed from contrib/unbound/testdata/ratelimit.tdir/ratelimit.pre)15
-rw-r--r--contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.test165
-rw-r--r--contrib/unbound/testdata/ip_ratelimit.tdir/unbound_control.key (renamed from contrib/unbound/testdata/http_user_agent.tdir/unbound_control.key)0
-rw-r--r--contrib/unbound/testdata/ip_ratelimit.tdir/unbound_control.pem (renamed from contrib/unbound/testdata/http_user_agent.tdir/unbound_control.pem)0
-rw-r--r--contrib/unbound/testdata/ip_ratelimit.tdir/unbound_server.key (renamed from contrib/unbound/testdata/http_user_agent.tdir/unbound_server.key)0
-rw-r--r--contrib/unbound/testdata/ip_ratelimit.tdir/unbound_server.pem (renamed from contrib/unbound/testdata/http_user_agent.tdir/unbound_server.pem)0
-rw-r--r--contrib/unbound/testdata/iter_cname_minimise_nx.rpl245
-rw-r--r--contrib/unbound/testdata/iter_dname_ttl.rpl310
-rw-r--r--contrib/unbound/testdata/iter_failreply.rpl132
-rw-r--r--contrib/unbound/testdata/iter_ignore_empty.rpl248
-rw-r--r--contrib/unbound/testdata/iter_nat64.rpl117
-rw-r--r--contrib/unbound/testdata/iter_nat64_prefix.rpl119
-rw-r--r--contrib/unbound/testdata/iter_nat64_prefix48.rpl118
-rw-r--r--contrib/unbound/testdata/iter_scrub_rr_length.rpl298
-rw-r--r--contrib/unbound/testdata/ratelimit.tdir/ratelimit.dsc16
-rw-r--r--contrib/unbound/testdata/ratelimit.tdir/ratelimit.test183
-rw-r--r--contrib/unbound/testdata/ratelimit.tdir/ratelimit.testns13
-rw-r--r--contrib/unbound/testdata/ratelimit.tdir/unbound_control.key39
-rw-r--r--contrib/unbound/testdata/ratelimit.tdir/unbound_control.pem22
-rw-r--r--contrib/unbound/testdata/ratelimit.tdir/unbound_server.key39
-rw-r--r--contrib/unbound/testdata/ratelimit.tdir/unbound_server.pem22
-rw-r--r--contrib/unbound/testdata/root_zonemd.tdir/root_zonemd.conf34
-rw-r--r--contrib/unbound/testdata/root_zonemd.tdir/root_zonemd.dsc16
-rw-r--r--contrib/unbound/testdata/root_zonemd.tdir/root_zonemd.post (renamed from contrib/unbound/testdata/zonemd_reload.tdir/zonemd_reload.post)2
-rw-r--r--contrib/unbound/testdata/root_zonemd.tdir/root_zonemd.pre (renamed from contrib/unbound/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.pre)29
-rw-r--r--contrib/unbound/testdata/root_zonemd.tdir/root_zonemd.test63
-rw-r--r--contrib/unbound/testdata/root_zonemd.tdir/root_zonemd.testns9
-rw-r--r--contrib/unbound/testdata/rpz_cached_cname.rpl122
-rw-r--r--contrib/unbound/testdata/rpz_clientip.rpl264
-rw-r--r--contrib/unbound/testdata/rpz_nsdname.rpl390
-rw-r--r--contrib/unbound/testdata/rpz_nsip.rpl408
-rw-r--r--contrib/unbound/testdata/rpz_qname_tcponly.rpl117
-rw-r--r--contrib/unbound/testdata/rpz_respip_tcponly.rpl207
-rw-r--r--contrib/unbound/testdata/rpz_rootwc.rpl162
-rw-r--r--contrib/unbound/testdata/rpz_signal_nxdomain_ra.rpl254
-rw-r--r--contrib/unbound/testdata/rrset_use_cached.rpl151
-rw-r--r--contrib/unbound/testdata/serve_expired_0ttl_nodata.rpl154
-rw-r--r--contrib/unbound/testdata/serve_expired_0ttl_nxdomain.rpl154
-rw-r--r--contrib/unbound/testdata/serve_expired_0ttl_servfail.rpl129
-rw-r--r--contrib/unbound/testdata/serve_expired_cached_servfail.rpl130
-rw-r--r--contrib/unbound/testdata/serve_expired_cached_servfail_refresh.rpl145
-rw-r--r--contrib/unbound/testdata/stat_values.tdir/stat_values_cachedb.conf36
-rw-r--r--contrib/unbound/testdata/stat_values.tdir/stat_values_downstream_cookies.conf (renamed from contrib/unbound/testdata/http_user_agent.tdir/http_user_agent.conf)40
-rw-r--r--contrib/unbound/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.conf19
-rw-r--r--contrib/unbound/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.dsc16
-rw-r--r--contrib/unbound/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.post10
-rw-r--r--contrib/unbound/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.test37
-rw-r--r--contrib/unbound/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.testns48
-rw-r--r--contrib/unbound/testdata/subnet_cached_ede.crpl114
-rw-r--r--contrib/unbound/testdata/subnet_cached_servfail.crpl167
-rw-r--r--contrib/unbound/testdata/subnet_global_prefetch.crpl236
-rw-r--r--contrib/unbound/testdata/subnet_global_prefetch_always_forward.crpl167
-rw-r--r--contrib/unbound/testdata/subnet_global_prefetch_expired.crpl241
-rw-r--r--contrib/unbound/testdata/subnet_prezero.crpl155
-rw-r--r--contrib/unbound/testdata/subnet_scopezero_noedns.crpl441
-rw-r--r--contrib/unbound/testdata/svcb.tdir/crypto.cloudflare.com.zone9
-rw-r--r--contrib/unbound/testdata/svcb.tdir/svcb.dsc16
-rw-r--r--contrib/unbound/testdata/svcb.tdir/svcb.failure-cases-019
-rw-r--r--contrib/unbound/testdata/svcb.tdir/svcb.failure-cases-028
-rw-r--r--contrib/unbound/testdata/svcb.tdir/svcb.failure-cases-038
-rw-r--r--contrib/unbound/testdata/svcb.tdir/svcb.failure-cases-048
-rw-r--r--contrib/unbound/testdata/svcb.tdir/svcb.success-cases.zone47
-rw-r--r--contrib/unbound/testdata/svcb.tdir/svcb.success-cases.zone.cmp10
-rw-r--r--contrib/unbound/testdata/svcb.tdir/svcb.test97
-rw-r--r--contrib/unbound/testdata/svcb.tdir/svcb.test-vectors-pf.zone92
-rw-r--r--contrib/unbound/testdata/svcb.tdir/svcb.test-vectors-wf.zone232
-rw-r--r--contrib/unbound/testdata/val_any_negcache.rpl243
-rw-r--r--contrib/unbound/testdata/val_scrub_rr_length.rpl164
-rw-r--r--contrib/unbound/testdata/zonemd.example1.zone4
-rw-r--r--contrib/unbound/testdata/zonemd.example10.zone35
-rw-r--r--contrib/unbound/testdata/zonemd.example11.zone33
-rw-r--r--contrib/unbound/testdata/zonemd.example12.zone35
-rw-r--r--contrib/unbound/testdata/zonemd.example13.zone33
-rw-r--r--contrib/unbound/testdata/zonemd.example14.zone35
-rw-r--r--contrib/unbound/testdata/zonemd.example15.zone35
-rw-r--r--contrib/unbound/testdata/zonemd.example16.zone11
-rw-r--r--contrib/unbound/testdata/zonemd.example17.zone11
-rw-r--r--contrib/unbound/testdata/zonemd.example2.zone15
-rw-r--r--contrib/unbound/testdata/zonemd.example3.zone34
-rw-r--r--contrib/unbound/testdata/zonemd.example4.zone36
-rw-r--r--contrib/unbound/testdata/zonemd.example5.zone34
-rw-r--r--contrib/unbound/testdata/zonemd.example6.zone36
-rw-r--r--contrib/unbound/testdata/zonemd.example7.zone31
-rw-r--r--contrib/unbound/testdata/zonemd.example8.zone34
-rw-r--r--contrib/unbound/testdata/zonemd.example9.zone35
-rw-r--r--contrib/unbound/testdata/zonemd.example_a1.zone6
-rw-r--r--contrib/unbound/testdata/zonemd.example_a2.zone25
-rw-r--r--contrib/unbound/testdata/zonemd.example_a3.zone30
-rw-r--r--contrib/unbound/testdata/zonemd.example_a4.zone127
-rw-r--r--contrib/unbound/testdata/zonemd.example_a5.zone48
-rw-r--r--contrib/unbound/testdata/zonemd_reload.tdir/zonemd_reload.dsc16
-rw-r--r--contrib/unbound/testdata/zonemd_reload.tdir/zonemd_reload.test74
-rw-r--r--contrib/unbound/testdata/zonemd_reload.tdir/zonemd_reload.testns27
-rw-r--r--contrib/unbound/testdata/zonemd_reload.tdir/zonemd_reload.zone8
145 files changed, 5655 insertions, 8751 deletions
diff --git a/contrib/unbound/testdata/00-lint.tdir/00-lint.pre b/contrib/unbound/testdata/00-lint.tdir/00-lint.pre
new file mode 100644
index 000000000000..507f5e1e9454
--- /dev/null
+++ b/contrib/unbound/testdata/00-lint.tdir/00-lint.pre
@@ -0,0 +1,14 @@
+# #-- 00-lint.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+PRE="../.."
+
+if test -f $PRE/unbound_test_00-lint ; then
+ echo test enabled
+else
+ skip_test "test skipped; clang linter preferred over splint"
+fi
diff --git a/contrib/unbound/testdata/09-unbound-control.tdir/conf.bad_credentials b/contrib/unbound/testdata/09-unbound-control.tdir/conf.bad_credentials
new file mode 100644
index 000000000000..11a131130000
--- /dev/null
+++ b/contrib/unbound/testdata/09-unbound-control.tdir/conf.bad_credentials
@@ -0,0 +1,5 @@
+remote-control:
+ server-key-file: bad_server.key
+ server-cert-file: bad_server.pem
+ control-key-file: bad_control.key
+ control-cert-file: bad_control.pem
diff --git a/contrib/unbound/testdata/09-unbound-control.tdir/conf.spoofed_credentials b/contrib/unbound/testdata/09-unbound-control.tdir/conf.spoofed_credentials
new file mode 100644
index 000000000000..25cb830dca4e
--- /dev/null
+++ b/contrib/unbound/testdata/09-unbound-control.tdir/conf.spoofed_credentials
@@ -0,0 +1,5 @@
+remote-control:
+ server-key-file: unbound_server.key
+ server-cert-file: unbound_server.pem
+ control-key-file: bad_control.key
+ control-cert-file: bad_control.pem
diff --git a/contrib/unbound/testdata/auth_zonemd_anchor.rpl b/contrib/unbound/testdata/auth_zonemd_anchor.rpl
deleted file mode 100644
index c443f7d43f10..000000000000
--- a/contrib/unbound/testdata/auth_zonemd_anchor.rpl
+++ /dev/null
@@ -1,234 +0,0 @@
-; config options
-server:
- target-fetch-policy: "0 0 0 0 0"
- trust-anchor: "example.com. DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af"
- trust-anchor-signaling: no
- val-override-date: 20201020135527
-
-auth-zone:
- name: "example.com."
- ## zonefile (or none).
- ## zonefile: "example.com.zone"
- ## master by IP address or hostname
- ## can list multiple masters, each on one line.
- ## master:
- ## url for http fetch
- ## url:
- ## queries from downstream clients get authoritative answers.
- ## for-downstream: yes
- for-downstream: no
- ## queries are used to fetch authoritative answers from this zone,
- ## instead of unbound itself sending queries there.
- ## for-upstream: yes
- for-upstream: yes
- ## on failures with for-upstream, fallback to sending queries to
- ## the authority servers
- ## fallback-enabled: no
- zonemd-check: yes
-
- ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
- zonefile:
-TEMPFILE_NAME example.com
- ## this is the inline file /tmp/xxx.example.com
- ## the tempfiles are deleted when the testrun is over.
-TEMPFILE_CONTENTS example.com
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b}
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-example.com. 3600 IN TYPE63 \# 70 0bee1bc6010258f7620f93204bbb31b44f795b3409cc4abd9ef5601decc15675bd7751213152984eddce0626e6062e744b03b3e47711202fbb79e4a2eb8bc5cf46741b5cae6f
-example.com. 3600 IN RRSIG TYPE63 8 2 3600 20201116135527 20201019135527 55566 example.com. orn8ZF/yqj9u4WrhiO6gtEcTaVsnZSWWZLfXhcIOiWSB8kKCxtZl5cG17dD3Du1NllUwMRqkp0KleLhIoUS9xeQ/0x05u+CYLrfQ62oAiD7q54ZQzpXJIH52aQzKV70ZnO03CZowhQBnetmIoKX6xLogKo8pt+BdQbo3oVHxV8Y=
-example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY TYPE63
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ufLrlOQprAqjnH85Rt3T0Mxd3ZB0mBeeNIr84eFJ8Rk6WiWEPm0Y1R7GRufNI24Mj7iqLcL4nJM6KK6B7dJqjqu73jw1acuYNnbsoV2BNDRXRFP2FNWTpctVdi+955f3FzgsmEJXfGiSUG0YXAEcZmdCPCn5ii2jk8mk7r6KKYo=
-bar.example.com. 3600 IN A 1.2.3.4
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC
-bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC
-ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC
-foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC
-ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
-www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI=
-TEMPFILE_END
-
-stub-zone:
- name: "."
- stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test authority zone with ZONEMD from zonefile with trust anchor
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
- ADDRESS 193.0.14.129
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET. IN A 193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION AUTHORITY
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
- ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qname qtype
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-example.com. IN DS
-SECTION ANSWER
-example.com. 3600 IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af
-example.com. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 com. BpV1M171SSkbdlGawwweJwQ0W+aNaCrgkt2QTsxCvbo1acR5i3AKm4REOUzo4I36lRx26mYkF9Topkeu0aFmov7P2uUhCxk4faFK7k87k97FAqZaDGp/K9b3YCfiwJBc5pJSUW0ndU/Ve5zAh/wL493RMSC7LwJr5JjV0NxydFk=
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION AUTHORITY
-example.com. IN NS ns.example.com.
-example.com. 3600 IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af
-example.com. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 com. BpV1M171SSkbdlGawwweJwQ0W+aNaCrgkt2QTsxCvbo1acR5i3AKm4REOUzo4I36lRx26mYkF9Topkeu0aFmov7P2uUhCxk4faFK7k87k97FAqZaDGp/K9b3YCfiwJBc5pJSUW0ndU/Ve5zAh/wL493RMSC7LwJr5JjV0NxydFk=
-SECTION ADDITIONAL
-ns.example.com. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-com. IN DNSKEY
-SECTION ANSWER
-com. 3600 IN DNSKEY 257 3 8 AwEAAbd9WqjzE2Pynz21OG5doSf9hFzMr5dhzz2waZ3vTa+0o5r7AjTAqmA1yH/B3+aAMihUm5ucZSfVqo7+kOaRE8yFj9aivOmA1n1+JLevJq/oyvQyjxQN2Qb89LyaNUT5oKZIiL+uyyhNW3KDR3SSbQ/GBwQNDHVcZi+JDR3RC0r7 ;{id = 1444 (ksk), size = 1024b}
-com. 3600 IN RRSIG DNSKEY 8 1 3600 20201116135527 20201019135527 1444 com. BEOMfWvi6RgnHaHsst+Ed265hBuCkgMR7gDpu89J7ZrVL6DzMKnNVFdgjl/9xwLj/pkukc7qeLSHjAfLlN0E4THW7PVshscQnjvXCkktG2Ejx9fTyllAqeGDh9z9QDGlQZIGTMgb9413qZhNqe2Tda9PTJRpiZ8b4bdQp6V1kVo=
-SECTION ADDITIONAL
-ENTRY_END
-
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
- ADDRESS 1.2.3.44
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-ns.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN A
-SECTION ANSWER
-ns.example.net. IN A 1.2.3.44
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN AAAA
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-www.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 10.20.30.40
-ENTRY_END
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 20 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 127.0.0.1
-ENTRY_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/auth_zonemd_anchor_fail.rpl b/contrib/unbound/testdata/auth_zonemd_anchor_fail.rpl
deleted file mode 100644
index d055174dcbe7..000000000000
--- a/contrib/unbound/testdata/auth_zonemd_anchor_fail.rpl
+++ /dev/null
@@ -1,236 +0,0 @@
-; config options
-server:
- target-fetch-policy: "0 0 0 0 0"
- ; correct anchor
- ; trust-anchor: "example.com. DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af"
- ; wrong anchor
- trust-anchor: "example.com. DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deeaaaaa"
- trust-anchor-signaling: no
- val-override-date: 20201020135527
-
-auth-zone:
- name: "example.com."
- ## zonefile (or none).
- ## zonefile: "example.com.zone"
- ## master by IP address or hostname
- ## can list multiple masters, each on one line.
- ## master:
- ## url for http fetch
- ## url:
- ## queries from downstream clients get authoritative answers.
- ## for-downstream: yes
- for-downstream: no
- ## queries are used to fetch authoritative answers from this zone,
- ## instead of unbound itself sending queries there.
- ## for-upstream: yes
- for-upstream: yes
- ## on failures with for-upstream, fallback to sending queries to
- ## the authority servers
- ## fallback-enabled: no
- zonemd-check: yes
-
- ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
- zonefile:
-TEMPFILE_NAME example.com
- ## this is the inline file /tmp/xxx.example.com
- ## the tempfiles are deleted when the testrun is over.
-TEMPFILE_CONTENTS example.com
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b}
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-example.com. 3600 IN TYPE63 \# 70 0bee1bc6010258f7620f93204bbb31b44f795b3409cc4abd9ef5601decc15675bd7751213152984eddce0626e6062e744b03b3e47711202fbb79e4a2eb8bc5cf46741b5cae6f
-example.com. 3600 IN RRSIG TYPE63 8 2 3600 20201116135527 20201019135527 55566 example.com. orn8ZF/yqj9u4WrhiO6gtEcTaVsnZSWWZLfXhcIOiWSB8kKCxtZl5cG17dD3Du1NllUwMRqkp0KleLhIoUS9xeQ/0x05u+CYLrfQ62oAiD7q54ZQzpXJIH52aQzKV70ZnO03CZowhQBnetmIoKX6xLogKo8pt+BdQbo3oVHxV8Y=
-example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY TYPE63
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ufLrlOQprAqjnH85Rt3T0Mxd3ZB0mBeeNIr84eFJ8Rk6WiWEPm0Y1R7GRufNI24Mj7iqLcL4nJM6KK6B7dJqjqu73jw1acuYNnbsoV2BNDRXRFP2FNWTpctVdi+955f3FzgsmEJXfGiSUG0YXAEcZmdCPCn5ii2jk8mk7r6KKYo=
-bar.example.com. 3600 IN A 1.2.3.4
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC
-bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC
-ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC
-foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC
-ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
-www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI=
-TEMPFILE_END
-
-stub-zone:
- name: "."
- stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test authority zone with ZONEMD from zonefile with failed trust anchor
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
- ADDRESS 193.0.14.129
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET. IN A 193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION AUTHORITY
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
- ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qname qtype
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-example.com. IN DS
-SECTION ANSWER
-example.com. 3600 IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af
-example.com. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 com. BpV1M171SSkbdlGawwweJwQ0W+aNaCrgkt2QTsxCvbo1acR5i3AKm4REOUzo4I36lRx26mYkF9Topkeu0aFmov7P2uUhCxk4faFK7k87k97FAqZaDGp/K9b3YCfiwJBc5pJSUW0ndU/Ve5zAh/wL493RMSC7LwJr5JjV0NxydFk=
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION AUTHORITY
-example.com. IN NS ns.example.com.
-example.com. 3600 IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af
-example.com. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 com. BpV1M171SSkbdlGawwweJwQ0W+aNaCrgkt2QTsxCvbo1acR5i3AKm4REOUzo4I36lRx26mYkF9Topkeu0aFmov7P2uUhCxk4faFK7k87k97FAqZaDGp/K9b3YCfiwJBc5pJSUW0ndU/Ve5zAh/wL493RMSC7LwJr5JjV0NxydFk=
-SECTION ADDITIONAL
-ns.example.com. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-com. IN DNSKEY
-SECTION ANSWER
-com. 3600 IN DNSKEY 257 3 8 AwEAAbd9WqjzE2Pynz21OG5doSf9hFzMr5dhzz2waZ3vTa+0o5r7AjTAqmA1yH/B3+aAMihUm5ucZSfVqo7+kOaRE8yFj9aivOmA1n1+JLevJq/oyvQyjxQN2Qb89LyaNUT5oKZIiL+uyyhNW3KDR3SSbQ/GBwQNDHVcZi+JDR3RC0r7 ;{id = 1444 (ksk), size = 1024b}
-com. 3600 IN RRSIG DNSKEY 8 1 3600 20201116135527 20201019135527 1444 com. BEOMfWvi6RgnHaHsst+Ed265hBuCkgMR7gDpu89J7ZrVL6DzMKnNVFdgjl/9xwLj/pkukc7qeLSHjAfLlN0E4THW7PVshscQnjvXCkktG2Ejx9fTyllAqeGDh9z9QDGlQZIGTMgb9413qZhNqe2Tda9PTJRpiZ8b4bdQp6V1kVo=
-SECTION ADDITIONAL
-ENTRY_END
-
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
- ADDRESS 1.2.3.44
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-ns.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN A
-SECTION ANSWER
-ns.example.net. IN A 1.2.3.44
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN AAAA
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-www.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 10.20.30.40
-ENTRY_END
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 20 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA SERVFAIL
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-ENTRY_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/auth_zonemd_chain.rpl b/contrib/unbound/testdata/auth_zonemd_chain.rpl
deleted file mode 100644
index 74479274fa97..000000000000
--- a/contrib/unbound/testdata/auth_zonemd_chain.rpl
+++ /dev/null
@@ -1,234 +0,0 @@
-; config options
-server:
- target-fetch-policy: "0 0 0 0 0"
- trust-anchor: "com. DS 1444 8 2 0d72034e3e18a9ef383c164b68302433bbde957616e10cf44575fea2abae469c"
- trust-anchor-signaling: no
- val-override-date: 20201020135527
-
-auth-zone:
- name: "example.com."
- ## zonefile (or none).
- ## zonefile: "example.com.zone"
- ## master by IP address or hostname
- ## can list multiple masters, each on one line.
- ## master:
- ## url for http fetch
- ## url:
- ## queries from downstream clients get authoritative answers.
- ## for-downstream: yes
- for-downstream: no
- ## queries are used to fetch authoritative answers from this zone,
- ## instead of unbound itself sending queries there.
- ## for-upstream: yes
- for-upstream: yes
- ## on failures with for-upstream, fallback to sending queries to
- ## the authority servers
- ## fallback-enabled: no
- zonemd-check: yes
-
- ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
- zonefile:
-TEMPFILE_NAME example.com
- ## this is the inline file /tmp/xxx.example.com
- ## the tempfiles are deleted when the testrun is over.
-TEMPFILE_CONTENTS example.com
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b}
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-example.com. 3600 IN TYPE63 \# 70 0bee1bc6010258f7620f93204bbb31b44f795b3409cc4abd9ef5601decc15675bd7751213152984eddce0626e6062e744b03b3e47711202fbb79e4a2eb8bc5cf46741b5cae6f
-example.com. 3600 IN RRSIG TYPE63 8 2 3600 20201116135527 20201019135527 55566 example.com. orn8ZF/yqj9u4WrhiO6gtEcTaVsnZSWWZLfXhcIOiWSB8kKCxtZl5cG17dD3Du1NllUwMRqkp0KleLhIoUS9xeQ/0x05u+CYLrfQ62oAiD7q54ZQzpXJIH52aQzKV70ZnO03CZowhQBnetmIoKX6xLogKo8pt+BdQbo3oVHxV8Y=
-example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY TYPE63
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ufLrlOQprAqjnH85Rt3T0Mxd3ZB0mBeeNIr84eFJ8Rk6WiWEPm0Y1R7GRufNI24Mj7iqLcL4nJM6KK6B7dJqjqu73jw1acuYNnbsoV2BNDRXRFP2FNWTpctVdi+955f3FzgsmEJXfGiSUG0YXAEcZmdCPCn5ii2jk8mk7r6KKYo=
-bar.example.com. 3600 IN A 1.2.3.4
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC
-bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC
-ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC
-foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC
-ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
-www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI=
-TEMPFILE_END
-
-stub-zone:
- name: "."
- stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test authority zone with ZONEMD from zonefile with chain of trust
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
- ADDRESS 193.0.14.129
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET. IN A 193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION AUTHORITY
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
- ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qname qtype
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-example.com. IN DS
-SECTION ANSWER
-example.com. 3600 IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af
-example.com. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 com. BpV1M171SSkbdlGawwweJwQ0W+aNaCrgkt2QTsxCvbo1acR5i3AKm4REOUzo4I36lRx26mYkF9Topkeu0aFmov7P2uUhCxk4faFK7k87k97FAqZaDGp/K9b3YCfiwJBc5pJSUW0ndU/Ve5zAh/wL493RMSC7LwJr5JjV0NxydFk=
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION AUTHORITY
-example.com. IN NS ns.example.com.
-example.com. 3600 IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af
-example.com. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 com. BpV1M171SSkbdlGawwweJwQ0W+aNaCrgkt2QTsxCvbo1acR5i3AKm4REOUzo4I36lRx26mYkF9Topkeu0aFmov7P2uUhCxk4faFK7k87k97FAqZaDGp/K9b3YCfiwJBc5pJSUW0ndU/Ve5zAh/wL493RMSC7LwJr5JjV0NxydFk=
-SECTION ADDITIONAL
-ns.example.com. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-com. IN DNSKEY
-SECTION ANSWER
-com. 3600 IN DNSKEY 257 3 8 AwEAAbd9WqjzE2Pynz21OG5doSf9hFzMr5dhzz2waZ3vTa+0o5r7AjTAqmA1yH/B3+aAMihUm5ucZSfVqo7+kOaRE8yFj9aivOmA1n1+JLevJq/oyvQyjxQN2Qb89LyaNUT5oKZIiL+uyyhNW3KDR3SSbQ/GBwQNDHVcZi+JDR3RC0r7 ;{id = 1444 (ksk), size = 1024b}
-com. 3600 IN RRSIG DNSKEY 8 1 3600 20201116135527 20201019135527 1444 com. BEOMfWvi6RgnHaHsst+Ed265hBuCkgMR7gDpu89J7ZrVL6DzMKnNVFdgjl/9xwLj/pkukc7qeLSHjAfLlN0E4THW7PVshscQnjvXCkktG2Ejx9fTyllAqeGDh9z9QDGlQZIGTMgb9413qZhNqe2Tda9PTJRpiZ8b4bdQp6V1kVo=
-SECTION ADDITIONAL
-ENTRY_END
-
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
- ADDRESS 1.2.3.44
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-ns.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN A
-SECTION ANSWER
-ns.example.net. IN A 1.2.3.44
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN AAAA
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-www.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 10.20.30.40
-ENTRY_END
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 20 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 127.0.0.1
-ENTRY_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/auth_zonemd_chain_fail.rpl b/contrib/unbound/testdata/auth_zonemd_chain_fail.rpl
deleted file mode 100644
index 393b1c028fa9..000000000000
--- a/contrib/unbound/testdata/auth_zonemd_chain_fail.rpl
+++ /dev/null
@@ -1,236 +0,0 @@
-; config options
-server:
- target-fetch-policy: "0 0 0 0 0"
- trust-anchor: "com. DS 1444 8 2 0d72034e3e18a9ef383c164b68302433bbde957616e10cf44575fea2abae469c"
- trust-anchor-signaling: no
- val-override-date: 20201020135527
-
-auth-zone:
- name: "example.com."
- ## zonefile (or none).
- ## zonefile: "example.com.zone"
- ## master by IP address or hostname
- ## can list multiple masters, each on one line.
- ## master:
- ## url for http fetch
- ## url:
- ## queries from downstream clients get authoritative answers.
- ## for-downstream: yes
- for-downstream: no
- ## queries are used to fetch authoritative answers from this zone,
- ## instead of unbound itself sending queries there.
- ## for-upstream: yes
- for-upstream: yes
- ## on failures with for-upstream, fallback to sending queries to
- ## the authority servers
- ## fallback-enabled: no
- zonemd-check: yes
-
- ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
- zonefile:
-TEMPFILE_NAME example.com
- ## this is the inline file /tmp/xxx.example.com
- ## the tempfiles are deleted when the testrun is over.
-TEMPFILE_CONTENTS example.com
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-; dnskey is wrong:
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+AAAAA ;{id = 55566 (zsk), size = 1024b}
-; dnskey that was correct:
-;example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b}
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-example.com. 3600 IN TYPE63 \# 70 0bee1bc6010258f7620f93204bbb31b44f795b3409cc4abd9ef5601decc15675bd7751213152984eddce0626e6062e744b03b3e47711202fbb79e4a2eb8bc5cf46741b5cae6f
-example.com. 3600 IN RRSIG TYPE63 8 2 3600 20201116135527 20201019135527 55566 example.com. orn8ZF/yqj9u4WrhiO6gtEcTaVsnZSWWZLfXhcIOiWSB8kKCxtZl5cG17dD3Du1NllUwMRqkp0KleLhIoUS9xeQ/0x05u+CYLrfQ62oAiD7q54ZQzpXJIH52aQzKV70ZnO03CZowhQBnetmIoKX6xLogKo8pt+BdQbo3oVHxV8Y=
-example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY TYPE63
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ufLrlOQprAqjnH85Rt3T0Mxd3ZB0mBeeNIr84eFJ8Rk6WiWEPm0Y1R7GRufNI24Mj7iqLcL4nJM6KK6B7dJqjqu73jw1acuYNnbsoV2BNDRXRFP2FNWTpctVdi+955f3FzgsmEJXfGiSUG0YXAEcZmdCPCn5ii2jk8mk7r6KKYo=
-bar.example.com. 3600 IN A 1.2.3.4
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC
-bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC
-ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC
-foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC
-ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
-www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI=
-TEMPFILE_END
-
-stub-zone:
- name: "."
- stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test authority zone with ZONEMD from zonefile with failed chain of trust
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
- ADDRESS 193.0.14.129
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET. IN A 193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION AUTHORITY
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
- ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qname qtype
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-example.com. IN DS
-SECTION ANSWER
-example.com. 3600 IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af
-example.com. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 com. BpV1M171SSkbdlGawwweJwQ0W+aNaCrgkt2QTsxCvbo1acR5i3AKm4REOUzo4I36lRx26mYkF9Topkeu0aFmov7P2uUhCxk4faFK7k87k97FAqZaDGp/K9b3YCfiwJBc5pJSUW0ndU/Ve5zAh/wL493RMSC7LwJr5JjV0NxydFk=
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION AUTHORITY
-example.com. IN NS ns.example.com.
-example.com. 3600 IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af
-example.com. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 com. BpV1M171SSkbdlGawwweJwQ0W+aNaCrgkt2QTsxCvbo1acR5i3AKm4REOUzo4I36lRx26mYkF9Topkeu0aFmov7P2uUhCxk4faFK7k87k97FAqZaDGp/K9b3YCfiwJBc5pJSUW0ndU/Ve5zAh/wL493RMSC7LwJr5JjV0NxydFk=
-SECTION ADDITIONAL
-ns.example.com. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-com. IN DNSKEY
-SECTION ANSWER
-com. 3600 IN DNSKEY 257 3 8 AwEAAbd9WqjzE2Pynz21OG5doSf9hFzMr5dhzz2waZ3vTa+0o5r7AjTAqmA1yH/B3+aAMihUm5ucZSfVqo7+kOaRE8yFj9aivOmA1n1+JLevJq/oyvQyjxQN2Qb89LyaNUT5oKZIiL+uyyhNW3KDR3SSbQ/GBwQNDHVcZi+JDR3RC0r7 ;{id = 1444 (ksk), size = 1024b}
-com. 3600 IN RRSIG DNSKEY 8 1 3600 20201116135527 20201019135527 1444 com. BEOMfWvi6RgnHaHsst+Ed265hBuCkgMR7gDpu89J7ZrVL6DzMKnNVFdgjl/9xwLj/pkukc7qeLSHjAfLlN0E4THW7PVshscQnjvXCkktG2Ejx9fTyllAqeGDh9z9QDGlQZIGTMgb9413qZhNqe2Tda9PTJRpiZ8b4bdQp6V1kVo=
-SECTION ADDITIONAL
-ENTRY_END
-
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
- ADDRESS 1.2.3.44
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-ns.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN A
-SECTION ANSWER
-ns.example.net. IN A 1.2.3.44
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN AAAA
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-www.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 10.20.30.40
-ENTRY_END
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 20 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA SERVFAIL
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-ENTRY_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/auth_zonemd_file.rpl b/contrib/unbound/testdata/auth_zonemd_file.rpl
deleted file mode 100644
index bdf0ccbae74f..000000000000
--- a/contrib/unbound/testdata/auth_zonemd_file.rpl
+++ /dev/null
@@ -1,183 +0,0 @@
-; config options
-server:
- target-fetch-policy: "0 0 0 0 0"
-
-auth-zone:
- name: "example.com."
- ## zonefile (or none).
- ## zonefile: "example.com.zone"
- ## master by IP address or hostname
- ## can list multiple masters, each on one line.
- ## master:
- ## url for http fetch
- ## url:
- ## queries from downstream clients get authoritative answers.
- ## for-downstream: yes
- for-downstream: no
- ## queries are used to fetch authoritative answers from this zone,
- ## instead of unbound itself sending queries there.
- ## for-upstream: yes
- for-upstream: yes
- ## on failures with for-upstream, fallback to sending queries to
- ## the authority servers
- ## fallback-enabled: no
- zonemd-check: yes
-
- ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
- zonefile:
-TEMPFILE_NAME example.com
- ## this is the inline file /tmp/xxx.example.com
- ## the tempfiles are deleted when the testrun is over.
-TEMPFILE_CONTENTS example.com
-example.com. IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. IN NS ns.example.com.
-example.com. IN ZONEMD 200154054 1 2 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D728B22
-www.example.com. IN A 127.0.0.1
-ns.example.com. IN A 127.0.0.1
-bar.example.com. IN A 1.2.3.4
-ding.example.com. IN A 1.2.3.4
-foo.example.com. IN A 1.2.3.4
-TEMPFILE_END
-
-stub-zone:
- name: "."
- stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test authority zone with ZONEMD from zonefile
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
- ADDRESS 193.0.14.129
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET. IN A 193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION AUTHORITY
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
- ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION AUTHORITY
-example.com. IN NS ns.example.com.
-SECTION ADDITIONAL
-ns.example.com. IN A 1.2.3.44
-ENTRY_END
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
- ADDRESS 1.2.3.44
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-ns.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN A
-SECTION ANSWER
-ns.example.net. IN A 1.2.3.44
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN AAAA
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-www.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 10.20.30.40
-ENTRY_END
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 20 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 127.0.0.1
-ENTRY_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/auth_zonemd_file_fail.rpl b/contrib/unbound/testdata/auth_zonemd_file_fail.rpl
deleted file mode 100644
index 69487cf6512c..000000000000
--- a/contrib/unbound/testdata/auth_zonemd_file_fail.rpl
+++ /dev/null
@@ -1,185 +0,0 @@
-; config options
-server:
- target-fetch-policy: "0 0 0 0 0"
-
-auth-zone:
- name: "example.com."
- ## zonefile (or none).
- ## zonefile: "example.com.zone"
- ## master by IP address or hostname
- ## can list multiple masters, each on one line.
- ## master:
- ## url for http fetch
- ## url:
- ## queries from downstream clients get authoritative answers.
- ## for-downstream: yes
- for-downstream: no
- ## queries are used to fetch authoritative answers from this zone,
- ## instead of unbound itself sending queries there.
- ## for-upstream: yes
- for-upstream: yes
- ## on failures with for-upstream, fallback to sending queries to
- ## the authority servers
- ## fallback-enabled: no
- zonemd-check: yes
-
- ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
- zonefile:
-TEMPFILE_NAME example.com
- ## this is the inline file /tmp/xxx.example.com
- ## the tempfiles are deleted when the testrun is over.
-TEMPFILE_CONTENTS example.com
-example.com. IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. IN NS ns.example.com.
-; good zonemd
-;example.com. IN ZONEMD 200154054 1 2 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D728B22
-; wrong zonemd
-example.com. IN ZONEMD 200154054 1 2 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D7AAAAA
-www.example.com. IN A 127.0.0.1
-ns.example.com. IN A 127.0.0.1
-bar.example.com. IN A 1.2.3.4
-ding.example.com. IN A 1.2.3.4
-foo.example.com. IN A 1.2.3.4
-TEMPFILE_END
-
-stub-zone:
- name: "."
- stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test authority zone with ZONEMD failure from zonefile
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
- ADDRESS 193.0.14.129
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET. IN A 193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION AUTHORITY
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
- ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION AUTHORITY
-example.com. IN NS ns.example.com.
-SECTION ADDITIONAL
-ns.example.com. IN A 1.2.3.44
-ENTRY_END
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
- ADDRESS 1.2.3.44
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-ns.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN A
-SECTION ANSWER
-ns.example.net. IN A 1.2.3.44
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN AAAA
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-www.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 10.20.30.40
-ENTRY_END
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 20 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA SERVFAIL
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-ENTRY_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/auth_zonemd_insecure.rpl b/contrib/unbound/testdata/auth_zonemd_insecure.rpl
deleted file mode 100644
index 18a4117d86ac..000000000000
--- a/contrib/unbound/testdata/auth_zonemd_insecure.rpl
+++ /dev/null
@@ -1,215 +0,0 @@
-; config options
-server:
- target-fetch-policy: "0 0 0 0 0"
- trust-anchor: "com. DS 1444 8 2 0d72034e3e18a9ef383c164b68302433bbde957616e10cf44575fea2abae469c"
- trust-anchor-signaling: no
- val-override-date: 20201020135527
-
-auth-zone:
- name: "example.com."
- ## zonefile (or none).
- ## zonefile: "example.com.zone"
- ## master by IP address or hostname
- ## can list multiple masters, each on one line.
- ## master:
- ## url for http fetch
- ## url:
- ## queries from downstream clients get authoritative answers.
- ## for-downstream: yes
- for-downstream: no
- ## queries are used to fetch authoritative answers from this zone,
- ## instead of unbound itself sending queries there.
- ## for-upstream: yes
- for-upstream: yes
- ## on failures with for-upstream, fallback to sending queries to
- ## the authority servers
- ## fallback-enabled: no
- zonemd-check: yes
-
- ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
- zonefile:
-TEMPFILE_NAME example.com
- ## this is the inline file /tmp/xxx.example.com
- ## the tempfiles are deleted when the testrun is over.
-TEMPFILE_CONTENTS example.com
-example.com. IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. IN NS ns.example.com.
-example.com. IN ZONEMD 200154054 1 2 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D728B22
-www.example.com. IN A 127.0.0.1
-ns.example.com. IN A 127.0.0.1
-bar.example.com. IN A 1.2.3.4
-ding.example.com. IN A 1.2.3.4
-foo.example.com. IN A 1.2.3.4
-TEMPFILE_END
-
-stub-zone:
- name: "."
- stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test authority zone with ZONEMD that is securely insecure
-; the trust anchor finds an online delegation with an insecure DS referral.
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
- ADDRESS 193.0.14.129
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET. IN A 193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION AUTHORITY
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
- ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qname qtype
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-example.com. IN DS
-SECTION AUTHORITY
-com. SOA a.gtld-servers.net. nstld.verisign-grs.com. 1603979208 1800 900 604800 86400
-com. 3600 IN RRSIG SOA 8 1 3600 20201116135527 20201019135527 1444 com. LTUZ8PlkMLX+dBZLGcJcahrzOgf1PgYbi/s5VKyR9iyYKeP6qdxO5VehUVHdXfmUiXrsszvhAHzo4AZnfRbDkK6uTfMKCSIB1aXOU4A74LpjhJBsXjyo3CN3IK/dMS/FpJfAb6JnuQV1E3ytDd34yNsoBazEjYeoN1kymGAttbM=
-example.com. IN NSEC foo.com. NS RRSIG
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 1444 com. KK6ci3DUnGJ9gaBBqS+71TiFBGcl51YLZAYGADDWuSgFOLLbh1nV//la08zE1i8ITQjjsqyRw7/MA8LWpPR3TnUjJLk6mBd/kB3dJ8BHWRqcyreFo6Pu383oCcXTpwkFcL4ulhp54LUxbA3arWVjWbx8815vvNKsEtWUyrz4LN8=
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION AUTHORITY
-example.com. IN NS ns.example.com.
-example.com. IN NSEC foo.com. NS RRSIG
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 1444 com. KK6ci3DUnGJ9gaBBqS+71TiFBGcl51YLZAYGADDWuSgFOLLbh1nV//la08zE1i8ITQjjsqyRw7/MA8LWpPR3TnUjJLk6mBd/kB3dJ8BHWRqcyreFo6Pu383oCcXTpwkFcL4ulhp54LUxbA3arWVjWbx8815vvNKsEtWUyrz4LN8=
-SECTION ADDITIONAL
-ns.example.com. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-com. IN DNSKEY
-SECTION ANSWER
-com. 3600 IN DNSKEY 257 3 8 AwEAAbd9WqjzE2Pynz21OG5doSf9hFzMr5dhzz2waZ3vTa+0o5r7AjTAqmA1yH/B3+aAMihUm5ucZSfVqo7+kOaRE8yFj9aivOmA1n1+JLevJq/oyvQyjxQN2Qb89LyaNUT5oKZIiL+uyyhNW3KDR3SSbQ/GBwQNDHVcZi+JDR3RC0r7 ;{id = 1444 (ksk), size = 1024b}
-com. 3600 IN RRSIG DNSKEY 8 1 3600 20201116135527 20201019135527 1444 com. BEOMfWvi6RgnHaHsst+Ed265hBuCkgMR7gDpu89J7ZrVL6DzMKnNVFdgjl/9xwLj/pkukc7qeLSHjAfLlN0E4THW7PVshscQnjvXCkktG2Ejx9fTyllAqeGDh9z9QDGlQZIGTMgb9413qZhNqe2Tda9PTJRpiZ8b4bdQp6V1kVo=
-SECTION ADDITIONAL
-ENTRY_END
-
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
- ADDRESS 1.2.3.44
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-ns.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN A
-SECTION ANSWER
-ns.example.net. IN A 1.2.3.44
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN AAAA
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-www.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 10.20.30.40
-ENTRY_END
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 20 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 127.0.0.1
-ENTRY_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/auth_zonemd_insecure_absent.rpl b/contrib/unbound/testdata/auth_zonemd_insecure_absent.rpl
deleted file mode 100644
index 1c3f488080ee..000000000000
--- a/contrib/unbound/testdata/auth_zonemd_insecure_absent.rpl
+++ /dev/null
@@ -1,217 +0,0 @@
-; config options
-server:
- target-fetch-policy: "0 0 0 0 0"
- trust-anchor: "com. DS 1444 8 2 0d72034e3e18a9ef383c164b68302433bbde957616e10cf44575fea2abae469c"
- trust-anchor-signaling: no
- val-override-date: 20201020135527
-
-auth-zone:
- name: "example.com."
- ## zonefile (or none).
- ## zonefile: "example.com.zone"
- ## master by IP address or hostname
- ## can list multiple masters, each on one line.
- ## master:
- ## url for http fetch
- ## url:
- ## queries from downstream clients get authoritative answers.
- ## for-downstream: yes
- for-downstream: no
- ## queries are used to fetch authoritative answers from this zone,
- ## instead of unbound itself sending queries there.
- ## for-upstream: yes
- for-upstream: yes
- ## on failures with for-upstream, fallback to sending queries to
- ## the authority servers
- ## fallback-enabled: no
- zonemd-check: yes
-
- ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
- zonefile:
-TEMPFILE_NAME example.com
- ## this is the inline file /tmp/xxx.example.com
- ## the tempfiles are deleted when the testrun is over.
-TEMPFILE_CONTENTS example.com
-example.com. IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. IN NS ns.example.com.
-; the missing ZONEMD record
-;example.com. IN ZONEMD 200154054 1 2 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D728B22
-www.example.com. IN A 127.0.0.1
-ns.example.com. IN A 127.0.0.1
-bar.example.com. IN A 1.2.3.4
-ding.example.com. IN A 1.2.3.4
-foo.example.com. IN A 1.2.3.4
-TEMPFILE_END
-
-stub-zone:
- name: "."
- stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test authority zone with absent ZONEMD that is securely insecure
-; the trust anchor finds an online delegation with an insecure DS referral.
-; the ZONEMD is not there.
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
- ADDRESS 193.0.14.129
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET. IN A 193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION AUTHORITY
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
- ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qname qtype
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-example.com. IN DS
-SECTION AUTHORITY
-com. SOA a.gtld-servers.net. nstld.verisign-grs.com. 1603979208 1800 900 604800 86400
-com. 3600 IN RRSIG SOA 8 1 3600 20201116135527 20201019135527 1444 com. LTUZ8PlkMLX+dBZLGcJcahrzOgf1PgYbi/s5VKyR9iyYKeP6qdxO5VehUVHdXfmUiXrsszvhAHzo4AZnfRbDkK6uTfMKCSIB1aXOU4A74LpjhJBsXjyo3CN3IK/dMS/FpJfAb6JnuQV1E3ytDd34yNsoBazEjYeoN1kymGAttbM=
-example.com. IN NSEC foo.com. NS RRSIG
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 1444 com. KK6ci3DUnGJ9gaBBqS+71TiFBGcl51YLZAYGADDWuSgFOLLbh1nV//la08zE1i8ITQjjsqyRw7/MA8LWpPR3TnUjJLk6mBd/kB3dJ8BHWRqcyreFo6Pu383oCcXTpwkFcL4ulhp54LUxbA3arWVjWbx8815vvNKsEtWUyrz4LN8=
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION AUTHORITY
-example.com. IN NS ns.example.com.
-example.com. IN NSEC foo.com. NS RRSIG
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 1444 com. KK6ci3DUnGJ9gaBBqS+71TiFBGcl51YLZAYGADDWuSgFOLLbh1nV//la08zE1i8ITQjjsqyRw7/MA8LWpPR3TnUjJLk6mBd/kB3dJ8BHWRqcyreFo6Pu383oCcXTpwkFcL4ulhp54LUxbA3arWVjWbx8815vvNKsEtWUyrz4LN8=
-SECTION ADDITIONAL
-ns.example.com. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-com. IN DNSKEY
-SECTION ANSWER
-com. 3600 IN DNSKEY 257 3 8 AwEAAbd9WqjzE2Pynz21OG5doSf9hFzMr5dhzz2waZ3vTa+0o5r7AjTAqmA1yH/B3+aAMihUm5ucZSfVqo7+kOaRE8yFj9aivOmA1n1+JLevJq/oyvQyjxQN2Qb89LyaNUT5oKZIiL+uyyhNW3KDR3SSbQ/GBwQNDHVcZi+JDR3RC0r7 ;{id = 1444 (ksk), size = 1024b}
-com. 3600 IN RRSIG DNSKEY 8 1 3600 20201116135527 20201019135527 1444 com. BEOMfWvi6RgnHaHsst+Ed265hBuCkgMR7gDpu89J7ZrVL6DzMKnNVFdgjl/9xwLj/pkukc7qeLSHjAfLlN0E4THW7PVshscQnjvXCkktG2Ejx9fTyllAqeGDh9z9QDGlQZIGTMgb9413qZhNqe2Tda9PTJRpiZ8b4bdQp6V1kVo=
-SECTION ADDITIONAL
-ENTRY_END
-
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
- ADDRESS 1.2.3.44
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-ns.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN A
-SECTION ANSWER
-ns.example.net. IN A 1.2.3.44
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN AAAA
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-www.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 10.20.30.40
-ENTRY_END
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 20 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 127.0.0.1
-ENTRY_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/auth_zonemd_insecure_absent_reject.rpl b/contrib/unbound/testdata/auth_zonemd_insecure_absent_reject.rpl
deleted file mode 100644
index beb9f5b9ac89..000000000000
--- a/contrib/unbound/testdata/auth_zonemd_insecure_absent_reject.rpl
+++ /dev/null
@@ -1,218 +0,0 @@
-; config options
-server:
- target-fetch-policy: "0 0 0 0 0"
- trust-anchor: "com. DS 1444 8 2 0d72034e3e18a9ef383c164b68302433bbde957616e10cf44575fea2abae469c"
- trust-anchor-signaling: no
- val-override-date: 20201020135527
-
-auth-zone:
- name: "example.com."
- zonemd-check: yes
- zonemd-reject-absence: yes
- ## zonefile (or none).
- ## zonefile: "example.com.zone"
- ## master by IP address or hostname
- ## can list multiple masters, each on one line.
- ## master:
- ## url for http fetch
- ## url:
- ## queries from downstream clients get authoritative answers.
- ## for-downstream: yes
- for-downstream: no
- ## queries are used to fetch authoritative answers from this zone,
- ## instead of unbound itself sending queries there.
- ## for-upstream: yes
- for-upstream: yes
- ## on failures with for-upstream, fallback to sending queries to
- ## the authority servers
- ## fallback-enabled: no
-
- ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
- zonefile:
-TEMPFILE_NAME example.com
- ## this is the inline file /tmp/xxx.example.com
- ## the tempfiles are deleted when the testrun is over.
-TEMPFILE_CONTENTS example.com
-example.com. IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. IN NS ns.example.com.
-; the missing ZONEMD record
-;example.com. IN ZONEMD 200154054 1 2 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D728B22
-www.example.com. IN A 127.0.0.1
-ns.example.com. IN A 127.0.0.1
-bar.example.com. IN A 1.2.3.4
-ding.example.com. IN A 1.2.3.4
-foo.example.com. IN A 1.2.3.4
-TEMPFILE_END
-
-stub-zone:
- name: "."
- stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test authority zone with reject-absence ZONEMD that is securely insecure
-; the trust anchor finds an online delegation with an insecure DS referral.
-; the ZONEMD is not there. This is not allowed by the zonemd-reject-absence
-; option in config, so it fails the zone.
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
- ADDRESS 193.0.14.129
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET. IN A 193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION AUTHORITY
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
- ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qname qtype
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-example.com. IN DS
-SECTION AUTHORITY
-com. SOA a.gtld-servers.net. nstld.verisign-grs.com. 1603979208 1800 900 604800 86400
-com. 3600 IN RRSIG SOA 8 1 3600 20201116135527 20201019135527 1444 com. LTUZ8PlkMLX+dBZLGcJcahrzOgf1PgYbi/s5VKyR9iyYKeP6qdxO5VehUVHdXfmUiXrsszvhAHzo4AZnfRbDkK6uTfMKCSIB1aXOU4A74LpjhJBsXjyo3CN3IK/dMS/FpJfAb6JnuQV1E3ytDd34yNsoBazEjYeoN1kymGAttbM=
-example.com. IN NSEC foo.com. NS RRSIG
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 1444 com. KK6ci3DUnGJ9gaBBqS+71TiFBGcl51YLZAYGADDWuSgFOLLbh1nV//la08zE1i8ITQjjsqyRw7/MA8LWpPR3TnUjJLk6mBd/kB3dJ8BHWRqcyreFo6Pu383oCcXTpwkFcL4ulhp54LUxbA3arWVjWbx8815vvNKsEtWUyrz4LN8=
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION AUTHORITY
-example.com. IN NS ns.example.com.
-example.com. IN NSEC foo.com. NS RRSIG
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 1444 com. KK6ci3DUnGJ9gaBBqS+71TiFBGcl51YLZAYGADDWuSgFOLLbh1nV//la08zE1i8ITQjjsqyRw7/MA8LWpPR3TnUjJLk6mBd/kB3dJ8BHWRqcyreFo6Pu383oCcXTpwkFcL4ulhp54LUxbA3arWVjWbx8815vvNKsEtWUyrz4LN8=
-SECTION ADDITIONAL
-ns.example.com. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-com. IN DNSKEY
-SECTION ANSWER
-com. 3600 IN DNSKEY 257 3 8 AwEAAbd9WqjzE2Pynz21OG5doSf9hFzMr5dhzz2waZ3vTa+0o5r7AjTAqmA1yH/B3+aAMihUm5ucZSfVqo7+kOaRE8yFj9aivOmA1n1+JLevJq/oyvQyjxQN2Qb89LyaNUT5oKZIiL+uyyhNW3KDR3SSbQ/GBwQNDHVcZi+JDR3RC0r7 ;{id = 1444 (ksk), size = 1024b}
-com. 3600 IN RRSIG DNSKEY 8 1 3600 20201116135527 20201019135527 1444 com. BEOMfWvi6RgnHaHsst+Ed265hBuCkgMR7gDpu89J7ZrVL6DzMKnNVFdgjl/9xwLj/pkukc7qeLSHjAfLlN0E4THW7PVshscQnjvXCkktG2Ejx9fTyllAqeGDh9z9QDGlQZIGTMgb9413qZhNqe2Tda9PTJRpiZ8b4bdQp6V1kVo=
-SECTION ADDITIONAL
-ENTRY_END
-
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
- ADDRESS 1.2.3.44
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-ns.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN A
-SECTION ANSWER
-ns.example.net. IN A 1.2.3.44
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN AAAA
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-www.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 10.20.30.40
-ENTRY_END
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 20 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA SERVFAIL
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-ENTRY_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/auth_zonemd_insecure_fail.rpl b/contrib/unbound/testdata/auth_zonemd_insecure_fail.rpl
deleted file mode 100644
index f7aad071e3b9..000000000000
--- a/contrib/unbound/testdata/auth_zonemd_insecure_fail.rpl
+++ /dev/null
@@ -1,218 +0,0 @@
-; config options
-server:
- target-fetch-policy: "0 0 0 0 0"
- trust-anchor: "com. DS 1444 8 2 0d72034e3e18a9ef383c164b68302433bbde957616e10cf44575fea2abae469c"
- trust-anchor-signaling: no
- val-override-date: 20201020135527
-
-auth-zone:
- name: "example.com."
- ## zonefile (or none).
- ## zonefile: "example.com.zone"
- ## master by IP address or hostname
- ## can list multiple masters, each on one line.
- ## master:
- ## url for http fetch
- ## url:
- ## queries from downstream clients get authoritative answers.
- ## for-downstream: yes
- for-downstream: no
- ## queries are used to fetch authoritative answers from this zone,
- ## instead of unbound itself sending queries there.
- ## for-upstream: yes
- for-upstream: yes
- ## on failures with for-upstream, fallback to sending queries to
- ## the authority servers
- ## fallback-enabled: no
- zonemd-check: yes
-
- ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
- zonefile:
-TEMPFILE_NAME example.com
- ## this is the inline file /tmp/xxx.example.com
- ## the tempfiles are deleted when the testrun is over.
-TEMPFILE_CONTENTS example.com
-example.com. IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. IN NS ns.example.com.
-; correct ZONEMD
-;example.com. IN ZONEMD 200154054 1 2 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D728B22
-; wrong ZONEMD
-example.com. IN ZONEMD 200154054 1 2 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D7AAAAA
-www.example.com. IN A 127.0.0.1
-ns.example.com. IN A 127.0.0.1
-bar.example.com. IN A 1.2.3.4
-ding.example.com. IN A 1.2.3.4
-foo.example.com. IN A 1.2.3.4
-TEMPFILE_END
-
-stub-zone:
- name: "."
- stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test authority zone with ZONEMD fail that is securely insecure
-; the trust anchor finds an online delegation with an insecure DS referral.
-; the ZONEMD is wrong, eg. the hash does not match the zone data.
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
- ADDRESS 193.0.14.129
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET. IN A 193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION AUTHORITY
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
- ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qname qtype
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-example.com. IN DS
-SECTION AUTHORITY
-com. SOA a.gtld-servers.net. nstld.verisign-grs.com. 1603979208 1800 900 604800 86400
-com. 3600 IN RRSIG SOA 8 1 3600 20201116135527 20201019135527 1444 com. LTUZ8PlkMLX+dBZLGcJcahrzOgf1PgYbi/s5VKyR9iyYKeP6qdxO5VehUVHdXfmUiXrsszvhAHzo4AZnfRbDkK6uTfMKCSIB1aXOU4A74LpjhJBsXjyo3CN3IK/dMS/FpJfAb6JnuQV1E3ytDd34yNsoBazEjYeoN1kymGAttbM=
-example.com. IN NSEC foo.com. NS RRSIG
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 1444 com. KK6ci3DUnGJ9gaBBqS+71TiFBGcl51YLZAYGADDWuSgFOLLbh1nV//la08zE1i8ITQjjsqyRw7/MA8LWpPR3TnUjJLk6mBd/kB3dJ8BHWRqcyreFo6Pu383oCcXTpwkFcL4ulhp54LUxbA3arWVjWbx8815vvNKsEtWUyrz4LN8=
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION AUTHORITY
-example.com. IN NS ns.example.com.
-example.com. IN NSEC foo.com. NS RRSIG
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 1444 com. KK6ci3DUnGJ9gaBBqS+71TiFBGcl51YLZAYGADDWuSgFOLLbh1nV//la08zE1i8ITQjjsqyRw7/MA8LWpPR3TnUjJLk6mBd/kB3dJ8BHWRqcyreFo6Pu383oCcXTpwkFcL4ulhp54LUxbA3arWVjWbx8815vvNKsEtWUyrz4LN8=
-SECTION ADDITIONAL
-ns.example.com. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-com. IN DNSKEY
-SECTION ANSWER
-com. 3600 IN DNSKEY 257 3 8 AwEAAbd9WqjzE2Pynz21OG5doSf9hFzMr5dhzz2waZ3vTa+0o5r7AjTAqmA1yH/B3+aAMihUm5ucZSfVqo7+kOaRE8yFj9aivOmA1n1+JLevJq/oyvQyjxQN2Qb89LyaNUT5oKZIiL+uyyhNW3KDR3SSbQ/GBwQNDHVcZi+JDR3RC0r7 ;{id = 1444 (ksk), size = 1024b}
-com. 3600 IN RRSIG DNSKEY 8 1 3600 20201116135527 20201019135527 1444 com. BEOMfWvi6RgnHaHsst+Ed265hBuCkgMR7gDpu89J7ZrVL6DzMKnNVFdgjl/9xwLj/pkukc7qeLSHjAfLlN0E4THW7PVshscQnjvXCkktG2Ejx9fTyllAqeGDh9z9QDGlQZIGTMgb9413qZhNqe2Tda9PTJRpiZ8b4bdQp6V1kVo=
-SECTION ADDITIONAL
-ENTRY_END
-
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
- ADDRESS 1.2.3.44
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-ns.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN A
-SECTION ANSWER
-ns.example.net. IN A 1.2.3.44
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN AAAA
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-www.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 10.20.30.40
-ENTRY_END
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 20 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA SERVFAIL
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-ENTRY_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/auth_zonemd_nokey.rpl b/contrib/unbound/testdata/auth_zonemd_nokey.rpl
deleted file mode 100644
index a89414bf631c..000000000000
--- a/contrib/unbound/testdata/auth_zonemd_nokey.rpl
+++ /dev/null
@@ -1,212 +0,0 @@
-; config options
-server:
- target-fetch-policy: "0 0 0 0 0"
- trust-anchor: "com. DS 1444 8 2 0d72034e3e18a9ef383c164b68302433bbde957616e10cf44575fea2abae469c"
- trust-anchor-signaling: no
- val-override-date: 20201020135527
-
-auth-zone:
- name: "example.com."
- ## zonefile (or none).
- ## zonefile: "example.com.zone"
- ## master by IP address or hostname
- ## can list multiple masters, each on one line.
- ## master:
- ## url for http fetch
- ## url:
- ## queries from downstream clients get authoritative answers.
- ## for-downstream: yes
- for-downstream: no
- ## queries are used to fetch authoritative answers from this zone,
- ## instead of unbound itself sending queries there.
- ## for-upstream: yes
- for-upstream: yes
- ## on failures with for-upstream, fallback to sending queries to
- ## the authority servers
- ## fallback-enabled: no
- zonemd-check: yes
-
- ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
- zonefile:
-TEMPFILE_NAME example.com
- ## this is the inline file /tmp/xxx.example.com
- ## the tempfiles are deleted when the testrun is over.
-TEMPFILE_CONTENTS example.com
-example.com. IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. IN NS ns.example.com.
-example.com. IN ZONEMD 200154054 1 2 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D728B22
-www.example.com. IN A 127.0.0.1
-ns.example.com. IN A 127.0.0.1
-bar.example.com. IN A 1.2.3.4
-ding.example.com. IN A 1.2.3.4
-foo.example.com. IN A 1.2.3.4
-TEMPFILE_END
-
-stub-zone:
- name: "."
- stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test authority zone with ZONEMD that lacks a DNSKEY
-; the zone has no DNSSEC, but the trust anchor requires it.
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
- ADDRESS 193.0.14.129
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET. IN A 193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION AUTHORITY
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
- ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qname qtype
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-example.com. IN DS
-SECTION ANSWER
-example.com. 3600 IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af
-example.com. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 com. BpV1M171SSkbdlGawwweJwQ0W+aNaCrgkt2QTsxCvbo1acR5i3AKm4REOUzo4I36lRx26mYkF9Topkeu0aFmov7P2uUhCxk4faFK7k87k97FAqZaDGp/K9b3YCfiwJBc5pJSUW0ndU/Ve5zAh/wL493RMSC7LwJr5JjV0NxydFk=
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION AUTHORITY
-example.com. IN NS ns.example.com.
-example.com. 3600 IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af
-example.com. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 com. BpV1M171SSkbdlGawwweJwQ0W+aNaCrgkt2QTsxCvbo1acR5i3AKm4REOUzo4I36lRx26mYkF9Topkeu0aFmov7P2uUhCxk4faFK7k87k97FAqZaDGp/K9b3YCfiwJBc5pJSUW0ndU/Ve5zAh/wL493RMSC7LwJr5JjV0NxydFk=
-SECTION ADDITIONAL
-ns.example.com. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-com. IN DNSKEY
-SECTION ANSWER
-com. 3600 IN DNSKEY 257 3 8 AwEAAbd9WqjzE2Pynz21OG5doSf9hFzMr5dhzz2waZ3vTa+0o5r7AjTAqmA1yH/B3+aAMihUm5ucZSfVqo7+kOaRE8yFj9aivOmA1n1+JLevJq/oyvQyjxQN2Qb89LyaNUT5oKZIiL+uyyhNW3KDR3SSbQ/GBwQNDHVcZi+JDR3RC0r7 ;{id = 1444 (ksk), size = 1024b}
-com. 3600 IN RRSIG DNSKEY 8 1 3600 20201116135527 20201019135527 1444 com. BEOMfWvi6RgnHaHsst+Ed265hBuCkgMR7gDpu89J7ZrVL6DzMKnNVFdgjl/9xwLj/pkukc7qeLSHjAfLlN0E4THW7PVshscQnjvXCkktG2Ejx9fTyllAqeGDh9z9QDGlQZIGTMgb9413qZhNqe2Tda9PTJRpiZ8b4bdQp6V1kVo=
-SECTION ADDITIONAL
-ENTRY_END
-
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
- ADDRESS 1.2.3.44
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-ns.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN A
-SECTION ANSWER
-ns.example.net. IN A 1.2.3.44
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN AAAA
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-www.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 10.20.30.40
-ENTRY_END
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 20 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA SERVFAIL
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-ENTRY_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/auth_zonemd_permissive_mode.rpl b/contrib/unbound/testdata/auth_zonemd_permissive_mode.rpl
deleted file mode 100644
index 4149daa927f4..000000000000
--- a/contrib/unbound/testdata/auth_zonemd_permissive_mode.rpl
+++ /dev/null
@@ -1,187 +0,0 @@
-; config options
-server:
- target-fetch-policy: "0 0 0 0 0"
- zonemd-permissive-mode: yes
-
-auth-zone:
- name: "example.com."
- ## zonefile (or none).
- ## zonefile: "example.com.zone"
- ## master by IP address or hostname
- ## can list multiple masters, each on one line.
- ## master:
- ## url for http fetch
- ## url:
- ## queries from downstream clients get authoritative answers.
- ## for-downstream: yes
- for-downstream: no
- ## queries are used to fetch authoritative answers from this zone,
- ## instead of unbound itself sending queries there.
- ## for-upstream: yes
- for-upstream: yes
- ## on failures with for-upstream, fallback to sending queries to
- ## the authority servers
- ## fallback-enabled: no
- zonemd-check: yes
-
- ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
- zonefile:
-TEMPFILE_NAME example.com
- ## this is the inline file /tmp/xxx.example.com
- ## the tempfiles are deleted when the testrun is over.
-TEMPFILE_CONTENTS example.com
-example.com. IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. IN NS ns.example.com.
-; good zonemd
-;example.com. IN ZONEMD 200154054 1 2 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D728B22
-; wrong zonemd
-example.com. IN ZONEMD 200154054 1 2 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D7AAAAA
-www.example.com. IN A 127.0.0.1
-ns.example.com. IN A 127.0.0.1
-bar.example.com. IN A 1.2.3.4
-ding.example.com. IN A 1.2.3.4
-foo.example.com. IN A 1.2.3.4
-TEMPFILE_END
-
-stub-zone:
- name: "."
- stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test zonemd permissive mode
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
- ADDRESS 193.0.14.129
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET. IN A 193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION AUTHORITY
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
- ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION AUTHORITY
-example.com. IN NS ns.example.com.
-SECTION ADDITIONAL
-ns.example.com. IN A 1.2.3.44
-ENTRY_END
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
- ADDRESS 1.2.3.44
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-ns.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN A
-SECTION ANSWER
-ns.example.net. IN A 1.2.3.44
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN AAAA
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-www.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 10.20.30.40
-ENTRY_END
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 20 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 127.0.0.1
-ENTRY_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/auth_zonemd_xfr.rpl b/contrib/unbound/testdata/auth_zonemd_xfr.rpl
deleted file mode 100644
index 89e22cea1472..000000000000
--- a/contrib/unbound/testdata/auth_zonemd_xfr.rpl
+++ /dev/null
@@ -1,238 +0,0 @@
-; config options
-server:
- target-fetch-policy: "0 0 0 0 0"
-
-auth-zone:
- name: "example.com."
- ## zonefile (or none).
- ## zonefile: "example.com.zone"
- ## master by IP address or hostname
- ## can list multiple masters, each on one line.
- ## master:
- master: 1.2.3.44
- ## url for http fetch
- ## url:
- ## queries from downstream clients get authoritative answers.
- ## for-downstream: yes
- for-downstream: yes
- ## queries are used to fetch authoritative answers from this zone,
- ## instead of unbound itself sending queries there.
- ## for-upstream: yes
- for-upstream: yes
- ## on failures with for-upstream, fallback to sending queries to
- ## the authority servers
- ## fallback-enabled: no
- zonemd-check: yes
-
- ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
- zonefile:
-TEMPFILE_NAME example.com
- ## this is the inline file /tmp/xxx.example.com
- ## the tempfiles are deleted when the testrun is over.
-TEMPFILE_CONTENTS example.com
-TEMPFILE_END
-
-stub-zone:
- name: "."
- stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test authority zone with AXFR with ZONEMD
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
- ADDRESS 193.0.14.129
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET. IN A 193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION AUTHORITY
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
- ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION AUTHORITY
-example.com. IN NS ns.example.com.
-SECTION ADDITIONAL
-ns.example.com. IN A 1.2.3.44
-ENTRY_END
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
- ADDRESS 1.2.3.44
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-ns.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN A
-SECTION ANSWER
-ns.example.net. IN A 1.2.3.44
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN AAAA
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-www.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 10.20.30.40
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN SOA
-SECTION ANSWER
-; serial, refresh, retry, expire, minimum
-example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-example.com. IN AXFR
-SECTION ANSWER
-example.com. IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. IN NS ns.example.com.
-example.com. IN ZONEMD 200154054 1 2 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D728B22
-www.example.com. IN A 127.0.0.1
-ns.example.com. IN A 127.0.0.1
-bar.example.com. IN A 1.2.3.4
-ding.example.com. IN A 1.2.3.4
-foo.example.com. IN A 1.2.3.4
-example.com. IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-ENTRY_END
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 20 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR AA RD RA SERVFAIL
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-ENTRY_END
-
-STEP 30 TIME_PASSES ELAPSE 10
-STEP 40 TRAFFIC
-
-STEP 50 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 60 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR AA RD RA NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 127.0.0.1
-ENTRY_END
-
-; the zonefile was updated with new contents
-STEP 70 CHECK_TEMPFILE example.com
-FILE_BEGIN
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN ZONEMD 200154054 1 2 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D728B22
-bar.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN A 1.2.3.4
-ns.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN A 127.0.0.1
-FILE_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/auth_zonemd_xfr_anchor.rpl b/contrib/unbound/testdata/auth_zonemd_xfr_anchor.rpl
deleted file mode 100644
index 667de2eae0da..000000000000
--- a/contrib/unbound/testdata/auth_zonemd_xfr_anchor.rpl
+++ /dev/null
@@ -1,285 +0,0 @@
-; config options
-server:
- target-fetch-policy: "0 0 0 0 0"
- trust-anchor: "example.com. DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af"
- trust-anchor-signaling: no
- val-override-date: 20201020135527
-
-auth-zone:
- name: "example.com."
- ## zonefile (or none).
- ## zonefile: "example.com.zone"
- ## master by IP address or hostname
- ## can list multiple masters, each on one line.
- ## master:
- master: 1.2.3.44
- ## url for http fetch
- ## url:
- ## queries from downstream clients get authoritative answers.
- ## for-downstream: yes
- for-downstream: yes
- ## queries are used to fetch authoritative answers from this zone,
- ## instead of unbound itself sending queries there.
- ## for-upstream: yes
- for-upstream: yes
- ## on failures with for-upstream, fallback to sending queries to
- ## the authority servers
- ## fallback-enabled: no
- zonemd-check: yes
-
- ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
- zonefile:
-TEMPFILE_NAME example.com
- ## this is the inline file /tmp/xxx.example.com
- ## the tempfiles are deleted when the testrun is over.
-TEMPFILE_CONTENTS example.com
-TEMPFILE_END
-
-stub-zone:
- name: "."
- stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test authority zone with AXFR with ZONEMD with trust anchor
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
- ADDRESS 193.0.14.129
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET. IN A 193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION AUTHORITY
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
- ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION AUTHORITY
-example.com. IN NS ns.example.com.
-SECTION ADDITIONAL
-ns.example.com. IN A 1.2.3.44
-ENTRY_END
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
- ADDRESS 1.2.3.44
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-ns.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN A
-SECTION ANSWER
-ns.example.net. IN A 1.2.3.44
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN AAAA
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-www.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 10.20.30.40
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN SOA
-SECTION ANSWER
-; serial, refresh, retry, expire, minimum
-example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-example.com. IN AXFR
-SECTION ANSWER
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b}
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-example.com. 3600 IN TYPE63 \# 70 0bee1bc6010258f7620f93204bbb31b44f795b3409cc4abd9ef5601decc15675bd7751213152984eddce0626e6062e744b03b3e47711202fbb79e4a2eb8bc5cf46741b5cae6f
-example.com. 3600 IN RRSIG TYPE63 8 2 3600 20201116135527 20201019135527 55566 example.com. orn8ZF/yqj9u4WrhiO6gtEcTaVsnZSWWZLfXhcIOiWSB8kKCxtZl5cG17dD3Du1NllUwMRqkp0KleLhIoUS9xeQ/0x05u+CYLrfQ62oAiD7q54ZQzpXJIH52aQzKV70ZnO03CZowhQBnetmIoKX6xLogKo8pt+BdQbo3oVHxV8Y=
-example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY TYPE63
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ufLrlOQprAqjnH85Rt3T0Mxd3ZB0mBeeNIr84eFJ8Rk6WiWEPm0Y1R7GRufNI24Mj7iqLcL4nJM6KK6B7dJqjqu73jw1acuYNnbsoV2BNDRXRFP2FNWTpctVdi+955f3FzgsmEJXfGiSUG0YXAEcZmdCPCn5ii2jk8mk7r6KKYo=
-bar.example.com. 3600 IN A 1.2.3.4
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC
-bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC
-ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC
-foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC
-ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
-www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI=
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-ENTRY_END
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 20 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR AA RD RA SERVFAIL
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-ENTRY_END
-
-STEP 30 TIME_PASSES ELAPSE 10
-STEP 40 TRAFFIC
-
-STEP 50 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 60 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR AA RD RA NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 127.0.0.1
-ENTRY_END
-
-; the zonefile was updated with new contents
-STEP 70 CHECK_TEMPFILE example.com
-FILE_BEGIN
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY ZONEMD
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ufLrlOQprAqjnH85Rt3T0Mxd3ZB0mBeeNIr84eFJ8Rk6WiWEPm0Y1R7GRufNI24Mj7iqLcL4nJM6KK6B7dJqjqu73jw1acuYNnbsoV2BNDRXRFP2FNWTpctVdi+955f3FzgsmEJXfGiSUG0YXAEcZmdCPCn5ii2jk8mk7r6KKYo=
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566}
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-example.com. 3600 IN ZONEMD 200154054 1 2 58F7620F93204BBB31B44F795B3409CC4ABD9EF5601DECC15675BD7751213152984EDDCE0626E6062E744B03B3E47711202FBB79E4A2EB8BC5CF46741B5CAE6F
-example.com. 3600 IN RRSIG ZONEMD 8 2 3600 20201116135527 20201019135527 55566 example.com. orn8ZF/yqj9u4WrhiO6gtEcTaVsnZSWWZLfXhcIOiWSB8kKCxtZl5cG17dD3Du1NllUwMRqkp0KleLhIoUS9xeQ/0x05u+CYLrfQ62oAiD7q54ZQzpXJIH52aQzKV70ZnO03CZowhQBnetmIoKX6xLogKo8pt+BdQbo3oVHxV8Y=
-bar.example.com. 3600 IN A 1.2.3.4
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC
-bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC
-ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC
-foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC
-ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
-www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI=
-FILE_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/auth_zonemd_xfr_anchor_fail.rpl b/contrib/unbound/testdata/auth_zonemd_xfr_anchor_fail.rpl
deleted file mode 100644
index 237ed9498e39..000000000000
--- a/contrib/unbound/testdata/auth_zonemd_xfr_anchor_fail.rpl
+++ /dev/null
@@ -1,266 +0,0 @@
-; config options
-server:
- target-fetch-policy: "0 0 0 0 0"
- trust-anchor: "example.com. DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af"
- trust-anchor-signaling: no
- val-override-date: 20201020135527
-
-auth-zone:
- name: "example.com."
- ## zonefile (or none).
- ## zonefile: "example.com.zone"
- ## master by IP address or hostname
- ## can list multiple masters, each on one line.
- ## master:
- master: 1.2.3.44
- ## url for http fetch
- ## url:
- ## queries from downstream clients get authoritative answers.
- ## for-downstream: yes
- for-downstream: yes
- ## queries are used to fetch authoritative answers from this zone,
- ## instead of unbound itself sending queries there.
- ## for-upstream: yes
- for-upstream: yes
- ## on failures with for-upstream, fallback to sending queries to
- ## the authority servers
- ## fallback-enabled: no
- zonemd-check: yes
-
- ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
- zonefile:
-TEMPFILE_NAME example.com
- ## this is the inline file /tmp/xxx.example.com
- ## the tempfiles are deleted when the testrun is over.
-TEMPFILE_CONTENTS example.com
-TEMPFILE_END
-
-stub-zone:
- name: "."
- stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test authority zone with AXFR with ZONEMD fail with trust anchor
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
- ADDRESS 193.0.14.129
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET. IN A 193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION AUTHORITY
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
- ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION AUTHORITY
-example.com. IN NS ns.example.com.
-SECTION ADDITIONAL
-ns.example.com. IN A 1.2.3.44
-ENTRY_END
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
- ADDRESS 1.2.3.44
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-ns.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN A
-SECTION ANSWER
-ns.example.net. IN A 1.2.3.44
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN AAAA
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-www.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 10.20.30.40
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN SOA
-SECTION ANSWER
-; serial, refresh, retry, expire, minimum
-example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOTIMPL
-SECTION QUESTION
-example.com. IN IXFR
-SECTION ANSWER
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-example.com. IN AXFR
-SECTION ANSWER
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b}
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-example.com. 3600 IN TYPE63 \# 70 0bee1bc6010258f7620f93204bbb31b44f795b3409cc4abd9ef5601decc15675bd7751213152984eddce0626e6062e744b03b3e47711202fbb79e4a2eb8bc5cf46741b5cae6f
-example.com. 3600 IN RRSIG TYPE63 8 2 3600 20201116135527 20201019135527 55566 example.com. orn8ZF/yqj9u4WrhiO6gtEcTaVsnZSWWZLfXhcIOiWSB8kKCxtZl5cG17dD3Du1NllUwMRqkp0KleLhIoUS9xeQ/0x05u+CYLrfQ62oAiD7q54ZQzpXJIH52aQzKV70ZnO03CZowhQBnetmIoKX6xLogKo8pt+BdQbo3oVHxV8Y=
-example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY TYPE63
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ufLrlOQprAqjnH85Rt3T0Mxd3ZB0mBeeNIr84eFJ8Rk6WiWEPm0Y1R7GRufNI24Mj7iqLcL4nJM6KK6B7dJqjqu73jw1acuYNnbsoV2BNDRXRFP2FNWTpctVdi+955f3FzgsmEJXfGiSUG0YXAEcZmdCPCn5ii2jk8mk7r6KKYo=
-; this is the bad RR that causes the wrong zonemd. RRSIG is wrong too.
-bar.example.com. 3600 IN A 1.2.3.55
-; orig RR
-;bar.example.com. 3600 IN A 1.2.3.4
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC
-bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC
-ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC
-foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC
-ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
-www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI=
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-ENTRY_END
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 20 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR AA RD RA SERVFAIL
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-ENTRY_END
-
-STEP 30 TIME_PASSES ELAPSE 10
-STEP 40 TRAFFIC
-
-STEP 50 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 60 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR AA RD RA SERVFAIL
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-ENTRY_END
-
-; the zonefile was updated with new contents
-STEP 70 CHECK_TEMPFILE example.com
-FILE_BEGIN
-FILE_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/auth_zonemd_xfr_chain.rpl b/contrib/unbound/testdata/auth_zonemd_xfr_chain.rpl
deleted file mode 100644
index 4deb99bcbd8a..000000000000
--- a/contrib/unbound/testdata/auth_zonemd_xfr_chain.rpl
+++ /dev/null
@@ -1,310 +0,0 @@
-; config options
-server:
- target-fetch-policy: "0 0 0 0 0"
- trust-anchor: "com. DS 1444 8 2 0d72034e3e18a9ef383c164b68302433bbde957616e10cf44575fea2abae469c"
- trust-anchor-signaling: no
- val-override-date: 20201020135527
-
-auth-zone:
- name: "example.com."
- ## zonefile (or none).
- ## zonefile: "example.com.zone"
- ## master by IP address or hostname
- ## can list multiple masters, each on one line.
- ## master:
- master: 1.2.3.44
- ## url for http fetch
- ## url:
- ## queries from downstream clients get authoritative answers.
- ## for-downstream: yes
- for-downstream: yes
- ## queries are used to fetch authoritative answers from this zone,
- ## instead of unbound itself sending queries there.
- ## for-upstream: yes
- for-upstream: yes
- ## on failures with for-upstream, fallback to sending queries to
- ## the authority servers
- ## fallback-enabled: no
- zonemd-check: yes
-
- ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
- zonefile:
-TEMPFILE_NAME example.com
- ## this is the inline file /tmp/xxx.example.com
- ## the tempfiles are deleted when the testrun is over.
-TEMPFILE_CONTENTS example.com
-TEMPFILE_END
-
-stub-zone:
- name: "."
- stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test authority zone with AXFR with ZONEMD with chain of trust
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
- ADDRESS 193.0.14.129
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET. IN A 193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION AUTHORITY
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
- ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qname qtype
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-example.com. IN DS
-SECTION ANSWER
-example.com. 3600 IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af
-example.com. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 com. BpV1M171SSkbdlGawwweJwQ0W+aNaCrgkt2QTsxCvbo1acR5i3AKm4REOUzo4I36lRx26mYkF9Topkeu0aFmov7P2uUhCxk4faFK7k87k97FAqZaDGp/K9b3YCfiwJBc5pJSUW0ndU/Ve5zAh/wL493RMSC7LwJr5JjV0NxydFk=
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION AUTHORITY
-example.com. IN NS ns.example.com.
-example.com. 3600 IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af
-example.com. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 com. BpV1M171SSkbdlGawwweJwQ0W+aNaCrgkt2QTsxCvbo1acR5i3AKm4REOUzo4I36lRx26mYkF9Topkeu0aFmov7P2uUhCxk4faFK7k87k97FAqZaDGp/K9b3YCfiwJBc5pJSUW0ndU/Ve5zAh/wL493RMSC7LwJr5JjV0NxydFk=
-SECTION ADDITIONAL
-ns.example.com. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-com. IN DNSKEY
-SECTION ANSWER
-com. 3600 IN DNSKEY 257 3 8 AwEAAbd9WqjzE2Pynz21OG5doSf9hFzMr5dhzz2waZ3vTa+0o5r7AjTAqmA1yH/B3+aAMihUm5ucZSfVqo7+kOaRE8yFj9aivOmA1n1+JLevJq/oyvQyjxQN2Qb89LyaNUT5oKZIiL+uyyhNW3KDR3SSbQ/GBwQNDHVcZi+JDR3RC0r7 ;{id = 1444 (ksk), size = 1024b}
-com. 3600 IN RRSIG DNSKEY 8 1 3600 20201116135527 20201019135527 1444 com. BEOMfWvi6RgnHaHsst+Ed265hBuCkgMR7gDpu89J7ZrVL6DzMKnNVFdgjl/9xwLj/pkukc7qeLSHjAfLlN0E4THW7PVshscQnjvXCkktG2Ejx9fTyllAqeGDh9z9QDGlQZIGTMgb9413qZhNqe2Tda9PTJRpiZ8b4bdQp6V1kVo=
-SECTION ADDITIONAL
-ENTRY_END
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
- ADDRESS 1.2.3.44
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-ns.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN A
-SECTION ANSWER
-ns.example.net. IN A 1.2.3.44
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN AAAA
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-www.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 10.20.30.40
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN SOA
-SECTION ANSWER
-; serial, refresh, retry, expire, minimum
-example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-example.com. IN AXFR
-SECTION ANSWER
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b}
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-example.com. 3600 IN TYPE63 \# 70 0bee1bc6010258f7620f93204bbb31b44f795b3409cc4abd9ef5601decc15675bd7751213152984eddce0626e6062e744b03b3e47711202fbb79e4a2eb8bc5cf46741b5cae6f
-example.com. 3600 IN RRSIG TYPE63 8 2 3600 20201116135527 20201019135527 55566 example.com. orn8ZF/yqj9u4WrhiO6gtEcTaVsnZSWWZLfXhcIOiWSB8kKCxtZl5cG17dD3Du1NllUwMRqkp0KleLhIoUS9xeQ/0x05u+CYLrfQ62oAiD7q54ZQzpXJIH52aQzKV70ZnO03CZowhQBnetmIoKX6xLogKo8pt+BdQbo3oVHxV8Y=
-example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY TYPE63
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ufLrlOQprAqjnH85Rt3T0Mxd3ZB0mBeeNIr84eFJ8Rk6WiWEPm0Y1R7GRufNI24Mj7iqLcL4nJM6KK6B7dJqjqu73jw1acuYNnbsoV2BNDRXRFP2FNWTpctVdi+955f3FzgsmEJXfGiSUG0YXAEcZmdCPCn5ii2jk8mk7r6KKYo=
-bar.example.com. 3600 IN A 1.2.3.4
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC
-bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC
-ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC
-foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC
-ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
-www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI=
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-ENTRY_END
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 20 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR AA RD RA SERVFAIL
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-ENTRY_END
-
-STEP 30 TIME_PASSES ELAPSE 10
-STEP 40 TRAFFIC
-
-STEP 50 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 60 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR AA RD RA NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 127.0.0.1
-ENTRY_END
-
-; the zonefile was updated with new contents
-STEP 70 CHECK_TEMPFILE example.com
-FILE_BEGIN
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY ZONEMD
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ufLrlOQprAqjnH85Rt3T0Mxd3ZB0mBeeNIr84eFJ8Rk6WiWEPm0Y1R7GRufNI24Mj7iqLcL4nJM6KK6B7dJqjqu73jw1acuYNnbsoV2BNDRXRFP2FNWTpctVdi+955f3FzgsmEJXfGiSUG0YXAEcZmdCPCn5ii2jk8mk7r6KKYo=
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566}
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-example.com. 3600 IN ZONEMD 200154054 1 2 58F7620F93204BBB31B44F795B3409CC4ABD9EF5601DECC15675BD7751213152984EDDCE0626E6062E744B03B3E47711202FBB79E4A2EB8BC5CF46741B5CAE6F
-example.com. 3600 IN RRSIG ZONEMD 8 2 3600 20201116135527 20201019135527 55566 example.com. orn8ZF/yqj9u4WrhiO6gtEcTaVsnZSWWZLfXhcIOiWSB8kKCxtZl5cG17dD3Du1NllUwMRqkp0KleLhIoUS9xeQ/0x05u+CYLrfQ62oAiD7q54ZQzpXJIH52aQzKV70ZnO03CZowhQBnetmIoKX6xLogKo8pt+BdQbo3oVHxV8Y=
-bar.example.com. 3600 IN A 1.2.3.4
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC
-bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC
-ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC
-foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC
-ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
-www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI=
-FILE_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/auth_zonemd_xfr_chain_fail.rpl b/contrib/unbound/testdata/auth_zonemd_xfr_chain_fail.rpl
deleted file mode 100644
index 3e09c9e8e40b..000000000000
--- a/contrib/unbound/testdata/auth_zonemd_xfr_chain_fail.rpl
+++ /dev/null
@@ -1,321 +0,0 @@
-; config options
-server:
- target-fetch-policy: "0 0 0 0 0"
- trust-anchor: "com. DS 1444 8 2 0d72034e3e18a9ef383c164b68302433bbde957616e10cf44575fea2abae469c"
- trust-anchor-signaling: no
- val-override-date: 20201020135527
-
-auth-zone:
- name: "example.com."
- ## zonefile (or none).
- ## zonefile: "example.com.zone"
- ## master by IP address or hostname
- ## can list multiple masters, each on one line.
- ## master:
- master: 1.2.3.44
- ## url for http fetch
- ## url:
- ## queries from downstream clients get authoritative answers.
- ## for-downstream: yes
- for-downstream: yes
- ## queries are used to fetch authoritative answers from this zone,
- ## instead of unbound itself sending queries there.
- ## for-upstream: yes
- for-upstream: yes
- ## on failures with for-upstream, fallback to sending queries to
- ## the authority servers
- ## fallback-enabled: no
- zonemd-check: yes
-
- ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
- zonefile:
-TEMPFILE_NAME example.com
- ## this is the inline file /tmp/xxx.example.com
- ## the tempfiles are deleted when the testrun is over.
-TEMPFILE_CONTENTS example.com
-TEMPFILE_END
-
-stub-zone:
- name: "."
- stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test authority zone with AXFR with ZONEMD failure with chain of trust
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
- ADDRESS 193.0.14.129
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET. IN A 193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION AUTHORITY
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
- ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qname qtype
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-example.com. IN DS
-SECTION ANSWER
-example.com. 3600 IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af
-example.com. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 com. BpV1M171SSkbdlGawwweJwQ0W+aNaCrgkt2QTsxCvbo1acR5i3AKm4REOUzo4I36lRx26mYkF9Topkeu0aFmov7P2uUhCxk4faFK7k87k97FAqZaDGp/K9b3YCfiwJBc5pJSUW0ndU/Ve5zAh/wL493RMSC7LwJr5JjV0NxydFk=
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION AUTHORITY
-example.com. IN NS ns.example.com.
-example.com. 3600 IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af
-example.com. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 com. BpV1M171SSkbdlGawwweJwQ0W+aNaCrgkt2QTsxCvbo1acR5i3AKm4REOUzo4I36lRx26mYkF9Topkeu0aFmov7P2uUhCxk4faFK7k87k97FAqZaDGp/K9b3YCfiwJBc5pJSUW0ndU/Ve5zAh/wL493RMSC7LwJr5JjV0NxydFk=
-SECTION ADDITIONAL
-ns.example.com. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-com. IN DNSKEY
-SECTION ANSWER
-com. 3600 IN DNSKEY 257 3 8 AwEAAbd9WqjzE2Pynz21OG5doSf9hFzMr5dhzz2waZ3vTa+0o5r7AjTAqmA1yH/B3+aAMihUm5ucZSfVqo7+kOaRE8yFj9aivOmA1n1+JLevJq/oyvQyjxQN2Qb89LyaNUT5oKZIiL+uyyhNW3KDR3SSbQ/GBwQNDHVcZi+JDR3RC0r7 ;{id = 1444 (ksk), size = 1024b}
-com. 3600 IN RRSIG DNSKEY 8 1 3600 20201116135527 20201019135527 1444 com. BEOMfWvi6RgnHaHsst+Ed265hBuCkgMR7gDpu89J7ZrVL6DzMKnNVFdgjl/9xwLj/pkukc7qeLSHjAfLlN0E4THW7PVshscQnjvXCkktG2Ejx9fTyllAqeGDh9z9QDGlQZIGTMgb9413qZhNqe2Tda9PTJRpiZ8b4bdQp6V1kVo=
-SECTION ADDITIONAL
-ENTRY_END
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
- ADDRESS 1.2.3.44
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-ns.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN A
-SECTION ANSWER
-ns.example.net. IN A 1.2.3.44
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN AAAA
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-www.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 10.20.30.40
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN SOA
-SECTION ANSWER
-; serial, refresh, retry, expire, minimum
-example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOTIMPL
-SECTION QUESTION
-example.com. IN IXFR
-SECTION ANSWER
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-example.com. IN AXFR
-SECTION ANSWER
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b}
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-example.com. 3600 IN TYPE63 \# 70 0bee1bc6010258f7620f93204bbb31b44f795b3409cc4abd9ef5601decc15675bd7751213152984eddce0626e6062e744b03b3e47711202fbb79e4a2eb8bc5cf46741b5cae6f
-example.com. 3600 IN RRSIG TYPE63 8 2 3600 20201116135527 20201019135527 55566 example.com. orn8ZF/yqj9u4WrhiO6gtEcTaVsnZSWWZLfXhcIOiWSB8kKCxtZl5cG17dD3Du1NllUwMRqkp0KleLhIoUS9xeQ/0x05u+CYLrfQ62oAiD7q54ZQzpXJIH52aQzKV70ZnO03CZowhQBnetmIoKX6xLogKo8pt+BdQbo3oVHxV8Y=
-example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY TYPE63
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ufLrlOQprAqjnH85Rt3T0Mxd3ZB0mBeeNIr84eFJ8Rk6WiWEPm0Y1R7GRufNI24Mj7iqLcL4nJM6KK6B7dJqjqu73jw1acuYNnbsoV2BNDRXRFP2FNWTpctVdi+955f3FzgsmEJXfGiSUG0YXAEcZmdCPCn5ii2jk8mk7r6KKYo=
-; this is the bad RR that causes the wrong zonemd. RRSIG is wrong too.
-bar.example.com. 3600 IN A 1.2.3.55
-; orig RR
-;bar.example.com. 3600 IN A 1.2.3.4
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC
-bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC
-ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC
-foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC
-ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
-www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI=
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-ENTRY_END
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 20 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR AA RD RA SERVFAIL
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-ENTRY_END
-
-STEP 30 TIME_PASSES ELAPSE 10
-STEP 40 TRAFFIC
-
-STEP 50 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 60 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR AA RD RA SERVFAIL
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-ENTRY_END
-
-; the zonefile was updated with new contents
-STEP 70 CHECK_TEMPFILE example.com
-FILE_BEGIN
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY ZONEMD
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ufLrlOQprAqjnH85Rt3T0Mxd3ZB0mBeeNIr84eFJ8Rk6WiWEPm0Y1R7GRufNI24Mj7iqLcL4nJM6KK6B7dJqjqu73jw1acuYNnbsoV2BNDRXRFP2FNWTpctVdi+955f3FzgsmEJXfGiSUG0YXAEcZmdCPCn5ii2jk8mk7r6KKYo=
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566}
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-example.com. 3600 IN ZONEMD 200154054 1 2 58F7620F93204BBB31B44F795B3409CC4ABD9EF5601DECC15675BD7751213152984EDDCE0626E6062E744B03B3E47711202FBB79E4A2EB8BC5CF46741B5CAE6F
-example.com. 3600 IN RRSIG ZONEMD 8 2 3600 20201116135527 20201019135527 55566 example.com. orn8ZF/yqj9u4WrhiO6gtEcTaVsnZSWWZLfXhcIOiWSB8kKCxtZl5cG17dD3Du1NllUwMRqkp0KleLhIoUS9xeQ/0x05u+CYLrfQ62oAiD7q54ZQzpXJIH52aQzKV70ZnO03CZowhQBnetmIoKX6xLogKo8pt+BdQbo3oVHxV8Y=
-bar.example.com. 3600 IN A 1.2.3.55
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC
-bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC
-ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC
-foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC
-ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
-www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI=
-FILE_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/auth_zonemd_xfr_chain_keyinxfr.rpl b/contrib/unbound/testdata/auth_zonemd_xfr_chain_keyinxfr.rpl
deleted file mode 100644
index 2feec88c075a..000000000000
--- a/contrib/unbound/testdata/auth_zonemd_xfr_chain_keyinxfr.rpl
+++ /dev/null
@@ -1,315 +0,0 @@
-; config options
-server:
- target-fetch-policy: "0 0 0 0 0"
- trust-anchor: "com. DS 1444 8 2 0d72034e3e18a9ef383c164b68302433bbde957616e10cf44575fea2abae469c"
- trust-anchor-signaling: no
- val-override-date: 20201020135527
-
-auth-zone:
- name: "example.com."
- ## zonefile (or none).
- ## zonefile: "example.com.zone"
- ## master by IP address or hostname
- ## can list multiple masters, each on one line.
- ## master:
- master: 1.2.3.44
- ## url for http fetch
- ## url:
- ## queries from downstream clients get authoritative answers.
- ## for-downstream: yes
-
- ## The for-downstream and fallback are disabled, the key cannot be
- ## retrieved by DNS lookup, it is in the xfr itself.
- ## only after the zone is loaded can it be looked up.
- for-downstream: no
- ## queries are used to fetch authoritative answers from this zone,
- ## instead of unbound itself sending queries there.
- ## for-upstream: yes
- for-upstream: yes
- ## on failures with for-upstream, fallback to sending queries to
- ## the authority servers
- ## fallback-enabled: no
- fallback-enabled: no
- zonemd-check: yes
-
- ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
- zonefile:
-TEMPFILE_NAME example.com
- ## this is the inline file /tmp/xxx.example.com
- ## the tempfiles are deleted when the testrun is over.
-TEMPFILE_CONTENTS example.com
-TEMPFILE_END
-
-stub-zone:
- name: "."
- stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test authority zone with AXFR with ZONEMD with key in xfr
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
- ADDRESS 193.0.14.129
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET. IN A 193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION AUTHORITY
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
- ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qname qtype
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-example.com. IN DS
-SECTION ANSWER
-example.com. 3600 IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af
-example.com. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 com. BpV1M171SSkbdlGawwweJwQ0W+aNaCrgkt2QTsxCvbo1acR5i3AKm4REOUzo4I36lRx26mYkF9Topkeu0aFmov7P2uUhCxk4faFK7k87k97FAqZaDGp/K9b3YCfiwJBc5pJSUW0ndU/Ve5zAh/wL493RMSC7LwJr5JjV0NxydFk=
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION AUTHORITY
-example.com. IN NS ns.example.com.
-example.com. 3600 IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af
-example.com. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 com. BpV1M171SSkbdlGawwweJwQ0W+aNaCrgkt2QTsxCvbo1acR5i3AKm4REOUzo4I36lRx26mYkF9Topkeu0aFmov7P2uUhCxk4faFK7k87k97FAqZaDGp/K9b3YCfiwJBc5pJSUW0ndU/Ve5zAh/wL493RMSC7LwJr5JjV0NxydFk=
-SECTION ADDITIONAL
-ns.example.com. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-com. IN DNSKEY
-SECTION ANSWER
-com. 3600 IN DNSKEY 257 3 8 AwEAAbd9WqjzE2Pynz21OG5doSf9hFzMr5dhzz2waZ3vTa+0o5r7AjTAqmA1yH/B3+aAMihUm5ucZSfVqo7+kOaRE8yFj9aivOmA1n1+JLevJq/oyvQyjxQN2Qb89LyaNUT5oKZIiL+uyyhNW3KDR3SSbQ/GBwQNDHVcZi+JDR3RC0r7 ;{id = 1444 (ksk), size = 1024b}
-com. 3600 IN RRSIG DNSKEY 8 1 3600 20201116135527 20201019135527 1444 com. BEOMfWvi6RgnHaHsst+Ed265hBuCkgMR7gDpu89J7ZrVL6DzMKnNVFdgjl/9xwLj/pkukc7qeLSHjAfLlN0E4THW7PVshscQnjvXCkktG2Ejx9fTyllAqeGDh9z9QDGlQZIGTMgb9413qZhNqe2Tda9PTJRpiZ8b4bdQp6V1kVo=
-SECTION ADDITIONAL
-ENTRY_END
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
- ADDRESS 1.2.3.44
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-ns.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN A
-SECTION ANSWER
-ns.example.net. IN A 1.2.3.44
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN AAAA
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-www.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 10.20.30.40
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN SOA
-SECTION ANSWER
-; serial, refresh, retry, expire, minimum
-example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-example.com. IN AXFR
-SECTION ANSWER
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b}
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-example.com. 3600 IN TYPE63 \# 70 0bee1bc6010258f7620f93204bbb31b44f795b3409cc4abd9ef5601decc15675bd7751213152984eddce0626e6062e744b03b3e47711202fbb79e4a2eb8bc5cf46741b5cae6f
-example.com. 3600 IN RRSIG TYPE63 8 2 3600 20201116135527 20201019135527 55566 example.com. orn8ZF/yqj9u4WrhiO6gtEcTaVsnZSWWZLfXhcIOiWSB8kKCxtZl5cG17dD3Du1NllUwMRqkp0KleLhIoUS9xeQ/0x05u+CYLrfQ62oAiD7q54ZQzpXJIH52aQzKV70ZnO03CZowhQBnetmIoKX6xLogKo8pt+BdQbo3oVHxV8Y=
-example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY TYPE63
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ufLrlOQprAqjnH85Rt3T0Mxd3ZB0mBeeNIr84eFJ8Rk6WiWEPm0Y1R7GRufNI24Mj7iqLcL4nJM6KK6B7dJqjqu73jw1acuYNnbsoV2BNDRXRFP2FNWTpctVdi+955f3FzgsmEJXfGiSUG0YXAEcZmdCPCn5ii2jk8mk7r6KKYo=
-bar.example.com. 3600 IN A 1.2.3.4
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC
-bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC
-ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC
-foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC
-ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
-www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI=
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-ENTRY_END
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 20 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA SERVFAIL
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-ENTRY_END
-
-STEP 30 TIME_PASSES ELAPSE 10
-STEP 40 TRAFFIC
-
-STEP 50 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 60 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 127.0.0.1
-ENTRY_END
-
-; the zonefile was updated with new contents
-STEP 70 CHECK_TEMPFILE example.com
-FILE_BEGIN
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY ZONEMD
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ufLrlOQprAqjnH85Rt3T0Mxd3ZB0mBeeNIr84eFJ8Rk6WiWEPm0Y1R7GRufNI24Mj7iqLcL4nJM6KK6B7dJqjqu73jw1acuYNnbsoV2BNDRXRFP2FNWTpctVdi+955f3FzgsmEJXfGiSUG0YXAEcZmdCPCn5ii2jk8mk7r6KKYo=
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566}
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-example.com. 3600 IN ZONEMD 200154054 1 2 58F7620F93204BBB31B44F795B3409CC4ABD9EF5601DECC15675BD7751213152984EDDCE0626E6062E744B03B3E47711202FBB79E4A2EB8BC5CF46741B5CAE6F
-example.com. 3600 IN RRSIG ZONEMD 8 2 3600 20201116135527 20201019135527 55566 example.com. orn8ZF/yqj9u4WrhiO6gtEcTaVsnZSWWZLfXhcIOiWSB8kKCxtZl5cG17dD3Du1NllUwMRqkp0KleLhIoUS9xeQ/0x05u+CYLrfQ62oAiD7q54ZQzpXJIH52aQzKV70ZnO03CZowhQBnetmIoKX6xLogKo8pt+BdQbo3oVHxV8Y=
-bar.example.com. 3600 IN A 1.2.3.4
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC
-bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC
-ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC
-foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC
-ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
-www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI=
-FILE_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/auth_zonemd_xfr_fail.rpl b/contrib/unbound/testdata/auth_zonemd_xfr_fail.rpl
deleted file mode 100644
index f54ca7e086f0..000000000000
--- a/contrib/unbound/testdata/auth_zonemd_xfr_fail.rpl
+++ /dev/null
@@ -1,241 +0,0 @@
-; config options
-server:
- target-fetch-policy: "0 0 0 0 0"
-
-auth-zone:
- name: "example.com."
- ## zonefile (or none).
- ## zonefile: "example.com.zone"
- ## master by IP address or hostname
- ## can list multiple masters, each on one line.
- ## master:
- master: 1.2.3.44
- ## url for http fetch
- ## url:
- ## queries from downstream clients get authoritative answers.
- ## for-downstream: yes
- for-downstream: yes
- ## queries are used to fetch authoritative answers from this zone,
- ## instead of unbound itself sending queries there.
- ## for-upstream: yes
- for-upstream: yes
- ## on failures with for-upstream, fallback to sending queries to
- ## the authority servers
- ## fallback-enabled: no
- zonemd-check: yes
-
- ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
- zonefile:
-TEMPFILE_NAME example.com
- ## this is the inline file /tmp/xxx.example.com
- ## the tempfiles are deleted when the testrun is over.
-TEMPFILE_CONTENTS example.com
-TEMPFILE_END
-
-stub-zone:
- name: "."
- stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test authority zone with AXFR with failed ZONEMD
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
- ADDRESS 193.0.14.129
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET. IN A 193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION AUTHORITY
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-RANGE_BEGIN 0 100
- ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION AUTHORITY
-example.com. IN NS ns.example.com.
-SECTION ADDITIONAL
-ns.example.com. IN A 1.2.3.44
-ENTRY_END
-RANGE_END
-
-; ns.example.net.
-RANGE_BEGIN 0 100
- ADDRESS 1.2.3.44
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.net. IN NS
-SECTION ANSWER
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-ns.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN A
-SECTION ANSWER
-ns.example.net. IN A 1.2.3.44
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.net. IN AAAA
-SECTION AUTHORITY
-example.net. IN NS ns.example.net.
-SECTION ADDITIONAL
-www.example.net. IN A 1.2.3.44
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com. IN NS ns.example.net.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 10.20.30.40
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN SOA
-SECTION ANSWER
-; serial, refresh, retry, expire, minimum
-example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOTIMPL
-SECTION QUESTION
-example.com. IN IXFR
-SECTION ANSWER
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-example.com. IN AXFR
-SECTION ANSWER
-example.com. IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. IN NS ns.example.com.
-; old zonemd
-;example.com. IN ZONEMD 200154054 1 2 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D728B22
-; wrong zonemd
-example.com. IN ZONEMD 200154054 1 2 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D7AAAAA
-www.example.com. IN A 127.0.0.1
-ns.example.com. IN A 127.0.0.1
-bar.example.com. IN A 1.2.3.4
-ding.example.com. IN A 1.2.3.4
-foo.example.com. IN A 1.2.3.4
-example.com. IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-ENTRY_END
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 20 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR AA RD RA SERVFAIL
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-ENTRY_END
-
-STEP 30 TIME_PASSES ELAPSE 10
-STEP 40 TRAFFIC
-
-STEP 50 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; recursion happens here.
-STEP 60 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR AA RD RA SERVFAIL
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-ENTRY_END
-
-; the zonefile was updated with new contents
-STEP 70 CHECK_TEMPFILE example.com
-FILE_BEGIN
-FILE_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/cachedb_cached_ede.crpl b/contrib/unbound/testdata/cachedb_cached_ede.crpl
new file mode 100644
index 000000000000..5eade545105f
--- /dev/null
+++ b/contrib/unbound/testdata/cachedb_cached_ede.crpl
@@ -0,0 +1,91 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: no
+ minimal-responses: no
+ module-config: "cachedb validator iterator"
+ trust-anchor-signaling: no
+ verbosity: 4
+ ede: yes
+ val-log-level: 2
+ trust-anchor: "example.nl. DS 50602 8 2 FA8EE175C47325F4BD46D8A4083C3EBEB11C977D689069F2B41F1A29B22446B1"
+
+
+cachedb:
+ backend: "testframe"
+ secret-seed: "testvalue"
+
+stub-zone:
+ name: "example.nl"
+ stub-addr: 193.0.14.129
+CONFIG_END
+
+SCENARIO_BEGIN Test cachedb support for caching EDEs.
+
+RANGE_BEGIN 0 10
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.nl. IN DNSKEY
+SECTION ANSWER
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.nl. IN A
+SECTION ANSWER
+example.nl. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; get the entry in cache.
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+example.nl. IN A
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ FF FE ; option code = 65534 (LDNS_EDNS_UNBOUND_CACHEDB_TESTFRAME_TEST)
+ 00 00 ; option length
+ HEX_EDNSDATA_END
+ENTRY_END
+
+; get the answer for it
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=9
+REPLY QR RD RA DO SERVFAIL
+SECTION QUESTION
+example.nl. IN A
+ENTRY_END
+
+; query again for the cached entry
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+example.nl. IN A
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ FF FE ; option code = 65534 (LDNS_EDNS_UNBOUND_CACHEDB_TESTFRAME_TEST)
+ 00 00 ; option length
+ HEX_EDNSDATA_END
+ENTRY_END
+
+; this must be a cached answer since stub is not answering in this range
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=9
+REPLY QR RD RA DO SERVFAIL
+SECTION QUESTION
+example.nl. IN A
+ENTRY_END
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/zonemd_reload.tdir/zonemd_reload.conf b/contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.conf
index 9afd6e2b1e23..ff76cc37970c 100644
--- a/contrib/unbound/testdata/zonemd_reload.tdir/zonemd_reload.conf
+++ b/contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.conf
@@ -1,6 +1,5 @@
server:
- verbosity: 7
- # num-threads: 1
+ verbosity: 4
interface: 127.0.0.1
port: @PORT@
use-syslog: no
@@ -8,16 +7,23 @@ server:
pidfile: "unbound.pid"
chroot: ""
username: ""
+ module-config: "cachedb iterator"
do-not-query-localhost: no
- use-caps-for-id: yes
+ qname-minimisation: no
+
+forward-zone:
+ name: "."
+ forward-addr: 127.0.0.1@@TOPORT@
+
+stub-zone:
+ name: "example.com"
+ stub-addr: 127.0.0.1@@TOPORT@
+
remote-control:
control-enable: yes
control-interface: @CONTROL_PATH@/controlpipe.@CONTROL_PID@
control-use-cert: no
-auth-zone:
- name: "example.com"
- for-upstream: yes
- for-downstream: yes
- zonefile: "zonemd_reload.zone"
- zonemd-check: yes
- #master: "127.0.0.1@@TOPORT@"
+
+cachedb:
+ backend: "testframe"
+ secret-seed: "testvalue"
diff --git a/contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.dsc b/contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.dsc
new file mode 100644
index 000000000000..9d267436edf6
--- /dev/null
+++ b/contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.dsc
@@ -0,0 +1,16 @@
+BaseName: cachedb_no_store
+Version: 1.0
+Description: cachedb test the cachedb-no-store option
+CreationDate: Wed 11 Oct 11:00:00 CEST 2023
+Maintainer: dr. W.C.A. Wijngaards
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: cachedb_no_store.pre
+Post: cachedb_no_store.post
+Test: cachedb_no_store.test
+AuxFiles:
+Passed:
+Failure:
diff --git a/contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.post b/contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.post
new file mode 100644
index 000000000000..320dcc3e3e3b
--- /dev/null
+++ b/contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.post
@@ -0,0 +1,20 @@
+# #-- cachedb_no_store.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+PRE="../.."
+. ../common.sh
+
+echo "> cat logfiles"
+cat fwd.log
+if test -f fwd2.log; then cat fwd2.log; else echo "no fwd2.log"; fi
+if test -f fwd3.log; then cat fwd3.log; else echo "no fwd3.log"; fi
+if test -f fwd4.log; then cat fwd4.log; else echo "no fwd4.log"; fi
+cat unbound.log
+if test -f unbound2.log; then cat unbound2.log; else echo "no unbound2.log"; fi
+kill_pid $FWD_PID
+kill_from_pidfile "unbound.pid"
+rm -f $CONTROL_PATH/controlpipe.$CONTROL_PID
diff --git a/contrib/unbound/testdata/zonemd_reload.tdir/zonemd_reload.pre b/contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.pre
index fa5e4ca29bbf..e59d3b8da759 100644
--- a/contrib/unbound/testdata/zonemd_reload.tdir/zonemd_reload.pre
+++ b/contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.pre
@@ -1,10 +1,13 @@
-# #-- zonemd_reload.pre--#
+# #-- cachedb_no_store.pre--#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
+PRE="../.."
. ../common.sh
+if grep "define USE_CACHEDB 1" $PRE/config.h; then echo test enabled; else skip_test "test skipped"; fi
+
get_random_port 2
UNBOUND_PORT=$RND_PORT
FWD_PORT=$(($RND_PORT + 1))
@@ -13,16 +16,15 @@ echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
# start forwarder
get_ldns_testns
-$LDNS_TESTNS -p $FWD_PORT zonemd_reload.testns >fwd.log 2>&1 &
+$LDNS_TESTNS -p $FWD_PORT cachedb_no_store.testns >fwd.log 2>&1 &
FWD_PID=$!
echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
# make config file
CONTROL_PATH=/tmp
CONTROL_PID=$$
-sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's?@CONTROL_PATH\@?'$CONTROL_PATH'?' -e 's/@CONTROL_PID@/'$CONTROL_PID'/' < zonemd_reload.conf > ub.conf
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's?@CONTROL_PATH\@?'$CONTROL_PATH'?' -e 's/@CONTROL_PID@/'$CONTROL_PID'/' < cachedb_no_store.conf > ub.conf
# start unbound in the background
-PRE="../.."
$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
UNBOUND_PID=$!
echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
@@ -32,4 +34,3 @@ echo "CONTROL_PID=$CONTROL_PID" >> .tpkg.var.test
cat .tpkg.var.test
wait_ldns_testns_up fwd.log
wait_unbound_up unbound.log
-
diff --git a/contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.servfail.testns b/contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.servfail.testns
new file mode 100644
index 000000000000..b41abb0ff629
--- /dev/null
+++ b/contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.servfail.testns
@@ -0,0 +1,8 @@
+ENTRY_BEGIN
+MATCH opcode
+ADJUST copy_id copy_query
+REPLY QR AA SERVFAIL
+SECTION QUESTION
+txt1.example.com. IN TXT
+SECTION ANSWER
+ENTRY_END
diff --git a/contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.test b/contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.test
new file mode 100644
index 000000000000..47a89656c6c2
--- /dev/null
+++ b/contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.test
@@ -0,0 +1,132 @@
+# #-- cachedb_no_store.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+
+# do the test
+get_ldns_testns
+
+# query for a text record that is stored by unbound's cache and cachedb
+# in the testframe cache.
+echo "> dig txt1.example.com."
+dig @127.0.0.1 -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
+if grep "example text message" outfile; then
+ echo "OK"
+else
+ echo "Not OK"
+ exit 1
+fi
+
+# stop the forwarder with servfail, to check the answer came from the cache
+echo "> stop ldns-testns"
+kill_pid $FWD_PID
+echo "> start ldns-testns with servfails"
+$LDNS_TESTNS -p $FWD_PORT cachedb_no_store.servfail.testns >fwd2.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+wait_ldns_testns_up fwd2.log
+
+echo "> dig txt1.example.com. from unbound cache"
+dig @127.0.0.1 -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
+if grep "example text message" outfile; then
+ echo "OK"
+else
+ echo "Not OK"
+ exit 1
+fi
+
+# clear the cache of unbound, but not cachedb testframe cache
+echo "> unbound-control flush"
+$PRE/unbound-control -c ub.conf flush_type txt1.example.com. TXT
+if test $? -ne 0; then
+ echo "wrong exit value."
+ exit 1
+else
+ echo "exit value: OK"
+fi
+
+echo "> dig txt1.example.com. from cachedb"
+dig @127.0.0.1 -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
+if grep "example text message" outfile; then
+ echo "OK"
+else
+ echo "Not OK"
+ exit 1
+fi
+
+# start the forwarder again.
+echo "> stop ldns-testns"
+kill_pid $FWD_PID
+echo "> start ldns-testns"
+$LDNS_TESTNS -p $FWD_PORT cachedb_no_store.testns >fwd3.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+wait_ldns_testns_up fwd3.log
+
+# stop unbound to flush the cachedb cache
+echo "> stop unbound"
+kill_from_pidfile "unbound.pid"
+
+echo ""
+echo "> config unbound with cachedb-no-store: yes"
+echo "cachedb: cachedb-no-store: yes" >> ub.conf
+
+# start unbound again.
+echo "> start unbound"
+$PRE/unbound -d -c ub.conf >unbound2.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+wait_unbound_up unbound2.log
+
+echo ""
+echo "> dig txt1.example.com."
+dig @127.0.0.1 -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
+if grep "example text message" outfile; then
+ echo "OK"
+else
+ echo "Not OK"
+ exit 1
+fi
+
+# stop the forwarder with servfail, to check the answer came from the cache
+echo "> stop ldns-testns"
+kill_pid $FWD_PID
+echo "> start ldns-testns with servfails"
+$LDNS_TESTNS -p $FWD_PORT cachedb_no_store.servfail.testns >fwd4.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+wait_ldns_testns_up fwd4.log
+
+echo "> dig txt1.example.com. from unbound cache"
+dig @127.0.0.1 -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
+if grep "example text message" outfile; then
+ echo "OK"
+else
+ echo "Not OK"
+ exit 1
+fi
+
+# clear the cache of unbound, but not cachedb testframe cache
+echo "> unbound-control flush"
+$PRE/unbound-control -c ub.conf flush_type txt1.example.com. TXT
+if test $? -ne 0; then
+ echo "wrong exit value."
+ exit 1
+else
+ echo "exit value: OK"
+fi
+
+echo "> dig txt1.example.com. from cachedb, but that has no message stored"
+dig @127.0.0.1 -p $UNBOUND_PORT txt1.example.com. TXT | tee outfile
+if grep "SERVFAIL" outfile; then
+ echo "OK"
+else
+ echo "Not OK"
+ exit 1
+fi
+
+exit 0
diff --git a/contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.testns b/contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.testns
new file mode 100644
index 000000000000..282b224f82bd
--- /dev/null
+++ b/contrib/unbound/testdata/cachedb_no_store.tdir/cachedb_no_store.testns
@@ -0,0 +1,9 @@
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+txt1.example.com. IN TXT
+SECTION ANSWER
+txt1.example.com. IN TXT "example text message"
+ENTRY_END
diff --git a/contrib/unbound/testdata/cachedb_servfail_cname.crpl b/contrib/unbound/testdata/cachedb_servfail_cname.crpl
new file mode 100644
index 000000000000..221f00d4df54
--- /dev/null
+++ b/contrib/unbound/testdata/cachedb_servfail_cname.crpl
@@ -0,0 +1,181 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: no
+ minimal-responses: no
+ ;serve-expired: yes
+ module-config: "cachedb iterator"
+
+cachedb:
+ backend: "testframe"
+ secret-seed: "testvalue"
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129
+CONFIG_END
+
+SCENARIO_BEGIN Test cachedb store and servfail reply from cname.
+; the servfail reply should not overwrite the cache contents.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com. IN NS ns2.example.com.
+SECTION ADDITIONAL
+ns2.example.com. IN A 1.2.3.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+foo.com. IN NS
+SECTION AUTHORITY
+foo.com. IN NS ns.example.com.
+ENTRY_END
+RANGE_END
+
+; ns2.example.com.
+RANGE_BEGIN 0 20
+ ADDRESS 1.2.3.5
+ENTRY_BEGIN
+MATCH opcode qname qtype
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 10 IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns2.example.com., now failing
+RANGE_BEGIN 20 100
+ ADDRESS 1.2.3.5
+ENTRY_BEGIN
+MATCH opcode qname qtype
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 10 IN CNAME foo.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname qtype
+REPLY QR AA SERVFAIL
+SECTION QUESTION
+foo.example.com. IN A
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname qtype
+REPLY QR AA SERVFAIL
+SECTION QUESTION
+ns2.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname qtype
+REPLY QR AA SERVFAIL
+SECTION QUESTION
+ns2.example.com. IN AAAA
+SECTION ANSWER
+ENTRY_END
+RANGE_END
+
+; get and entry in cache, to make it expired.
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; get the answer for it
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 10 IN A 1.2.3.4
+ENTRY_END
+
+; it is now expired
+STEP 20 TIME_PASSES ELAPSE 20
+
+; get a servfail in cache for the destination
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+foo.example.com. IN A
+ENTRY_END
+
+STEP 40 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA SERVFAIL
+SECTION QUESTION
+foo.example.com. IN A
+ENTRY_END
+
+; the query is now a CNAME to servfail.
+; there is a valid, but expired, entry in cache.
+STEP 50 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 60 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 10 IN CNAME foo.example.com.
+ENTRY_END
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/nsid_bogus.rpl b/contrib/unbound/testdata/disable_edns_do.rpl
index 1414163f8a6a..82a16da062f1 100644
--- a/contrib/unbound/testdata/nsid_bogus.rpl
+++ b/contrib/unbound/testdata/disable_edns_do.rpl
@@ -1,21 +1,18 @@
; config options
; The island of trust is at example.com
server:
- trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
- val-override-date: "20070916134226"
target-fetch-policy: "0 0 0 0 0"
qname-minimisation: "no"
- fake-sha1: yes
trust-anchor-signaling: no
minimal-responses: no
- nsid: "ascii_hopsa kidee"
+ disable-edns-do: yes
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
-SCENARIO_BEGIN Test for NSID in SERVFAIL response due to DNSSEC bogus
+SCENARIO_BEGIN Test lookup with disable-edns-do
; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
@@ -108,37 +105,37 @@ ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END
-; nodata for ns.example.com AAAA
+; response to query of interest, when sent with EDNS DO
ENTRY_BEGIN
-MATCH opcode qtype qname
+MATCH opcode qtype qname DO
ADJUST copy_id
-REPLY QR AA NOERROR
+REPLY QR AA DO NOERROR
SECTION QUESTION
-ns.example.com. IN AAAA
+www.example.com. IN A
SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
ENTRY_END
-
-; response to query of interest
+; response to query of interest, when sent without DO
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
-REPLY QR NOERROR
+REPLY QR AA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
-;good signature
-;www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
-;missing
-www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2855 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4=
SECTION AUTHORITY
example.com. IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
-ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
ENTRY_END
RANGE_END
@@ -147,28 +144,21 @@ ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.com. IN A
-SECTION ADDITIONAL
- HEX_EDNSDATA_BEGIN
- 00 03 ; Opcode NSID (3)
- 00 00 ; Length 0
- HEX_EDNSDATA_END
ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
-REPLY QR RD RA DO SERVFAIL
+REPLY QR RD RA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
SECTION ADDITIONAL
- HEX_EDNSDATA_BEGIN
- 00 03 ; Opcode NSID (3)
- 00 0b ; Length 11
- 68 6F 70 73 61 20 ; "hopsa "
- 6B 69 64 65 65 ; "kidee"
- HEX_EDNSDATA_END
+ns.example.com. IN A 1.2.3.4
ENTRY_END
SCENARIO_END
diff --git a/contrib/unbound/testdata/edns_attached_once_per_upstream.rpl b/contrib/unbound/testdata/edns_attached_once_per_upstream.rpl
deleted file mode 100644
index 19f1ba75df49..000000000000
--- a/contrib/unbound/testdata/edns_attached_once_per_upstream.rpl
+++ /dev/null
@@ -1,90 +0,0 @@
-; config options
-server:
- edns-client-string: 10.0.0.0/24 "abc d"
- outbound-msg-retry: 1
-
-stub-zone:
- name: "edns-string-abc."
- stub-addr: 10.0.0.3
- stub-first: yes
-
-forward-zone:
- name: "."
- forward-addr: 10.0.0.1
-
-CONFIG_END
-
-SCENARIO_BEGIN Test that upstream specific EDNS is attached once; uses string tag option
-
-RANGE_BEGIN 0 1000
- ADDRESS 10.0.0.3
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR SERVFAIL
-SECTION QUESTION
-edns-string-abc. IN A
-ENTRY_END
-RANGE_END
-
-RANGE_BEGIN 0 1000
- ADDRESS 10.0.0.1
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-edns-string-abc. IN A
-SECTION ANSWER
-edns-string-abc. IN A 10.20.30.40
-SECTION ADDITIONAL
-ENTRY_END
-RANGE_END
-
-STEP 10 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-edns-string-abc. IN A
-ENTRY_END
-
-; This will receive SERVFAIL and the next address will be queried
-STEP 20 CHECK_OUT_QUERY ADDRESS 10.0.0.3
-ENTRY_BEGIN
-MATCH qname qtype opcode ednsdata
-SECTION QUESTION
-edns-string-abc. IN A
-SECTION ADDITIONAL
- HEX_EDNSDATA_BEGIN
- fd e9 ; Opcode 65001
- 00 05 ; Length 5
- 61 62 63 20 64 ; "abc d"
- HEX_EDNSDATA_END
-ENTRY_END
-
-; This will receive the answer; makes sure that EDNS is attached once
-STEP 22 CHECK_OUT_QUERY ADDRESS 10.0.0.1
-ENTRY_BEGIN
-MATCH qname qtype opcode ednsdata
-SECTION QUESTION
-edns-string-abc. IN A
-SECTION ADDITIONAL
- HEX_EDNSDATA_BEGIN
- fd e9 ; Opcode 65001
- 00 05 ; Length 5
- 61 62 63 20 64 ; "abc d"
- HEX_EDNSDATA_END
-ENTRY_END
-
-
-STEP 30 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-edns-string-abc. IN A
-SECTION ANSWER
-edns-string-abc. IN A 10.20.30.40
-ENTRY_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/edns_downstream_cookies.rpl b/contrib/unbound/testdata/edns_downstream_cookies.rpl
new file mode 100644
index 000000000000..820bc5a7ca70
--- /dev/null
+++ b/contrib/unbound/testdata/edns_downstream_cookies.rpl
@@ -0,0 +1,235 @@
+; config options
+server:
+ answer-cookie: yes
+ cookie-secret: "000102030405060708090a0b0c0d0e0f"
+ access-control: 127.0.0.1 allow_cookie
+ access-control: 1.2.3.4 allow
+ local-data: "test. TXT test"
+
+CONFIG_END
+
+SCENARIO_BEGIN Test downstream DNS Cookies
+
+; Note: When a valid hash was required, it was generated by running this test
+; with an invalid one and checking the output for the valid one.
+; Actual hash generation is tested with unit tests.
+
+; Query without a client cookie ...
+STEP 0 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test. IN TXT
+ENTRY_END
+; ... get TC and refused
+STEP 1 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA TC REFUSED
+SECTION QUESTION
+test. IN TXT
+ENTRY_END
+
+; Query without a client cookie on TCP ...
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD
+MATCH TCP
+SECTION QUESTION
+test. IN TXT
+ENTRY_END
+; ... get an answer
+STEP 11 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+test. IN TXT
+SECTION ANSWER
+test. IN TXT "test"
+ENTRY_END
+
+; Query with only a client cookie ...
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test. IN TXT
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ 00 0a ; Opcode 10
+ 00 08 ; Length 8
+ 31 32 33 34 35 36 37 38 ; Random bits
+HEX_EDNSDATA_END
+ENTRY_END
+; ... get BADCOOKIE and a new cookie
+STEP 21 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all server_cookie
+REPLY QR RD RA DO YXRRSET ; BADCOOKIE is an extended rcode
+SECTION QUESTION
+test. IN TXT
+ENTRY_END
+
+; Query with an invalid cookie ...
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test. IN TXT
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ 00 0a ; Opcode 10
+ 00 18 ; Length 24
+ 31 32 33 34 35 36 37 38 ; Random bits
+ 02 00 00 00 ; wrong version
+ 00 00 00 00 ; Timestamp
+ 31 32 33 34 35 36 37 38 ; wrong hash
+HEX_EDNSDATA_END
+ENTRY_END
+; ... get BADCOOKIE and a new cookie
+STEP 31 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all server_cookie
+REPLY QR RD RA DO YXRRSET ; BADCOOKIE is an extended rcode
+SECTION QUESTION
+test. IN TXT
+ENTRY_END
+
+; Query with an invalid cookie from a non-cookie protected address ...
+STEP 40 QUERY ADDRESS 1.2.3.4
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test. IN TXT
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ 00 0a ; Opcode 10
+ 00 18 ; Length 24
+ 31 32 33 34 35 36 37 38 ; Random bits
+ 02 00 00 00 ; wrong version
+ 00 00 00 00 ; Timestamp
+ 31 32 33 34 35 36 37 38 ; wrong hash
+HEX_EDNSDATA_END
+ENTRY_END
+; ... get answer and a cookie
+STEP 41 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all server_cookie
+REPLY QR RD RA AA DO NOERROR
+SECTION QUESTION
+test. IN TXT
+SECTION ANSWER
+test. IN TXT "test"
+ENTRY_END
+
+; Query with a valid cookie ...
+STEP 50 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test. IN TXT
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ 00 0a ; Opcode 10
+ 00 18 ; Length 24
+ 31 32 33 34 35 36 37 38 ; Random bits
+ 01 00 00 00 ; Version/Reserved
+ 00 00 00 00 ; Timestamp
+ 38 52 7b a8 c6 a4 ea 96 ; Hash
+HEX_EDNSDATA_END
+ENTRY_END
+; ... get answer and the cookie
+STEP 51 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all server_cookie
+REPLY QR RD RA AA DO NOERROR
+SECTION QUESTION
+test. IN TXT
+SECTION ANSWER
+test. IN TXT "test"
+ENTRY_END
+
+; Query with a valid >30 minutes old cookie ...
+STEP 59 TIME_PASSES ELAPSE 1801
+STEP 60 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test. IN TXT
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ 00 0a ; Opcode 10
+ 00 18 ; Length 24
+ 31 32 33 34 35 36 37 38 ; Random bits
+ 01 00 00 00 ; Version/Reserved
+ 00 00 00 00 ; Timestamp
+ 38 52 7b a8 c6 a4 ea 96 ; Hash
+HEX_EDNSDATA_END
+ENTRY_END
+; ... Get answer and a refreshed cookie
+; (we don't check the re-freshness here; it has its own unit test)
+STEP 61 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all server_cookie
+REPLY QR RD RA AA DO NOERROR
+SECTION QUESTION
+test. IN TXT
+SECTION ANSWER
+test. IN TXT "test"
+ENTRY_END
+
+; Query with a hash-valid >60 minutes old cookie ...
+STEP 69 TIME_PASSES ELAPSE 3601
+STEP 70 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test. IN TXT
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ 00 0a ; Opcode 10
+ 00 18 ; Length 24
+ 31 32 33 34 35 36 37 38 ; Random bits
+ 01 00 00 00 ; Version/Reserved
+ 00 00 07 09 ; Timestamp (1801)
+ 77 81 38 e3 8f aa 72 86 ; Hash
+HEX_EDNSDATA_END
+ENTRY_END
+; ... get BADCOOKIE and a new cookie
+STEP 71 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all server_cookie
+REPLY QR RD RA DO YXRRSET ; BADCOOKIE is an extended rcode
+SECTION QUESTION
+test. IN TXT
+ENTRY_END
+
+; Query with a valid future (<5 minutes) cookie ...
+STEP 80 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test. IN TXT
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ 00 0a ; Opcode 10
+ 00 18 ; Length 24
+ 31 32 33 34 35 36 37 38 ; Random bits
+ 01 00 00 00 ; Version/Reserved
+ 00 00 16 45 ; Timestamp (1801 + 3601 + 299)
+ 4a f5 0f df f0 e8 c7 09 ; Hash
+HEX_EDNSDATA_END
+ENTRY_END
+; ... get an answer
+STEP 81 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all server_cookie
+REPLY QR RD RA AA DO NOERROR
+SECTION QUESTION
+test. IN TXT
+SECTION ANSWER
+test. IN TXT "test"
+ENTRY_END
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/fwd_error_retries.rpl b/contrib/unbound/testdata/fwd_error_retries.rpl
deleted file mode 100644
index b63086c0f46a..000000000000
--- a/contrib/unbound/testdata/fwd_error_retries.rpl
+++ /dev/null
@@ -1,27 +0,0 @@
-; config options
-server:
- outbound-msg-retry: 1
-
-forward-zone:
- name: "."
- forward-addr: 216.0.0.1
-CONFIG_END
-SCENARIO_BEGIN Test basic forwarding with servfail and retry of 1
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-; query fails with servfail, now we make only outgoing-msg-retry=1 retries
-STEP 2 ERROR
-; returns servfail
-STEP 14 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH opcode qname qtype
-SECTION QUESTION
-REPLY SERVFAIL QR RD RA
-MATCH all
-www.example.com. IN A
-ENTRY_END
-SCENARIO_END
diff --git a/contrib/unbound/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.conf b/contrib/unbound/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.conf
deleted file mode 100644
index 6daf2eeecc36..000000000000
--- a/contrib/unbound/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-server:
- verbosity: 5
- # num-threads: 1
- interface: 127.0.0.1
- port: @PORT@
- use-syslog: no
- directory: ""
- pidfile: "unbound.pid"
- chroot: ""
- username: ""
- do-not-query-localhost: no
-forward-zone:
- name: "tcp.example.com"
- forward-addr: "127.0.0.1@@TOPORT@"
- forward-tcp-upstream: "yes"
-forward-zone:
- name: "udp.example.com"
- forward-addr: "127.0.0.1@@TOPORT@"
- forward-tcp-upstream: "no"
-
diff --git a/contrib/unbound/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.dsc b/contrib/unbound/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.dsc
deleted file mode 100644
index 5b1f0d3d1ab4..000000000000
--- a/contrib/unbound/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.dsc
+++ /dev/null
@@ -1,16 +0,0 @@
-BaseName: fwd_udp_with_tcp_upstream
-Version: 1.0
-Description: Forward an UDP packet to upstream via TCP and return reply.
-CreationDate: Thu Aug 5 07:44:41 CEST 2021
-Maintainer: ziollek
-Category:
-Component:
-CmdDepends:
-Depends:
-Help:
-Pre: fwd_udp_with_tcp_upstream.pre
-Post: fwd_udp_with_tcp_upstream.post
-Test: fwd_udp_with_tcp_upstream.test
-AuxFiles:
-Passed:
-Failure:
diff --git a/contrib/unbound/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.post b/contrib/unbound/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.post
deleted file mode 100644
index 0013eca71a4d..000000000000
--- a/contrib/unbound/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.post
+++ /dev/null
@@ -1,10 +0,0 @@
-# #-- fwd_udp_with_tcp_upstream.post --#
-# source the master var file when it's there
-[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
-# source the test var file when it's there
-[ -f .tpkg.var.test ] && source .tpkg.var.test
-#
-# do your teardown here
-. ../common.sh
-kill_pid $FWD_PID
-kill_pid $UNBOUND_PID
diff --git a/contrib/unbound/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.pre b/contrib/unbound/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.pre
deleted file mode 100644
index 546787a5fc9f..000000000000
--- a/contrib/unbound/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.pre
+++ /dev/null
@@ -1,31 +0,0 @@
-# #-- fwd_udp_with_tcp_upstream.pre--#
-# source the master var file when it's there
-[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
-# use .tpkg.var.test for in test variable passing
-[ -f .tpkg.var.test ] && source .tpkg.var.test
-
-. ../common.sh
-get_random_port 2
-UNBOUND_PORT=$RND_PORT
-FWD_PORT=$(($RND_PORT + 1))
-echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
-echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
-
-# start forwarder
-get_ldns_testns
-$LDNS_TESTNS -p $FWD_PORT fwd_udp_with_tcp_upstream.testns >fwd.log 2>&1 &
-FWD_PID=$!
-echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
-
-# make config file
-sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < fwd_udp_with_tcp_upstream.conf > ub.conf
-# start unbound in the background
-PRE="../.."
-$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
-UNBOUND_PID=$!
-echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
-
-cat .tpkg.var.test
-wait_ldns_testns_up fwd.log
-wait_unbound_up unbound.log
-
diff --git a/contrib/unbound/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.test b/contrib/unbound/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.test
deleted file mode 100644
index fad6497beb15..000000000000
--- a/contrib/unbound/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.test
+++ /dev/null
@@ -1,35 +0,0 @@
-# #-- fwd_udp_with_tcp_upstream.test --#
-# source the master var file when it's there
-[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
-# use .tpkg.var.test for in test variable passing
-[ -f .tpkg.var.test ] && source .tpkg.var.test
-
-PRE="../.."
-# do the test
-echo "> dig tcp.example.com."
-dig @localhost -p $UNBOUND_PORT tcp.example.com. | tee outfile
-echo "> cat logfiles"
-cat fwd.log
-cat unbound.log
-echo "> check answer"
-if grep "10.20.30.40" outfile; then
- echo "OK"
-else
- echo "Not OK"
- exit 1
-fi
-
-echo "> dig udp.example.com."
-dig @localhost -p $UNBOUND_PORT udp.example.com. | tee outfile
-echo "> cat logfiles"
-cat fwd.log
-cat unbound.log
-echo "> check answer"
-if grep "10.20.30.80" outfile; then
- echo "OK"
-else
- echo "Not OK"
- exit 1
-fi
-
-exit 0
diff --git a/contrib/unbound/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.testns b/contrib/unbound/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.testns
deleted file mode 100644
index 04089af0e1b6..000000000000
--- a/contrib/unbound/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.testns
+++ /dev/null
@@ -1,25 +0,0 @@
-; nameserver test file
-$ORIGIN example.com.
-$TTL 3600
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-MATCH TCP
-REPLY QR AA NOERROR
-ADJUST copy_id
-SECTION QUESTION
-tcp IN A
-SECTION ANSWER
-tcp IN A 10.20.30.40
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-MATCH UDP
-REPLY QR AA NOERROR
-ADJUST copy_id
-SECTION QUESTION
-udp IN A
-SECTION ANSWER
-udp IN A 10.20.30.80
-ENTRY_END
diff --git a/contrib/unbound/testdata/http_user_agent.tdir/127.0.0.1/example.com.zone b/contrib/unbound/testdata/http_user_agent.tdir/127.0.0.1/example.com.zone
deleted file mode 100644
index 695eb1c32bd4..000000000000
--- a/contrib/unbound/testdata/http_user_agent.tdir/127.0.0.1/example.com.zone
+++ /dev/null
@@ -1,3 +0,0 @@
-example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
-example.com. IN NS ns.example.net.
-www.example.com. IN A 1.2.3.4
diff --git a/contrib/unbound/testdata/http_user_agent.tdir/http_user_agent.dsc b/contrib/unbound/testdata/http_user_agent.tdir/http_user_agent.dsc
deleted file mode 100644
index 6b24c43fc7ab..000000000000
--- a/contrib/unbound/testdata/http_user_agent.tdir/http_user_agent.dsc
+++ /dev/null
@@ -1,16 +0,0 @@
-BaseName: http_user_agent
-Version: 1.0
-Description: Check the http-user-agent configuration
-CreationDate: Wed 2 Jun 13:59:26 CEST 2021
-Maintainer:
-Category:
-Component:
-CmdDepends:
-Depends:
-Help:
-Pre: http_user_agent.pre
-Post: http_user_agent.post
-Test: http_user_agent.test
-AuxFiles:
-Passed:
-Failure:
diff --git a/contrib/unbound/testdata/http_user_agent.tdir/http_user_agent.post b/contrib/unbound/testdata/http_user_agent.tdir/http_user_agent.post
deleted file mode 100644
index 797ff57c8bbc..000000000000
--- a/contrib/unbound/testdata/http_user_agent.tdir/http_user_agent.post
+++ /dev/null
@@ -1,11 +0,0 @@
-# #-- http_user_agent.post --#
-# source the master var file when it's there
-[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
-# source the test var file when it's there
-[ -f .tpkg.var.test ] && source .tpkg.var.test
-#
-# do your teardown here
-PRE="../.."
-. ../common.sh
-kill_pid $UNBOUND_PID
-kill_pid $PETAL_PID
diff --git a/contrib/unbound/testdata/http_user_agent.tdir/http_user_agent.pre b/contrib/unbound/testdata/http_user_agent.tdir/http_user_agent.pre
deleted file mode 100644
index e94bd536edb4..000000000000
--- a/contrib/unbound/testdata/http_user_agent.tdir/http_user_agent.pre
+++ /dev/null
@@ -1,37 +0,0 @@
-# #-- http_user_agent.pre--#
-# source the master var file when it's there
-[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
-# use .tpkg.var.test for in test variable passing
-[ -f .tpkg.var.test ] && source .tpkg.var.test
-
-PRE="../.."
-. ../common.sh
-get_random_port 3
-UNBOUND_PORT=$RND_PORT
-PETAL_PORT=$(($RND_PORT + 1))
-CONTROL_PORT=$(($RND_PORT + 3))
-echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
-echo "PETAL_PORT=$PETAL_PORT" >> .tpkg.var.test
-echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
-
-get_make
-(cd $PRE; $MAKE petal)
-
-# start https daemon
-# More verbosity because we need to see the HTTP headers
-$PRE/petal -vv -a "127.0.0.1" -p $PETAL_PORT >petal.log 2>&1 &
-PETAL_PID=$!
-echo "PETAL_PID=$PETAL_PID" >> .tpkg.var.test
-cat .tpkg.var.test
-wait_petal_up petal.log
-
-# make config file
-sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$PETAL_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/'< http_user_agent.conf > ub.conf
-# start unbound in the background
-$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
-UNBOUND_PID=$!
-echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
-
-cat .tpkg.var.test
-wait_unbound_up unbound.log
-
diff --git a/contrib/unbound/testdata/http_user_agent.tdir/http_user_agent.test b/contrib/unbound/testdata/http_user_agent.tdir/http_user_agent.test
deleted file mode 100644
index dce2d476c8f6..000000000000
--- a/contrib/unbound/testdata/http_user_agent.tdir/http_user_agent.test
+++ /dev/null
@@ -1,103 +0,0 @@
-# #-- http_user_agent.test --#
-# source the master var file when it's there
-[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
-# use .tpkg.var.test for in test variable passing
-[ -f .tpkg.var.test ] && source .tpkg.var.test
-
-PRE="../.."
-
-# Query and check check that we get the correct answer from the auth_zone
-query () {
- echo "> dig www.example.com."
- dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
- if grep SERVFAIL outfile; then
- echo "> try again"
- dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
- fi
- if grep SERVFAIL outfile; then
- echo "> try again"
- sleep 1
- dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
- fi
- if grep SERVFAIL outfile; then
- echo "> try again"
- sleep 1
- dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
- fi
- if grep SERVFAIL outfile; then
- echo "> try again"
- sleep 1
- dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
- fi
- if grep SERVFAIL outfile; then
- echo "> try again"
- sleep 10
- dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
- fi
- if grep SERVFAIL outfile; then
- echo "> try again"
- sleep 10
- dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
- fi
- echo "> check answer"
- if grep "1.2.3.4" outfile; then
- echo "OK"
- else
- echo "Not OK"
- exit 1
- fi
-}
-
-# Reload the configuration and retransfer the zone
-reload_and_retransfer () {
- echo "> Reloading Unbound"
- echo "$PRE/unbound-control -c ub.conf reload"
- $PRE/unbound-control -c ub.conf reload
- if test $? -ne 0; then
- echo "wrong exit value from unbound-control"
- exit 1
- fi
- echo "> Refetching example.com"
- echo "$PRE/unbound-control -c ub.conf auth_zone_transfer example.com"
- $PRE/unbound-control -c ub.conf auth_zone_transfer example.com
- if test $? -ne 0; then
- echo "wrong exit value from unbound-control"
- exit 1
- fi
-}
-
-# do the test
-query
-# add custom http-user-agent
-echo "server: http-user-agent: customUA" >> ub.conf
-reload_and_retransfer
-query
-# hide http-user-agent
-echo "server: hide-http-user-agent: yes" >> ub.conf
-reload_and_retransfer
-query
-
-echo "> cat logfiles"
-cat petal.log
-cat unbound.log
-
-# check petal.log for the correct number of occurrences.
-# It should be 2 User-Agents, one being the custom.
-echo "> check User-Agent occurrences"
-occurrences=`grep "User-Agent:" petal.log | wc -l`
-echo $occurrences
-if test $occurrences -eq 2; then
- echo "OK"
-else
- echo "Not OK"
- exit 1
-fi
-echo "> check custom User-Agent"
-if grep "User-Agent: customUA" petal.log; then
- echo "OK"
-else
- echo "Not OK"
- exit 1
-fi
-
-exit 0
diff --git a/contrib/unbound/testdata/http_user_agent.tdir/petal.key b/contrib/unbound/testdata/http_user_agent.tdir/petal.key
deleted file mode 100644
index 6614e498fcd2..000000000000
--- a/contrib/unbound/testdata/http_user_agent.tdir/petal.key
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIDfQIBAAKBwQC1xQ/Kca6zszZbcCtdOTIH2Uy2gOy/DfabMUU7TmNPm0dVE0NJ
-RuN+Rm304SonpwghfP2/ULZNnuDgpG03/32yI7k/VzG6iA4hiF7tT/KAAWC/+2l1
-QCsawCV2bSrFK0VhcZr7ALqXd8vkDaQ867K029ypjOQtAJ85qdO3mERy7TGtdUcu
-O6hLeVet419YeQ2F8cfNxn63d7bOzNGLPW5xwaCd3UcgD+Ib0k4xfFvbinvPQUeU
-J/i4YDWexFYSL+ECAwEAAQKBwCLXXQl+9O+5AEhSnd1Go1Jh0pSA7eBJOuXQcebG
-Rb7ykp+6C4G2NtDziwwPRNdI6wQQQ0sym18RfyVQHydGr78/nbiIbB3HCn5e92Mh
-mefzW6ow9Kvm2txLzGKA1lvoyRbNm81jnG/eygi3u7Nqd5PNv+4dHj2RkTlmxOeh
-qnDMVP5md8uZPv6lYNnrnIzvLCR5vnPNdVwn89AqzI85IcDZdy0R9ZX4NBbsDgAU
-6ig6uXuRXvSGiyJ/OUXSrnogaQJhAOjvkHUhVZQkPOxO90TNH4j0GdKKtbSWxIdz
-lKfuJeBAEqs0TL+C6vbS81Xw3W1alyDdUBk3rJMOBqW6Ryq5HNL+j5H+Jfsh7fvc
-Yle+5wHGci0P9zCFZCrY8It7n9XFIwJhAMfEi6oJa2G8waPJ1bQhxka82Tf9pnKM
-XCn/1BBOFjVIx5F842cpA+zp5a62GENTGYPQTTRBB/2/ZwnW5aIkrlg54AtmbqBZ
-Oh+2kJdJQD/tfoVmc5soUE2ScTHadK5RKwJhAN4w9kjkXS+MSZjX0kIMsBIBVkhh
-C+aREjJqa9ir7/Ey7RvmLXdYuCxtGLRXp7/R8+rjcK49Tx6O+IRJZe042mfhbq3C
-EhS1Tr86f4xXix9EXlDhs9bSxrOgcAN9Dv/opQJhAK7eBcPaav0rVfYh/8emqQHS
-3fJ9Pu6WnzbEksWTFS2ff9KDGCx9YspIFJ5TF/oXDAaumGZdZrlgirm6O1kr8tGY
-F97i04PZl1+bWAaWQH+1TUNI43m2WFUPE7coG2tb8QJgcddDg9VlXliZqgcETZfJ
-kJmYETxrcSn3ao6v116N8yxhEgUgjkmsCTiFgx36iDVnXwK6PIt+sIu8MC7eYNa3
-berrv/M21K0LRn20IWRxvUobG070weHCAgkko7fTWgr2
------END RSA PRIVATE KEY-----
diff --git a/contrib/unbound/testdata/http_user_agent.tdir/petal.pem b/contrib/unbound/testdata/http_user_agent.tdir/petal.pem
deleted file mode 100644
index 19c8b895ba86..000000000000
--- a/contrib/unbound/testdata/http_user_agent.tdir/petal.pem
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICFzCCAUACCQDO660L5y5LGDANBgkqhkiG9w0BAQUFADAQMQ4wDAYDVQQDEwVw
-ZXRhbDAeFw0xMDA5MzAxMzQzMDFaFw0zMDA2MTcxMzQzMDFaMBAxDjAMBgNVBAMT
-BXBldGFsMIHfMA0GCSqGSIb3DQEBAQUAA4HNADCByQKBwQC1xQ/Kca6zszZbcCtd
-OTIH2Uy2gOy/DfabMUU7TmNPm0dVE0NJRuN+Rm304SonpwghfP2/ULZNnuDgpG03
-/32yI7k/VzG6iA4hiF7tT/KAAWC/+2l1QCsawCV2bSrFK0VhcZr7ALqXd8vkDaQ8
-67K029ypjOQtAJ85qdO3mERy7TGtdUcuO6hLeVet419YeQ2F8cfNxn63d7bOzNGL
-PW5xwaCd3UcgD+Ib0k4xfFvbinvPQUeUJ/i4YDWexFYSL+ECAwEAATANBgkqhkiG
-9w0BAQUFAAOBwQBBkX9KDP2RXbg+xPmdJ4P6CwvA5x1LZwC++ydVx4NlvT0pWicD
-ZUnXjcWAJlkeOuUBAqFG7WHTrXpUUAjmdqFVq2yFjteUYBdrFz0RDB2jM9feeKYO
-mTgxdZyT9a6humxCxt5VfgT02axLjm/2AqCyFPMbf4PASoJDln01AEuZLZ8Xl2gV
-bYHMnHTGoD1Hu6FNEzRgkMC6XT8X3YjHvzQhpc/qL5wEfEsinQGdX4twsuWbf8xd
-q7miNnkO8vd0maw=
------END CERTIFICATE-----
diff --git a/contrib/unbound/testdata/ratelimit.tdir/ratelimit.conf b/contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.conf
index 5d2456c39311..ae7d0cda0d9d 100644
--- a/contrib/unbound/testdata/ratelimit.tdir/ratelimit.conf
+++ b/contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.conf
@@ -8,15 +8,14 @@ server:
pidfile: "unbound.pid"
chroot: ""
username: ""
- do-not-query-localhost: no
+ local-data: "test. IN TXT localdata"
- ratelimit: 1
- ratelimit-factor: 0
-
-stub-zone:
- name: "example.com."
- stub-addr: "127.0.0.1@@TOPORT@"
- stub-no-cache: yes
+ ip-ratelimit: 1
+ ip-ratelimit-cookie: 0
+ ip-ratelimit-factor: 0
+ ip-ratelimit-backoff: yes
+ answer-cookie: yes
+ access-control: 127.0.0.0/8 allow_cookie
remote-control:
control-enable: yes
diff --git a/contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.dsc b/contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.dsc
new file mode 100644
index 000000000000..a6f6192360cd
--- /dev/null
+++ b/contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.dsc
@@ -0,0 +1,16 @@
+BaseName: ip_ratelimit
+Version: 1.0
+Description: Test IP source ratelimit.
+CreationDate: Tue Aug 8 00:00:00 CET 2023
+Maintainer: Yorgos Thessalonikefs
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: ip_ratelimit.pre
+Post: ip_ratelimit.post
+Test: ip_ratelimit.test
+AuxFiles:
+Passed:
+Failure:
diff --git a/contrib/unbound/testdata/ratelimit.tdir/ratelimit.post b/contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.post
index 6738ed55ad07..1f86d008587d 100644
--- a/contrib/unbound/testdata/ratelimit.tdir/ratelimit.post
+++ b/contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.post
@@ -1,4 +1,4 @@
-# #-- ratelimit.post --#
+# #-- ip_ratelimit.post --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# source the test var file when it's there
@@ -6,7 +6,6 @@
#
# do your teardown here
. ../common.sh
-kill_pid $STUB_PID
kill_pid $UNBOUND_PID
if test -f unbound.log; then
echo ">>> unbound log"
diff --git a/contrib/unbound/testdata/ratelimit.tdir/ratelimit.pre b/contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.pre
index 2404cfc00b93..c4589a0ea4fe 100644
--- a/contrib/unbound/testdata/ratelimit.tdir/ratelimit.pre
+++ b/contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.pre
@@ -1,4 +1,4 @@
-# #-- ratelimit.pre--#
+# #-- ip_ratelimit.pre--#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
@@ -8,26 +8,17 @@ PRE="../.."
. ../common.sh
get_random_port 2
UNBOUND_PORT=$RND_PORT
-STUB_PORT=$(($RND_PORT + 1))
-CONTROL_PORT=$(($RND_PORT + 2))
+CONTROL_PORT=$(($RND_PORT + 1))
echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
-echo "STUB_PORT=$STUB_PORT" >> .tpkg.var.test
echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
-# start ldns-testns
-get_ldns_testns
-$LDNS_TESTNS -v -p $STUB_PORT ratelimit.testns >stub.log 2>&1 &
-STUB_PID=$!
-echo "STUB_PID=$STUB_PID" >> .tpkg.var.test
-
# make config file
-sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$STUB_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < ratelimit.conf > ub.conf
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < ip_ratelimit.conf > ub.conf
# start unbound in the background
$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
UNBOUND_PID=$!
echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
-wait_ldns_testns_up stub.log
wait_unbound_up unbound.log
cat .tpkg.var.test
diff --git a/contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.test b/contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.test
new file mode 100644
index 000000000000..f58b7edcbe2a
--- /dev/null
+++ b/contrib/unbound/testdata/ip_ratelimit.tdir/ip_ratelimit.test
@@ -0,0 +1,165 @@
+# #-- ip_ratelimit.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+
+get_make
+(cd $PRE; $MAKE streamtcp)
+
+# These tests rely on second time precision. To combat false negatives the
+# tests run multiple times and we allow 1/3 of the runs to fail.
+total_runs=6
+success_threshold=4 # 2/3*total_runs
+
+if dig -h 2>&1 | grep "cookie" >/dev/null; then
+ nocookie="+nocookie"
+else
+ nocookie=""
+fi
+
+echo "> First get a valid cookie"
+dig @127.0.0.1 -p $UNBOUND_PORT +ednsopt=10:0102030405060708 $nocookie +tcp +retry=0 +time=1 test. TXT >outfile 2>&1
+if test "$?" -ne 0; then
+ echo "exit status not OK"
+ echo "> cat logfiles"
+ cat outfile
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+if test `grep "COOKIE: " outfile | wc -l` -ne 1; then
+ echo "Could not get cookie"
+ echo "> cat logfiles"
+ cat outfile
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+cookie=`grep "COOKIE: " outfile | cut -d ' ' -f 3`
+
+successes=0
+echo "> Three parallel queries with backoff and cookie"
+# For this test we send three parallel queries. The ratelimit should be reached
+# for that second. We send a query to verify that there is no reply.
+# Then for the next second we again send three parallel queries and we expect
+# none of them to be allowed through because of the backoff logic that keeps
+# rolling the RATE_WINDOW based on demand.
+# Again we send another query but with a valid cookie and we expect to receive
+# an answer.
+for i in $(seq 1 $total_runs); do
+ # Try to hit limit
+ $PRE/streamtcp -nu -f 127.0.0.1@$UNBOUND_PORT test. TXT IN test. TXT IN test. TXT IN >outfile 2>&1
+ if test "$?" -ne 0; then
+ echo "exit status not OK"
+ echo "> cat logfiles"
+ cat outfile
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+ fi
+ # Expect no answer because of limit
+ dig @127.0.0.1 -p $UNBOUND_PORT $nocookie +retry=0 +time=1 test. TXT >outfile 2>&1
+ if test "$?" -eq 0; then
+ continue
+ fi
+ # Try to keep limit
+ $PRE/streamtcp -nu -f 127.0.0.1@$UNBOUND_PORT test. TXT IN test. TXT IN test. TXT IN >outfile 2>&1
+ if test "$?" -ne 0; then
+ echo "exit status not OK"
+ echo "> cat logfiles"
+ cat outfile
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+ fi
+ # Expect answer because of DNS cookie
+ dig @127.0.0.1 -p $UNBOUND_PORT +ednsopt=10:$cookie $nocookie +retry=0 +time=1 test. TXT >outfile 2>&1
+ if test "$?" -ne 0; then
+ continue
+ fi
+ ((successes++))
+ # We don't have to wait for all the runs to complete if we know
+ # we passed the threshold.
+ if test $successes -ge $success_threshold; then
+ break
+ fi
+done
+
+if test $successes -ge $success_threshold; then
+ echo "Three parallel queries with backoff and cookie OK"
+else
+ echo "Three parallel queries with backoff and cookie NOT OK"
+ echo "> cat logfiles"
+ cat outfile
+ cat unbound.log
+ echo "Three parallel queries with backoff and cookie NOT OK"
+ exit 1
+fi
+
+echo "> Activating ip-ratelimit-cookie"
+echo "$PRE/unbound-control -c ub.conf set_option ip-ratelimit-cookie: 1"
+$PRE/unbound-control -c ub.conf set_option ip-ratelimit-cookie: 1
+if test $? -ne 0; then
+ echo "wrong exit value after success"
+ exit 1
+fi
+
+successes=0
+echo "> Three parallel queries with backoff and cookie with ip-ratelimit-cookie"
+# This is the exact same test as above with the exception that we don't expect
+# an answer on the last query because ip-ratelimit-cookie is now enabled.
+for i in $(seq 1 $total_runs); do
+ # Try to hit limit
+ $PRE/streamtcp -nu -f 127.0.0.1@$UNBOUND_PORT test. TXT IN test. TXT IN test. TXT IN >outfile 2>&1
+ if test "$?" -ne 0; then
+ echo "exit status not OK"
+ echo "> cat logfiles"
+ cat outfile
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+ fi
+ # Expect no answer because of limit
+ dig @127.0.0.1 -p $UNBOUND_PORT $nocookie +retry=0 +time=1 test. TXT >outfile 2>&1
+ if test "$?" -eq 0; then
+ continue
+ fi
+ # Try to keep limit
+ $PRE/streamtcp -nu -f 127.0.0.1@$UNBOUND_PORT test. TXT IN test. TXT IN test. TXT IN >outfile 2>&1
+ if test "$?" -ne 0; then
+ echo "exit status not OK"
+ echo "> cat logfiles"
+ cat outfile
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+ fi
+ # Expect no answer because of ip-ratelimit-cookie
+ dig @127.0.0.1 -p $UNBOUND_PORT +ednsopt=10:$cookie $nocookie +retry=0 +time=1 test. TXT >outfile 2>&1
+ if test "$?" -eq 0; then
+ continue
+ fi
+ ((successes++))
+ # We don't have to wait for all the runs to complete if we know
+ # we passed the threshold.
+ if test $successes -ge $success_threshold; then
+ break
+ fi
+done
+
+if test $successes -ge $success_threshold; then
+ echo "Three parallel queries with backoff and cookie with ip-ratelimit-cookie OK"
+else
+ echo "Three parallel queries with backoff and cookie with ip-ratelimit-cookie NOT OK"
+ echo "> cat logfiles"
+ cat outfile
+ cat unbound.log
+ echo "Three parallel queries with backoff and cookie with ip-ratelimit-cookie NOT OK"
+ exit 1
+fi
+
+exit 0
diff --git a/contrib/unbound/testdata/http_user_agent.tdir/unbound_control.key b/contrib/unbound/testdata/ip_ratelimit.tdir/unbound_control.key
index 753a4ef6162e..753a4ef6162e 100644
--- a/contrib/unbound/testdata/http_user_agent.tdir/unbound_control.key
+++ b/contrib/unbound/testdata/ip_ratelimit.tdir/unbound_control.key
diff --git a/contrib/unbound/testdata/http_user_agent.tdir/unbound_control.pem b/contrib/unbound/testdata/ip_ratelimit.tdir/unbound_control.pem
index a1edf7017f1d..a1edf7017f1d 100644
--- a/contrib/unbound/testdata/http_user_agent.tdir/unbound_control.pem
+++ b/contrib/unbound/testdata/ip_ratelimit.tdir/unbound_control.pem
diff --git a/contrib/unbound/testdata/http_user_agent.tdir/unbound_server.key b/contrib/unbound/testdata/ip_ratelimit.tdir/unbound_server.key
index 370a7bbb2f22..370a7bbb2f22 100644
--- a/contrib/unbound/testdata/http_user_agent.tdir/unbound_server.key
+++ b/contrib/unbound/testdata/ip_ratelimit.tdir/unbound_server.key
diff --git a/contrib/unbound/testdata/http_user_agent.tdir/unbound_server.pem b/contrib/unbound/testdata/ip_ratelimit.tdir/unbound_server.pem
index 986807310f2b..986807310f2b 100644
--- a/contrib/unbound/testdata/http_user_agent.tdir/unbound_server.pem
+++ b/contrib/unbound/testdata/ip_ratelimit.tdir/unbound_server.pem
diff --git a/contrib/unbound/testdata/iter_cname_minimise_nx.rpl b/contrib/unbound/testdata/iter_cname_minimise_nx.rpl
new file mode 100644
index 000000000000..a04eb8b24791
--- /dev/null
+++ b/contrib/unbound/testdata/iter_cname_minimise_nx.rpl
@@ -0,0 +1,245 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: yes
+ module-config: "validator iterator"
+ trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
+ val-override-date: "20070916134226"
+ fake-sha1: yes
+ trust-anchor-signaling: no
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test cname chain resolution of nxdomain with qname minimisation.
+; the qtype CNAME lookup has NXDOMAIN.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.44
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.44
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.44
+ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. AAZrcta3WCyz0iq2p78gmcPpXbmXPP9nQXM/czH1R9ilCaEoV8E27UU=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ns.example.com. IN A
+SECTION ANSWER
+ns.example.com. IN A 1.2.3.44
+ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. AAZrcta3WCyz0iq2p78gmcPpXbmXPP9nQXM/czH1R9ilCaEoV8E27UU=
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+ENTRY_END
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.44
+ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. AAZrcta3WCyz0iq2p78gmcPpXbmXPP9nQXM/czH1R9ilCaEoV8E27UU=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ns.example.com. IN AAAA
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.44
+ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. AAZrcta3WCyz0iq2p78gmcPpXbmXPP9nQXM/czH1R9ilCaEoV8E27UU=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. 300 IN SOA a. b. 1 2 3 4 300
+example.com. 300 IN RRSIG SOA 3 2 300 20070926134150 20070829134150 2854 example.com. AFPx1ZhcHixnxfB90ha4zgp7A+EdM8L63tUnVdlI5B14NiRIXONPDB4=
+v.example.com. IN NSEC x.example.com. A AAAA RRSIG NSEC
+v.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AFT0Ao01lUN8Ppa9QPayQIN9ZtNIj4TzyhUQV31+FhNRK5uSQhiVwMc=
+example.com. 3600 IN NSEC abc.example.com. NS SOA RRSIG NSEC DNSKEY
+example.com. 3600 IN RRSIG NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. ABEOu6iietfjKY1MS0TutZZxUtRYA6XKsC1rMTrenwBF2darY3/Emco=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+c.example.com. IN A
+SECTION ANSWER
+c.example.com. 10 IN CNAME www.example.com.
+c.example.com. 10 IN RRSIG CNAME 3 3 10 20070926134150 20070829134150 2854 example.com. ABT7twnK5qkCBKnaOHxFthUOK+3rBge1wEMItoFPdf16OoVdfccYU2U=
+SECTION AUTHORITY
+example.com. 300 IN SOA a. b. 1 2 3 4 300
+example.com. 300 IN RRSIG SOA 3 2 300 20070926134150 20070829134150 2854 example.com. AFPx1ZhcHixnxfB90ha4zgp7A+EdM8L63tUnVdlI5B14NiRIXONPDB4=
+v.example.com. IN NSEC x.example.com. A AAAA RRSIG NSEC
+v.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AFT0Ao01lUN8Ppa9QPayQIN9ZtNIj4TzyhUQV31+FhNRK5uSQhiVwMc=
+example.com. 3600 IN NSEC abc.example.com. NS SOA RRSIG NSEC DNSKEY
+example.com. 3600 IN RRSIG NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. ABEOu6iietfjKY1MS0TutZZxUtRYA6XKsC1rMTrenwBF2darY3/Emco=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+c.example.com. IN CNAME
+SECTION ANSWER
+c.example.com. 10 IN CNAME www.example.com.
+c.example.com. 10 IN RRSIG CNAME 3 3 10 20070926134150 20070829134150 2854 example.com. ABT7twnK5qkCBKnaOHxFthUOK+3rBge1wEMItoFPdf16OoVdfccYU2U=
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+c.example.com. IN CNAME
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+c.example.com. IN CNAME
+SECTION ANSWER
+c.example.com. 10 IN CNAME www.example.com.
+c.example.com. 10 IN RRSIG CNAME 3 3 10 20070926134150 20070829134150 2854 example.com. ABT7twnK5qkCBKnaOHxFthUOK+3rBge1wEMItoFPdf16OoVdfccYU2U=
+ENTRY_END
+
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+c.example.com. IN CNAME
+ENTRY_END
+
+STEP 40 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+c.example.com. IN CNAME
+SECTION ANSWER
+c.example.com. 10 IN CNAME www.example.com.
+c.example.com. 10 IN RRSIG CNAME 3 3 10 20070926134150 20070829134150 2854 example.com. ABT7twnK5qkCBKnaOHxFthUOK+3rBge1wEMItoFPdf16OoVdfccYU2U=
+ENTRY_END
+
+STEP 50 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+c.example.com. IN A
+ENTRY_END
+
+STEP 60 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NXDOMAIN
+SECTION QUESTION
+c.example.com. IN A
+SECTION ANSWER
+c.example.com. 10 IN CNAME www.example.com.
+c.example.com. 10 IN RRSIG CNAME 3 3 10 20070926134150 20070829134150 2854 example.com. ABT7twnK5qkCBKnaOHxFthUOK+3rBge1wEMItoFPdf16OoVdfccYU2U=
+SECTION AUTHORITY
+example.com. 300 IN SOA a. b. 1 2 3 4 300
+example.com. 300 IN RRSIG SOA 3 2 300 20070926134150 20070829134150 2854 example.com. AFPx1ZhcHixnxfB90ha4zgp7A+EdM8L63tUnVdlI5B14NiRIXONPDB4=
+v.example.com. IN NSEC x.example.com. A AAAA RRSIG NSEC
+v.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AFT0Ao01lUN8Ppa9QPayQIN9ZtNIj4TzyhUQV31+FhNRK5uSQhiVwMc=
+example.com. 3600 IN NSEC abc.example.com. NS SOA RRSIG NSEC DNSKEY
+example.com. 3600 IN RRSIG NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. ABEOu6iietfjKY1MS0TutZZxUtRYA6XKsC1rMTrenwBF2darY3/Emco=
+ENTRY_END
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/iter_dname_ttl.rpl b/contrib/unbound/testdata/iter_dname_ttl.rpl
new file mode 100644
index 000000000000..115947af3ab3
--- /dev/null
+++ b/contrib/unbound/testdata/iter_dname_ttl.rpl
@@ -0,0 +1,310 @@
+; config options
+; The island of trust is at example.com
+; validation is enabled because the pickup of DNAME from cache wants
+; a DNSSEC signed DNAME.
+server:
+ trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
+ trust-anchor: "example.net. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}"
+ val-override-date: "20070916134226"
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: "no"
+ fake-sha1: yes
+ trust-anchor-signaling: no
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test iterator for TTL of synthesized CNAME of a DNAME from cache.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+net. IN A
+SECTION AUTHORITY
+net. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+net. IN NS
+SECTION ANSWER
+net. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.net. IN A
+SECTION AUTHORITY
+example.net. IN NS ns.example.net.
+SECTION ADDITIONAL
+ns.example.net. IN A 1.2.3.5
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+example.com. 3600 IN RRSIG DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854}
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+; response to query of interest
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN CNAME
+SECTION ANSWER
+www.example.com. IN CNAME www.example.net.
+www.example.com. 3600 IN RRSIG CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFGcJxnNxpWCBzXejiSdl4p1BKRMnAhUApoJrugVBRwFgAoYAhhqlZFac7fE= ;{id = 2854}
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www2.example.com. IN A
+SECTION ANSWER
+www2.example.com. 3600 IN CNAME www.example.net.
+www2.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AGgh6pDCL7VF0uJablClW7cgvsPuNzpHZ+M7nZIwi61+0RPhFZLHcN4=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+foo.test-dname.example.com. IN A
+SECTION ANSWER
+test-dname.example.com. 3600 IN DNAME example.net.
+test-dname.example.com. 3600 IN RRSIG DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ACp31Evt1c6tKzmTh/smAuGFydZ1OO26Qkej/BW4Bw5RFBQiKaY22Z0=
+foo.test-dname.example.com. 3600 IN CNAME foo.example.net.
+ENTRY_END
+RANGE_END
+
+; ns.example.net.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.5
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.net. IN NS
+SECTION ANSWER
+example.net. IN NS ns.example.net.
+example.net. 3600 IN RRSIG NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
+SECTION ADDITIONAL
+ns.example.net. IN A 1.2.3.5
+ns.example.net. 3600 IN RRSIG A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
+ENTRY_END
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.net. IN DNSKEY
+SECTION ANSWER
+example.net. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
+example.net. 3600 IN RRSIG DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
+SECTION AUTHORITY
+example.net. IN NS ns.example.net.
+example.net. 3600 IN RRSIG NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
+SECTION ADDITIONAL
+ns.example.net. IN A 1.2.3.5
+ns.example.net. 3600 IN RRSIG A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
+ENTRY_END
+
+; response to query of interest
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.net. IN A
+SECTION ANSWER
+www.example.net. IN A 11.12.13.14
+www.example.net. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.net. CPxF5hK9Kg5eT7W6LgZwr0ePYEm9HMcSY4vvqCS6gDWB4X9jvXLCfBkCLhsNybPBpGWlsLi5wM6MTdJXuPpsRA== ;{id = 30899}
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+foo.example.net. IN A
+SECTION ANSWER
+foo.example.net. IN A 11.12.13.15
+foo.example.net. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.net. X6T6SE9UzxAD/4zKpwGOxEDyE4g7lfYYw3lvw533uwRN8mWTcBvSva0/jjyhrogJcuLO32jPHK6zGb93w2xnuA==
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+foo2.example.net. IN A
+SECTION ANSWER
+foo2.example.net. IN A 11.12.13.16
+foo2.example.net. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.net. BZm+GljD8m9N+pNJN8D+LlSyHqM+InNUe0+heKILR9be+Goqv6SEb7LKtX6+kj3239Y5by7u+/Cuk8kkWistEQ==
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+STEP 1 TIME_PASSES ELAPSE 10
+; Get DNAME in cache and then pick it up again from cache.
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+foo.test-dname.example.com. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+foo.test-dname.example.com. IN A
+SECTION ANSWER
+test-dname.example.com. 3600 IN DNAME example.net.
+test-dname.example.com. 3600 IN RRSIG DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ACp31Evt1c6tKzmTh/smAuGFydZ1OO26Qkej/BW4Bw5RFBQiKaY22Z0=
+foo.test-dname.example.com. 3600 IN CNAME foo.example.net.
+foo.example.net. IN A 11.12.13.15
+foo.example.net. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.net. X6T6SE9UzxAD/4zKpwGOxEDyE4g7lfYYw3lvw533uwRN8mWTcBvSva0/jjyhrogJcuLO32jPHK6zGb93w2xnuA==
+ENTRY_END
+
+STEP 30 TIME_PASSES ELAPSE 10
+
+; Use DNAME from cache
+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+foo2.test-dname.example.com. IN A
+ENTRY_END
+
+; Test the TTL on the synthesized CNAME for the DNAME record from cache.
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+foo2.test-dname.example.com. IN A
+SECTION ANSWER
+test-dname.example.com. 3590 IN DNAME example.net.
+test-dname.example.com. 3590 IN RRSIG DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ACp31Evt1c6tKzmTh/smAuGFydZ1OO26Qkej/BW4Bw5RFBQiKaY22Z0=
+foo2.test-dname.example.com. 3590 IN CNAME foo2.example.net.
+foo2.example.net. 3600 IN A 11.12.13.16
+foo2.example.net. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.net. BZm+GljD8m9N+pNJN8D+LlSyHqM+InNUe0+heKILR9be+Goqv6SEb7LKtX6+kj3239Y5by7u+/Cuk8kkWistEQ==
+ENTRY_END
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/iter_failreply.rpl b/contrib/unbound/testdata/iter_failreply.rpl
new file mode 100644
index 000000000000..393714196d89
--- /dev/null
+++ b/contrib/unbound/testdata/iter_failreply.rpl
@@ -0,0 +1,132 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: "no"
+ minimal-responses: no
+ log-servfail: yes
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test iterator fail_reply report
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+example.com. IN NS ns2.example.net.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ns.example.com. IN AAAA ::1
+ns2.example.net. IN AAAA ::1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns2.example.net. IN A
+SECTION ANSWER
+ns2.example.net. IN A 1.2.3.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns2.example.net. IN AAAA
+SECTION ANSWER
+ns2.example.net. IN AAAA ::1
+ENTRY_END
+
+RANGE_END
+
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR SERVFAIL
+SECTION QUESTION
+ns.example.com. IN A
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR SERVFAIL
+SECTION QUESTION
+ns.example.com. IN AAAA
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 20 CHECK_OUT_QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 21 TIMEOUT
+STEP 22 TIMEOUT
+STEP 23 TIMEOUT
+STEP 24 TIMEOUT
+STEP 25 TIMEOUT
+
+STEP 31 TIMEOUT
+STEP 32 TIMEOUT
+STEP 33 TIMEOUT
+STEP 34 TIMEOUT
+
+; recursion happens here.
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/iter_ignore_empty.rpl b/contrib/unbound/testdata/iter_ignore_empty.rpl
new file mode 100644
index 000000000000..4b2f695b8501
--- /dev/null
+++ b/contrib/unbound/testdata/iter_ignore_empty.rpl
@@ -0,0 +1,248 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: "no"
+ minimal-responses: no
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test ignore of an empty response.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+example.com. IN NS ns2.example2.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example2.com. IN NS
+SECTION AUTHORITY
+example2.com. IN NS ns2.example2.com.
+SECTION ADDITIONAL
+ns2.example2.com. IN A 1.2.3.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+foo.com. IN NS
+SECTION AUTHORITY
+foo.com. IN NS ns.foo.com.
+SECTION ADDITIONAL
+ns.foo.com. IN A 1.2.3.5
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. IN NS ns.example.com.
+example.com. IN NS ns2.example.net.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.example.com. IN A
+SECTION ANSWER
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.example.com. IN AAAA
+SECTION AUTHORITY
+example.com. IN SOA ns root 4 14400 3600 604800 3600
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+; ns2.example2.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.5
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example2.com. IN NS
+SECTION ANSWER
+example2.com. IN NS ns2.example2.com.
+SECTION ADDITIONAL
+ns2.example2.com. IN A 1.2.3.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns2.example2.com. IN A
+SECTION ANSWER
+ns2.example2.com. IN A 1.2.3.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns2.example2.com. IN AAAA
+SECTION AUTHORITY
+example2.com. IN SOA ns2 root 4 14400 3600 604800 3600
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+ENTRY_END
+
+; foo.com
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.foo.com. IN A
+SECTION ANSWER
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.foo.com. IN AAAA
+SECTION ANSWER
+SECTION AUTHORITY
+;foo.com. IN SOA ns2.foo.com root.foo.com 4 14400 3600 604800 3600
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+ENTRY_END
+
+; wait for pending nameserver lookups.
+STEP 20 TRAFFIC
+
+; Test that a nodata stays a nodata.
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.foo.com. IN A
+ENTRY_END
+
+STEP 40 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.foo.com. IN A
+SECTION ANSWER
+ENTRY_END
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/iter_nat64.rpl b/contrib/unbound/testdata/iter_nat64.rpl
new file mode 100644
index 000000000000..dde0a25596c1
--- /dev/null
+++ b/contrib/unbound/testdata/iter_nat64.rpl
@@ -0,0 +1,117 @@
+; config options
+server:
+ do-nat64: yes
+ target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+ name: "."
+ stub-addr: 2001:db8::1
+CONFIG_END
+
+SCENARIO_BEGIN Test NAT64 transport for a v4-only server.
+
+RANGE_BEGIN 0 100
+ ADDRESS 2001:db8::1
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS FAKE.ROOT.
+SECTION ADDITIONAL
+FAKE.ROOT. IN AAAA 2001:db8::1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+v4only. IN NS
+SECTION AUTHORITY
+v4only. IN NS ns.v4only.
+SECTION ADDITIONAL
+ns.v4only. IN A 192.0.2.1
+ENTRY_END
+
+RANGE_END
+
+; replies from NS over "NAT64"
+
+RANGE_BEGIN 0 100
+ ADDRESS 64:ff9b::c000:0201
+
+; A over NAT64
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+ns.v4only. IN A
+SECTION ANSWER
+ns.v4only. IN A 192.0.2.1
+SECTION AUTHORITY
+v4only. IN NS ns.v4only.
+ENTRY_END
+
+; no AAAA
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+ns.v4only. IN AAAA
+SECTION AUTHORITY
+v4only. IN NS ns.v4only.
+SECTION ADDITIONAL
+ns.v4only. IN A 192.0.2.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+v4only. IN NS
+SECTION ANSWER
+v4only. IN NS ns.v4only.
+SECTION ADDITIONAL
+ns.v4only. IN A 192.0.2.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+test.v4only. IN A
+SECTION ANSWER
+test.v4only. IN A 192.0.2.2
+SECTION AUTHORITY
+v4only. IN NS ns.v4only.
+SECTION ADDITIONAL
+ns.v4only. IN A 192.0.2.1
+ENTRY_END
+
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test.v4only. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+test.v4only. IN A
+SECTION ANSWER
+test.v4only. IN A 192.0.2.2
+ENTRY_END
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/iter_nat64_prefix.rpl b/contrib/unbound/testdata/iter_nat64_prefix.rpl
new file mode 100644
index 000000000000..ecb6508dcf55
--- /dev/null
+++ b/contrib/unbound/testdata/iter_nat64_prefix.rpl
@@ -0,0 +1,119 @@
+; config options
+server:
+ do-nat64: yes
+ nat64-prefix: 2001:db8:1234::/96
+ target-fetch-policy: "0 0 0 0 0"
+ do-ip4: no
+
+stub-zone:
+ name: "."
+ stub-addr: 2001:db8::1
+CONFIG_END
+
+SCENARIO_BEGIN Test NAT64 transport for a v4-only server, custom NAT64 prefix.
+
+RANGE_BEGIN 0 100
+ ADDRESS 2001:db8::1
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS FAKE.ROOT.
+SECTION ADDITIONAL
+FAKE.ROOT. IN AAAA 2001:db8::1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+v4only. IN NS
+SECTION AUTHORITY
+v4only. IN NS ns.v4only.
+SECTION ADDITIONAL
+ns.v4only. IN A 192.0.2.1
+ENTRY_END
+
+RANGE_END
+
+; replies from NS over "NAT64"
+
+RANGE_BEGIN 0 100
+ ADDRESS 2001:db8:1234::c000:0201
+
+; A over NAT64
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+ns.v4only. IN A
+SECTION ANSWER
+ns.v4only. IN A 192.0.2.1
+SECTION AUTHORITY
+v4only. IN NS ns.v4only.
+ENTRY_END
+
+; no AAAA
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+ns.v4only. IN AAAA
+SECTION AUTHORITY
+v4only. IN NS ns.v4only.
+SECTION ADDITIONAL
+ns.v4only. IN A 192.0.2.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+v4only. IN NS
+SECTION ANSWER
+v4only. IN NS ns.v4only.
+SECTION ADDITIONAL
+ns.v4only. IN A 192.0.2.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+test.v4only. IN A
+SECTION ANSWER
+test.v4only. IN A 192.0.2.2
+SECTION AUTHORITY
+v4only. IN NS ns.v4only.
+SECTION ADDITIONAL
+ns.v4only. IN A 192.0.2.1
+ENTRY_END
+
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test.v4only. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+test.v4only. IN A
+SECTION ANSWER
+test.v4only. IN A 192.0.2.2
+ENTRY_END
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/iter_nat64_prefix48.rpl b/contrib/unbound/testdata/iter_nat64_prefix48.rpl
new file mode 100644
index 000000000000..e7c32e8ffc6a
--- /dev/null
+++ b/contrib/unbound/testdata/iter_nat64_prefix48.rpl
@@ -0,0 +1,118 @@
+; config options
+server:
+ do-nat64: yes
+ nat64-prefix: 2001:db8:2345::/48
+ target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+ name: "."
+ stub-addr: 2001:db8::1
+CONFIG_END
+
+SCENARIO_BEGIN Test NAT64 transport, this time with /48 NAT64 prefix.
+
+RANGE_BEGIN 0 100
+ ADDRESS 2001:db8::1
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS FAKE.ROOT.
+SECTION ADDITIONAL
+FAKE.ROOT. IN AAAA 2001:db8::1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+v4only. IN NS
+SECTION AUTHORITY
+v4only. IN NS ns.v4only.
+SECTION ADDITIONAL
+ns.v4only. IN A 192.0.2.1
+ENTRY_END
+
+RANGE_END
+
+; replies from NS over "NAT64"
+
+RANGE_BEGIN 0 100
+ ADDRESS 2001:db8:2345:c000:0002:0100::
+
+; A over NAT64
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+ns.v4only. IN A
+SECTION ANSWER
+ns.v4only. IN A 192.0.2.1
+SECTION AUTHORITY
+v4only. IN NS ns.v4only.
+ENTRY_END
+
+; no AAAA
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+ns.v4only. IN AAAA
+SECTION AUTHORITY
+v4only. IN NS ns.v4only.
+SECTION ADDITIONAL
+ns.v4only. IN A 192.0.2.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+v4only. IN NS
+SECTION ANSWER
+v4only. IN NS ns.v4only.
+SECTION ADDITIONAL
+ns.v4only. IN A 192.0.2.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+test.v4only. IN A
+SECTION ANSWER
+test.v4only. IN A 192.0.2.2
+SECTION AUTHORITY
+v4only. IN NS ns.v4only.
+SECTION ADDITIONAL
+ns.v4only. IN A 192.0.2.1
+ENTRY_END
+
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test.v4only. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+test.v4only. IN A
+SECTION ANSWER
+test.v4only. IN A 192.0.2.2
+ENTRY_END
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/iter_scrub_rr_length.rpl b/contrib/unbound/testdata/iter_scrub_rr_length.rpl
new file mode 100644
index 000000000000..2ef73c2fe152
--- /dev/null
+++ b/contrib/unbound/testdata/iter_scrub_rr_length.rpl
@@ -0,0 +1,298 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: "no"
+ minimal-responses: no
+ rrset-roundrobin: no
+ ede: yes
+ log-servfail: yes
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test scrub of RRs of inappropriate length
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 200
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 200
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 200
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+www.example.com. IN A \# 3 030405
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.example.com. IN AAAA
+SECTION ANSWER
+www.example.com. IN AAAA 2001:db8::1234
+www.example.com. IN AAAA \# 48 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+broken1.example.com. IN A
+SECTION ANSWER
+broken1.example.com. IN A \# 3 030405
+broken1.example.com. IN A \# 3 030406
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+broken1.example.com. IN AAAA
+SECTION ANSWER
+broken1.example.com. IN AAAA \# 48 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F
+broken1.example.com. IN AAAA \# 48 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E30
+broken1.example.com. IN AAAA \# 48 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E31
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+broken2.example.com. IN A
+SECTION ANSWER
+broken2.example.com. IN A 1.2.3.4
+broken2.example.com. IN A \# 3 030405
+broken2.example.com. IN A 1.2.3.5
+broken2.example.com. IN A \# 3 030406
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A \# 3 030407
+ns.example.com. IN A 1.2.3.6
+ns.example.com. IN A \# 3 030408
+ns.example.com. IN A \# 3 030409
+ns.example.com. IN A 1.2.3.7
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN AAAA
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN AAAA
+SECTION ANSWER
+www.example.com. IN AAAA 2001:db8::1234
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+broken1.example.com. IN A
+ENTRY_END
+
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+broken1.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+STEP 60 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+broken1.example.com. IN AAAA
+ENTRY_END
+
+STEP 70 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+broken1.example.com. IN AAAA
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+STEP 80 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+broken2.example.com. IN A
+ENTRY_END
+
+STEP 90 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+broken2.example.com. IN A
+SECTION ANSWER
+broken2.example.com. IN A 1.2.3.4
+broken2.example.com. IN A 1.2.3.5
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.6
+ns.example.com. IN A 1.2.3.7
+ENTRY_END
+
+STEP 100 QUERY
+ENTRY_BEGIN
+REPLY RD CD DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 110 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=0
+REPLY QR RD CD RA DO NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.6
+ns.example.com. IN A 1.2.3.7
+ENTRY_END
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/ratelimit.tdir/ratelimit.dsc b/contrib/unbound/testdata/ratelimit.tdir/ratelimit.dsc
deleted file mode 100644
index abd5307c79ef..000000000000
--- a/contrib/unbound/testdata/ratelimit.tdir/ratelimit.dsc
+++ /dev/null
@@ -1,16 +0,0 @@
-BaseName: ratelimit
-Version: 1.0
-Description: Test ratelimit.
-CreationDate: Sun Jan 30 00:40:00 CET 2022
-Maintainer: Yorgos Thessalonikefs
-Category:
-Component:
-CmdDepends:
-Depends:
-Help:
-Pre: ratelimit.pre
-Post: ratelimit.post
-Test: ratelimit.test
-AuxFiles:
-Passed:
-Failure:
diff --git a/contrib/unbound/testdata/ratelimit.tdir/ratelimit.test b/contrib/unbound/testdata/ratelimit.tdir/ratelimit.test
deleted file mode 100644
index cc14717405c6..000000000000
--- a/contrib/unbound/testdata/ratelimit.tdir/ratelimit.test
+++ /dev/null
@@ -1,183 +0,0 @@
-# #-- ratelimit.test --#
-# source the master var file when it's there
-[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
-# use .tpkg.var.test for in test variable passing
-[ -f .tpkg.var.test ] && source .tpkg.var.test
-
-PRE="../.."
-. ../common.sh
-
-get_make
-(cd $PRE; $MAKE streamtcp)
-
-# These tests rely on second time precision. To combat false negatives the
-# tests run multiple times and we allow 1/3 of the runs to fail.
-total_runs=6
-success_threshold=4 # 2/3*total_runs
-
-successes=0
-echo "> Three parallel queries"
-# For this test we send three parallel queries and we expect only one of them
-# to be allowed through each second.
-for i in $(seq 1 $total_runs); do
- $PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1
- if test "$?" -ne 0; then
- echo "exit status not OK"
- echo "> cat logfiles"
- cat outfile
- cat unbound.log
- echo "Not OK"
- exit 1
- fi
- cat outfile
- if test `grep "rcode: SERVFAIL" outfile | wc -l` -eq 2; then
- ((successes++))
- fi
- # We don't have to wait for all the runs to complete if we know
- # we passed the threshold.
- if test $successes -ge $success_threshold; then
- break
- fi
- sleep 1
-done
-if test $successes -ge $success_threshold; then
- echo "Number of ratelimited queries OK for three parallel queries"
-else
- echo "Number of ratelimited queries not OK for three parallel queries"
- echo "> cat logfiles"
- cat outfile
- cat unbound.log
- echo "Number of ratelimited queries not OK for three parallel queries"
- exit 1
-fi
-
-echo "> Activating ratelimit-factor"
-echo "$PRE/unbound-control -c ub.conf set_option ratelimit-factor: 3"
-$PRE/unbound-control -c ub.conf set_option ratelimit-factor: 3
-if test $? -ne 0; then
- echo "wrong exit value after success"
- exit 1
-fi
-
-slipped_through=0
-echo "> Three parallel queries with ratelimit-factor"
-# For this test we send three parallel queries and we expect at least two of
-# them to be allowed through at a given second; one from the ratelimit itself
-# and one from the ratelimit-factor.
-for i in {1..10}; do
- $PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1
- if test "$?" -ne 0; then
- echo "exit status not OK"
- echo "> cat logfiles"
- cat outfile
- cat unbound.log
- echo "Not OK"
- exit 1
- fi
- cat outfile
- if test `grep "rcode: SERVFAIL" outfile | wc -l` -lt 2; then
- slipped_through=1
- break
- fi
- sleep 2
-done
-if test $slipped_through -eq 0; then
- echo "ratelimit-factor did not work"
- echo "> cat logfiles"
- cat outfile
- cat unbound.log
- echo "ratelimit-factor did not work"
- exit 1
-fi
-echo "ratelimit-factor OK"
-
-echo "> Disabling ratelimit-factor"
-echo "$PRE/unbound-control -c ub.conf set_option ratelimit-factor: 0"
-$PRE/unbound-control -c ub.conf set_option ratelimit-factor: 0
-if test $? -ne 0; then
- echo "wrong exit value after success"
- exit 1
-fi
-echo "> Activating ratelimit-backoff"
-echo "$PRE/unbound-control -c ub.conf set_option ratelimit-backoff: yes"
-$PRE/unbound-control -c ub.conf set_option ratelimit-backoff: yes
-if test $? -ne 0; then
- echo "wrong exit value after success"
- exit 1
-fi
-
-successes=0
-echo "> Three parallel queries with backoff"
-# For this test we send three parallel queries. The ratelimit should be reached
-# for that second. Then for the next second we again send three parallel
-# queries and we expect none of them to be allowed through because of the
-# backoff logic that keeps rolling the RATE_WINDOW based on demand.
-for i in $(seq 1 $total_runs); do
- $PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1
- if test "$?" -ne 0; then
- echo "exit status not OK"
- echo "> cat logfiles"
- cat outfile
- cat unbound.log
- echo "Not OK"
- exit 1
- fi
- sleep 1 # Limit is reached; it should also be active for the next second
- $PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1
- if test "$?" -ne 0; then
- echo "exit status not OK"
- echo "> cat logfiles"
- cat outfile
- cat unbound.log
- echo "Not OK"
- exit 1
- fi
- cat outfile
- if test `grep "rcode: SERVFAIL" outfile | wc -l` -eq 3; then
- ((successes++))
- fi
- # We don't have to wait for all the runs to complete if we know
- # we passed the threshold.
- if test $successes -ge $success_threshold; then
- break
- fi
-done
-
-if test $successes -ge $success_threshold; then
- echo "three parallel queries with backoff OK"
-else
- echo "Number of ratelimited queries not OK for three parallel queries with backoff"
- echo "> cat logfiles"
- cat outfile
- cat unbound.log
- echo "Number of ratelimited queries not OK for three parallel queries with backoff"
- exit 1
-fi
-
-echo "> Three parallel queries after backoff RATE_WINDOW"
-sleep 3 # Make sure the RATE_WINDOW is renewed
-# For this test we make three parallel queries after the RATE_WINDOW has passed
-# without any new demand and we expect at least one query to pass through. This
-# is to check that the backoff logic does not insist on past (outside of
-# RATE_WINDOW) limits.
-$PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1
-if test "$?" -ne 0; then
- echo "exit status not OK"
- echo "> cat logfiles"
- cat outfile
- cat unbound.log
- echo "Not OK"
- exit 1
-fi
-cat outfile
-if test `grep "rcode: NOERROR" outfile | wc -l` -gt 0; then
- echo "Number of ratelimited queries OK for three parallel queries after backoff RATE_WINDOW"
-else
- echo "Number of ratelimited queries not OK for three parallel queries after backoff RATE_WINDOW"
- echo "> cat logfiles"
- cat outfile
- cat unbound.log
- echo "Number of ratelimited queries not OK for three parallel queries after backoff RATE_WINDOW"
- exit 1
-fi
-exit 0
diff --git a/contrib/unbound/testdata/ratelimit.tdir/ratelimit.testns b/contrib/unbound/testdata/ratelimit.tdir/ratelimit.testns
deleted file mode 100644
index 673bd15a598b..000000000000
--- a/contrib/unbound/testdata/ratelimit.tdir/ratelimit.testns
+++ /dev/null
@@ -1,13 +0,0 @@
-; nameserver test file
-$ORIGIN example.com.
-$TTL 3600
-
-ENTRY_BEGIN
-MATCH opcode qtype
-REPLY QR AA NOERROR
-ADJUST copy_id copy_query
-SECTION QUESTION
-wild IN A
-SECTION ANSWER
-wild IN A 10.20.30.40
-ENTRY_END
diff --git a/contrib/unbound/testdata/ratelimit.tdir/unbound_control.key b/contrib/unbound/testdata/ratelimit.tdir/unbound_control.key
deleted file mode 100644
index 753a4ef6162e..000000000000
--- a/contrib/unbound/testdata/ratelimit.tdir/unbound_control.key
+++ /dev/null
@@ -1,39 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIG4gIBAAKCAYEAstEp+Pyh8XGrtZ77A4FhYjvbeB3dMa7Q2rGWxobzlA9przhA
-1aChAvUtCOAuM+rB6NTNB8YWfZJbQHawyMNpmC77cg6vXLYCGUQHZyAqidN049RJ
-F5T7j4N8Vniv17LiRdr0S6swy4PRvEnIPPV43EQHZqC5jVvHsKkhIfmBF/Dj5TXR
-ypeawWV/m5jeU6/4HRYMfytBZdO1mPXuWLh0lgbQ4SCbgrOUVD3rniMk1yZIbQOm
-vlDHYqekjDb/vOW2KxUQLG04aZMJ1mWfdbwG0CKQkSjISEDZ1l76vhM6mTM0fwXb
-IvyFZ9yPPCle1mF5aSlxS2cmGuGVSRQaw8XF9fe3a9ACJJTr33HdSpyaZkKRAUzL
-cKqLCl323daKv3NwwAT03Tj4iQM416ASMoiyfFa/2GWTKQVjddu8Crar7tGaf5xr
-lig4DBmrBvdYA3njy72/RD71hLwmlRoCGU7dRuDr9O6KASUm1Ri91ONZ/qdjMvov
-15l2vj4GV+KXR00dAgMBAAECggGAHepIL1N0dEQkCdpy+/8lH54L9WhpnOo2HqAf
-LU9eaKK7d4jdr9+TkD8cLaPzltPrZNxVALvu/0sA4SP6J1wpyj/x6P7z73qzly5+
-Xo5PD4fEwmi9YaiW/UduAblnEZrnp/AddptJKoL/D5T4XtpiQddPtael4zQ7kB57
-YIexRSQTvEDovA/o3/nvA0TrzOxfgd4ycQP3iOWGN/TMzyLsvjydrUwbOB567iz9
-whL3Etdgvnwh5Sz2blbFfH+nAR8ctvFFz+osPvuIVR21VMEI6wm7kTpSNnQ6sh/c
-lrLb/bTADn4g7z/LpIZJ+MrLvyEcoqValrLYeFBhM9CV8woPxvkO2P3pU47HVGax
-tC7GV6a/kt5RoKFd/TNdiA3OC7NGZtaeXv9VkPf4fVwBtSO9d5ZZXTGEynDD/rUQ
-U4KFJe6OD23APjse08HiiKqTPhsOneOONU67iqoaTdIkT2R4EdlkVEDpXVtWb+G9
-Q+IqYzVljlzuyHrhWXLJw/FMa2aBAoHBAOnZbi4gGpH+P6886WDWVgIlTccuXoyc
-Mg9QQYk9UDeXxL0AizR5bZy49Sduegz9vkHpAiZARQsUnizHjZ8YlRcrmn4t6tx3
-ahTIKAjdprnxJfYINM580j8CGbXvX5LhIlm3O267D0Op+co3+7Ujy+cjsIuFQrP+
-1MqMgXSeBjzC1APivmps7HeFE+4w0k2PfN5wSMDNCzLo99PZuUG5XZ93OVOS5dpN
-b+WskdcD8NOoJy/X/5A08veEI/jYO/DyqQKBwQDDwUQCOWf41ecvJLtBHKmEnHDz
-ftzHino9DRKG8a9XaN4rmetnoWEaM2vHGX3pf3mwH+dAe8vJdAQueDhBKYeEpm6C
-TYNOpou1+Zs5s99BilCTNYo8fkMOAyqwRwmz9zgHS6QxXuPwsghKefLJGt6o6RFF
-tfWVTfLlYJ+I3GQe3ySsk3wjVz4oUTKiyiq5+KzD+HhEkS7u+RQ7Z0ZI2xd2cF8Y
-aN2hjKDpcOiFf3CDoqka5D1qMNLgIHO52AHww1UCgcA1h7o7AMpURRka6hyaODY0
-A4oMYEbwdQjYjIyT998W+rzkbu1us6UtzQEBZ760npkgyU/epbOoV63lnkCC/MOU
-LD0PST+L/CHiY/cWIHb79YG1EifUZKpUFg0Aoq0EGFkepF0MefGCkbRGYA5UZr9U
-R80wAu9D+L+JJiS0J0BSRF74DL196zUuHt5zFeXuLzxsRtPAnq9DliS08BACRYZy
-7H3I7cWD9Vn5/0jbKWHFcaaWwyETR6uekTcSzZzbCRECgcBeoE3/xUA9SSk34Mmj
-7/cB4522Ft0imA3+9RK/qJTZ7Bd5fC4PKjOGNtUiqW/0L2rjeIiQ40bfWvWqgPKw
-jSK1PL6uvkl6+4cNsFsYyZpiVDoe7wKju2UuoNlB3RUTqa2r2STFuNj2wRjA57I1
-BIgdnox65jqQsd14g/yaa+75/WP9CE45xzKEyrtvdcqxm0Pod3OrsYK+gikFjiar
-kT0GQ8u0QPzh2tjt/2ZnIfOBrl+QYERP0MofDZDjhUdq2wECgcB0Lu841+yP5cdR
-qbJhXO4zJNh7oWNcJlOuQp3ZMNFrA1oHpe9pmLukiROOy01k9WxIMQDzU5GSqRv3
-VLkYOIcbhJ3kClKAcM3j95SkKbU2H5/RENb3Ck52xtl4pNU1x/3PnVFZfDVuuHO9
-MZ9YBcIeK98MyP2jr5JtFKnOyPE7xKq0IHIhXadpbc2wjje5FtZ1cUtMyEECCXNa
-C1TpXebHGyXGpY9WdWXhjdE/1jPvfS+uO5WyuDpYPr339gsdq1g=
------END RSA PRIVATE KEY-----
diff --git a/contrib/unbound/testdata/ratelimit.tdir/unbound_control.pem b/contrib/unbound/testdata/ratelimit.tdir/unbound_control.pem
deleted file mode 100644
index a1edf7017f1d..000000000000
--- a/contrib/unbound/testdata/ratelimit.tdir/unbound_control.pem
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDszCCAhsCFGD5193whHQ2bVdzbaQfdf1gc4SkMA0GCSqGSIb3DQEBCwUAMBIx
-EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjMwWhcNNDAwMzI1MTMzMjMw
-WjAaMRgwFgYDVQQDDA91bmJvdW5kLWNvbnRyb2wwggGiMA0GCSqGSIb3DQEBAQUA
-A4IBjwAwggGKAoIBgQCy0Sn4/KHxcau1nvsDgWFiO9t4Hd0xrtDasZbGhvOUD2mv
-OEDVoKEC9S0I4C4z6sHo1M0HxhZ9kltAdrDIw2mYLvtyDq9ctgIZRAdnICqJ03Tj
-1EkXlPuPg3xWeK/XsuJF2vRLqzDLg9G8Scg89XjcRAdmoLmNW8ewqSEh+YEX8OPl
-NdHKl5rBZX+bmN5Tr/gdFgx/K0Fl07WY9e5YuHSWBtDhIJuCs5RUPeueIyTXJkht
-A6a+UMdip6SMNv+85bYrFRAsbThpkwnWZZ91vAbQIpCRKMhIQNnWXvq+EzqZMzR/
-Bdsi/IVn3I88KV7WYXlpKXFLZyYa4ZVJFBrDxcX197dr0AIklOvfcd1KnJpmQpEB
-TMtwqosKXfbd1oq/c3DABPTdOPiJAzjXoBIyiLJ8Vr/YZZMpBWN127wKtqvu0Zp/
-nGuWKDgMGasG91gDeePLvb9EPvWEvCaVGgIZTt1G4Ov07ooBJSbVGL3U41n+p2My
-+i/XmXa+PgZX4pdHTR0CAwEAATANBgkqhkiG9w0BAQsFAAOCAYEAd++Wen6l8Ifj
-4h3p/y16PhSsWJWuJ4wdNYy3/GM84S26wGjzlEEwiW76HpH6VJzPOiBAeWnFKE83
-hFyetEIxgJeIPbcs9ZP/Uoh8GZH9tRISBSN9Hgk2Slr9llo4t1H0g/XTgA5HqMQU
-9YydlBh43G7Vw3FVwh09OM6poNOGQKNc/tq2/QdKeUMtyBbLWpRmjH5XcCT35fbn
-ZiVOUldqSHD4kKrFO4nJYXZyipRbcXybsLiX9GP0GLemc3IgIvOXyJ2RPp06o/SJ
-pzlMlkcAfLJaSuEW57xRakhuNK7m051TKKzJzIEX+NFYOVdafFHS8VwGrYsdrFvD
-72tMfu+Fu55y3awdWWGc6YlaGogZiuMnJkvQphwgn+5qE/7CGEckoKEsH601rqIZ
-muaIc85+nEcHJeijd/ZlBN9zeltjFoMuqTUENgmv8+tUAdVm/UMY9Vjme6b43ydP
-uv6DS02+k9z8toxXworLiPr94BGaiGV1NxgwZKLZigYJt/Fi2Qte
------END CERTIFICATE-----
diff --git a/contrib/unbound/testdata/ratelimit.tdir/unbound_server.key b/contrib/unbound/testdata/ratelimit.tdir/unbound_server.key
deleted file mode 100644
index 370a7bbb2f22..000000000000
--- a/contrib/unbound/testdata/ratelimit.tdir/unbound_server.key
+++ /dev/null
@@ -1,39 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIG5AIBAAKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI
-0x41iG32a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+Nqq
-GRS7XVQ24vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Z
-uh9MDgotaBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8K
-WaBe1ca4TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5
-FzUReSXZuTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xP
-q6O9UPj4+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XL
-A5UoZgRzXgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP
-7kFZSngxdy1+A/bNAgMBAAECggGBALpTOIqQwVg4CFBylL/a8K1IWJTI/I65sklf
-XxYL7G7SB2HlEJ//z+E+F0+S4Vlao1vyLQ5QkgE82pAUB8FoMWvY1qF0Y8A5wtm6
-iZSGk4OLK488ZbT8Ii9i+AGKgPe2XbVxsJwj8N4k7Zooqec9hz73Up8ATEWJkRz7
-2u7oMGG4z91E0PULA64dOi3l/vOQe5w/Aa+CwVbAWtI05o7kMvQEBMDJn6C7CByo
-MB5op9wueJMnz7PM7hns+U7Dy6oE4ljuolJUy51bDzFWwoM54cRoQqLFNHd8JVQj
-WxldCkbfF43iyprlsEcUrTyUjtdA+ZeiG39vg/mtdmgNpGmdupHJZQvSuG8IcVlz
-O+eMSeQS1QXPD6Ik8UK4SU0h+zOl8xIWtRrsxQuh4fnTN40udm/YUWl/6gOebsBI
-IrVLlKGqJSfB3tMjpCRqdTzJ0dA9keVpkqm2ugZkxEf1+/efq/rFIQ2pUBLCqNTN
-qpNqruK8y8FphP30I2uI4Ej2UIB8AQKBwQDd2Yptj2FyDyaXCycsyde0wYkNyzGU
-dRnzdibfHnMZwjgTjwAwgIUBVIS8H0/z7ZJQKN7osJfddMrtjJtYYUk9g/dCpHXs
-bNh2QSoWah3FdzNGuWd0iRf9+LFxhjAAMo/FS8zFJAJKrFsBdCGTfFUMdsLC0bjr
-YjiWBuvV72uKf8XIZX5KIZruKdWBBcWukcb21R1UDyFYyXRBsly5XHaIYKZql3km
-7pV7MKWO0IYgHbHIqGUqPQlzZ/lkunS1jKECgcEA23wHffD6Ou9/x3okPx2AWpTr
-gh8rgqbyo6hQkBW5Y90Wz824cqaYebZDaBR/xlVx/YwjKkohv8Bde2lpH/ZxRZ1Z
-5Sk2s6GJ/vU0L9RsJZgCgj4L6Coal1NMxuZtCXAlnOpiCdxSZgfqbshbTVz30KsG
-ZJG361Cua1ScdAHxlZBxT52/1Sm0zRC2hnxL7h4qo7Idmtzs40LAJvYOKekR0pPN
-oWeJfra7vgx/jVNvMFWoOoSLpidVO4g+ot4ery6tAoHAdW3rCic1C2zdnmH28Iw+
-s50l8Lk3mz+I5wgJd1zkzCO0DxZIoWPGA3g7cmCYr6N3KRsZMs4W9NAXgjpFGDkW
-zYsG3K21BdpvkdjYcFjnPVjlOXB2RIc0vehf9Jl02wXoeCSxVUDEPcaRvWk9RJYx
-ZpGOchUU7vNkxHURbIJ4yCzuAi9G8/Jp0dsu+kaV5tufF5SjG5WOrzKjaQsCbdN1
-oqaWMCHRrTvov/Z2C+xwsptFOdN5CSyZzg6hQiI4GMlBAoHAXyb6KINcOEi0YMp3
-BFXJ23tMTnEs78tozcKeipigcsbaqORK3omS+NEnj+uzKUzJyl4CsMbKstK2tFYS
-mSTCHqgE3PBtIpsZtEqhgUraR8IK9GPpzZDTTl9ynZgwFTNlWw3RyuyVXF56J+T8
-kCGJ3hEHCHqT/ZRQyX85BKIDFhA0z4tYKxWVqIFiYBNq56R0X9tMMmMs36mEnF93
-7Ht6mowxTZQRa7nU0qOgeKh/P7ki4Zus3y+WJ+T9IqahLtlRAoHBAIhqMrcxSAB8
-RpB9jukJlAnidw2jCMPgrFE8tP0khhVvGrXMldxAUsMKntDIo8dGCnG1KTcWDI0O
-jepvSPHSsxVLFugL79h0eVIS5z4huW48i9xgU8VlHdgAcgEPIAOFcOw2BCu/s0Vp
-O+MM/EyUOdo3NsibB3qc/GJI6iNBYS7AljYEVo6rXo5V/MZvZUF4vClen6Obzsre
-MTTb+4sJjfqleWuvr1XNMeu2mBfXBQkWGZP1byBK0MvD/aQ2PWq92A==
------END RSA PRIVATE KEY-----
diff --git a/contrib/unbound/testdata/ratelimit.tdir/unbound_server.pem b/contrib/unbound/testdata/ratelimit.tdir/unbound_server.pem
deleted file mode 100644
index 986807310f2b..000000000000
--- a/contrib/unbound/testdata/ratelimit.tdir/unbound_server.pem
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDqzCCAhMCFBHWXeQ6ZIa9QcQbXLFfC6tj+KA+MA0GCSqGSIb3DQEBCwUAMBIx
-EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjI5WhcNNDAwMzI1MTMzMjI5
-WjASMRAwDgYDVQQDDAd1bmJvdW5kMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIB
-igKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI0x41iG32
-a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+NqqGRS7XVQ2
-4vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Zuh9MDgot
-aBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8KWaBe1ca4
-TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5FzUReSXZ
-uTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xPq6O9UPj4
-+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XLA5UoZgRz
-XgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP7kFZSngx
-dy1+A/bNAgMBAAEwDQYJKoZIhvcNAQELBQADggGBABunf93MKaCUHiZgnoOTinsW
-84/EgInrgtKzAyH+BhnKkJOhhR0kkIAx5d9BpDlaSiRTACFon9moWCgDIIsK/Ar7
-JE0Kln9cV//wiiNoFU0O4mnzyGUIMvlaEX6QHMJJQYvL05+w/3AAcf5XmMJtR5ca
-fJ8FqvGC34b2WxX9lTQoyT52sRt+1KnQikiMEnEyAdKktMG+MwKsFDdOwDXyZhZg
-XZhRrfX3/NVJolqB6EahjWIGXDeKuSSKZVtCyib6LskyeMzN5lcRfvubKDdlqFVF
-qlD7rHBsKhQUWK/IO64mGf7y/de+CgHtED5vDvr/p2uj/9sABATfbrOQR3W/Of25
-sLBj4OEfrJ7lX8hQgFaxkMI3x6VFT3W8dTCp7xnQgb6bgROWB5fNEZ9jk/gjSRmD
-yIU+r0UbKe5kBk/CmZVFXL2TyJ92V5NYEQh8V4DGy19qZ6u/XKYyNJL4ocs35GGe
-CA8SBuyrmdhx38h1RHErR2Skzadi1S7MwGf1y431fQ==
------END CERTIFICATE-----
diff --git a/contrib/unbound/testdata/root_zonemd.tdir/root_zonemd.conf b/contrib/unbound/testdata/root_zonemd.tdir/root_zonemd.conf
new file mode 100644
index 000000000000..befb4fbe97b3
--- /dev/null
+++ b/contrib/unbound/testdata/root_zonemd.tdir/root_zonemd.conf
@@ -0,0 +1,34 @@
+server:
+ verbosity: 7
+ # num-threads: 1
+ interface: 127.0.0.1
+ port: @PORT@
+ use-syslog: no
+ directory: ""
+ pidfile: "unbound.pid"
+ chroot: ""
+ username: ""
+ do-not-query-localhost: no
+ # for the test, so that DNSSEC verification works.
+ #val-override-date: 20230929090000
+ trust-anchor: ". DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D"
+
+remote-control:
+ control-enable: yes
+ control-interface: @CONTROL_PATH@/controlpipe.@CONTROL_PID@
+ control-use-cert: no
+
+# for the test, an upstream server in the test setup.
+stub-zone:
+ name: "."
+ stub-addr: 127.0.0.1@@TOPORT@
+
+# hyperlocal root zone
+auth-zone:
+ name: "."
+ fallback-enabled: yes
+ for-downstream: no
+ for-upstream: yes
+ zonefile: "root.zone"
+ zonemd-check: yes
+ zonemd-reject-absence: yes
diff --git a/contrib/unbound/testdata/root_zonemd.tdir/root_zonemd.dsc b/contrib/unbound/testdata/root_zonemd.tdir/root_zonemd.dsc
new file mode 100644
index 000000000000..8015ac2d13ad
--- /dev/null
+++ b/contrib/unbound/testdata/root_zonemd.tdir/root_zonemd.dsc
@@ -0,0 +1,16 @@
+BaseName: root_zonemd
+Version: 1.0
+Description: ZONEMD check for root zone
+CreationDate: Fri 29 Sep 09:00:00 CEST 2023
+Maintainer: dr. W.C.A. Wijngaards
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: root_zonemd.pre
+Post: root_zonemd.post
+Test: root_zonemd.test
+AuxFiles:
+Passed:
+Failure:
diff --git a/contrib/unbound/testdata/zonemd_reload.tdir/zonemd_reload.post b/contrib/unbound/testdata/root_zonemd.tdir/root_zonemd.post
index 5e315088a097..a28599fafe7a 100644
--- a/contrib/unbound/testdata/zonemd_reload.tdir/zonemd_reload.post
+++ b/contrib/unbound/testdata/root_zonemd.tdir/root_zonemd.post
@@ -1,4 +1,4 @@
-# #-- zonemd_reload.post --#
+# #-- root_zonemd.post --#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# source the test var file when it's there
diff --git a/contrib/unbound/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.pre b/contrib/unbound/testdata/root_zonemd.tdir/root_zonemd.pre
index 2bca63b9d56b..fe369bb20bbb 100644
--- a/contrib/unbound/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.pre
+++ b/contrib/unbound/testdata/root_zonemd.tdir/root_zonemd.pre
@@ -1,10 +1,25 @@
-# #-- stub_udp_with_tcp_upstream.pre--#
+# #-- root_zonemd.pre--#
# source the master var file when it's there
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
# use .tpkg.var.test for in test variable passing
[ -f .tpkg.var.test ] && source .tpkg.var.test
+
. ../common.sh
+# attempt to download the root zone
+from=k.root-servers.net
+dig @$from . AXFR > root.txt
+if test $? -ne 0; then
+ echo "could not fetch root zone"
+ skip_test "could not fetch root zone"
+fi
+grep " SOA " root.txt | head -1 > root.soa
+cat root.soa >> root.zone
+grep -v " SOA " root.txt >> root.zone
+echo "fetched root.zone"
+ls -l root.zone
+cat root.soa
+
get_random_port 2
UNBOUND_PORT=$RND_PORT
FWD_PORT=$(($RND_PORT + 1))
@@ -13,23 +28,23 @@ echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
# start forwarder
get_ldns_testns
-$LDNS_TESTNS -p $FWD_PORT stub_udp_with_tcp_upstream.testns >fwd.log 2>&1 &
+$LDNS_TESTNS -p $FWD_PORT root_zonemd.testns >fwd.log 2>&1 &
FWD_PID=$!
echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
# make config file
-sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < stub_udp_with_tcp_upstream.conf > ub.conf
+CONTROL_PATH=/tmp
+CONTROL_PID=$$
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's?@CONTROL_PATH\@?'$CONTROL_PATH'?' -e 's/@CONTROL_PID@/'$CONTROL_PID'/' < root_zonemd.conf > ub.conf
# start unbound in the background
PRE="../.."
$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
UNBOUND_PID=$!
echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+echo "CONTROL_PATH=$CONTROL_PATH" >> .tpkg.var.test
+echo "CONTROL_PID=$CONTROL_PID" >> .tpkg.var.test
cat .tpkg.var.test
-
-# wait for forwarder to come up
wait_ldns_testns_up fwd.log
-
-# wait for unbound to come up
wait_unbound_up unbound.log
diff --git a/contrib/unbound/testdata/root_zonemd.tdir/root_zonemd.test b/contrib/unbound/testdata/root_zonemd.tdir/root_zonemd.test
new file mode 100644
index 000000000000..2745b5009e8f
--- /dev/null
+++ b/contrib/unbound/testdata/root_zonemd.tdir/root_zonemd.test
@@ -0,0 +1,63 @@
+# #-- root_zonemd.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+echo "> dig . SOA"
+dig @127.0.0.1 -p $UNBOUND_PORT . SOA | tee outfile
+echo "> check answer"
+if grep root-servers outfile | grep "nstld.verisign-grs.com"; then
+ echo "OK"
+else
+ echo "Not OK"
+ exit 1
+fi
+
+echo "> unbound-control status"
+$PRE/unbound-control -c ub.conf status
+if test $? -ne 0; then
+ echo "wrong exit value."
+ exit 1
+else
+ echo "exit value: OK"
+fi
+
+# This is the output when an unsupported algorithm is used.
+if grep "auth zone . zonemd DNSSEC verification of SOA and ZONEMD RRsets secure" unbound.log; then
+ echo "OK"
+else
+ echo "ZONEMD verification not OK"
+ exit 1
+fi
+if grep "auth-zone . ZONEMD hash is correct" unbound.log; then
+ echo "OK"
+else
+ echo "ZONEMD verification not OK"
+ exit 1
+fi
+if grep "auth zone . ZONEMD verification successful" unbound.log; then
+ echo "OK"
+else
+ echo "ZONEMD verification not OK"
+ exit 1
+fi
+
+echo "> unbound-control auth_zone_reload ."
+$PRE/unbound-control -c ub.conf auth_zone_reload . 2>&1 | tee outfile
+if test $? -ne 0; then
+ echo "wrong exit value."
+ exit 1
+fi
+# The output of the reload can be checked.
+echo "> check unbound-control output"
+if grep ".: ZONEMD verification successful" outfile; then
+ echo "OK"
+else
+ echo "Not OK"
+ exit 1
+fi
+
+exit 0
diff --git a/contrib/unbound/testdata/root_zonemd.tdir/root_zonemd.testns b/contrib/unbound/testdata/root_zonemd.tdir/root_zonemd.testns
new file mode 100644
index 000000000000..d538f2215ecf
--- /dev/null
+++ b/contrib/unbound/testdata/root_zonemd.tdir/root_zonemd.testns
@@ -0,0 +1,9 @@
+# reply to everything
+ENTRY_BEGIN
+MATCH opcode
+ADJUST copy_id copy_query
+REPLY QR SERVFAIL
+SECTION QUESTION
+example.com. IN SOA
+SECTION ANSWER
+ENTRY_END
diff --git a/contrib/unbound/testdata/rpz_cached_cname.rpl b/contrib/unbound/testdata/rpz_cached_cname.rpl
new file mode 100644
index 000000000000..198b946310bf
--- /dev/null
+++ b/contrib/unbound/testdata/rpz_cached_cname.rpl
@@ -0,0 +1,122 @@
+; config options
+server:
+ module-config: "respip validator iterator"
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: no
+ rrset-roundrobin: no
+ access-control: 192.0.0.0/8 allow
+
+rpz:
+ name: "rpz.example.com"
+ rpz-log: yes
+ rpz-log-name: "rpz.example.com"
+ zonefile:
+TEMPFILE_NAME rpz.example.com
+TEMPFILE_CONTENTS rpz.example.com
+rpz.example.com. 3600 IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 1 3600 900 86400 3600
+rpz.example.com. 3600 IN NS ns.rpz.example.net.
+a.foo.rpz.example.com. 120 IN A 10.99.99.99
+TEMPFILE_END
+
+stub-zone:
+ name: "."
+ stub-addr: 10.20.30.40
+
+CONFIG_END
+
+SCENARIO_BEGIN Test RPZ with cached CNAME to A record
+
+RANGE_BEGIN 0 100
+ ADDRESS 10.20.30.40
+
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR NOERROR AA
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS ns.
+SECTION ADDITIONAL
+ns. IN NS 10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR NOERROR AA
+SECTION QUESTION
+b.foo. IN A
+SECTION ANSWER
+b.foo. 30 CNAME a.foo.
+a.foo. 30 A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR NOERROR AA
+SECTION QUESTION
+a.foo. IN A
+SECTION ANSWER
+a.foo. A 1.2.3.4
+ENTRY_END
+
+RANGE_END
+
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+a.foo. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+a.foo. IN A
+SECTION ANSWER
+a.foo. 120 A 10.99.99.99
+ENTRY_END
+
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+b.foo. IN A
+ENTRY_END
+
+STEP 40 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+b.foo. IN A
+SECTION ANSWER
+b.foo. 30 CNAME a.foo.
+a.foo. 120 A 10.99.99.99
+ENTRY_END
+
+STEP 50 TIME_PASSES ELAPSE 3
+
+STEP 60 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+b.foo. IN A
+ENTRY_END
+
+STEP 70 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+b.foo. IN A
+SECTION ANSWER
+b.foo. 30 CNAME a.foo.
+a.foo. 120 A 10.99.99.99
+ENTRY_END
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/rpz_clientip.rpl b/contrib/unbound/testdata/rpz_clientip.rpl
deleted file mode 100644
index 78e05ad91994..000000000000
--- a/contrib/unbound/testdata/rpz_clientip.rpl
+++ /dev/null
@@ -1,264 +0,0 @@
-; config options
-server:
- module-config: "respip validator iterator"
- target-fetch-policy: "0 0 0 0 0"
- qname-minimisation: no
- minimal-responses: no
- access-control: 192.0.0.0/8 allow
-
-rpz:
- name: "rpz.example.com."
- zonefile:
-TEMPFILE_NAME rpz.example.com
-TEMPFILE_CONTENTS rpz.example.com
-$ORIGIN example.com.
-rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
- 1379078166 28800 7200 604800 7200 )
- 3600 IN NS ns1.rpz.example.com.
- 3600 IN NS ns2.rpz.example.com.
-$ORIGIN rpz.example.com.
-24.0.0.0.192.rpz-client-ip CNAME .
-24.0.1.0.192.rpz-client-ip CNAME *.
-24.0.2.0.192.rpz-client-ip CNAME rpz-drop.
-24.0.3.0.192.rpz-client-ip CNAME rpz-passthru.
-24.0.4.0.192.rpz-client-ip CNAME rpz-tcp-only.
-24.0.5.0.192.rpz-client-ip A 127.0.0.1
-24.0.5.0.192.rpz-client-ip TXT "42"
-TEMPFILE_END
-
-stub-zone:
- name: "a."
- stub-addr: 10.20.30.40
-CONFIG_END
-
-SCENARIO_BEGIN Test RPZ client ip triggers
-
-RANGE_BEGIN 0 100
- ADDRESS 10.20.30.40
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-a. IN NS
-SECTION ANSWER
-a. IN NS ns.a.
-SECTION ADDITIONAL
-ns.a IN A 10.20.30.40
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-a.a. IN TXT
-SECTION ANSWER
-a.a. IN TXT "upstream txt rr a.a."
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-a.a. IN A
-SECTION ANSWER
-a.a. IN A 10.20.30.40
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-a.a. IN AAAA
-SECTION ANSWER
-a.a. IN AAAA 2001:db8::123
-ENTRY_END
-
-RANGE_END
-
-; unrelated client ip address -- passthru
-
-STEP 10 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-a.a. IN TXT
-ENTRY_END
-
-STEP 11 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-a.a. IN TXT
-SECTION ANSWER
-a.a. IN TXT "upstream txt rr a.a."
-ENTRY_END
-
-; should be NXDOMAIN
-
-STEP 20 QUERY ADDRESS 192.0.0.1
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-a.a. IN TXT
-ENTRY_END
-
-STEP 21 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR AA RD RA NXDOMAIN
-SECTION QUESTION
-a.a. IN TXT
-SECTION ANSWER
-ENTRY_END
-
-; should be NODATA
-
-STEP 30 QUERY ADDRESS 192.0.1.1
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-a.a. IN TXT
-ENTRY_END
-
-STEP 31 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR AA RD RA NOERROR
-SECTION QUESTION
-a.a. IN TXT
-SECTION ANSWER
-ENTRY_END
-
-; should be PASSTHRU
-
-STEP 40 QUERY ADDRESS 192.0.3.1
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-a.a. IN TXT
-ENTRY_END
-
-STEP 41 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-a.a. IN TXT
-SECTION ANSWER
-a.a. IN TXT "upstream txt rr a.a."
-ENTRY_END
-
-; should be TRUNCATED
-
-STEP 50 QUERY ADDRESS 192.0.4.1
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-a.a. IN TXT
-ENTRY_END
-
-STEP 51 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR AA TC RD RA NOERROR
-SECTION QUESTION
-a.a. IN TXT
-SECTION ANSWER
-ENTRY_END
-
-; should not be TRUNCATED via TCP
-
-STEP 52 QUERY ADDRESS 192.0.4.1
-ENTRY_BEGIN
-MATCH TCP
-REPLY RD
-SECTION QUESTION
-a.a. IN TXT
-ENTRY_END
-
-STEP 53 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all TCP
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-a.a. IN TXT
-SECTION ANSWER
-a.a. IN TXT "upstream txt rr a.a."
-ENTRY_END
-
-; should be synthesized
-
-STEP 60 QUERY ADDRESS 192.0.5.1
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-a.a. IN A
-ENTRY_END
-
-STEP 61 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR AA RD RA NOERROR
-SECTION QUESTION
-a.a. IN A
-SECTION ANSWER
-a.a. IN A 127.0.0.1
-SECTION ADDITIONAL
-rpz.example.com. 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. ( 1379078166 28800 7200 604800 7200 )
-ENTRY_END
-
-; should be synthesized
-
-STEP 62 QUERY ADDRESS 192.0.5.1
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-a.a. IN TXT
-ENTRY_END
-
-STEP 63 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR AA RD RA NOERROR
-SECTION QUESTION
-a.a. IN TXT
-SECTION ANSWER
-a.a. IN TXT "42"
-SECTION ADDITIONAL
-rpz.example.com. 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. ( 1379078166 28800 7200 604800 7200 )
-ENTRY_END
-
-; should be synthesized NODATA
-
-STEP 64 QUERY ADDRESS 192.0.5.1
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-a.a. IN AAAA
-ENTRY_END
-
-STEP 65 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR AA RD RA NOERROR
-SECTION QUESTION
-a.a. IN AAAA
-SECTION ADDITIONAL
-rpz.example.com. 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. ( 1379078166 28800 7200 604800 7200 )
-ENTRY_END
-
-; should be DROPPED
-
-STEP 90 QUERY ADDRESS 192.0.2.1
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-a.a. IN TXT
-ENTRY_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/rpz_nsdname.rpl b/contrib/unbound/testdata/rpz_nsdname.rpl
deleted file mode 100644
index 1c678cc13bad..000000000000
--- a/contrib/unbound/testdata/rpz_nsdname.rpl
+++ /dev/null
@@ -1,390 +0,0 @@
-; config options
-server:
- module-config: "respip validator iterator"
- target-fetch-policy: "0 0 0 0 0"
- qname-minimisation: no
- access-control: 192.0.0.0/8 allow
-
-rpz:
- name: "rpz.example.com."
- rpz-log: yes
- rpz-log-name: "rpz.example.com"
- zonefile:
-TEMPFILE_NAME rpz.example.com
-TEMPFILE_CONTENTS rpz.example.com
-$ORIGIN example.com.
-rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
- 1379078166 28800 7200 604800 7200 )
- 3600 IN NS ns1.rpz.example.com.
- 3600 IN NS ns2.rpz.example.com.
-$ORIGIN rpz.example.com.
-ns1.gotham.aa.rpz-nsdname CNAME .
-ns1.gotham.bb.rpz-nsdname CNAME *.
-ns1.gotham.cc.rpz-nsdname CNAME rpz-drop.
-ns1.gotham.com.rpz-nsdname CNAME rpz-passthru.
-ns1.gotham.dd.rpz-nsdname CNAME rpz-tcp-only.
-ns1.gotham.ff.rpz-nsdname A 127.0.0.1
-ns1.gotham.ff.rpz-nsdname TXT "42"
-TEMPFILE_END
-
-stub-zone:
- name: "."
- stub-addr: 1.1.1.1
-CONFIG_END
-
-SCENARIO_BEGIN Test RPZ nsip triggers
-
-; . --------------------------------------------------------------------------
-RANGE_BEGIN 0 100
- ADDRESS 1.1.1.1
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS ns.root.
-SECTION ADDITIONAL
-ns.root IN A 1.1.1.1
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN A
-SECTION AUTHORITY
-com. IN NS ns1.com.
-SECTION ADDITIONAL
-ns1.com. IN A 8.8.8.8
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-aa. IN A
-SECTION AUTHORITY
-aa. IN NS ns1.aa.
-SECTION ADDITIONAL
-ns1.aa. IN A 8.8.0.8
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-bb. IN A
-SECTION AUTHORITY
-bb. IN NS ns1.bb.
-SECTION ADDITIONAL
-ns1.bb. IN A 8.8.1.8
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-cc. IN A
-SECTION AUTHORITY
-cc. IN NS ns1.cc.
-SECTION ADDITIONAL
-ns1.cc. IN A 8.8.2.8
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-dd. IN A
-SECTION AUTHORITY
-dd. IN NS ns1.dd.
-SECTION ADDITIONAL
-ns1.dd. IN A 8.8.3.8
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-ee. IN A
-SECTION AUTHORITY
-ee. IN NS ns1.ee.
-SECTION ADDITIONAL
-ns1.ee. IN A 8.8.5.8
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-ff. IN A
-SECTION AUTHORITY
-ff. IN NS ns1.ff.
-SECTION ADDITIONAL
-ns1.ff. IN A 8.8.6.8
-ENTRY_END
-
-RANGE_END
-
-; com. -----------------------------------------------------------------------
-RANGE_BEGIN 0 100
- ADDRESS 8.8.8.8
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com. IN NS ns1.com.
-SECTION ADDITIONAL
-ns1.com. IN A 8.8.8.8
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-gotham.com. IN A
-SECTION AUTHORITY
-gotham.com. IN NS ns1.gotham.com.
-SECTION ADDITIONAL
-ns1.gotham.com. IN A 192.0.6.1
-ENTRY_END
-
-RANGE_END
-
-; aa. ------------------------------------------------------------------------
-RANGE_BEGIN 0 100
- ADDRESS 8.8.0.8
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-aa. IN NS
-SECTION ANSWER
-aa. IN NS ns1.aa.
-SECTION ADDITIONAL
-ns1.aa. IN A 8.8.0.8
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-gotham.aa. IN A
-SECTION AUTHORITY
-gotham.aa. IN NS ns1.gotham.aa.
-SECTION ADDITIONAL
-ns1.gotham.aa. IN A 192.0.0.1
-ENTRY_END
-
-RANGE_END
-
-; bb. ------------------------------------------------------------------------
-RANGE_BEGIN 0 100
- ADDRESS 8.8.1.8
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-bb. IN NS
-SECTION ANSWER
-bb. IN NS ns1.bb.
-SECTION ADDITIONAL
-ns1.bb. IN A 8.8.1.8
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-gotham.bb. IN A
-SECTION AUTHORITY
-gotham.bb. IN NS ns1.gotham.bb.
-SECTION ADDITIONAL
-ns1.gotham.bb. IN A 192.0.1.1
-ENTRY_END
-
-RANGE_END
-
-; ff. ------------------------------------------------------------------------
-RANGE_BEGIN 0 100
- ADDRESS 8.8.6.8
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ff. IN NS
-SECTION ANSWER
-ff. IN NS ns1.ff.
-SECTION ADDITIONAL
-ns1.ff. IN A 8.8.6.8
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-gotham.ff. IN A
-SECTION AUTHORITY
-gotham.ff. IN NS ns1.gotham.ff.
-SECTION ADDITIONAL
-ns1.gotham.ff. IN A 192.0.5.1
-ENTRY_END
-
-RANGE_END
-
-; ns1.gotham.com. ------------------------------------------------------------
-RANGE_BEGIN 0 100
- ADDRESS 192.0.6.1
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-gotham.com. IN A
-SECTION ANSWER
-gotham.com. IN A 192.0.6.2
-ENTRY_END
-
-RANGE_END
-
-; ns1.gotham.aa. -------------------------------------------------------------
-RANGE_BEGIN 0 100
- ADDRESS 192.0.0.1
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-gotham.aa. IN A
-SECTION ANSWER
-gotham.aa. IN A 192.0.0.2
-ENTRY_END
-
-RANGE_END
-
-; ns1.gotham.bb. -------------------------------------------------------------
-RANGE_BEGIN 0 100
- ADDRESS 192.0.1.1
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-gotham.bb. IN A
-SECTION ANSWER
-gotham.bb. IN A 192.0.1.2
-ENTRY_END
-
-RANGE_END
-
-; ns1.gotham.ff. -------------------------------------------------------------
-RANGE_BEGIN 0 100
- ADDRESS 192.0.5.1
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-gotham.ff. IN A
-SECTION ANSWER
-gotham.ff. IN A 192.0.5.2
-ENTRY_END
-
-RANGE_END
-
-; ----------------------------------------------------------------------------
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-gotham.com. IN A
-ENTRY_END
-
-STEP 2 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-gotham.com. IN A
-SECTION ANSWER
-gotham.com. IN A 192.0.6.2
-ENTRY_END
-
-STEP 10 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-gotham.aa. IN A
-ENTRY_END
-
-STEP 11 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR AA RD RA NXDOMAIN
-SECTION QUESTION
-gotham.aa. IN A
-SECTION ANSWER
-ENTRY_END
-
-STEP 20 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-gotham.bb. IN A
-ENTRY_END
-
-STEP 21 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA AA NOERROR
-SECTION QUESTION
-gotham.bb. IN A
-SECTION ANSWER
-ENTRY_END
-
-STEP 30 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-gotham.ff. IN A
-ENTRY_END
-
-STEP 31 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA AA NOERROR
-SECTION QUESTION
-gotham.ff. IN A
-SECTION ANSWER
-gotham.ff. IN A 127.0.0.1
-ENTRY_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/rpz_nsip.rpl b/contrib/unbound/testdata/rpz_nsip.rpl
deleted file mode 100644
index 34dbd9fef816..000000000000
--- a/contrib/unbound/testdata/rpz_nsip.rpl
+++ /dev/null
@@ -1,408 +0,0 @@
-; config options
-server:
- module-config: "respip validator iterator"
- target-fetch-policy: "0 0 0 0 0"
- qname-minimisation: no
- access-control: 192.0.0.0/8 allow
-
-rpz:
- name: "rpz.example.com."
- rpz-log: yes
- rpz-log-name: "rpz.example.com"
- zonefile:
-TEMPFILE_NAME rpz.example.com
-TEMPFILE_CONTENTS rpz.example.com
-$ORIGIN example.com.
-rpz 3600 IN SOA ns1.rpz.gotham.com. hostmaster.rpz.example.com. (
- 1379078166 28800 7200 604800 7200 )
- 3600 IN NS ns1.rpz.example.com.
- 3600 IN NS ns2.rpz.example.com.
-$ORIGIN rpz.example.com.
-24.0.0.0.192.rpz-nsip CNAME .
-24.0.1.0.192.rpz-nsip CNAME *.
-24.0.2.0.192.rpz-nsip CNAME rpz-drop.
-24.0.3.0.192.rpz-nsip CNAME rpz-passthru.
-24.0.4.0.192.rpz-nsip CNAME rpz-tcp-only.
-24.0.5.0.192.rpz-nsip A 127.0.0.1
-24.0.5.0.192.rpz-nsip TXT "42"
-TEMPFILE_END
-
-stub-zone:
- name: "."
- stub-addr: 1.1.1.1
-CONFIG_END
-
-SCENARIO_BEGIN Test RPZ nsip triggers
-
-; . --------------------------------------------------------------------------
-RANGE_BEGIN 0 100
- ADDRESS 1.1.1.1
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS ns.root.
-SECTION ADDITIONAL
-ns.root IN A 1.1.1.1
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN A
-SECTION AUTHORITY
-com. IN NS ns1.com.
-SECTION ADDITIONAL
-ns1.com. IN A 8.8.8.8
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-aa. IN A
-SECTION AUTHORITY
-aa. IN NS ns1.aa.
-SECTION ADDITIONAL
-ns1.aa. IN A 8.8.0.8
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-bb. IN A
-SECTION AUTHORITY
-bb. IN NS ns1.bb.
-SECTION ADDITIONAL
-ns1.bb. IN A 8.8.1.8
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-cc. IN A
-SECTION AUTHORITY
-cc. IN NS ns1.cc.
-SECTION ADDITIONAL
-ns1.cc. IN A 8.8.2.8
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-dd. IN A
-SECTION AUTHORITY
-dd. IN NS ns1.dd.
-SECTION ADDITIONAL
-ns1.dd. IN A 8.8.3.8
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-ee. IN A
-SECTION AUTHORITY
-ee. IN NS ns1.ee.
-SECTION ADDITIONAL
-ns1.ee. IN A 8.8.5.8
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-ff. IN A
-SECTION AUTHORITY
-ff. IN NS ns1.ff.
-SECTION ADDITIONAL
-ns1.ff. IN A 8.8.6.8
-ENTRY_END
-
-RANGE_END
-
-; com. -----------------------------------------------------------------------
-RANGE_BEGIN 0 100
- ADDRESS 8.8.8.8
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com. IN NS ns1.com.
-SECTION ADDITIONAL
-ns1.com. IN A 8.8.8.8
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-gotham.com. IN A
-SECTION AUTHORITY
-gotham.com. IN NS ns1.gotham.com.
-SECTION ADDITIONAL
-ns1.gotham.com. IN A 192.0.6.1
-ENTRY_END
-
-RANGE_END
-
-; aa. ------------------------------------------------------------------------
-RANGE_BEGIN 0 100
- ADDRESS 8.8.0.8
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-aa. IN NS
-SECTION ANSWER
-aa. IN NS ns1.aa.
-SECTION ADDITIONAL
-ns1.aa. IN A 8.8.0.8
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-gotham.aa. IN A
-SECTION AUTHORITY
-gotham.aa. IN NS ns1.gotham.aa.
-SECTION ADDITIONAL
-ns1.gotham.aa. IN A 192.0.0.1
-ENTRY_END
-
-RANGE_END
-
-; bb. ------------------------------------------------------------------------
-RANGE_BEGIN 0 100
- ADDRESS 8.8.1.8
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-bb. IN NS
-SECTION ANSWER
-bb. IN NS ns1.bb.
-SECTION ADDITIONAL
-ns1.bb. IN A 8.8.1.8
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-gotham.bb. IN A
-SECTION AUTHORITY
-gotham.bb. IN NS ns1.gotham.bb.
-SECTION ADDITIONAL
-ns1.gotham.bb. IN A 192.0.1.1
-ENTRY_END
-
-RANGE_END
-
-; ff. ------------------------------------------------------------------------
-RANGE_BEGIN 0 100
- ADDRESS 8.8.6.8
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ff. IN NS
-SECTION ANSWER
-ff. IN NS ns1.ff.
-SECTION ADDITIONAL
-ns1.ff. IN A 8.8.6.8
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-gotham.ff. IN A
-SECTION AUTHORITY
-gotham.ff. IN NS ns1.gotham.ff.
-SECTION ADDITIONAL
-ns1.gotham.ff. IN A 192.0.5.1
-ENTRY_END
-
-RANGE_END
-
-; ns1.gotham.com. ------------------------------------------------------------
-RANGE_BEGIN 0 100
- ADDRESS 192.0.6.1
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-gotham.com. IN A
-SECTION ANSWER
-gotham.com. IN A 192.0.6.2
-ENTRY_END
-
-RANGE_END
-
-; ns1.gotham.aa. -------------------------------------------------------------
-RANGE_BEGIN 0 100
- ADDRESS 192.0.0.1
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-gotham.aa. IN A
-SECTION ANSWER
-gotham.aa. IN A 192.0.0.2
-ENTRY_END
-
-RANGE_END
-
-; ns1.gotham.bb. -------------------------------------------------------------
-RANGE_BEGIN 0 100
- ADDRESS 192.0.1.1
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-gotham.bb. IN A
-SECTION ANSWER
-gotham.bb. IN A 192.0.1.2
-ENTRY_END
-
-RANGE_END
-
-; ns1.gotham.ff. -------------------------------------------------------------
-RANGE_BEGIN 0 100
- ADDRESS 192.0.5.1
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-gotham.ff. IN A
-SECTION ANSWER
-gotham.ff. IN A 192.0.5.2
-ENTRY_END
-
-RANGE_END
-
-; ----------------------------------------------------------------------------
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-gotham.com. IN A
-ENTRY_END
-
-STEP 2 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-gotham.com. IN A
-SECTION ANSWER
-gotham.com. IN A 192.0.6.2
-ENTRY_END
-
-STEP 10 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-gotham.aa. IN A
-ENTRY_END
-
-STEP 11 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR AA RD RA NXDOMAIN
-SECTION QUESTION
-gotham.aa. IN A
-SECTION ANSWER
-ENTRY_END
-
-STEP 20 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-gotham.bb. IN A
-ENTRY_END
-
-STEP 21 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA AA NOERROR
-SECTION QUESTION
-gotham.bb. IN A
-SECTION ANSWER
-ENTRY_END
-
-STEP 30 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-gotham.ff. IN A
-ENTRY_END
-
-STEP 31 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA AA NOERROR
-SECTION QUESTION
-gotham.ff. IN A
-SECTION ANSWER
-gotham.ff. IN A 127.0.0.1
-ENTRY_END
-
-; again with more cache items
-STEP 40 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-gotham.ff. IN A
-ENTRY_END
-
-STEP 41 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA AA NOERROR
-SECTION QUESTION
-gotham.ff. IN A
-SECTION ANSWER
-gotham.ff. IN A 127.0.0.1
-ENTRY_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/rpz_qname_tcponly.rpl b/contrib/unbound/testdata/rpz_qname_tcponly.rpl
deleted file mode 100644
index d30b88616227..000000000000
--- a/contrib/unbound/testdata/rpz_qname_tcponly.rpl
+++ /dev/null
@@ -1,117 +0,0 @@
-; config options
-server:
- module-config: "respip validator iterator"
- target-fetch-policy: "0 0 0 0 0"
- qname-minimisation: no
-
-rpz:
- name: "rpz.example.com."
- zonefile:
-TEMPFILE_NAME rpz.example.com
-TEMPFILE_CONTENTS rpz.example.com
-$ORIGIN example.com.
-rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
- 1379078166 28800 7200 604800 7200 )
- 3600 IN NS ns1.rpz.example.com.
- 3600 IN NS ns2.rpz.example.com.
-$ORIGIN rpz.example.com.
-a.a CNAME rpz-passthru.
-b.a CNAME rpz-tcp-only.
-TEMPFILE_END
-
-stub-zone:
- name: "a."
- stub-addr: 10.20.30.40
-CONFIG_END
-
-SCENARIO_BEGIN Test RPZ qname trigger and tcp-only action
-
-RANGE_BEGIN 0 100
- ADDRESS 10.20.30.40
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-a. IN NS
-SECTION ANSWER
-a. IN NS ns.a.
-SECTION ADDITIONAL
-ns.a IN A 10.20.30.40
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-a.a. IN TXT
-SECTION ANSWER
-a.a. IN TXT "upstream txt rr a.a."
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-b.a. IN TXT
-SECTION ANSWER
-b.a. IN TXT "upstream txt rr b.a."
-ENTRY_END
-
-RANGE_END
-
-STEP 10 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-a.a. IN TXT
-ENTRY_END
-
-STEP 11 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-a.a. IN TXT
-SECTION ANSWER
-a.a. IN TXT "upstream txt rr a.a."
-ENTRY_END
-
-STEP 20 QUERY
-ENTRY_BEGIN
-MATCH UDP
-REPLY RD
-SECTION QUESTION
-b.a. IN TXT
-ENTRY_END
-
-STEP 21 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all UDP
-REPLY QR AA TC RD RA NOERROR
-SECTION QUESTION
-b.a. IN TXT
-SECTION ANSWER
-ENTRY_END
-
-STEP 30 QUERY
-ENTRY_BEGIN
-MATCH TCP
-REPLY RD
-SECTION QUESTION
-b.a. IN TXT
-ENTRY_END
-
-STEP 31 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all TCP
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-b.a. IN TXT
-SECTION ANSWER
-b.a. IN TXT "upstream txt rr b.a."
-ENTRY_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/rpz_respip_tcponly.rpl b/contrib/unbound/testdata/rpz_respip_tcponly.rpl
deleted file mode 100644
index c495de2038a1..000000000000
--- a/contrib/unbound/testdata/rpz_respip_tcponly.rpl
+++ /dev/null
@@ -1,207 +0,0 @@
-; config options
-server:
- module-config: "respip validator iterator"
- target-fetch-policy: "0 0 0 0 0"
- qname-minimisation: no
-
-rpz:
- name: "rpz.example.com."
- zonefile:
-TEMPFILE_NAME rpz.example.com
-TEMPFILE_CONTENTS rpz.example.com
-$ORIGIN example.com.
-rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
- 1379078166 28800 7200 604800 7200 )
- 3600 IN NS ns1.rpz.example.com.
- 3600 IN NS ns2.rpz.example.com.
-$ORIGIN rpz.example.com.
-8.0.0.0.10.rpz-ip CNAME *.
-16.0.0.10.10.rpz-ip CNAME .
-24.0.10.10.10.rpz-ip CNAME rpz-drop.
-32.10.10.10.10.rpz-ip CNAME rpz-passthru.
-32.1.1.1.10.rpz-ip CNAME rpz-tcp-only.
-TEMPFILE_END
-
-stub-zone:
- name: "."
- stub-addr: 10.20.30.40
-CONFIG_END
-
-SCENARIO_BEGIN Test RPZ response IP address trigger and tcp-only action
-
-RANGE_BEGIN 0 100
- ADDRESS 10.20.30.40
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS ns.
-SECTION ADDITIONAL
-ns. IN A 10.20.30.40
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-a. IN A
-SECTION ANSWER
-a. IN A 10.0.0.123
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-b. IN A
-SECTION ANSWER
-b. IN A 10.1.0.123
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-c. IN A
-SECTION ANSWER
-c. IN A 10.11.0.123
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-d. IN A
-SECTION ANSWER
-d. IN A 10.10.0.123
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-f. IN A
-SECTION ANSWER
-f. IN A 10.10.10.10
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-y. IN A
-SECTION ANSWER
-y. IN A 10.1.1.1
-ENTRY_END
-
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-a. IN A
-ENTRY_END
-
-STEP 2 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-a. IN A
-SECTION ANSWER
-ENTRY_END
-
-STEP 10 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-b. IN A
-ENTRY_END
-
-STEP 11 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-b. IN A
-SECTION ANSWER
-ENTRY_END
-
-STEP 13 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-d. IN A
-ENTRY_END
-
-STEP 14 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NXDOMAIN
-SECTION QUESTION
-d. IN A
-SECTION ANSWER
-ENTRY_END
-
-STEP 17 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-f. IN A
-ENTRY_END
-
-STEP 18 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-f. IN A
-SECTION ANSWER
-f. IN A 10.10.10.10
-ENTRY_END
-
-STEP 30 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-y. IN A
-ENTRY_END
-
-STEP 31 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR TC RD RA NOERROR
-SECTION QUESTION
-y. IN A
-SECTION ANSWER
-ENTRY_END
-
-STEP 40 QUERY
-ENTRY_BEGIN
-MATCH TCP
-REPLY RD
-SECTION QUESTION
-y. IN A
-ENTRY_END
-
-STEP 41 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all TCP
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-y. IN A
-SECTION ANSWER
-y. IN A 10.1.1.1
-ENTRY_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/rpz_rootwc.rpl b/contrib/unbound/testdata/rpz_rootwc.rpl
deleted file mode 100644
index 1fb94a1439fa..000000000000
--- a/contrib/unbound/testdata/rpz_rootwc.rpl
+++ /dev/null
@@ -1,162 +0,0 @@
-; config options
-server:
- module-config: "respip validator iterator"
- target-fetch-policy: "0 0 0 0 0"
- qname-minimisation: no
-
-rpz:
- name: "rpz.example.com."
- zonefile:
-TEMPFILE_NAME rpz.example.com
-TEMPFILE_CONTENTS rpz.example.com
-$ORIGIN example.com.
-rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
- 1379078166 28800 7200 604800 7200 )
- 3600 IN NS ns1.rpz.example.com.
- 3600 IN NS ns2.rpz.example.com.
-$ORIGIN rpz.example.com.
-a CNAME .
-a CNAME *. ; duplicate CNAME here on purpose
-*.a TXT "wildcard local data"
-* CNAME .
-b.a CNAME *.
-c.a CNAME rpz-passthru.
-TEMPFILE_END
-
-rpz:
- name: "rpz2.example.com."
- zonefile:
-TEMPFILE_NAME rpz2.example.com
-TEMPFILE_CONTENTS rpz2.example.com
-$ORIGIN example.com.
-rpz2 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
- 1379078166 28800 7200 604800 7200 )
- 3600 IN NS ns1.rpz.example.com.
- 3600 IN NS ns2.rpz.example.com.
-$ORIGIN rpz2.example.com.
-a TXT "local data 2nd zone"
-d TXT "local data 2nd zone"
-e CNAME *.a.example.
-*.e CNAME *.b.example.
-drop CNAME rpz-drop.
-TEMPFILE_END
-
-stub-zone:
- name: "a."
- stub-addr: 10.20.30.40
-stub-zone:
- name: "example."
- stub-addr: 10.20.30.50
-CONFIG_END
-
-SCENARIO_BEGIN Test RPZ QNAME trigger for root wildcard.
-
-; a.
-RANGE_BEGIN 0 100
- ADDRESS 10.20.30.40
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-a. IN NS
-SECTION ANSWER
-a. IN NS ns.a.
-SECTION ADDITIONAL
-ns.a IN A 10.20.30.40
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-c.a. IN TXT
-SECTION ANSWER
-c.a. IN TXT "answer from upstream ns"
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-x.b.a. IN TXT
-SECTION ANSWER
-x.b.a. IN TXT "answer from upstream ns"
-ENTRY_END
-
-RANGE_END
-
-; example.
-RANGE_BEGIN 0 100
- ADDRESS 10.20.30.50
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example. IN NS
-SECTION ANSWER
-example. IN NS ns.example.
-SECTION ADDITIONAL
-ns.example IN A 10.20.30.50
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-e.a.example. IN TXT
-SECTION ANSWER
-e.a.example. IN TXT "e.a.example. answer from upstream ns"
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-something.e.b.example. IN TXT
-SECTION ANSWER
-something.e.b.example. IN TXT "*.b.example. answer from upstream ns"
-ENTRY_END
-
-RANGE_END
-
-STEP 10 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-x. IN TXT
-ENTRY_END
-
-; wildcard deny all
-STEP 20 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA AA NXDOMAIN
-SECTION QUESTION
-x. IN TXT
-SECTION ANSWER
-ENTRY_END
-
-STEP 30 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-y.tld. IN TXT
-ENTRY_END
-
-; wildcard deny all
-STEP 40 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA AA NXDOMAIN
-SECTION QUESTION
-y.tld. IN TXT
-SECTION ANSWER
-ENTRY_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/rpz_signal_nxdomain_ra.rpl b/contrib/unbound/testdata/rpz_signal_nxdomain_ra.rpl
deleted file mode 100644
index b89498cf9626..000000000000
--- a/contrib/unbound/testdata/rpz_signal_nxdomain_ra.rpl
+++ /dev/null
@@ -1,254 +0,0 @@
-; config options
-server:
- module-config: "respip validator iterator"
- target-fetch-policy: "0 0 0 0 0"
- qname-minimisation: no
- access-control: 192.0.0.0/8 allow
-
-rpz:
- name: "rpz.example.com."
- rpz-signal-nxdomain-ra: yes
- zonefile:
-TEMPFILE_NAME rpz.example.com
-TEMPFILE_CONTENTS rpz.example.com
-$ORIGIN example.com.
-rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
- 1379078166 28800 7200 604800 7200 )
- 3600 IN NS ns1.rpz.example.com.
- 3600 IN NS ns2.rpz.example.com.
-$ORIGIN rpz.example.com.
-a.a CNAME .
-b.a CNAME .
-ns1.a.rpz-nsdname CNAME .
-24.0.0.0.192.rpz-nsip CNAME .
-24.0.3.0.192.rpz-client-ip CNAME .
-TEMPFILE_END
-
-stub-zone:
- name: "a."
- stub-addr: 10.20.30.40
-CONFIG_END
-
-SCENARIO_BEGIN Test RPZ qname trigger and signal NXDOMAIN with unset RA.
-
-RANGE_BEGIN 0 100
- ADDRESS 10.20.30.40
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-a. IN NS
-SECTION ANSWER
-a. IN NS ns.a.
-SECTION ADDITIONAL
-ns.a IN A 10.20.30.40
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-a.a. IN TXT
-SECTION ANSWER
-a.a. IN TXT "upstream txt rr a.a."
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-b.a. IN TXT
-SECTION ANSWER
-b.a. IN TXT "upstream txt rr b.a."
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-c.a. IN TXT
-SECTION ANSWER
-c.a. IN CNAME b.a
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-d.a. IN NS
-SECTION ANSWER
-SECTION AUTHORITY
-d.a. IN NS ns1.a.
-SECTION ADDITIONAL
-ns1.a. IN A 10.20.30.50
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-e.a. IN NS
-SECTION ANSWER
-SECTION AUTHORITY
-e.a. IN NS ns2.a.
-SECTION ADDITIONAL
-ns2.a. IN A 192.0.0.5
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-f.a. IN TXT
-SECTION ANSWER
-f.a. IN TXT "upstream txt rr f.a."
-ENTRY_END
-
-RANGE_END
-
-RANGE_BEGIN 0 100
- ADDRESS 10.20.30.50
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-d.a. IN NS
-SECTION ANSWER
-d.a. IN NS ns1.a.
-SECTION ADDITIONAL
-ns1.a. IN A 10.20.30.50
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-d.d.a. IN TXT
-SECTION ANSWER
-d.d.a. IN TXT "upstream answer for d.d.a"
-ENTRY_END
-
-RANGE_END
-
-RANGE_BEGIN 0 100
- ADDRESS 192.0.0.5
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-e.a. IN NS
-SECTION ANSWER
-e.a. IN NS ns2.a.
-SECTION ADDITIONAL
-ns2.a. IN A 192.0.0.5
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-e.e.a. IN TXT
-SECTION ANSWER
-e.e.a. IN TXT "upstream answer for e.e.a"
-ENTRY_END
-
-RANGE_END
-
-; qname trigger
-STEP 10 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-a.a. IN TXT
-ENTRY_END
-
-STEP 11 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD AA NXDOMAIN
-SECTION QUESTION
-a.a. IN TXT
-SECTION ANSWER
-ENTRY_END
-
-; qname trigger after cname
-STEP 20 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-c.a. IN TXT
-ENTRY_END
-
-STEP 21 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD AA NXDOMAIN
-SECTION QUESTION
-c.a. IN TXT
-SECTION ANSWER
-c.a. IN CNAME b.a
-ENTRY_END
-
-; nsdname trigger
-STEP 30 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-d.d.a. IN TXT
-ENTRY_END
-
-STEP 31 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD AA NXDOMAIN
-SECTION QUESTION
-d.d.a. IN TXT
-SECTION ANSWER
-ENTRY_END
-
-; nsip trigger
-STEP 40 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-e.e.a. IN TXT
-ENTRY_END
-
-STEP 41 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD AA NXDOMAIN
-SECTION QUESTION
-e.e.a. IN TXT
-SECTION ANSWER
-ENTRY_END
-
-; clientip trigger
-STEP 50 QUERY ADDRESS 192.0.3.1
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-f.a. IN TXT
-ENTRY_END
-
-STEP 51 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR AA RD NXDOMAIN
-SECTION QUESTION
-f.a. IN TXT
-SECTION ANSWER
-ENTRY_END
-
-SCENARIO_END
diff --git a/contrib/unbound/testdata/rrset_use_cached.rpl b/contrib/unbound/testdata/rrset_use_cached.rpl
new file mode 100644
index 000000000000..8420ae02afe6
--- /dev/null
+++ b/contrib/unbound/testdata/rrset_use_cached.rpl
@@ -0,0 +1,151 @@
+server:
+ minimal-responses: no
+ serve-expired: yes
+ # The value does not matter, we will not simulate delay.
+ # We do not want only serve-expired because fetches from that
+ # apply a generous PREFETCH_LEEWAY.
+ serve-expired-client-timeout: 1000
+ # So that we can only have to give one SERVFAIL answer.
+ outbound-msg-retry: 0
+
+forward-zone: name: "." forward-addr: 216.0.0.1
+CONFIG_END
+
+SCENARIO_BEGIN RRset from cache updates the message TTL.
+
+STEP 1 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ www.example.com. IN A
+ENTRY_END
+; the query is sent to the forwarder - no cache yet.
+STEP 2 CHECK_OUT_QUERY
+ENTRY_BEGIN
+ MATCH qname qtype opcode
+ SECTION QUESTION
+ www.example.com. IN A
+ENTRY_END
+STEP 3 REPLY
+ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ ; authoritative answer
+ REPLY QR AA RD RA NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION ANSWER
+ www.example.com. 5 IN A 10.20.30.40
+ SECTION AUTHORITY
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 10.20.30.50
+ENTRY_END
+STEP 4 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RD RA
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION ANSWER
+ www.example.com. 5 IN A 10.20.30.40
+ SECTION AUTHORITY
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 10.20.30.50
+ENTRY_END
+
+; Wait for the A RRSET to expire.
+STEP 5 TIME_PASSES ELAPSE 6
+
+STEP 6 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ www.example.com. IN A
+ENTRY_END
+; expired answer will not be served due to serve-expired-client-timeout.
+STEP 7 CHECK_OUT_QUERY
+ENTRY_BEGIN
+ MATCH qname qtype opcode
+ SECTION QUESTION
+ www.example.com. IN A
+ENTRY_END
+STEP 8 REPLY
+ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ ; authoritative answer
+ REPLY QR AA RD RA NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION ANSWER
+ www.example.com. 5 IN A 10.20.30.40
+ SECTION AUTHORITY
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 10.20.30.50
+ENTRY_END
+; The cached NS related RRSETs will not be overwritten by the fresh answer.
+; The message should have a TTL of 4 instead of 5 from above.
+STEP 9 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RD RA
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION ANSWER
+ www.example.com. 5 IN A 10.20.30.40
+ SECTION AUTHORITY
+ example.com. 4 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 4 IN A 10.20.30.50
+ENTRY_END
+
+; Wait for the NS RRSETs to expire.
+STEP 10 TIME_PASSES ELAPSE 5
+
+STEP 11 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ www.example.com. IN A
+ENTRY_END
+; The message should be expired, again no expired answer at this point due to
+; serve-expired-client-timeout.
+STEP 12 CHECK_OUT_QUERY
+ENTRY_BEGIN
+ MATCH qname qtype opcode
+ SECTION QUESTION
+ www.example.com. IN A
+ENTRY_END
+STEP 13 REPLY
+ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR RD RA SERVFAIL
+ SECTION QUESTION
+ www.example.com. IN A
+ENTRY_END
+; The SERVFAIL will trigger the serve-expired-client-timeout logic to try and
+; replace the SERVFAIL with a possible cached (expired) answer.
+; The A RRSET would be at 0TTL left (not expired) but the message should have
+; been updated to use a TTL of 4 so expired by now.
+; If the message TTL was not updated (bug), this message would be treated as
+; non-expired and the now expired NS related RRSETs would fail sanity checks
+; for non-expired messages. The result would be SERVFAIL here.
+STEP 14 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RD RA
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION ANSWER
+ www.example.com. 0 IN A 10.20.30.40
+ SECTION AUTHORITY
+ example.com. 30 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 30 IN A 10.20.30.50
+ENTRY_END
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/serve_expired_0ttl_nodata.rpl b/contrib/unbound/testdata/serve_expired_0ttl_nodata.rpl
new file mode 100644
index 000000000000..7f1b5a565853
--- /dev/null
+++ b/contrib/unbound/testdata/serve_expired_0ttl_nodata.rpl
@@ -0,0 +1,154 @@
+; config options
+server:
+ module-config: "validator iterator"
+ qname-minimisation: "no"
+ minimal-responses: no
+ serve-expired: yes
+ log-servfail: yes
+ ede: yes
+ ede-serve-expired: yes
+
+
+stub-zone:
+ name: "example.com"
+ stub-addr: 1.2.3.4
+CONFIG_END
+
+SCENARIO_BEGIN Test serve-expired with NXDOMAIN followed by 0 TTL
+; Scenario overview:
+; - query for 0ttl.example.com. IN A
+; - answer from upstream is NODATA; will be cached for the SOA negative TTL.
+; - check that the client gets the NODATA; also cached
+; - query again right after the TTL expired
+; - this time the server answers with a 0 TTL RRset
+; - check that we get the correct answer
+
+; ns.example.com.
+RANGE_BEGIN 0 20
+ ADDRESS 1.2.3.4
+ ; response to A query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION AUTHORITY
+ example.com IN SOA ns.example.com dns.example.com 1 7200 3600 2419200 10
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 30 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 1.2.3.4
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION ANSWER
+ 0ttl.example.com. 0 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; Query with RD flag
+STEP 0 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Check that we get the NODATA (will be cached)
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION AUTHORITY
+ example.com IN SOA ns.example.com dns.example.com 1 7200 3600 2419200 10
+ENTRY_END
+
+; Query again
+STEP 20 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Check that we get the cached NODATA
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION AUTHORITY
+ example.com IN SOA ns.example.com dns.example.com 1 7200 3600 2419200 10
+ENTRY_END
+
+; Wait for the NXDOMAIN to expire
+STEP 31 TIME_PASSES ELAPSE 32
+
+; Query again
+STEP 40 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Check that we get the cached NODATA
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION AUTHORITY
+ example.com IN SOA ns.example.com dns.example.com 1 7200 3600 2419200 10
+ENTRY_END
+
+; Query again
+STEP 60 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Check that we got the correct answer
+STEP 70 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION ANSWER
+ 0ttl.example.com. 0 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/serve_expired_0ttl_nxdomain.rpl b/contrib/unbound/testdata/serve_expired_0ttl_nxdomain.rpl
new file mode 100644
index 000000000000..4adb4b839a69
--- /dev/null
+++ b/contrib/unbound/testdata/serve_expired_0ttl_nxdomain.rpl
@@ -0,0 +1,154 @@
+; config options
+server:
+ module-config: "validator iterator"
+ qname-minimisation: "no"
+ minimal-responses: no
+ serve-expired: yes
+ log-servfail: yes
+ ede: yes
+ ede-serve-expired: yes
+
+
+stub-zone:
+ name: "example.com"
+ stub-addr: 1.2.3.4
+CONFIG_END
+
+SCENARIO_BEGIN Test serve-expired with NXDOMAIN followed by 0 TTL
+; Scenario overview:
+; - query for 0ttl.example.com. IN A
+; - answer from upstream is NXDOMAIN; will be cached for the SOA negative TTL.
+; - check that the client gets the NXDOMAIN; also cached
+; - query again right after the TTL expired
+; - this time the server answers with a 0 TTL RRset
+; - check that we get the correct answer
+
+; ns.example.com.
+RANGE_BEGIN 0 20
+ ADDRESS 1.2.3.4
+ ; response to A query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NXDOMAIN
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION AUTHORITY
+ example.com IN SOA ns.example.com dns.example.com 1 7200 3600 2419200 10
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 30 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 1.2.3.4
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION ANSWER
+ 0ttl.example.com. 0 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; Query with RD flag
+STEP 0 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Check that we get the SERVFAIL (will be cached)
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA NXDOMAIN
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION AUTHORITY
+ example.com IN SOA ns.example.com dns.example.com 1 7200 3600 2419200 10
+ENTRY_END
+
+; Query again
+STEP 20 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Check that we get the cached NXDOMAIN
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA NXDOMAIN
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION AUTHORITY
+ example.com IN SOA ns.example.com dns.example.com 1 7200 3600 2419200 10
+ENTRY_END
+
+; Wait for the NXDOMAIN to expire
+STEP 31 TIME_PASSES ELAPSE 32
+
+; Query again
+STEP 40 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Check that we get the cached NXDOMAIN
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA NXDOMAIN
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION AUTHORITY
+ example.com IN SOA ns.example.com dns.example.com 1 7200 3600 2419200 10
+ENTRY_END
+
+; Query again
+STEP 60 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Check that we got the correct answer
+STEP 70 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION ANSWER
+ 0ttl.example.com. 0 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/serve_expired_0ttl_servfail.rpl b/contrib/unbound/testdata/serve_expired_0ttl_servfail.rpl
new file mode 100644
index 000000000000..6833af17b827
--- /dev/null
+++ b/contrib/unbound/testdata/serve_expired_0ttl_servfail.rpl
@@ -0,0 +1,129 @@
+; config options
+server:
+ module-config: "validator iterator"
+ qname-minimisation: "no"
+ minimal-responses: no
+ serve-expired: yes
+ log-servfail: yes
+ ede: yes
+ ede-serve-expired: yes
+
+
+stub-zone:
+ name: "example.com"
+ stub-addr: 1.2.3.4
+CONFIG_END
+
+SCENARIO_BEGIN Test serve-expired with SERVFAIL followed by 0 TTL
+; Scenario overview:
+; - query for 0ttl.example.com. IN A
+; - answer from upstream is SERVFAIL; will be cached for NORR_TTL(5)
+; - check that the client gets the SERVFAIL; also cached
+; - query again right after the TTL expired
+; - this time the server answers with a 0 TTL RRset
+; - check that we get the correct answer
+
+; ns.example.com.
+RANGE_BEGIN 0 20
+ ADDRESS 1.2.3.4
+ ; response to A query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA SERVFAIL
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 30 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 1.2.3.4
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION ANSWER
+ 0ttl.example.com. 0 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; Query with RD flag
+STEP 0 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Check that we get the SERVFAIL (will be cached)
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA SERVFAIL
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Query again
+STEP 20 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Check that we get the cached SERVFAIL
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA SERVFAIL
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Wait for the SERVFAIL to expire
+STEP 31 TIME_PASSES ELAPSE 32
+
+; Query again
+STEP 40 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Check that we got the correct answer
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION ANSWER
+ 0ttl.example.com. 0 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/serve_expired_cached_servfail.rpl b/contrib/unbound/testdata/serve_expired_cached_servfail.rpl
new file mode 100644
index 000000000000..f5f4c7030198
--- /dev/null
+++ b/contrib/unbound/testdata/serve_expired_cached_servfail.rpl
@@ -0,0 +1,130 @@
+; config options
+server:
+ module-config: "validator iterator"
+ qname-minimisation: "no"
+ minimal-responses: no
+ serve-expired: yes
+ serve-expired-reply-ttl: 123
+ log-servfail: yes
+ ede: yes
+ ede-serve-expired: yes
+
+
+stub-zone:
+ name: "example.com"
+ stub-addr: 1.2.3.4
+CONFIG_END
+
+SCENARIO_BEGIN Test serve-expired with client-timeout and a SERVFAIL upstream reply
+; Scenario overview:
+; - query for example.com. IN A
+; - answer from upstream is SERVFAIL; will be cached for NORR_TTL(5)
+; - check that the client gets the SERVFAIL; also cached
+; - query again right after the TTL expired
+; - cached SERVFAIL should be ignored and upstream queried
+; - check that we get the correct answer
+
+; ns.example.com.
+RANGE_BEGIN 0 20
+ ADDRESS 1.2.3.4
+ ; response to A query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA SERVFAIL
+ SECTION QUESTION
+ example.com. IN A
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 30 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 1.2.3.4
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 10 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; Query with RD flag
+STEP 0 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+; Check that we get the SERVFAIL (will be cached)
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA SERVFAIL
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+; Query again
+STEP 20 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+; Check that we get the cached SERVFAIL
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA SERVFAIL
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+; Wait for the SERVFAIL to expire
+STEP 31 TIME_PASSES ELAPSE 6
+
+; Query again
+STEP 40 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+; Check that we got the correct answer
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 10 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/serve_expired_cached_servfail_refresh.rpl b/contrib/unbound/testdata/serve_expired_cached_servfail_refresh.rpl
new file mode 100644
index 000000000000..9b7c1fda16c1
--- /dev/null
+++ b/contrib/unbound/testdata/serve_expired_cached_servfail_refresh.rpl
@@ -0,0 +1,145 @@
+; config options
+server:
+ module-config: "validator iterator"
+ qname-minimisation: "no"
+ minimal-responses: no
+ serve-expired: yes
+ serve-expired-reply-ttl: 123
+ log-servfail: yes
+ ede: yes
+ ede-serve-expired: yes
+
+
+stub-zone:
+ name: "example.com"
+ stub-addr: 1.2.3.4
+CONFIG_END
+
+SCENARIO_BEGIN Test serve-expired with client-timeout and a SERVFAIL upstream reply
+; Scenario overview:
+; - query for example.com. IN A
+; - answer from upstream is SERVFAIL; will be cached for NORR_TTL(5)
+; - check that the client gets the SERVFAIL; also cached
+; - query again right after the TTL expired
+; - cached SERVFAIL should be ignored and upstream queried
+; - answer from upstream is still SERVFAIL; the cached error response will be
+; refreshed for another NORR_TTL(5)
+; - check that the client gets the SERVFAIL
+; - query again; the upstream now has the answer available
+; - check that we get the refreshed cached response instead
+
+; ns.example.com.
+RANGE_BEGIN 0 50
+ ADDRESS 1.2.3.4
+ ; response to A query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA SERVFAIL
+ SECTION QUESTION
+ example.com. IN A
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 60 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 1.2.3.4
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 10 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; Query with RD flag
+STEP 0 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+; Check that we get the SERVFAIL (will be cached)
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA SERVFAIL
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+; Query again
+STEP 20 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+; Check that we get the cached SERVFAIL
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA SERVFAIL
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+; Wait for the SERVFAIL to expire
+STEP 31 TIME_PASSES ELAPSE 6
+
+; Query again
+STEP 40 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+; Check that we get the SERVFAIL (will be refreshed)
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA SERVFAIL
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+; Query again, upstream has the real answer available
+STEP 60 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+; Check that we get the refreshed cached SERVFAIL
+STEP 70 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA SERVFAIL
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/stat_values.tdir/stat_values_cachedb.conf b/contrib/unbound/testdata/stat_values.tdir/stat_values_cachedb.conf
new file mode 100644
index 000000000000..b5e9b0e02932
--- /dev/null
+++ b/contrib/unbound/testdata/stat_values.tdir/stat_values_cachedb.conf
@@ -0,0 +1,36 @@
+server:
+ verbosity: 5
+ module-config: "cachedb iterator"
+ serve-expired: yes
+ num-threads: 1
+ interface: 127.0.0.1
+ port: @PORT@
+ use-syslog: no
+ directory: ""
+ pidfile: "unbound.pid"
+ chroot: ""
+ username: ""
+ do-not-query-localhost: no
+ extended-statistics: yes
+ identity: "stat_values"
+ outbound-msg-retry: 0
+ root-key-sentinel: no
+ trust-anchor-signaling: no
+
+ local-zone: local.zone static
+ local-data: "www.local.zone A 192.0.2.1"
+remote-control:
+ control-enable: yes
+ control-interface: 127.0.0.1
+ # control-interface: ::1
+ control-port: @CONTROL_PORT@
+ server-key-file: "unbound_server.key"
+ server-cert-file: "unbound_server.pem"
+ control-key-file: "unbound_control.key"
+ control-cert-file: "unbound_control.pem"
+forward-zone:
+ name: "."
+ forward-addr: "127.0.0.1@@TOPORT@"
+forward-zone:
+ name: "expired."
+ forward-addr: "127.0.0.1@@EXPIREDPORT@"
diff --git a/contrib/unbound/testdata/http_user_agent.tdir/http_user_agent.conf b/contrib/unbound/testdata/stat_values.tdir/stat_values_downstream_cookies.conf
index c563416aefbe..21e78829fc8e 100644
--- a/contrib/unbound/testdata/http_user_agent.tdir/http_user_agent.conf
+++ b/contrib/unbound/testdata/stat_values.tdir/stat_values_downstream_cookies.conf
@@ -1,18 +1,7 @@
-auth-zone:
- name: "example.com"
- for-upstream: yes
- for-downstream: yes
- url: "https://127.0.0.1:@TOPORT@/example.com.zone"
-remote-control:
- control-enable: yes
- control-interface: 127.0.0.1
- control-port: @CONTROL_PORT@
- server-key-file: "unbound_server.key"
- server-cert-file: "unbound_server.pem"
- control-key-file: "unbound_control.key"
- control-cert-file: "unbound_control.pem"
server:
- verbosity: 7
+ verbosity: 5
+ module-config: "iterator"
+ num-threads: 1
interface: 127.0.0.1
port: @PORT@
use-syslog: no
@@ -20,5 +9,24 @@ server:
pidfile: "unbound.pid"
chroot: ""
username: ""
- do-not-query-localhost: no
- use-caps-for-id: yes
+ extended-statistics: yes
+ identity: "stat_values"
+ outbound-msg-retry: 0
+ root-key-sentinel: no
+ trust-anchor-signaling: no
+
+ local-zone: local.zone static
+ local-data: "www.local.zone A 192.0.2.1"
+
+ answer-cookie: yes
+ access-control: 127.0.0.1 allow_cookie
+
+remote-control:
+ control-enable: yes
+ control-interface: 127.0.0.1
+ # control-interface: ::1
+ control-port: @CONTROL_PORT@
+ server-key-file: "unbound_server.key"
+ server-cert-file: "unbound_server.pem"
+ control-key-file: "unbound_control.key"
+ control-cert-file: "unbound_control.pem"
diff --git a/contrib/unbound/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.conf b/contrib/unbound/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.conf
deleted file mode 100644
index d57c787b154c..000000000000
--- a/contrib/unbound/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-server:
- verbosity: 2
- # num-threads: 1
- interface: 127.0.0.1
- port: @PORT@
- use-syslog: no
- directory: ""
- pidfile: "unbound.pid"
- chroot: ""
- username: ""
- do-not-query-localhost: no
-stub-zone:
- name: "tcp.example.com"
- stub-addr: "127.0.0.1@@TOPORT@"
- stub-tcp-upstream: "yes"
-stub-zone:
- name: "udp.example.com"
- stub-addr: "127.0.0.1@@TOPORT@"
- stub-tcp-upstream: "no" \ No newline at end of file
diff --git a/contrib/unbound/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.dsc b/contrib/unbound/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.dsc
deleted file mode 100644
index 526ff67f98f9..000000000000
--- a/contrib/unbound/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.dsc
+++ /dev/null
@@ -1,16 +0,0 @@
-BaseName: stub_udp_with_tcp_upstream
-Version: 1.0
-Description: Stub server contacted via UDP with tcp upstream.
-CreationDate: Thu Aug 5 07:44:41 CEST 2021
-Maintainer: ziollek
-Category:
-Component:
-CmdDepends:
-Depends:
-Help:
-Pre: stub_udp_with_tcp_upstream.pre
-Post: stub_udp_with_tcp_upstream.post
-Test: stub_udp_with_tcp_upstream.test
-AuxFiles:
-Passed:
-Failure:
diff --git a/contrib/unbound/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.post b/contrib/unbound/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.post
deleted file mode 100644
index c804b6c46d64..000000000000
--- a/contrib/unbound/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.post
+++ /dev/null
@@ -1,10 +0,0 @@
-# #-- stub_udp_with_tcp_upstream.post --#
-# source the master var file when it's there
-[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
-# source the test var file when it's there
-[ -f .tpkg.var.test ] && source .tpkg.var.test
-#
-# do your teardown here
-. ../common.sh
-kill_pid $FWD_PID
-kill_pid $UNBOUND_PID
diff --git a/contrib/unbound/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.test b/contrib/unbound/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.test
deleted file mode 100644
index 43591ac16c0f..000000000000
--- a/contrib/unbound/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.test
+++ /dev/null
@@ -1,37 +0,0 @@
-# #-- stub_udp_with_tcp_upstream.test --#
-# source the master var file when it's there
-[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
-# use .tpkg.var.test for in test variable passing
-[ -f .tpkg.var.test ] && source .tpkg.var.test
-
-PRE="../.."
-# do the test
-echo "> dig tcp.example.com."
-dig @127.0.0.1 -p $UNBOUND_PORT tcp.example.com. | tee outfile
-echo "> cat logfiles"
-cat fwd.log
-cat unbound.log
-echo "> check answer"
-if grep "10.20.30.40" outfile; then
- echo "OK"
-else
- echo "Not OK"
- exit 1
-fi
-
-
-# check if second stub is requested via udp
-echo "> dig udp.example.com."
-dig @127.0.0.1 -p $UNBOUND_PORT udp.example.com. | tee outfile
-echo "> cat logfiles"
-cat fwd.log
-cat unbound.log
-echo "> check answer"
-if grep "10.20.30.80" outfile; then
- echo "OK"
-else
- echo "Not OK"
- exit 1
-fi
-
-exit 0
diff --git a/contrib/unbound/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.testns b/contrib/unbound/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.testns
deleted file mode 100644
index f2155414e045..000000000000
--- a/contrib/unbound/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.testns
+++ /dev/null
@@ -1,48 +0,0 @@
-; nameserver test file
-$ORIGIN example.com.
-$TTL 3600
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-MATCH TCP
-REPLY QR AA NOERROR
-ADJUST copy_id
-SECTION QUESTION
-tcp IN A
-SECTION ANSWER
-tcp IN A 10.20.30.40
-SECTION AUTHORITY
-@ IN NS ns.example.com.
-SECTION ADDITIONAL
-ns IN A 127.0.0.1
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-MATCH UDP
-REPLY QR AA NOERROR
-ADJUST copy_id
-SECTION QUESTION
-udp IN A
-SECTION ANSWER
-udp IN A 10.20.30.80
-SECTION AUTHORITY
-@ IN NS ns.example.com.
-SECTION ADDITIONAL
-ns IN A 127.0.0.1
-ENTRY_END
-
-; root prime
-ENTRY_BEGIN
-MATCH opcode qtype qname
-REPLY QR AA NOERROR
-ADJUST copy_id
-SECTION QUESTION
-. IN NS
-SECTION ANSWER
-. IN NS root.server.
-SECTION AUTHORITY
-SECTION ADDITIONAL
-root.server. IN A 127.0.0.1
-ENTRY_END
-
diff --git a/contrib/unbound/testdata/subnet_cached_ede.crpl b/contrib/unbound/testdata/subnet_cached_ede.crpl
new file mode 100644
index 000000000000..36bb28fcc180
--- /dev/null
+++ b/contrib/unbound/testdata/subnet_cached_ede.crpl
@@ -0,0 +1,114 @@
+; Ask the same question twice. Check to see second is answered
+; from cache
+
+server:
+ trust-anchor-signaling: no
+ target-fetch-policy: "0 0 0 0 0"
+ send-client-subnet: 1.2.3.4
+ max-client-subnet-ipv4: 17
+ module-config: "subnetcache validator iterator"
+ verbosity: 3
+ qname-minimisation: no
+ minimal-responses: no
+ ede: yes
+ val-log-level: 2
+ trust-anchor: "example.nl. DS 50602 8 2 FA8EE175C47325F4BD46D8A4083C3EBEB11C977D689069F2B41F1A29B22446B1"
+
+stub-zone:
+ name: "example.nl"
+ stub-addr: 1.2.3.4
+CONFIG_END
+
+SCENARIO_BEGIN Test subnetcache support for caching EDEs.
+
+; ns.example.com.
+RANGE_BEGIN 0 10
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.nl. IN DNSKEY
+SECTION ANSWER
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ; client is 127.0.0.1
+ 00 08 ; OPC
+ 00 07 ; option length
+ 00 01 ; Family
+ 11 00 ; source mask, scopemask
+ 7f 00 00 ; address
+ HEX_EDNSDATA_END
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.nl. IN A
+SECTION ANSWER
+example.nl. IN A 1.2.3.4
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ; client is 127.0.0.1
+ 00 08 ; OPC
+ 00 07 ; option length
+ 00 01 ; Family
+ 11 00 ; source mask, scopemask
+ 7f 00 00 ; address
+ HEX_EDNSDATA_END
+ENTRY_END
+RANGE_END
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; get the entry in cache.
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+example.nl. IN A
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ 00 08 00 07 ; OPC, optlen
+ 00 01 11 00 ; ip4, scope 17, source 0
+ 7f 00 00 ; 127.0.0.0/17
+ HEX_EDNSDATA_END
+ENTRY_END
+
+; get the answer for it
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=9
+REPLY QR RD RA DO SERVFAIL
+SECTION QUESTION
+example.nl. IN A
+ENTRY_END
+
+; query again for the cached entry
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+example.nl. IN A
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ 00 08 00 07 ; OPC, optlen
+ 00 01 11 00 ; ip4, scope 17, source 0
+ 7f 00 00 ; 127.0.0.0/17
+ HEX_EDNSDATA_END
+ENTRY_END
+
+; this must be a cached answer since stub is not answering in this range
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=9
+REPLY QR RD RA DO SERVFAIL
+SECTION QUESTION
+example.nl. IN A
+ENTRY_END
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/subnet_cached_servfail.crpl b/contrib/unbound/testdata/subnet_cached_servfail.crpl
new file mode 100644
index 000000000000..9c746d579124
--- /dev/null
+++ b/contrib/unbound/testdata/subnet_cached_servfail.crpl
@@ -0,0 +1,167 @@
+; Check if an expired SERVFAIL answer stored in the global cache does not block
+; ECS queries to reach the ECS cache.
+
+server:
+ trust-anchor-signaling: no
+ target-fetch-policy: "0 0 0 0 0"
+ send-client-subnet: 1.2.3.4
+ max-client-subnet-ipv4: 21
+ module-config: "subnetcache iterator"
+ verbosity: 3
+ access-control: 127.0.0.1 allow_snoop
+ qname-minimisation: no
+ minimal-responses: no
+ serve-expired: yes
+ prefetch: yes
+
+stub-zone:
+ name: "example.com."
+ stub-addr: 1.2.3.4
+CONFIG_END
+
+SCENARIO_BEGIN Test that expired SERVFAIL in global cache does not block clients to reach the ECS cache
+
+; ns.example.com.
+RANGE_BEGIN 0 10
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ; response to query of interest
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR SERVFAIL
+ SECTION QUESTION
+ www.example.com. IN A
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 11 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ; response to query of interest
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id copy_ednsdata_assume_clientsubnet
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION ANSWER
+ www.example.com. 10 IN A 10.20.30.40
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ; client is 127.0.0.1
+ 00 08 ; OPC
+ 00 05 ; option length
+ 00 01 ; Family
+ 08 00 ; source mask, scopemask
+ 7f ; address
+ HEX_EDNSDATA_END
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; This answer should be in the global cache
+STEP 2 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; Bring the cached SERVFAIL to prefetch time
+STEP 10 TIME_PASSES ELAPSE 5
+
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www.example.com. IN A
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ 00 08 00 05 ; OPC, optlen
+ 00 01 08 00 ; ip4, source 8, scope 0
+ 7f ; 127.0.0.0/8
+HEX_EDNSDATA_END
+ENTRY_END
+
+; This answer was cached but a prefetch was triggerred
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR RD RA SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; Wait for the SERVFAIL to expire
+STEP 13 TIME_PASSES ELAPSE 2
+
+; Query again to verify that the record was prefetched and stored in the ECS
+; cache (because the server replied with ECS this time)
+STEP 14 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www.example.com. IN A
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ 00 08 00 05 ; OPC, optlen
+ 00 01 08 00 ; ip4, source 8, scope 0
+ 7f ; 127.0.0.0/8
+HEX_EDNSDATA_END
+ENTRY_END
+
+; This record came from the ECS cache
+STEP 15 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA DO NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 8 IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. 3598 IN NS ns.example.com.
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ 00 08 00 05 ; OPC, optlen
+ 00 01 08 08 ; ip4, source 8, scope 0
+ 7f ; 127.0.0.0/8
+HEX_EDNSDATA_END
+ns.example.com. 3598 IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/subnet_global_prefetch.crpl b/contrib/unbound/testdata/subnet_global_prefetch.crpl
new file mode 100644
index 000000000000..2f005d43b905
--- /dev/null
+++ b/contrib/unbound/testdata/subnet_global_prefetch.crpl
@@ -0,0 +1,236 @@
+; Check if the prefetch option works properly for messages stored in the global
+; cache for non-ECS clients. The prefetch query needs to result in an ECS
+; outgoing query based on the client's IP.
+
+server:
+ trust-anchor-signaling: no
+ target-fetch-policy: "0 0 0 0 0"
+ send-client-subnet: 1.2.3.4
+ max-client-subnet-ipv4: 21
+ module-config: "subnetcache iterator"
+ verbosity: 3
+ access-control: 127.0.0.1 allow_snoop
+ qname-minimisation: no
+ minimal-responses: no
+ prefetch: yes
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test prefetch option for global cache with ECS enabled
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ . IN NS
+ SECTION ANSWER
+ . IN NS K.ROOT-SERVERS.NET.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION AUTHORITY
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN NS
+ SECTION ANSWER
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 10
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ; response to query of interest
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION ANSWER
+ www.example.com. 10 IN A 10.20.30.40
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 11 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ; response to query of interest
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id copy_ednsdata_assume_clientsubnet
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION ANSWER
+ www.example.com. 10 IN A 10.20.30.40
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ; client is 127.0.0.1
+ 00 08 ; OPC
+ 00 07 ; option length
+ 00 01 ; Family
+ 15 00 ; source mask, scopemask
+ 7f 00 00 ; address
+ HEX_EDNSDATA_END
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; This answer should be in the global cache (because no ECS from upstream)
+STEP 2 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+; Try to trigger a prefetch
+STEP 3 TIME_PASSES ELAPSE 9
+
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; This record came from the global cache and a prefetch was triggered.
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 1 IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. 3591 IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. 3591 IN A 1.2.3.4
+ENTRY_END
+
+; Allow time to pass so that the global cache record is expired.
+STEP 13 TIME_PASSES ELAPSE 2
+
+; Query again to verify that the record was prefetched and stored in the ECS
+; cache.
+STEP 15 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; This record came from the ECS cache.
+STEP 16 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 8 IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. 3598 IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. 3598 IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/subnet_global_prefetch_always_forward.crpl b/contrib/unbound/testdata/subnet_global_prefetch_always_forward.crpl
new file mode 100644
index 000000000000..ccfe5dfd6ea1
--- /dev/null
+++ b/contrib/unbound/testdata/subnet_global_prefetch_always_forward.crpl
@@ -0,0 +1,167 @@
+; Check if the prefetch option works properly when serve-expired is combined
+; with client-subnet-always-forward for non-ECS clients. The prefetch query
+; needs to result in an outgoing query without ECS.
+
+server:
+ trust-anchor-signaling: no
+ target-fetch-policy: "0 0 0 0 0"
+ serve-expired: yes
+ client-subnet-always-forward: yes
+ module-config: "subnetcache iterator"
+ verbosity: 3
+ access-control: 127.0.0.1 allow_snoop
+ qname-minimisation: no
+ minimal-responses: no
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test serve-expired and client-subnet-always-forward without ECS in the request
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ . IN NS
+ SECTION ANSWER
+ . IN NS K.ROOT-SERVERS.NET.
+ SECTION ADDITIONAL
+ K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION AUTHORITY
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN NS
+ SECTION ANSWER
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ; response to query of interest
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION ANSWER
+ www.example.com. 10 IN A 10.20.30.40
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; This answer should be in the global cache
+STEP 2 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+; Wait for the TTL to expire
+STEP 3 TIME_PASSES ELAPSE 20
+
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; This record came from the global cache and a prefetch was triggered
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 30 IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. 3580 IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. 3580 IN A 1.2.3.4
+ENTRY_END
+
+STEP 13 CHECK_OUT_QUERY
+ENTRY_BEGIN
+ MATCH all
+ REPLY NOERROR DO
+ SECTION QUESTION
+ www.example.com. IN A
+ENTRY_END
+
+STEP 14 TRAFFIC
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/subnet_global_prefetch_expired.crpl b/contrib/unbound/testdata/subnet_global_prefetch_expired.crpl
new file mode 100644
index 000000000000..de1b780553a9
--- /dev/null
+++ b/contrib/unbound/testdata/subnet_global_prefetch_expired.crpl
@@ -0,0 +1,241 @@
+; Check if the prefetch option works properly for messages stored in the global
+; cache for non-ECS clients. The prefetch query needs to result in an ECS
+; outgoing query based on the client's IP.
+; Prefetch initiated via serve-expired.
+
+server:
+ trust-anchor-signaling: no
+ target-fetch-policy: "0 0 0 0 0"
+ send-client-subnet: 1.2.3.4
+ max-client-subnet-ipv4: 21
+ module-config: "subnetcache iterator"
+ verbosity: 3
+ access-control: 127.0.0.1 allow_snoop
+ qname-minimisation: no
+ minimal-responses: no
+ serve-expired: yes
+ serve-expired-ttl: 1
+ prefetch: yes
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test prefetch option for global cache with ECS enabled (initiated via serve-expired)
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ . IN NS
+ SECTION ANSWER
+ . IN NS K.ROOT-SERVERS.NET.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION AUTHORITY
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN NS
+ SECTION ANSWER
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 10
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ; response to query of interest
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION ANSWER
+ www.example.com. 10 IN A 10.20.30.40
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 11 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ; response to query of interest
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id copy_ednsdata_assume_clientsubnet
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION ANSWER
+ www.example.com. 10 IN A 10.20.30.40
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ; client is 127.0.0.1
+ 00 08 ; OPC
+ 00 07 ; option length
+ 00 01 ; Family
+ 15 00 ; source mask, scopemask
+ 7f 00 00 ; address
+ HEX_EDNSDATA_END
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; This answer should be in the global cache (because no ECS from upstream)
+STEP 2 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+; Try to trigger a prefetch with expired data
+STEP 3 TIME_PASSES ELAPSE 11
+
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; This expired record came from the global cache and a prefetch is triggered.
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 30 IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. 3589 IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. 3589 IN A 1.2.3.4
+ENTRY_END
+
+;STEP 13 TRAFFIC
+; Allow enough time to pass so that the expired record from the global cache
+; cannot be used anymore.
+STEP 14 TIME_PASSES ELAPSE 1
+
+; Query again to verify that the record was prefetched and stored in the ECS
+; cache.
+STEP 15 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; This record came from the ECS cache.
+STEP 16 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 9 IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. 3599 IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. 3599 IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/subnet_prezero.crpl b/contrib/unbound/testdata/subnet_prezero.crpl
new file mode 100644
index 000000000000..22cdfffb03b3
--- /dev/null
+++ b/contrib/unbound/testdata/subnet_prezero.crpl
@@ -0,0 +1,155 @@
+; subnet unit test
+server:
+ trust-anchor-signaling: no
+ send-client-subnet: 1.2.3.4
+ send-client-subnet: 1.2.3.5
+ target-fetch-policy: "0 0 0 0 0"
+ module-config: "subnetcache validator iterator"
+ qname-minimisation: no
+ minimal-responses: no
+
+stub-zone:
+ name: "example.com"
+ stub-addr: 1.2.3.4
+CONFIG_END
+
+SCENARIO_BEGIN Test subnetcache source prefix zero from client.
+; In RFC7871 section-7.1.2 (para. 2).
+; It says that the recursor must send no EDNS subnet or its own address
+; in the EDNS subnet to the upstream server. And use that answer for the
+; source prefix length zero query. That type of query is for privacy.
+; The authority server is then going to use the resolver's IP, if any, to
+; tailor the answer to the query source address.
+
+; ns.example.com
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+
+; reply with 0.0.0.0/0 in reply
+; For the test the answers for 0.0.0.0/0 queries are SERVFAIL, the normal
+; answers are NOERROR.
+ENTRY_BEGIN
+MATCH opcode qtype qname ednsdata
+ADJUST copy_id
+REPLY QR AA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN CNAME star.c10r.example.com.
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ 00 08 00 04 ; OPCODE=subnet, optlen
+ 00 01 00 00 ; ip4, scope 0, source 0
+ ; 0.0.0.0/0
+HEX_EDNSDATA_END
+ENTRY_END
+
+; reply without subnet
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA DO NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN CNAME star.c10r.example.com.
+ENTRY_END
+
+; delegation answer for c10r.example.com, with subnet /0
+ENTRY_BEGIN
+MATCH opcode subdomain ednsdata
+ADJUST copy_id copy_query
+REPLY QR DO SERVFAIL
+SECTION QUESTION
+c10r.example.com. IN NS
+SECTION AUTHORITY
+c10r.example.com. IN NS ns.c10r.example.com.
+SECTION ADDITIONAL
+ns.c10r.example.com. IN A 1.2.3.5
+HEX_EDNSDATA_BEGIN
+ 00 08 00 04 ; OPCODE=subnet, optlen
+ 00 01 00 00 ; ip4, scope 0, source 0
+ ; 0.0.0.0/0
+HEX_EDNSDATA_END
+ENTRY_END
+
+; delegation answer for c10r.example.com, without subnet
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR DO NOERROR
+SECTION QUESTION
+c10r.example.com. IN NS
+SECTION AUTHORITY
+c10r.example.com. IN NS ns.c10r.example.com.
+SECTION ADDITIONAL
+ns.c10r.example.com. IN A 1.2.3.5
+ENTRY_END
+RANGE_END
+
+; ns.c10r.example.com
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.5
+
+; reply with 0.0.0.0/0 in reply
+ENTRY_BEGIN
+MATCH opcode qtype qname ednsdata
+ADJUST copy_id
+REPLY QR AA DO SERVFAIL
+SECTION QUESTION
+star.c10r.example.com. IN A
+SECTION ANSWER
+star.c10r.example.com. IN A 1.2.3.6
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ 00 08 00 04 ; OPCODE=subnet, optlen
+ 00 01 00 00 ; ip4, scope 0, source 0
+ ; 0.0.0.0/0
+HEX_EDNSDATA_END
+ENTRY_END
+
+; reply without subnet
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA DO NOERROR
+SECTION QUESTION
+star.c10r.example.com. IN A
+SECTION ANSWER
+star.c10r.example.com. IN A 1.2.3.6
+ENTRY_END
+RANGE_END
+
+; ask for www.example.com
+; server answers with CNAME to a delegation, that then
+; returns a /24 answer.
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www.example.com. IN A
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ 00 08 00 04 ; OPCODE=subnet, optlen
+ 00 01 00 00 ; ip4, scope 0, source 0
+ ; 0.0.0.0/0
+HEX_EDNSDATA_END
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA DO NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN CNAME star.c10r.example.com.
+star.c10r.example.com. IN A 1.2.3.6
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ 00 08 00 04 ; OPCODE=subnet, optlen
+ 00 01 00 00 ; ip4, scope 0, source 0
+ ; 0.0.0.0/0
+HEX_EDNSDATA_END
+ENTRY_END
+SCENARIO_END
diff --git a/contrib/unbound/testdata/subnet_scopezero_noedns.crpl b/contrib/unbound/testdata/subnet_scopezero_noedns.crpl
new file mode 100644
index 000000000000..25df0dd71cf2
--- /dev/null
+++ b/contrib/unbound/testdata/subnet_scopezero_noedns.crpl
@@ -0,0 +1,441 @@
+; scope of 0, if the query also had scope of 0, do not answer this
+; to everyone, but only for scope 0 queries. Otherwise can answer cached.
+
+server:
+ target-fetch-policy: "0 0 0 0 0"
+ send-client-subnet: 1.2.3.4
+ module-config: "subnetcache validator iterator"
+ verbosity: 4
+ qname-minimisation: no
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129
+
+stub-zone:
+ name: "example.com"
+ stub-addr: 1.2.3.4
+CONFIG_END
+
+SCENARIO_BEGIN Test subnet cache with scope zero response without EDNS.
+
+; the upstream server.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+
+ENTRY_BEGIN
+MATCH opcode qtype qname ednsdata
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+HEX_EDNSDATA_END
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+RANGE_END
+
+RANGE_BEGIN 0 11
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+;copy_ednsdata_assume_clientsubnet
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ ; client is 127.0.0.1
+ 00 08 ; OPC
+ 00 07 ; option length
+ 00 01 ; Family
+ 18 11 ; source mask, scopemask
+ 7f 00 00 ; address
+HEX_EDNSDATA_END
+ENTRY_END
+RANGE_END
+
+RANGE_BEGIN 20 31
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+;copy_ednsdata_assume_clientsubnet
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.41
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ ; client is 127.0.0.1
+ 00 08 ; OPC
+ 00 07 ; option length
+ 00 01 ; Family
+ 18 11 ; source mask, scopemask
+ 7f 01 00 ; address
+HEX_EDNSDATA_END
+ENTRY_END
+RANGE_END
+
+RANGE_BEGIN 40 51
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+;copy_ednsdata_assume_clientsubnet
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.42
+SECTION AUTHORITY
+SECTION ADDITIONAL
+;no EDNS in this answer. Tests if the back_parsed callback
+;is called to process the lack of edns contents.
+;HEX_EDNSDATA_BEGIN
+ ;00 08 ; OPC
+ ;00 04 ; option length
+ ;00 01 ; Family
+ ;00 00 ; source mask, scopemask
+ ; ; address 0.0.0.0/0 scope 0
+;HEX_EDNSDATA_END
+ENTRY_END
+RANGE_END
+
+RANGE_BEGIN 120 131
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+;copy_ednsdata_assume_clientsubnet
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.43
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ 00 08 ; OPC
+ 00 07 ; option length
+ 00 01 ; Family
+ 18 00 ; source mask, scopemask
+ 7f 02 00 ; address 127.2.0.0/24 scope 0
+HEX_EDNSDATA_END
+ENTRY_END
+RANGE_END
+
+; query for 127.0.0.0/24
+STEP 1 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+ 00 00 01 00 00 01 00 00 ;ID 0
+ 00 00 00 01 03 77 77 77 ; www.example.com A? (DO)
+ 07 65 78 61 6d 70 6c 65
+ 03 63 6f 6d 00 00 01 00
+ 01 00 00 29 10 00 00 00
+ 80 00 00 0b
+
+ 00 08 00 07 ; OPC, optlen
+ 00 01 18 00 ; ip4, scope 24, source 0
+ 7f 00 00 ;127.0.0.0/24
+HEX_ANSWER_END
+ENTRY_END
+
+; answer is 10.20.30.40 for 127.0.0.0/24 scope 17
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ ; client is 127.0.0.1
+ 00 08 ; OPC
+ 00 07 ; option length
+ 00 01 ; Family
+ 18 11 ; source mask, scopemask
+ 7f 00 00 ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+; query for 127.1.0.0/24
+STEP 20 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+ 00 00 01 00 00 01 00 00 ;ID 0
+ 00 00 00 01 03 77 77 77 ; www.example.com A? (DO)
+ 07 65 78 61 6d 70 6c 65
+ 03 63 6f 6d 00 00 01 00
+ 01 00 00 29 10 00 00 00
+ 80 00 00 0b
+
+ 00 08 00 07 ; OPC, optlen
+ 00 01 18 00 ; ip4, scope 24, source 0
+ 7f 01 00 ;127.1.0.0/24
+HEX_ANSWER_END
+ENTRY_END
+
+; answer is 10.20.30.41 for 127.1.0.0/24 scope 17
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.41
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ ; client is 127.1.0.1
+ 00 08 ; OPC
+ 00 07 ; option length
+ 00 01 ; Family
+ 18 11 ; source mask, scopemask
+ 7f 01 00 ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+; query for 0.0.0.0/0
+STEP 40 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+ 00 00 01 00 00 01 00 00 ;ID 0
+ 00 00 00 01 03 77 77 77 ; www.example.com A? (DO)
+ 07 65 78 61 6d 70 6c 65
+ 03 63 6f 6d 00 00 01 00
+ 01 00 00 29 10 00 00 00
+ 80 00 00 08
+
+ 00 08 00 04 ; OPC, optlen
+ 00 01 00 00 ; ip4, scope 0, source 0
+ ;0.0.0.0/0
+HEX_ANSWER_END
+ENTRY_END
+
+; answer is 10.20.30.42 for 0.0.0.0/0 scope 0
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.42
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ 00 08 ; OPC
+ 00 04 ; option length
+ 00 01 ; Family
+ 00 00 ; source mask, scopemask
+ ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+; query for 127.0.0.0/24, again, it should be in cache.
+; and not from the scope 0 answer.
+STEP 60 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+ 00 00 01 00 00 01 00 00 ;ID 0
+ 00 00 00 01 03 77 77 77 ; www.example.com A? (DO)
+ 07 65 78 61 6d 70 6c 65
+ 03 63 6f 6d 00 00 01 00
+ 01 00 00 29 10 00 00 00
+ 80 00 00 0b
+
+ 00 08 00 07 ; OPC, optlen
+ 00 01 18 00 ; ip4, scope 24, source 0
+ 7f 00 00 ;127.0.0.0/24
+HEX_ANSWER_END
+ENTRY_END
+
+; answer should be 10.20.30.40 for 127.0.0.0/24 scope 17
+STEP 70 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ ; client is 127.0.0.1
+ 00 08 ; OPC
+ 00 07 ; option length
+ 00 01 ; Family
+ 18 11 ; source mask, scopemask
+ 7f 00 00 ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+; query for 127.1.0.0/24, again, it should be in cache.
+STEP 80 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+ 00 00 01 00 00 01 00 00 ;ID 0
+ 00 00 00 01 03 77 77 77 ; www.example.com A? (DO)
+ 07 65 78 61 6d 70 6c 65
+ 03 63 6f 6d 00 00 01 00
+ 01 00 00 29 10 00 00 00
+ 80 00 00 0b
+
+ 00 08 00 07 ; OPC, optlen
+ 00 01 18 00 ; ip4, scope 24, source 0
+ 7f 01 00 ;127.1.0.0/24
+HEX_ANSWER_END
+ENTRY_END
+
+; answer should be 10.20.30.41 for 127.1.0.0/24 scope 17
+STEP 90 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.41
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ ; client is 127.1.0.1
+ 00 08 ; OPC
+ 00 07 ; option length
+ 00 01 ; Family
+ 18 11 ; source mask, scopemask
+ 7f 01 00 ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+; query for 0.0.0.0/0, again.
+STEP 100 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+ 00 00 01 00 00 01 00 00 ;ID 0
+ 00 00 00 01 03 77 77 77 ; www.example.com A? (DO)
+ 07 65 78 61 6d 70 6c 65
+ 03 63 6f 6d 00 00 01 00
+ 01 00 00 29 10 00 00 00
+ 80 00 00 08
+
+ 00 08 00 04 ; OPC, optlen
+ 00 01 00 00 ; ip4, scope 0, source 0
+ ;0.0.0.0/0
+HEX_ANSWER_END
+ENTRY_END
+
+; answer should be 10.20.30.42 for 0.0.0.0/0 scope 0
+STEP 110 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.42
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ 00 08 ; OPC
+ 00 04 ; option length
+ 00 01 ; Family
+ 00 00 ; source mask, scopemask
+ ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+; now a query for a /24 that gets an answer for a /0.
+STEP 120 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+ 00 00 01 00 00 01 00 00 ;ID 0
+ 00 00 00 01 03 77 77 77 ; www.example.com A? (DO)
+ 07 65 78 61 6d 70 6c 65
+ 03 63 6f 6d 00 00 01 00
+ 01 00 00 29 10 00 00 00
+ 80 00 00 0b
+
+ 00 08 00 07 ; OPC, optlen
+ 00 01 18 00 ; ip4, scope 24, source 0
+ 7f 02 00 ;127.2.0.0/24
+HEX_ANSWER_END
+ENTRY_END
+
+; answer should be 10.20.30.43 for 127.2.0.0/24 scope 0
+STEP 130 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.43
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ ; client is 127.2.0.1
+ 00 08 ; OPC
+ 00 07 ; option length
+ 00 01 ; Family
+ 18 00 ; source mask, scopemask
+ 7f 02 00 ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+; the scope 0 answer is now used to answer queries from
+; query for 127.0.0.0/24
+STEP 140 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+ 00 00 01 00 00 01 00 00 ;ID 0
+ 00 00 00 01 03 77 77 77 ; www.example.com A? (DO)
+ 07 65 78 61 6d 70 6c 65
+ 03 63 6f 6d 00 00 01 00
+ 01 00 00 29 10 00 00 00
+ 80 00 00 0b
+
+ 00 08 00 07 ; OPC, optlen
+ 00 01 18 00 ; ip4, scope 24, source 0
+ 7f 00 00 ;127.0.0.0/24
+HEX_ANSWER_END
+ENTRY_END
+
+STEP 150 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.43
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ ; client is 127.0.0.1
+ 00 08 ; OPC
+ 00 07 ; option length
+ 00 01 ; Family
+ 18 00 ; source mask, scopemask
+ 7f 00 00 ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/svcb.tdir/crypto.cloudflare.com.zone b/contrib/unbound/testdata/svcb.tdir/crypto.cloudflare.com.zone
deleted file mode 100644
index 53c89c735ba1..000000000000
--- a/contrib/unbound/testdata/svcb.tdir/crypto.cloudflare.com.zone
+++ /dev/null
@@ -1,9 +0,0 @@
-crypto.cloudflare.com. 3600 IN SOA jobs.ns.cloudflare.com. dns.cloudflare.com. (
- 2037099480 ; serial
- 10000 ; refresh (2 hours 46 minutes 40 seconds)
- 2400 ; retry (40 minutes)
- 604800 ; expire (1 week)
- 3600 ; minimum (1 hour)
- )
-crypto.cloudflare.com. 300 IN HTTPS 1 . alpn=h2 ipv4hint=162.159.135.79,162.159.136.79 echconfig=AEj+CgBETwAgACDeVpr34JzYHDGNFoGWhksj5mpBxradonbqH3X9+h7jHgAEAAEAAQAAABNjbG91ZGZsYXJlLWVzbmkuY29tAAA= ipv6hint=2606:4700:7::a29f:874f,2606:4700:7::a29f:884f
-
diff --git a/contrib/unbound/testdata/svcb.tdir/svcb.dsc b/contrib/unbound/testdata/svcb.tdir/svcb.dsc
deleted file mode 100644
index 6eae7638e9b0..000000000000
--- a/contrib/unbound/testdata/svcb.tdir/svcb.dsc
+++ /dev/null
@@ -1,16 +0,0 @@
-BaseName: svcb
-Version: 1.0
-Description: Test SVCB and HTTPS parsing
-CreationDate: Fri May 25 12:51:22 UTC 2021
-Maintainer: Tom Carpay
-Category:
-Component:
-CmdDepends:
-Depends:
-Help:
-Pre:
-Post:
-Test: svcb.test
-AuxFiles:
-Passed:
-Failure:
diff --git a/contrib/unbound/testdata/svcb.tdir/svcb.failure-cases-01 b/contrib/unbound/testdata/svcb.tdir/svcb.failure-cases-01
deleted file mode 100644
index c60151692ee8..000000000000
--- a/contrib/unbound/testdata/svcb.tdir/svcb.failure-cases-01
+++ /dev/null
@@ -1,9 +0,0 @@
-$ORIGIN failure-cases.
-$TTL 3600
-
-@ SOA primary admin 0 0 0 0 0
-
-; Here there are multiple instances of the same SvcParamKey in the mandatory list
-
-f21 HTTPS 1 foo.example.com. ech="123"
-f21 HTTPS 1 foo.example.com. echconfig="123"
diff --git a/contrib/unbound/testdata/svcb.tdir/svcb.failure-cases-02 b/contrib/unbound/testdata/svcb.tdir/svcb.failure-cases-02
deleted file mode 100644
index 9d6f0186d535..000000000000
--- a/contrib/unbound/testdata/svcb.tdir/svcb.failure-cases-02
+++ /dev/null
@@ -1,8 +0,0 @@
-$ORIGIN failure-cases.
-$TTL 3600
-
-@ SOA primary admin 0 0 0 0 0
-
-; Port must be a positive number < 65536
-
-f22 HTTPS 1 foo.example.com. port=65536
diff --git a/contrib/unbound/testdata/svcb.tdir/svcb.failure-cases-03 b/contrib/unbound/testdata/svcb.tdir/svcb.failure-cases-03
deleted file mode 100644
index bb819daae316..000000000000
--- a/contrib/unbound/testdata/svcb.tdir/svcb.failure-cases-03
+++ /dev/null
@@ -1,8 +0,0 @@
-$ORIGIN failure-cases.
-$TTL 3600
-
-@ SOA primary admin 0 0 0 0 0
-
-; 65 SvcParams is too many SvcParams; the limit is 64
-
-f23 HTTPS 1 foo.example.com. ( key11=a key12=a key13=a key14=a key15=a key16=a key17=a key18=a key19=a key110=a key111=a key112=a key113=a key114=a key115=a key116=a key117=a key118=a key119=a key120=a key121=a key122=a key123=a key124=a key125=a key126=a key127=a key128=a key129=a key130=a key131=a key132=a key133=a key134=a key135=a key136=a key137=a key138=a key139=a key140=a key141=a key142=a key143=a key144=a key145=a key146=a key147=a key148=a key149=a key150=a key151=a key152=a key153=a key154=a key155=a key156=a key157=a key158=a key159=a key160=a key161=a key162=a key163=a key164=a key165=a ) \ No newline at end of file
diff --git a/contrib/unbound/testdata/svcb.tdir/svcb.failure-cases-04 b/contrib/unbound/testdata/svcb.tdir/svcb.failure-cases-04
deleted file mode 100644
index ae02ac417b1b..000000000000
--- a/contrib/unbound/testdata/svcb.tdir/svcb.failure-cases-04
+++ /dev/null
@@ -1,8 +0,0 @@
-$ORIGIN failure-cases.
-$TTL 3600
-
-@ SOA primary admin 0 0 0 0 0
-
-; 256 is too many characters for an alpn; maximum is 255
-
-f23 HTTPS 1 foo.example.com. ( alpn="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ) \ No newline at end of file
diff --git a/contrib/unbound/testdata/svcb.tdir/svcb.success-cases.zone b/contrib/unbound/testdata/svcb.tdir/svcb.success-cases.zone
deleted file mode 100644
index 5d6339542f67..000000000000
--- a/contrib/unbound/testdata/svcb.tdir/svcb.success-cases.zone
+++ /dev/null
@@ -1,47 +0,0 @@
-$ORIGIN success-cases.
-$TTL 3600
-
-@ SOA primary admin 0 0 0 0 0
-
-
-; A particular key does not need to have a value
-
-s01 SVCB 0 . key123
-
-
-; echconfig does not need to have a value
-
-s02 SVCB 0 . echconfig
-
-
-; When "no-default-alpn" is specified in an RR, "alpn" must also be specified
-; in order for the RR to be "self-consistent"
-
-s03 HTTPS 0 . alpn="h2,h3" no-default-alpn
-
-
-; SHOULD is not MUST (so allowed)
-; Zone-file implementations SHOULD enforce self-consistency
-
-s04 HTTPS 0 . no-default-alpn
-
-
-; SHOULD is not MUST (so allowed)
-; (port and no-default-alpn are automatically mandatory keys with HTTPS)
-; Other automatically mandatory keys SHOULD NOT appear in the list either.
-
-s05 HTTPS 0 . alpn="dot" no-default-alpn port=853 mandatory=port
-
-; Any valid base64 is okay for ech
-s06 HTTPS 0 . ech="aGVsbG93b3JsZCE="
-
-; echconfig is an alias for ech
-s07 HTTPS 0 . echconfig="aGVsbG93b3JsZCE="
-
-; maximum size allowed in a svcb rdata set (63 SvcParams)
-
-s08 HTTPS 0 . ( key11=a key12=a key13=a key14=a key15=a key16=a key17=a key18=a key19=a key110=a key111=a key112=a key113=a key114=a key115=a key116=a key117=a key118=a key119=a key120=a key121=a key122=a key123=a key124=a key125=a key126=a key127=a key128=a key129=a key130=a key131=a key132=a key133=a key134=a key135=a key136=a key137=a key138=a key139=a key140=a key141=a key142=a key143=a key144=a key145=a key146=a key147=a key148=a key149=a key150=a key151=a key152=a key153=a key154=a key155=a key156=a key157=a key158=a key159=a key160=a key161=a key162=a key163=a)
-
-; maximum alpn size allowed (255 characters)
-
-s09 HTTPS 0 . ( alpn="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" )
diff --git a/contrib/unbound/testdata/svcb.tdir/svcb.success-cases.zone.cmp b/contrib/unbound/testdata/svcb.tdir/svcb.success-cases.zone.cmp
deleted file mode 100644
index e504e7b18ad5..000000000000
--- a/contrib/unbound/testdata/svcb.tdir/svcb.success-cases.zone.cmp
+++ /dev/null
@@ -1,10 +0,0 @@
-success-cases. 3600 IN SOA primary.success-cases. admin.success-cases. 0 0 0 0 0
-s01.success-cases. 3600 IN SVCB 0 . key123
-s02.success-cases. 3600 IN SVCB 0 . ech
-s03.success-cases. 3600 IN HTTPS 0 . alpn="h2,h3" no-default-alpn
-s04.success-cases. 3600 IN HTTPS 0 . no-default-alpn
-s05.success-cases. 3600 IN HTTPS 0 . mandatory=port alpn="dot" no-default-alpn port=853
-s06.success-cases. 3600 IN HTTPS 0 . ech="aGVsbG93b3JsZCE="
-s07.success-cases. 3600 IN HTTPS 0 . ech="aGVsbG93b3JsZCE="
-s08.success-cases. 3600 IN HTTPS 0 . key11="a" key12="a" key13="a" key14="a" key15="a" key16="a" key17="a" key18="a" key19="a" key110="a" key111="a" key112="a" key113="a" key114="a" key115="a" key116="a" key117="a" key118="a" key119="a" key120="a" key121="a" key122="a" key123="a" key124="a" key125="a" key126="a" key127="a" key128="a" key129="a" key130="a" key131="a" key132="a" key133="a" key134="a" key135="a" key136="a" key137="a" key138="a" key139="a" key140="a" key141="a" key142="a" key143="a" key144="a" key145="a" key146="a" key147="a" key148="a" key149="a" key150="a" key151="a" key152="a" key153="a" key154="a" key155="a" key156="a" key157="a" key158="a" key159="a" key160="a" key161="a" key162="a" key163="a"
-s09.success-cases. 3600 IN HTTPS 0 . alpn="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
diff --git a/contrib/unbound/testdata/svcb.tdir/svcb.test b/contrib/unbound/testdata/svcb.tdir/svcb.test
deleted file mode 100644
index 17330e08fde6..000000000000
--- a/contrib/unbound/testdata/svcb.tdir/svcb.test
+++ /dev/null
@@ -1,97 +0,0 @@
-# #-- svcb.test --#
-# source the master var file when it's there
-[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
-# use .tpkg.var.test for in test variable passing
-[ -f .tpkg.var.test ] && source .tpkg.var.test
-
-
-# check and write the test vectors in their respective formats
-PRE=../..
-if ! $PRE/readzone svcb.test-vectors-pf.zone > svcb.test-vectors-pf.zone.out
-then
- echo "Could not parse presentation format zone"
- exit 1
-
-elif ! $PRE/readzone svcb.test-vectors-pf.zone.out > svcb.test-vectors-pf.zone.out.out
-then
- echo "Could not parse output from presentation format zone"
- exit 1
-
-elif ! $PRE/readzone svcb.test-vectors-wf.zone > svcb.test-vectors-wf.zone.out
-then
- echo "Could not parse RFC3597 formatted zone"
- exit 1
-
-elif ! $PRE/readzone svcb.test-vectors-wf.zone.out > svcb.test-vectors-wf.zone.out.out
-then
- echo "Could not parse output from RFC3597 formatted zone"
- exit 1
-else
- echo "All test zones parsed successfully"
-fi
-
-
-# check the formatting of the written files
-if ! diff svcb.test-vectors-pf.zone.out svcb.test-vectors-pf.zone.out.out
-then
- echo "Parsing inconsistency 1"
- exit 1
-
-elif ! diff svcb.test-vectors-pf.zone.out svcb.test-vectors-wf.zone.out
-then
- echo "Parsing inconsistency 2"
- exit 1
-
-elif ! diff svcb.test-vectors-pf.zone.out svcb.test-vectors-wf.zone.out.out
-then
- echo "Parsing inconsistency 3"
- exit 1
-else
- echo "Parsing of SVCB and HTTPS was consistent"
-fi
-
-
-# check all the failure cases
-if $PRE/readzone svcb.failure-cases-01
-then
- echo "Failure case 01: ech value is not base64 encoded"
- echo "Incorrectly succeeded"
- exit 1
-
-elif $PRE/readzone svcb.failure-cases-02
-then
- echo "Failure case 02: port value needs to be a positive integer < 65536"
- echo "Incorrectly succeeded"
- exit 1
-
-elif $PRE/readzone svcb.failure-cases-03
-then
- echo "Failure case 02: 65 SvcParams is too many SvcParams; the limit is 64"
- echo "Incorrectly succeeded"
- exit 1
-
-elif $PRE/readzone svcb.failure-cases-04
-then
- echo "Failure case 04: 256 is too many characters for an alpn; maximum is 255"
- echo "Incorrectly succeeded"
- exit 1
-else
- echo "All failure cases test successfully"
-fi
-
-
-# check all the success and write them
-if ! $PRE/readzone svcb.success-cases.zone > svcb.success-cases.zone.out
-then
- echo "Some particular success cases did not succeed to parse"
- exit 1
-
-elif ! diff svcb.success-cases.zone.out svcb.success-cases.zone.cmp
-then
- echo "Some success cases could not be printed"
- exit 1
-else
- echo "All particular success cases parsed and printed successfully"
-fi
-
-
diff --git a/contrib/unbound/testdata/svcb.tdir/svcb.test-vectors-pf.zone b/contrib/unbound/testdata/svcb.tdir/svcb.test-vectors-pf.zone
deleted file mode 100644
index d2cb5087bf9a..000000000000
--- a/contrib/unbound/testdata/svcb.tdir/svcb.test-vectors-pf.zone
+++ /dev/null
@@ -1,92 +0,0 @@
-$ORIGIN test-vectors.
-$TTL 3600
-
-@ SOA primary admin 1 3600 1800 7200 3600
-
- NS primary
-primary A 127.0.0.1
-; D.1. AliasForm
-
-v01 SVCB 0 foo.example.com.
-
-; D.2. ServiceForm
-; The first form is the simple "use the ownername".
-
-v02 SVCB 1 .
-
-; This vector only has a port.
-
-v03 SVCB 16 foo.example.com. port=53
-
-; This example has a key that is not registered, its value is unquoted.
-
-v04 SVCB 1 foo.example.com. key667=hello
-
-; This example has a key that is not registered, its value is quoted and
-; contains a decimal-escaped character.
-
-v05 SVCB 1 foo.example.com. key667="hello\210qoo"
-
-; Here, two IPv6 hints are quoted in the presentation format.
-
-v06 SVCB 1 foo.example.com. ipv6hint="2001:db8::1,2001:db8::53:1"
-
-; This example shows a single IPv6 hint in IPv4 mapped IPv6 presentation format.
-
-v07 SVCB 1 example.com. ipv6hint="2001:db8:ffff:ffff:ffff:ffff:198.51.100.100"
-
-; In the next vector, neither the SvcParamValues nor the mandatory keys are
-; sorted in presentation format, but are correctly sorted in the wire-format.
-
-v08 SVCB 16 foo.example.org. (alpn=h2,h3-19 mandatory=ipv4hint,alpn
- ipv4hint=192.0.2.1)
-
-; This last (two) vectors has an alpn value with an escaped comma and an
-; escaped backslash in two presentation formats.
-
-v09 SVCB 16 foo.example.org. alpn="f\\\\oo\\,bar,h2"
-v10 SVCB 16 foo.example.org. alpn=f\\\092oo\092,bar,h2
-
-
-; D.1. AliasForm
-
-v11 HTTPS 0 foo.example.com.
-
-; D.2. ServiceForm
-; The first form is the simple "use the ownername".
-
-v12 HTTPS 1 .
-
-; This vector only has a port.
-
-v13 HTTPS 16 foo.example.com. port=53
-
-; This example has a key that is not registered, its value is unquoted.
-
-v14 HTTPS 1 foo.example.com. key667=hello
-
-; This example has a key that is not registered, its value is quoted and
-; contains a decimal-escaped character.
-
-v15 HTTPS 1 foo.example.com. key667="hello\210qoo"
-
-; Here, two IPv6 hints are quoted in the presentation format.
-
-v16 HTTPS 1 foo.example.com. ipv6hint="2001:db8::1,2001:db8::53:1"
-
-; This example shows a single IPv6 hint in IPv4 mapped IPv6 presentation format.
-
-v17 HTTPS 1 example.com. ipv6hint="2001:db8:ffff:ffff:ffff:ffff:198.51.100.100"
-
-; In the next vector, neither the SvcParamValues nor the mandatory keys are
-; sorted in presentation format, but are correctly sorted in the wire-format.
-
-v18 HTTPS 16 foo.example.org. (alpn=h2,h3-19 mandatory=ipv4hint,alpn
- ipv4hint=192.0.2.1)
-
-; This last (two) vectors has an alpn value with an escaped comma and an
-; escaped backslash in two presentation formats.
-
-v19 HTTPS 16 foo.example.org. alpn="f\\\\oo\\,bar,h2"
-v20 HTTPS 16 foo.example.org. alpn=f\\\092oo\092,bar,h2
-
diff --git a/contrib/unbound/testdata/svcb.tdir/svcb.test-vectors-wf.zone b/contrib/unbound/testdata/svcb.tdir/svcb.test-vectors-wf.zone
deleted file mode 100644
index bf47ab75c594..000000000000
--- a/contrib/unbound/testdata/svcb.tdir/svcb.test-vectors-wf.zone
+++ /dev/null
@@ -1,232 +0,0 @@
-$ORIGIN test-vectors.
-$TTL 3600
-
-@ SOA primary admin 1 3600 1800 7200 3600
-
- NS primary
-primary A 127.0.0.1
-
-; D.1. AliasForm
-
-v01 SVCB \# 19 (
-00 00 ; priority
-03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target
-)
-
-; D.2. ServiceForm
-; The first form is the simple "use the ownername".
-
-v02 SVCB \# 3 (
-00 01 ; priority
-00 ; target (root label)
-)
-
-; This vector only has a port.
-
-v03 SVCB \# 25 (
-00 10 ; priority
-03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target
-00 03 ; key 3
-00 02 ; length 2
-00 35 ; value
-)
-
-; This example has a key that is not registered, its value is unquoted.
-
-v04 SVCB \# 28 (
-00 01 ; priority
-03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target
-02 9b ; key 667
-00 05 ; length 5
-68 65 6c 6c 6f ; value
-)
-
-; This example has a key that is not registered, its value is quoted and
-; contains a decimal-escaped character.
-
-v05 SVCB \# 32 (
-00 01 ; priority
-03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target
-02 9b ; key 667
-00 09 ; length 9
-68 65 6c 6c 6f d2 71 6f 6f ; value
-)
-
-; Here, two IPv6 hints are quoted in the presentation format.
-
-v06 SVCB \# 55 (
-00 01 ; priority
-03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target
-00 06 ; key 6
-00 20 ; length 32
-20 01 0d b8 00 00 00 00 00 00 00 00 00 00 00 01 ; first address
-20 01 0d b8 00 00 00 00 00 00 00 00 00 53 00 01 ; second address
-)
-
-; This example shows a single IPv6 hint in IPv4 mapped IPv6 presentation format.
-
-v07 SVCB \# 35 (
-00 01 ; priority
-07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target
-00 06 ; key 6
-00 10 ; length 16
-20 01 0d b8 ff ff ff ff ff ff ff ff c6 33 64 64 ; address
-)
-
-; In the next vector, neither the SvcParamValues nor the mandatory keys are
-; sorted in presentation format, but are correctly sorted in the wire-format.
-
-v08 SVCB \# 48 (
-00 10 ; priority
-03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 6f 72 67 00 ; target
-00 00 ; key 0
-00 04 ; param length 4
-00 01 ; value: key 1
-00 04 ; value: key 4
-00 01 ; key 1
-00 09 ; param length 9
-02 ; alpn length 2
-68 32 ; alpn value
-05 ; alpn length 5
-68 33 2d 31 39 ; alpn value
-00 04 ; key 4
-00 04 ; param length 4
-c0 00 02 01 ; param value
-)
-
-; This last (two) vectors has an alpn value with an escaped comma and an
-; escaped backslash in two presentation formats.
-
-v09 SVCB \# 35 (
-00 10 ; priority
-03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 6f 72 67 00 ; target
-00 01 ; key 1
-00 0c ; param length 12
-08 ; alpn length 8
-66 5c 6f 6f 2c 62 61 72 ; alpn value
-02 ; alpn length 2
-68 32 ; alpn value
-)
-v10 SVCB \# 35 (
-00 10 ; priority
-03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 6f 72 67 00 ; target
-00 01 ; key 1
-00 0c ; param length 12
-08 ; alpn length 8
-66 5c 6f 6f 2c 62 61 72 ; alpn value
-02 ; alpn length 2
-68 32 ; alpn value
-)
-
-; D.1. AliasForm
-
-v11 HTTPS \# 19 (
-00 00 ; priority
-03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target
-)
-
-; D.2. ServiceForm
-; The first form is the simple "use the ownername".
-
-v12 HTTPS \# 3 (
-00 01 ; priority
-00 ; target (root label)
-)
-
-; This vector only has a port.
-
-v13 HTTPS \# 25 (
-00 10 ; priority
-03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target
-00 03 ; key 3
-00 02 ; length 2
-00 35 ; value
-)
-
-; This example has a key that is not registered, its value is unquoted.
-
-v14 HTTPS \# 28 (
-00 01 ; priority
-03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target
-02 9b ; key 667
-00 05 ; length 5
-68 65 6c 6c 6f ; value
-)
-
-; This example has a key that is not registered, its value is quoted and
-; contains a decimal-escaped character.
-
-v15 HTTPS \# 32 (
-00 01 ; priority
-03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target
-02 9b ; key 667
-00 09 ; length 9
-68 65 6c 6c 6f d2 71 6f 6f ; value
-)
-
-; Here, two IPv6 hints are quoted in the presentation format.
-
-v16 HTTPS \# 55 (
-00 01 ; priority
-03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target
-00 06 ; key 6
-00 20 ; length 32
-20 01 0d b8 00 00 00 00 00 00 00 00 00 00 00 01 ; first address
-20 01 0d b8 00 00 00 00 00 00 00 00 00 53 00 01 ; second address
-)
-
-; This example shows a single IPv6 hint in IPv4 mapped IPv6 presentation format.
-
-v17 HTTPS \# 35 (
-00 01 ; priority
-07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target
-00 06 ; key 6
-00 10 ; length 16
-20 01 0d b8 ff ff ff ff ff ff ff ff c6 33 64 64 ; address
-)
-
-; In the next vector, neither the SvcParamValues nor the mandatory keys are
-; sorted in presentation format, but are correctly sorted in the wire-format.
-
-v18 HTTPS \# 48 (
-00 10 ; priority
-03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 6f 72 67 00 ; target
-00 00 ; key 0
-00 04 ; param length 4
-00 01 ; value: key 1
-00 04 ; value: key 4
-00 01 ; key 1
-00 09 ; param length 9
-02 ; alpn length 2
-68 32 ; alpn value
-05 ; alpn length 5
-68 33 2d 31 39 ; alpn value
-00 04 ; key 4
-00 04 ; param length 4
-c0 00 02 01 ; param value
-)
-
-; This last (two) vectors has an alpn value with an escaped comma and an
-; escaped backslash in two presentation formats.
-
-v19 HTTPS \# 35 (
-00 10 ; priority
-03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 6f 72 67 00 ; target
-00 01 ; key 1
-00 0c ; param length 12
-08 ; alpn length 8
-66 5c 6f 6f 2c 62 61 72 ; alpn value
-02 ; alpn length 2
-68 32 ; alpn value
-)
-v20 HTTPS \# 35 (
-00 10 ; priority
-03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 6f 72 67 00 ; target
-00 01 ; key 1
-00 0c ; param length 12
-08 ; alpn length 8
-66 5c 6f 6f 2c 62 61 72 ; alpn value
-02 ; alpn length 2
-68 32 ; alpn value
-)
-
diff --git a/contrib/unbound/testdata/val_any_negcache.rpl b/contrib/unbound/testdata/val_any_negcache.rpl
new file mode 100644
index 000000000000..8800a2140219
--- /dev/null
+++ b/contrib/unbound/testdata/val_any_negcache.rpl
@@ -0,0 +1,243 @@
+; config options
+; The island of trust is at example.com
+server:
+ trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
+ val-override-date: "20070916134226"
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: "no"
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ rrset-roundrobin: no
+ aggressive-nsec: yes
+ harden-unknown-additional: yes
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test validator with response to qtype ANY and negative cache.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+; response with NODATA
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN LOC
+SECTION AUTHORITY
+example.com. 86400 IN SOA open.example.com. hostmaster.example.com. 2007090400 28800 7200 604800 18000
+example.com. 86400 IN RRSIG SOA 3 2 86400 20070926134150 20070829134150 2854 example.com. MC0CFQCSs8KJepwaIp5vu++/0hk04lkXvgIUdphJSAE/MYob30WcRei9/nL49tE= ;{id = 2854}
+example.com. 18000 IN NSEC _sip._udp.example.com. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY
+example.com. 18000 IN RRSIG NSEC 3 2 18000 20070926134150 20070829134150 2854 example.com. MCwCFBzOGtpgq4uJ2jeuLPYl2HowIRzDAhQVXNz1haQ1mI7z9lt5gcvWW+lFhA== ;{id = 2854}
+ENTRY_END
+
+; response to query of interest
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN ANY
+SECTION ANSWER
+example.com. 86400 IN SOA open.example.com. hostmaster.example.com. 2007090400 28800 7200 604800 18000
+example.com. 86400 IN RRSIG SOA 3 2 86400 20070926134150 20070829134150 2854 example.com. MC0CFQCSs8KJepwaIp5vu++/0hk04lkXvgIUdphJSAE/MYob30WcRei9/nL49tE= ;{id = 2854}
+example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJIIs70j+sDS/UT2QRp61SE7S3EEXopNXoFE73JLRmvpi/UrOO/Vz4Se6wXv/CYCKjGw06U4WRgRYXcpEhJROyNapmdIKSxhOzfLVE1gqA0PweZR8dtY3aNQSRn3sPpwJr6Mi/PqQKAMMrZ9ckJpf1+bQMOOvxgzz2U1GS18b3yZKcgTMEaJzd/GZYzi/BN2DzQ0MsrSwYXfsNLFOBbs8PJMW4LYIxeeOe6rUgkWOF7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFHq7BNVAeLW+Uw/rkjVS08lrMDk/AhR+bvChHfiE4jLb6uoyE54/irCuqA== ;{id = 2854}
+example.com. 600 IN NAPTR 20 0 "s" "SIP+D2U" "" _sip._udp.example.com.
+example.com. 600 IN RRSIG NAPTR 3 2 600 20070926134150 20070829134150 2854 example.com. MC0CFE8qs66bzuOyKmTIacamrmqabMRzAhUAn0MujX1LB0UpTHuLMgdgMgJJlq4= ;{id = 2854}
+example.com. 86400 IN AAAA 2001:7b8:206:1::1
+example.com. 86400 IN RRSIG AAAA 3 2 86400 20070926134150 20070829134150 2854 example.com. MC0CFEqS4WHyqhUkv7t42TsBZJk/Q9paAhUAtTZ8GaXGpot0PmsM0oGzQU+2iw4= ;{id = 2854}
+example.com. 86400 IN TXT "Stichting NLnet Labs"
+example.com. 86400 IN RRSIG TXT 3 2 86400 20070926134150 20070829134150 2854 example.com. MCwCFH3otn2u8zXczBS8L0VKpyAYZGSkAhQLGaQclkzMAzlB5j73opFjdkh8TA== ;{id = 2854}
+example.com. 86400 IN MX 100 v.net.example.
+example.com. 86400 IN MX 50 open.example.com.
+example.com. 86400 IN RRSIG MX 3 2 86400 20070926134150 20070829134150 2854 example.com. MCwCFEKh3jeqh69zcOqWWv3GNKlMECPyAhR9HJkcPLqlyVWUccWDFJfGGcQfdg== ;{id = 2854}
+example.com. 86400 IN NS v.net.example.
+example.com. 86400 IN NS open.example.com.
+example.com. 86400 IN NS ns7.domain-registry.example.
+example.com. 86400 IN RRSIG NS 3 2 86400 20070926134150 20070829134150 2854 example.com. MC0CFQCaRn30X4neKW7KYoTa2kcsoOLgfgIURvKEyDczLypWlx99KpxzMxRYhEc= ;{id = 2854}
+example.com. 86400 IN A 213.154.224.1
+example.com. 86400 IN RRSIG A 3 2 86400 20070926134150 20070829134150 2854 example.com. MCwCFH8kSLxmRTwzlGDxvF1e4y/gM+5dAhQkzyQ2a6Gf+CMaHzVScaUvTt9HhQ== ;{id = 2854}
+example.com. 18000 IN NSEC _sip._udp.example.com. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY
+example.com. 18000 IN RRSIG NSEC 3 2 18000 20070926134150 20070829134150 2854 example.com. MCwCFBzOGtpgq4uJ2jeuLPYl2HowIRzDAhQVXNz1haQ1mI7z9lt5gcvWW+lFhA== ;{id = 2854}
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ns7.domain-registry.example. 80173 IN A 62.4.86.230
+open.example.com. 600 IN A 213.154.224.1
+open.example.com. 600 IN AAAA 2001:7b8:206:1::53
+open.example.com. 600 IN AAAA 2001:7b8:206:1::1
+v.net.example. 28800 IN A 213.154.224.17
+v.net.example. 28800 IN AAAA 2001:7b8:206:1:200:39ff:fe59:b187
+johnny.example.com. 600 IN A 213.154.224.44
+open.example.com. 600 IN RRSIG A 3 3 600 20070926134150 20070829134150 2854 example.com. MC0CFQCh8bja923UJmg1+sYXMK8WIE4dpgIUQe9sZa0GOcUYSgb2rXoogF8af+Y= ;{id = 2854}
+open.example.com. 600 IN RRSIG AAAA 3 3 600 20070926134150 20070829134150 2854 example.com. MC0CFQCRGJgIS6kEVG7aJfovuG/q3cgOWwIUYEIFCnfRQlMIYWF7BKMQoMbdkE0= ;{id = 2854}
+johnny.example.com. 600 IN RRSIG A 3 3 600 20070926134150 20070829134150 2854 example.com. MCwCFAh0/zSpCd/9eMNz7AyfnuGQFD1ZAhQEpNFNw4XByNEcbi/vsVeii9kp7g== ;{id = 2854}
+_sip._udp.example.com. 600 IN RRSIG SRV 3 4 600 20070926134150 20070829134150 2854 example.com. MCwCFFSRVgOcq1ihVuO6MhCuzWs6SxpVAhRPHHCKy0JxymVkYeFOxTkbVSWMMw== ;{id = 2854}
+_sip._udp.example.com. 600 IN SRV 0 0 5060 johnny.example.com.
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+MATCH TCP
+REPLY RD DO
+SECTION QUESTION
+example.com. IN LOC
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+example.com. IN LOC
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. 86400 IN SOA open.example.com. hostmaster.example.com. 2007090400 28800 7200 604800 18000
+example.com. 86400 IN RRSIG SOA 3 2 86400 20070926134150 20070829134150 2854 example.com. MC0CFQCSs8KJepwaIp5vu++/0hk04lkXvgIUdphJSAE/MYob30WcRei9/nL49tE= ;{id = 2854}
+example.com. 18000 IN NSEC _sip._udp.example.com. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY
+example.com. 18000 IN RRSIG NSEC 3 2 18000 20070926134150 20070829134150 2854 example.com. MCwCFBzOGtpgq4uJ2jeuLPYl2HowIRzDAhQVXNz1haQ1mI7z9lt5gcvWW+lFhA== ;{id = 2854}
+ENTRY_END
+
+STEP 20 QUERY
+ENTRY_BEGIN
+MATCH TCP
+REPLY RD DO
+SECTION QUESTION
+example.com. IN ANY
+ENTRY_END
+
+; Allow validation resuming for the RRSIGs
+STEP 21 TIME_PASSES ELAPSE 0.05
+
+; recursion happens here.
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+example.com. IN ANY
+SECTION ANSWER
+example.com. 86400 IN SOA open.example.com. hostmaster.example.com. 2007090400 28800 7200 604800 18000
+example.com. 86400 IN RRSIG SOA 3 2 86400 20070926134150 20070829134150 2854 example.com. MC0CFQCSs8KJepwaIp5vu++/0hk04lkXvgIUdphJSAE/MYob30WcRei9/nL49tE= ;{id = 2854}
+example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJIIs70j+sDS/UT2QRp61SE7S3EEXopNXoFE73JLRmvpi/UrOO/Vz4Se6wXv/CYCKjGw06U4WRgRYXcpEhJROyNapmdIKSxhOzfLVE1gqA0PweZR8dtY3aNQSRn3sPpwJr6Mi/PqQKAMMrZ9ckJpf1+bQMOOvxgzz2U1GS18b3yZKcgTMEaJzd/GZYzi/BN2DzQ0MsrSwYXfsNLFOBbs8PJMW4LYIxeeOe6rUgkWOF7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFHq7BNVAeLW+Uw/rkjVS08lrMDk/AhR+bvChHfiE4jLb6uoyE54/irCuqA== ;{id = 2854}
+example.com. 600 IN NAPTR 20 0 "s" "SIP+D2U" "" _sip._udp.example.com.
+example.com. 600 IN RRSIG NAPTR 3 2 600 20070926134150 20070829134150 2854 example.com. MC0CFE8qs66bzuOyKmTIacamrmqabMRzAhUAn0MujX1LB0UpTHuLMgdgMgJJlq4= ;{id = 2854}
+example.com. 86400 IN AAAA 2001:7b8:206:1::1
+example.com. 86400 IN RRSIG AAAA 3 2 86400 20070926134150 20070829134150 2854 example.com. MC0CFEqS4WHyqhUkv7t42TsBZJk/Q9paAhUAtTZ8GaXGpot0PmsM0oGzQU+2iw4= ;{id = 2854}
+example.com. 86400 IN TXT "Stichting NLnet Labs"
+example.com. 86400 IN RRSIG TXT 3 2 86400 20070926134150 20070829134150 2854 example.com. MCwCFH3otn2u8zXczBS8L0VKpyAYZGSkAhQLGaQclkzMAzlB5j73opFjdkh8TA== ;{id = 2854}
+example.com. 86400 IN MX 100 v.net.example.
+example.com. 86400 IN MX 50 open.example.com.
+example.com. 86400 IN RRSIG MX 3 2 86400 20070926134150 20070829134150 2854 example.com. MCwCFEKh3jeqh69zcOqWWv3GNKlMECPyAhR9HJkcPLqlyVWUccWDFJfGGcQfdg== ;{id = 2854}
+example.com. 86400 IN NS v.net.example.
+example.com. 86400 IN NS open.example.com.
+example.com. 86400 IN NS ns7.domain-registry.example.
+example.com. 86400 IN RRSIG NS 3 2 86400 20070926134150 20070829134150 2854 example.com. MC0CFQCaRn30X4neKW7KYoTa2kcsoOLgfgIURvKEyDczLypWlx99KpxzMxRYhEc= ;{id = 2854}
+example.com. 86400 IN A 213.154.224.1
+example.com. 86400 IN RRSIG A 3 2 86400 20070926134150 20070829134150 2854 example.com. MCwCFH8kSLxmRTwzlGDxvF1e4y/gM+5dAhQkzyQ2a6Gf+CMaHzVScaUvTt9HhQ== ;{id = 2854}
+example.com. 18000 IN NSEC _sip._udp.example.com. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY
+example.com. 18000 IN RRSIG NSEC 3 2 18000 20070926134150 20070829134150 2854 example.com. MCwCFBzOGtpgq4uJ2jeuLPYl2HowIRzDAhQVXNz1haQ1mI7z9lt5gcvWW+lFhA== ;{id = 2854}
+SECTION AUTHORITY
+SECTION ADDITIONAL
+open.example.com. 600 IN A 213.154.224.1
+open.example.com. 600 IN AAAA 2001:7b8:206:1::53
+open.example.com. 600 IN AAAA 2001:7b8:206:1::1
+open.example.com. 600 IN RRSIG A 3 3 600 20070926134150 20070829134150 2854 example.com. MC0CFQCh8bja923UJmg1+sYXMK8WIE4dpgIUQe9sZa0GOcUYSgb2rXoogF8af+Y= ;{id = 2854}
+open.example.com. 600 IN RRSIG AAAA 3 3 600 20070926134150 20070829134150 2854 example.com. MC0CFQCRGJgIS6kEVG7aJfovuG/q3cgOWwIUYEIFCnfRQlMIYWF7BKMQoMbdkE0= ;{id = 2854}
+ENTRY_END
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/val_scrub_rr_length.rpl b/contrib/unbound/testdata/val_scrub_rr_length.rpl
new file mode 100644
index 000000000000..0219b918e421
--- /dev/null
+++ b/contrib/unbound/testdata/val_scrub_rr_length.rpl
@@ -0,0 +1,164 @@
+; config options
+; The island of trust is at example.com
+server:
+ trust-anchor: "example.com. IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af"
+ val-override-date: "20070916134226"
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: "no"
+ trust-anchor-signaling: no
+ minimal-responses: no
+ rrset-roundrobin: no
+ ede: yes
+ log-servfail: yes
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test validator with scrub of RR for inappropriate length
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 8 2 3600 20070926134150 20070829134150 55566 example.com. cHdLVCzujUQs6b67c1SmCX+/br4tgOg86Gj/R/x+PKUQmWHyeVwBSTlJuLOHbca3CQoyIQc+V2ilK6fjwjbY/dLk4uOlux8L+Zn7HsUXSOwJPIjsM3LuTa8CYDMvYhOP7KGR+vNpJVSsQ25pyDn6Rzsdl3E7DAf7uSkPV8VJwa8=
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ns.example.com. 3600 IN RRSIG A 8 3 3600 20070926134150 20070829134150 55566 example.com. PBwNifMNxTXlDorHX1neq1wUhWLmqk+PZ+PBZCI5BJAmakdgOXdLQiVqlKaErJyA/4uN+99fUf6/DqxwgxL8FIPdBkxMOTJaKrCFjEhL6qozTd3+DI6qFJPgTm1lrkpvb9W72MtK2vxAyT5I/bG2SWKdpzOaQXysbDb2hnxq3as=
+ENTRY_END
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+example.com. IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b}
+example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20070926134150 20070829134150 55566 example.com. Ni7Q17l2dzKcAnHdU3Mycpdwo0I6qgGxRvBhBNI43xIUFHJpgKpbeMFxKvVTkbwHyMPMIuHmOaC82IBhOpGD10SExVh4erQhWS3Hvl+m4Cwl3WI9N+AW6CTB9yj+d4xzX3bHjjBt6MSk4bU8ABR7qIoAjgjY7zdtUDWQlaM+d18=
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 8 2 3600 20070926134150 20070829134150 55566 example.com. cHdLVCzujUQs6b67c1SmCX+/br4tgOg86Gj/R/x+PKUQmWHyeVwBSTlJuLOHbca3CQoyIQc+V2ilK6fjwjbY/dLk4uOlux8L+Zn7HsUXSOwJPIjsM3LuTa8CYDMvYhOP7KGR+vNpJVSsQ25pyDn6Rzsdl3E7DAf7uSkPV8VJwa8=
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ns.example.com. 3600 IN RRSIG A 8 3 3600 20070926134150 20070829134150 55566 example.com. PBwNifMNxTXlDorHX1neq1wUhWLmqk+PZ+PBZCI5BJAmakdgOXdLQiVqlKaErJyA/4uN+99fUf6/DqxwgxL8FIPdBkxMOTJaKrCFjEhL6qozTd3+DI6qFJPgTm1lrkpvb9W72MtK2vxAyT5I/bG2SWKdpzOaQXysbDb2hnxq3as=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.example.com. IN AAAA
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 8 2 3600 20070926134150 20070829134150 55566 example.com. cHdLVCzujUQs6b67c1SmCX+/br4tgOg86Gj/R/x+PKUQmWHyeVwBSTlJuLOHbca3CQoyIQc+V2ilK6fjwjbY/dLk4uOlux8L+Zn7HsUXSOwJPIjsM3LuTa8CYDMvYhOP7KGR+vNpJVSsQ25pyDn6Rzsdl3E7DAf7uSkPV8VJwa8=
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ns.example.com. 3600 IN RRSIG A 8 3 3600 20070926134150 20070829134150 55566 example.com. PBwNifMNxTXlDorHX1neq1wUhWLmqk+PZ+PBZCI5BJAmakdgOXdLQiVqlKaErJyA/4uN+99fUf6/DqxwgxL8FIPdBkxMOTJaKrCFjEhL6qozTd3+DI6qFJPgTm1lrkpvb9W72MtK2vxAyT5I/bG2SWKdpzOaQXysbDb2hnxq3as=
+ENTRY_END
+
+; response to query of interest
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+www.example.com. IN A \# 5 0102030405
+; RRSIG includes the malformed record.
+www.example.com. 3600 IN RRSIG A 8 3 3600 20070926134150 20070829134150 55566 example.com. W4WFu9B81uRvp3Dj8uLIscypznKWuLuKrZqVg1on5/45/3/xyjHvj3TjTL3gruWFXPiQpldvOstXLZ5eN3OpqILdkVey0eqVATujpHwIruY6GWztVx5WptmFfK6E6zzshZ3RmAARqq/czQ+IZli2A9xixdY2H0o1dSU6gohEjjE=
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 8 2 3600 20070926134150 20070829134150 55566 example.com. cHdLVCzujUQs6b67c1SmCX+/br4tgOg86Gj/R/x+PKUQmWHyeVwBSTlJuLOHbca3CQoyIQc+V2ilK6fjwjbY/dLk4uOlux8L+Zn7HsUXSOwJPIjsM3LuTa8CYDMvYhOP7KGR+vNpJVSsQ25pyDn6Rzsdl3E7DAf7uSkPV8VJwa8=
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ns.example.com. 3600 IN RRSIG A 8 3 3600 20070926134150 20070829134150 55566 example.com. PBwNifMNxTXlDorHX1neq1wUhWLmqk+PZ+PBZCI5BJAmakdgOXdLQiVqlKaErJyA/4uN+99fUf6/DqxwgxL8FIPdBkxMOTJaKrCFjEhL6qozTd3+DI6qFJPgTm1lrkpvb9W72MtK2vxAyT5I/bG2SWKdpzOaQXysbDb2hnxq3as=
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=0
+REPLY QR RD RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
+SCENARIO_END
diff --git a/contrib/unbound/testdata/zonemd.example1.zone b/contrib/unbound/testdata/zonemd.example1.zone
deleted file mode 100644
index b1a44895f05c..000000000000
--- a/contrib/unbound/testdata/zonemd.example1.zone
+++ /dev/null
@@ -1,4 +0,0 @@
-example.org. IN SOA ns.example.org. hostmaster.example.org. 200154054 28800 7200 604800 3600
-example.org. IN NS ns.example.org.
-www.example.org. IN A 127.0.0.1
-ns.example.org. IN A 127.0.0.1
diff --git a/contrib/unbound/testdata/zonemd.example10.zone b/contrib/unbound/testdata/zonemd.example10.zone
deleted file mode 100644
index 33ca2828e019..000000000000
--- a/contrib/unbound/testdata/zonemd.example10.zone
+++ /dev/null
@@ -1,35 +0,0 @@
-; DNSSEC signed but RRSIG on SOA is wrong.
-
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-; old sig
-; example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-; wrong sig
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgeAAAAA=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b}
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-example.com. 3600 IN TYPE63 \# 70 0bee1bc6010258f7620f93204bbb31b44f795b3409cc4abd9ef5601decc15675bd7751213152984eddce0626e6062e744b03b3e47711202fbb79e4a2eb8bc5cf46741b5cae6f
-example.com. 3600 IN RRSIG TYPE63 8 2 3600 20201116135527 20201019135527 55566 example.com. orn8ZF/yqj9u4WrhiO6gtEcTaVsnZSWWZLfXhcIOiWSB8kKCxtZl5cG17dD3Du1NllUwMRqkp0KleLhIoUS9xeQ/0x05u+CYLrfQ62oAiD7q54ZQzpXJIH52aQzKV70ZnO03CZowhQBnetmIoKX6xLogKo8pt+BdQbo3oVHxV8Y=
-example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY TYPE63
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ufLrlOQprAqjnH85Rt3T0Mxd3ZB0mBeeNIr84eFJ8Rk6WiWEPm0Y1R7GRufNI24Mj7iqLcL4nJM6KK6B7dJqjqu73jw1acuYNnbsoV2BNDRXRFP2FNWTpctVdi+955f3FzgsmEJXfGiSUG0YXAEcZmdCPCn5ii2jk8mk7r6KKYo=
-bar.example.com. 3600 IN A 1.2.3.4
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC
-bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC
-ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC
-foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC
-ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
-www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI=
diff --git a/contrib/unbound/testdata/zonemd.example11.zone b/contrib/unbound/testdata/zonemd.example11.zone
deleted file mode 100644
index 7562f79729b7..000000000000
--- a/contrib/unbound/testdata/zonemd.example11.zone
+++ /dev/null
@@ -1,33 +0,0 @@
-; DNSSEC NSEC zone, but ZONEMD is missing
-
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b}
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-; missing ZONEMD
-;example.com. 3600 IN TYPE63 \# 70 0bee1bc6010258f7620f93204bbb31b44f795b3409cc4abd9ef5601decc15675bd7751213152984eddce0626e6062e744b03b3e47711202fbb79e4a2eb8bc5cf46741b5cae6f
-;example.com. 3600 IN RRSIG TYPE63 8 2 3600 20201116135527 20201019135527 55566 example.com. orn8ZF/yqj9u4WrhiO6gtEcTaVsnZSWWZLfXhcIOiWSB8kKCxtZl5cG17dD3Du1NllUwMRqkp0KleLhIoUS9xeQ/0x05u+CYLrfQ62oAiD7q54ZQzpXJIH52aQzKV70ZnO03CZowhQBnetmIoKX6xLogKo8pt+BdQbo3oVHxV8Y=
-example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY TYPE63
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ufLrlOQprAqjnH85Rt3T0Mxd3ZB0mBeeNIr84eFJ8Rk6WiWEPm0Y1R7GRufNI24Mj7iqLcL4nJM6KK6B7dJqjqu73jw1acuYNnbsoV2BNDRXRFP2FNWTpctVdi+955f3FzgsmEJXfGiSUG0YXAEcZmdCPCn5ii2jk8mk7r6KKYo=
-bar.example.com. 3600 IN A 1.2.3.4
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC
-bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC
-ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC
-foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC
-ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
-www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI=
diff --git a/contrib/unbound/testdata/zonemd.example12.zone b/contrib/unbound/testdata/zonemd.example12.zone
deleted file mode 100644
index 4fc04bf88eb2..000000000000
--- a/contrib/unbound/testdata/zonemd.example12.zone
+++ /dev/null
@@ -1,35 +0,0 @@
-; DNSSEC NSEC3 zone, but ZONEMD is missing
-
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b}
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-example.com. 3600 IN NSEC3PARAM 1 0 1 012345
-example.com. 3600 IN RRSIG NSEC3PARAM 8 2 3600 20201116135527 20201019135527 55566 example.com. CDbcPLDrpVUyk3v7kwQ3LNzzhDHS40e0LDv7IZrzMt2AO/6SJ7xhlG+qByhc7CFBUMvBNaOteO5th0tvotWxk0UrVhqRyyXNCr8SmDdAaPH4SGwJ2p+XPIwn0CTXDpyOcgCrW0Kt2OjubA+4fQwjkGYFuDATY5QOITe6kGJpKpw=
-; missing ZONEMD
-;example.com. 3600 IN TYPE63 \# 70 0bee1bc6010246e31506f321c58db811c934c6446141d651a8574fb21088a2bb6feec875fc8b60f50beae00e7f6554e2cf3cb048350ef92e2946137443e30079813db4d1bfbd
-;example.com. 3600 IN RRSIG TYPE63 8 2 3600 20201116135527 20201019135527 55566 example.com. M0f4wkOn6dcYtaQtwvp698QL7HuKEgi+PPjYJawV8d1VNOWbbRTF9L9tHFDK42Ylq238uOxi223ZEk/pq4BP64Sm31dV54K2V95QqdzN9NDD34+sqKEgGyRcmBiE50gm3kZZ4ENqBQKc+GdlbZ2fHSI6gf6X694sSmZ7dfjq+2k=
-v4cknoe1mioduf5bmhgfjjq4dlqet8fm.example.com. 3600 IN NSEC3 1 0 1 012345 2v43f6ripfocif5h6bbi07glq6849rnj NS SOA RRSIG DNSKEY NSEC3PARAM TYPE63
-v4cknoe1mioduf5bmhgfjjq4dlqet8fm.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. Yd+g1m2aDKDUuZNv2KpKk4uSNrpB5KLM3QUqypm484VjOpnj5Wy3BjUULH3P8z+S9PG7XbaOf+yUYHK8cI6i5GTcrMhoLKaanAD09i1KbXbTVJujwA9Za7WzlFVZ3o6f1D8CbrSS3YPWNF3Mb2FYaptvZ9so7MlecuLYdEer7DY=
-bar.example.com. 3600 IN A 1.2.3.4
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-c6ntadrd765diocebcrq6trs8npn83o3.example.com. 3600 IN NSEC3 1 0 1 012345 f0lpjkgefgrobj5pucem78r2ouo53fq8 A RRSIG
-c6ntadrd765diocebcrq6trs8npn83o3.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. gTDi/2e/RPeSOwoBr6oqfoFsGXAknLX3J96EHzMmhtRR7W4pEW8uXKsMJ3rr4qgUUX+ZtzoCMYy+UBkiJfjpWvMToGtuADNOzz0rF8BESaW/8k6iDKPmqmwdGyLGMmfGjYPcb4qg3+9egLejA+fF1OSrhHuINeO80ouw++PL0ns=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-r18q2sl76hceldh0keqr7vnqc15db64a.example.com. 3600 IN NSEC3 1 0 1 012345 v4cknoe1mioduf5bmhgfjjq4dlqet8fm A RRSIG
-r18q2sl76hceldh0keqr7vnqc15db64a.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. VugivzPyv5+qZhl+x0frrykYyOOdZfcKdmIA13P4OzhtiRNhCRHznhrdTlmfLw/b5Rs5jFX7Iw/hhU80Geg72cYG4KVJwtP6zTyFApDl/8x3rj3vhZOc2nwpYmjjFsyrlb7M2RhcStnS6c/2R4+dBFwwVZXyJBi3fo9NybujI9g=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-f0lpjkgefgrobj5pucem78r2ouo53fq8.example.com. 3600 IN NSEC3 1 0 1 012345 r18q2sl76hceldh0keqr7vnqc15db64a A RRSIG
-f0lpjkgefgrobj5pucem78r2ouo53fq8.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. zishUbm8GxjaHOOUdbz0ZEut99dm+DQ/zvxhOTeS3kmUnL8t3ISew641JeNvvajAUk/xn6eGHjLBuHfwNG+itF2pSD8Gl6Ppo22Y0C9uO5TyRQalYpjtz1kI/VlIelcd0TyusmIMaRChswtpctPKITbr8Wl+MoZZtPQhJ5NjQlQ=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-2v43f6ripfocif5h6bbi07glq6849rnj.example.com. 3600 IN NSEC3 1 0 1 012345 91onuasouslv1so1i62id4rf0l763dss A RRSIG
-2v43f6ripfocif5h6bbi07glq6849rnj.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. d9CluwN3zWfLe20J212CuwNzJVbVsDR4eijuJyLpyHzziSc10CauWtUiuHeQMXCVJNwhPSb5kQTfKtql+Jd44BQlenRt/sHfa6YZEOwClN4O8V0vZ43K4vlwwWbh5kxQbFQ/e+w4vlYb1m4PHwzDLtqocNQ9T4A8SXl3A8paZqI=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-91onuasouslv1so1i62id4rf0l763dss.example.com. 3600 IN NSEC3 1 0 1 012345 c6ntadrd765diocebcrq6trs8npn83o3 A RRSIG
-91onuasouslv1so1i62id4rf0l763dss.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. czJf5HkfHLpfGcku2iZnCu9tXnM7VWOYYhGtVAwkYG0M6BO4LzRxGCV3SkUvHLFxoqQY0DZLnafPl2MKg8zsF+tusf3e3xmpcCSR29IfuDYH7GzuVCj3H0ScmXM0lvyQ92JpJ0AMqq2mW1nvKmgjkyugs+EMpxcFVjhibljocLU=
diff --git a/contrib/unbound/testdata/zonemd.example13.zone b/contrib/unbound/testdata/zonemd.example13.zone
deleted file mode 100644
index 9f311c91291e..000000000000
--- a/contrib/unbound/testdata/zonemd.example13.zone
+++ /dev/null
@@ -1,33 +0,0 @@
-; DNSSEC NSEC zone without ZONEMD, but NSEC RRSIG is wrong
-
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b}
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY
-; old sig
-;example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ROT+Kh6Y0sEf+L9c2HGPvppLL/DFP5KcX/zSjy7ovM7vXTrrdhEhOedbuccN84tk6VU8udGIixd5Usc+juZ+WsiWwaSNB5rKo6lZ9ceOJlYVzLCmawePzTsl6VAIiIVXwrMxGz/amBd+Ou/1NCuXJiWVThU9PDyJ/lQZbVJEHMA=
-; wrong sig
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ROT+Kh6Y0sEf+L9c2HGPvppLL/DFP5KcX/zSjy7ovM7vXTrrdhEhOedbuccN84tk6VU8udGIixd5Usc+juZ+WsiWwaSNB5rKo6lZ9ceOJlYVzLCmawePzTsl6VAIiIVXwrMxGz/amBd+Ou/1NCuXJiWVThU9PDyJ/lQZbVAAAAA=
-bar.example.com. 3600 IN A 1.2.3.4
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC
-bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC
-ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC
-foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC
-ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
-www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI=
diff --git a/contrib/unbound/testdata/zonemd.example14.zone b/contrib/unbound/testdata/zonemd.example14.zone
deleted file mode 100644
index bc4cdacdbbf5..000000000000
--- a/contrib/unbound/testdata/zonemd.example14.zone
+++ /dev/null
@@ -1,35 +0,0 @@
-; DNSSEC NSEC3 zone without ZONEMD, but NSEC3 RRSIG is wrong
-
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b}
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-example.com. 3600 IN NSEC3PARAM 1 0 1 012345
-example.com. 3600 IN RRSIG NSEC3PARAM 8 2 3600 20201116135527 20201019135527 55566 example.com. CDbcPLDrpVUyk3v7kwQ3LNzzhDHS40e0LDv7IZrzMt2AO/6SJ7xhlG+qByhc7CFBUMvBNaOteO5th0tvotWxk0UrVhqRyyXNCr8SmDdAaPH4SGwJ2p+XPIwn0CTXDpyOcgCrW0Kt2OjubA+4fQwjkGYFuDATY5QOITe6kGJpKpw=
-v4cknoe1mioduf5bmhgfjjq4dlqet8fm.example.com. 3600 IN NSEC3 1 0 1 012345 2v43f6ripfocif5h6bbi07glq6849rnj NS SOA RRSIG DNSKEY NSEC3PARAM
-; old sig
-;v4cknoe1mioduf5bmhgfjjq4dlqet8fm.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. J2LISTGtBe+x2pNESBOYrBHAJjEDVFkmjJf2kj0GSFYisvSuy6ZUvQZZUB9sfLmEX18FpdNTieE8MrR2nbpKWfgVBDdGtcU72x/GOIRRq586A1KNtP2eJ81vcblM5dvqvpht46tF+xy85j9G9BYxpcT1PQRpvmho9yhgCxq2kUQ=
-; wrong sig
-v4cknoe1mioduf5bmhgfjjq4dlqet8fm.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. J2LISTGtBe+x2pNESBOYrBHAJjEDVFkmjJf2kj0GSFYisvSuy6ZUvQZZUB9sfLmEX18FpdNTieE8MrR2nbpKWfgVBDdGtcU72x/GOIRRq586A1KNtP2eJ81vcblM5dvqvpht46tF+xy85j9G9BYxpcT1PQRpvmho9yhgCxAAAAA=
-bar.example.com. 3600 IN A 1.2.3.4
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-c6ntadrd765diocebcrq6trs8npn83o3.example.com. 3600 IN NSEC3 1 0 1 012345 f0lpjkgefgrobj5pucem78r2ouo53fq8 A RRSIG
-c6ntadrd765diocebcrq6trs8npn83o3.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. gTDi/2e/RPeSOwoBr6oqfoFsGXAknLX3J96EHzMmhtRR7W4pEW8uXKsMJ3rr4qgUUX+ZtzoCMYy+UBkiJfjpWvMToGtuADNOzz0rF8BESaW/8k6iDKPmqmwdGyLGMmfGjYPcb4qg3+9egLejA+fF1OSrhHuINeO80ouw++PL0ns=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-r18q2sl76hceldh0keqr7vnqc15db64a.example.com. 3600 IN NSEC3 1 0 1 012345 v4cknoe1mioduf5bmhgfjjq4dlqet8fm A RRSIG
-r18q2sl76hceldh0keqr7vnqc15db64a.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. VugivzPyv5+qZhl+x0frrykYyOOdZfcKdmIA13P4OzhtiRNhCRHznhrdTlmfLw/b5Rs5jFX7Iw/hhU80Geg72cYG4KVJwtP6zTyFApDl/8x3rj3vhZOc2nwpYmjjFsyrlb7M2RhcStnS6c/2R4+dBFwwVZXyJBi3fo9NybujI9g=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-f0lpjkgefgrobj5pucem78r2ouo53fq8.example.com. 3600 IN NSEC3 1 0 1 012345 r18q2sl76hceldh0keqr7vnqc15db64a A RRSIG
-f0lpjkgefgrobj5pucem78r2ouo53fq8.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. zishUbm8GxjaHOOUdbz0ZEut99dm+DQ/zvxhOTeS3kmUnL8t3ISew641JeNvvajAUk/xn6eGHjLBuHfwNG+itF2pSD8Gl6Ppo22Y0C9uO5TyRQalYpjtz1kI/VlIelcd0TyusmIMaRChswtpctPKITbr8Wl+MoZZtPQhJ5NjQlQ=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-2v43f6ripfocif5h6bbi07glq6849rnj.example.com. 3600 IN NSEC3 1 0 1 012345 91onuasouslv1so1i62id4rf0l763dss A RRSIG
-2v43f6ripfocif5h6bbi07glq6849rnj.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. d9CluwN3zWfLe20J212CuwNzJVbVsDR4eijuJyLpyHzziSc10CauWtUiuHeQMXCVJNwhPSb5kQTfKtql+Jd44BQlenRt/sHfa6YZEOwClN4O8V0vZ43K4vlwwWbh5kxQbFQ/e+w4vlYb1m4PHwzDLtqocNQ9T4A8SXl3A8paZqI=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-91onuasouslv1so1i62id4rf0l763dss.example.com. 3600 IN NSEC3 1 0 1 012345 c6ntadrd765diocebcrq6trs8npn83o3 A RRSIG
-91onuasouslv1so1i62id4rf0l763dss.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. czJf5HkfHLpfGcku2iZnCu9tXnM7VWOYYhGtVAwkYG0M6BO4LzRxGCV3SkUvHLFxoqQY0DZLnafPl2MKg8zsF+tusf3e3xmpcCSR29IfuDYH7GzuVCj3H0ScmXM0lvyQ92JpJ0AMqq2mW1nvKmgjkyugs+EMpxcFVjhibljocLU=
diff --git a/contrib/unbound/testdata/zonemd.example15.zone b/contrib/unbound/testdata/zonemd.example15.zone
deleted file mode 100644
index 8a10689101d7..000000000000
--- a/contrib/unbound/testdata/zonemd.example15.zone
+++ /dev/null
@@ -1,35 +0,0 @@
-; DNSSEC signed but DNSKEY RRSIG is wrong.
-
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b}
-; old sig
-;example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-; wrong sig
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2AAAAA=
-example.com. 3600 IN TYPE63 \# 70 0bee1bc6010258f7620f93204bbb31b44f795b3409cc4abd9ef5601decc15675bd7751213152984eddce0626e6062e744b03b3e47711202fbb79e4a2eb8bc5cf46741b5cae6f
-example.com. 3600 IN RRSIG TYPE63 8 2 3600 20201116135527 20201019135527 55566 example.com. orn8ZF/yqj9u4WrhiO6gtEcTaVsnZSWWZLfXhcIOiWSB8kKCxtZl5cG17dD3Du1NllUwMRqkp0KleLhIoUS9xeQ/0x05u+CYLrfQ62oAiD7q54ZQzpXJIH52aQzKV70ZnO03CZowhQBnetmIoKX6xLogKo8pt+BdQbo3oVHxV8Y=
-example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY TYPE63
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ufLrlOQprAqjnH85Rt3T0Mxd3ZB0mBeeNIr84eFJ8Rk6WiWEPm0Y1R7GRufNI24Mj7iqLcL4nJM6KK6B7dJqjqu73jw1acuYNnbsoV2BNDRXRFP2FNWTpctVdi+955f3FzgsmEJXfGiSUG0YXAEcZmdCPCn5ii2jk8mk7r6KKYo=
-bar.example.com. 3600 IN A 1.2.3.4
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC
-bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC
-ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC
-foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC
-ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
-www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI=
diff --git a/contrib/unbound/testdata/zonemd.example16.zone b/contrib/unbound/testdata/zonemd.example16.zone
deleted file mode 100644
index 7520744d3180..000000000000
--- a/contrib/unbound/testdata/zonemd.example16.zone
+++ /dev/null
@@ -1,11 +0,0 @@
-example.com. IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. IN NS ns.example.com.
-; the ZONEMD that should be in this file, without DNSSEC
-example.com. IN ZONEMD 200154054 1 2 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D728B22
-; duplicate zonemd with same scheme and algorithm (different at end)
-example.com. IN ZONEMD 200154054 1 2 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D720000
-www.example.com. IN A 127.0.0.1
-ns.example.com. IN A 127.0.0.1
-bar.example.com. IN A 1.2.3.4
-ding.example.com. IN A 1.2.3.4
-foo.example.com. IN A 1.2.3.4
diff --git a/contrib/unbound/testdata/zonemd.example17.zone b/contrib/unbound/testdata/zonemd.example17.zone
deleted file mode 100644
index 4315f9054af4..000000000000
--- a/contrib/unbound/testdata/zonemd.example17.zone
+++ /dev/null
@@ -1,11 +0,0 @@
-example.com. IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-; capitalisation is different here.
-exaMPLe.cOM. IN NS Ns.exaMPLe.cOm.
-; the ZONEMD that should be in this file, without DNSSEC
-example.com. IN ZONEMD 200154054 1 2 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D728B22
-; capitalisation is different here.
-wWW.exAMPLe.cOM. IN A 127.0.0.1
-ns.example.com. IN A 127.0.0.1
-bar.example.com. IN A 1.2.3.4
-ding.example.com. IN A 1.2.3.4
-foo.example.com. IN A 1.2.3.4
diff --git a/contrib/unbound/testdata/zonemd.example2.zone b/contrib/unbound/testdata/zonemd.example2.zone
deleted file mode 100644
index 14b7ea689ffa..000000000000
--- a/contrib/unbound/testdata/zonemd.example2.zone
+++ /dev/null
@@ -1,15 +0,0 @@
-example.com. IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. IN NS ns.example.com.
-; the ZONEMD that should be in this file, without DNSSEC
-example.com. IN ZONEMD 200154054 1 2 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D728B22
-; incorrect digest in example3 and example4.
-;example.com. IN TYPE63 \# 70 0BEE1BC60102EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D728B22
-; correct digest for example 5.
-;example.com. IN TYPE63 \# 70 0BEE1BC6010258F7620F93204BBB31B44F795B3409CC4ABD9EF5601DECC15675BD7751213152984EDDCE0626E6062E744B03B3E47711202FBB79E4A2EB8BC5CF46741B5CAE6F
-; correct digest for example 6.
-;example.com. IN TYPE63 \# 70 0BEE1BC6010246E31506F321C58DB811C934C6446141D651A8574FB21088A2BB6FEEC875FC8B60F50BEAE00E7F6554E2CF3CB048350EF92E2946137443E30079813DB4D1BFBD
-www.example.com. IN A 127.0.0.1
-ns.example.com. IN A 127.0.0.1
-bar.example.com. IN A 1.2.3.4
-ding.example.com. IN A 1.2.3.4
-foo.example.com. IN A 1.2.3.4
diff --git a/contrib/unbound/testdata/zonemd.example3.zone b/contrib/unbound/testdata/zonemd.example3.zone
deleted file mode 100644
index 12389f3d5181..000000000000
--- a/contrib/unbound/testdata/zonemd.example3.zone
+++ /dev/null
@@ -1,34 +0,0 @@
-; signed version of zonemd.example2.zone
-; with ldns-signzone -e 20201116135527 -i 20201019135527 zonemd.example2.zone Kexample.com.+008+55566
-; this zonefile has an incorrect ZONEMD digest, with correct DNSSEC signature.
-
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b}
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-example.com. 3600 IN TYPE63 \# 70 0bee1bc60102efaa5b78b38ab1c45de57b8167bcce906451d0e72118e1f5e80b5f0c3cf04bffc65d53c011185528ead439d6f3a02f511961e090e5e4e0dfa013bd276d728b22
-example.com. 3600 IN RRSIG TYPE63 8 2 3600 20201116135527 20201019135527 55566 example.com. RdHiJlugposfoRbog+Mkg2xeJXSzBi/UXxBnyHVF/Usqhp6Z7Acy4XwtRRb8YAbJevP9nBpCh23Fh4b1Vxl4xI0iB8aXWKtHeb98m81rfsflWvnTYbeau3ltfP/OJWqdmFsBy8DOwNxiN8sAMbGwQK8PFDk3lcRCqv8qq/tmow8=
-example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY TYPE63
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ufLrlOQprAqjnH85Rt3T0Mxd3ZB0mBeeNIr84eFJ8Rk6WiWEPm0Y1R7GRufNI24Mj7iqLcL4nJM6KK6B7dJqjqu73jw1acuYNnbsoV2BNDRXRFP2FNWTpctVdi+955f3FzgsmEJXfGiSUG0YXAEcZmdCPCn5ii2jk8mk7r6KKYo=
-bar.example.com. 3600 IN A 1.2.3.4
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC
-bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC
-ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC
-foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC
-ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
-www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI=
diff --git a/contrib/unbound/testdata/zonemd.example4.zone b/contrib/unbound/testdata/zonemd.example4.zone
deleted file mode 100644
index dae0f17c708c..000000000000
--- a/contrib/unbound/testdata/zonemd.example4.zone
+++ /dev/null
@@ -1,36 +0,0 @@
-; signed with NSEC3, of zonemd.example.2.zone
-; ldns-signzone -n -s 012345 -e 20201116135527 -i 20201019135527 zonemd.example2.zone Kexample.com.+008+55566
-; this zonefile has an incorrect ZONEMD digest, with correct DNSSEC signature.
-
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b}
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-example.com. 3600 IN NSEC3PARAM 1 0 1 012345
-example.com. 3600 IN RRSIG NSEC3PARAM 8 2 3600 20201116135527 20201019135527 55566 example.com. CDbcPLDrpVUyk3v7kwQ3LNzzhDHS40e0LDv7IZrzMt2AO/6SJ7xhlG+qByhc7CFBUMvBNaOteO5th0tvotWxk0UrVhqRyyXNCr8SmDdAaPH4SGwJ2p+XPIwn0CTXDpyOcgCrW0Kt2OjubA+4fQwjkGYFuDATY5QOITe6kGJpKpw=
-example.com. 3600 IN TYPE63 \# 70 0bee1bc60102efaa5b78b38ab1c45de57b8167bcce906451d0e72118e1f5e80b5f0c3cf04bffc65d53c011185528ead439d6f3a02f511961e090e5e4e0dfa013bd276d728b22
-example.com. 3600 IN RRSIG TYPE63 8 2 3600 20201116135527 20201019135527 55566 example.com. RdHiJlugposfoRbog+Mkg2xeJXSzBi/UXxBnyHVF/Usqhp6Z7Acy4XwtRRb8YAbJevP9nBpCh23Fh4b1Vxl4xI0iB8aXWKtHeb98m81rfsflWvnTYbeau3ltfP/OJWqdmFsBy8DOwNxiN8sAMbGwQK8PFDk3lcRCqv8qq/tmow8=
-v4cknoe1mioduf5bmhgfjjq4dlqet8fm.example.com. 3600 IN NSEC3 1 0 1 012345 2v43f6ripfocif5h6bbi07glq6849rnj NS SOA RRSIG DNSKEY NSEC3PARAM TYPE63
-v4cknoe1mioduf5bmhgfjjq4dlqet8fm.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. Yd+g1m2aDKDUuZNv2KpKk4uSNrpB5KLM3QUqypm484VjOpnj5Wy3BjUULH3P8z+S9PG7XbaOf+yUYHK8cI6i5GTcrMhoLKaanAD09i1KbXbTVJujwA9Za7WzlFVZ3o6f1D8CbrSS3YPWNF3Mb2FYaptvZ9so7MlecuLYdEer7DY=
-bar.example.com. 3600 IN A 1.2.3.4
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-c6ntadrd765diocebcrq6trs8npn83o3.example.com. 3600 IN NSEC3 1 0 1 012345 f0lpjkgefgrobj5pucem78r2ouo53fq8 A RRSIG
-c6ntadrd765diocebcrq6trs8npn83o3.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. gTDi/2e/RPeSOwoBr6oqfoFsGXAknLX3J96EHzMmhtRR7W4pEW8uXKsMJ3rr4qgUUX+ZtzoCMYy+UBkiJfjpWvMToGtuADNOzz0rF8BESaW/8k6iDKPmqmwdGyLGMmfGjYPcb4qg3+9egLejA+fF1OSrhHuINeO80ouw++PL0ns=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-r18q2sl76hceldh0keqr7vnqc15db64a.example.com. 3600 IN NSEC3 1 0 1 012345 v4cknoe1mioduf5bmhgfjjq4dlqet8fm A RRSIG
-r18q2sl76hceldh0keqr7vnqc15db64a.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. VugivzPyv5+qZhl+x0frrykYyOOdZfcKdmIA13P4OzhtiRNhCRHznhrdTlmfLw/b5Rs5jFX7Iw/hhU80Geg72cYG4KVJwtP6zTyFApDl/8x3rj3vhZOc2nwpYmjjFsyrlb7M2RhcStnS6c/2R4+dBFwwVZXyJBi3fo9NybujI9g=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-f0lpjkgefgrobj5pucem78r2ouo53fq8.example.com. 3600 IN NSEC3 1 0 1 012345 r18q2sl76hceldh0keqr7vnqc15db64a A RRSIG
-f0lpjkgefgrobj5pucem78r2ouo53fq8.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. zishUbm8GxjaHOOUdbz0ZEut99dm+DQ/zvxhOTeS3kmUnL8t3ISew641JeNvvajAUk/xn6eGHjLBuHfwNG+itF2pSD8Gl6Ppo22Y0C9uO5TyRQalYpjtz1kI/VlIelcd0TyusmIMaRChswtpctPKITbr8Wl+MoZZtPQhJ5NjQlQ=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-2v43f6ripfocif5h6bbi07glq6849rnj.example.com. 3600 IN NSEC3 1 0 1 012345 91onuasouslv1so1i62id4rf0l763dss A RRSIG
-2v43f6ripfocif5h6bbi07glq6849rnj.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. d9CluwN3zWfLe20J212CuwNzJVbVsDR4eijuJyLpyHzziSc10CauWtUiuHeQMXCVJNwhPSb5kQTfKtql+Jd44BQlenRt/sHfa6YZEOwClN4O8V0vZ43K4vlwwWbh5kxQbFQ/e+w4vlYb1m4PHwzDLtqocNQ9T4A8SXl3A8paZqI=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-91onuasouslv1so1i62id4rf0l763dss.example.com. 3600 IN NSEC3 1 0 1 012345 c6ntadrd765diocebcrq6trs8npn83o3 A RRSIG
-91onuasouslv1so1i62id4rf0l763dss.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. czJf5HkfHLpfGcku2iZnCu9tXnM7VWOYYhGtVAwkYG0M6BO4LzRxGCV3SkUvHLFxoqQY0DZLnafPl2MKg8zsF+tusf3e3xmpcCSR29IfuDYH7GzuVCj3H0ScmXM0lvyQ92JpJ0AMqq2mW1nvKmgjkyugs+EMpxcFVjhibljocLU=
diff --git a/contrib/unbound/testdata/zonemd.example5.zone b/contrib/unbound/testdata/zonemd.example5.zone
deleted file mode 100644
index d88380ade09f..000000000000
--- a/contrib/unbound/testdata/zonemd.example5.zone
+++ /dev/null
@@ -1,34 +0,0 @@
-; signed version of zonemd.example2.zone
-; with ldns-signzone -e 20201116135527 -i 20201019135527 zonemd.example2.zone Kexample.com.+008+55566
-; this zonefile has a correct ZONEMD digest, with correct DNSSEC signature.
-
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b}
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-example.com. 3600 IN TYPE63 \# 70 0bee1bc6010258f7620f93204bbb31b44f795b3409cc4abd9ef5601decc15675bd7751213152984eddce0626e6062e744b03b3e47711202fbb79e4a2eb8bc5cf46741b5cae6f
-example.com. 3600 IN RRSIG TYPE63 8 2 3600 20201116135527 20201019135527 55566 example.com. orn8ZF/yqj9u4WrhiO6gtEcTaVsnZSWWZLfXhcIOiWSB8kKCxtZl5cG17dD3Du1NllUwMRqkp0KleLhIoUS9xeQ/0x05u+CYLrfQ62oAiD7q54ZQzpXJIH52aQzKV70ZnO03CZowhQBnetmIoKX6xLogKo8pt+BdQbo3oVHxV8Y=
-example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY TYPE63
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ufLrlOQprAqjnH85Rt3T0Mxd3ZB0mBeeNIr84eFJ8Rk6WiWEPm0Y1R7GRufNI24Mj7iqLcL4nJM6KK6B7dJqjqu73jw1acuYNnbsoV2BNDRXRFP2FNWTpctVdi+955f3FzgsmEJXfGiSUG0YXAEcZmdCPCn5ii2jk8mk7r6KKYo=
-bar.example.com. 3600 IN A 1.2.3.4
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC
-bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC
-ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC
-foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC
-ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
-www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI=
diff --git a/contrib/unbound/testdata/zonemd.example6.zone b/contrib/unbound/testdata/zonemd.example6.zone
deleted file mode 100644
index 0a7b05a8dcea..000000000000
--- a/contrib/unbound/testdata/zonemd.example6.zone
+++ /dev/null
@@ -1,36 +0,0 @@
-; signed with NSEC3, of zonemd.example.2.zone
-; ldns-signzone -n -s 012345 -e 20201116135527 -i 20201019135527 zonemd.example2.zone Kexample.com.+008+55566
-; this zonefile has a correct ZONEMD digest, with correct DNSSEC signature.
-
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b}
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-example.com. 3600 IN NSEC3PARAM 1 0 1 012345
-example.com. 3600 IN RRSIG NSEC3PARAM 8 2 3600 20201116135527 20201019135527 55566 example.com. CDbcPLDrpVUyk3v7kwQ3LNzzhDHS40e0LDv7IZrzMt2AO/6SJ7xhlG+qByhc7CFBUMvBNaOteO5th0tvotWxk0UrVhqRyyXNCr8SmDdAaPH4SGwJ2p+XPIwn0CTXDpyOcgCrW0Kt2OjubA+4fQwjkGYFuDATY5QOITe6kGJpKpw=
-example.com. 3600 IN TYPE63 \# 70 0bee1bc6010246e31506f321c58db811c934c6446141d651a8574fb21088a2bb6feec875fc8b60f50beae00e7f6554e2cf3cb048350ef92e2946137443e30079813db4d1bfbd
-example.com. 3600 IN RRSIG TYPE63 8 2 3600 20201116135527 20201019135527 55566 example.com. M0f4wkOn6dcYtaQtwvp698QL7HuKEgi+PPjYJawV8d1VNOWbbRTF9L9tHFDK42Ylq238uOxi223ZEk/pq4BP64Sm31dV54K2V95QqdzN9NDD34+sqKEgGyRcmBiE50gm3kZZ4ENqBQKc+GdlbZ2fHSI6gf6X694sSmZ7dfjq+2k=
-v4cknoe1mioduf5bmhgfjjq4dlqet8fm.example.com. 3600 IN NSEC3 1 0 1 012345 2v43f6ripfocif5h6bbi07glq6849rnj NS SOA RRSIG DNSKEY NSEC3PARAM TYPE63
-v4cknoe1mioduf5bmhgfjjq4dlqet8fm.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. Yd+g1m2aDKDUuZNv2KpKk4uSNrpB5KLM3QUqypm484VjOpnj5Wy3BjUULH3P8z+S9PG7XbaOf+yUYHK8cI6i5GTcrMhoLKaanAD09i1KbXbTVJujwA9Za7WzlFVZ3o6f1D8CbrSS3YPWNF3Mb2FYaptvZ9so7MlecuLYdEer7DY=
-bar.example.com. 3600 IN A 1.2.3.4
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-c6ntadrd765diocebcrq6trs8npn83o3.example.com. 3600 IN NSEC3 1 0 1 012345 f0lpjkgefgrobj5pucem78r2ouo53fq8 A RRSIG
-c6ntadrd765diocebcrq6trs8npn83o3.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. gTDi/2e/RPeSOwoBr6oqfoFsGXAknLX3J96EHzMmhtRR7W4pEW8uXKsMJ3rr4qgUUX+ZtzoCMYy+UBkiJfjpWvMToGtuADNOzz0rF8BESaW/8k6iDKPmqmwdGyLGMmfGjYPcb4qg3+9egLejA+fF1OSrhHuINeO80ouw++PL0ns=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-r18q2sl76hceldh0keqr7vnqc15db64a.example.com. 3600 IN NSEC3 1 0 1 012345 v4cknoe1mioduf5bmhgfjjq4dlqet8fm A RRSIG
-r18q2sl76hceldh0keqr7vnqc15db64a.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. VugivzPyv5+qZhl+x0frrykYyOOdZfcKdmIA13P4OzhtiRNhCRHznhrdTlmfLw/b5Rs5jFX7Iw/hhU80Geg72cYG4KVJwtP6zTyFApDl/8x3rj3vhZOc2nwpYmjjFsyrlb7M2RhcStnS6c/2R4+dBFwwVZXyJBi3fo9NybujI9g=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-f0lpjkgefgrobj5pucem78r2ouo53fq8.example.com. 3600 IN NSEC3 1 0 1 012345 r18q2sl76hceldh0keqr7vnqc15db64a A RRSIG
-f0lpjkgefgrobj5pucem78r2ouo53fq8.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. zishUbm8GxjaHOOUdbz0ZEut99dm+DQ/zvxhOTeS3kmUnL8t3ISew641JeNvvajAUk/xn6eGHjLBuHfwNG+itF2pSD8Gl6Ppo22Y0C9uO5TyRQalYpjtz1kI/VlIelcd0TyusmIMaRChswtpctPKITbr8Wl+MoZZtPQhJ5NjQlQ=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-2v43f6ripfocif5h6bbi07glq6849rnj.example.com. 3600 IN NSEC3 1 0 1 012345 91onuasouslv1so1i62id4rf0l763dss A RRSIG
-2v43f6ripfocif5h6bbi07glq6849rnj.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. d9CluwN3zWfLe20J212CuwNzJVbVsDR4eijuJyLpyHzziSc10CauWtUiuHeQMXCVJNwhPSb5kQTfKtql+Jd44BQlenRt/sHfa6YZEOwClN4O8V0vZ43K4vlwwWbh5kxQbFQ/e+w4vlYb1m4PHwzDLtqocNQ9T4A8SXl3A8paZqI=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-91onuasouslv1so1i62id4rf0l763dss.example.com. 3600 IN NSEC3 1 0 1 012345 c6ntadrd765diocebcrq6trs8npn83o3 A RRSIG
-91onuasouslv1so1i62id4rf0l763dss.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. czJf5HkfHLpfGcku2iZnCu9tXnM7VWOYYhGtVAwkYG0M6BO4LzRxGCV3SkUvHLFxoqQY0DZLnafPl2MKg8zsF+tusf3e3xmpcCSR29IfuDYH7GzuVCj3H0ScmXM0lvyQ92JpJ0AMqq2mW1nvKmgjkyugs+EMpxcFVjhibljocLU=
diff --git a/contrib/unbound/testdata/zonemd.example7.zone b/contrib/unbound/testdata/zonemd.example7.zone
deleted file mode 100644
index 4339bd570c56..000000000000
--- a/contrib/unbound/testdata/zonemd.example7.zone
+++ /dev/null
@@ -1,31 +0,0 @@
-; DNSSEC NSEC zone without ZONEMD
-; created with
-; ldns-signzone -e 20201116135527 -i 20201019135527 zonemd.example2.zone Kexample.com.+008+55566
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b}
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ROT+Kh6Y0sEf+L9c2HGPvppLL/DFP5KcX/zSjy7ovM7vXTrrdhEhOedbuccN84tk6VU8udGIixd5Usc+juZ+WsiWwaSNB5rKo6lZ9ceOJlYVzLCmawePzTsl6VAIiIVXwrMxGz/amBd+Ou/1NCuXJiWVThU9PDyJ/lQZbVJEHMA=
-bar.example.com. 3600 IN A 1.2.3.4
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC
-bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC
-ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC
-foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC
-ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
-www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI=
diff --git a/contrib/unbound/testdata/zonemd.example8.zone b/contrib/unbound/testdata/zonemd.example8.zone
deleted file mode 100644
index 2900753c0483..000000000000
--- a/contrib/unbound/testdata/zonemd.example8.zone
+++ /dev/null
@@ -1,34 +0,0 @@
-; DNSSEC NSEC3 zone without ZONEMD
-; created with
-; ldns-signzone -n -s 012345 -e 20201116135527 -i 20201019135527 zonemd.example2.zone Kexample.com.+008+55566
-
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b}
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-example.com. 3600 IN NSEC3PARAM 1 0 1 012345
-example.com. 3600 IN RRSIG NSEC3PARAM 8 2 3600 20201116135527 20201019135527 55566 example.com. CDbcPLDrpVUyk3v7kwQ3LNzzhDHS40e0LDv7IZrzMt2AO/6SJ7xhlG+qByhc7CFBUMvBNaOteO5th0tvotWxk0UrVhqRyyXNCr8SmDdAaPH4SGwJ2p+XPIwn0CTXDpyOcgCrW0Kt2OjubA+4fQwjkGYFuDATY5QOITe6kGJpKpw=
-v4cknoe1mioduf5bmhgfjjq4dlqet8fm.example.com. 3600 IN NSEC3 1 0 1 012345 2v43f6ripfocif5h6bbi07glq6849rnj NS SOA RRSIG DNSKEY NSEC3PARAM
-v4cknoe1mioduf5bmhgfjjq4dlqet8fm.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. J2LISTGtBe+x2pNESBOYrBHAJjEDVFkmjJf2kj0GSFYisvSuy6ZUvQZZUB9sfLmEX18FpdNTieE8MrR2nbpKWfgVBDdGtcU72x/GOIRRq586A1KNtP2eJ81vcblM5dvqvpht46tF+xy85j9G9BYxpcT1PQRpvmho9yhgCxq2kUQ=
-bar.example.com. 3600 IN A 1.2.3.4
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-c6ntadrd765diocebcrq6trs8npn83o3.example.com. 3600 IN NSEC3 1 0 1 012345 f0lpjkgefgrobj5pucem78r2ouo53fq8 A RRSIG
-c6ntadrd765diocebcrq6trs8npn83o3.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. gTDi/2e/RPeSOwoBr6oqfoFsGXAknLX3J96EHzMmhtRR7W4pEW8uXKsMJ3rr4qgUUX+ZtzoCMYy+UBkiJfjpWvMToGtuADNOzz0rF8BESaW/8k6iDKPmqmwdGyLGMmfGjYPcb4qg3+9egLejA+fF1OSrhHuINeO80ouw++PL0ns=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-r18q2sl76hceldh0keqr7vnqc15db64a.example.com. 3600 IN NSEC3 1 0 1 012345 v4cknoe1mioduf5bmhgfjjq4dlqet8fm A RRSIG
-r18q2sl76hceldh0keqr7vnqc15db64a.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. VugivzPyv5+qZhl+x0frrykYyOOdZfcKdmIA13P4OzhtiRNhCRHznhrdTlmfLw/b5Rs5jFX7Iw/hhU80Geg72cYG4KVJwtP6zTyFApDl/8x3rj3vhZOc2nwpYmjjFsyrlb7M2RhcStnS6c/2R4+dBFwwVZXyJBi3fo9NybujI9g=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-f0lpjkgefgrobj5pucem78r2ouo53fq8.example.com. 3600 IN NSEC3 1 0 1 012345 r18q2sl76hceldh0keqr7vnqc15db64a A RRSIG
-f0lpjkgefgrobj5pucem78r2ouo53fq8.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. zishUbm8GxjaHOOUdbz0ZEut99dm+DQ/zvxhOTeS3kmUnL8t3ISew641JeNvvajAUk/xn6eGHjLBuHfwNG+itF2pSD8Gl6Ppo22Y0C9uO5TyRQalYpjtz1kI/VlIelcd0TyusmIMaRChswtpctPKITbr8Wl+MoZZtPQhJ5NjQlQ=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-2v43f6ripfocif5h6bbi07glq6849rnj.example.com. 3600 IN NSEC3 1 0 1 012345 91onuasouslv1so1i62id4rf0l763dss A RRSIG
-2v43f6ripfocif5h6bbi07glq6849rnj.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. d9CluwN3zWfLe20J212CuwNzJVbVsDR4eijuJyLpyHzziSc10CauWtUiuHeQMXCVJNwhPSb5kQTfKtql+Jd44BQlenRt/sHfa6YZEOwClN4O8V0vZ43K4vlwwWbh5kxQbFQ/e+w4vlYb1m4PHwzDLtqocNQ9T4A8SXl3A8paZqI=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-91onuasouslv1so1i62id4rf0l763dss.example.com. 3600 IN NSEC3 1 0 1 012345 c6ntadrd765diocebcrq6trs8npn83o3 A RRSIG
-91onuasouslv1so1i62id4rf0l763dss.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20201116135527 20201019135527 55566 example.com. czJf5HkfHLpfGcku2iZnCu9tXnM7VWOYYhGtVAwkYG0M6BO4LzRxGCV3SkUvHLFxoqQY0DZLnafPl2MKg8zsF+tusf3e3xmpcCSR29IfuDYH7GzuVCj3H0ScmXM0lvyQ92JpJ0AMqq2mW1nvKmgjkyugs+EMpxcFVjhibljocLU=
diff --git a/contrib/unbound/testdata/zonemd.example9.zone b/contrib/unbound/testdata/zonemd.example9.zone
deleted file mode 100644
index 9c035aa1310d..000000000000
--- a/contrib/unbound/testdata/zonemd.example9.zone
+++ /dev/null
@@ -1,35 +0,0 @@
-; signed zone but RRSIG on ZONEMD is wrong.
-
-example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM=
-example.com. 3600 IN NS ns.example.com.
-example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg=
-example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b}
-example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA=
-example.com. 3600 IN TYPE63 \# 70 0bee1bc6010258f7620f93204bbb31b44f795b3409cc4abd9ef5601decc15675bd7751213152984eddce0626e6062e744b03b3e47711202fbb79e4a2eb8bc5cf46741b5cae6f
-; old sig
-; example.com. 3600 IN RRSIG TYPE63 8 2 3600 20201116135527 20201019135527 55566 example.com. orn8ZF/yqj9u4WrhiO6gtEcTaVsnZSWWZLfXhcIOiWSB8kKCxtZl5cG17dD3Du1NllUwMRqkp0KleLhIoUS9xeQ/0x05u+CYLrfQ62oAiD7q54ZQzpXJIH52aQzKV70ZnO03CZowhQBnetmIoKX6xLogKo8pt+BdQbo3oVHxV8Y=
-; wrong sig
-example.com. 3600 IN RRSIG TYPE63 8 2 3600 20201116135527 20201019135527 55566 example.com. orn8ZF/yqj9u4WrhiO6gtEcTaVsnZSWWZLfXhcIOiWSB8kKCxtZl5cG17dD3Du1NllUwMRqkp0KleLhIoUS9xeQ/0x05u+CYLrfQ62oAiD7q54ZQzpXJIH52aQzKV70ZnO03CZowhQBnetmIoKX6xLogKo8pt+BdQbo3oVAAAAA=
-example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY TYPE63
-example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ufLrlOQprAqjnH85Rt3T0Mxd3ZB0mBeeNIr84eFJ8Rk6WiWEPm0Y1R7GRufNI24Mj7iqLcL4nJM6KK6B7dJqjqu73jw1acuYNnbsoV2BNDRXRFP2FNWTpctVdi+955f3FzgsmEJXfGiSUG0YXAEcZmdCPCn5ii2jk8mk7r6KKYo=
-bar.example.com. 3600 IN A 1.2.3.4
-bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds=
-bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC
-bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0=
-ding.example.com. 3600 IN A 1.2.3.4
-ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko=
-ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC
-ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU=
-foo.example.com. 3600 IN A 1.2.3.4
-foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA=
-foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC
-foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s=
-ns.example.com. 3600 IN A 127.0.0.1
-ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg=
-ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC
-ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A=
-www.example.com. 3600 IN A 127.0.0.1
-www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ=
-www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
-www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI=
diff --git a/contrib/unbound/testdata/zonemd.example_a1.zone b/contrib/unbound/testdata/zonemd.example_a1.zone
deleted file mode 100644
index 331b45a153d6..000000000000
--- a/contrib/unbound/testdata/zonemd.example_a1.zone
+++ /dev/null
@@ -1,6 +0,0 @@
-example. 86400 IN SOA ns1 admin 2018031900 ( 1800 900 604800 86400 )
- 86400 IN NS ns1
- 86400 IN NS ns2
- 86400 IN ZONEMD 2018031900 1 1 ( c68090d90a7aed71 6bc459f9340e3d7c 1370d4d24b7e2fc3 a1ddc0b9a87153b9 a9713b3c9ae5cc27 777f98b8e730044c )
-ns1 3600 IN A 203.0.113.63
-ns2 3600 IN AAAA 2001:db8::63
diff --git a/contrib/unbound/testdata/zonemd.example_a2.zone b/contrib/unbound/testdata/zonemd.example_a2.zone
deleted file mode 100644
index 56d06ae066bf..000000000000
--- a/contrib/unbound/testdata/zonemd.example_a2.zone
+++ /dev/null
@@ -1,25 +0,0 @@
-example. 86400 IN SOA ns1 admin 2018031900 (
- 1800 900 604800 86400 )
- 86400 IN NS ns1
- 86400 IN NS ns2
- 86400 IN ZONEMD 2018031900 1 1 (
- 31cefb03814f5062
- ad12fa951ba0ef5f
- 8da6ae354a415767
- 246f7dc932ceb1e7
- 42a2108f529db6a3
- 3a11c01493de358d )
-ns1 3600 IN A 203.0.113.63
-ns2 3600 IN AAAA 2001:db8::63
-occluded.sub 7200 IN TXT "I'm occluded but must be digested"
-sub 7200 IN NS ns1
-duplicate 300 IN TXT "I must be digested just once"
-duplicate 300 IN TXT "I must be digested just once"
-foo.test. 555 IN TXT "out-of-zone data must be excluded"
-non-apex 900 IN ZONEMD 2018031900 1 1 (
- 616c6c6f77656420
- 6275742069676e6f
- 7265642e20616c6c
- 6f77656420627574
- 2069676e6f726564
- 2e20616c6c6f7765 )
diff --git a/contrib/unbound/testdata/zonemd.example_a3.zone b/contrib/unbound/testdata/zonemd.example_a3.zone
deleted file mode 100644
index 45c47ad0508e..000000000000
--- a/contrib/unbound/testdata/zonemd.example_a3.zone
+++ /dev/null
@@ -1,30 +0,0 @@
-example. 86400 IN SOA ns1 admin 2018031900 (
- 1800 900 604800 86400 )
-example. 86400 IN NS ns1.example.
-example. 86400 IN NS ns2.example.
-example. 86400 IN ZONEMD 2018031900 1 1 (
- 62e6cf51b02e54b9
- b5f967d547ce4313
- 6792901f9f88e637
- 493daaf401c92c27
- 9dd10f0edb1c56f8
- 080211f8480ee306 )
-example. 86400 IN ZONEMD 2018031900 1 2 (
- 08cfa1115c7b948c
- 4163a901270395ea
- 226a930cd2cbcf2f
- a9a5e6eb85f37c8a
- 4e114d884e66f176
- eab121cb02db7d65
- 2e0cc4827e7a3204
- f166b47e5613fd27 )
-example. 86400 IN ZONEMD 2018031900 1 240 (
- e2d523f654b9422a
- 96c5a8f44607bbee )
-example. 86400 IN ZONEMD 2018031900 241 1 (
- e1846540e33a9e41
- 89792d18d5d131f6
- 05fc283e )
-ns1.example. 3600 IN A 203.0.113.63
-ns2.example. 86400 IN TXT "This example has multiple digests"
-ns2.example. 3600 IN AAAA 2001:db8::63
diff --git a/contrib/unbound/testdata/zonemd.example_a4.zone b/contrib/unbound/testdata/zonemd.example_a4.zone
deleted file mode 100644
index 74b913c89e2b..000000000000
--- a/contrib/unbound/testdata/zonemd.example_a4.zone
+++ /dev/null
@@ -1,127 +0,0 @@
-uri.arpa. 3600 IN SOA sns.dns.icann.org. (
- noc.dns.icann.org. 2018100702 10800 3600 1209600 3600 )
-uri.arpa. 3600 IN RRSIG NSEC 8 2 3600 (
- 20181028142623 20181007205525 47155 uri.arpa.
- eEC4w/oXLR1Epwgv4MBiDtSBsXhqrJVvJWUpbX8XpetAvD35bxwNCUTi
- /pAJVUXefegWeiriD2rkTgCBCMmn7YQIm3gdR+HjY/+o3BXNQnz97f+e
- HAE9EDDzoNVfL1PyV/2fde9tDeUuAGVVwmD399NGq9jWYMRpyri2kysr q/g= )
-uri.arpa. 86400 IN RRSIG NS 8 2 86400 (
- 20181028172020 20181007175821 47155 uri.arpa.
- ATyV2A2A8ZoggC+68u4GuP5MOUuR+2rr3eWOkEU55zAHld/7FiBxl4ln
- 4byJYy7NudUwlMOEXajqFZE7DVl8PpcvrP3HeeGaVzKqaWj+aus0jbKF
- Bsvs2b1qDZemBfkz/IfAhUTJKnto0vSUicJKfItu0GjyYNJCz2CqEuGD Wxc= )
-uri.arpa. 600 IN RRSIG MX 8 2 600 (
- 20181028170556 20181007175821 47155 uri.arpa.
- e7/r3KXDohX1lyVavetFFObp8fB8aXT76HnN9KCQDxSnSghNM83UQV0t
- lTtD8JVeN1mCvcNFZpagwIgB7XhTtm6Beur/m5ES+4uSnVeS6Q66HBZK
- A3mR95IpevuVIZvvJ+GcCAQpBo6KRODYvJ/c/ZG6sfYWkZ7qg/Em5/+3 4UI= )
-uri.arpa. 3600 IN RRSIG DNSKEY 8 2 3600 (
- 20181028152832 20181007175821 15796 uri.arpa.
- nzpbnh0OqsgBBP8St28pLvPEQ3wZAUdEBuUwil+rtjjWlYYiqjPxZ286
- XF4Rq1usfV5x71jZz5IqswOaQgia91ylodFpLuXD6FTGs2nXGhNKkg1V
- chHgtwj70mXU72GefVgo8TxrFYzxuEFP5ZTP92t97FVWVVyyFd86sbbR
- 6DZj3uA2wEvqBVLECgJLrMQ9Yy7MueJl3UA4h4E6zO2JY9Yp0W9woq0B
- dqkkwYTwzogyYffPmGAJG91RJ2h6cHtFjEZe2MnaY2glqniZ0WT9vXXd
- uFPm0KD9U77Ac+ZtctAF9tsZwSdAoL365E2L1usZbA+K0BnPPqGFJRJk
- 5R0A1w== )
-uri.arpa. 3600 IN RRSIG DNSKEY 8 2 3600 (
- 20181028152832 20181007175821 55480 uri.arpa.
- lWtQV/5szQjkXmbcD47/+rOW8kJPksRFHlzxxmzt906+DBYyfrH6uq5X
- nHvrUlQO6M12uhqDeL+bDFVgqSpNy+42/OaZvaK3J8EzPZVBHPJykKMV
- 63T83aAiJrAyHzOaEdmzLCpalqcEE2ImzlLHSafManRfJL8Yuv+JDZFj
- 2WDWfEcUuwkmIZWX11zxp+DxwzyUlRl7x4+ok5iKZWIg5UnBAf6B8T75
- WnXzlhCw3F2pXI0a5LYg71L3Tp/xhjN6Yy9jGlIRf5BjB59X2zra3a2R
- PkI09SSnuEwHyF1mDaV5BmQrLGRnCjvwXA7ho2m+vv4SP5dUdXf+GTeA
- 1HeBfw== )
-uri.arpa. 3600 IN RRSIG SOA 8 2 3600 (
- 20181029114753 20181008222815 47155 uri.arpa.
- qn8yBNoHDjGdT79U2Wu9IIahoS0YPOgYP8lG+qwPcrZ1BwGiHywuoUa2
- Mx6BWZlg+HDyaxj2iOmox+IIqoUHhXUbO7IUkJFlgrOKCgAR2twDHrXu
- 9BUQHy9SoV16wYm3kBTEPyxW5FFm8vcdnKAF7sxSY8BbaYNpRIEjDx4A JUc= )
-uri.arpa. 3600 IN NSEC ftp.uri.arpa. NS SOA (
- MX RRSIG NSEC DNSKEY )
-uri.arpa. 86400 IN NS a.iana-servers.net.
-uri.arpa. 86400 IN NS b.iana-servers.net.
-uri.arpa. 86400 IN NS c.iana-servers.net.
-uri.arpa. 86400 IN NS ns2.lacnic.net.
-uri.arpa. 86400 IN NS sec3.apnic.net.
-uri.arpa. 600 IN MX 10 pechora.icann.org.
-uri.arpa. 3600 IN DNSKEY 256 3 8 (
- AwEAAcBi7tSart2J599zbYWspMNGN70IBWb4ziqyQYH9MTB/VCz6WyUK
- uXunwiJJbbQ3bcLqTLWEw134B6cTMHrZpjTAb5WAwg4XcWUu8mdcPTiL
- Bl6qVRlRD0WiFCTzuYUfkwsh1Rbr7rvrxSQhF5rh71zSpwV5jjjp65Wx
- SdJjlH0B )
-uri.arpa. 3600 IN DNSKEY 257 3 8 (
- AwEAAbNVv6ulgRdO31MtAehz7j3ALRjwZglWesnzvllQl/+hBRZr9QoY
- cO2I+DkO4Q1NKxox4DUIxj8SxPO3GwDuOFR9q2/CFi2O0mZjafbdYtWc
- 3zSdBbi3q0cwCIx7GuG9eqlL+pg7mdk9dgdNZfHwB0LnqTD8ebLPsrO/
- Id7kBaiqYOfMlZnh2fp+2h6OOJZHtY0DK1UlssyB5PKsE0tVzo5s6zo9
- iXKe5u+8WTMaGDY49vG80JPAKE7ezMiH/NZcUMiE0PRZ8D3foq2dYuS5
- ym+vA83Z7v8A+Rwh4UGnjxKB8zmr803V0ASAmHz/gwH5Vb0nH+LObwFt
- l3wpbp+Wpm8= )
-uri.arpa. 3600 IN DNSKEY 257 3 8 (
- AwEAAbwnFTakCvaUKsXji4mgmxZUJi1IygbnGahbkmFEa0L16J+TchKR
- wcgzVfsxUGa2MmeA4hgkAooC3uy+tTmoMsgy8uq/JAj24DjiHzd46LfD
- FK/qMidVqFpYSHeq2Vv5ojkuIsx4oe4KsafGWYNOczKZgH5loGjN2aJG
- mrIm++XCphOskgCsQYl65MIzuXffzJyxlAuts+ecAIiVeqRaqQfr8LRU
- 7wIsLxinXirprtQrbor+EtvlHp9qXE6ARTZDzf4jvsNpKvLFZtmxzFf3
- e/UJz5eHjpwDSiZL7xE8aE1o1nGfPtJx9ZnB3bapltaJ5wY+5XOCKgY0
- xmJVvNQlwdE= )
-ftp.uri.arpa. 3600 IN RRSIG NSEC 8 3 3600 (
- 20181028080856 20181007175821 47155 uri.arpa.
- HClGAqPxzkYkAT7Q/QNtQeB6YrkP6EPOef+9Qo5/2zngwAewXEAQiyF9
- jD1USJiroM11QqBS3v3aIdW/LXORs4Ez3hLcKNO1cKHsOuWAqzmE+BPP
- Arfh8N95jqh/q6vpaB9UtMkQ53tM2fYU1GszOLN0knxbHgDHAh2axMGH lqM= )
-ftp.uri.arpa. 604800 IN RRSIG NAPTR 8 3 604800 (
- 20181028103644 20181007205525 47155 uri.arpa.
- WoLi+vZzkxaoLr2IGZnwkRvcDf6KxiWQd1WZP/U+AWnV+7MiqsWPZaf0
- 9toRErerGoFOiOASNxZjBGJrRgjmavOM9U+LZSconP9zrNFd4dIu6kp5
- YxlQJ0uHOvx1ZHFCj6lAt1ACUIw04ZhMydTmi27c8MzEOMepvn7iH7r7 k7k= )
-ftp.uri.arpa. 3600 IN NSEC http.uri.arpa. NAPTR (
- RRSIG NSEC )
-ftp.uri.arpa. 604800 IN NAPTR 0 0 "" "" (
- "!^ftp://([^:/?#]*).*$!\\1!i" . )
-http.uri.arpa. 3600 IN RRSIG NSEC 8 3 3600 (
- 20181029010647 20181007175821 47155 uri.arpa.
- U03NntQ73LHWpfLmUK8nMsqkwVsOGW2KdsyuHYAjqQSZvKbtmbv7HBmE
- H1+Ii3Z+wtfdMZBy5aC/6sHdx69BfZJs16xumycMlAy6325DKTQbIMN+
- ift9GrKBC7cgCd2msF/uzSrYxxg4MJQzBPvlkwXnY3b7eJSlIXisBIn7 3b8= )
-http.uri.arpa. 604800 IN RRSIG NAPTR 8 3 604800 (
- 20181029011815 20181007205525 47155 uri.arpa.
- T7mRrdag+WSmG+n22mtBSQ/0Y3v+rdDnfQV90LN5Fq32N5K2iYFajF7F
- Tp56oOznytfcL4fHrqOE0wRc9NWOCCUec9C7Wa1gJQcllEvgoAM+L6f0
- RsEjWq6+9jvlLKMXQv0xQuMX17338uoD/xiAFQSnDbiQKxwWMqVAimv5 7Zs= )
-http.uri.arpa. 3600 IN NSEC mailto.uri.arpa. NAPTR (
- RRSIG NSEC )
-http.uri.arpa. 604800 IN NAPTR 0 0 "" "" (
- "!^http://([^:/?#]*).*$!\\1!i" . )
-mailto.uri.arpa. 3600 IN RRSIG NSEC 8 3 3600 (
- 20181028110727 20181007175821 47155 uri.arpa.
- GvxzVL85rEukwGqtuLxek9ipwjBMfTOFIEyJ7afC8HxVMs6mfFa/nEM/
- IdFvvFg+lcYoJSQYuSAVYFl3xPbgrxVSLK125QutCFMdC/YjuZEnq5cl
- fQciMRD7R3+znZfm8d8u/snLV9w4D+lTBZrJJUBe1Efc8vum5vvV7819 ZoY= )
-mailto.uri.arpa. 604800 IN RRSIG NAPTR 8 3 604800 (
- 20181028141825 20181007205525 47155 uri.arpa.
- MaADUgc3fc5v++M0YmqjGk3jBdfIA5RuP62hUSlPsFZO4k37erjIGCfF
- j+g84yc+QgbSde0PQHszl9fE/+SU5ZXiS9YdcbzSZxp2erFpZOTchrpg
- 916T4vx6i59scodjb0l6bDyZ+mtIPrc1w6b4hUyOUTsDQoAJYxdfEuMg Vy4= )
-mailto.uri.arpa. 3600 IN NSEC urn.uri.arpa. NAPTR (
- RRSIG NSEC )
-mailto.uri.arpa. 604800 IN NAPTR 0 0 "" "" (
- "!^mailto:(.*)@(.*)$!\\2!i" . )
-urn.uri.arpa. 3600 IN RRSIG NSEC 8 3 3600 (
- 20181028123243 20181007175821 47155 uri.arpa.
- Hgsw4Deops1O8uWyELGe6hpR/OEqCnTHvahlwiQkHhO5CSEQrbhmFAWe
- UOkmGAdTEYrSz+skLRQuITRMwzyFf4oUkZihGyhZyzHbcxWfuDc/Pd/9
- DSl56gdeBwy1evn5wBTms8yWQVkNtphbJH395gRqZuaJs3LD/qTyJ5Dp LvA= )
-urn.uri.arpa. 604800 IN RRSIG NAPTR 8 3 604800 (
- 20181029071816 20181007205525 47155 uri.arpa.
- ALIZD0vBqAQQt40GQ0Efaj8OCyE9xSRJRdyvyn/H/wZVXFRFKrQYrLAS
- D/K7q6CMTOxTRCu2J8yes63WJiaJEdnh+dscXzZkmOg4n5PsgZbkvUSW
- BiGtxvz5jNncM0xVbkjbtByrvJQAO1cU1mnlDKe1FmVB1uLpVdA9Ib4J hMU= )
-urn.uri.arpa. 3600 IN NSEC uri.arpa. NAPTR RRSIG (
- NSEC )
-urn.uri.arpa. 604800 IN NAPTR 0 0 "" "" (
- "/urn:([^:]+)/\\1/i" . )
-uri.arpa. 3600 IN SOA sns.dns.icann.org. (
- noc.dns.icann.org. 2018100702 10800 3600 1209600 3600 )
diff --git a/contrib/unbound/testdata/zonemd.example_a5.zone b/contrib/unbound/testdata/zonemd.example_a5.zone
deleted file mode 100644
index 246f5e2376db..000000000000
--- a/contrib/unbound/testdata/zonemd.example_a5.zone
+++ /dev/null
@@ -1,48 +0,0 @@
-root-servers.net. 3600000 IN SOA a.root-servers.net. (
- nstld.verisign-grs.com. 2018091100 14400 7200 1209600 3600000 )
-root-servers.net. 3600000 IN NS a.root-servers.net.
-root-servers.net. 3600000 IN NS b.root-servers.net.
-root-servers.net. 3600000 IN NS c.root-servers.net.
-root-servers.net. 3600000 IN NS d.root-servers.net.
-root-servers.net. 3600000 IN NS e.root-servers.net.
-root-servers.net. 3600000 IN NS f.root-servers.net.
-root-servers.net. 3600000 IN NS g.root-servers.net.
-root-servers.net. 3600000 IN NS h.root-servers.net.
-root-servers.net. 3600000 IN NS i.root-servers.net.
-root-servers.net. 3600000 IN NS j.root-servers.net.
-root-servers.net. 3600000 IN NS k.root-servers.net.
-root-servers.net. 3600000 IN NS l.root-servers.net.
-root-servers.net. 3600000 IN NS m.root-servers.net.
-a.root-servers.net. 3600000 IN AAAA 2001:503:ba3e::2:30
-a.root-servers.net. 3600000 IN A 198.41.0.4
-b.root-servers.net. 3600000 IN MX 20 mail.isi.edu.
-b.root-servers.net. 3600000 IN AAAA 2001:500:200::b
-b.root-servers.net. 3600000 IN A 199.9.14.201
-c.root-servers.net. 3600000 IN AAAA 2001:500:2::c
-c.root-servers.net. 3600000 IN A 192.33.4.12
-d.root-servers.net. 3600000 IN AAAA 2001:500:2d::d
-d.root-servers.net. 3600000 IN A 199.7.91.13
-e.root-servers.net. 3600000 IN AAAA 2001:500:a8::e
-e.root-servers.net. 3600000 IN A 192.203.230.10
-f.root-servers.net. 3600000 IN AAAA 2001:500:2f::f
-f.root-servers.net. 3600000 IN A 192.5.5.241
-g.root-servers.net. 3600000 IN AAAA 2001:500:12::d0d
-g.root-servers.net. 3600000 IN A 192.112.36.4
-h.root-servers.net. 3600000 IN AAAA 2001:500:1::53
-h.root-servers.net. 3600000 IN A 198.97.190.53
-i.root-servers.net. 3600000 IN MX 10 mx.i.root-servers.org.
-i.root-servers.net. 3600000 IN AAAA 2001:7fe::53
-i.root-servers.net. 3600000 IN A 192.36.148.17
-j.root-servers.net. 3600000 IN AAAA 2001:503:c27::2:30
-j.root-servers.net. 3600000 IN A 192.58.128.30
-k.root-servers.net. 3600000 IN AAAA 2001:7fd::1
-k.root-servers.net. 3600000 IN A 193.0.14.129
-l.root-servers.net. 3600000 IN AAAA 2001:500:9f::42
-l.root-servers.net. 3600000 IN A 199.7.83.42
-m.root-servers.net. 3600000 IN AAAA 2001:dc3::35
-m.root-servers.net. 3600000 IN A 202.12.27.33
-root-servers.net. 3600000 IN SOA a.root-servers.net. (
- nstld.verisign-grs.com. 2018091100 14400 7200 1209600 3600000 )
-root-servers.net. 3600000 IN ZONEMD 2018091100 1 1 (
- f1ca0ccd91bd5573d9f431c00ee0101b2545c97602be0a97
- 8a3b11dbfc1c776d5b3e86ae3d973d6b5349ba7f04340f79 )
diff --git a/contrib/unbound/testdata/zonemd_reload.tdir/zonemd_reload.dsc b/contrib/unbound/testdata/zonemd_reload.tdir/zonemd_reload.dsc
deleted file mode 100644
index 016c3d6c7ff0..000000000000
--- a/contrib/unbound/testdata/zonemd_reload.tdir/zonemd_reload.dsc
+++ /dev/null
@@ -1,16 +0,0 @@
-BaseName: zonemd_reload
-Version: 1.0
-Description: ZONEMD check after auth_zone_reload
-CreationDate: Tue 23 Oct 12:00:00 CEST 2020
-Maintainer: dr. W.C.A. Wijngaards
-Category:
-Component:
-CmdDepends:
-Depends:
-Help:
-Pre: zonemd_reload.pre
-Post: zonemd_reload.post
-Test: zonemd_reload.test
-AuxFiles:
-Passed:
-Failure:
diff --git a/contrib/unbound/testdata/zonemd_reload.tdir/zonemd_reload.test b/contrib/unbound/testdata/zonemd_reload.tdir/zonemd_reload.test
deleted file mode 100644
index fbdf07511306..000000000000
--- a/contrib/unbound/testdata/zonemd_reload.tdir/zonemd_reload.test
+++ /dev/null
@@ -1,74 +0,0 @@
-# #-- zonemd_reload.test --#
-# source the master var file when it's there
-[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
-# use .tpkg.var.test for in test variable passing
-[ -f .tpkg.var.test ] && source .tpkg.var.test
-
-PRE="../.."
-# do the test
-echo "> dig www.example.com."
-dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
-if grep SERVFAIL outfile; then
- echo "> try again"
- dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
-fi
-if grep SERVFAIL outfile; then
- echo "> try again"
- sleep 1
- dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
-fi
-if grep SERVFAIL outfile; then
- echo "> try again"
- sleep 1
- dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
-fi
-if grep SERVFAIL outfile; then
- echo "> try again"
- sleep 1
- dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
-fi
-if grep SERVFAIL outfile; then
- echo "> try again"
- sleep 10
- dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
-fi
-if grep SERVFAIL outfile; then
- echo "> try again"
- sleep 10
- dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
-fi
-echo "> cat logfiles"
-cat fwd.log
-cat unbound.log
-echo "> check answer"
-if grep www.example.com outfile | grep "192.0.2.1"; then
- echo "OK"
-else
- echo "Not OK"
- exit 1
-fi
-
-echo "> unbound-control status"
-$PRE/unbound-control -c ub.conf status
-if test $? -ne 0; then
- echo "wrong exit value."
- exit 1
-else
- echo "exit value: OK"
-fi
-
-echo "> unbound-control auth_zone_reload example.com"
-$PRE/unbound-control -c ub.conf auth_zone_reload example.com 2>&1 | tee outfile
-if test $? -ne 0; then
- echo "wrong exit value."
- exit 1
-fi
-echo "> check unbound-control output"
-if grep "example.com: ZONEMD verification successful" outfile; then
- echo "OK"
-else
- echo "Not OK"
- exit 1
-fi
-
-exit 0
diff --git a/contrib/unbound/testdata/zonemd_reload.tdir/zonemd_reload.testns b/contrib/unbound/testdata/zonemd_reload.tdir/zonemd_reload.testns
deleted file mode 100644
index f1678a1ccc30..000000000000
--- a/contrib/unbound/testdata/zonemd_reload.tdir/zonemd_reload.testns
+++ /dev/null
@@ -1,27 +0,0 @@
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-example.com. IN SOA
-SECTION ANSWER
-example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-example.com. IN AXFR
-SECTION ANSWER
-example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
-example.com. IN NS ns.example.net.
-EXTRA_PACKET
-REPLY QR AA NOERROR
-SECTION QUESTION
-example.com. IN AXFR
-SECTION ANSWER
-www.example.com. IN A 1.2.3.4
-example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
-ENTRY_END
diff --git a/contrib/unbound/testdata/zonemd_reload.tdir/zonemd_reload.zone b/contrib/unbound/testdata/zonemd_reload.tdir/zonemd_reload.zone
deleted file mode 100644
index 01e57a738e37..000000000000
--- a/contrib/unbound/testdata/zonemd_reload.tdir/zonemd_reload.zone
+++ /dev/null
@@ -1,8 +0,0 @@
-example.com. IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
-example.com. IN NS ns.example.com.
-example.com. IN ZONEMD 200154054 1 2 D207FBBD1403DC8FDDC0159AB1F4B4C54A2FEB814E5CB1E82841C51D1372E78E4F6C75F7A9D710CC78C54E2DB3B92D07C72990644F93E1C44AC356EACA3980C5
-www.example.com. IN A 192.0.2.1
-ns.example.com. IN A 192.0.2.1
-bar.example.com. IN A 1.2.3.4
-ding.example.com. IN A 1.2.3.4
-foo.example.com. IN A 1.2.3.4
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-01 07:29:30 +0000