From e8984b87b1da9efe8ea2da57cf5faa627fa8d987 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Tue, 12 Feb 2019 15:28:41 +0100
Subject: [PATCH 001/127] sholder.hh: pragma once

---
 pdns/sholder.hh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pdns/sholder.hh b/pdns/sholder.hh
index 5a57ddc59c9e..75837c30f146 100644
--- a/pdns/sholder.hh
+++ b/pdns/sholder.hh
@@ -19,6 +19,7 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
+#pragma once
 #include <memory>
 #include <atomic>
 #include <mutex>

From 559b6c9331eac5bd419eb31db41e3063c25e0254 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Tue, 12 Feb 2019 15:44:44 +0100
Subject: [PATCH 002/127] rec: Implement options to not throttle servers

---
 pdns/pdns_recursor.cc                | 23 +++++++++++++++++++
 pdns/recursordist/docs/settings.rst  | 34 ++++++++++++++++++++++++++++
 pdns/recursordist/test-syncres_cc.cc |  2 ++
 pdns/syncres.cc                      |  9 ++++++--
 pdns/syncres.hh                      |  4 ++++
 5 files changed, 70 insertions(+), 2 deletions(-)

diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index f4842e9e7c8d..749c6750a490 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -237,6 +237,10 @@ unsigned int g_numThreads;
 uint16_t g_outgoingEDNSBufsize;
 bool g_logRPZChanges{false};
 
+// Used in the Syncres to not throttle certain servers
+GlobalStateHolder<SuffixMatchNode> g_dontThrottleNames;
+GlobalStateHolder<NetmaskGroup> g_dontThrottleNetmasks;
+
 #define LOCAL_NETS "127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10"
 #define LOCAL_NETS_INVERSE "!127.0.0.0/8, !10.0.0.0/8, !100.64.0.0/10, !169.254.0.0/16, !192.168.0.0/16, !172.16.0.0/12, !::1/128, !fc00::/7, !fe80::/10"
 // Bad Nets taken from both:
@@ -3715,6 +3719,23 @@ static int serviceMain(int argc, char*argv[])
 
   g_statisticsInterval = ::arg().asNum("statistics-interval");
 
+  {
+    SuffixMatchNode dontThrottleNames;
+    vector<string> parts;
+    stringtok(parts, ::arg()["dont-throttle-names"]);
+    for (const auto &p : parts) {
+      dontThrottleNames.add(DNSName(p));
+    }
+    g_dontThrottleNames.setState(dontThrottleNames);
+
+    NetmaskGroup dontThrottleNetmasks;
+    stringtok(parts, ::arg()["dont-throttle-netmasks"]);
+    for (const auto &p : parts) {
+      dontThrottleNetmasks.addMask(Netmask(p));
+    }
+    g_dontThrottleNetmasks.setState(dontThrottleNetmasks);
+  }
+
 #ifdef SO_REUSEPORT
   g_reusePort = ::arg().mustDo("reuseport");
 #endif
@@ -4219,6 +4240,8 @@ int main(int argc, char **argv)
     ::arg().set("max-tcp-clients","Maximum number of simultaneous TCP clients")="128";
     ::arg().set("server-down-max-fails","Maximum number of consecutive timeouts (and unreachables) to mark a server as down ( 0 => disabled )")="64";
     ::arg().set("server-down-throttle-time","Number of seconds to throttle all queries to a server after being marked as down")="60";
+    ::arg().set("dont-throttle-names", "Do not throttle nameservers with this name or suffix")="";
+    ::arg().set("dont-throttle-netmasks", "Do not throttle nameservers with this IP netmask")="";
     ::arg().set("hint-file", "If set, load root hints from this file")="";
     ::arg().set("max-cache-entries", "If set, maximum number of entries in the main cache")="1000000";
     ::arg().set("max-negative-ttl", "maximum number of seconds to keep a negative cached entry in memory")="3600";
diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index 5d44334fdbc4..6e225f36fc5c 100644
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
@@ -268,6 +268,40 @@ Operate in the background.
 
 Which domains we only accept delegations from (a Verisign special).
 
+.. _setting-dont-throttle-names:
+
+``dont-throttle-names``
+----------------------------
+.. versionadded:: 4.2.0
+
+-  Comma separated list of domain-names
+-  Default: (empty)
+
+When an authotitative server does not answer a query or sends a reply the recursor does lot like, it is throttled.
+Any servers' name suffix-matching the supplied names will never be throttled.
+
+.. warning::
+  Most servers on the internet do not respond for a good reason (overloaded or unreachable), ``dont-throttle-names`` could make this load on the upstream server even higher, resulting in further service degredation.
+
+.. _setting-dont-throttle-netmasks:
+
+``dont-throttle-netmasks``
+----------------------------
+.. versionadded:: 4.2.0
+
+-  Comma separated list of netmasks
+-  Default: (empty)
+
+When an authotitative server does not answer a query or sends a reply the recursor does lot like, it is throttled.
+Any servers matching the supplied netmasks will never be throttled.
+
+This can come in handy on lossy networks when forwarding, where the same server is configured multiple times (e.g. with ``forward-zones-recurse=example.com=192.0.2.1;192.0.2.1``).
+By default, the PowerDNS Recursor would throttle the "first" server on a timeout and hence not retry the "second" one.
+In this case, ``dont-throttle-netmasks`` could be set to ``192.0.2.1``.
+
+.. warning::
+  Most servers on the internet do not respond for a good reason (overloaded or unreachable), ``dont-throttle-netmasks`` could make this load on the upstream server even higher, resulting in further service degredation.
+
 .. _setting-disable-packetcache:
 
 ``disable-packetcache``
diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc
index eb38f362c57a..bcec3a4f181a 100644
--- a/pdns/recursordist/test-syncres_cc.cc
+++ b/pdns/recursordist/test-syncres_cc.cc
@@ -17,6 +17,8 @@
 
 RecursorStats g_stats;
 GlobalStateHolder<LuaConfigItems> g_luaconfs;
+GlobalStateHolder<SuffixMatchNode> g_dontThrottleNames;
+GlobalStateHolder<NetmaskGroup> g_dontThrottleNetmasks;
 thread_local std::unique_ptr<MemRecursorCache> t_RC{nullptr};
 unsigned int g_numThreads = 1;
 bool g_lowercaseOutgoing = false;
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 52d3e1b659e2..2bc62e4b7b41 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -2693,7 +2693,12 @@ bool SyncRes::doResolveAtThisIP(const std::string& prefix, const DNSName& qname,
       LOG(prefix<<qname<<": error resolving from "<<remoteIP.toString()<< (doTCP ? " over TCP" : "") <<", possible error: "<<strerror(errno)<< endl);
     }
 
-    if(resolveret != -2 && !chained) { // don't account for resource limits, they are our own fault
+    auto dontThrottleNames = g_dontThrottleNames.getLocal();
+    auto dontThrottleNetmasks = g_dontThrottleNetmasks.getLocal();
+
+    if(resolveret != -2 && !chained && !(dontThrottleNames->check(nsName) || dontThrottleNetmasks->match(remoteIP))) {
+      // don't account for resource limits, they are our own fault
+      // And don't throttle when the IP address is on the dontThrottleNetmasks list or the name is part of dontThrottleNames
       t_sstorage.nsSpeeds[nsName.empty()? DNSName(remoteIP.toStringWithPort()) : nsName].submit(remoteIP, 1000000, &d_now); // 1 sec
 
       // code below makes sure we don't filter COM or the root
@@ -2707,7 +2712,7 @@ bool SyncRes::doResolveAtThisIP(const std::string& prefix, const DNSName& qname,
         t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 60, 100);
       }
       else {
-        // timeout
+        // timeout, 10 seconds or 5 queries
         t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 10, 5);
       }
     }
diff --git a/pdns/syncres.hh b/pdns/syncres.hh
index 53825ac81ed7..ce44ba24b1ca 100644
--- a/pdns/syncres.hh
+++ b/pdns/syncres.hh
@@ -49,6 +49,7 @@
 #include "ednssubnet.hh"
 #include "filterpo.hh"
 #include "negcache.hh"
+#include "sholder.hh"
 
 #ifdef HAVE_CONFIG_H
 #include "config.h"
@@ -58,6 +59,9 @@
 #include <boost/uuid/uuid.hpp>
 #endif
 
+extern GlobalStateHolder<SuffixMatchNode> g_dontThrottleNames;
+extern GlobalStateHolder<NetmaskGroup> g_dontThrottleNetmasks;
+
 class RecursorLua4;
 
 typedef map<

From 0c366a8e8183228b86f715d8dd9dbbaf49f7d3e9 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Wed, 13 Feb 2019 11:07:43 +0100
Subject: [PATCH 003/127] rec: Add rec_control getters for dont-throttle-*

---
 pdns/rec_channel.hh     |  4 ++++
 pdns/rec_channel_rec.cc | 20 ++++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/pdns/rec_channel.hh b/pdns/rec_channel.hh
index 0f1dd7973e7f..8f590340a8cc 100644
--- a/pdns/rec_channel.hh
+++ b/pdns/rec_channel.hh
@@ -29,8 +29,12 @@
 #include <pthread.h>
 #include "iputils.hh"
 #include "dnsname.hh"
+#include "sholder.hh"
 #include <atomic>
 
+extern GlobalStateHolder<SuffixMatchNode> g_dontThrottleNames;
+extern GlobalStateHolder<NetmaskGroup> g_dontThrottleNetmasks;
+
 /** this class is used both to send and answer channel commands to the PowerDNS Recursor */
 class RecursorControlChannel
 {
diff --git a/pdns/rec_channel_rec.cc b/pdns/rec_channel_rec.cc
index 0259c6875832..a7fdab2ec712 100644
--- a/pdns/rec_channel_rec.cc
+++ b/pdns/rec_channel_rec.cc
@@ -1288,6 +1288,16 @@ static string* nopFunction()
   return new string("pong\n");
 }
 
+string getDontThrottleNames() {
+  auto dtn = g_dontThrottleNames.getLocal();
+  return dtn->toString() + "\n";
+}
+
+string getDontThrottleNetmasks() {
+  auto dtn = g_dontThrottleNetmasks.getLocal();
+  return dtn->toString() + "\n";
+}
+
 string RecursorControlParser::getAnswer(const string& question, RecursorControlParser::func_t** command)
 {
   *command=nop;
@@ -1315,6 +1325,8 @@ string RecursorControlParser::getAnswer(const string& question, RecursorControlP
 "dump-throttlemap <filename>      dump the contents of the throttle to the named file\n"
 "get [key1] [key2] ..             get specific statistics\n"
 "get-all                          get all statistics\n"
+"get-dont-throttle-names          get the list of names that are not allowed to be throttled\n"
+"get-dont-throttle-netmasks       get the list of netmasks that are not allowed to be throttled\n"
 "get-ntas                         get all configured Negative Trust Anchors\n"
 "get-tas                          get all configured Trust Anchors\n"
 "get-parameter [key1] [key2] ..   get configuration parameters\n"
@@ -1540,5 +1552,13 @@ string RecursorControlParser::getAnswer(const string& question, RecursorControlP
   if (cmd=="set-dnssec-log-bogus")
     return doSetDnssecLogBogus(begin, end);
 
+  if (cmd == "get-dont-throttle-names") {
+    return getDontThrottleNames();
+  }
+
+  if (cmd == "get-dont-throttle-netmasks") {
+    return getDontThrottleNetmasks();
+  }
+
   return "Unknown command '"+cmd+"', try 'help'\n";
 }

From c4ce5418419ff696d9d5d42a7c88141783777eb3 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Wed, 13 Feb 2019 12:15:44 +0100
Subject: [PATCH 004/127] Add rec_control setters for dont-throttle-*

---
 pdns/rec_channel_rec.cc | 86 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 86 insertions(+)

diff --git a/pdns/rec_channel_rec.cc b/pdns/rec_channel_rec.cc
index a7fdab2ec712..850cf935aeae 100644
--- a/pdns/rec_channel_rec.cc
+++ b/pdns/rec_channel_rec.cc
@@ -1298,6 +1298,81 @@ string getDontThrottleNetmasks() {
   return dtn->toString() + "\n";
 }
 
+template<typename T>
+string addDontThrottleNames(T begin, T end) {
+  if (begin == end) {
+    return "No names specified, keeping existing list\n";
+  }
+  vector<DNSName> toAdd;
+  while (begin != end) {
+    try {
+      auto d = DNSName(*begin);
+      toAdd.push_back(d);
+    }
+    catch(const std::exception &e) {
+      return "Problem parsing '" + *begin + "': "+ e.what() + ", nothing added\n";
+    }
+    begin++;
+  }
+
+  string ret = "Added";
+  auto dnt = g_dontThrottleNames.getCopy();
+  bool first = true;
+  for (auto const &d : toAdd) {
+    if (!first) {
+      ret += ",";
+    }
+    first = false;
+    ret += " " + d.toLogString();
+    dnt.add(d);
+  }
+
+  g_dontThrottleNames.setState(dnt);
+
+  ret += " to the list of nameservers that may not be throttled";
+  g_log<<Logger::Info<<ret<<", requested via control channel"<<endl;
+  return ret + "\n";
+}
+
+template<typename T>
+string addDontThrottleNetmasks(T begin, T end) {
+  if (begin == end) {
+    return "No netmasks specified, keeping existing list\n";
+  }
+  vector<Netmask> toAdd;
+  while (begin != end) {
+    try {
+      auto n = Netmask(*begin);
+      toAdd.push_back(n);
+    }
+    catch(const std::exception &e) {
+      return "Problem parsing '" + *begin + "': "+ e.what() + ", nothing added\n";
+    }
+    catch(const PDNSException &e) {
+      return "Problem parsing '" + *begin + "': "+ e.reason + ", nothing added\n";
+    }
+    begin++;
+  }
+
+  string ret = "Added";
+  auto dnt = g_dontThrottleNetmasks.getCopy();
+  bool first = true;
+  for (auto const &t : toAdd) {
+    if (!first) {
+      ret += ",";
+    }
+    first = false;
+    ret += " " + t.toString();
+    dnt.addMask(t);
+  }
+
+  g_dontThrottleNetmasks.setState(dnt);
+
+  ret += " to the list of nameserver netmasks that may not be throttled";
+  g_log<<Logger::Info<<ret<<", requested via control channel"<<endl;
+  return ret + "\n";
+}
+
 string RecursorControlParser::getAnswer(const string& question, RecursorControlParser::func_t** command)
 {
   *command=nop;
@@ -1313,6 +1388,9 @@ string RecursorControlParser::getAnswer(const string& question, RecursorControlP
   // should probably have a smart dispatcher here, like auth has
   if(cmd=="help")
     return
+"add-dont-throttle-names [N...]   add names that are not allowed to be throttled\n"
+"add-dont-throttle-netmasks [N...]\n"
+"                                 add netmasks that are not allowed to be throttled\n"
 "add-nta DOMAIN [REASON]          add a Negative Trust Anchor for DOMAIN with the comment REASON\n"
 "add-ta DOMAIN DSRECORD           add a Trust Anchor for DOMAIN with data DSRECORD\n"
 "current-queries                  show currently active queries\n"
@@ -1560,5 +1638,13 @@ string RecursorControlParser::getAnswer(const string& question, RecursorControlP
     return getDontThrottleNetmasks();
   }
 
+  if (cmd == "add-dont-throttle-names") {
+    return addDontThrottleNames(begin, end);
+  }
+
+  if (cmd == "add-dont-throttle-netmasks") {
+    return addDontThrottleNetmasks(begin, end);
+  }
+
   return "Unknown command '"+cmd+"', try 'help'\n";
 }

From a364fbfb6b70c4de3a13fcb66c791f35b9094f33 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Wed, 13 Feb 2019 16:10:56 +0100
Subject: [PATCH 005/127] SuffixMatchTree: add remove() functions

---
 pdns/dnsname.hh         | 43 +++++++++++++++++++++++++++++++++++++++++
 pdns/test-dnsname_cc.cc | 10 ++++++++++
 2 files changed, 53 insertions(+)

diff --git a/pdns/dnsname.hh b/pdns/dnsname.hh
index f2d9eee21c19..f55d6cbf6881 100644
--- a/pdns/dnsname.hh
+++ b/pdns/dnsname.hh
@@ -286,6 +286,39 @@ struct SuffixMatchTree
     }
   }
 
+  void remove(const DNSName &name) const
+  {
+    remove(name.getRawLabels());
+  }
+
+  /* Removes the node at `labels`, also make sure that no empty
+   * children will be left behind in memory
+   */
+  void remove(std::vector<std::string> labels) const
+  {
+    SuffixMatchTree smt(*labels.rbegin());
+    auto child = children.find(smt);
+    if (child == children.end()) {
+      // No subnode found, we're done
+      return;
+    }
+
+    // We have found a child
+    labels.pop_back();
+    if (labels.empty()) {
+      // The child is no longer an endnode
+      child->endNode = false;
+      // If the child has no further children, just remove it from the set.
+      if (child->children.empty()) {
+        children.erase(child);
+      }
+      return;
+    }
+
+    // We are not at the end, let the child figure out what to do
+    child->remove(labels);
+  }
+
   T* lookup(const DNSName& name)  const
   {
     if(children.empty()) { // speed up empty set
@@ -340,6 +373,16 @@ struct SuffixMatchNode
     d_tree.add(labels, true);
   }
 
+  void remove(const DNSName& name)
+  {
+    d_tree.remove(name);
+  }
+
+  void remove(std::vector<std::string> labels)
+  {
+    d_tree.remove(labels);
+  }
+
   bool check(const DNSName& dnsname) const
   {
     return d_tree.lookup(dnsname) != nullptr;
diff --git a/pdns/test-dnsname_cc.cc b/pdns/test-dnsname_cc.cc
index d003b8ddcc0c..ac81e6679cf2 100644
--- a/pdns/test-dnsname_cc.cc
+++ b/pdns/test-dnsname_cc.cc
@@ -507,6 +507,11 @@ BOOST_AUTO_TEST_CASE(test_suffixmatch) {
   smn.add(net);
   BOOST_CHECK(smn.check(examplenet));
   BOOST_CHECK(smn.check(net));
+
+  // Remove .net and check that example.net still exists
+  smn.remove(net);
+  BOOST_CHECK_EQUAL(smn.check(net), false);
+  BOOST_CHECK(smn.check(examplenet));
 }
 
 BOOST_AUTO_TEST_CASE(test_suffixmatch_tree) {
@@ -558,6 +563,11 @@ BOOST_AUTO_TEST_CASE(test_suffixmatch_tree) {
   BOOST_CHECK_EQUAL(*smt.lookup(examplenet), examplenet);
   BOOST_REQUIRE(smt.lookup(net));
   BOOST_CHECK_EQUAL(*smt.lookup(net), net);
+
+  // Remove .net, and check that example.net remains
+  smt.remove(net);
+  BOOST_CHECK(smt.lookup(net) == nullptr);
+  BOOST_CHECK_EQUAL(*smt.lookup(examplenet), examplenet);
 }
 
 

From fa7cc8af522b5f94df1044231b7c43b9e3d1a179 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Wed, 13 Feb 2019 16:11:28 +0100
Subject: [PATCH 006/127] rec_control: add clear-dont-throttle-* functions

---
 pdns/rec_channel_rec.cc | 110 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 110 insertions(+)

diff --git a/pdns/rec_channel_rec.cc b/pdns/rec_channel_rec.cc
index 850cf935aeae..d130d3e0a32d 100644
--- a/pdns/rec_channel_rec.cc
+++ b/pdns/rec_channel_rec.cc
@@ -1373,6 +1373,105 @@ string addDontThrottleNetmasks(T begin, T end) {
   return ret + "\n";
 }
 
+template<typename T>
+string clearDontThrottleNames(T begin, T end) {
+  if(begin == end)
+    return "No names specified, doing nothing.\n";
+
+  if (begin + 1 == end && *begin == "*"){
+    SuffixMatchNode smn;
+    g_dontThrottleNames.setState(smn);
+    string ret = "Cleared list of nameserver names that may not be throttled";
+    g_log<<Logger::Warning<<ret<<", requested via control channel"<<endl;
+    return ret + "\n";
+  }
+
+  vector<DNSName> toRemove;
+  while (begin != end) {
+    try {
+      if (*begin == "*") {
+        return "Please don't mix '*' with other names, nothing removed\n";
+      }
+      toRemove.push_back(DNSName(*begin));
+    }
+    catch (const std::exception &e) {
+      return "Problem parsing '" + *begin + "': "+ e.what() + ", nothing removed\n";
+    }
+    begin++;
+  }
+
+  string ret = "Removed";
+  bool first = true;
+  auto dnt = g_dontThrottleNames.getCopy();
+  for (const auto &name : toRemove) {
+    if (!first) {
+      ret += ",";
+    }
+    first = false;
+    ret += " " + name.toLogString();
+    dnt.remove(name);
+  }
+
+  g_dontThrottleNames.setState(dnt);
+
+  ret += " from the list of nameservers that may not be throttled";
+  g_log<<Logger::Info<<ret<<", requested via control channel"<<endl;
+  return ret + "\n";
+}
+
+template<typename T>
+string clearDontThrottleNetmasks(T begin, T end) {
+  if(begin == end)
+    return "No netmasks specified, doing nothing.\n";
+
+  if (begin + 1 == end && *begin == "*"){
+    auto nmg = g_dontThrottleNetmasks.getCopy();
+    nmg.clear();
+    g_dontThrottleNetmasks.setState(nmg);
+
+    string ret = "Cleared list of nameserver addresses that may not be throttled";
+    g_log<<Logger::Warning<<ret<<", requested via control channel"<<endl;
+    return ret + "\n";
+  }
+
+  std::vector<Netmask> toRemove;
+  while (begin != end) {
+    try {
+      if (*begin == "*") {
+        return "Please don't mix '*' with other netmasks, nothing removed\n";
+      }
+      auto n = Netmask(*begin);
+      toRemove.push_back(n);
+    }
+    catch(const std::exception &e) {
+      return "Problem parsing '" + *begin + "': "+ e.what() + ", nothing added\n";
+    }
+    catch(const PDNSException &e) {
+      return "Problem parsing '" + *begin + "': "+ e.reason + ", nothing added\n";
+    }
+    begin++;
+  }
+
+  string ret = "Removed";
+  bool first = true;
+  auto dnt = g_dontThrottleNetmasks.getCopy();
+  for (const auto &mask : toRemove) {
+    if (!first) {
+      ret += ",";
+    }
+    first = false;
+    ret += " " + mask.toString();
+    dnt.deleteMask(mask);
+  }
+
+  g_dontThrottleNetmasks.setState(dnt);
+
+  ret += " from the list of nameservers that may not be throttled";
+  g_log<<Logger::Info<<ret<<", requested via control channel"<<endl;
+  return ret + "\n";
+}
+
+
 string RecursorControlParser::getAnswer(const string& question, RecursorControlParser::func_t** command)
 {
   *command=nop;
@@ -1394,6 +1493,9 @@ string RecursorControlParser::getAnswer(const string& question, RecursorControlP
 "add-nta DOMAIN [REASON]          add a Negative Trust Anchor for DOMAIN with the comment REASON\n"
 "add-ta DOMAIN DSRECORD           add a Trust Anchor for DOMAIN with data DSRECORD\n"
 "current-queries                  show currently active queries\n"
+"clear-dont-throttle-names [N...] remove names that are not allowed to be throttled. If N is '*', remove all\n"
+"clear-dont-throttle-netmasks [N...]\n"
+"                                 remove netmasks that are not allowed to be throttled. If N is '*', remove all\n"
 "clear-nta [DOMAIN]...            Clear the Negative Trust Anchor for DOMAINs, if no DOMAIN is specified, remove all\n"
 "clear-ta [DOMAIN]...             Clear the Trust Anchor for DOMAINs\n"
 "dump-cache <filename>            dump cache contents to the named file\n"
@@ -1646,5 +1748,13 @@ string RecursorControlParser::getAnswer(const string& question, RecursorControlP
     return addDontThrottleNetmasks(begin, end);
   }
 
+  if (cmd == "clear-dont-throttle-names") {
+    return clearDontThrottleNames(begin, end);
+  }
+
+  if (cmd == "clear-dont-throttle-netmasks") {
+    return clearDontThrottleNetmasks(begin, end);
+  }
+
   return "Unknown command '"+cmd+"', try 'help'\n";
 }

From 606400e75a0a538c63eb9de82d0b4ea392025776 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Wed, 13 Feb 2019 16:54:12 +0100
Subject: [PATCH 007/127] SuffixMatchNode: implement a proper toString()

---
 pdns/dnsname.hh | 30 ++++++++++++++++++++++++------
 1 file changed, 24 insertions(+), 6 deletions(-)

diff --git a/pdns/dnsname.hh b/pdns/dnsname.hh
index f55d6cbf6881..5c2b6bf0161d 100644
--- a/pdns/dnsname.hh
+++ b/pdns/dnsname.hh
@@ -348,6 +348,20 @@ struct SuffixMatchTree
     return child->lookup(labels);
   }
 
+  // Returns all end-nodes, fully qualified (not as separate labels)
+  std::vector<DNSName> getNodes() const {
+    std::vector<DNSName> ret;
+    if (endNode) {
+      ret.push_back(DNSName(d_name));
+    }
+    for (const auto& child : children) {
+      auto nodes = child.getNodes();
+      for (const auto &node: nodes) {
+        ret.push_back(node + DNSName(d_name));
+      }
+    }
+    return ret;
+  }
 };
 
 /* Quest in life: serve as a rapid block list. If you add a DNSName to a root SuffixMatchNode,
@@ -356,15 +370,10 @@ struct SuffixMatchNode
 {
   SuffixMatchNode()
   {}
-  std::string d_human;
   SuffixMatchTree<bool> d_tree;
 
   void add(const DNSName& dnsname)
   {
-    if(!d_human.empty())
-      d_human.append(", ");
-    d_human += dnsname.toString();
-
     d_tree.add(dnsname, true);
   }
 
@@ -390,7 +399,16 @@ struct SuffixMatchNode
 
   std::string toString() const
   {
-    return d_human;
+    std::string ret;
+    bool first = true;
+    for (const auto &n: d_tree.getNodes()) {
+      if (!first) {
+        ret += ", ";
+      }
+      first = false;
+      ret += n.toString();
+    }
+    return ret;
   }
 
 };

From 67689ec72ed56b7add16f9c534992155afcbf08f Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Wed, 13 Feb 2019 17:06:04 +0100
Subject: [PATCH 008/127] SuffixMatchTree: add comment on value replacement

---
 pdns/dnsname.hh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pdns/dnsname.hh b/pdns/dnsname.hh
index 5c2b6bf0161d..cb69cac88a95 100644
--- a/pdns/dnsname.hh
+++ b/pdns/dnsname.hh
@@ -308,6 +308,9 @@ struct SuffixMatchTree
     if (labels.empty()) {
       // The child is no longer an endnode
       child->endNode = false;
+      // TODO clear d_value for this node as d_value = T() would break for types
+      // that require initialization
+
       // If the child has no further children, just remove it from the set.
       if (child->children.empty()) {
         children.erase(child);

From 478eda5a229294c73a3111e91235d2bcfcfe6157 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Wed, 13 Feb 2019 17:23:07 +0100
Subject: [PATCH 009/127] rec_control.1: document dont-throttle commands

---
 .../docs/manpages/rec_control.1.rst            | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/pdns/recursordist/docs/manpages/rec_control.1.rst b/pdns/recursordist/docs/manpages/rec_control.1.rst
index d6b8dfe80498..37c314527afd 100644
--- a/pdns/recursordist/docs/manpages/rec_control.1.rst
+++ b/pdns/recursordist/docs/manpages/rec_control.1.rst
@@ -45,6 +45,12 @@ Options
 
 Commands
 --------
+add-dont-throttle-names NAME [NAME...]
+    Add names for nameserver domains that may not be throttled.
+
+add-dont-throttle-netmasks NETMASK [NETMASK...]
+    Add netmasks for nameservers that may not be throttled.
+
 add-nta *DOMAIN* [*REASON*]
     Add a Negative Trust Anchor for *DOMAIN*, suffixed optionally with
     *REASON*.
@@ -56,6 +62,12 @@ add-ta *DOMAIN* *DSRECORD*
 current-queries
     Shows the currently active queries.
 
+clear-dont-throttle-names NAME [NAME...]
+    Remove names that are not allowed to be throttled. If *NAME* is '*', remove all
+
+clear-dont-throttle-netmasks NETMASK [NETMASK...]
+    Remove netmasks that are not allowed to be throttled. If *NETMASK* is '*', remove all
+
 clear-nta *DOMAIN*...
     Remove Negative Trust Anchor for one or more *DOMAIN*\ s. Set domain to
     '*' to remove all NTA's.
@@ -144,6 +156,12 @@ get *STATISTIC* [*STATISTIC*]...
 get-all
     Retrieve all known statistics.
 
+get-dont-throttle-names
+    Get the list of names that are not allowed to be throttled.
+
+get-dont-throttle-netmasks
+    Get the list of netmasks that are not allowed to be throttled.
+
 get-ntas
     Get a list of the currently configured Negative Trust Anchors.
 

From 68bcc8d0c8413c658bca9b2f815afd64cfb7c21e Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Tue, 19 Feb 2019 10:20:04 +0100
Subject: [PATCH 010/127] Add more unit tests for removal from a
 SuffixMatchTree

---
 pdns/test-dnsname_cc.cc | 55 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/pdns/test-dnsname_cc.cc b/pdns/test-dnsname_cc.cc
index ac81e6679cf2..833f2fc31e43 100644
--- a/pdns/test-dnsname_cc.cc
+++ b/pdns/test-dnsname_cc.cc
@@ -568,6 +568,61 @@ BOOST_AUTO_TEST_CASE(test_suffixmatch_tree) {
   smt.remove(net);
   BOOST_CHECK(smt.lookup(net) == nullptr);
   BOOST_CHECK_EQUAL(*smt.lookup(examplenet), examplenet);
+
+  smt = SuffixMatchTree<DNSName>();
+  smt.add(examplenet, examplenet);
+  smt.add(net, net);
+  smt.add(DNSName("news.bbc.co.uk."), DNSName("news.bbc.co.uk."));
+  smt.add(apowerdnscom, apowerdnscom);
+
+  smt.remove(DNSName("not-such-entry.news.bbc.co.uk."));
+  BOOST_REQUIRE(smt.lookup(DNSName("news.bbc.co.uk.")));
+  smt.remove(DNSName("news.bbc.co.uk."));
+  BOOST_CHECK(smt.lookup(DNSName("news.bbc.co.uk.")) == nullptr);
+
+  smt.remove(net);
+  BOOST_REQUIRE(smt.lookup(examplenet));
+  BOOST_CHECK_EQUAL(*smt.lookup(examplenet), examplenet);
+  BOOST_CHECK(smt.lookup(net) == nullptr);
+
+  smt.remove(examplenet);
+  BOOST_CHECK(smt.lookup(net) == nullptr);
+  BOOST_CHECK(smt.lookup(examplenet) == nullptr);
+
+  smt.add(examplenet, examplenet);
+  smt.add(net, net);
+  BOOST_REQUIRE(smt.lookup(examplenet));
+  BOOST_CHECK_EQUAL(*smt.lookup(examplenet), examplenet);
+  BOOST_REQUIRE(smt.lookup(net));
+  BOOST_CHECK_EQUAL(*smt.lookup(net), net);
+
+  smt.remove(examplenet);
+  BOOST_CHECK_EQUAL(*smt.lookup(examplenet), net);
+  BOOST_CHECK_EQUAL(*smt.lookup(net), net);
+  smt.remove(examplenet);
+  BOOST_CHECK_EQUAL(*smt.lookup(examplenet), net);
+  BOOST_CHECK_EQUAL(*smt.lookup(net), net);
+  smt.remove(net);
+  BOOST_CHECK(smt.lookup(net) == nullptr);
+  BOOST_CHECK(smt.lookup(examplenet) == nullptr);
+  smt.remove(net);
+
+  size_t count = 0;
+  smt.visit([apowerdnscom, &count](const SuffixMatchTree<DNSName>& smt) {
+      count++;
+      BOOST_CHECK_EQUAL(smt.d_value, apowerdnscom);
+    });
+  BOOST_CHECK_EQUAL(count, 1);
+
+  BOOST_CHECK_EQUAL(*smt.lookup(apowerdnscom), apowerdnscom);
+  smt.remove(apowerdnscom);
+  BOOST_CHECK(smt.lookup(apowerdnscom) == nullptr);
+
+  count = 0;
+  smt.visit([&count](const SuffixMatchTree<DNSName>& smt) {
+      count++;
+    });
+  BOOST_CHECK_EQUAL(count, 0);
 }
 
 

From 15d0cc71ce9c8e8d4586c57c642784dad9ce7ba6 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Tue, 19 Feb 2019 11:37:24 +0100
Subject: [PATCH 011/127] rec: pre-calculate string for SuffixMatchNode on
 change

---
 pdns/dnsname.hh | 96 +++++++++++++++++++++++++++++++------------------
 1 file changed, 61 insertions(+), 35 deletions(-)

diff --git a/pdns/dnsname.hh b/pdns/dnsname.hh
index cb69cac88a95..5533da0f600e 100644
--- a/pdns/dnsname.hh
+++ b/pdns/dnsname.hh
@@ -371,49 +371,75 @@ struct SuffixMatchTree
    anything part of that domain will return 'true' in check */
 struct SuffixMatchNode
 {
-  SuffixMatchNode()
-  {}
-  SuffixMatchTree<bool> d_tree;
+  public:
+    SuffixMatchNode()
+    {}
+    SuffixMatchTree<bool> d_tree;
+
+    void add(const DNSName& dnsname)
+    {
+      d_tree.add(dnsname, true);
+      d_nodes.insert(dnsname);
+      updateHuman();
+    }
 
-  void add(const DNSName& dnsname)
-  {
-    d_tree.add(dnsname, true);
-  }
+    void add(std::vector<std::string> labels)
+    {
+      d_tree.add(labels, true);
+      DNSName tmp;
+      while (!labels.empty()) {
+        tmp.appendRawLabel(labels.back());
+        labels.pop_back(); // This is safe because we have a copy of labels
+      }
+      d_nodes.insert(tmp);
+      updateHuman();
+    }
 
-  void add(std::vector<std::string> labels)
-  {
-    d_tree.add(labels, true);
-  }
+    void remove(const DNSName& name)
+    {
+      d_tree.remove(name);
+      d_nodes.erase(name);
+      updateHuman();
+    }
 
-  void remove(const DNSName& name)
-  {
-    d_tree.remove(name);
-  }
+    void remove(std::vector<std::string> labels)
+    {
+      d_tree.remove(labels);
+      DNSName tmp;
+      while (!labels.empty()) {
+        tmp.appendRawLabel(labels.back());
+        labels.pop_back(); // This is safe because we have a copy of labels
+      }
+      d_nodes.erase(tmp);
+      updateHuman();
+    }
 
-  void remove(std::vector<std::string> labels)
-  {
-    d_tree.remove(labels);
-  }
+    bool check(const DNSName& dnsname) const
+    {
+      return d_tree.lookup(dnsname) != nullptr;
+    }
 
-  bool check(const DNSName& dnsname) const
-  {
-    return d_tree.lookup(dnsname) != nullptr;
-  }
+    std::string toString() const
+    {
+      return d_human;
+    }
 
-  std::string toString() const
-  {
-    std::string ret;
-    bool first = true;
-    for (const auto &n: d_tree.getNodes()) {
-      if (!first) {
-        ret += ", ";
+  private:
+    mutable std::string d_human;
+    mutable std::set<DNSName> d_nodes; // Only used for string generation
+
+    void updateHuman() {
+      std::string tmp;
+      bool first = true;
+      for (const auto& n : d_nodes) {
+        if (!first) {
+          tmp += ", ";
+        }
+        first = false;
+        tmp += n.toString();
       }
-      first = false;
-      ret += n.toString();
+      d_human = tmp;
     }
-    return ret;
-  }
-
 };
 
 std::ostream & operator<<(std::ostream &os, const DNSName& d);

From 3f5115d1e74eb9aaa02683e599ce36ab365e8ce9 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Thu, 21 Feb 2019 13:02:04 +0100
Subject: [PATCH 012/127] Don't do O(n) operation needlessly

---
 pdns/dnsname.hh | 24 ++++++++----------------
 1 file changed, 8 insertions(+), 16 deletions(-)

diff --git a/pdns/dnsname.hh b/pdns/dnsname.hh
index 5533da0f600e..ff64e2097f95 100644
--- a/pdns/dnsname.hh
+++ b/pdns/dnsname.hh
@@ -380,7 +380,6 @@ struct SuffixMatchNode
     {
       d_tree.add(dnsname, true);
       d_nodes.insert(dnsname);
-      updateHuman();
     }
 
     void add(std::vector<std::string> labels)
@@ -392,14 +391,12 @@ struct SuffixMatchNode
         labels.pop_back(); // This is safe because we have a copy of labels
       }
       d_nodes.insert(tmp);
-      updateHuman();
     }
 
     void remove(const DNSName& name)
     {
       d_tree.remove(name);
       d_nodes.erase(name);
-      updateHuman();
     }
 
     void remove(std::vector<std::string> labels)
@@ -411,7 +408,6 @@ struct SuffixMatchNode
         labels.pop_back(); // This is safe because we have a copy of labels
       }
       d_nodes.erase(tmp);
-      updateHuman();
     }
 
     bool check(const DNSName& dnsname) const
@@ -421,25 +417,21 @@ struct SuffixMatchNode
 
     std::string toString() const
     {
-      return d_human;
-    }
-
-  private:
-    mutable std::string d_human;
-    mutable std::set<DNSName> d_nodes; // Only used for string generation
-
-    void updateHuman() {
-      std::string tmp;
+      std::string ret;
       bool first = true;
       for (const auto& n : d_nodes) {
         if (!first) {
-          tmp += ", ";
+          ret += ", ";
         }
         first = false;
-        tmp += n.toString();
+        ret += n.toString();
       }
-      d_human = tmp;
+      return ret;
     }
+
+  private:
+    mutable std::string d_human;
+    mutable std::set<DNSName> d_nodes; // Only used for string generation
 };
 
 std::ostream & operator<<(std::ostream &os, const DNSName& d);

From 6dbf337fefdeb053088293dd2e4efdbd21ae289e Mon Sep 17 00:00:00 2001
From: Kees Monshouwer <mind04@monshouwer.org>
Date: Wed, 28 Nov 2018 00:04:16 +0100
Subject: [PATCH 013/127] auth: no dnssec processing for non dnssec zones and
 avoid a lot of isSecuredZone() calls

---
 pdns/packethandler.cc | 43 ++++++++++++++++++++-----------------------
 pdns/packethandler.hh |  1 +
 2 files changed, 21 insertions(+), 23 deletions(-)

diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 72888474af8c..944583606d91 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -585,9 +585,6 @@ void PacketHandler::emitNSEC3(DNSPacket *r, const SOAData& sd, const NSEC3PARAMR
 */
 void PacketHandler::addNSECX(DNSPacket *p, DNSPacket *r, const DNSName& target, const DNSName& wildcard, const DNSName& auth, int mode)
 {
-  if(!p->d_dnssecOk && mode != 5)
-    return;
-
   NSEC3PARAMRecordContent ns3rc;
   bool narrow;
   if(d_dk.getNSEC3PARAM(auth, &ns3rc, &narrow))  {
@@ -971,7 +968,6 @@ void PacketHandler::makeNXDomain(DNSPacket* p, DNSPacket* r, const DNSName& targ
   DNSZoneRecord rr;
   rr.dr.d_name=sd.qname;
   rr.dr.d_type=QType::SOA;
-  
   rr.dr.d_content=makeSOAContent(sd);
   rr.dr.d_ttl=min(sd.ttl, sd.default_ttl);
   rr.signttl=sd.ttl;
@@ -980,8 +976,9 @@ void PacketHandler::makeNXDomain(DNSPacket* p, DNSPacket* r, const DNSName& targ
   rr.auth = 1;
   r->addRecord(rr);
 
-  if(d_dk.isSecuredZone(sd.qname))
+  if(d_dnssec) {
     addNSECX(p, r, target, wildcard, sd.qname, 4);
+  }
 
   r->setRcode(RCode::NXDomain);
 }
@@ -992,7 +989,6 @@ void PacketHandler::makeNOError(DNSPacket* p, DNSPacket* r, const DNSName& targe
   rr.dr.d_name=sd.qname;
   rr.dr.d_type=QType::SOA;
   rr.dr.d_content=makeSOAContent(sd);
-  rr.dr.d_ttl=sd.ttl;
   rr.dr.d_ttl=min(sd.ttl, sd.default_ttl);
   rr.signttl=sd.ttl;
   rr.domain_id=sd.domain_id;
@@ -1000,8 +996,9 @@ void PacketHandler::makeNOError(DNSPacket* p, DNSPacket* r, const DNSName& targe
   rr.auth = 1;
   r->addRecord(rr);
 
-  if(d_dk.isSecuredZone(sd.qname))
+  if(d_dnssec) {
     addNSECX(p, r, target, wildcard, sd.qname, mode);
+  }
 
   S.ringAccount("noerror-queries",p->qdomain.toLogString()+"/"+p->qtype.getName());
 }
@@ -1034,20 +1031,15 @@ bool PacketHandler::tryReferral(DNSPacket *p, DNSPacket*r, SOAData& sd, const DN
   if(!retargeted)
     r->setA(false);
 
-  if(d_dk.isSecuredZone(sd.qname) && !addDSforNS(p, r, sd, rrset.begin()->dr.d_name))
+  if(d_dnssec && !addDSforNS(p, r, sd, rrset.begin()->dr.d_name)) {
     addNSECX(p, r, rrset.begin()->dr.d_name, DNSName(), sd.qname, 1);
-  
+  }
+
   return true;
 }
 
 void PacketHandler::completeANYRecords(DNSPacket *p, DNSPacket*r, SOAData& sd, const DNSName &target)
 {
-  if(!p->d_dnssecOk)
-    return; // Don't send dnssec info to non validating resolvers.
-
-  if(!d_dk.isSecuredZone(sd.qname))
-    return;
-
   addNSECX(p, r, target, DNSName(), sd.qname, 5);
   if(sd.qname == p->qdomain) {
     addDNSKEY(p, r, sd);
@@ -1099,9 +1091,10 @@ bool PacketHandler::tryWildcard(DNSPacket *p, DNSPacket*r, SOAData& sd, DNSName
       r->addRecord(rr);
     }
   }
-  if(d_dk.isSecuredZone(sd.qname) && !nodata) {
+  if(d_dnssec && !nodata) {
     addNSECX(p, r, bestmatch, wildcard, sd.qname, 3);
   }
+
   return true;
 }
 
@@ -1280,7 +1273,11 @@ DNSPacket *PacketHandler::doQuestion(DNSPacket *p)
       goto sendit;
     }
     DLOG(g_log<<Logger::Error<<"We have authority, zone='"<<sd.qname<<"', id="<<sd.domain_id<<endl);
-    authSet.insert(sd.qname); 
+
+    d_dnssec=(p->d_dnssecOk && d_dk.isSecuredZone(sd.qname));
+    if(d_dnssec) {
+      authSet.insert(sd.qname);
+    }
 
     if(!retargetcount) r->qdomainzone=sd.qname;
 
@@ -1300,7 +1297,7 @@ DNSPacket *PacketHandler::doQuestion(DNSPacket *p)
         if(addCDS(p,r, sd))
           goto sendit;
       }
-      else if(p->qtype.getCode() == QType::NSEC3PARAM && d_dk.isSecuredZone(sd.qname))
+      else if(d_dnssec && p->qtype.getCode() == QType::NSEC3PARAM)
       {
         if(addNSEC3PARAM(p,r, sd))
           goto sendit;
@@ -1321,7 +1318,7 @@ DNSPacket *PacketHandler::doQuestion(DNSPacket *p)
     }
 
     // this TRUMPS a cname!
-    if(p->qtype.getCode() == QType::NSEC && d_dk.isSecuredZone(sd.qname) && !d_dk.getNSEC3PARAM(sd.qname, 0)) {
+    if(d_dnssec && p->qtype.getCode() == QType::NSEC && !d_dk.getNSEC3PARAM(sd.qname, 0)) {
       addNSEC(p, r, target, DNSName(), sd.qname, 5);
       if (!r->isEmpty())
         goto sendit;
@@ -1391,8 +1388,8 @@ DNSPacket *PacketHandler::doQuestion(DNSPacket *p)
       }
 #endif
       //cerr<<"got content: ["<<rr.content<<"]"<<endl;
-      if (p->qtype.getCode() == QType::ANY && !p->d_dnssecOk && (rr.dr.d_type == QType:: DNSKEY || rr.dr.d_type == QType::NSEC3PARAM))
-        continue; // Don't send dnssec info to non validating resolvers.
+      if (!d_dnssec && p->qtype.getCode() == QType::ANY && (rr.dr.d_type == QType:: DNSKEY || rr.dr.d_type == QType::NSEC3PARAM))
+        continue; // Don't send dnssec info.
       if (rr.dr.d_type == QType::RRSIG) // RRSIGS are added later any way.
         continue; // TODO: this actually means addRRSig should check if the RRSig is already there
 
@@ -1512,7 +1509,7 @@ DNSPacket *PacketHandler::doQuestion(DNSPacket *p)
       }
 
       if (haveRecords) {
-        if(p->qtype.getCode() == QType::ANY)
+        if(d_dnssec && p->qtype.getCode() == QType::ANY)
           completeANYRecords(p, r, sd, target);
       }
       else
@@ -1548,7 +1545,7 @@ DNSPacket *PacketHandler::doQuestion(DNSPacket *p)
         break;
       }
     }
-    if(p->d_dnssecOk)
+    if(authSet.size())
       addRRSigs(d_dk, B, authSet, r->getRRS());
       
     r->wrapup(); // needed for inserting in cache
diff --git a/pdns/packethandler.hh b/pdns/packethandler.hh
index 0a38735af6f0..fba95ff50cad 100644
--- a/pdns/packethandler.hh
+++ b/pdns/packethandler.hh
@@ -109,6 +109,7 @@ private:
   bool d_doIPv6AdditionalProcessing;
   bool d_doDNAME;
   bool d_doExpandALIAS;
+  bool d_dnssec;
   std::unique_ptr<AuthLua4> d_pdl;
   std::unique_ptr<AuthLua4> d_update_policy_lua;
 

From 49ec5db1de3ad650d37b8735c3da229fc11f1168 Mon Sep 17 00:00:00 2001
From: Kees Monshouwer <mind04@monshouwer.org>
Date: Wed, 27 Feb 2019 09:34:16 +0100
Subject: [PATCH 014/127] auth: update root direct-ns and ref-3ld expected
 results and add a direct DS test

---
 regression-tests.rootzone/tests/direct-ds/command            | 1 +
 regression-tests.rootzone/tests/direct-ds/description        | 1 +
 regression-tests.rootzone/tests/direct-ds/expected_result    | 4 ++++
 .../tests/direct-ds/expected_result.dnssec                   | 5 +++++
 regression-tests.rootzone/tests/direct-ns/command            | 2 +-
 regression-tests.rootzone/tests/direct-ns/expected_result    | 1 +
 .../tests/direct-ns/expected_result.dnssec                   | 2 ++
 regression-tests.rootzone/tests/ref-3ld/command              | 2 +-
 regression-tests.rootzone/tests/ref-3ld/expected_result      | 1 +
 .../tests/ref-3ld/expected_result.dnssec                     | 2 ++
 10 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100755 regression-tests.rootzone/tests/direct-ds/command
 create mode 100644 regression-tests.rootzone/tests/direct-ds/description
 create mode 100644 regression-tests.rootzone/tests/direct-ds/expected_result
 create mode 100644 regression-tests.rootzone/tests/direct-ds/expected_result.dnssec

diff --git a/regression-tests.rootzone/tests/direct-ds/command b/regression-tests.rootzone/tests/direct-ds/command
new file mode 100755
index 000000000000..fee1baef16f8
--- /dev/null
+++ b/regression-tests.rootzone/tests/direct-ds/command
@@ -0,0 +1 @@
+cleandig net DS dnssec
diff --git a/regression-tests.rootzone/tests/direct-ds/description b/regression-tests.rootzone/tests/direct-ds/description
new file mode 100644
index 000000000000..3c8d8b17a36b
--- /dev/null
+++ b/regression-tests.rootzone/tests/direct-ds/description
@@ -0,0 +1 @@
+DS query for an existing TLD should get an answer
diff --git a/regression-tests.rootzone/tests/direct-ds/expected_result b/regression-tests.rootzone/tests/direct-ds/expected_result
new file mode 100644
index 000000000000..8d454a0989c3
--- /dev/null
+++ b/regression-tests.rootzone/tests/direct-ds/expected_result
@@ -0,0 +1,4 @@
+0	net.	IN	DS	86400	35886 8 2 7862b27f5f516ebe19680444d4ce5e762981931842c465f00236401d8bd973ee
+2	.	IN	OPT	32768	
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='net.', qtype=DS
diff --git a/regression-tests.rootzone/tests/direct-ds/expected_result.dnssec b/regression-tests.rootzone/tests/direct-ds/expected_result.dnssec
new file mode 100644
index 000000000000..3b95c8b98e3c
--- /dev/null
+++ b/regression-tests.rootzone/tests/direct-ds/expected_result.dnssec
@@ -0,0 +1,5 @@
+0	net.	IN	DS	86400	35886 8 2 7862b27f5f516ebe19680444d4ce5e762981931842c465f00236401d8bd973ee
+0	net.	IN	RRSIG	86400	DS 13 1 86400 [expiry] [inception] [keytag] . ...
+2	.	IN	OPT	32768	
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='net.', qtype=DS
diff --git a/regression-tests.rootzone/tests/direct-ns/command b/regression-tests.rootzone/tests/direct-ns/command
index 3051e14ce415..6681bf5a4f0d 100755
--- a/regression-tests.rootzone/tests/direct-ns/command
+++ b/regression-tests.rootzone/tests/direct-ns/command
@@ -1 +1 @@
-cleandig net NS
+cleandig net NS dnssec
diff --git a/regression-tests.rootzone/tests/direct-ns/expected_result b/regression-tests.rootzone/tests/direct-ns/expected_result
index 7fc229651b72..e8cd4fe499af 100644
--- a/regression-tests.rootzone/tests/direct-ns/expected_result
+++ b/regression-tests.rootzone/tests/direct-ns/expected_result
@@ -1,4 +1,5 @@
 1	net.	IN	NS	172800	a.gtld-servers.net.
+2	.	IN	OPT	32768	
 2	a.gtld-servers.net.	IN	A	172800	192.5.6.30
 2	a.gtld-servers.net.	IN	AAAA	172800	2001:503:a83e::2:30
 Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
diff --git a/regression-tests.rootzone/tests/direct-ns/expected_result.dnssec b/regression-tests.rootzone/tests/direct-ns/expected_result.dnssec
index 99b191559301..34b452e7499f 100644
--- a/regression-tests.rootzone/tests/direct-ns/expected_result.dnssec
+++ b/regression-tests.rootzone/tests/direct-ns/expected_result.dnssec
@@ -1,5 +1,7 @@
 1	net.	IN	DS	86400	35886 8 2 7862b27f5f516ebe19680444d4ce5e762981931842c465f00236401d8bd973ee
 1	net.	IN	NS	172800	a.gtld-servers.net.
+1	net.	IN	RRSIG	86400	DS 13 1 86400 [expiry] [inception] [keytag] . ...
+2	.	IN	OPT	32768	
 2	a.gtld-servers.net.	IN	A	172800	192.5.6.30
 2	a.gtld-servers.net.	IN	AAAA	172800	2001:503:a83e::2:30
 Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
diff --git a/regression-tests.rootzone/tests/ref-3ld/command b/regression-tests.rootzone/tests/ref-3ld/command
index 9284a40dea45..324d0de13b13 100755
--- a/regression-tests.rootzone/tests/ref-3ld/command
+++ b/regression-tests.rootzone/tests/ref-3ld/command
@@ -1 +1 @@
-cleandig some-host.domain.net A
+cleandig some-host.domain.net A dnssec
diff --git a/regression-tests.rootzone/tests/ref-3ld/expected_result b/regression-tests.rootzone/tests/ref-3ld/expected_result
index 1d4f635e00b6..87f4a7671027 100644
--- a/regression-tests.rootzone/tests/ref-3ld/expected_result
+++ b/regression-tests.rootzone/tests/ref-3ld/expected_result
@@ -1,4 +1,5 @@
 1	net.	IN	NS	172800	a.gtld-servers.net.
+2	.	IN	OPT	32768	
 2	a.gtld-servers.net.	IN	A	172800	192.5.6.30
 2	a.gtld-servers.net.	IN	AAAA	172800	2001:503:a83e::2:30
 Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
diff --git a/regression-tests.rootzone/tests/ref-3ld/expected_result.dnssec b/regression-tests.rootzone/tests/ref-3ld/expected_result.dnssec
index 40c00dd2e2a2..abd2224cebd0 100644
--- a/regression-tests.rootzone/tests/ref-3ld/expected_result.dnssec
+++ b/regression-tests.rootzone/tests/ref-3ld/expected_result.dnssec
@@ -1,5 +1,7 @@
 1	net.	IN	DS	86400	35886 8 2 7862b27f5f516ebe19680444d4ce5e762981931842c465f00236401d8bd973ee
 1	net.	IN	NS	172800	a.gtld-servers.net.
+1	net.	IN	RRSIG	86400	DS 13 1 86400 [expiry] [inception] [keytag] . ...
+2	.	IN	OPT	32768	
 2	a.gtld-servers.net.	IN	A	172800	192.5.6.30
 2	a.gtld-servers.net.	IN	AAAA	172800	2001:503:a83e::2:30
 Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0

From 7865becacac3d1105f9215c20caccf2b071f2fa4 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Fri, 1 Mar 2019 09:04:30 +0100
Subject: [PATCH 015/127] SuffixMatchTree: Remove TODO comment

---
 pdns/dnsname.hh | 2 --
 1 file changed, 2 deletions(-)

diff --git a/pdns/dnsname.hh b/pdns/dnsname.hh
index ff64e2097f95..dc083fa6820d 100644
--- a/pdns/dnsname.hh
+++ b/pdns/dnsname.hh
@@ -308,8 +308,6 @@ struct SuffixMatchTree
     if (labels.empty()) {
       // The child is no longer an endnode
       child->endNode = false;
-      // TODO clear d_value for this node as d_value = T() would break for types
-      // that require initialization
 
       // If the child has no further children, just remove it from the set.
       if (child->children.empty()) {

From 8d983800709fbce5ce62b02632df64cea92b7ee7 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Fri, 1 Mar 2019 09:05:42 +0100
Subject: [PATCH 016/127] SuffixMatchTree: Remove unused d_human member

---
 pdns/dnsname.hh | 1 -
 1 file changed, 1 deletion(-)

diff --git a/pdns/dnsname.hh b/pdns/dnsname.hh
index dc083fa6820d..030057b40af4 100644
--- a/pdns/dnsname.hh
+++ b/pdns/dnsname.hh
@@ -428,7 +428,6 @@ struct SuffixMatchNode
     }
 
   private:
-    mutable std::string d_human;
     mutable std::set<DNSName> d_nodes; // Only used for string generation
 };
 

From c3491dd68e99df9f78ab2fc0bf2d29357af19158 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Fri, 1 Mar 2019 14:59:00 +0100
Subject: [PATCH 017/127] dnsrecords: make DNAME mimic CNAME

---
 pdns/dnsrecords.hh    | 3 +++
 pdns/packethandler.cc | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/pdns/dnsrecords.hh b/pdns/dnsrecords.hh
index d9f5a18ec474..4258f5b26f66 100644
--- a/pdns/dnsrecords.hh
+++ b/pdns/dnsrecords.hh
@@ -272,6 +272,9 @@ class DNAMERecordContent : public DNSRecordContent
 {
 public:
   includeboilerplate(DNAME)
+  DNAMERecordContent(const DNSName& content) : d_content(content){}
+  DNSName getTarget() const { return d_content; }
+private:
   DNSName d_content;
 };
 
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 72888474af8c..726b6c88024e 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -331,7 +331,7 @@ vector<DNSZoneRecord> PacketHandler::getBestDNAMESynth(DNSPacket *p, SOAData& sd
       ret.push_back(rr);  // put in the original
       rr.dr.d_type = QType::CNAME;
       rr.dr.d_name = prefix + rr.dr.d_name;
-      rr.dr.d_content = std::make_shared<CNAMERecordContent>(CNAMERecordContent(prefix + getRR<DNAMERecordContent>(rr.dr)->d_content));
+      rr.dr.d_content = std::make_shared<CNAMERecordContent>(CNAMERecordContent(prefix + getRR<DNAMERecordContent>(rr.dr)->getTarget()));
       rr.auth = 0; // don't sign CNAME
       target= getRR<CNAMERecordContent>(rr.dr)->getTarget();
       ret.push_back(rr); 

From 123da0f8bc6e66e63a85cc04d10808891616a882 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Fri, 1 Mar 2019 14:59:32 +0100
Subject: [PATCH 018/127] SyncRes: Process DNAME answers

---
 pdns/recursordist/test-syncres_cc.cc | 66 ++++++++++++++++++++++++++++
 pdns/syncres.cc                      | 37 +++++++++++++---
 pdns/syncres.hh                      |  1 +
 3 files changed, 98 insertions(+), 6 deletions(-)

diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc
index 8736f32aee43..1a336cf22c5c 100644
--- a/pdns/recursordist/test-syncres_cc.cc
+++ b/pdns/recursordist/test-syncres_cc.cc
@@ -10792,6 +10792,72 @@ BOOST_AUTO_TEST_CASE(test_records_sanitization_scrubs_ns_nxd) {
   BOOST_CHECK_LT(t_RC->get(now, DNSName("spoofed.ns."), QType(QType::AAAA), false, &cached, who), 0);
 }
 
+BOOST_AUTO_TEST_CASE(test_dname_processing) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName dnameOwner("powerdns.com");
+  const DNSName dnameTarget("powerdns.net");
+
+  const DNSName target("dname.powerdns.com.");
+  const DNSName cnameTarget("dname.powerdns.net");
+
+  size_t queries = 0;
+
+  sr->setAsyncCallback([dnameOwner, dnameTarget, target, cnameTarget, &queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queries++;
+
+      if (isRootServer(ip)) {
+        if (domain.isPartOf(dnameOwner)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, dnameOwner, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+          addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        if (domain.isPartOf(dnameTarget)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, dnameTarget, QType::NS, "b.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+          addRecordToLW(res, "b.gtld-servers.net.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+        if (domain == target) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, dnameOwner, QType::DNAME, dnameTarget.toString());
+          addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString());
+          return 1;
+        }
+      } else if (ip == ComboAddress("192.0.2.2:53")) {
+        if (domain == cnameTarget) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, domain, QType::A, "192.0.2.2");
+        }
+        return 1;
+      }
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 3);
+
+  BOOST_CHECK_EQUAL(queries, 4);
+
+  BOOST_CHECK(ret[0].d_type == QType::DNAME);
+  BOOST_CHECK(ret[0].d_name == dnameOwner);
+  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+  BOOST_CHECK(ret[1].d_type == QType::CNAME);
+  BOOST_CHECK_EQUAL(ret[1].d_name, target);
+
+  BOOST_CHECK(ret[2].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[2].d_name, cnameTarget);
+}
+
 /*
 // cerr<<"asyncresolve called to ask "<<ip.toStringWithPort()<<" about "<<domain.toString()<<" / "<<QType(type).getName()<<" over "<<(doTCP ? "TCP" : "UDP")<<" (rd: "<<sendRDQuery<<", EDNS0 level: "<<EDNS0Level<<")"<<endl;
 
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 3cf44f16a371..d247efd4868f 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -47,6 +47,7 @@ SuffixMatchNode SyncRes::s_ednsdomains;
 EDNSSubnetOpts SyncRes::s_ecsScopeZero;
 string SyncRes::s_serverID;
 SyncRes::LogMode SyncRes::s_lm;
+const std::unordered_set<uint16_t> SyncRes::s_redirectionQTypes = {QType::CNAME, QType::DNAME};
 
 unsigned int SyncRes::s_maxnegttl;
 unsigned int SyncRes::s_maxbogusttl;
@@ -2079,7 +2080,7 @@ void SyncRes::sanitizeRecords(const std::string& prefix, LWResult& lwr, const DN
       continue;
     }
 
-    if (rec->d_place == DNSResourceRecord::ANSWER && (qtype != QType::ANY && rec->d_type != qtype.getCode() && rec->d_type != QType::CNAME && rec->d_type != QType::SOA && rec->d_type != QType::RRSIG)) {
+    if (rec->d_place == DNSResourceRecord::ANSWER && (qtype != QType::ANY && rec->d_type != qtype.getCode() && s_redirectionQTypes.count(rec->d_type) == 0 && rec->d_type != QType::SOA && rec->d_type != QType::RRSIG)) {
       LOG(prefix<<"Removing irrelevant record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl);
       rec = lwr.d_records.erase(rec);
       continue;
@@ -2454,6 +2455,7 @@ dState SyncRes::getDenialValidationState(const NegCache::NegCacheEntry& ne, cons
 bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const unsigned int wildcardLabelsCount)
 {
   bool done = false;
+  DNSName dnameTarget, dnameOwner;
 
   for(auto& rec : lwr.d_records) {
     if (rec.d_type!=QType::OPT && rec.d_class!=QClass::IN)
@@ -2513,10 +2515,19 @@ bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, co
 
       negindic=true;
     }
-    else if(rec.d_place==DNSResourceRecord::ANSWER && rec.d_type==QType::CNAME && (!(qtype==QType(QType::CNAME))) && rec.d_name == qname) {
-      ret.push_back(rec);
-      if (auto content = getRR<CNAMERecordContent>(rec)) {
-        newtarget=content->getTarget();
+    else if(rec.d_place==DNSResourceRecord::ANSWER && s_redirectionQTypes.count(rec.d_type) > 0 && // CNAME or DNAME answer
+        s_redirectionQTypes.count(qtype.getCode()) == 0) { // But not in response to a CNAME or DNAME query
+      if (rec.d_type == QType::CNAME && rec.d_name == qname) {
+        ret.push_back(rec);
+        if (auto content = getRR<CNAMERecordContent>(rec)) {
+          newtarget=content->getTarget();
+        }
+      } else if (rec.d_type == QType::DNAME && qname.isPartOf(rec.d_name)) { // DNAME
+        ret.push_back(rec);
+        if (auto content = getRR<DNAMERecordContent>(rec)) {
+          dnameOwner = rec.d_name;
+          dnameTarget = content->getTarget();
+        }
       }
     }
     /* if we have a positive answer synthetized from a wildcard, we need to
@@ -2571,8 +2582,14 @@ bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, co
       ret.push_back(rec);
     }
     else if((rec.d_type==QType::RRSIG || rec.d_type==QType::NSEC || rec.d_type==QType::NSEC3) && rec.d_place==DNSResourceRecord::ANSWER) {
-      if(rec.d_type != QType::RRSIG || rec.d_name == qname)
+      if(rec.d_type != QType::RRSIG || rec.d_name == qname) {
         ret.push_back(rec); // enjoy your DNSSEC
+      } else if(rec.d_type == QType::RRSIG && qname.isPartOf(rec.d_name)) {
+        auto rrsig = getRR<RRSIGRecordContent>(rec);
+        if (rrsig != nullptr && rrsig->d_type == QType::DNAME) {
+           ret.push_back(rec);
+        }
+      }
     }
     else if(rec.d_place==DNSResourceRecord::AUTHORITY && rec.d_type==QType::NS && qname.isPartOf(rec.d_name)) {
       if(moreSpecificThan(rec.d_name,auth)) {
@@ -2662,6 +2679,14 @@ bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, co
     }
   }
 
+  if (!dnameTarget.empty() && !newtarget.empty()) {
+    DNSName substTarget = qname.makeRelative(dnameOwner) + dnameTarget;
+    if (substTarget != newtarget) {
+      throw ImmediateServFailException("Received wrong DNAME substitution. qname='" + qname.toLogString() +
+           "', DNAME owner='" + dnameOwner.toLogString() + "', DNAME target='" + dnameTarget.toLogString() +
+           "', received CNAME='" + newtarget.toLogString() + "', substituted CNAME='" + substTarget.toLogString() + "'");
+    }
+  }
   return done;
 }
 
diff --git a/pdns/syncres.hh b/pdns/syncres.hh
index a19f21e54e6d..27a2e5d6bcff 100644
--- a/pdns/syncres.hh
+++ b/pdns/syncres.hh
@@ -728,6 +728,7 @@ private:
   static EDNSSubnetOpts s_ecsScopeZero;
   static LogMode s_lm;
   static std::unique_ptr<NetmaskGroup> s_dontQuery;
+  const static std::unordered_set<uint16_t> s_redirectionQTypes;
 
   struct GetBestNSAnswer
   {

From 8838c88f478bc2bd20fd8d842ecda1b1f1b6cc95 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Fri, 1 Mar 2019 18:33:50 +0100
Subject: [PATCH 019/127] rec: Validate DNAME sigs

---
 pdns/recursordist/test-syncres_cc.cc | 103 +++++++++++++++++++++++++++
 pdns/syncres.cc                      |  32 +++++++--
 2 files changed, 130 insertions(+), 5 deletions(-)

diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc
index 1a336cf22c5c..e0e4ca17c4a0 100644
--- a/pdns/recursordist/test-syncres_cc.cc
+++ b/pdns/recursordist/test-syncres_cc.cc
@@ -10856,6 +10856,109 @@ BOOST_AUTO_TEST_CASE(test_dname_processing) {
 
   BOOST_CHECK(ret[2].d_type == QType::A);
   BOOST_CHECK_EQUAL(ret[2].d_name, cnameTarget);
+
+  // TODO add cached tests once the caching of DNAME is implemented
+}
+
+BOOST_AUTO_TEST_CASE(test_dname_dnssec_secure) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+
+  const DNSName dnameOwner("powerdns");
+  const DNSName dnameTarget("example");
+
+  const DNSName target("dname.powerdns");
+  const DNSName cnameTarget("dname.example");
+
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(dnameOwner, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(dnameTarget, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queries = 0;
+
+  sr->setAsyncCallback([dnameOwner, dnameTarget, target, cnameTarget, keys, &queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queries++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        bool proveCut=true;
+        auto auth{domain};
+        if (domain.countLabels() > 1) {
+          auth.chopOff();
+          proveCut = false;
+        }
+        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys, proveCut);
+      }
+
+      if (isRootServer(ip)) {
+        if (domain.isPartOf(dnameOwner)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, dnameOwner, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+          addDS(dnameOwner, 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        if (domain.isPartOf(dnameTarget)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, dnameTarget, QType::NS, "b.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+          addDS(dnameTarget, 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "b.gtld-servers.net.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+        if (domain == target) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, dnameOwner, QType::DNAME, dnameTarget.toString());
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString());
+          return 1;
+        }
+      } else if (ip == ComboAddress("192.0.2.2:53")) {
+        if (domain == cnameTarget) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, domain, QType::A, "192.0.2.2");
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+        }
+        return 1;
+      }
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 5); /* DNAME + RRSIG(DNAME) + CNAME + A + RRSIG(A) */
+
+  BOOST_CHECK_EQUAL(queries, 9);
+
+  BOOST_CHECK(ret[0].d_type == QType::DNAME);
+  BOOST_CHECK(ret[0].d_name == dnameOwner);
+  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+  BOOST_CHECK(ret[1].d_type == QType::RRSIG);
+  BOOST_CHECK_EQUAL(ret[1].d_name, dnameOwner);
+
+  BOOST_CHECK(ret[2].d_type == QType::CNAME);
+  BOOST_CHECK_EQUAL(ret[2].d_name, target);
+
+  BOOST_CHECK(ret[3].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[3].d_name, cnameTarget);
+
+  BOOST_CHECK(ret[4].d_type == QType::RRSIG);
+  BOOST_CHECK_EQUAL(ret[4].d_name, cnameTarget);
+
+  // TODO add cached tests once the caching of DNAME is implemented
 }
 
 /*
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index d247efd4868f..01d22c530d51 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -2171,6 +2171,7 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
   std::vector<std::shared_ptr<DNSRecord>> authorityRecs;
   const unsigned int labelCount = qname.countLabels();
   bool isCNAMEAnswer = false;
+  bool isDNAMEAnswer = false;
   for(const auto& rec : lwr.d_records) {
     if (rec.d_class != QClass::IN) {
       continue;
@@ -2179,6 +2180,9 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
     if(!isCNAMEAnswer && rec.d_place == DNSResourceRecord::ANSWER && rec.d_type == QType::CNAME && (!(qtype==QType(QType::CNAME))) && rec.d_name == qname) {
       isCNAMEAnswer = true;
     }
+    if(!isDNAMEAnswer && rec.d_place == DNSResourceRecord::ANSWER && rec.d_type == QType::DNAME && (!(qtype==QType(QType::DNAME))) && qname.isPartOf(rec.d_name)) {
+      isDNAMEAnswer = true;
+    }
 
     /* if we have a positive answer synthetized from a wildcard,
        we need to store the corresponding NSEC/NSEC3 records proving
@@ -2338,6 +2342,10 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
       expectSignature = false;
     }
 
+    if (isDNAMEAnswer && !isAA && i->first.place == DNSResourceRecord::ANSWER && i->first.type == QType::DNAME && qname.isPartOf(i->first.name)) {
+      isAA = true;
+    }
+
     if (isCNAMEAnswer && i->first.place == DNSResourceRecord::AUTHORITY && i->first.type == QType::NS && auth == i->first.name) {
       /* These NS can't be authoritative since we have a CNAME answer for which (see above) only the
          record describing that alias is necessarily authoritative.
@@ -2367,11 +2375,25 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
             recordState = validateDNSKeys(i->first.name, i->second.records, i->second.signatures, depth);
           }
           else {
-            LOG(d_prefix<<"Validating non-additional record for "<<i->first.name<<endl);
-            recordState = validateRecordsWithSigs(depth, qname, qtype, i->first.name, i->second.records, i->second.signatures);
-            /* we might have missed a cut (zone cut within the same auth servers), causing the NS query for an Insecure zone to seem Bogus during zone cut determination */
-            if (qtype == QType::NS && i->second.signatures.empty() && recordState == Bogus && haveExactValidationStatus(i->first.name) && getValidationStatus(i->first.name) == Indeterminate) {
-              recordState = Indeterminate;
+            /*
+             * RFC 6672 section 5.3.1
+             *  In any response, a signed DNAME RR indicates a non-terminal
+             *  redirection of the query.  There might or might not be a server-
+             *  synthesized CNAME in the answer section; if there is, the CNAME will
+             *  never be signed.  For a DNSSEC validator, verification of the DNAME
+             *  RR and then that the CNAME was properly synthesized is sufficient
+             *  proof.
+             *
+             * We do the synthesis check in processRecords, here we make sure we
+             * don't validate the CNAME.
+             */
+            if (!(isDNAMEAnswer && i->first.type == QType::CNAME)) {
+              LOG(d_prefix<<"Validating non-additional record for "<<i->first.name<<endl);
+              recordState = validateRecordsWithSigs(depth, qname, qtype, i->first.name, i->second.records, i->second.signatures);
+              /* we might have missed a cut (zone cut within the same auth servers), causing the NS query for an Insecure zone to seem Bogus during zone cut determination */
+              if (qtype == QType::NS && i->second.signatures.empty() && recordState == Bogus && haveExactValidationStatus(i->first.name) && getValidationStatus(i->first.name) == Indeterminate) {
+                recordState = Indeterminate;
+              }
             }
           }
         }

From d30b54935bc9037bdded105812ef232a133433f0 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Mon, 4 Mar 2019 17:51:22 +0100
Subject: [PATCH 020/127] Retrieve DNAMEs from the cache

---
 pdns/syncres.cc | 106 ++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 84 insertions(+), 22 deletions(-)

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 01d22c530d51..28216fbb0e49 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -936,15 +936,43 @@ bool SyncRes::doCNAMECacheCheck(const DNSName &qname, const QType &qtype, vector
     return true;
   }
 
-  LOG(prefix<<qname<<": Looking for CNAME cache hit of '"<<qname<<"|CNAME"<<"'"<<endl);
   vector<DNSRecord> cset;
   vector<std::shared_ptr<RRSIGRecordContent>> signatures;
   vector<std::shared_ptr<DNSRecord>> authorityRecs;
   bool wasAuth;
   uint32_t capTTL = std::numeric_limits<uint32_t>::max();
-  /* we don't require auth data for forward-recurse lookups */
-  if(t_RC->get(d_now.tv_sec, qname, QType(QType::CNAME), !wasForwardRecurse && d_requireAuthData, &cset, d_cacheRemote, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &state, &wasAuth) > 0) {
+  DNSName foundName;
+  QType foundQT = QType(0); // 0 == QTYPE::ENT
+
+  if (qname != g_rootdnsname) {
+    // look for a DNAME cache hit
+    auto labels = qname.getRawLabels();
+    DNSName dnameName(g_rootdnsname);
+
+    do {
+      dnameName.prependRawLabel(labels.back());
+      labels.pop_back();
+      LOG(prefix<<qname<<": Looking for DNAME cache hit of '"<<dnameName<<"|DNAME"<<"'"<<endl);
+      if (t_RC->get(d_now.tv_sec, dnameName, QType(QType::DNAME), !wasForwardRecurse && d_requireAuthData, &cset, d_cacheRemote, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &state, &wasAuth) > 0) {
+        if (dnameName != qname && qtype != QType::DNAME) {
+          foundName = dnameName;
+          foundQT = QType(QType::DNAME);
+          break;
+        }
+      }
+    } while(!labels.empty());
+  }
 
+  if (foundName.empty()) {
+    LOG(prefix<<qname<<": Looking for CNAME cache hit of '"<<qname<<"|CNAME"<<"'"<<endl);
+    /* we don't require auth data for forward-recurse lookups */
+    if (t_RC->get(d_now.tv_sec, qname, QType(QType::CNAME), !wasForwardRecurse && d_requireAuthData, &cset, d_cacheRemote, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &state, &wasAuth) > 0) {
+      foundName = qname;
+      foundQT = QType(QType::CNAME);
+    }
+  }
+
+  if(!foundName.empty()) {
     for(auto j=cset.cbegin() ; j != cset.cend() ; ++j) {
       if (j->d_class != QClass::IN) {
         continue;
@@ -956,28 +984,28 @@ bool SyncRes::doCNAMECacheCheck(const DNSName &qname, const QType &qtype, vector
           /* This means we couldn't figure out the state when this entry was cached,
              most likely because we hadn't computed the zone cuts yet. */
           /* make sure they are computed before validating */
-          DNSName subdomain(qname);
+          DNSName subdomain(foundName);
           /* if we are retrieving a DS, we only care about the state of the parent zone */
           if(qtype == QType::DS)
             subdomain.chopOff();
 
           computeZoneCuts(subdomain, g_rootdnsname, depth);
 
-          vState recordState = getValidationStatus(qname, false);
+          vState recordState = getValidationStatus(foundName, false);
           if (recordState == Secure) {
-            LOG(prefix<<qname<<": got Indeterminate state from the CNAME cache, validating.."<<endl);
-            state = SyncRes::validateRecordsWithSigs(depth, qname, QType(QType::CNAME), qname, cset, signatures);
+            LOG(prefix<<qname<<": got Indeterminate state from the "<<foundQT.getName()<<" cache, validating.."<<endl);
+            state = SyncRes::validateRecordsWithSigs(depth, foundName, foundQT, foundName, cset, signatures);
             if (state != Indeterminate) {
               LOG(prefix<<qname<<": got Indeterminate state from the CNAME cache, new validation result is "<<vStates[state]<<endl);
               if (state == Bogus) {
                 capTTL = s_maxbogusttl;
               }
-              updateValidationStatusInCache(qname, QType(QType::CNAME), wasAuth, state);
+              updateValidationStatusInCache(foundName, foundQT, wasAuth, state);
             }
           }
         }
 
-        LOG(prefix<<qname<<": Found cache CNAME hit for '"<< qname << "|CNAME" <<"' to '"<<j->d_content->getZoneRepresentation()<<"', validation state is "<<vStates[state]<<endl);
+        LOG(prefix<<qname<<": Found cache "<<foundQT.getName()<<" hit for '"<< foundName << "|"<<foundQT.getName()<<"' to '"<<j->d_content->getZoneRepresentation()<<"', validation state is "<<vStates[state]<<endl);
 
         DNSRecord dr=*j;
         dr.d_ttl -= d_now.tv_sec;
@@ -989,7 +1017,7 @@ bool SyncRes::doCNAMECacheCheck(const DNSName &qname, const QType &qtype, vector
         for(const auto& signature : signatures) {
           DNSRecord sigdr;
           sigdr.d_type=QType::RRSIG;
-          sigdr.d_name=qname;
+          sigdr.d_name=foundName;
           sigdr.d_ttl=ttl;
           sigdr.d_content=signature;
           sigdr.d_place=DNSResourceRecord::ANSWER;
@@ -1003,25 +1031,54 @@ bool SyncRes::doCNAMECacheCheck(const DNSName &qname, const QType &qtype, vector
           ret.push_back(authDR);
         }
 
-        if(qtype != QType::CNAME) { // perhaps they really wanted a CNAME!
-          set<GetBestNSAnswer>beenthere;
+        DNSName newTarget;
+        if (foundQT == QType::DNAME) {
+          if (qtype == QType::DNAME && qname == foundName) { // client wanted the DNAME, no need to synthesize a CNAME
+            res = 0;
+            return true;
+          }
+          // Synthesize a CNAME
+          auto dnameRR = getRR<DNAMERecordContent>(*j);
+          if (dnameRR == nullptr) {
+            throw ImmediateServFailException("Unable to get record content for "+foundName.toLogString()+"|DNAME cache entry");
+          }
+          auto dnameSuffix = dnameRR->getTarget();
+          DNSName targetPrefix = qname.makeRelative(foundName);
+          dr.d_type = QType::CNAME;
+          dr.d_name = targetPrefix + foundName;
+          newTarget = targetPrefix + dnameSuffix;
+          dr.d_content = std::make_shared<CNAMERecordContent>(CNAMERecordContent(newTarget));
+          ret.push_back(dr);
+
+          LOG(prefix<<qname<<": Synthesized "<<dr.d_name<<"|CNAME "<<newTarget<<endl);
+        }
+
+        if(qtype == QType::CNAME) { // perhaps they really wanted a CNAME!
+          res = 0;
+          return true;
+        }
 
-          vState cnameState = Indeterminate;
+        // We have a DNAME _or_ CNAME cache hit and the client wants something else than those two.
+        // Let's find the answer!
+        if (foundQT == QType::CNAME) {
           const auto cnameContent = getRR<CNAMERecordContent>(*j);
-          if (cnameContent) {
-            res=doResolve(cnameContent->getTarget(), qtype, ret, depth+1, beenthere, cnameState);
-            LOG(prefix<<qname<<": updating validation state for response to "<<qname<<" from "<<vStates[state]<<" with the state from the CNAME quest: "<<vStates[cnameState]<<endl);
-            updateValidationState(state, cnameState);
+          if (cnameContent == nullptr) {
+            throw ImmediateServFailException("Unable to get record content for "+foundName.toLogString()+"|CNAME cache entry");
           }
+          newTarget = cnameContent->getTarget();
         }
-        else
-          res=0;
+
+        set<GetBestNSAnswer>beenthere;
+        vState cnameState = Indeterminate;
+        res = doResolve(newTarget, qtype, ret, depth+1, beenthere, cnameState);
+        LOG(prefix<<qname<<": updating validation state for response to "<<qname<<" from "<<vStates[state]<<" with the state from the DNAME/CNAME quest: "<<vStates[cnameState]<<endl);
+        updateValidationState(state, cnameState);
 
         return true;
       }
     }
   }
-  LOG(prefix<<qname<<": No CNAME cache hit of '"<< qname << "|CNAME" <<"' found"<<endl);
+  LOG(prefix<<qname<<": No CNAME or DNAME cache hit of '"<< qname <<"' found"<<endl);
   return false;
 }
 
@@ -2177,11 +2234,12 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
       continue;
     }
 
-    if(!isCNAMEAnswer && rec.d_place == DNSResourceRecord::ANSWER && rec.d_type == QType::CNAME && (!(qtype==QType(QType::CNAME))) && rec.d_name == qname) {
+    if(!isCNAMEAnswer && rec.d_place == DNSResourceRecord::ANSWER && rec.d_type == QType::CNAME && (!(qtype==QType(QType::CNAME))) && rec.d_name == qname && !isDNAMEAnswer) {
       isCNAMEAnswer = true;
     }
-    if(!isDNAMEAnswer && rec.d_place == DNSResourceRecord::ANSWER && rec.d_type == QType::DNAME && (!(qtype==QType(QType::DNAME))) && qname.isPartOf(rec.d_name)) {
+    if(!isDNAMEAnswer && rec.d_place == DNSResourceRecord::ANSWER && rec.d_type == QType::DNAME && qtype != QType(QType::DNAME) && qname.isPartOf(rec.d_name)) {
       isDNAMEAnswer = true;
+      isCNAMEAnswer = false;
     }
 
     /* if we have a positive answer synthetized from a wildcard,
@@ -2255,6 +2313,10 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
       }
       else {
         bool haveLogged = false;
+        if (isDNAMEAnswer && rec.d_type == QType::CNAME) {
+          LOG("NO - we already have a DNAME answer for this domain");
+          continue;
+        }
         if (!t_sstorage.domainmap->empty()) {
           // Check if we are authoritative for a zone in this answer
           DNSName tmp_qname(rec.d_name);

From 40e3c9881ae1fcad05204c1bf8d169dfd48359d3 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Tue, 5 Mar 2019 12:00:51 +0100
Subject: [PATCH 021/127] Add DNAME cache tests

---
 pdns/recursordist/test-syncres_cc.cc | 93 +++++++++++++++++++++++-----
 1 file changed, 78 insertions(+), 15 deletions(-)

diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc
index e0e4ca17c4a0..8459786459ab 100644
--- a/pdns/recursordist/test-syncres_cc.cc
+++ b/pdns/recursordist/test-syncres_cc.cc
@@ -10857,7 +10857,24 @@ BOOST_AUTO_TEST_CASE(test_dname_processing) {
   BOOST_CHECK(ret[2].d_type == QType::A);
   BOOST_CHECK_EQUAL(ret[2].d_name, cnameTarget);
 
-  // TODO add cached tests once the caching of DNAME is implemented
+  // Now check the cache
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 3);
+
+  BOOST_CHECK_EQUAL(queries, 4);
+
+  BOOST_CHECK(ret[0].d_type == QType::DNAME);
+  BOOST_CHECK(ret[0].d_name == dnameOwner);
+  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+  BOOST_CHECK(ret[1].d_type == QType::CNAME);
+  BOOST_CHECK_EQUAL(ret[1].d_name, target);
+
+  BOOST_CHECK(ret[2].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[2].d_name, cnameTarget);
 }
 
 BOOST_AUTO_TEST_CASE(test_dname_dnssec_secure) {
@@ -10887,17 +10904,20 @@ BOOST_AUTO_TEST_CASE(test_dname_dnssec_secure) {
   sr->setAsyncCallback([dnameOwner, dnameTarget, target, cnameTarget, keys, &queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
       queries++;
 
-      if (type == QType::DS || type == QType::DNSKEY) {
-        bool proveCut=true;
-        auto auth{domain};
-        if (domain.countLabels() > 1) {
-          auth.chopOff();
-          proveCut = false;
-        }
-        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys, proveCut);
-      }
-
       if (isRootServer(ip)) {
+        if (domain.countLabels() == 0 && type == QType::DNSKEY) { // .|DNSKEY
+          setLWResult(res, 0, true, false, true);
+          addDNSKEY(keys, domain, 300, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          return 1;
+        }
+        if (domain.countLabels() == 1 && type == QType::DS) { // powerdns|DS or example|DS
+          setLWResult(res, 0, true, false, true);
+          addDS(domain, 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          return 1;
+        }
+        // For the rest, delegate!
         if (domain.isPartOf(dnameOwner)) {
           setLWResult(res, 0, false, false, true);
           addRecordToLW(res, dnameOwner, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
@@ -10915,18 +10935,36 @@ BOOST_AUTO_TEST_CASE(test_dname_dnssec_secure) {
           return 1;
         }
       } else if (ip == ComboAddress("192.0.2.1:53")) {
+        if (domain.countLabels() == 1 && type == QType::DNSKEY) { // powerdns|DNSKEY
+          setLWResult(res, 0, true, false, true);
+          addDNSKEY(keys, domain, 300, res->d_records);
+          addRRSIG(keys, res->d_records, domain, 300);
+          return 1;
+        }
+        if (domain == target && type == QType::DS) { // dname.powerdns|DS
+          return genericDSAndDNSKEYHandler(res, domain, dnameOwner, type, keys);
+        }
         if (domain == target) {
           setLWResult(res, 0, true, false, false);
           addRecordToLW(res, dnameOwner, QType::DNAME, dnameTarget.toString());
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRRSIG(keys, res->d_records, dnameOwner, 300);
           addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString());
           return 1;
         }
       } else if (ip == ComboAddress("192.0.2.2:53")) {
+        if (domain.countLabels() == 1 && type == QType::DNSKEY) { // example|DNSKEY
+          setLWResult(res, 0, true, false, true);
+          addDNSKEY(keys, domain, 300, res->d_records);
+          addRRSIG(keys, res->d_records, domain, 300);
+          return 1;
+        }
+        if (domain == target && type == QType::DS) { // dname.example|DS
+          return genericDSAndDNSKEYHandler(res, domain, dnameTarget, type, keys);
+        }
         if (domain == cnameTarget) {
           setLWResult(res, 0, true, false, false);
           addRecordToLW(res, domain, QType::A, "192.0.2.2");
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRRSIG(keys, res->d_records, dnameTarget, 300);
         }
         return 1;
       }
@@ -10940,7 +10978,33 @@ BOOST_AUTO_TEST_CASE(test_dname_dnssec_secure) {
   BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
   BOOST_REQUIRE_EQUAL(ret.size(), 5); /* DNAME + RRSIG(DNAME) + CNAME + A + RRSIG(A) */
 
-  BOOST_CHECK_EQUAL(queries, 9);
+  BOOST_CHECK_EQUAL(queries, 11);
+
+  BOOST_CHECK(ret[0].d_type == QType::DNAME);
+  BOOST_CHECK(ret[0].d_name == dnameOwner);
+  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+  BOOST_CHECK(ret[1].d_type == QType::RRSIG);
+  BOOST_CHECK_EQUAL(ret[1].d_name, dnameOwner);
+
+  BOOST_CHECK(ret[2].d_type == QType::CNAME);
+  BOOST_CHECK_EQUAL(ret[2].d_name, target);
+
+  BOOST_CHECK(ret[3].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[3].d_name, cnameTarget);
+
+  BOOST_CHECK(ret[4].d_type == QType::RRSIG);
+  BOOST_CHECK_EQUAL(ret[4].d_name, cnameTarget);
+
+  // And the cache
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 5); /* DNAME + RRSIG(DNAME) + CNAME + A + RRSIG(A) */
+
+  BOOST_CHECK_EQUAL(queries, 11);
 
   BOOST_CHECK(ret[0].d_type == QType::DNAME);
   BOOST_CHECK(ret[0].d_name == dnameOwner);
@@ -10958,7 +11022,6 @@ BOOST_AUTO_TEST_CASE(test_dname_dnssec_secure) {
   BOOST_CHECK(ret[4].d_type == QType::RRSIG);
   BOOST_CHECK_EQUAL(ret[4].d_name, cnameTarget);
 
-  // TODO add cached tests once the caching of DNAME is implemented
 }
 
 /*

From 60cb670d72a870eddaf0b2291649b386bb26d36c Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Tue, 5 Mar 2019 13:57:45 +0100
Subject: [PATCH 022/127] DNAME: add insecure test

---
 pdns/recursordist/test-syncres_cc.cc | 138 +++++++++++++++++++++++++++
 1 file changed, 138 insertions(+)

diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc
index 8459786459ab..dbe8166b6352 100644
--- a/pdns/recursordist/test-syncres_cc.cc
+++ b/pdns/recursordist/test-syncres_cc.cc
@@ -11024,6 +11024,144 @@ BOOST_AUTO_TEST_CASE(test_dname_dnssec_secure) {
 
 }
 
+BOOST_AUTO_TEST_CASE(test_dname_dnssec_insecure) {
+  /*
+   * The DNAME itself is signed, but the final A record is not
+   */
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+
+  const DNSName dnameOwner("powerdns");
+  const DNSName dnameTarget("example");
+
+  const DNSName target("dname.powerdns");
+  const DNSName cnameTarget("dname.example");
+
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(dnameOwner, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queries = 0;
+
+  sr->setAsyncCallback([dnameOwner, dnameTarget, target, cnameTarget, keys, &queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queries++;
+
+      if (isRootServer(ip)) {
+        if (domain.countLabels() == 0 && type == QType::DNSKEY) { // .|DNSKEY
+          setLWResult(res, 0, true, false, true);
+          addDNSKEY(keys, domain, 300, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          return 1;
+        }
+        if (domain == dnameOwner && type == QType::DS) { // powerdns|DS
+          setLWResult(res, 0, true, false, true);
+          addDS(domain, 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          return 1;
+        }
+        if (domain == dnameTarget && type == QType::DS) { // example|DS
+          return genericDSAndDNSKEYHandler(res, domain, DNSName("."), type, keys);
+        }
+        // For the rest, delegate!
+        if (domain.isPartOf(dnameOwner)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, dnameOwner, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+          addDS(dnameOwner, 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        if (domain.isPartOf(dnameTarget)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, dnameTarget, QType::NS, "b.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+          addDS(dnameTarget, 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "b.gtld-servers.net.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+        if (domain.countLabels() == 1 && type == QType::DNSKEY) { // powerdns|DNSKEY
+          setLWResult(res, 0, true, false, true);
+          addDNSKEY(keys, domain, 300, res->d_records);
+          addRRSIG(keys, res->d_records, domain, 300);
+          return 1;
+        }
+        if (domain == target && type == QType::DS) { // dname.powerdns|DS
+          return genericDSAndDNSKEYHandler(res, domain, dnameOwner, type, keys);
+        }
+        if (domain == target) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, dnameOwner, QType::DNAME, dnameTarget.toString());
+          addRRSIG(keys, res->d_records, dnameOwner, 300);
+          addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString());
+          return 1;
+        }
+      } else if (ip == ComboAddress("192.0.2.2:53")) {
+        if (domain == target && type == QType::DS) { // dname.example|DS
+          return genericDSAndDNSKEYHandler(res, domain, dnameTarget, type, keys);
+        }
+        if (domain == cnameTarget) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, domain, QType::A, "192.0.2.2");
+        }
+        return 1;
+      }
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 4); /* DNAME + RRSIG(DNAME) + CNAME + A */
+
+  BOOST_CHECK_EQUAL(queries, 9);
+
+  BOOST_CHECK(ret[0].d_type == QType::DNAME);
+  BOOST_CHECK(ret[0].d_name == dnameOwner);
+  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+  BOOST_CHECK(ret[1].d_type == QType::RRSIG);
+  BOOST_CHECK_EQUAL(ret[1].d_name, dnameOwner);
+
+  BOOST_CHECK(ret[2].d_type == QType::CNAME);
+  BOOST_CHECK_EQUAL(ret[2].d_name, target);
+
+  BOOST_CHECK(ret[3].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[3].d_name, cnameTarget);
+
+  // And the cache
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 4); /* DNAME + RRSIG(DNAME) + CNAME + A */
+
+  BOOST_CHECK_EQUAL(queries, 9);
+
+  BOOST_CHECK(ret[0].d_type == QType::DNAME);
+  BOOST_CHECK(ret[0].d_name == dnameOwner);
+  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+  BOOST_CHECK(ret[1].d_type == QType::RRSIG);
+  BOOST_CHECK_EQUAL(ret[1].d_name, dnameOwner);
+
+  BOOST_CHECK(ret[2].d_type == QType::CNAME);
+  BOOST_CHECK_EQUAL(ret[2].d_name, target);
+
+  BOOST_CHECK(ret[3].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[3].d_name, cnameTarget);
+}
+
 /*
 // cerr<<"asyncresolve called to ask "<<ip.toStringWithPort()<<" about "<<domain.toString()<<" / "<<QType(type).getName()<<" over "<<(doTCP ? "TCP" : "UDP")<<" (rd: "<<sendRDQuery<<", EDNS0 level: "<<EDNS0Level<<")"<<endl;
 

From 9516e835041200529b5cebc375a72a73168469af Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Tue, 5 Mar 2019 16:12:40 +0100
Subject: [PATCH 023/127] Add DNAME regression tests

---
 .../basicDNSSEC.py                            | 125 ++++++++++++++++++
 .../recursortests.py                          |  30 ++++-
 2 files changed, 154 insertions(+), 1 deletion(-)

diff --git a/regression-tests.recursor-dnssec/basicDNSSEC.py b/regression-tests.recursor-dnssec/basicDNSSEC.py
index e754dffa8488..aef9fc2a3436 100644
--- a/regression-tests.recursor-dnssec/basicDNSSEC.py
+++ b/regression-tests.recursor-dnssec/basicDNSSEC.py
@@ -147,3 +147,128 @@ def testSecureToInsecureCNAMEAnswer(self):
         self.assertRRsetInAnswer(res, expectedA)
         self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
 
+    def testSecureDNAMEToSecureAnswer(self):
+        res = self.sendQuery('host1.dname-secure.secure.example.', 'A')
+        expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+        expectedCNAME = dns.rrset.from_text('host1.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.dname-secure.example.')
+        expectedA = dns.rrset.from_text('host1.dname-secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.21')
+
+        self.assertRcodeEqual(res, dns.rcode.NOERROR)
+        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO'])
+        self.assertRRsetInAnswer(res, expectedA)
+        self.assertRRsetInAnswer(res, expectedCNAME)
+        self.assertRRsetInAnswer(res, expectedDNAME)
+        self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+        self.assertMatchingRRSIGInAnswer(res, expectedA)
+
+    def testSecureDNAMEToSecureNXDomain(self):
+        res = self.sendQuery('nxd.dname-secure.secure.example.', 'A')
+        expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+        expectedCNAME = dns.rrset.from_text('nxd.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'nxd.dname-secure.example.')
+
+        self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
+        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO'])
+        self.assertRRsetInAnswer(res, expectedCNAME)
+        self.assertRRsetInAnswer(res, expectedDNAME)
+        self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+
+    def testSecureDNAMEToInsecureAnswer(self):
+        res = self.sendQuery('node1.dname-insecure.secure.example.', 'A')
+        expectedDNAME = dns.rrset.from_text('dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'insecure.example.')
+        expectedCNAME = dns.rrset.from_text('node1.dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'node1.insecure.example.')
+        expectedA = dns.rrset.from_text('node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')
+
+        self.assertRcodeEqual(res, dns.rcode.NOERROR)
+        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+        self.assertRRsetInAnswer(res, expectedA)
+        self.assertRRsetInAnswer(res, expectedCNAME)
+        self.assertRRsetInAnswer(res, expectedDNAME)
+        self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+
+    def testSecureDNAMEToInsecureNXDomain(self):
+        res = self.sendQuery('nxd.dname-insecure.secure.example.', 'A')
+        expectedDNAME = dns.rrset.from_text('dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'insecure.example.')
+        expectedCNAME = dns.rrset.from_text('nxd.dname-insecure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'nxd.insecure.example.')
+
+        self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
+        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+        self.assertRRsetInAnswer(res, expectedCNAME)
+        self.assertRRsetInAnswer(res, expectedDNAME)
+        self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+
+    def testSecureDNAMEToBogusAnswer(self):
+        res = self.sendQuery('ted.dname-bogus.secure.example.', 'A')
+
+        self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
+        self.assertAnswerEmpty(res)
+
+    def testSecureDNAMEToBogusNXDomain(self):
+        res = self.sendQuery('nxd.dname-bogus.secure.example.', 'A')
+
+        self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
+        self.assertAnswerEmpty(res)
+
+    def testInsecureDNAMEtoSecureAnswer(self):
+        res = self.sendQuery('host1.dname-to-secure.insecure.example.', 'A')
+        expectedDNAME = dns.rrset.from_text('dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+        expectedCNAME = dns.rrset.from_text('host1.dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.dname-secure.example.')
+        expectedA = dns.rrset.from_text('host1.dname-secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.21')
+
+        self.assertRcodeEqual(res, dns.rcode.NOERROR)
+        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+        self.assertRRsetInAnswer(res, expectedA)
+        self.assertRRsetInAnswer(res, expectedCNAME)
+        self.assertRRsetInAnswer(res, expectedDNAME)
+        self.assertMatchingRRSIGInAnswer(res, expectedA)
+
+    def testSecureDNAMEToSecureCNAMEAnswer(self):
+        res = self.sendQuery('cname-to-secure.dname-secure.secure.example.', 'A')
+
+        expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+        expectedCNAME1 = dns.rrset.from_text('cname-to-secure.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'cname-to-secure.dname-secure.example.')
+        expectedCNAME2 = dns.rrset.from_text('cname-to-secure.dname-secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.')
+        expectedA = dns.rrset.from_text('host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')
+
+        self.assertRcodeEqual(res, dns.rcode.NOERROR)
+        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA', 'AD'], ['DO'])
+        self.assertRRsetInAnswer(res, expectedA)
+        self.assertRRsetInAnswer(res, expectedCNAME1)
+        self.assertRRsetInAnswer(res, expectedCNAME2)
+        self.assertMatchingRRSIGInAnswer(res, expectedCNAME2)
+        self.assertRRsetInAnswer(res, expectedDNAME)
+        self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+        self.assertMatchingRRSIGInAnswer(res, expectedA)
+
+    def testSecureDNAMEToInsecureCNAMEAnswer(self):
+        res = self.sendQuery('cname-to-insecure.dname-secure.secure.example.', 'A')
+
+        expectedDNAME = dns.rrset.from_text('dname-secure.secure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+        expectedCNAME1 = dns.rrset.from_text('cname-to-insecure.dname-secure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'cname-to-insecure.dname-secure.example.')
+        expectedCNAME2 = dns.rrset.from_text('cname-to-insecure.dname-secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'node1.insecure.example.')
+        expectedA = dns.rrset.from_text('node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')
+
+        self.assertRcodeEqual(res, dns.rcode.NOERROR)
+        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+        self.assertRRsetInAnswer(res, expectedA)
+        self.assertRRsetInAnswer(res, expectedCNAME1)
+        self.assertRRsetInAnswer(res, expectedCNAME2)
+        self.assertMatchingRRSIGInAnswer(res, expectedCNAME2)
+        self.assertRRsetInAnswer(res, expectedDNAME)
+        self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
+
+    def testSecureDNAMEToBogusCNAMEAnswer(self):
+        res = self.sendQuery('cname-to-bogus.dname-secure.secure.example.', 'A')
+
+        self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
+        self.assertAnswerEmpty(res)
+
+    def testInsecureDNAMEtoSecureNXDomain(self):
+        res = self.sendQuery('nxd.dname-to-secure.insecure.example.', 'A')
+        expectedDNAME = dns.rrset.from_text('dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'DNAME', 'dname-secure.example.')
+        expectedCNAME = dns.rrset.from_text('nxd.dname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'CNAME', 'nxd.dname-secure.example.')
+
+        self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
+        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+        self.assertRRsetInAnswer(res, expectedCNAME)
+        self.assertRRsetInAnswer(res, expectedDNAME)
+        self.assertMatchingRRSIGInAnswer(res, expectedDNAME)
diff --git a/regression-tests.recursor-dnssec/recursortests.py b/regression-tests.recursor-dnssec/recursortests.py
index 46ca97c4677b..cfbd87bad4a6 100644
--- a/regression-tests.recursor-dnssec/recursortests.py
+++ b/regression-tests.recursor-dnssec/recursortests.py
@@ -85,6 +85,10 @@ class RecursorTest(unittest.TestCase):
 cname-secure.example.    3600 IN DS   49148 13 1 a10314452d5ec4d97fcc6d7e275d217261fe790f
 ns.cname-secure.example. 3600 IN A    {prefix}.15
 
+dname-secure.example. 3600 IN NS ns.dname-secure.example.
+dname-secure.example. 3600 IN DS 42043 13 2 11c67f46b7c4d5968bc5f6cc944d58377b762bda53ddb4f3a6dbe6faf7a9940f
+ns.dname-secure.example. 3600 IN A {prefix}.13
+
 bogus.example.           3600 IN NS   ns.bogus.example.
 bogus.example.           3600 IN DS   65034 13 1 6df3bb50ea538e90eacdd7ae5419730783abb0ee
 ns.bogus.example.        3600 IN A    {prefix}.12
@@ -137,7 +141,22 @@ class RecursorTest(unittest.TestCase):
 *.cnamewildcardnxdomain.secure.example. 3600 IN CNAME doesntexist.secure.example.
 
 cname-to-formerr.secure.example. 3600 IN CNAME host1.insecure-formerr.example.
+
+dname-secure.secure.example. 3600 IN DNAME dname-secure.example.
+dname-insecure.secure.example. 3600 IN DNAME insecure.example.
+dname-bogus.secure.example. 3600 IN DNAME bogus.example.
         """,
+        'dname-secure.example': """
+dname-secure.example. 3600 IN SOA {soa}
+dname-secure.example. 3600 IN NS ns.dname-secure.example.
+ns.dname-secure.example. 3600 IN A {prefix}.13
+
+host1.dname-secure.example. IN A 192.0.2.21
+
+cname-to-secure.dname-secure.example. 3600 IN CNAME host1.secure.example.
+cname-to-insecure.dname-secure.example. 3600 IN CNAME node1.insecure.example.
+cname-to-bogus.dname-secure.example.    3600 IN CNAME ted.bogus.example.
+""",
         'cname-secure.example': """
 cname-secure.example.          3600 IN SOA   {soa}
 cname-secure.example.          3600 IN NS    ns.cname-secure.example.
@@ -165,6 +184,8 @@ class RecursorTest(unittest.TestCase):
 node1.insecure.example.  3600 IN A    192.0.2.6
 
 cname-to-secure.insecure.example. 3600 IN CNAME host1.secure.example.
+
+dname-to-secure.insecure.example. 3600 IN DNAME dname-secure.example.
         """,
         'optout.example': """
 optout.example.        3600 IN SOA  {soa}
@@ -262,6 +283,12 @@ class RecursorTest(unittest.TestCase):
 Private-key-format: v1.2
 Algorithm: 13 (ECDSAP256SHA256)
 PrivateKey: kvoV/g4IO/tefSro+FLJ5UC7H3BUf0IUtZQSUOfQGyA=
+""",
+
+        'dname-secure.example': """
+Private-key-format: v1.2
+Algorithm: 13 (ECDSAP256SHA256)
+PrivateKey: Ep9uo6+wwjb4MaOmqq7LHav2FLrjotVOeZg8JT1Qk04=
 """
     }
 
@@ -274,7 +301,7 @@ class RecursorTest(unittest.TestCase):
         '10': ['example'],
         '11': ['example'],
         '12': ['bogus.example', 'undelegated.secure.example', 'undelegated.insecure.example'],
-        '13': ['insecure.example', 'insecure.sub2.secure.example'],
+        '13': ['insecure.example', 'insecure.sub2.secure.example', 'dname-secure.example'],
         '14': ['optout.example'],
         '15': ['insecure.optout.example', 'secure.optout.example', 'cname-secure.example']
     }
@@ -333,6 +360,7 @@ def generateAuthConfig(cls, confdir):
 log-dns-queries=yes
 log-dns-details=yes
 loglevel=9
+dname-processing=yes
 distributor-threads=1""".format(confdir=confdir,
                                 bind_dnssec_db=bind_dnssec_db))
 

From dc0d34db7b2b8721e838f951146b51149c28859e Mon Sep 17 00:00:00 2001
From: Remi Gacogne <rgacogne@users.noreply.github.com>
Date: Tue, 5 Mar 2019 16:12:55 +0100
Subject: [PATCH 024/127] Update pdns/dnsrecords.hh

Co-Authored-By: pieterlexis <pieterlexis@users.noreply.github.com>
---
 pdns/dnsrecords.hh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pdns/dnsrecords.hh b/pdns/dnsrecords.hh
index 4258f5b26f66..1031ddf59dd7 100644
--- a/pdns/dnsrecords.hh
+++ b/pdns/dnsrecords.hh
@@ -273,7 +273,7 @@ class DNAMERecordContent : public DNSRecordContent
 public:
   includeboilerplate(DNAME)
   DNAMERecordContent(const DNSName& content) : d_content(content){}
-  DNSName getTarget() const { return d_content; }
+  const DNSName& getTarget() const { return d_content; }
 private:
   DNSName d_content;
 };

From d083a8af13e721457db00bfb12ce31f9973b3f9f Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Tue, 5 Mar 2019 16:43:00 +0100
Subject: [PATCH 025/127] DNAME: CNAME synthesis tests

---
 pdns/recursordist/test-syncres_cc.cc | 54 +++++++++++++++++++++++++++-
 1 file changed, 53 insertions(+), 1 deletion(-)

diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc
index dbe8166b6352..7d707fa753e8 100644
--- a/pdns/recursordist/test-syncres_cc.cc
+++ b/pdns/recursordist/test-syncres_cc.cc
@@ -10804,9 +10804,15 @@ BOOST_AUTO_TEST_CASE(test_dname_processing) {
   const DNSName target("dname.powerdns.com.");
   const DNSName cnameTarget("dname.powerdns.net");
 
+  const DNSName uncachedTarget("dname-uncached.powerdns.com.");
+  const DNSName uncachedCNAMETarget("dname-uncached.powerdns.net.");
+
+  const DNSName synthCNAME("cname-uncached.powerdns.com.");
+  const DNSName synthCNAMETarget("cname-uncached.powerdns.net.");
+
   size_t queries = 0;
 
-  sr->setAsyncCallback([dnameOwner, dnameTarget, target, cnameTarget, &queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+  sr->setAsyncCallback([dnameOwner, dnameTarget, target, cnameTarget, uncachedTarget, uncachedCNAMETarget, &queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
       queries++;
 
       if (isRootServer(ip)) {
@@ -10834,6 +10840,10 @@ BOOST_AUTO_TEST_CASE(test_dname_processing) {
           setLWResult(res, 0, true, false, false);
           addRecordToLW(res, domain, QType::A, "192.0.2.2");
         }
+        if (domain == uncachedCNAMETarget) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, domain, QType::A, "192.0.2.3");
+        }
         return 1;
       }
       return 0;
@@ -10875,6 +10885,48 @@ BOOST_AUTO_TEST_CASE(test_dname_processing) {
 
   BOOST_CHECK(ret[2].d_type == QType::A);
   BOOST_CHECK_EQUAL(ret[2].d_name, cnameTarget);
+
+  // Check if we correctly return a synthesizd CNAME, should send out just 1 more query
+  ret.clear();
+  res = sr->beginResolve(uncachedTarget, QType(QType::A), QClass::IN, ret);
+
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(queries, 5);
+
+  BOOST_CHECK(ret[0].d_type == QType::DNAME);
+  BOOST_CHECK(ret[0].d_name == dnameOwner);
+  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+  BOOST_CHECK(ret[1].d_type == QType::CNAME);
+  BOOST_CHECK_EQUAL(ret[1].d_name, uncachedTarget);
+  BOOST_CHECK_EQUAL(getRR<CNAMERecordContent>(ret[1])->getTarget(), uncachedCNAMETarget);
+
+  BOOST_CHECK(ret[2].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[2].d_name, uncachedCNAMETarget);
+
+  // Check if we correctly return the DNAME from cache when asked
+  ret.clear();
+  res = sr->beginResolve(dnameOwner, QType(QType::DNAME), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(queries, 5);
+
+  BOOST_CHECK(ret[0].d_type == QType::DNAME);
+  BOOST_CHECK(ret[0].d_name == dnameOwner);
+  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+  // Check if we correctly return the synthesized CNAME from cache when asked
+  ret.clear();
+  res = sr->beginResolve(synthCNAME, QType(QType::CNAME), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(queries, 5);
+
+  BOOST_CHECK(ret[0].d_type == QType::DNAME);
+  BOOST_CHECK(ret[0].d_name == dnameOwner);
+  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+  BOOST_CHECK(ret[1].d_type == QType::CNAME);
+  BOOST_CHECK(ret[1].d_name == synthCNAME);
+  BOOST_CHECK_EQUAL(getRR<CNAMERecordContent>(ret[1])->getTarget(), synthCNAMETarget);
 }
 
 BOOST_AUTO_TEST_CASE(test_dname_dnssec_secure) {

From 71e9cc53742cf57571276f484d21e0606e077ceb Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Tue, 5 Mar 2019 16:45:35 +0100
Subject: [PATCH 026/127] DNAME: skip one unneeded cache lookup

---
 pdns/syncres.cc | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 28216fbb0e49..81fa46916008 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -952,13 +952,14 @@ bool SyncRes::doCNAMECacheCheck(const DNSName &qname, const QType &qtype, vector
     do {
       dnameName.prependRawLabel(labels.back());
       labels.pop_back();
+      if (dnameName == qname && qtype != QType::DNAME) { // The client does not want a DNAME, but we've reached the QNAME already. So there is no match
+        break;
+      }
       LOG(prefix<<qname<<": Looking for DNAME cache hit of '"<<dnameName<<"|DNAME"<<"'"<<endl);
       if (t_RC->get(d_now.tv_sec, dnameName, QType(QType::DNAME), !wasForwardRecurse && d_requireAuthData, &cset, d_cacheRemote, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &state, &wasAuth) > 0) {
-        if (dnameName != qname && qtype != QType::DNAME) {
-          foundName = dnameName;
-          foundQT = QType(QType::DNAME);
-          break;
-        }
+        foundName = dnameName;
+        foundQT = QType(QType::DNAME);
+        break;
       }
     } while(!labels.empty());
   }

From 3643203e4a0b7c1360fcb7b3b1f1fbb5b76cead0 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Tue, 5 Mar 2019 16:56:31 +0100
Subject: [PATCH 027/127] DNAME: use BOOST_REQUIRE where needed

---
 pdns/recursordist/test-syncres_cc.cc | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc
index 7d707fa753e8..cba955f3c996 100644
--- a/pdns/recursordist/test-syncres_cc.cc
+++ b/pdns/recursordist/test-syncres_cc.cc
@@ -10857,7 +10857,7 @@ BOOST_AUTO_TEST_CASE(test_dname_processing) {
 
   BOOST_CHECK_EQUAL(queries, 4);
 
-  BOOST_CHECK(ret[0].d_type == QType::DNAME);
+  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
   BOOST_CHECK(ret[0].d_name == dnameOwner);
   BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
 
@@ -10876,7 +10876,7 @@ BOOST_AUTO_TEST_CASE(test_dname_processing) {
 
   BOOST_CHECK_EQUAL(queries, 4);
 
-  BOOST_CHECK(ret[0].d_type == QType::DNAME);
+  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
   BOOST_CHECK(ret[0].d_name == dnameOwner);
   BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
 
@@ -10893,11 +10893,11 @@ BOOST_AUTO_TEST_CASE(test_dname_processing) {
   BOOST_CHECK_EQUAL(res, RCode::NoError);
   BOOST_CHECK_EQUAL(queries, 5);
 
-  BOOST_CHECK(ret[0].d_type == QType::DNAME);
+  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
   BOOST_CHECK(ret[0].d_name == dnameOwner);
   BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
 
-  BOOST_CHECK(ret[1].d_type == QType::CNAME);
+  BOOST_REQUIRE(ret[1].d_type == QType::CNAME);
   BOOST_CHECK_EQUAL(ret[1].d_name, uncachedTarget);
   BOOST_CHECK_EQUAL(getRR<CNAMERecordContent>(ret[1])->getTarget(), uncachedCNAMETarget);
 
@@ -10910,7 +10910,7 @@ BOOST_AUTO_TEST_CASE(test_dname_processing) {
   BOOST_CHECK_EQUAL(res, RCode::NoError);
   BOOST_CHECK_EQUAL(queries, 5);
 
-  BOOST_CHECK(ret[0].d_type == QType::DNAME);
+  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
   BOOST_CHECK(ret[0].d_name == dnameOwner);
   BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
 
@@ -10920,11 +10920,11 @@ BOOST_AUTO_TEST_CASE(test_dname_processing) {
   BOOST_CHECK_EQUAL(res, RCode::NoError);
   BOOST_CHECK_EQUAL(queries, 5);
 
-  BOOST_CHECK(ret[0].d_type == QType::DNAME);
+  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
   BOOST_CHECK(ret[0].d_name == dnameOwner);
   BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
 
-  BOOST_CHECK(ret[1].d_type == QType::CNAME);
+  BOOST_REQUIRE(ret[1].d_type == QType::CNAME);
   BOOST_CHECK(ret[1].d_name == synthCNAME);
   BOOST_CHECK_EQUAL(getRR<CNAMERecordContent>(ret[1])->getTarget(), synthCNAMETarget);
 }
@@ -11032,11 +11032,11 @@ BOOST_AUTO_TEST_CASE(test_dname_dnssec_secure) {
 
   BOOST_CHECK_EQUAL(queries, 11);
 
-  BOOST_CHECK(ret[0].d_type == QType::DNAME);
+  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
   BOOST_CHECK(ret[0].d_name == dnameOwner);
   BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
 
-  BOOST_CHECK(ret[1].d_type == QType::RRSIG);
+  BOOST_REQUIRE(ret[1].d_type == QType::RRSIG);
   BOOST_CHECK_EQUAL(ret[1].d_name, dnameOwner);
 
   BOOST_CHECK(ret[2].d_type == QType::CNAME);
@@ -11058,7 +11058,7 @@ BOOST_AUTO_TEST_CASE(test_dname_dnssec_secure) {
 
   BOOST_CHECK_EQUAL(queries, 11);
 
-  BOOST_CHECK(ret[0].d_type == QType::DNAME);
+  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
   BOOST_CHECK(ret[0].d_name == dnameOwner);
   BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
 
@@ -11177,7 +11177,7 @@ BOOST_AUTO_TEST_CASE(test_dname_dnssec_insecure) {
 
   BOOST_CHECK_EQUAL(queries, 9);
 
-  BOOST_CHECK(ret[0].d_type == QType::DNAME);
+  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
   BOOST_CHECK(ret[0].d_name == dnameOwner);
   BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
 
@@ -11200,7 +11200,7 @@ BOOST_AUTO_TEST_CASE(test_dname_dnssec_insecure) {
 
   BOOST_CHECK_EQUAL(queries, 9);
 
-  BOOST_CHECK(ret[0].d_type == QType::DNAME);
+  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
   BOOST_CHECK(ret[0].d_name == dnameOwner);
   BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
 

From 623b30032972ce6705d72ba9448ceeaa817651df Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Tue, 5 Mar 2019 17:02:07 +0100
Subject: [PATCH 028/127] DNAME: remove useless piece of code

---
 pdns/syncres.cc | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 81fa46916008..4456a48156e2 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -2405,10 +2405,6 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
       expectSignature = false;
     }
 
-    if (isDNAMEAnswer && !isAA && i->first.place == DNSResourceRecord::ANSWER && i->first.type == QType::DNAME && qname.isPartOf(i->first.name)) {
-      isAA = true;
-    }
-
     if (isCNAMEAnswer && i->first.place == DNSResourceRecord::AUTHORITY && i->first.type == QType::NS && auth == i->first.name) {
       /* These NS can't be authoritative since we have a CNAME answer for which (see above) only the
          record describing that alias is necessarily authoritative.

From ee9b179cd4d5ff746421d32834697cad36dfee19 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Tue, 5 Mar 2019 17:07:57 +0100
Subject: [PATCH 029/127] DNAME: reserve extra spot in ret for synthesized
 CNAME

---
 pdns/syncres.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 4456a48156e2..f5d14e1307ad 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -1012,7 +1012,7 @@ bool SyncRes::doCNAMECacheCheck(const DNSName &qname, const QType &qtype, vector
         dr.d_ttl -= d_now.tv_sec;
         dr.d_ttl = std::min(dr.d_ttl, capTTL);
         const uint32_t ttl = dr.d_ttl;
-        ret.reserve(ret.size() + 1 + signatures.size() + authorityRecs.size());
+        ret.reserve(ret.size() + 2 + signatures.size() + authorityRecs.size());
         ret.push_back(dr);
 
         for(const auto& signature : signatures) {

From 92934404e837b81359601b4b16f2d3c83d9050c5 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Wed, 6 Mar 2019 10:37:39 +0100
Subject: [PATCH 030/127] DNAME: fix regression test

---
 regression-tests.recursor-dnssec/basicDNSSEC.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/regression-tests.recursor-dnssec/basicDNSSEC.py b/regression-tests.recursor-dnssec/basicDNSSEC.py
index aef9fc2a3436..04fc82308914 100644
--- a/regression-tests.recursor-dnssec/basicDNSSEC.py
+++ b/regression-tests.recursor-dnssec/basicDNSSEC.py
@@ -271,4 +271,3 @@ def testInsecureDNAMEtoSecureNXDomain(self):
         self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
         self.assertRRsetInAnswer(res, expectedCNAME)
         self.assertRRsetInAnswer(res, expectedDNAME)
-        self.assertMatchingRRSIGInAnswer(res, expectedDNAME)

From ee9360745e74862a148e35b6a1b47474f420c678 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Wed, 6 Mar 2019 13:34:21 +0100
Subject: [PATCH 031/127] DNAME: synthesize and check CNAME from response

---
 pdns/syncres.cc | 49 +++++++++++++++++++++++++++++++++++++------------
 1 file changed, 37 insertions(+), 12 deletions(-)

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index f5d14e1307ad..db3dd5512b46 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -1045,11 +1045,20 @@ bool SyncRes::doCNAMECacheCheck(const DNSName &qname, const QType &qtype, vector
           }
           auto dnameSuffix = dnameRR->getTarget();
           DNSName targetPrefix = qname.makeRelative(foundName);
-          dr.d_type = QType::CNAME;
-          dr.d_name = targetPrefix + foundName;
-          newTarget = targetPrefix + dnameSuffix;
-          dr.d_content = std::make_shared<CNAMERecordContent>(CNAMERecordContent(newTarget));
-          ret.push_back(dr);
+          try {
+            dr.d_type = QType::CNAME;
+            dr.d_name = targetPrefix + foundName;
+            newTarget = targetPrefix + dnameSuffix;
+            dr.d_content = std::make_shared<CNAMERecordContent>(CNAMERecordContent(newTarget));
+            ret.push_back(dr);
+          } catch (const std::exception &e) {
+            // We should probably catch an std::range_error here and set the rcode to YXDOMAIN (RFC 6672, section 2.2)
+            // But this is consistent with processRecords
+            throw ImmediateServFailException("Unable to perform DNAME substitution(DNAME owner: '" + foundName.toLogString() +
+                                             "', DNAME target: '" + dnameSuffix.toLogString() + "', substituted name: '" +
+                                             targetPrefix.toLogString() + "." + dnameSuffix.toLogString() +
+                                             "' : " + e.what());
+          }
 
           LOG(prefix<<qname<<": Synthesized "<<dr.d_name<<"|CNAME "<<newTarget<<endl);
         }
@@ -2537,6 +2546,7 @@ bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, co
 {
   bool done = false;
   DNSName dnameTarget, dnameOwner;
+  uint32_t dnameTTL = 0;
 
   for(auto& rec : lwr.d_records) {
     if (rec.d_type!=QType::OPT && rec.d_class!=QClass::IN)
@@ -2599,6 +2609,9 @@ bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, co
     else if(rec.d_place==DNSResourceRecord::ANSWER && s_redirectionQTypes.count(rec.d_type) > 0 && // CNAME or DNAME answer
         s_redirectionQTypes.count(qtype.getCode()) == 0) { // But not in response to a CNAME or DNAME query
       if (rec.d_type == QType::CNAME && rec.d_name == qname) {
+        if (!dnameOwner.empty()) { // We synthesize ourselves
+          continue;
+        }
         ret.push_back(rec);
         if (auto content = getRR<CNAMERecordContent>(rec)) {
           newtarget=content->getTarget();
@@ -2608,6 +2621,17 @@ bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, co
         if (auto content = getRR<DNAMERecordContent>(rec)) {
           dnameOwner = rec.d_name;
           dnameTarget = content->getTarget();
+          dnameTTL = rec.d_ttl;
+          try {
+            newtarget = qname.makeRelative(dnameOwner) + dnameTarget;
+          } catch (const std::exception &e) {
+            // We should probably catch an std::range_error here and set the rcode to YXDOMAIN (RFC 6672, section 2.2)
+            // But there is no way to set the RCODE from this function
+            throw ImmediateServFailException("Unable to perform DNAME substitution(DNAME owner: '" + dnameOwner.toLogString() +
+                                             "', DNAME target: '" + dnameTarget.toLogString() + "', substituted name: '" +
+                                             qname.makeRelative(dnameOwner).toLogString() + "." + dnameTarget.toLogString() +
+                                             "' : " + e.what());
+          }
         }
       }
     }
@@ -2760,13 +2784,14 @@ bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, co
     }
   }
 
-  if (!dnameTarget.empty() && !newtarget.empty()) {
-    DNSName substTarget = qname.makeRelative(dnameOwner) + dnameTarget;
-    if (substTarget != newtarget) {
-      throw ImmediateServFailException("Received wrong DNAME substitution. qname='" + qname.toLogString() +
-           "', DNAME owner='" + dnameOwner.toLogString() + "', DNAME target='" + dnameTarget.toLogString() +
-           "', received CNAME='" + newtarget.toLogString() + "', substituted CNAME='" + substTarget.toLogString() + "'");
-    }
+  if (!dnameTarget.empty()) {
+    // Synthesize a CNAME
+    auto cnamerec = DNSRecord();
+    cnamerec.d_name = qname;
+    cnamerec.d_type = QType::CNAME;
+    cnamerec.d_ttl = dnameTTL;
+    cnamerec.d_content = std::make_shared<CNAMERecordContent>(CNAMERecordContent(newtarget));
+    ret.push_back(cnamerec);
   }
   return done;
 }

From 44671635761cc86b789cfcfc31c4b32b009d9706 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Wed, 6 Mar 2019 13:36:33 +0100
Subject: [PATCH 032/127] DNAME: add some comments to the unit tests

---
 pdns/recursordist/test-syncres_cc.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc
index cba955f3c996..fbdb287a5b42 100644
--- a/pdns/recursordist/test-syncres_cc.cc
+++ b/pdns/recursordist/test-syncres_cc.cc
@@ -11000,7 +11000,7 @@ BOOST_AUTO_TEST_CASE(test_dname_dnssec_secure) {
           setLWResult(res, 0, true, false, false);
           addRecordToLW(res, dnameOwner, QType::DNAME, dnameTarget.toString());
           addRRSIG(keys, res->d_records, dnameOwner, 300);
-          addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString());
+          addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString()); // CNAME from a DNAME is not signed
           return 1;
         }
       } else if (ip == ComboAddress("192.0.2.2:53")) {
@@ -11152,7 +11152,7 @@ BOOST_AUTO_TEST_CASE(test_dname_dnssec_insecure) {
           setLWResult(res, 0, true, false, false);
           addRecordToLW(res, dnameOwner, QType::DNAME, dnameTarget.toString());
           addRRSIG(keys, res->d_records, dnameOwner, 300);
-          addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString());
+          addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString()); // CNAME from a DNAME is not signed
           return 1;
         }
       } else if (ip == ComboAddress("192.0.2.2:53")) {

From 3e0d25f37e3f6097ca95da856f30efa3530bbd1f Mon Sep 17 00:00:00 2001
From: Remi Gacogne <rgacogne@users.noreply.github.com>
Date: Fri, 8 Mar 2019 13:59:03 +0100
Subject: [PATCH 033/127] Update pdns/syncres.cc

Co-Authored-By: pieterlexis <pieterlexis@users.noreply.github.com>
---
 pdns/syncres.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index db3dd5512b46..e7002c20f7a0 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -1043,7 +1043,7 @@ bool SyncRes::doCNAMECacheCheck(const DNSName &qname, const QType &qtype, vector
           if (dnameRR == nullptr) {
             throw ImmediateServFailException("Unable to get record content for "+foundName.toLogString()+"|DNAME cache entry");
           }
-          auto dnameSuffix = dnameRR->getTarget();
+          const auto& dnameSuffix = dnameRR->getTarget();
           DNSName targetPrefix = qname.makeRelative(foundName);
           try {
             dr.d_type = QType::CNAME;

From 88bc98dc2346cec87f11059d24719e93be427878 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Mon, 11 Mar 2019 10:13:01 +0100
Subject: [PATCH 034/127] DNAME: Add comment in the tests

---
 pdns/recursordist/test-syncres_cc.cc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc
index fbdb287a5b42..a02f9ba3d375 100644
--- a/pdns/recursordist/test-syncres_cc.cc
+++ b/pdns/recursordist/test-syncres_cc.cc
@@ -10955,6 +10955,9 @@ BOOST_AUTO_TEST_CASE(test_dname_dnssec_secure) {
 
   sr->setAsyncCallback([dnameOwner, dnameTarget, target, cnameTarget, keys, &queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
       queries++;
+      /* We don't use the genericDSAndDNSKEYHandler here, as it would deny names existing at the wrong level of the tree, due to the way computeZoneCuts works
+       * As such, we need to do some more work to make the answers correct.
+       */
 
       if (isRootServer(ip)) {
         if (domain.countLabels() == 0 && type == QType::DNSKEY) { // .|DNSKEY

From 10ea4320ab0653f1dc875e4bed5b27bfb18511a4 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Mon, 11 Mar 2019 10:25:02 +0100
Subject: [PATCH 035/127] DNAME: add test for CNAME synthesis when none is sent

---
 pdns/recursordist/test-syncres_cc.cc | 85 ++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)

diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc
index a02f9ba3d375..d0a817896271 100644
--- a/pdns/recursordist/test-syncres_cc.cc
+++ b/pdns/recursordist/test-syncres_cc.cc
@@ -11217,6 +11217,91 @@ BOOST_AUTO_TEST_CASE(test_dname_dnssec_insecure) {
   BOOST_CHECK_EQUAL(ret[3].d_name, cnameTarget);
 }
 
+BOOST_AUTO_TEST_CASE(test_dname_processing_no_CNAME) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName dnameOwner("powerdns.com");
+  const DNSName dnameTarget("powerdns.net");
+
+  const DNSName target("dname.powerdns.com.");
+  const DNSName cnameTarget("dname.powerdns.net");
+
+  size_t queries = 0;
+
+  sr->setAsyncCallback([dnameOwner, dnameTarget, target, cnameTarget, &queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queries++;
+
+      if (isRootServer(ip)) {
+        if (domain.isPartOf(dnameOwner)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, dnameOwner, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+          addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        if (domain.isPartOf(dnameTarget)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, dnameTarget, QType::NS, "b.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+          addRecordToLW(res, "b.gtld-servers.net.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+        if (domain == target) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, dnameOwner, QType::DNAME, dnameTarget.toString());
+          // No CNAME, recursor should synth
+          return 1;
+        }
+      } else if (ip == ComboAddress("192.0.2.2:53")) {
+        if (domain == cnameTarget) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, domain, QType::A, "192.0.2.2");
+        }
+        return 1;
+      }
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 3);
+
+  BOOST_CHECK_EQUAL(queries, 4);
+
+  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
+  BOOST_CHECK(ret[0].d_name == dnameOwner);
+  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+  BOOST_CHECK(ret[1].d_type == QType::CNAME);
+  BOOST_CHECK_EQUAL(ret[1].d_name, target);
+
+  BOOST_CHECK(ret[2].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[2].d_name, cnameTarget);
+
+  // Now check the cache
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 3);
+
+  BOOST_CHECK_EQUAL(queries, 4);
+
+  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
+  BOOST_CHECK(ret[0].d_name == dnameOwner);
+  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+  BOOST_CHECK(ret[1].d_type == QType::CNAME);
+  BOOST_CHECK_EQUAL(ret[1].d_name, target);
+
+  BOOST_CHECK(ret[2].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[2].d_name, cnameTarget);
+}
+
 /*
 // cerr<<"asyncresolve called to ask "<<ip.toStringWithPort()<<" about "<<domain.toString()<<" / "<<QType(type).getName()<<" over "<<(doTCP ? "TCP" : "UDP")<<" (rd: "<<sendRDQuery<<", EDNS0 level: "<<EDNS0Level<<")"<<endl;
 

From e686a798d15e886416e7875ec02769cf1cf1a7a1 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Wed, 13 Mar 2019 10:43:23 +0100
Subject: [PATCH 036/127] DNAME: find CNAME first

---
 pdns/syncres.cc | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index e7002c20f7a0..fc8dc8d9fe5b 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -944,7 +944,14 @@ bool SyncRes::doCNAMECacheCheck(const DNSName &qname, const QType &qtype, vector
   DNSName foundName;
   QType foundQT = QType(0); // 0 == QTYPE::ENT
 
-  if (qname != g_rootdnsname) {
+  LOG(prefix<<qname<<": Looking for CNAME cache hit of '"<<qname<<"|CNAME"<<"'"<<endl);
+  /* we don't require auth data for forward-recurse lookups */
+  if (t_RC->get(d_now.tv_sec, qname, QType(QType::CNAME), !wasForwardRecurse && d_requireAuthData, &cset, d_cacheRemote, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &state, &wasAuth) > 0) {
+    foundName = qname;
+    foundQT = QType(QType::CNAME);
+  }
+
+  if (foundName.empty() && qname != g_rootdnsname) {
     // look for a DNAME cache hit
     auto labels = qname.getRawLabels();
     DNSName dnameName(g_rootdnsname);
@@ -964,15 +971,6 @@ bool SyncRes::doCNAMECacheCheck(const DNSName &qname, const QType &qtype, vector
     } while(!labels.empty());
   }
 
-  if (foundName.empty()) {
-    LOG(prefix<<qname<<": Looking for CNAME cache hit of '"<<qname<<"|CNAME"<<"'"<<endl);
-    /* we don't require auth data for forward-recurse lookups */
-    if (t_RC->get(d_now.tv_sec, qname, QType(QType::CNAME), !wasForwardRecurse && d_requireAuthData, &cset, d_cacheRemote, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &state, &wasAuth) > 0) {
-      foundName = qname;
-      foundQT = QType(QType::CNAME);
-    }
-  }
-
   if(!foundName.empty()) {
     for(auto j=cset.cbegin() ; j != cset.cend() ; ++j) {
       if (j->d_class != QClass::IN) {

From 29ec25aa434db2d57480ac553c2dae7a09dae37d Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Wed, 13 Mar 2019 10:59:54 +0100
Subject: [PATCH 037/127] DNAME: properly remove CNAME from auth answers

---
 pdns/syncres.cc | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index fc8dc8d9fe5b..dbb2fd91e9e0 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -2620,6 +2620,15 @@ bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, co
           dnameOwner = rec.d_name;
           dnameTarget = content->getTarget();
           dnameTTL = rec.d_ttl;
+          if (!newtarget.empty()) { // We had a CNAME before, remove it from ret so we don't cache it
+            ret.erase(std::remove_if(
+                  ret.begin(),
+                  ret.end(),
+                  [&qname](DNSRecord& rr) {
+                    return (rr.d_place == DNSResourceRecord::ANSWER && rr.d_type == QType::CNAME && rr.d_name == qname);
+                  }),
+                  ret.end());
+          }
           try {
             newtarget = qname.makeRelative(dnameOwner) + dnameTarget;
           } catch (const std::exception &e) {

From 4d76766d0b0158a12c9ca94d047f0015e5f23e23 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Tue, 12 Mar 2019 12:09:53 +0100
Subject: [PATCH 038/127] pdnsutil: error on broken IPs in masters field

---
 pdns/backends/gsql/gsqlbackend.cc | 22 +++++++++++-----------
 pdns/pdnsutil.cc                  | 17 ++++++++++++++---
 2 files changed, 25 insertions(+), 14 deletions(-)

diff --git a/pdns/backends/gsql/gsqlbackend.cc b/pdns/backends/gsql/gsqlbackend.cc
index 95f850c8116d..29c890a8ab4a 100644
--- a/pdns/backends/gsql/gsqlbackend.cc
+++ b/pdns/backends/gsql/gsqlbackend.cc
@@ -292,14 +292,16 @@ bool GSQLBackend::getDomainInfo(const DNSName &domain, DomainInfo &di, bool getS
   } catch (...) {
     return false;
   }
+  string type=d_result[0][5];
+  di.account=d_result[0][6];
+  di.kind = DomainInfo::stringToKind(type);
+
   vector<string> masters;
   stringtok(masters, d_result[0][2], " ,\t");
   for(const auto& m : masters)
     di.masters.emplace_back(m, 53);
   di.last_check=pdns_stou(d_result[0][3]);
   di.notified_serial = pdns_stou(d_result[0][4]);
-  string type=d_result[0][5];
-  di.account=d_result[0][6];
   di.backend=this;
 
   di.serial = 0;
@@ -316,8 +318,6 @@ bool GSQLBackend::getDomainInfo(const DNSName &domain, DomainInfo &di, bool getS
     }
   }
 
-  di.kind = DomainInfo::stringToKind(type);
-
   return true;
 }
 
@@ -1265,6 +1265,13 @@ void GSQLBackend::getAllDomains(vector<DomainInfo> *domains, bool include_disabl
       } catch (...) {
         continue;
       }
+
+      if (pdns_iequals(row[3], "MASTER"))
+        di.kind = DomainInfo::Master;
+      else if (pdns_iequals(row[3], "SLAVE"))
+        di.kind = DomainInfo::Slave;
+      else
+        di.kind = DomainInfo::Native;
   
       if (!row[4].empty()) {
         vector<string> masters;
@@ -1280,13 +1287,6 @@ void GSQLBackend::getAllDomains(vector<DomainInfo> *domains, bool include_disabl
       di.last_check = pdns_stou(row[6]);
       di.account = row[7];
 
-      if (pdns_iequals(row[3], "MASTER"))
-        di.kind = DomainInfo::Master;
-      else if (pdns_iequals(row[3], "SLAVE"))
-        di.kind = DomainInfo::Slave;
-      else
-        di.kind = DomainInfo::Native;
-  
       di.backend = this;
   
       domains->push_back(di);
diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc
index cd753330f5d5..e7de035cff2b 100644
--- a/pdns/pdnsutil.cc
+++ b/pdns/pdnsutil.cc
@@ -239,10 +239,23 @@ bool rectifyAllZones(DNSSECKeeper &dk, bool quiet = false)
 
 int checkZone(DNSSECKeeper &dk, UeberBackend &B, const DNSName& zone, const vector<DNSResourceRecord>* suppliedrecords=0)
 {
+  uint64_t numerrors=0, numwarnings=0;
+
+  DomainInfo di;
+  try {
+    B.getDomainInfo(zone, di);
+  } catch(const PDNSException &e) {
+    if (di.kind == DomainInfo::Slave) {
+      cout<<"[Error] non-IP address for masters: "<<e.reason<<endl;
+      numerrors++;
+    }
+  }
+
   SOAData sd;
   if(!B.getSOAUncached(zone, sd)) {
     cout<<"[Error] No SOA record present, or active, in zone '"<<zone<<"'"<<endl;
-    cout<<"Checked 0 records of '"<<zone<<"', 1 errors, 0 warnings."<<endl;
+    numerrors++;
+    cout<<"Checked 0 records of '"<<zone<<"', "<<numerrors<<" errors, 0 warnings."<<endl;
     return 1;
   }
 
@@ -256,8 +269,6 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const DNSName& zone, const vect
   vector<string> checkKeyErrors;
   bool validKeys=dk.checkKeys(zone, &checkKeyErrors);
 
-  uint64_t numerrors=0, numwarnings=0;
-
   if (haveNSEC3) {
     if(isSecure && zone.wirelength() > 222) {
       numerrors++;

From 27efa4be12a39dc25a5d5fb768d035ceb864628f Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Tue, 12 Mar 2019 12:47:26 +0100
Subject: [PATCH 039/127] auth: report DomainInfo errors in the API

---
 pdns/ws-auth.cc | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index d2c3f9ae0db3..df59b7eaf1d8 100644
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -620,6 +620,11 @@ static void updateDomainSettingsFromDocument(UeberBackend& B, const DomainInfo&
     string master = value.string_value();
     if (master.empty())
       throw ApiException("Master can not be an empty string");
+    try {
+      ComboAddress m(master);
+    } catch (const PDNSException &e) {
+      throw ApiException("Master (" + master + ") is not an IP address: " + e.reason);
+    }
     zonemaster.push_back(master);
   }
 
@@ -1689,8 +1694,12 @@ static void apiServerZoneDetail(HttpRequest* req, HttpResponse* resp) {
 
   UeberBackend B;
   DomainInfo di;
-  if (!B.getDomainInfo(zonename, di)) {
-    throw HttpNotFoundException();
+  try {
+    if (!B.getDomainInfo(zonename, di)) {
+      throw HttpNotFoundException();
+    }
+  } catch(const PDNSException &e) {
+    throw HttpInternalServerErrorException("Could not retrieve Domain Info: " + e.reason);
   }
 
   if(req->method == "PUT") {

From 2f9dad3733e88b0eb9170560ee3004e444d594b7 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Tue, 12 Mar 2019 14:28:49 +0100
Subject: [PATCH 040/127] GSQLBackend::getUnfreshSlaveInfos: log data errors
 properly

---
 pdns/backends/gsql/gsqlbackend.cc | 46 +++++++++++++++++++++++++------
 1 file changed, 37 insertions(+), 9 deletions(-)

diff --git a/pdns/backends/gsql/gsqlbackend.cc b/pdns/backends/gsql/gsqlbackend.cc
index 29c890a8ab4a..9287010f5117 100644
--- a/pdns/backends/gsql/gsqlbackend.cc
+++ b/pdns/backends/gsql/gsqlbackend.cc
@@ -341,23 +341,51 @@ void GSQLBackend::getUnfreshSlaveInfos(vector<DomainInfo> *unfreshDomains)
 
   for(const auto& row : d_result) { // id,name,master,last_check
     DomainInfo sd;
-    ASSERT_ROW_COLUMNS("info-all-slaves-query", row, 4);
+    try {
+      ASSERT_ROW_COLUMNS("info-all-slaves-query", row, 4);
+    } catch(const PDNSException &e) {
+      g_log<<Logger::Warning<<e.reason<<endl;
+      continue;
+    }
+
+    try {
+      sd.zone = DNSName(row[1]);
+    } catch(const PDNSException &e) {
+      g_log<<Logger::Warning<<"Domain name '"<<row[1]<<"' is not a valid DNS name: "<<e.reason<<endl;
+      continue;
+    }
+
     try {
       sd.id=pdns_stou(row[0]);
-      sd.zone= DNSName(row[1]);
+    } catch (const std::exception &e) {
+      g_log<<Logger::Warning<<"Could not convert id ("<<row[0]<<") for domain '"<<sd.zone<<"' into an integer: "<<e.what()<<endl;
+      continue;
+    }
 
-      vector<string> masters;
-      stringtok(masters, row[2], ", \t");
-      for(const auto& m : masters)
+    vector<string> masters;
+    stringtok(masters, row[2], ", \t");
+    for(const auto& m : masters) {
+      try {
         sd.masters.emplace_back(m, 53);
+      } catch(const PDNSException &e) {
+        g_log<<Logger::Warning<<"Could not parse master address ("<<m<<") for zone '"<<sd.zone<<"': "<<e.reason<<endl;
+      }
+    }
+    if (sd.masters.empty()) {
+      g_log<<Logger::Warning<<"No masters for slave zone '"<<sd.zone<<"' found in the database"<<endl;
+      continue;
+    }
 
+    try {
       sd.last_check=pdns_stou(row[3]);
-      sd.backend=this;
-      sd.kind=DomainInfo::Slave;
-      allSlaves.push_back(sd);
-    } catch (...) {
+    } catch (const std::exception &e) {
+      g_log<<Logger::Warning<<"Could not convert last_check ("<<row[3]<<") for domain '"<<sd.zone<<"' into an integer: "<<e.what()<<endl;
       continue;
     }
+
+    sd.backend=this;
+    sd.kind=DomainInfo::Slave;
+    allSlaves.push_back(sd);
   }
 
   for (auto& slave : allSlaves) {

From 72abd9ef4cd272f9a870e0d7af425e51b565b302 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Tue, 12 Mar 2019 16:26:13 +0100
Subject: [PATCH 041/127] Webserver: Don't swallow errors from getAllDomains

---
 pdns/backends/gsql/gsqlbackend.cc | 9 +++++++--
 pdns/ws-auth.cc                   | 6 +++++-
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/pdns/backends/gsql/gsqlbackend.cc b/pdns/backends/gsql/gsqlbackend.cc
index 9287010f5117..b3af298619c7 100644
--- a/pdns/backends/gsql/gsqlbackend.cc
+++ b/pdns/backends/gsql/gsqlbackend.cc
@@ -1304,8 +1304,13 @@ void GSQLBackend::getAllDomains(vector<DomainInfo> *domains, bool include_disabl
       if (!row[4].empty()) {
         vector<string> masters;
         stringtok(masters, row[4], " ,\t");
-        for(const auto& m : masters)
-          di.masters.emplace_back(m, 53);
+        for(const auto& m : masters) {
+          try {
+            di.masters.emplace_back(m, 53);
+          } catch(const PDNSException &e) {
+            throw PDNSException("Could not parse master address (" + m + ") for zone '" + di.zone.toLogString() + "': " + e.reason);
+          }
+        }
       }
 
       SOAData sd;
diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index df59b7eaf1d8..83f9f30b1619 100644
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -1679,7 +1679,11 @@ static void apiServerZones(HttpRequest* req, HttpResponse* resp) {
       domains.push_back(di);
     }
   } else {
-    B.getAllDomains(&domains, true); // incl. disabled
+    try {
+      B.getAllDomains(&domains, true); // incl. disabled
+    } catch(const PDNSException &e) {
+      throw HttpInternalServerErrorException("Could not retrieve all domain information: " + e.reason);
+    }
   }
 
   Json::array doc;

From 51912a5e31553266a95fbaa9e1e442d3316ff3bf Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Fri, 15 Mar 2019 14:05:20 +0100
Subject: [PATCH 042/127] GSQLBackend: fix logging nits

---
 pdns/backends/gsql/gsqlbackend.cc | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/pdns/backends/gsql/gsqlbackend.cc b/pdns/backends/gsql/gsqlbackend.cc
index b3af298619c7..7d6696d021ca 100644
--- a/pdns/backends/gsql/gsqlbackend.cc
+++ b/pdns/backends/gsql/gsqlbackend.cc
@@ -350,8 +350,8 @@ void GSQLBackend::getUnfreshSlaveInfos(vector<DomainInfo> *unfreshDomains)
 
     try {
       sd.zone = DNSName(row[1]);
-    } catch(const PDNSException &e) {
-      g_log<<Logger::Warning<<"Domain name '"<<row[1]<<"' is not a valid DNS name: "<<e.reason<<endl;
+    } catch(const std::runtime_error &e) {
+      g_log<<Logger::Warning<<"Domain name '"<<row[1]<<"' is not a valid DNS name: "<<e.what()<<endl;
       continue;
     }
 
@@ -1294,12 +1294,16 @@ void GSQLBackend::getAllDomains(vector<DomainInfo> *domains, bool include_disabl
         continue;
       }
 
-      if (pdns_iequals(row[3], "MASTER"))
+      if (pdns_iequals(row[3], "MASTER")) {
         di.kind = DomainInfo::Master;
-      else if (pdns_iequals(row[3], "SLAVE"))
+      } else if (pdns_iequals(row[3], "SLAVE")) {
         di.kind = DomainInfo::Slave;
-      else
+      } else if (pdns_iequals(row[3], "NATIVE")) {
         di.kind = DomainInfo::Native;
+      } else {
+        g_log<<Logger::Warning<<"Could not parse domain kind '"<<row[3]<<"' as one of 'MASTER', 'SLAVE' or 'NATIVE'. Setting zone kind to 'NATIVE'"<<endl;
+        di.kind = DomainInfo::Native;
+      }
   
       if (!row[4].empty()) {
         vector<string> masters;

From 08be8a8a36b96ee17611aa7edb3143848f7bc573 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Fri, 15 Mar 2019 14:11:27 +0100
Subject: [PATCH 043/127] GSQLBackend::getAllDomains: don't throw on a broken
 master address

---
 pdns/backends/gsql/gsqlbackend.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pdns/backends/gsql/gsqlbackend.cc b/pdns/backends/gsql/gsqlbackend.cc
index 7d6696d021ca..412a3768cd1b 100644
--- a/pdns/backends/gsql/gsqlbackend.cc
+++ b/pdns/backends/gsql/gsqlbackend.cc
@@ -1312,7 +1312,7 @@ void GSQLBackend::getAllDomains(vector<DomainInfo> *domains, bool include_disabl
           try {
             di.masters.emplace_back(m, 53);
           } catch(const PDNSException &e) {
-            throw PDNSException("Could not parse master address (" + m + ") for zone '" + di.zone.toLogString() + "': " + e.reason);
+            g_log<<Logger::Warning<<"Could not parse master address ("<<m<<") for zone '"<<di.zone<<"': "<<e.reason;
           }
         }
       }

From ecc8bfeed86429ce0c4900f17dedd5b6efd85299 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Fri, 15 Mar 2019 15:29:37 +0100
Subject: [PATCH 044/127] GSQLBackend::getUnfreshSlaveInfos: log row assertion
 only once

---
 pdns/backends/gsql/gsqlbackend.cc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/pdns/backends/gsql/gsqlbackend.cc b/pdns/backends/gsql/gsqlbackend.cc
index 412a3768cd1b..691ff810a575 100644
--- a/pdns/backends/gsql/gsqlbackend.cc
+++ b/pdns/backends/gsql/gsqlbackend.cc
@@ -339,12 +339,16 @@ void GSQLBackend::getUnfreshSlaveInfos(vector<DomainInfo> *unfreshDomains)
 
   vector<DomainInfo> allSlaves;
 
+  bool loggedAssertRowColumns = false;
   for(const auto& row : d_result) { // id,name,master,last_check
     DomainInfo sd;
     try {
       ASSERT_ROW_COLUMNS("info-all-slaves-query", row, 4);
     } catch(const PDNSException &e) {
-      g_log<<Logger::Warning<<e.reason<<endl;
+      if (!loggedAssertRowColumns) {
+        g_log<<Logger::Warning<<e.reason<<endl;
+      }
+      loggedAssertRowColumns = true;
       continue;
     }
 

From 84a0889a52a6053238dddf35e96c5bad8fae0d74 Mon Sep 17 00:00:00 2001
From: Kees Monshouwer <mind04@monshouwer.org>
Date: Wed, 27 Mar 2019 00:50:25 +0100
Subject: [PATCH 045/127] auth: add referral response tests for DS queries

---
 regression-tests.rootzone/tests/axfr/expected_result   |  5 +++++
 .../tests/axfr/expected_result.dnssec                  | 10 +++++++++-
 .../tests/axfr/expected_result.nsec3                   |  8 ++++++++
 .../tests/axfr/expected_result.nsec3-optout            |  8 ++++++++
 .../tests/ds-at-ent-from-glue/command                  |  1 +
 .../tests/ds-at-ent-from-glue/description              |  2 ++
 .../tests/ds-at-ent-from-glue/expected_result          |  5 +++++
 .../tests/ds-at-ent-from-glue/expected_result.dnssec   |  6 ++++++
 regression-tests.rootzone/tests/ds-at-ent/command      |  1 +
 regression-tests.rootzone/tests/ds-at-ent/description  |  1 +
 .../tests/ds-at-ent/expected_result                    |  5 +++++
 .../tests/ds-at-ent/expected_result.dnssec             |  6 ++++++
 regression-tests.rootzone/tests/ds-at-glue/command     |  1 +
 regression-tests.rootzone/tests/ds-at-glue/description |  1 +
 .../tests/ds-at-glue/expected_result                   |  5 +++++
 .../tests/ds-at-glue/expected_result.dnssec            |  6 ++++++
 regression-tests.rootzone/zones/ROOT                   |  6 ++++++
 17 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100755 regression-tests.rootzone/tests/ds-at-ent-from-glue/command
 create mode 100644 regression-tests.rootzone/tests/ds-at-ent-from-glue/description
 create mode 100644 regression-tests.rootzone/tests/ds-at-ent-from-glue/expected_result
 create mode 100644 regression-tests.rootzone/tests/ds-at-ent-from-glue/expected_result.dnssec
 create mode 100755 regression-tests.rootzone/tests/ds-at-ent/command
 create mode 100644 regression-tests.rootzone/tests/ds-at-ent/description
 create mode 100644 regression-tests.rootzone/tests/ds-at-ent/expected_result
 create mode 100644 regression-tests.rootzone/tests/ds-at-ent/expected_result.dnssec
 create mode 100755 regression-tests.rootzone/tests/ds-at-glue/command
 create mode 100644 regression-tests.rootzone/tests/ds-at-glue/description
 create mode 100644 regression-tests.rootzone/tests/ds-at-glue/expected_result
 create mode 100644 regression-tests.rootzone/tests/ds-at-glue/expected_result.dnssec

diff --git a/regression-tests.rootzone/tests/axfr/expected_result b/regression-tests.rootzone/tests/axfr/expected_result
index 0b76cb425d40..29b81b58ad28 100644
--- a/regression-tests.rootzone/tests/axfr/expected_result
+++ b/regression-tests.rootzone/tests/axfr/expected_result
@@ -5,6 +5,11 @@ a.gtld-servers.net.	172800	IN	A	192.5.6.30
 a.gtld-servers.net.	172800	IN	AAAA	2001:503:a83e::2:30
 a.root-servers.net.	518400	IN	A	198.41.0.4
 a.root-servers.net.	518400	IN	AAAA	2001:503:ba3e::2:30
+barney.advsys.co.uk.	172800	IN	A	217.23.160.50
 net.	172800	IN	NS	a.gtld-servers.net.
 net.	86400	IN	DS	35886 8 2 7862b27f5f516ebe19680444d4ce5e762981931842c465f00236401d8bd973ee
+nsa.nic.uk.	172800	IN	A	156.154.100.3
+nsa.nic.uk.	172800	IN	AAAA	2001:502:ad09::3
 org.	172800	IN	NS	a.gtld-servers.net.
+uk.	172800	IN	NS	nsa.nic.uk.
+uk.	86400	IN	DS	43876 8 2 a107ed2ac1bd14d924173bc7e827a1153582072394f9272ba37e2353bc659603
diff --git a/regression-tests.rootzone/tests/axfr/expected_result.dnssec b/regression-tests.rootzone/tests/axfr/expected_result.dnssec
index f89385cf385a..db244622a2bc 100644
--- a/regression-tests.rootzone/tests/axfr/expected_result.dnssec
+++ b/regression-tests.rootzone/tests/axfr/expected_result.dnssec
@@ -11,11 +11,19 @@ a.gtld-servers.net.	172800	IN	A	192.5.6.30
 a.gtld-servers.net.	172800	IN	AAAA	2001:503:a83e::2:30
 a.root-servers.net.	518400	IN	A	198.41.0.4
 a.root-servers.net.	518400	IN	AAAA	2001:503:ba3e::2:30
+barney.advsys.co.uk.	172800	IN	A	217.23.160.50
 net.	172800	IN	NS	a.gtld-servers.net.
 net.	86400	IN	DS	35886 8 2 7862b27f5f516ebe19680444d4ce5e762981931842c465f00236401d8bd973ee
 net.	86400	IN	NSEC	org. NS DS RRSIG NSEC
 net.	86400	IN	RRSIG	DS 13 1 86400 [expiry] [inception] [keytag] . ...
 net.	86400	IN	RRSIG	NSEC 13 1 86400 [expiry] [inception] [keytag] . ...
+nsa.nic.uk.	172800	IN	A	156.154.100.3
+nsa.nic.uk.	172800	IN	AAAA	2001:502:ad09::3
 org.	172800	IN	NS	a.gtld-servers.net.
-org.	86400	IN	NSEC	. NS RRSIG NSEC
+org.	86400	IN	NSEC	uk. NS RRSIG NSEC
 org.	86400	IN	RRSIG	NSEC 13 1 86400 [expiry] [inception] [keytag] . ...
+uk.	172800	IN	NS	nsa.nic.uk.
+uk.	86400	IN	DS	43876 8 2 a107ed2ac1bd14d924173bc7e827a1153582072394f9272ba37e2353bc659603
+uk.	86400	IN	NSEC	. NS DS RRSIG NSEC
+uk.	86400	IN	RRSIG	DS 13 1 86400 [expiry] [inception] [keytag] . ...
+uk.	86400	IN	RRSIG	NSEC 13 1 86400 [expiry] [inception] [keytag] . ...
diff --git a/regression-tests.rootzone/tests/axfr/expected_result.nsec3 b/regression-tests.rootzone/tests/axfr/expected_result.nsec3
index aa6d56d3c0f9..28e62f8985ad 100644
--- a/regression-tests.rootzone/tests/axfr/expected_result.nsec3
+++ b/regression-tests.rootzone/tests/axfr/expected_result.nsec3
@@ -13,11 +13,19 @@ a.gtld-servers.net.	172800	IN	A	192.5.6.30
 a.gtld-servers.net.	172800	IN	AAAA	2001:503:a83e::2:30
 a.root-servers.net.	518400	IN	A	198.41.0.4
 a.root-servers.net.	518400	IN	AAAA	2001:503:ba3e::2:30
+barney.advsys.co.uk.	172800	IN	A	217.23.160.50
 net.	172800	IN	NS	a.gtld-servers.net.
 net.	86400	IN	DS	35886 8 2 7862b27f5f516ebe19680444d4ce5e762981931842c465f00236401d8bd973ee
 net.	86400	IN	NSEC3	1 0 1 abcd [next owner] NS DS RRSIG
 net.	86400	IN	RRSIG	DS 13 1 86400 [expiry] [inception] [keytag] . ...
 net.	86400	IN	RRSIG	NSEC3 13 1 86400 [expiry] [inception] [keytag] . ...
+nsa.nic.uk.	172800	IN	A	156.154.100.3
+nsa.nic.uk.	172800	IN	AAAA	2001:502:ad09::3
 org.	172800	IN	NS	a.gtld-servers.net.
 org.	86400	IN	NSEC3	1 0 1 abcd [next owner] NS
 org.	86400	IN	RRSIG	NSEC3 13 1 86400 [expiry] [inception] [keytag] . ...
+uk.	172800	IN	NS	nsa.nic.uk.
+uk.	86400	IN	DS	43876 8 2 a107ed2ac1bd14d924173bc7e827a1153582072394f9272ba37e2353bc659603
+uk.	86400	IN	NSEC3	1 0 1 abcd [next owner] NS DS RRSIG
+uk.	86400	IN	RRSIG	DS 13 1 86400 [expiry] [inception] [keytag] . ...
+uk.	86400	IN	RRSIG	NSEC3 13 1 86400 [expiry] [inception] [keytag] . ...
diff --git a/regression-tests.rootzone/tests/axfr/expected_result.nsec3-optout b/regression-tests.rootzone/tests/axfr/expected_result.nsec3-optout
index ed8d610f2cfe..d86c7120534f 100644
--- a/regression-tests.rootzone/tests/axfr/expected_result.nsec3-optout
+++ b/regression-tests.rootzone/tests/axfr/expected_result.nsec3-optout
@@ -13,9 +13,17 @@ a.gtld-servers.net.	172800	IN	A	192.5.6.30
 a.gtld-servers.net.	172800	IN	AAAA	2001:503:a83e::2:30
 a.root-servers.net.	518400	IN	A	198.41.0.4
 a.root-servers.net.	518400	IN	AAAA	2001:503:ba3e::2:30
+barney.advsys.co.uk.	172800	IN	A	217.23.160.50
 net.	172800	IN	NS	a.gtld-servers.net.
 net.	86400	IN	DS	35886 8 2 7862b27f5f516ebe19680444d4ce5e762981931842c465f00236401d8bd973ee
 net.	86400	IN	NSEC3	1 1 1 abcd [next owner] NS DS RRSIG
 net.	86400	IN	RRSIG	DS 13 1 86400 [expiry] [inception] [keytag] . ...
 net.	86400	IN	RRSIG	NSEC3 13 1 86400 [expiry] [inception] [keytag] . ...
+nsa.nic.uk.	172800	IN	A	156.154.100.3
+nsa.nic.uk.	172800	IN	AAAA	2001:502:ad09::3
 org.	172800	IN	NS	a.gtld-servers.net.
+uk.	172800	IN	NS	nsa.nic.uk.
+uk.	86400	IN	DS	43876 8 2 a107ed2ac1bd14d924173bc7e827a1153582072394f9272ba37e2353bc659603
+uk.	86400	IN	NSEC3	1 1 1 abcd [next owner] NS DS RRSIG
+uk.	86400	IN	RRSIG	DS 13 1 86400 [expiry] [inception] [keytag] . ...
+uk.	86400	IN	RRSIG	NSEC3 13 1 86400 [expiry] [inception] [keytag] . ...
diff --git a/regression-tests.rootzone/tests/ds-at-ent-from-glue/command b/regression-tests.rootzone/tests/ds-at-ent-from-glue/command
new file mode 100755
index 000000000000..5eb6bf5cd5f1
--- /dev/null
+++ b/regression-tests.rootzone/tests/ds-at-ent-from-glue/command
@@ -0,0 +1 @@
+cleandig co.uk DS
diff --git a/regression-tests.rootzone/tests/ds-at-ent-from-glue/description b/regression-tests.rootzone/tests/ds-at-ent-from-glue/description
new file mode 100644
index 000000000000..f73191c97459
--- /dev/null
+++ b/regression-tests.rootzone/tests/ds-at-ent-from-glue/description
@@ -0,0 +1,2 @@
+A DS query at empty non-terminal (derived from glue) level.
+Should result in a referral response.
diff --git a/regression-tests.rootzone/tests/ds-at-ent-from-glue/expected_result b/regression-tests.rootzone/tests/ds-at-ent-from-glue/expected_result
new file mode 100644
index 000000000000..c6b505054f7d
--- /dev/null
+++ b/regression-tests.rootzone/tests/ds-at-ent-from-glue/expected_result
@@ -0,0 +1,5 @@
+1	uk.	IN	NS	172800	nsa.nic.uk.
+2	nsa.nic.uk.	IN	A	172800	156.154.100.3
+2	nsa.nic.uk.	IN	AAAA	172800	2001:502:ad09::3
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
+Reply to question for qname='co.uk.', qtype=DS
diff --git a/regression-tests.rootzone/tests/ds-at-ent-from-glue/expected_result.dnssec b/regression-tests.rootzone/tests/ds-at-ent-from-glue/expected_result.dnssec
new file mode 100644
index 000000000000..f714a769c8f3
--- /dev/null
+++ b/regression-tests.rootzone/tests/ds-at-ent-from-glue/expected_result.dnssec
@@ -0,0 +1,6 @@
+1	uk.	IN	DS	86400	43876 8 2 a107ed2ac1bd14d924173bc7e827a1153582072394f9272ba37e2353bc659603
+1	uk.	IN	NS	172800	nsa.nic.uk.
+2	nsa.nic.uk.	IN	A	172800	156.154.100.3
+2	nsa.nic.uk.	IN	AAAA	172800	2001:502:ad09::3
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
+Reply to question for qname='co.uk.', qtype=DS
diff --git a/regression-tests.rootzone/tests/ds-at-ent/command b/regression-tests.rootzone/tests/ds-at-ent/command
new file mode 100755
index 000000000000..5eb6bf5cd5f1
--- /dev/null
+++ b/regression-tests.rootzone/tests/ds-at-ent/command
@@ -0,0 +1 @@
+cleandig co.uk DS
diff --git a/regression-tests.rootzone/tests/ds-at-ent/description b/regression-tests.rootzone/tests/ds-at-ent/description
new file mode 100644
index 000000000000..77ce502b1966
--- /dev/null
+++ b/regression-tests.rootzone/tests/ds-at-ent/description
@@ -0,0 +1 @@
+A DS query at empty non-terminal level. Should result in a referral response.
diff --git a/regression-tests.rootzone/tests/ds-at-ent/expected_result b/regression-tests.rootzone/tests/ds-at-ent/expected_result
new file mode 100644
index 000000000000..c6b505054f7d
--- /dev/null
+++ b/regression-tests.rootzone/tests/ds-at-ent/expected_result
@@ -0,0 +1,5 @@
+1	uk.	IN	NS	172800	nsa.nic.uk.
+2	nsa.nic.uk.	IN	A	172800	156.154.100.3
+2	nsa.nic.uk.	IN	AAAA	172800	2001:502:ad09::3
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
+Reply to question for qname='co.uk.', qtype=DS
diff --git a/regression-tests.rootzone/tests/ds-at-ent/expected_result.dnssec b/regression-tests.rootzone/tests/ds-at-ent/expected_result.dnssec
new file mode 100644
index 000000000000..f714a769c8f3
--- /dev/null
+++ b/regression-tests.rootzone/tests/ds-at-ent/expected_result.dnssec
@@ -0,0 +1,6 @@
+1	uk.	IN	DS	86400	43876 8 2 a107ed2ac1bd14d924173bc7e827a1153582072394f9272ba37e2353bc659603
+1	uk.	IN	NS	172800	nsa.nic.uk.
+2	nsa.nic.uk.	IN	A	172800	156.154.100.3
+2	nsa.nic.uk.	IN	AAAA	172800	2001:502:ad09::3
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
+Reply to question for qname='co.uk.', qtype=DS
diff --git a/regression-tests.rootzone/tests/ds-at-glue/command b/regression-tests.rootzone/tests/ds-at-glue/command
new file mode 100755
index 000000000000..37428bf1605f
--- /dev/null
+++ b/regression-tests.rootzone/tests/ds-at-glue/command
@@ -0,0 +1 @@
+cleandig barney.advsys.co.uk DS
diff --git a/regression-tests.rootzone/tests/ds-at-glue/description b/regression-tests.rootzone/tests/ds-at-glue/description
new file mode 100644
index 000000000000..9ed8708277b2
--- /dev/null
+++ b/regression-tests.rootzone/tests/ds-at-glue/description
@@ -0,0 +1 @@
+A DS query at glue level. Should result in a referral response.
diff --git a/regression-tests.rootzone/tests/ds-at-glue/expected_result b/regression-tests.rootzone/tests/ds-at-glue/expected_result
new file mode 100644
index 000000000000..8bff8257849d
--- /dev/null
+++ b/regression-tests.rootzone/tests/ds-at-glue/expected_result
@@ -0,0 +1,5 @@
+1	uk.	IN	NS	172800	nsa.nic.uk.
+2	nsa.nic.uk.	IN	A	172800	156.154.100.3
+2	nsa.nic.uk.	IN	AAAA	172800	2001:502:ad09::3
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
+Reply to question for qname='barney.advsys.co.uk.', qtype=DS
diff --git a/regression-tests.rootzone/tests/ds-at-glue/expected_result.dnssec b/regression-tests.rootzone/tests/ds-at-glue/expected_result.dnssec
new file mode 100644
index 000000000000..07271b403738
--- /dev/null
+++ b/regression-tests.rootzone/tests/ds-at-glue/expected_result.dnssec
@@ -0,0 +1,6 @@
+1	uk.	IN	DS	86400	43876 8 2 a107ed2ac1bd14d924173bc7e827a1153582072394f9272ba37e2353bc659603
+1	uk.	IN	NS	172800	nsa.nic.uk.
+2	nsa.nic.uk.	IN	A	172800	156.154.100.3
+2	nsa.nic.uk.	IN	AAAA	172800	2001:502:ad09::3
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
+Reply to question for qname='barney.advsys.co.uk.', qtype=DS
diff --git a/regression-tests.rootzone/zones/ROOT b/regression-tests.rootzone/zones/ROOT
index b183bdd63f01..8fd586e68b11 100644
--- a/regression-tests.rootzone/zones/ROOT
+++ b/regression-tests.rootzone/zones/ROOT
@@ -11,3 +11,9 @@ org.			172800	IN	NS	a.gtld-servers.net.
 
 a.gtld-servers.net.	172800	IN	A	192.5.6.30
 a.gtld-servers.net.	172800	IN	AAAA	2001:503:a83e:0:0:0:2:30
+
+uk.			86400	IN	DS	43876 8 2 A107ED2AC1BD14D924173BC7E827A1153582072394F9272BA37E2353BC659603
+uk.			172800	IN	NS	nsa.nic.uk.
+nsa.nic.uk.		172800	IN	AAAA	2001:502:ad09::3
+nsa.nic.uk.		172800	IN	A	156.154.100.3
+barney.advsys.co.uk.	172800	IN	A	217.23.160.50

From fd65c85dc9ae30fb8734cf6b5d6a81f6136e1778 Mon Sep 17 00:00:00 2001
From: Kees Monshouwer <mind04@monshouwer.org>
Date: Wed, 27 Mar 2019 00:51:57 +0100
Subject: [PATCH 046/127] auth: fix referral response for DS queries

---
 pdns/packethandler.cc | 29 ++++++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 5 deletions(-)

diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 72888474af8c..40ae41871d56 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -1448,19 +1448,38 @@ DNSPacket *PacketHandler::doQuestion(DNSPacket *p)
       return 0;
     }
 
-    if(rrset.empty()) {
-      DLOG(g_log<<"checking if qtype is DS"<<endl);
-      if(p->qtype.getCode() == QType::DS)
-      {
+
+    // referral for DS query
+    if(p->qtype.getCode() == QType::DS) {
+      DLOG(g_log<<"Qtype is DS"<<endl);
+      bool doReferral = true;
+      if(d_dk.doesDNSSEC()) {
+        for(auto& loopRR: rrset) {
+          if(loopRR.auth) {
+            doReferral = false;
+            break;
+          }
+        }
+      } else {
+        for(auto& loopRR: rrset) {
+          if(loopRR.dr.d_type == QType::DS) {
+            doReferral = false;
+            break;
+          }
+        }
+      }
+      if(doReferral) {
         DLOG(g_log<<"DS query found no direct result, trying referral now"<<endl);
         if(tryReferral(p, r, sd, target, retargetcount))
         {
-          DLOG(g_log<<"got referral for DS query"<<endl);
+          DLOG(g_log<<"Got referral for DS query"<<endl);
           goto sendit;
         }
       }
+    }
 
 
+    if(rrset.empty()) {
       DLOG(g_log<<Logger::Warning<<"Found nothing in the by-name ANY, but let's try wildcards.."<<endl);
       bool wereRetargeted(false), nodata(false);
       DNSName wildcard;

From 475fc44ee8d1fc21bb9fe0beffa5fd5b1799277f Mon Sep 17 00:00:00 2001
From: Otto Moerbeek <otto.moerbeek@open-xchange.com>
Date: Wed, 3 Apr 2019 14:10:22 +0200
Subject: [PATCH 047/127] A way to fix
 https://github.com/PowerDNS/pdns/issues/7646. It might not be the right
 place, though, but it prevents fatal exception on unparseable A (or AAAA)
 addresss for nameserver addresses needed to send notifies.

---
 pdns/communicator.hh | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/pdns/communicator.hh b/pdns/communicator.hh
index 5413e4dacf23..2cb0f70feb3c 100644
--- a/pdns/communicator.hh
+++ b/pdns/communicator.hh
@@ -259,10 +259,25 @@ public:
     
     if(b) {
         b->lookup(QType(QType::ANY),name);
-        DNSZoneRecord rr;
-        while(b->get(rr))
-          if(rr.dr.d_type == QType::A || rr.dr.d_type==QType::AAAA)
-            addresses.push_back(rr.dr.d_content->getZoneRepresentation());   // SOL if you have a CNAME for an NS
+        bool ok;
+        do {
+          DNSZoneRecord rr;
+          try {
+            ok = b->get(rr);
+          }
+          catch (PDNSException &ae) {
+            g_log << Logger::Error << "Skipping record: " << ae.reason << endl;
+            continue;
+          }
+          catch (std::exception &e) {
+            g_log << Logger::Error << "Skipping record: " << e.what() << endl;
+            continue;
+          }
+          if (ok) {
+            if (rr.dr.d_type == QType::A || rr.dr.d_type == QType::AAAA)
+              addresses.push_back(rr.dr.d_content->getZoneRepresentation());   // SOL if you have a CNAME for an NS
+          }
+        } while (ok);
     }
     return addresses;
   }

From cb22b82e6e97374e0eadcc03c56dd8e7f1328bf3 Mon Sep 17 00:00:00 2001
From: Otto Moerbeek <otto.moerbeek@open-xchange.com>
Date: Wed, 3 Apr 2019 16:00:12 +0200
Subject: [PATCH 048/127] Rearrange; to avoid uninitialized var and bail out
 after exception, b might be inconsistent in that case.

---
 pdns/communicator.hh | 37 ++++++++++++++++++-------------------
 1 file changed, 18 insertions(+), 19 deletions(-)

diff --git a/pdns/communicator.hh b/pdns/communicator.hh
index 2cb0f70feb3c..831b2cecf534 100644
--- a/pdns/communicator.hh
+++ b/pdns/communicator.hh
@@ -258,26 +258,25 @@ public:
     this->resolve_name(&addresses, name);
     
     if(b) {
-        b->lookup(QType(QType::ANY),name);
-        bool ok;
-        do {
+      b->lookup(QType(QType::ANY),name);
+      while (true) {
+        try {
           DNSZoneRecord rr;
-          try {
-            ok = b->get(rr);
-          }
-          catch (PDNSException &ae) {
-            g_log << Logger::Error << "Skipping record: " << ae.reason << endl;
-            continue;
-          }
-          catch (std::exception &e) {
-            g_log << Logger::Error << "Skipping record: " << e.what() << endl;
-            continue;
-          }
-          if (ok) {
-            if (rr.dr.d_type == QType::A || rr.dr.d_type == QType::AAAA)
-              addresses.push_back(rr.dr.d_content->getZoneRepresentation());   // SOL if you have a CNAME for an NS
-          }
-        } while (ok);
+          if (!b->get(rr))
+            break;
+          if (rr.dr.d_type == QType::A || rr.dr.d_type == QType::AAAA)
+            addresses.push_back(rr.dr.d_content->getZoneRepresentation());   // SOL if you have a CNAME for an NS
+        }
+        // After an exception, b can be inconsistent so break
+        catch (PDNSException &ae) {
+          g_log << Logger::Error << "Skipping record(s): " << ae.reason << endl;
+          break;
+        }
+        catch (std::exception &e) {
+          g_log << Logger::Error << "Skipping record(s): " << e.what() << endl;
+          break;
+        }
+      }
     }
     return addresses;
   }

From c6e6b0559cfcff8537ee95c4f3d7c02477fd81a3 Mon Sep 17 00:00:00 2001
From: Otto Moerbeek <otto.moerbeek@open-xchange.com>
Date: Wed, 3 Apr 2019 16:24:09 +0200
Subject: [PATCH 049/127] Better logging, so the operator knows where to look.

---
 pdns/communicator.hh       | 6 +++---
 pdns/mastercommunicator.cc | 2 +-
 pdns/tcpreceiver.cc        | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/pdns/communicator.hh b/pdns/communicator.hh
index 831b2cecf534..c63534dc232b 100644
--- a/pdns/communicator.hh
+++ b/pdns/communicator.hh
@@ -251,7 +251,7 @@ private:
 class FindNS
 {
 public:
-  vector<string> lookup(const DNSName &name, UeberBackend *b)
+  vector<string> lookup(const DNSName &name, UeberBackend *b, const DNSName& zone)
   {
     vector<string> addresses;
 
@@ -269,11 +269,11 @@ public:
         }
         // After an exception, b can be inconsistent so break
         catch (PDNSException &ae) {
-          g_log << Logger::Error << "Skipping record(s): " << ae.reason << endl;
+          g_log << Logger::Error << "Could not lookup address for nameserver " << name << " in zone " << zone << ", cannot notify: " << ae.reason << endl;
           break;
         }
         catch (std::exception &e) {
-          g_log << Logger::Error << "Skipping record(s): " << e.what() << endl;
+          g_log << Logger::Error << "Could not lookup address for nameserver " << name << " in zone " << zone << ", cannot notify: " << e.what() << endl;
           break;
         }
       }
diff --git a/pdns/mastercommunicator.cc b/pdns/mastercommunicator.cc
index b5841132cfad..04803474994a 100644
--- a/pdns/mastercommunicator.cc
+++ b/pdns/mastercommunicator.cc
@@ -56,7 +56,7 @@ void CommunicatorClass::queueNotifyDomain(const DomainInfo& di, UeberBackend* B)
       nsset.insert(getRR<NSRecordContent>(rr.dr)->getNS().toString());
 
     for(set<string>::const_iterator j=nsset.begin();j!=nsset.end();++j) {
-      vector<string> nsips=fns.lookup(DNSName(*j), B);
+      vector<string> nsips=fns.lookup(DNSName(*j), B, di.zone);
       if(nsips.empty())
         g_log<<Logger::Warning<<"Unable to queue notification of domain '"<<di.zone<<"': nameservers do not resolve!"<<endl;
       else
diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc
index 706305c87aa7..b227c303671a 100644
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
@@ -493,7 +493,7 @@ bool TCPNameserver::canDoAXFR(shared_ptr<DNSPacket> q)
         while(B->get(rr)) 
           nsset.insert(DNSName(rr.content));
         for(const auto & j: nsset) {
-          vector<string> nsips=fns.lookup(j, s_P->getBackend());
+          vector<string> nsips=fns.lookup(j, s_P->getBackend(),q->qdomain);
           for(vector<string>::const_iterator k=nsips.begin();k!=nsips.end();++k) {
             // cerr<<"got "<<*k<<" from AUTO-NS"<<endl;
             if(*k == q->getRemote().toString())

From 18e5a5ba7281ab7dd0397ec9189ce4fb9749dc35 Mon Sep 17 00:00:00 2001
From: phonedph1 <phoned@gmail.com>
Date: Wed, 3 Apr 2019 18:53:40 +0000
Subject: [PATCH 050/127] start to document the jsonstat

---
 .../docs/http-api/endpoint-jsonstat.rst       | 60 +++++++++++++++++++
 pdns/recursordist/docs/http-api/index.rst     |  1 +
 2 files changed, 61 insertions(+)
 create mode 100644 pdns/recursordist/docs/http-api/endpoint-jsonstat.rst

diff --git a/pdns/recursordist/docs/http-api/endpoint-jsonstat.rst b/pdns/recursordist/docs/http-api/endpoint-jsonstat.rst
new file mode 100644
index 000000000000..088afc168c19
--- /dev/null
+++ b/pdns/recursordist/docs/http-api/endpoint-jsonstat.rst
@@ -0,0 +1,60 @@
+jsonstat endpoint
+=================
+
+.. http:get:: /jsonstat
+
+  Get statistics from recursor in JSON format.
+  The ``Accept`` request header is ignored.
+  This endpoint accepts a ``command`` and ``name`` query for different statistics:
+
+  * ``get-query-ring``: Retrieve statistics from the query subsection. ``name`` can be ``servfail-queries`` or ``queries``.
+  * ``get-remote-ring``: Retrieve statistics from the remotes subsection. ``name`` can be ``remotes``, ``bogus-remotes``, ``large-answer-remotes``, or ``timeouts``.
+
+  **Example request**:
+
+   .. sourcecode:: http
+
+      GET /jsonstat?command=get-query-ring&name=servfail-queries HTTP/1.1
+      Host: example.com
+      Accept: application/json, text/javascript
+
+  **Example request**:
+
+   .. sourcecode:: http
+
+      GET /jsonstat?command=get-query-ring&name=queries HTTP/1.1
+      Host: example.com
+      Accept: application/json, text/javascript
+
+  **Example request**:
+
+   .. sourcecode:: http
+
+      GET /jsonstat?command=get-remote-ring&name=remotes HTTP/1.1
+      Host: example.com
+      Accept: application/json, text/javascript
+
+  **Example request**:
+
+   .. sourcecode:: http
+
+      GET /jsonstat?command=get-remote-ring&name=bogus-remotes HTTP/1.1
+      Host: example.com
+      Accept: application/json, text/javascript
+
+  **Example request**:
+
+   .. sourcecode:: http
+
+      GET /jsonstat?command=get-remote-ring&name=large-answer-remotes HTTP/1.1
+      Host: example.com
+      Accept: application/json, text/javascript
+
+  **Example request**:
+
+   .. sourcecode:: http
+
+      GET /jsonstat?command=get-remote-ring&name=timeouts HTTP/1.1
+      Host: example.com
+      Accept: application/json, text/javascript
+
diff --git a/pdns/recursordist/docs/http-api/index.rst b/pdns/recursordist/docs/http-api/index.rst
index 41e6f6bce121..9fd799638717 100644
--- a/pdns/recursordist/docs/http-api/index.rst
+++ b/pdns/recursordist/docs/http-api/index.rst
@@ -64,3 +64,4 @@ All API endpoints for the PowerDNS Recursor are documented here:
   endpoint-cache
   endpoint-failure
   endpoint-rpz-stats
+  endpoint-jsonstat

From 65ae96092bece0be8122ce922e61f96fbdd02b54 Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Tue, 2 Apr 2019 16:16:25 +0200
Subject: [PATCH 051/127] dumresp: Add TCP support

---
 pdns/dumresp.cc | 160 ++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 134 insertions(+), 26 deletions(-)

diff --git a/pdns/dumresp.cc b/pdns/dumresp.cc
index 8d12c5121f25..354eba7461bb 100644
--- a/pdns/dumresp.cc
+++ b/pdns/dumresp.cc
@@ -30,9 +30,9 @@
 #include <thread>
 StatBag S;
 
-std::atomic<uint64_t>* g_counter;
+static std::atomic<uint64_t>* g_counter;
 
-void printStatus()
+static void printStatus()
 {
   auto prev= g_counter->load();
   for(;;) {
@@ -42,47 +42,151 @@ void printStatus()
   }
 }
 
-void usage() {
-  cerr<<"Syntax: dumresp LOCAL-ADDRESS LOCAL-PORT NUMBER-OF-PROCESSES"<<endl;
+static void usage() {
+  cerr<<"Syntax: dumresp LOCAL-ADDRESS LOCAL-PORT NUMBER-OF-PROCESSES [tcp]"<<endl;
+}
+
+static void turnQueryIntoResponse(dnsheader* dh)
+{
+  (*g_counter)++;
+
+  dh->qr=1;
+  dh->ad=0;
+}
+
+static void tcpConnectionHandler(int sock)
+try
+{
+  char buffer[1500];
+  auto dh = reinterpret_cast<struct dnsheader*>(buffer);
+
+  for (;;) {
+    uint16_t len = 0;
+    ssize_t got = read(sock, &len, sizeof(len));
+
+    if (got == 0) {
+      break;
+    }
+
+    if (got != sizeof(len))
+      unixDie("read 1");
+
+    len = ntohs(len);
+
+    if (len < sizeof(dnsheader))
+      unixDie("too small");
+
+    if (len > sizeof(buffer))
+      unixDie("too large");
+
+    got = read(sock, buffer, len);
+    if (got != len)
+      unixDie("read 2: " + std::to_string(got) + " / " + std::to_string(len));
+
+    if (dh->qr)
+      continue;
+
+    turnQueryIntoResponse(dh);
+
+    uint16_t wirelen = htons(len);
+    if (write(sock, &wirelen, sizeof(wirelen)) != sizeof(wirelen))
+      unixDie("send 1");
+
+    if (write(sock, buffer, len) < 0)
+      unixDie("send 2");
+  }
+
+  close(sock);
+}
+catch(const std::exception& e) {
+  cerr<<"TCP connection handler got an exception: "<<e.what()<<endl;
+}
+
+static void tcpAcceptor(const ComboAddress local)
+{
+  Socket tcpSocket(local.sin4.sin_family, SOCK_STREAM);
+#ifdef SO_REUSEPORT
+  int one=1;
+  if(setsockopt(tcpSocket.getHandle(), SOL_SOCKET, SO_REUSEPORT, &one, sizeof(one)) < 0)
+    unixDie("setsockopt for REUSEPORT");
+#endif
+
+  tcpSocket.bind(local);
+  tcpSocket.listen(1024);
+
+  ComboAddress rem("::1");
+  auto socklen = rem.getSocklen();
+
+  for (;;) {
+    int sock = accept(tcpSocket.getHandle(), reinterpret_cast<struct sockaddr*>(&rem), &socklen);
+    if (sock == -1) {
+        continue;
+    }
+
+    std::thread connectionHandler(tcpConnectionHandler, sock);
+    connectionHandler.detach();
+  }
 }
 
 int main(int argc, char** argv)
 try
 {
+  bool tcp = false;
+
   for(int i = 1; i < argc; i++) {
-    if((string) argv[i] == "--help"){
+    if(std::string(argv[i]) == "--help"){
       usage();
       return(EXIT_SUCCESS);
     }
 
-    if((string) argv[i] == "--version"){
+    if(std::string(argv[i]) == "--version"){
       cerr<<"dumresp "<<VERSION<<endl;
       return(EXIT_SUCCESS);
     }
   }
 
-  if(argc != 4) {
+  if(argc == 5) {
+    if (std::string(argv[4]) == "tcp") {
+      tcp = true;
+    }
+    else {
+      usage();
+      exit(EXIT_FAILURE);
+    }
+  }
+  else if(argc != 4) {
     usage();
     exit(EXIT_FAILURE);
   }
 
-  auto ptr = mmap(NULL, sizeof(std::atomic<uint64_t>), PROT_READ | PROT_WRITE,
+  auto ptr = mmap(nullptr, sizeof(std::atomic<uint64_t>), PROT_READ | PROT_WRITE,
 		  MAP_SHARED | MAP_ANONYMOUS, -1, 0);
 
   g_counter = new(ptr) std::atomic<uint64_t>();
-  
+
+  int numberOfListeners = atoi(argv[3]);
+  ComboAddress local(argv[1], atoi(argv[2]));
+
   int i=1;
-  for(; i < atoi(argv[3]); ++i) {
+  for(; i < numberOfListeners; ++i) {
     if(!fork())
       break;
   }
-  if(i==1) {
+
+  if (i==1) {
     std::thread t(printStatus);
     t.detach();
+
+    if (tcp) {
+      for (int j = 0; j < numberOfListeners; j++) {
+        cout<<"Listening to TCP "<<local.toStringWithPort()<<endl;
+        std::thread tcpAcceptorThread(tcpAcceptor, local);
+        tcpAcceptorThread.detach();
+      }
+    }
   }
-  
-  ComboAddress local(argv[1], atoi(argv[2]));
-  Socket s(local.sin4.sin_family, SOCK_DGRAM);  
+
+  Socket s(local.sin4.sin_family, SOCK_DGRAM);
 #ifdef SO_REUSEPORT
   int one=1;
   if(setsockopt(s.getHandle(), SOL_SOCKET, SO_REUSEPORT, &one, sizeof(one)) < 0)
@@ -90,28 +194,32 @@ try
 #endif
 
   s.bind(local);
-  cout<<"Bound to "<<local.toStringWithPort()<<endl;
-  char buffer[1500];
-  struct dnsheader* dh = (struct dnsheader*)buffer;
-  int len;
-  ComboAddress rem=local;
+  cout<<"Bound to UDP "<<local.toStringWithPort()<<endl;
+
+  ComboAddress rem = local;
   socklen_t socklen = rem.getSocklen();
+  char buffer[1500];
+  auto dh = reinterpret_cast<struct dnsheader*>(buffer);
+
   for(;;) {
-    len=recvfrom(s.getHandle(), buffer, sizeof(buffer), 0, (struct sockaddr*)&rem, &socklen);
-    (*g_counter)++;
+    uint16_t len = recvfrom(s.getHandle(), buffer, sizeof(buffer), 0, reinterpret_cast<struct sockaddr*>(&rem), &socklen);
+
     if(len < 0)
       unixDie("recvfrom");
 
+    if (len < sizeof(dnsheader))
+      unixDie("too small " + std::to_string(len));
+
     if(dh->qr)
       continue;
-    dh->qr=1;
-    dh->ad=0;
-    if(sendto(s.getHandle(), buffer, len, 0,  (struct sockaddr*)&rem, socklen) < 0)
-      unixDie("sendto");
 
+    turnQueryIntoResponse(dh);
+
+    if(sendto(s.getHandle(), buffer, len, 0,  reinterpret_cast<const struct sockaddr*>(&rem), socklen) < 0)
+      unixDie("sendto");
   }
 }
-catch(std::exception& e)
+catch(const std::exception& e)
 {
   cerr<<"Fatal error: "<<e.what()<<endl;
   exit(EXIT_FAILURE);

From 0a3614bf7659b956863c0dc72383b0895d0cd5ab Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Fri, 5 Apr 2019 14:37:19 +0200
Subject: [PATCH 052/127] dumresp: Document the new 'tcp' option

---
 docs/manpages/dumresp.1.rst | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/docs/manpages/dumresp.1.rst b/docs/manpages/dumresp.1.rst
index 510d33828331..8a836a404086 100644
--- a/docs/manpages/dumresp.1.rst
+++ b/docs/manpages/dumresp.1.rst
@@ -4,7 +4,7 @@ dumresp
 Synopsis
 --------
 
-**dumresp** *LOCAL-ADDRESS* *LOCAL-PORT* *NUMBER-OF-PROCESSES*
+**dumresp** *LOCAL-ADDRESS* *LOCAL-PORT* *NUMBER-OF-PROCESSES* [tcp]
 
 Description
 -----------
@@ -18,7 +18,8 @@ the port.
 Options
 -------
 
-None
+tcp: Whether to listen and accept TCP connections in addition to
+UDP packets. Defaults to false.
 
 See also
 --------

From 982e54af4a2decd6f1606ce4e0f3aa783cccbf3f Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:25:21 +0200
Subject: [PATCH 053/127] docs: Improve "BIND-mode operation" for DNSSEC

Also:
* Mention that not just keys are part of this database, but also DNSSEC
  domain metadata.
* Link to the pdns.conf setting.
---
 docs/dnssec/modes-of-operation.rst | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/docs/dnssec/modes-of-operation.rst b/docs/dnssec/modes-of-operation.rst
index f6679dafbd3f..25525eb05453 100644
--- a/docs/dnssec/modes-of-operation.rst
+++ b/docs/dnssec/modes-of-operation.rst
@@ -162,13 +162,14 @@ The signing and hashing algorithms are described in :ref:`dnssec-online-signing`
 BIND-mode operation
 -------------------
 
-The :doc:`bindbackend <../backends/bind>` can manage keys in an
-SQLite3 database without launching a separate gsqlite3 backend.
-
-To use this mode, add
-``bind-dnssec-db=/var/db/bind-dnssec-db.sqlite3`` to pdns.conf, and run
-``pdnsutil create-bind-db /var/db/bind-dnssec-db.sqlite3``. Then,
-restart PowerDNS.
+The :doc:`bindbackend <../backends/bind>` can manage keys and other
+DNSSEC-related :doc:`domain metadata <../domainmetadata>` in an SQLite3
+database without launching a separate gsqlite3 backend.
+
+To use this mode, run
+``pdnsutil create-bind-db /var/db/bind-dnssec-db.sqlite3`` and set
+:ref:`setting-bind-dnssec-db` in pdns.conf to the path of the created
+database. Then, restart PowerDNS.
 
 .. note::
   This SQLite database is different from the database used for the regular :doc:`SQLite 3 backend <../backends/generic-sqlite3>`.

From 14b74d7a4b5b00d195e5642979571d8c997d04da Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:25:21 +0200
Subject: [PATCH 054/127] docs: align meta-data -> metadata

This occurrence was the only one spelled like 'meta-data', all others are
spelled as 'metadata'.
---
 docs/index.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/index.rst b/docs/index.rst
index f288312e4911..ca5a8e7dd872 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -6,7 +6,7 @@ supports a large number of backends. These backends can either be plain
 zone files or be more dynamic in nature.
 
 PowerDNS has the concepts of 'backends'. A backend is a datastore that
-the server will consult that contains DNS records (and some meta-data).
+the server will consult that contains DNS records (and some metadata).
 The backends range from database backends (:doc:`MySQL <backends/generic-mysql>`, :doc:`PostgreSQL <backends/generic-postgresql>`, :doc:`Oracle <backends/oracle>`)
 and :doc:`Bind-zonefiles <backends/bind>` to :doc:`co-processes <backends/pipe>` and :doc:`JSON API's <backends/remote>`.
 

From f404c4c680c20e6455e1e9b5b72f3e7a14a67920 Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:25:21 +0200
Subject: [PATCH 055/127] docs: remove unintentional blockquotes in HTML

Having leading spaces in either:
* Lists
* RST directives, such as
  .. toctree::

will lead to the listing being wrapped in an HTML <blockquote> element with
also the styling as such. This is probably unintentional and at least
inconsistent with other occurrences.
---
 docs/backends/lua.rst                       | 20 ++++-----
 docs/backends/remote.rst                    |  6 +--
 docs/changelog/4.1.rst                      |  2 +-
 docs/common/security-policy.rst             |  7 ++--
 docs/index.rst                              | 12 +++---
 docs/lua-records/functions.rst              | 46 ++++++++++-----------
 docs/lua-records/index.rst                  |  2 +-
 docs/lua-records/reference/comboaddress.rst | 16 +++----
 docs/lua-records/reference/index.rst        |  2 +-
 docs/lua-records/reference/misc.rst         | 20 ++++-----
 docs/modes-of-operation.rst                 | 12 +++---
 docs/running.rst                            |  2 +-
 12 files changed, 73 insertions(+), 74 deletions(-)

diff --git a/docs/backends/lua.rst b/docs/backends/lua.rst
index aef67350c5ed..610f3f5c64bb 100644
--- a/docs/backends/lua.rst
+++ b/docs/backends/lua.rst
@@ -47,16 +47,16 @@ There is a couple of new functions for you to use in Lua:
 
 All these ``log_facilities`` is available: 
 
- * ``log_all`` 
- * ``log_ntlog`` 
- * ``log_alert`` 
- * ``log_critical`` 
- * ``log_error`` 
- * ``log_warning`` 
- * ``log_notice,`` 
- * ``log_info`` 
- * ``log_debug`` 
- * ``log_none``
+* ``log_all``
+* ``log_ntlog``
+* ``log_alert``
+* ``log_critical``
+* ``log_error``
+* ``log_warning``
+* ``log_notice,``
+* ``log_info``
+* ``log_debug``
+* ``log_none``
 
 ``dnspacket()``
 ~~~~~~~~~~~~~~~
diff --git a/docs/backends/remote.rst b/docs/backends/remote.rst
index 61d794ca3403..6a54b933d01d 100644
--- a/docs/backends/remote.rst
+++ b/docs/backends/remote.rst
@@ -326,9 +326,9 @@ Returns the value(s) for variable kind for zone name. You **must**
 always return something, if there are no values, you shall return empty
 set or false.
 
- *  Mandatory: No
- *  Parameters: name
- *  Reply: hash of key to array of strings
+*  Mandatory: No
+*  Parameters: name
+*  Reply: hash of key to array of strings
 
 Example JSON/RPC
 ''''''''''''''''
diff --git a/docs/changelog/4.1.rst b/docs/changelog/4.1.rst
index 0b37c2614c98..94cfe8f649bb 100644
--- a/docs/changelog/4.1.rst
+++ b/docs/changelog/4.1.rst
@@ -922,7 +922,7 @@ Changelogs for 4.1.x
     :tags: Tools, Improvements
     :pullreq: 4584
 
-     Allow setting the account of a zone via pdnsutil (Tuxis Internet Engineering).
+    Allow setting the account of a zone via pdnsutil (Tuxis Internet Engineering).
 
   .. change::
     :tags: Internals, New Features
diff --git a/docs/common/security-policy.rst b/docs/common/security-policy.rst
index 4c2b36460940..6114a3656080 100644
--- a/docs/common/security-policy.rst
+++ b/docs/common/security-policy.rst
@@ -19,7 +19,6 @@ Do note that only the PowerDNS software is in scope for the HackerOne program, n
 
 Disclosure Policy
 ^^^^^^^^^^^^^^^^^
- - Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- - Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- - We will always credit researchers in our :doc:`../security-advisories/index`.
-
+- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
+- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
+- We will always credit researchers in our :doc:`../security-advisories/index`.
diff --git a/docs/index.rst b/docs/index.rst
index ca5a8e7dd872..7ad7ee8dac53 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -20,9 +20,9 @@ This documentation is also available as a `PDF document <PowerDNS-Authoritative.
 Getting Started
 ---------------
 
- * :doc:`Install the Authoritative Server <installation>`
- * :doc:`Configure the Server <settings>`
- * :doc:`Configure the backend(s) <backends/index>`
+* :doc:`Install the Authoritative Server <installation>`
+* :doc:`Configure the Server <settings>`
+* :doc:`Configure the backend(s) <backends/index>`
 
 Getting Support
 ---------------
@@ -31,9 +31,9 @@ You may also help others (please do).
 
 Public support is available via several different channels:
 
-  * This documentation
-  * `The mailing list <https://www.powerdns.com/mailing-lists.html>`_
-  * ``#powerdns`` on `irc.oftc.net <irc://irc.oftc.net/#powerdns>`_
+* This documentation
+* `The mailing list <https://www.powerdns.com/mailing-lists.html>`_
+* ``#powerdns`` on `irc.oftc.net <irc://irc.oftc.net/#powerdns>`_
 
 The PowerDNS company can provide help or support you in private as well.
 For first class and rapid support, please contact powerdns.support@powerdns.com, or see the `.com website <https://www.powerdns.com/support-services-consulting.html>`__.
diff --git a/docs/lua-records/functions.rst b/docs/lua-records/functions.rst
index d180c76b5230..3b30327dab42 100644
--- a/docs/lua-records/functions.rst
+++ b/docs/lua-records/functions.rst
@@ -188,17 +188,17 @@ Reverse DNS functions
   
   **Formatting options:**
 
-    - ``%1%`` to ``%4%`` are individual octets
-        - Example record query: ``1.0.0.127.in-addr.arpa`` 
-        - ``%1%`` = 127
-        - ``%2%`` = 0
-        - ``%3%`` = 0
-        - ``%4%`` = 1
-    - ``%5%`` joins the four decimal octets together with dashes
-        - Example: ``%5%.static.example.com`` is equivalent to ``%1%-%2%-%3%-%4%.static.example.com``
-    - ``%6%`` converts each octet from decimal to hexadecimal and joins them together
-        - Example: A query for ``15.0.0.127.in-addr.arpa`` 
-        - ``%6`` would be ``7f00000f`` (127 is 7f, and 15 is 0f in hexadecimal)
+  - ``%1%`` to ``%4%`` are individual octets
+      - Example record query: ``1.0.0.127.in-addr.arpa``
+      - ``%1%`` = 127
+      - ``%2%`` = 0
+      - ``%3%`` = 0
+      - ``%4%`` = 1
+  - ``%5%`` joins the four decimal octets together with dashes
+      - Example: ``%5%.static.example.com`` is equivalent to ``%1%-%2%-%3%-%4%.static.example.com``
+  - ``%6%`` converts each octet from decimal to hexadecimal and joins them together
+      - Example: A query for ``15.0.0.127.in-addr.arpa``
+      - ``%6`` would be ``7f00000f`` (127 is 7f, and 15 is 0f in hexadecimal)
 
   **NOTE:** At the current time, only forward dotted format works with :func:`createForward` (i.e. ``127.0.0.1.static.example.com``)
   
@@ -255,18 +255,18 @@ Reverse DNS functions
   
   Formatting options:
    
-    - ``%1%`` to ``%32%`` are individual characters (nibbles)
-        - **Example PTR record query:** ``a.0.0.0.1.0.0.2.ip6.arpa``
-        - ``%1%`` = 2
-        - ``%2%`` = 0
-        - ``%3%`` = 0
-        - ``%4%`` = 1
-    - ``%33%`` converts the compressed address format into a dashed format, e.g. ``2001:a::1`` to ``2001-a--1``
-    - ``%34%`` to ``%41%`` represent the 8 uncompressed 2-byte chunks
-        - **Example:** PTR query for ``2001:a:b::123``
-        - ``%34%`` - returns ``2001`` (chunk 1)
-        - ``%35%`` - returns ``000a`` (chunk 2)
-        - ``%41%`` - returns ``0123`` (chunk 8)
+  - ``%1%`` to ``%32%`` are individual characters (nibbles)
+      - **Example PTR record query:** ``a.0.0.0.1.0.0.2.ip6.arpa``
+      - ``%1%`` = 2
+      - ``%2%`` = 0
+      - ``%3%`` = 0
+      - ``%4%`` = 1
+  - ``%33%`` converts the compressed address format into a dashed format, e.g. ``2001:a::1`` to ``2001-a--1``
+  - ``%34%`` to ``%41%`` represent the 8 uncompressed 2-byte chunks
+      - **Example:** PTR query for ``2001:a:b::123``
+      - ``%34%`` - returns ``2001`` (chunk 1)
+      - ``%35%`` - returns ``000a`` (chunk 2)
+      - ``%41%`` - returns ``0123`` (chunk 8)
   
   **NOTE:** At the current time, only dashed compressed format works for this function (i.e. ``2001-a-b--1.static6.example.com``)
   
diff --git a/docs/lua-records/index.rst b/docs/lua-records/index.rst
index 3c2a9b0864ac..d44dbe1a0b03 100644
--- a/docs/lua-records/index.rst
+++ b/docs/lua-records/index.rst
@@ -200,7 +200,7 @@ explicitly, either globally (``enable-lua-records``) or per zone
 Reference
 ---------
 
- .. toctree::
+.. toctree::
   :maxdepth: 2
 
   functions
diff --git a/docs/lua-records/reference/comboaddress.rst b/docs/lua-records/reference/comboaddress.rst
index 56156e269769..7d79eeec03a2 100644
--- a/docs/lua-records/reference/comboaddress.rst
+++ b/docs/lua-records/reference/comboaddress.rst
@@ -73,14 +73,14 @@ ComboAddressSet objects
 We provide a convenient object class that can store unique ComboAddresses in no particular
 order and allows fast retrieval of individual elements based on their values
 
-  .. code-block:: lua
-
-    addr = newCA("1.2.3.4")
-    myset = newCAS()
-    myset:add(addr)
-    if myset:check(addr) then -- prints "found!"
-      print('found!')
-    end
+.. code-block:: lua
+
+  addr = newCA("1.2.3.4")
+  myset = newCAS()
+  myset:add(addr)
+  if myset:check(addr) then -- prints "found!"
+    print('found!')
+  end
 
 Functions and methods of a ``ComboAddressSet``
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/docs/lua-records/reference/index.rst b/docs/lua-records/reference/index.rst
index dbf23422a453..2ab827e1d879 100644
--- a/docs/lua-records/reference/index.rst
+++ b/docs/lua-records/reference/index.rst
@@ -1,7 +1,7 @@
 LUA Reference
 -------------
 
- .. toctree::
+.. toctree::
   :maxdepth: 2
 
   comboaddress
diff --git a/docs/lua-records/reference/misc.rst b/docs/lua-records/reference/misc.rst
index 89e1f0f6ec52..c9f28d7f5b36 100644
--- a/docs/lua-records/reference/misc.rst
+++ b/docs/lua-records/reference/misc.rst
@@ -10,16 +10,16 @@ Other functions
   :param string message: The message to log
   :param int loglevel: The urgency level of the message. Defaults to `pdns.loglevels.Warning`
 
- You can use the following constants as log levels :
-
-   - `pdns.loglevels.Alert`
-   - `pdns.loglevels.Critical`
-   - `pdns.loglevels.Debug`
-   - `pdns.loglevels.Emergency`
-   - `pdns.loglevels.Info`
-   - `pdns.loglevels.Notice`
-   - `pdns.loglevels.Warning`
-   - `pdns.loglevels.Error`
+  You can use the following constants as log levels :
+
+  - `pdns.loglevels.Alert`
+  - `pdns.loglevels.Critical`
+  - `pdns.loglevels.Debug`
+  - `pdns.loglevels.Emergency`
+  - `pdns.loglevels.Info`
+  - `pdns.loglevels.Notice`
+  - `pdns.loglevels.Warning`
+  - `pdns.loglevels.Error`
 
 .. function:: pdnsrandom([maximum])
 
diff --git a/docs/modes-of-operation.rst b/docs/modes-of-operation.rst
index bf76cf28e970..15af055bedcc 100644
--- a/docs/modes-of-operation.rst
+++ b/docs/modes-of-operation.rst
@@ -201,12 +201,12 @@ itself as a slave for that zone.
 Before a supermaster notification succeeds, the following conditions
 must be met:
 
- - :ref:`setting-supermaster` support must be enabled
- - The supermaster must carry a SOA record for the notified domain
- - The supermaster IP must be present in the 'supermaster' table
- - The set of NS records for the domain, as retrieved by the slave from the supermaster, must include the name that goes with the IP address in the supermaster table
- - If your master sends signed NOTIFY it will mark that TSIG key as the TSIG key used for retrieval as well
- - If you turn off :ref:`setting-allow-unsigned-supermaster`, then your supermaster(s) are required to sign their notifications.
+- :ref:`setting-supermaster` support must be enabled
+- The supermaster must carry a SOA record for the notified domain
+- The supermaster IP must be present in the 'supermaster' table
+- The set of NS records for the domain, as retrieved by the slave from the supermaster, must include the name that goes with the IP address in the supermaster table
+- If your master sends signed NOTIFY it will mark that TSIG key as the TSIG key used for retrieval as well
+- If you turn off :ref:`setting-allow-unsigned-supermaster`, then your supermaster(s) are required to sign their notifications.
 
 .. warning::
   If you use another PowerDNS server as master and have
diff --git a/docs/running.rst b/docs/running.rst
index 42b1ed8322a5..9900b9673662 100644
--- a/docs/running.rst
+++ b/docs/running.rst
@@ -138,7 +138,7 @@ commands:
 -  ``mrtg``: Dump statistics in mrtg format. See the performance
    :ref:`counters` documentation.
 
- .. note::
+.. note::
   Packages provided by Operating System vendors might support
   different or less commands.
 

From c21bf56cf55c94e1c000bbe160e270fcc11b4e23 Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:25:21 +0200
Subject: [PATCH 056/127] docs: fix formatting of 'PKCS#11 support' page

Also:
* slightly reword some things where necessary
* Ubuntu 12.nothing/14.nothing do not exist, added assumed '.04'.
---
 docs/dnssec/pkcs11.rst | 175 ++++++++++++++++++-----------------------
 1 file changed, 77 insertions(+), 98 deletions(-)

diff --git a/docs/dnssec/pkcs11.rst b/docs/dnssec/pkcs11.rst
index 89f77246bc02..2325d0955377 100644
--- a/docs/dnssec/pkcs11.rst
+++ b/docs/dnssec/pkcs11.rst
@@ -27,38 +27,32 @@ To test this feature, a software HSM can be used. It is **not
 recommended** to use this in production.
 
 Instructions on how to setup SoftHSM to work with the feature after
-compilation on ubuntu/debian (tested with Ubuntu 12 and 14). -
-``apt-get install softhsm p11-kit opensc`` - create directory
-/etc/pkcs11/modules - Add file called 'softhsm' there with (on newer
-versions, use softhsm.module)
-``module: /home/cmouse/softhsm/lib/softhsm/libsofthsm.so     managed: yes``
-- Verify it works: ``p11-kit -l`` - Create at least two tokens (ksk and
-zsk) with (slot-number starts from 0)
+compilation on Ubuntu/Debian (tested with Ubuntu 12.04 and 14.04).
 
-::
+- ``apt-get install softhsm p11-kit opensc``
+- create directory ``/etc/pkcs11/modules``
+- create a file ``softhsm`` (``softhsm.module`` on newer versions),
+  with contents:::
 
-    ```
-    sudo softhsm --init-token --slot slot-number --label zone-ksk|zone-zsk --pin some-pin --so-pin another-pin
-    ```
-
--  Using pkcs11-tool, initialize your new keys.
+    module: /home/cmouse/softhsm/lib/softhsm/libsofthsm.so     managed: yes
 
-   ::
+- Verify that it works: ``p11-kit -l``
+- Create at least two tokens (ksk and zsk) with (slot-number starts from 0)::
 
-       sudo pkcs11-tool --module=/home/cmouse/softhsm/lib/softhsm/libsofthsm.so -l -p some-pin -k --key-type RSA:2048 -a zone-ksk|zone-zsk --slot-index slot-number
+    sudo softhsm --init-token --slot slot-number --label zone-ksk|zone-zsk --pin some-pin --so-pin another-pin
 
--  Assign the keys using (note that token label is not necessarily same
-   as object label, see p11-kit -l)
+-  Using pkcs11-tool, initialize your new keys.::
 
-   ::
+    sudo pkcs11-tool --module=/home/cmouse/softhsm/lib/softhsm/libsofthsm.so -l -p some-pin -k --key-type RSA:2048 -a zone-ksk|zone-zsk --slot-index slot-number
 
-       pdnsutil hsm assign zone rsasha256 ksk|zsk softhsm token-label pin zone-ksk|zsk
+-  Assign the keys using (note that token label is not necessarily same
+   as object label, see p11-kit -l)::
 
--  Verify that everything worked, you should see valid data there
+    pdnsutil hsm assign zone rsasha256 ksk|zsk softhsm token-label pin zone-ksk|zsk
 
-   ::
+-  Verify that everything worked, you should see valid data there::
 
-       pdnsutil show-zone zone
+    pdnsutil show-zone zone
 
 -  SoftHSM signatures are fast enough to be used in live environment.
 
@@ -66,84 +60,69 @@ Using CryptAS
 -------------
 
 Instructions on how to use CryptAS
-```Athena IDProtect Key USB Token V2J`` <http://www.cryptoshop.com/products/smartcards/idprotect-key-j-laser.html>`__
-Smart Card token on Ubuntu 14. - install the manufacturer\`s support
-software on your system and initialize the Smart Card token as per
-instructions (do not use PIV). - apt-get install p11-kit opensc - create
-directory /etc/pkcs11/modules - Add file called 'athena.module' with
-content
+`Athena IDProtect Key USB Token V2J <http://www.cryptoshop.com/products/smartcards/idprotect-key-j-laser.html>`_
+Smart Card token on Ubuntu 14.04.
 
-::
+- Install the manufacturer's support software on your system and initialize
+  the Smart Card token as per instructions (do not use PIV).
+- ``apt-get install p11-kit opensc``
+- Create directory ``/etc/pkcs11/modules``.
+- Create file named ``athena.module`` with contents::
 
-    ```
     module: /lib64/libASEP11.so
     managed: yes
-    ```
-
--  Verify it worked, it should resemble output below. do not continue if
-   this does not show up.
-
-   ::
-
-       $ p11-kit -l
-       athena: /lib64/libASEP11.so
-           library-description: ASE Cryptoki
-           library-manufacturer: Athena Smartcard Solutions
-           library-version: 3.1
-           token: IDProtect#0A50123456789
-               manufacturer: Athena Smartcard Solutions
-               model: IDProtect
-               serial-number: 0A50123456789
-               hardware-version: 1.0
-               firmware-version: 1.0
-               flags:
-                      rng
-                      login-required
-                      user-pin-initialized
-                      token-initialized
-
--  Using pkcs11-tool, initialize your new keys. After this IDProtect
-   Manager no longer can show your token certificates and keys, at least
-   on version v6.23.04.
-
-   ::
-
-       pkcs11-tool --module=/home/cmouse/softhsm/lib/softhsm/libsofthsm.so -l -p some-pin -k --key-type RSA:2048 -a zone-ksk
-       pkcs11-tool --module=/home/cmouse/softhsm/lib/softhsm/libsofthsm.so -l -p some-pin -k --key-type RSA:2048 -a zone-zsk
-
--  Verify that keys are there.
-
-   ::
-
-       $ pkcs11-tool --module=/lib64/libASEP11.so -l -p some-pin -O
-       Using slot 0 with a present token (0x0)
-       Public Key Object; RSA 2048 bits
-         label:      zone-ksk
-         Usage:      encrypt, verify, wrap
-       Public Key Object; RSA 2048 bits
-         label:      zone-zsk
-         Usage:      encrypt, verify, wrap
-       Private Key Object; RSA
-         label:      zone-ksk
-         Usage:      decrypt, sign, unwrap
-       Private Key Object; RSA
-         label:      zone-zsk
-         Usage:      decrypt, sign, unwrap
-
--  Assign the keys using
-
-   ::
-
-       pdnsutil hsm assign zone rsasha256 ksk|zsk athena IDProtect#0A50123456789 pin zone-ksk|zsk
-
--  Verify that everything worked, you should see valid data there.
-
-   ::
-
-       pdnsutil show-zone zone
-
--  Note that the physical token is pretty slow, so you have to use it as
-   hidden master. It has been observed to produce about
-   1.5signatures/second.
-
 
+- Verify it worked, it should resemble output below. Do not continue if
+  this does not show up. ::
+
+    $ p11-kit -l
+    athena: /lib64/libASEP11.so
+        library-description: ASE Cryptoki
+        library-manufacturer: Athena Smartcard Solutions
+        library-version: 3.1
+        token: IDProtect#0A50123456789
+            manufacturer: Athena Smartcard Solutions
+            model: IDProtect
+            serial-number: 0A50123456789
+            hardware-version: 1.0
+            firmware-version: 1.0
+            flags:
+                  rng
+                  login-required
+                  user-pin-initialized
+                  token-initialized
+
+- Using pkcs11-tool, initialize your new keys. After this IDProtect
+  Manager no longer can show your token certificates and keys, at least
+  on version v6.23.04. ::
+
+    pkcs11-tool --module=/home/cmouse/softhsm/lib/softhsm/libsofthsm.so -l -p some-pin -k --key-type RSA:2048 -a zone-ksk
+    pkcs11-tool --module=/home/cmouse/softhsm/lib/softhsm/libsofthsm.so -l -p some-pin -k --key-type RSA:2048 -a zone-zsk
+
+- Verify that keys are there::
+
+    $ pkcs11-tool --module=/lib64/libASEP11.so -l -p some-pin -O
+    Using slot 0 with a present token (0x0)
+    Public Key Object; RSA 2048 bits
+      label:      zone-ksk
+      Usage:      encrypt, verify, wrap
+    Public Key Object; RSA 2048 bits
+      label:      zone-zsk
+      Usage:      encrypt, verify, wrap
+    Private Key Object; RSA
+      label:      zone-ksk
+      Usage:      decrypt, sign, unwrap
+    Private Key Object; RSA
+      label:      zone-zsk
+      Usage:      decrypt, sign, unwrap
+
+- Assign the keys using::
+
+    pdnsutil hsm assign zone rsasha256 ksk|zsk athena IDProtect#0A50123456789 pin zone-ksk|zsk
+
+- Verify that everything worked, you should see valid data there. ::
+
+    pdnsutil show-zone zone
+
+- Note that the physical token is pretty slow, so you have to use it as
+  hidden master. It has been observed to produce about 1.5 signatures/second.

From 69e1e56a881295b2c51121dee14e0a422452932c Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:25:21 +0200
Subject: [PATCH 057/127] docs: Add 'hidden master' approach in DNSSEC security

This approach is referred to in the public domain as well as once in the
PowerDNS changelog, but not described in any way before this change.
---
 docs/dnssec/modes-of-operation.rst |  7 +++++--
 docs/dnssec/operational.rst        | 10 ++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/docs/dnssec/modes-of-operation.rst b/docs/dnssec/modes-of-operation.rst
index 25525eb05453..a92abbaf956a 100644
--- a/docs/dnssec/modes-of-operation.rst
+++ b/docs/dnssec/modes-of-operation.rst
@@ -122,12 +122,15 @@ PowerDNS also serves the DNSKEY records in live-signing mode. Their TTL
 is derived from the SOA records *minimum* field. When using NSEC3, the
 TTL of the NSEC3PARAM record is also derived from that field.
 
+.. _dnssec_presigned_records:
+
 Pre-signed records
 ------------------
 
 In this mode, PowerDNS serves zones that already contain DNSSEC records.
-Such zones can either be slaved from a remote master, or can be signed
-using tools like OpenDNSSEC, ldns-signzone, and dnssec-signzone.
+Such zones can either be slaved from a remote master in online signing
+mode, or can be pre-signed using tools like OpenDNSSEC, ldns-signzone,
+and dnssec-signzone.
 
 Even in this mode, PowerDNS will synthesize NSEC(3) records itself
 because of its architecture. RRSIGs of these NSEC(3) will still need to
diff --git a/docs/dnssec/operational.rst b/docs/dnssec/operational.rst
index a0687bcfc646..f3cfce1ce7db 100644
--- a/docs/dnssec/operational.rst
+++ b/docs/dnssec/operational.rst
@@ -203,6 +203,16 @@ In some settings, having such (private) keying material available online
 is considered undesirable. In this case, consider running in pre-signed
 mode.
 
+A slightly more complex approach is running a *hidden* master in simple
+online signing mode, but on a highly secured system unreachable for the
+public. Internet-connected slaves can then transfer the zones pre-signed
+from this master over a secure private network. This topology offers
+substantial security benefits with regards to key material while
+maintaining ease of daily operation by PowerDNS's features in online
+mode.
+
+See also :ref:`dnssec_presigned_records`.
+
 Performance
 -----------
 

From 633489be02df94ece6e837cbdcb984ee0ddcd343 Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:25:21 +0200
Subject: [PATCH 058/127] docs: Fix formatting of some code blocks

---
 docs/appendices/backend-writers-guide.rst     |   4 +-
 docs/backends/generic-mysql.rst               |   1 +
 docs/backends/generic-odbc.rst                |   3 +-
 docs/backends/generic-oracle.rst              |   1 +
 docs/backends/generic-postgresql.rst          |   1 +
 docs/backends/generic-sql.rst                 |  20 ++-
 docs/backends/generic-sqlite3.rst             |   7 +-
 docs/backends/ldap.rst                        |  10 +-
 docs/backends/lua.rst                         |  12 +-
 docs/backends/opendbx.rst                     |  22 +--
 docs/backends/oracle.rst                      |  60 +++----
 docs/backends/remote.rst                      | 150 +++++++++---------
 docs/changelog/pre-4.0.rst                    |   4 +-
 docs/dnssec/index.rst                         |   2 +-
 docs/dnssec/migration.rst                     |   8 +-
 docs/dnssec/operational.rst                   |   8 +-
 docs/dnsupdate.rst                            |  22 +--
 docs/domainmetadata.rst                       |  12 +-
 docs/guides/alias.rst                         |   2 +-
 docs/guides/basic-database.rst                |   7 +-
 docs/guides/kskroll.rst                       |   6 +-
 docs/guides/recursion.rst                     |  10 +-
 docs/guides/virtual-instances.rst             |   4 +-
 docs/guides/zskroll.rst                       |   6 +-
 docs/installation.rst                         |  14 +-
 docs/migration.rst                            |   8 +-
 docs/modes-of-operation.rst                   |   4 +-
 .../powerdns-advisory-2012-01.rst             |   4 +-
 docs/settings.rst                             |   8 +-
 docs/tsig.rst                                 |  14 +-
 30 files changed, 220 insertions(+), 214 deletions(-)

diff --git a/docs/appendices/backend-writers-guide.rst b/docs/appendices/backend-writers-guide.rst
index 4766771f77d6..d47a35dc1841 100644
--- a/docs/appendices/backend-writers-guide.rst
+++ b/docs/appendices/backend-writers-guide.rst
@@ -643,9 +643,9 @@ Supermaster/Superslave capability
 A backend that wants to act as a 'superslave' for a master should
 implement the following method:
 
-::
+.. code-block:: cpp
 
-                class DNSBackend 
+                class DNSBackend
                 {
                    virtual bool superMasterBackend(const string &ip, const string &domain, const vector<DNSResourceRecord>&nsset, string *account, DNSBackend **db)
                 };
diff --git a/docs/backends/generic-mysql.rst b/docs/backends/generic-mysql.rst
index edc0ed9580f8..0e125ea7c1ad 100644
--- a/docs/backends/generic-mysql.rst
+++ b/docs/backends/generic-mysql.rst
@@ -33,6 +33,7 @@ material, and other information upon deletion of a domain from the
 domains table. The following SQL does the job:
 
 .. literalinclude:: ../../modules/gmysqlbackend/enable-foreign-keys.mysql.sql
+   :language: SQL
 
 Using MySQL replication
 -----------------------
diff --git a/docs/backends/generic-odbc.rst b/docs/backends/generic-odbc.rst
index 69fa1b5f43a8..6c6b3997a773 100644
--- a/docs/backends/generic-odbc.rst
+++ b/docs/backends/generic-odbc.rst
@@ -114,6 +114,7 @@ This schema can also be found in the PowerDNS source as
 This is the schema for 4.2. For 4.1, please find `the 4.1 schema on GitHub <https://github.com/PowerDNS/pdns/blob/rel/auth-4.1.x/modules/godbcbackend/schema.mssql.sql>`_.
 
 .. literalinclude:: ../../modules/godbcbackend/schema.mssql.sql
+   :language: SQL
 
 Load this into the database as follows:
 
@@ -133,7 +134,7 @@ Configuring PowerDNS
 
 Add the options required to your ``pdns.conf``:
 
-::
+.. code-block:: ini
 
     launch=godbc
     godbc-datasource=pdns1
diff --git a/docs/backends/generic-oracle.rst b/docs/backends/generic-oracle.rst
index 31f08c2e2fd4..59fa2e74cadf 100644
--- a/docs/backends/generic-oracle.rst
+++ b/docs/backends/generic-oracle.rst
@@ -27,6 +27,7 @@ need or want to add ``namespace`` statements.
 Below, you will find the schema for 4.2. If you are using 4.1 or earlier, please find `the 4.1 schema on GitHub <https://github.com/PowerDNS/pdns/blob/rel/auth-4.1.x/modules/goraclebackend/schema.goracle.sql>`_.
 
 .. literalinclude:: ../../modules/goraclebackend/schema.goracle.sql
+   :language: SQL
 
 This schema contains all elements needed for master, slave and
 superslave operation.
diff --git a/docs/backends/generic-postgresql.rst b/docs/backends/generic-postgresql.rst
index 824233413d12..41738ec9ca55 100644
--- a/docs/backends/generic-postgresql.rst
+++ b/docs/backends/generic-postgresql.rst
@@ -97,3 +97,4 @@ Default schema
 This is the 4.2 schema. Please find `the 4.1 schema on GitHub <https://github.com/PowerDNS/pdns/blob/rel/auth-4.1.x/modules/gpgsqlbackend/schema.pgsql.sql>`_.
 
 .. literalinclude:: ../../modules/gpgsqlbackend/schema.pgsql.sql
+   :language: SQL
diff --git a/docs/backends/generic-sql.rst b/docs/backends/generic-sql.rst
index b1e2027f1179..b98eb04bb08d 100644
--- a/docs/backends/generic-sql.rst
+++ b/docs/backends/generic-sql.rst
@@ -48,17 +48,15 @@ And wait a while for PowerDNS to pick up the addition - which happens
 within one minute (this is determined by the
 :ref:`setting-slave-cycle-interval`
 setting). There is no need to inform PowerDNS that a new domain was
-added. Typical output is:
-
-.. code-block:: SQL
-
-    Apr 09 13:34:29 All slave domains are fresh
-    Apr 09 13:35:29 1 slave domain needs checking
-    Apr 09 13:35:29 Domain example.com is stale, master serial 1, our serial 0
-    Apr 09 13:35:30 [gPgSQLBackend] Connected to database
-    Apr 09 13:35:30 AXFR started for 'example.com'
-    Apr 09 13:35:30 AXFR done for 'example.com'
-    Apr 09 13:35:30 [gPgSQLBackend] Closing connection
+added. Typical output is::
+
+  Apr 09 13:34:29 All slave domains are fresh
+  Apr 09 13:35:29 1 slave domain needs checking
+  Apr 09 13:35:29 Domain example.com is stale, master serial 1, our serial 0
+  Apr 09 13:35:30 [gPgSQLBackend] Connected to database
+  Apr 09 13:35:30 AXFR started for 'example.com'
+  Apr 09 13:35:30 AXFR done for 'example.com'
+  Apr 09 13:35:30 [gPgSQLBackend] Closing connection
 
 From now on, PowerDNS is authoritative for the 'example.com' zone and
 will respond accordingly for queries within that zone.
diff --git a/docs/backends/generic-sqlite3.rst b/docs/backends/generic-sqlite3.rst
index 31066a92135d..b0e723aceea8 100644
--- a/docs/backends/generic-sqlite3.rst
+++ b/docs/backends/generic-sqlite3.rst
@@ -93,11 +93,10 @@ Using the SQLite backend
 ------------------------
 
 The last thing you need to do is telling PowerDNS to use the SQLite
-backend.
+backend in pdns.conf:
 
-::
+.. code-block:: ini
 
-    # in pdns.conf
     launch=gsqlite3
     gsqlite3-database=<path to your SQLite database>
 
@@ -105,7 +104,7 @@ Then you can start PowerDNS and it should notify you that a connection
 to the database was made.
 
 Compiling the SQLite backend
------------------------------
+----------------------------
 
 Before you can begin compiling PowerDNS with the SQLite backend you need
 to have the SQLite utility and library installed on your system. You can
diff --git a/docs/backends/ldap.rst b/docs/backends/ldap.rst
index b2f58c9bb9bb..76111e2b65a6 100644
--- a/docs/backends/ldap.rst
+++ b/docs/backends/ldap.rst
@@ -65,7 +65,7 @@ Add them to the ``pdns.conf`` file.
 
 To launch the ldap backend:
 
-::
+.. code-block:: ini
 
     launch=ldap
 
@@ -450,7 +450,7 @@ standard compliant LDAP server. ``zone2ldap`` needs the BIND
 ``named.conf`` (usually located in /etc) as input and writes the dns
 record entries in ldif format to stdout:
 
-::
+.. code-block:: shell
 
     zone2ldap
        --basedn=YOUR_BASE_DN \
@@ -460,7 +460,7 @@ record entries in ldif format to stdout:
 Alternatively zone2ldap can be used to convert only single zone files
 instead all zones:
 
-::
+.. code-block:: shell
 
     zone2ldap
        --basedn=YOUR_BASE_DN \
@@ -487,7 +487,7 @@ creates a file in LDIF format with the necessary LDAP updates including
 the "associatedDomain" and "dc" attributes. The utility is executed on
 the command line by:
 
-::
+.. code-block:: shell
 
     ./bind2pdns-ldap
        --host=HOSTNAME_OR_IP \
@@ -525,7 +525,7 @@ into a file and call ``zone2ldap`` with the file name as option to the
 which can be imported into the LDAP tree. The bash script except below
 automates this:
 
-::
+.. code-block:: shell
 
     DNSSERVER=127.0.0.1
     DOMAINS="example.com 10.10.in-addr.arpa"
diff --git a/docs/backends/lua.rst b/docs/backends/lua.rst
index 610f3f5c64bb..b7d39dcb2b99 100644
--- a/docs/backends/lua.rst
+++ b/docs/backends/lua.rst
@@ -102,9 +102,9 @@ The following script can be used to test the server:
 
 This will yield the following result:
 
-::
+.. code-block:: shell
 
-    $dig any www.test.com @127.0.0.1 -p5300 +multiline
+    $ dig any www.test.com @127.0.0.1 -p5300 +multiline
     ; <<>> DiG 9.7.3 <<>> any www.test.com @127.0.0.1 -p5300 +multiline
     ;; global options: +cmd
     ;; Got answer:
@@ -152,7 +152,9 @@ luafunctions if you want. For example:
 
 .. _setting-lua-f_lookup:
 
-``lua-f_lookup = mynewfunction``
+.. code-block:: ini
+
+  lua-f_lookup = mynewfunction
 
 will call the function ``mynewfunction`` for the lookup-routine.
 
@@ -168,7 +170,9 @@ You can have an error function in Lua when Lua gives back a error.
 
 First make your error function then you put this in ``pdns.conf``:
 
-``lua-f_exec_error = YOUR_METHOD``
+.. code-block:: ini
+
+  lua-f_exec_error = YOUR_METHOD
 
 DNSSEC
 ------
diff --git a/docs/backends/opendbx.rst b/docs/backends/opendbx.rst
index 81a19fc8e0cd..768bc2836714 100644
--- a/docs/backends/opendbx.rst
+++ b/docs/backends/opendbx.rst
@@ -293,7 +293,7 @@ Supported without changes since OpenDBX 1.0.0 but requires to set
 (including the trailing slash or backslash, depending on your operating
 system) and opendbx-database to the name of the file.
 
-.. code-block:: SQL
+.. code-block:: ini
 
     opendbx-host-read = /path/to/file/
     opendbx-host-write = /path/to/file/
@@ -302,7 +302,7 @@ system) and opendbx-database to the name of the file.
 SQLite Schema
 ~~~~~~~~~~~~~
 
-::
+.. code-block:: SQL
 
     CREATE TABLE "domains" (
         "id" INTEGER NOT NULL PRIMARY KEY,
@@ -370,7 +370,7 @@ SQLite Schema
 SQLite3 Schema
 ~~~~~~~~~~~~~~
 
-::
+.. code-block:: SQL
 
     CREATE TABLE "domains" (
         "id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
@@ -442,7 +442,7 @@ Requires :ref:`setting-opendbx-database` set to the path of
 the database file and doesn't support the default statement for starting
 transactions. Please add the following lines to your pdns.conf:
 
-::
+.. code-block:: ini
 
     opendbx-database = /var/lib/firebird2/data/powerdns.gdb
     opendbx-sql-transactbegin = SET TRANSACTION
@@ -452,7 +452,7 @@ tool with the parameter ``-page 4096``. Otherwise, you will get an error
 (key size exceeds implementation restriction for index
 "pdns\_unq\_domains\_name") when creating the tables.
 
-::
+.. code-block:: SQL
 
     CREATE TABLE "domains" (
         "id" INTEGER NOT NULL,
@@ -560,13 +560,13 @@ configuration file of the dblib client library) and doesn't support the
 default statement for starting transactions. Please add the following
 lines to your pdns.conf:
 
-::
+.. code-block:: ini
 
     opendbx-host-read = MSSQL2k
     opendbx-host-write = MSSQL2k
     opendbx-sql-transactbegin = BEGIN TRANSACTION
 
-::
+.. code-block:: SQL
 
     SET quoted_identifier ON;
 
@@ -650,13 +650,13 @@ section in the configuration file of the ctlib client library) and
 doesn't support the default statement for starting transactions. Please
 add the following lines to your pdns.conf:
 
-::
+.. code-block:: ini
 
     opendbx-host-read = SYBASE
     opendbx-host-write = SYBASE
     opendbx-sql-transactbegin = BEGIN TRANSACTION
 
-::
+.. code-block:: SQL
 
     SET quoted_identifier ON;
 
@@ -736,11 +736,11 @@ Oracle
 Uses a different syntax for transactions and requires the following
 additional line in your pdns.conf:
 
-::
+.. code-block:: ini
 
     opendbx-sql-transactbegin = SET TRANSACTION NAME 'AXFR'
 
-::
+.. code-block:: SQL
 
     CREATE TABLE "domains" (
         "id" INTEGER NOT NULL,
diff --git a/docs/backends/oracle.rst b/docs/backends/oracle.rst
index 8445e694ec1e..ba9b7c34bd70 100644
--- a/docs/backends/oracle.rst
+++ b/docs/backends/oracle.rst
@@ -352,7 +352,7 @@ oracle-basic-query
 
 Looking for records based on owner name and type. Default:
 
-::
+.. code-block:: SQL
 
     SELECT fqdn, ttl, type, content, zone_id, last_change, auth
     FROM Records
@@ -363,7 +363,7 @@ oracle-basic-id-query
 
 Looking for records from one zone based on owner name and type. Default:
 
-::
+.. code-block:: SQL
 
     SELECT fqdn, ttl, type, content, zone_id, last_change, auth
     FROM Records
@@ -374,7 +374,7 @@ oracle-any-query
 
 Looking for records based on owner name. Default:
 
-::
+.. code-block:: SQL
 
     SELECT fqdn, ttl, type, content, zone_id, last_change, auth
     FROM Records
@@ -387,7 +387,7 @@ oracle-any-id-query
 
 Looking for records from one zone based on owner name. Default:
 
-::
+.. code-block:: SQL
 
     SELECT fqdn, ttl, type, content, zone_id, last_change, auth
     FROM Records
@@ -401,7 +401,7 @@ oracle-list-query
 
 Looking for all records from one zone. Default:
 
-::
+.. code-block:: SQL
 
     SELECT fqdn, ttl, type, content, zone_id, last_change, auth
     FROM Records
@@ -418,7 +418,7 @@ oracle-get-zone-metadata-query
 Fetch the content of the metadata entries of type ':kind' for the zone
 called ':name', in their original order. Default:
 
-::
+.. code-block:: SQL
 
     SELECT md.meta_content
     FROM Zones z JOIN ZoneMetadata md ON z.id = md.zone_id
@@ -432,7 +432,7 @@ Delete all metadata entries of type ':kind' for the zone called ':name'.
 You can skip this if you do not plan to manage zones with the
 ``pdnsutil`` tool. Default:
 
-::
+.. code-block:: SQL
 
     DELETE FROM ZoneMetadata md
     WHERE zone_id = (SELECT id FROM Zones z WHERE z.name = lower(:name))
@@ -444,7 +444,7 @@ oracle-set-zone-metadata-query
 Create a metadata entry. You can skip this if you do not plan to manage
 zones with the ``pdnsutil`` tool. Default:
 
-::
+.. code-block:: SQL
 
     INSERT INTO ZoneMetadata (zone_id, meta_type, meta_ind, meta_content)
     VALUES (
@@ -457,7 +457,7 @@ oracle-get-tsig-key-query
 
 Retrieved the TSIG key specified by ':name'. Default:
 
-::
+.. code-block:: SQL
 
     SELECT algorithm, secret
     FROM TSIGKeys
@@ -471,7 +471,7 @@ oracle-get-zone-keys-query
 
 Retrieve the DNSSEC signing keys for a zone. Default:
 
-::
+.. code-block:: SQL
 
     SELECT k.id, k.flags, k.active, k.keydata
     FROM ZoneDNSKeys k JOIN Zones z ON z.id = k.zone_id
@@ -483,7 +483,7 @@ oracle-del-zone-key-query
 Delete a DNSSEC signing key. You can skip this if you do not plan to
 manage zones with the ``pdnsutil`` tool. Default:
 
-::
+.. code-block:: SQL
 
     DELETE FROM ZoneDNSKeys WHERE id = :keyid
 
@@ -493,9 +493,9 @@ oracle-add-zone-key-query
 Add a DNSSEC signing key. You can skip this if you do not plan to manage
 zones with the ``pdnsutil`` tool. Default:
 
-::
+.. code-block:: SQL
 
-    INSERT INTO ZoneDNSKeys (id, zone_id, flags, active, keydata) "
+    INSERT INTO ZoneDNSKeys (id, zone_id, flags, active, keydata)
     VALUES (
       zonednskeys_id_seq.NEXTVAL,
       (SELECT id FROM Zones WHERE name = lower(:name)),
@@ -510,7 +510,7 @@ oracle-set-zone-key-state-query
 Enable or disable a DNSSEC signing key. You can skip this if you do not
 plan to manage zones with the **pdnsutil** tool. Default:
 
-::
+.. code-block:: SQL
 
     UPDATE ZoneDNSKeys SET active = :active WHERE id = :keyid
 
@@ -526,7 +526,7 @@ variables, not a query.
 
 Default:
 
-::
+.. code-block:: SQL
 
     BEGIN
       get_canonical_prev_next(:zoneid, :name, :prev, :next);
@@ -539,7 +539,7 @@ Given an NSEC3 hash, this call needs to return its predecessor and
 successor in NSEC3 zone ordering into ``:prev`` and ``:next``, and the
 FQDN of the predecessor into ``:unhashed``. Default:
 
-::
+.. code-block:: SQL
 
     BEGIN
       get_hashed_prev_next(:zoneid, :hash, :unhashed, :prev, :next);
@@ -554,7 +554,7 @@ oracle-zone-info-query
 Get some basic information about the named zone before doing
 master/slave things. Default:
 
-::
+.. code-block:: SQL
 
     SELECT id, name, type, last_check, serial, notified_serial
     FROM Zones
@@ -567,7 +567,7 @@ Delete all records for a zone in preparation for an incoming zone
 transfer. This happens inside a transaction, so if the transfer fails,
 the old zone content will still be there. Default:
 
-::
+.. code-block:: SQL
 
     DELETE FROM Records WHERE zone_id = :zoneid
 
@@ -578,7 +578,7 @@ Insert a record into the zone during an incoming zone transfer. This
 happens inside the same transaction as delete-zone, so we will not end
 up with a partially transferred zone. Default:
 
-::
+.. code-block:: SQL
 
     INSERT INTO Records (id, fqdn, zone_id, ttl, type, content)
     VALUES (records_id_seq.NEXTVAL, lower(:name), :zoneid, :ttl, :type, :content)
@@ -592,7 +592,7 @@ empty non-terminals, set the ``auth`` bit and NSEC3 hashes, and
 generally do any post-processing your schema requires. The do-nothing
 default:
 
-::
+.. code-block:: SQL
 
     DECLARE
       zone_id INTEGER := :zoneid;
@@ -610,7 +610,7 @@ Return a list of zones that need to be checked and their master servers.
 Return multiple rows, identical except for the master address, for zones
 with more than one master. Default:
 
-::
+.. code-block:: SQL
 
     SELECT z.id, z.name, z.last_check, z.serial, zm.master
     FROM Zones z JOIN Zonemasters zm ON z.id = zm.zone_id
@@ -623,7 +623,7 @@ oracle-zone-set-last-check-query
 
 Set the last check timestamp after a successful check. Default:
 
-::
+.. code-block:: SQL
 
     UPDATE Zones SET last_check = :lastcheck WHERE id = :zoneid
 
@@ -633,7 +633,7 @@ oracle-updated-masters-query
 Return a list of zones that need to have ``NOTIFY`` packets sent out.
 Default:
 
-::
+.. code-block:: SQL
 
     SELECT id, name, serial, notified_serial
     FROM Zones
@@ -645,7 +645,7 @@ oracle-zone-set-notified-serial-query
 
 Set the last notified serial after packets have been sent. Default:
 
-::
+.. code-block:: SQL
 
     UPDATE Zones SET notified_serial = :serial WHERE id = :zoneid
 
@@ -656,7 +656,7 @@ Return a list of hosts that should be notified, in addition to any
 nameservers in the NS records, when sending ``NOTIFY`` packets for the
 named zone. Default:
 
-::
+.. code-block:: SQL
 
     SELECT an.hostaddr
     FROM Zones z JOIN ZoneAlsoNotify an ON z.id = an.zone_id
@@ -667,7 +667,7 @@ oracle-zone-masters-query
 
 Return a list of masters for the zone specified by id. Default:
 
-::
+.. code-block:: SQL
 
     SELECT master
     FROM Zonemasters
@@ -679,7 +679,7 @@ oracle-is-zone-master-query
 Return a row if the specified host is a registered master for the named
 zone. Default:
 
-::
+.. code-block:: SQL
 
     SELECT zm.master
     FROM Zones z JOIN Zonemasters zm ON z.id = zm.zone_id
@@ -694,7 +694,7 @@ oracle-accept-supernotification-query
 If a supernotification should be accepted from ':ip', for the master
 nameserver ':ns', return a label for this supermaster. Default:
 
-::
+.. code-block:: SQL
 
     SELECT name
     FROM Supermasters
@@ -706,7 +706,7 @@ oracle-insert-slave-query
 A supernotification has just been accepted, and we need to create an
 entry for the new zone. Default:
 
-::
+.. code-block:: SQL
 
     INSERT INTO Zones (id, name, type)
     VALUES (zones_id_seq.NEXTVAL, lower(:zone), 'SLAVE')
@@ -718,7 +718,7 @@ oracle-insert-master-query
 We need to register the first master server for the newly created zone.
 Default:
 
-::
+.. code-block:: SQL
 
     INSERT INTO Zonemasters (zone_id, master)
     VALUES (:zoneid, :ip)
diff --git a/docs/backends/remote.rst b/docs/backends/remote.rst
index 6a54b933d01d..49e74b4afc04 100644
--- a/docs/backends/remote.rst
+++ b/docs/backends/remote.rst
@@ -50,7 +50,7 @@ Usage
 The only configuration options for backend are remote-connection-string
 and remote-dnssec.
 
-::
+.. code-block:: ini
 
     remote-connection-string=<type>:<param>=<value>,<param>=<value>...
 
@@ -63,7 +63,7 @@ Unix connector
 
 parameters: path, timeout (default 2000ms)
 
-::
+.. code-block:: ini
 
     remote-connection-string=unix:path=/path/to/socket
 
@@ -72,7 +72,7 @@ Pipe connector
 
 parameters: command,timeout (default 2000ms)
 
-::
+.. code-block:: ini
 
     remote-connection-string=pipe:command=/path/to/executable,timeout=2000
 
@@ -81,7 +81,7 @@ HTTP connector
 
 parameters: url, url-suffix, post, post_json, timeout (default 2000ms)
 
-::
+.. code-block:: ini
 
     remote-connection-string=http:url=http://localhost:63636/dns,url-suffix=.php
 
@@ -107,7 +107,7 @@ ZeroMQ connector
 
 parameters: endpoint, timeout (default 2000ms)
 
-::
+.. code-block:: ini
 
     remote-connection-string=zeromq:endpoint=ipc:///tmp/tmp.sock
 
@@ -159,13 +159,13 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"initialize", "parameters":{"command":"/path/to/something", "timeout":"2000", "something":"else"}}
 
 Response:
 
-::
+.. code-block:: json
 
     {"result":true}
 
@@ -191,13 +191,13 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"lookup", "parameters":{"qtype":"ANY", "qname":"www.example.com.", "remote":"192.0.2.24", "local":"192.0.2.1", "real-remote":"192.0.2.24", "zone-id":-1}}
 
 Response:
 
-::
+.. code-block:: json
 
     {"result":[{"qtype":"A", "qname":"www.example.com", "content":"203.0.113.2", "ttl": 60}]}
 
@@ -241,13 +241,13 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"list", "parameters":{"zonename":"example.com.","domain_id":-1}}
 
 Response (split into lines for ease of reading)
 
-::
+.. code-block:: json
 
     {"result":[
       {"qtype":"SOA", "qname":"example.com", "content":"dns1.icann.org. hostmaster.icann.org. 2012081600 7200 3600 1209600 3600", "ttl": 3600},
@@ -294,15 +294,15 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"getbeforeandafternamesabsolute", "params":{"id":0,"qname":"www.example.com"}}
 
 Response:
 
-::
+.. code-block:: json
 
-    {”result":{"before":"ns1","after":""}}
+    {"result":{"before":"ns1","after":""}}
 
 Example HTTP/RPC
 ''''''''''''''''
@@ -315,9 +315,9 @@ Query:
 
 Response:
 
-::
+.. code-block:: json
 
-    {”result":{"before":"ns1","after":""}}
+    {"result":{"before":"ns1","after":""}}
 
 ``getAllDomainMetadata``
 ~~~~~~~~~~~~~~~~~~~~~~~~
@@ -335,13 +335,13 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"getalldomainmetadata", "parameters":{"name":"example.com"}}
 
 Response:
 
-::
+.. code-block:: json
 
     {"result":{"PRESIGNED":["0"]}}
 
@@ -380,13 +380,13 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"getdomainmetadata", "parameters":{"name":"example.com.","kind":"PRESIGNED"}}
 
 Response:
 
-::
+.. code-block:: json
 
     {"result":["0"]}
 
@@ -424,13 +424,13 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"setdomainmetadata","parameters":{"name":"example.com","kind":"PRESIGNED","value":["YES"]}}
 
 Response:
 
-::
+.. code-block:: json
 
     {"result":true}
 
@@ -476,13 +476,13 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"getdomainkeys","parameters":{"name":"example.com."}}
 
 Response:
 
-::
+.. code-block:: json
 
     {"result":[{"id":1,"flags":256,"active":true,"content":"Private-key-format: v1.2
     Algorithm: 8 (RSASHA256)
@@ -538,7 +538,7 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"adddomainkey", "parameters":{"key":{"id":1,"flags":256,"active":true,"content":"Private-key-format: v1.2
     Algorithm: 8 (RSASHA256)
@@ -553,7 +553,7 @@ Query:
 
 Response:
 
-::
+.. code-block:: json
 
     {"result":true}
 
@@ -602,13 +602,13 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
-    {"method":"removedomainkey","parameters":"{"name":"example.com","id":1}}
+    {"method":"removedomainkey","parameters":{"name":"example.com","id":1}}
 
 Response:
 
-::
+.. code-block:: json
 
     {"result":true}
 
@@ -644,13 +644,13 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"activatedomainkey","parameters":{"name":"example.com","id":1}}
 
 Response:
 
-::
+.. code-block:: json
 
     {"result":true}
 
@@ -686,13 +686,13 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"deactivatedomainkey","parameters":{"name":"example.com","id":1}}
 
 Response:
 
-::
+.. code-block:: json
 
     {"result": true}
 
@@ -728,15 +728,15 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"gettsigkey","parameters":{"name":"example.com."}}
 
 Response:
 
-::
+.. code-block:: json
 
-    {"result":{"algorithm":"hmac-md5","content:"kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys="}}
+    {"result":{"algorithm":"hmac-md5","content":"kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys="}}
 
 Example HTTP/RPC
 ''''''''''''''''
@@ -776,15 +776,15 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"getdomaininfo","parameters":{"name":"example.com"}}
 
 Response:
 
-::
+.. code-block:: json
 
-    {"result":{id:1,"zone":"example.com","kind":"NATIVE","serial":2002010100}}
+    {"result":{"id":1,"zone":"example.com","kind":"NATIVE","serial":2002010100}}
 
 Example HTTP/RPC
 ''''''''''''''''
@@ -818,13 +818,13 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"setnotified","parameters":{"id":1,"serial":2002010100}}
 
 Response:
 
-::
+.. code-block:: json
 
     {"result":true}
 
@@ -864,13 +864,13 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"isMaster","parameters":{"name":"example.com","ip":"198.51.100.0.1"}}
 
 Response:
 
-::
+.. code-block:: json
 
     {"result":true}
 
@@ -909,19 +909,19 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"superMasterBackend","parameters":{"ip":"198.51.100.0.1","domain":"example.com","nsset":[{"qtype":"NS","qname":"example.com","qclass":1,"content":"ns1.example.com","ttl":300,"auth":true},{"qtype":"NS","qname":"example.com","qclass":1,"content":"ns2.example.com","ttl":300,"auth":true}]}}
 
 Response:
 
-::
+.. code-block:: json
 
     {"result":true}
 
 Alternative response:
 
-::
+.. code-block:: json
 
     {"result":{"account":"my account","nameserver":"ns2.example.com"}}
 
@@ -970,13 +970,13 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"createSlaveDomain","parameters":{"ip":"198.51.100.0.1","domain":"pirate.example.net"}}
 
 Response:
 
-::
+.. code-block:: json
 
     {"result":true}
 
@@ -1015,13 +1015,13 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"replaceRRSet","parameters":{"domain_id":2,"qname":"replace.example.com","qtype":"A","trxid":1370416133,"rrset":[{"qtype":"A","qname":"replace.example.com","qclass":1,"content":"1.1.1.1","ttl":300,"auth":true}]}}
 
 Response:
 
-::
+.. code-block:: json
 
     {"result":true}
 
@@ -1062,13 +1062,13 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"feedRecord","parameters":{"rr":{"qtype":"A","qname":"replace.example.com","qclass":1,"content":"127.0.0.1","ttl":300,"auth":true},"trxid":1370416133}}
 
 Response:
 
-::
+.. code-block:: json
 
     {"result":true}
 
@@ -1114,13 +1114,13 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"feedEnts","parameters":{"domain_id":2,"trxid":1370416133,"nonterm":["_sip._udp","_udp"]}}
 
 Response:
 
-::
+.. code-block:: json
 
     {"result":true}
 
@@ -1161,13 +1161,13 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"feedEnts3","parameters":{"domain_id":2,"domain":"example.com","times":1,"salt":"9642","narrow":false,"trxid":1370416356,"nonterm":["_sip._udp","_udp"]}}
 
 Response:
 
-::
+.. code-block:: json
 
     {"result":true}
 
@@ -1208,13 +1208,13 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"startTransaction","parameters":{"trxid":1234,"domain_id":1,"domain":"example.com"}}
 
 Response:
 
-::
+.. code-block:: json
 
     {"result":true}
 
@@ -1255,13 +1255,13 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"commitTransaction","parameters":{"trxid":1234}}
 
 Response:
 
-::
+.. code-block:: json
 
     {"result":true}
 
@@ -1299,13 +1299,13 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"abortTransaction","parameters":{"trxid":1234}}
 
 Response:
 
-::
+.. code-block:: json
 
     {"result":true}
 
@@ -1344,13 +1344,13 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"calculateSOASerial","parameters":{"domain":"unit.test","sd":{"qname":"unit.test","nameserver":"ns.unit.test","hostmaster":"hostmaster.unit.test","ttl":300,"serial":1,"refresh":2,"retry":3,"expire":4,"default_ttl":5,"domain_id":-1,"scopeMask":0}}}
 
 Response:
 
-::
+.. code-block:: json
 
     {"result":2013060501}
 
@@ -1391,13 +1391,13 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"directBackendCmd","parameters":{"query":"PING"}}
 
 Response:
 
-::
+.. code-block:: json
 
     {"result":"PONG"}
 
@@ -1437,13 +1437,13 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method": "getAllDomains", "parameters": {"include_disabled": true}}
 
 Response:
 
-::
+.. code-block:: json
 
     {"result":[{"id":1,"zone":"unit.test.","masters":["10.0.0.1"],"notified_serial":2,"serial":2,"last_check":1464693331,"kind":"native"}]}
 
@@ -1480,13 +1480,13 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method":"searchRecords","parameters":{"pattern":"www.example*","maxResults":100}}
 
 Response:
 
-::
+.. code-block:: json
 
     {"result":[{"qtype":"A", "qname":"www.example.com", "content":"203.0.113.2", "ttl": 60}]}
 
@@ -1523,13 +1523,13 @@ Example JSON/RPC
 
 Query:
 
-::
+.. code-block:: json
 
     {"method": "getUpdatedMasters", "parameters": {}}
 
 Response:
 
-::
+.. code-block:: json
 
     {"result":[{"id":1,"zone":"unit.test.","masters":["10.0.0.1"],"notified_serial":2,"serial":2,"last_check":1464693331,"kind":"master"}]}
 
@@ -1561,7 +1561,7 @@ Scenario: SOA lookup via pipe, unix or zeromq connector
 
 Query:
 
-::
+.. code-block:: json
 
     { 
       "method": "lookup",
@@ -1574,7 +1574,7 @@ Query:
 
 Reply:
 
-::
+.. code-block:: json
 
     {
       "result": 
@@ -1599,7 +1599,7 @@ Query:
 
 Reply:
 
-::
+.. code-block:: json
 
     {
       "result":
diff --git a/docs/changelog/pre-4.0.rst b/docs/changelog/pre-4.0.rst
index a6246ea2db43..2c16c085a46e 100644
--- a/docs/changelog/pre-4.0.rst
+++ b/docs/changelog/pre-4.0.rst
@@ -5042,7 +5042,7 @@ After the SOA of example.org was raised
 If however our slaves would ignore us, as some are prone to do, we can
 send some additional notifications
 
-::
+.. code-block:: shell
 
     $ sudo pdns_control notify example.org
     Added to queue
@@ -5055,7 +5055,7 @@ send some additional notifications
 Conversely, if PowerDNS needs to be reminded to retrieve a zone from a
 master, a command is provided
 
-::
+.. code-block:: shell
 
     $ sudo pdns_control retrieve forfun.net
     Added retrieval request for 'forfun.net' from master 212.187.98.67
diff --git a/docs/dnssec/index.rst b/docs/dnssec/index.rst
index dad7dcd01a1b..85fa195e60ff 100644
--- a/docs/dnssec/index.rst
+++ b/docs/dnssec/index.rst
@@ -19,7 +19,7 @@ automatically.
 
 As an example, securing an existing zone can be as simple as:
 
-::
+.. code-block:: shell
 
     $ pdnsutil secure-zone powerdnssec.org
 
diff --git a/docs/dnssec/migration.rst b/docs/dnssec/migration.rst
index 53d6a412e56c..0ba6656c8716 100644
--- a/docs/dnssec/migration.rst
+++ b/docs/dnssec/migration.rst
@@ -24,21 +24,21 @@ all the changes in database schemas as shown in the :doc:`upgrade documentation
 
 To deliver a correctly signed zone with the :ref:`dnssec-pdnsutil-dnssec-defaults`, invoke:
 
-::
+.. code-block:: shell
 
     pdnsutil secure-zone ZONE
 
 To view the DS records for this zone (to transfer to the parent zone),
 run
 
-::
+.. code-block:: shell
 
     pdnsutil show-zone ZONE
 
 For a more traditional setup with a KSK and a ZSK, use the following
 sequence of commands:
 
-::
+.. code-block:: shell
 
     pdnsutil add-zone-key ZONE ksk 2048 active rsasha256
     pdnsutil add-zone-key ZONE zsk 1024 active rsasha256
@@ -85,7 +85,7 @@ The ``pdnsutil`` tool features the option to import zone keys in the
 industry standard private key format, version 1.2. To import an existing
 KSK, use
 
-::
+.. code-block:: shell
 
     pdnsutil import-zone-key ZONE FILENAME ksk
 
diff --git a/docs/dnssec/operational.rst b/docs/dnssec/operational.rst
index f3cfce1ce7db..ce3db3e05ecd 100644
--- a/docs/dnssec/operational.rst
+++ b/docs/dnssec/operational.rst
@@ -19,7 +19,7 @@ zone.
 Going insecure
 --------------
 
-::
+.. code-block:: shell
 
     pdnsutil disable-dnssec ZONE
 
@@ -34,13 +34,13 @@ Setting the NSEC modes and parameters
 As stated earlier, PowerDNS uses NSEC by default. If you want to use
 NSEC3 instead, issue:
 
-::
+.. code-block:: shell
 
     pdnsutil set-nsec3 ZONE [PARAMETERS]
 
 e.g.
 
-::
+.. code-block:: shell
 
     pdnsutil set-nsec3 example.net '1 0 1 ab'
 
@@ -56,7 +56,7 @@ The quoted part is the content of the NSEC3PARAM records, as defined in
 
 To convert a zone from NSEC3 to NSEC operations, run:
 
-::
+.. code-block:: shell
 
     pdnsutil unset-nsec3 ZONE
 
diff --git a/docs/dnsupdate.rst b/docs/dnsupdate.rst
index 94ed0b0fc06f..c65eae1eb3ca 100644
--- a/docs/dnsupdate.rst
+++ b/docs/dnsupdate.rst
@@ -120,19 +120,19 @@ This setting allows you to set the TSIG key required to do an DNS
 update. If you have GSS-TSIG enabled, you can use Kerberos principals
 here. An example, using :program:`pdnsutil` to create the key:
 
-::
+.. code-block:: shell
 
-    pdnsutil generate-tsig-key test hmac-md5
+    $ pdnsutil generate-tsig-key test hmac-md5
     Create new TSIG key test hmac-md5 kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=
-    
+
+::
+
     sql> insert into tsigkeys (name, algorithm, secret) values ('test', 'hmac-md5', 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=');
     sql> select id from domains where name='example.org';
     5
     sql> insert into domainmetadata (domain_id, kind, content) values (5, 'TSIG-ALLOW-DNSUPDATE', 'test');
 
-An example of how to use a TSIG key with the :program:`nsupdate` command:
-
-::
+An example of how to use a TSIG key with the :program:`nsupdate` command::
 
     nsupdate <<!
     server <ip> <port>
@@ -252,14 +252,14 @@ Setting up dhcpd
 We're going to use a TSIG key for security. We're going to generate a
 key using the following command:
 
-::
+.. code-block:: shell
 
     dnssec-keygen -a hmac-md5 -b 128 -n USER dhcpdupdate
 
 This generates two files (Kdhcpdupdate.*.key and
 Kdhcpdupdate.*.private). You're interested in the .key file:
 
-::
+.. code-block:: shell
 
     # ls -l Kdhcp*
     -rw------- 1 root root  53 Aug 26 19:29 Kdhcpdupdate.+157+20493.key
@@ -338,7 +338,7 @@ dynamic updates from **dhcpd**.
 Enabled DNS update (:rfc:`2136`) support functionality in PowerDNS by adding
 the following to the PowerDNS configuration file (pdns.conf).
 
-::
+.. code-block:: ini
 
     dnsupdate=yes
     allow-dnsupdate-from=
@@ -467,7 +467,7 @@ There are many same things available as in recursor Lua scripts, but
 there is also resolve(qname, qtype) which returns array of records.
 Example:
 
-::
+.. code-block:: lua
 
     resolve("www.google.com", pdns.A)
 
@@ -477,7 +477,7 @@ resolve does not perform local lookup.
 
 Simple example script:
 
-.. code:: lua
+.. code-block:: lua
 
     --- This script is not suitable for production use
 
diff --git a/docs/domainmetadata.rst b/docs/domainmetadata.rst
index c3c6ece7fc2a..926628037ff7 100644
--- a/docs/domainmetadata.rst
+++ b/docs/domainmetadata.rst
@@ -30,7 +30,7 @@ that tries to allow all potential slaves in.
 
 Example:
 
-::
+.. code-block:: shell
 
     pdnsutil set-meta powerdns.org ALLOW-AXFR-FROM AUTO-NS 2001:db8::/48
 
@@ -38,10 +38,10 @@ Each ACL has its own row in the database:
 
 ::
 
-    select id from domains where name='example.com';
+    sql> select id from domains where name='example.com';
     7
-    insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','AUTO-NS');
-    insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','2001:db8::/48');
+    sql> insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','AUTO-NS');
+    sql> insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','2001:db8::/48');
 
 To disallow all IP's, except those explicitly allowed by domainmetadata
 records, add ``allow-axfr-ips=`` to ``pdns.conf``.
@@ -82,14 +82,14 @@ When notifying this domain, also notify this nameserver (can occur
 multiple times). The nameserver may have contain an optional port
 number. e.g.:
 
-::
+.. code-block:: shell
 
     pdnsutil set-meta powerdns.org ALSO-NOTIFY 192.0.2.1:5300
     pdnsutil set-meta powerdns.org ALLOW-AXFR-FROM 2001:db8:53::1
 
 Or in SQL:
 
-::
+.. code-block:: SQL
 
     insert into domainmetadata (domain_id, kind, content) values (7,'ALSO-NOTIFY','192.0.2.1:5300');
     insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','2001:db8:53::1');
diff --git a/docs/guides/alias.rst b/docs/guides/alias.rst
index 19e2e7946d66..419d32e0d4c7 100644
--- a/docs/guides/alias.rst
+++ b/docs/guides/alias.rst
@@ -9,7 +9,7 @@ Server 4.1.0 or higher, set the :ref:`setting-resolver`
 setting to an existing resolver and enable
 :ref:`setting-expand-alias`:
 
-::
+.. code-block:: ini
 
     resolver=[::1]:5300
     expand-alias=yes
diff --git a/docs/guides/basic-database.rst b/docs/guides/basic-database.rst
index 0a832e37c739..2dac35834f67 100644
--- a/docs/guides/basic-database.rst
+++ b/docs/guides/basic-database.rst
@@ -6,7 +6,7 @@ is called 'gmysql', and needs to be configured in ``pdns.conf``. Add the
 following lines, adjusted for your local setup (specifically, you may
 not want to use the 'root' user):
 
-::
+.. code-block:: ini
 
     launch=gmysql
     gmysql-host=127.0.0.1
@@ -49,6 +49,7 @@ Connect to MySQL as a user with sufficient privileges and issue the
 following commands:
 
 .. literalinclude:: ../../modules/gmysqlbackend/schema.mysql.sql
+   :language: SQL
 
 Now we have a database and an empty table. PowerDNS should now be able
 to launch in monitor mode and display no errors:
@@ -66,7 +67,7 @@ to launch in monitor mode and display no errors:
 In a different shell, a sample query sent to the server should now
 return quickly without data:
 
-::
+.. code-block:: shell
 
     $ dig +short www.example.com @127.0.0.1
     $
@@ -110,7 +111,7 @@ Now we need to add some records to our database (in a separate shell):
 
 If we now requery our database, ``www.example.com`` should be present:
 
-::
+.. code-block:: shell
 
     $ dig +short www.example.com @127.0.0.1
     192.0.2.10
diff --git a/docs/guides/kskroll.rst b/docs/guides/kskroll.rst
index f50ccc0728b3..ee48f23549a4 100644
--- a/docs/guides/kskroll.rst
+++ b/docs/guides/kskroll.rst
@@ -13,7 +13,7 @@ both a KSK and a CSK.
 To start the rollover, add an **active** new KSK to the zone
 (example.net in this case):
 
-::
+.. code-block:: shell
 
     pdnsutil add-zone-key example.net ksk active
 
@@ -24,7 +24,7 @@ If this zone is of the type 'MASTER', increase the SOA serial. The
 rollover is now in the "New KSK" stage. Retrieve the DS record(s) for
 the new KSK:
 
-::
+.. code-block:: shell
 
     pdnsutil show-zone example.net
 
@@ -38,7 +38,7 @@ rollover is now in the "DS Change" state and can continue to the
   The key-id for the old KSK is shown in the output of
   ``pdnsutil show-zone example.net``.
 
-::
+.. code-block:: shell
 
     pdnsutil remove-zone-key example.net KEY-ID
 
diff --git a/docs/guides/recursion.rst b/docs/guides/recursion.rst
index c43536add733..bca561d6aeb0 100644
--- a/docs/guides/recursion.rst
+++ b/docs/guides/recursion.rst
@@ -50,7 +50,7 @@ should be removed:
 To make the authoritative server listen on the local loopback address
 and port 5300 change the following in ``pdns.conf``:
 
-::
+.. code-block:: ini
 
     local-ipv6=
     local-address=127.0.0.1
@@ -87,7 +87,7 @@ Authoritative Server. This is done using the
 ``recursor.conf``. The domains should be forwarded to 127.0.0.1:5300
 (the new address and port of the Authoritative Server):
 
-::
+.. code-block:: ini
 
     forward-zones=private.example.com=127.0.0.1:5300
     forward-zones+=another.example.com=127.0.0.1:5300
@@ -133,7 +133,7 @@ should be removed:
 To make the authoritative server listen on the local loopback address
 and port 5300 change the following in ``pdns.conf``:
 
-::
+.. code-block:: ini
 
     local-ipv6=
     local-address=127.0.0.1
@@ -153,7 +153,7 @@ Configure the recursor to listen on the local loopback interface on a
 different port than the Authoritative Server. Set the following in
 ``recursor.conf``:
 
-::
+.. code-block:: ini
 
     local-address=127.0.0.1
     local-port=5301
@@ -164,7 +164,7 @@ Authoritative Server. This is done using the
 ``recursor.conf``. The domains should be forwarded to 127.0.0.1:5300
 (the new address and port of the Authoritative Server):
 
-::
+.. code-block:: ini
 
     forward-zones=private.example.com=127.0.0.1:5300
     forward-zones+=another.example.com=127.0.0.1:5300
diff --git a/docs/guides/virtual-instances.rst b/docs/guides/virtual-instances.rst
index 7794a77f58d1..87251ceefca0 100644
--- a/docs/guides/virtual-instances.rst
+++ b/docs/guides/virtual-instances.rst
@@ -40,13 +40,13 @@ Assuming your instance is called ``myinstance`` and
 ``pdns-myinstance.conf`` exists in the configuration directory, the
 following command will start the service:
 
-::
+.. code-block:: shell
 
     systemctl start pdns@myinstance.service
 
 Similarly you can enable it at boot:
 
-::
+.. code-block:: shell
 
     systemctl enable pdns@myinstance.service
 
diff --git a/docs/guides/zskroll.rst b/docs/guides/zskroll.rst
index a139bd319629..aa7631a07ccf 100644
--- a/docs/guides/zskroll.rst
+++ b/docs/guides/zskroll.rst
@@ -12,7 +12,7 @@ First, create a new inactive ZSK for the zone (if one already exists,
 you can skip this step), we add an ECDSA 256 bit key (algorithm 13)
 here:
 
-::
+.. code-block:: shell
 
     pdnsutil add-zone-key example.net zsk inactive ecdsa256
 
@@ -23,7 +23,7 @@ database and wait for the slaves to pickup the zone change.
 To change the RRSIGs on your records, the new key must be made active.
 Note: you can get the key-ids with ``pdnsutil show-zone example.net``:
 
-::
+.. code-block:: shell
 
     pdnsutil activate-zone-key example.net new-key-id
     pdnsutil deactivate-zone-key example.net previous-key-id
@@ -33,7 +33,7 @@ the "new RRSIGs" stage of the roll over.
 
 The last step is to remove the old key from the completely:
 
-::
+.. code-block:: shell
 
     pdnsutil remove-zone-key example.net previous-key-id
 
diff --git a/docs/installation.rst b/docs/installation.rst
index 6e1753d8eca4..0d6bd6da9e11 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -17,7 +17,7 @@ Debian-based Systems
 PowerDNS Authoritative Server is available through the
 `apt <https://packages.debian.org/pdns-server>`__ system.
 
-::
+.. code-block:: shell
 
     # apt-get install pdns-server
 
@@ -25,7 +25,7 @@ Debian splits the backends into `several different
 packages <https://packages.debian.org/pdns-backend>`__, install the
 required backend as follows:
 
-::
+.. code-block:: shell
 
     # apt-get install pdns-backend-$backend
 
@@ -39,13 +39,13 @@ or from `the PowerDNS repositories <https://repo.powerdns.com>`__:
 
 Add either to your list of repositories and install PowerDNS by issuing:
 
-::
+.. code-block:: shell
 
     # yum install pdns
 
 The different backends can be installed using
 
-::
+.. code-block:: shell
 
     # yum install pdns-backend-$backend
 
@@ -57,13 +57,13 @@ PowerDNS Authoritative Server is available through the
 
 For the package:
 
-::
+.. code-block:: shell
 
     # pkg install dns/powerdns
 
 To have your system build the port:
 
-::
+.. code-block:: shell
 
     cd /usr/ports/dns/powerdns/ && make install clean
 
@@ -72,7 +72,7 @@ Mac OS X
 
 PowerDNS Authoritative Server is available through Homebrew:
 
-::
+.. code-block:: shell
 
     $ brew install pdns
 
diff --git a/docs/migration.rst b/docs/migration.rst
index bfcab43a164f..0a81af1d51fe 100644
--- a/docs/migration.rst
+++ b/docs/migration.rst
@@ -28,7 +28,7 @@ In order to migrate to a Generic SQL backend, add all your domains to
 the 'domains' table with the IP of your current master. On your current
 master, make sure that this master allows AXFRs to this new slave.
 
-::
+.. code-block:: SQL
 
     INSERT INTO domains (name,type,master) VALUES ('example.net', 'SLAVE', '198.51.100.101');
 
@@ -36,7 +36,7 @@ Then start PowerDNS and wait for all the zones to be transferred. If
 this server is the new :ref:`master <master-operation>`, change the type of
 domain in the database:
 
-::
+.. code-block:: SQL
 
     UPDATE domains set type='MASTER' where type='SLAVE';
 
@@ -45,7 +45,7 @@ and restart PowerDNS.
 
 Or, if you want to use :ref:`native <native-operation>`:
 
-::
+.. code-block:: SQL
 
     UPDATE domains set type='NATIVE' where type='SLAVE';
 
@@ -116,7 +116,7 @@ See `its manpage <manpages/zone2sql.1>` for more information.
 
 An example call to ``zone2sql`` could be:
 
-::
+.. code-block:: shell
 
     zone2sql --named-conf=/path/to/named.conf --gmysql | mysql -u pdns -p pdns-db
 
diff --git a/docs/modes-of-operation.rst b/docs/modes-of-operation.rst
index 15af055bedcc..d8d79aef5516 100644
--- a/docs/modes-of-operation.rst
+++ b/docs/modes-of-operation.rst
@@ -246,7 +246,7 @@ the ``domainmetadata`` table for the domain. Supposing the domain we
 want has an ``id`` of 3, the following SQL statement will enable the Lua
 script ``my.lua`` for that domain:
 
-::
+.. code-block:: SQL
 
     INSERT INTO domainmetadata (domain_id, kind, content) VALUES (3, "LUA-AXFR-SCRIPT", "/lua/my.lua");
 
@@ -270,7 +270,7 @@ incoming record as normal.
 
 Consider the following simple example:
 
-::
+.. code-block:: lua
 
         function axfrfilter(remoteip, zone, record)
 
diff --git a/docs/security-advisories/powerdns-advisory-2012-01.rst b/docs/security-advisories/powerdns-advisory-2012-01.rst
index 0c82fd2349be..cd4165284919 100644
--- a/docs/security-advisories/powerdns-advisory-2012-01.rst
+++ b/docs/security-advisories/powerdns-advisory-2012-01.rst
@@ -37,7 +37,7 @@ Alternatively, on Linux systems with a working iptables setup,
 'responses' sent to the PowerDNS Authoritative Server 'question' address
 can be blocked by issuing:
 
-::
+.. code-block:: shell
 
           iptables -I INPUT -p udp --dst $AUTHIP --dport 53 \! -f -m u32 --u32 "0>>22&0x3C@8>>15&0x01=1" -j DROP 
         
@@ -57,7 +57,7 @@ announcement.
 For those running custom PowerDNS versions, just applying this patch may
 be easier:
 
-::
+.. code-block:: diff
 
     --- pdns/common_startup.cc   (revision 2326)
     +++ pdns/common_startup.cc   (working copy)
diff --git a/docs/settings.rst b/docs/settings.rst
index eab1244d2700..49d6371c53bd 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -682,7 +682,7 @@ Which backends to launch and order to query them in. Launches backends.
 In its most simple form, supply all backends that need to be launched.
 e.g.
 
-::
+.. code-block:: ini
 
     launch=bind,gmysql,remote
 
@@ -690,7 +690,7 @@ If you find that you need to query a backend multiple times with
 different configuration, you can specify a name for later
 instantiations. e.g.:
 
-::
+.. code-block:: ini
 
     launch=gmysql,gmysql:server2
 
@@ -1153,7 +1153,9 @@ To notify all IP addresses apart from the 192.168.0.0/24 subnet use the followin
   Otherwise there will be error trying to resolve address.
 
   For example, slaves support both IPv4 and IPv6, but PowerDNS master have only IPv4,
-  so allow only IPv4 with ``only-notify``::
+  so allow only IPv4 with ``only-notify``:
+
+  .. code-block:: ini
 
     only-notify=0.0.0.0/0
 
diff --git a/docs/tsig.rst b/docs/tsig.rst
index f4074b2596f4..df97df2e74eb 100644
--- a/docs/tsig.rst
+++ b/docs/tsig.rst
@@ -34,7 +34,9 @@ with the key name in the content field. For example::
     $ dig -t axfr powerdnssec.org @127.0.0.1 -y 'test:kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys='
 
 Another of importing and activating TSIG keys into the database is using
-:doc:`pdnsutil <manpages/pdnsutil.1>`::
+:doc:`pdnsutil <manpages/pdnsutil.1>`:
+
+.. code-block:: shell
 
     pdnsutil import-tsig-key test hmac-md5 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys='
     pdnsutil activate-tsig-key powerdnssec.org test master
@@ -70,9 +72,7 @@ The actual TSIG key must also be provisioned, as outlined in the
 previous section.
 
 For the Generic SQL backends, configuring the use of TSIG for AXFR
-requests could be achieved as follows:
-
-::
+requests could be achieved as follows::
 
     insert into tsigkeys (name, algorithm, secret) values ('test', 'hmac-md5', 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=');
     select id from domains where name='powerdnssec.org';
@@ -82,7 +82,7 @@ requests could be achieved as follows:
 This can also be done using
 :doc:`/manpages/pdnsutil.1`:
 
-::
+.. code-block:: shell
 
     pdnsutil import-tsig-key test hmac-md5 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys='
     pdnsutil activate-tsig-key powerdnssec.org test slave
@@ -91,9 +91,7 @@ This setup corresponds to the ``TSIG-ALLOW-AXFR`` access rule defined in
 the previous section.
 
 In the interest of interoperability, the configuration above is (not
-quite) similar to the following BIND statements:
-
-::
+quite) similar to the following BIND statements::
 
     key test. {
             algorithm hmac-md5;

From 36d10f0f6c47635d0665d9063c7bce4eb1429a55 Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:25:21 +0200
Subject: [PATCH 059/127] docs: reword sentence in DNSSEC intro

"confirmation can be gotten" sounds weird to me.
---
 docs/dnssec/intro.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/dnssec/intro.rst b/docs/dnssec/intro.rst
index 09517b6439dc..239b67460a8f 100644
--- a/docs/dnssec/intro.rst
+++ b/docs/dnssec/intro.rst
@@ -14,7 +14,7 @@ is used for verification. The private part is used for signing and is
 never published.
 
 To make sure that the internet knows that the key that is used for
-signing is the authentic key, confirmation can be gotten from the parent
+signing is the authentic key, confirmation can be obtained from the parent
 zone. This means that to become operational, a zone operator will have
 to publish a representation of the signing key to the parent zone, often
 a ccTLD or a gTLD. This representation is called a DS record, and is a

From 76a678b6757f5e8a4787ab89fd8451dc2e2b4fac Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:25:21 +0200
Subject: [PATCH 060/127] docs: fix link in Lua backend

Two problems with the existing link:
* target was non-existent (anchor is different in Sphinx)
* nested markup for monospaced text on link is not possible, see
  https://stackoverflow.com/q/4743845/1254292
---
 docs/backends/lua.rst | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/docs/backends/lua.rst b/docs/backends/lua.rst
index b7d39dcb2b99..c95702114bea 100644
--- a/docs/backends/lua.rst
+++ b/docs/backends/lua.rst
@@ -66,6 +66,8 @@ This will give you back three parameters with ``remote_ip``,
 
 Can only be used in the functions ``list()`` and ``getsoa()``.
 
+.. _backends_lua_fun_getarg:
+
 ``getarg("PARAMETER")``
 ~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -75,8 +77,8 @@ pdns.conf file.
 ``mustdo("PARAMETER")``
 ~~~~~~~~~~~~~~~~~~~~~~~
 
-This is the same as ```getarg()`` <#getarg>`__ but return a boolean
-instead of a string.
+This is the same as :ref:`getarg() <backends_lua_fun_getarg>`, but returns
+a boolean instead of a string.
 
 You also have all the different QTypes in a table called 'QTypes'.
 

From 3c0f81fcae5ba743adda17b71a09166f83cbb98b Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:25:21 +0200
Subject: [PATCH 061/127] docs: Fix formatting of Lua2 backend API

Without a blank line between the paragraphs in the descriptions of
RST description lists [1], the list items will not render as list items,
but as a long single paragraph.

[1]: http://docutils.sourceforge.net/docs/user/rst/quickref.html#definition-lists
---
 docs/backends/lua2.rst | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docs/backends/lua2.rst b/docs/backends/lua2.rst
index 7b079a0d4e68..e12c1441e1d3 100644
--- a/docs/backends/lua2.rst
+++ b/docs/backends/lua2.rst
@@ -46,6 +46,7 @@ INPUT:
 
 OUTPUT:
  Expects a array which has tables with following keys:
+
  - DNSName name - resource record name (can also be string)
  - string type - type of resource record (can also be QType or valid integer)
  - string content - resource record content
@@ -85,6 +86,7 @@ INPUT:
 
 OUTPUT:
  Return false if not supported or found, otherwise expects a table with keys:
+
  - string account - Associated account of this domain (default: <empty>)
  - string kind - Domain kind (NATIVE,MASTER,SLAVE) (default: NATIVE)
  - int id - Associated domain ID (default: -1)
@@ -147,6 +149,7 @@ INPUT:
 
 OUTPUT:
  Return false if not found or supported, otherwise expects array of tables with keys:
+
  - int id - Key ID
  - int flags - Key flags
  - bool active - Is key active
@@ -165,6 +168,7 @@ INPUT:
 
 OUTPUT:
  Table with keys:
+
  - unhashed - DNSName of the unhashed relative to domain
  - before - (hashed) name of previous record relative to domain
  - after - (hashed) name of next record relative to domain

From 274d02444b9ed6a8fb9763960c69f38e2e8d19ec Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:25:22 +0200
Subject: [PATCH 062/127] docs: Fix link in Lua2 backend

---
 docs/backends/lua2.rst | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/docs/backends/lua2.rst b/docs/backends/lua2.rst
index e12c1441e1d3..f08815de2f36 100644
--- a/docs/backends/lua2.rst
+++ b/docs/backends/lua2.rst
@@ -76,6 +76,8 @@ OUTPUT:
 
 NOTES:
  This function is **optional**.
+
+.. _backends_lua2_dns_get_domaininfo:
  
 ``dns_get_domaininfo(domain)``
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -108,7 +110,8 @@ NOTES:
 Get domain information for all domains.
 
 OUTPUT:
- Return false if not supported or found, otherwise return a table of string, domaininfo. See ``dns_get_domaininfo```.
+ Return false if not supported or found, otherwise return a table of string,
+ domaininfo. See :ref:`dns_get_domaininfo() <backends_lua2_dns_get_domaininfo>`.
 
 NOTES:
  This function is **optional**, except if you need master functionality.

From da7a5d84fbbbaf08560d82f681201ab1c4c18619 Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:25:22 +0200
Subject: [PATCH 063/127] docs: Other minor fixes

* Make sentence actually part of the 'versionchanged' directive on the
  settings page. Fixes sphinx-build warning.
* LDAP backend formatting changes so that ldap:// URIs don't get
  linkified.
* Fix sphinx-build warning about under and over underlined sections.
---
 docs/backends/generic-postgresql.rst | 2 +-
 docs/backends/ldap.rst               | 6 +++---
 docs/settings.rst                    | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/docs/backends/generic-postgresql.rst b/docs/backends/generic-postgresql.rst
index 41738ec9ca55..c77187683413 100644
--- a/docs/backends/generic-postgresql.rst
+++ b/docs/backends/generic-postgresql.rst
@@ -82,7 +82,7 @@ Enable DNSSEC processing for this backend. Default: no.
 .. _setting-gpgsql-extra-connection-parameters:
 
 ``gpgsql-extra-connection-parameters``
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 Extra connection parameters to forward to postgres. If you want to pin a
 specific certificate for the connection you should set this to
diff --git a/docs/backends/ldap.rst b/docs/backends/ldap.rst
index 76111e2b65a6..266be52bba7b 100644
--- a/docs/backends/ldap.rst
+++ b/docs/backends/ldap.rst
@@ -74,7 +74,7 @@ To launch the ldap backend:
 ``ldap-host``
 ^^^^^^^^^^^^^
 
-(default "ldap://127.0.0.1:389/") : The values assigned to this
+(default "``ldap://127.0.0.1:389/``") : The values assigned to this
 parameter can be LDAP URIs (e.g. ``ldap://127.0.0.1/`` or
 ``ldaps://127.0.0.1/``) describing the connection to the LDAP server.
 There can be multiple LDAP URIs specified for load balancing and high
@@ -89,7 +89,7 @@ followed by a colon and the port).
 ^^^^^^^^^^^^^^^^^
 
 (default "no") : Use TLS encrypted connections to the LDAP server. This
-is only allowed if ldap-host is a ldap:// URI or a host name / IP
+is only allowed if ldap-host is an ``ldap://`` URI or a host name / IP
 address.
 
 .. _setting-ldap-timeout:
@@ -629,4 +629,4 @@ SASL support
 ^^^^^^^^^^^^
 
 Support for more authentication methods would be handy. Anyone
-interested may `contribute <https://github.com/PowerDNS/pdns>`__.?
+interested may `contribute <https://github.com/PowerDNS/pdns>`__.
diff --git a/docs/settings.rst b/docs/settings.rst
index 49d6371c53bd..e8647faa2898 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -155,7 +155,7 @@ Static pre-shared authentication key for access to the REST API.
 
 .. versionadded:: 4.0.0
 .. versionchanged:: 4.2.0
-This setting has been removed in 4.2.0.
+  This setting has been removed in 4.2.0.
 
 Disallow data modification through the REST API when set.
 
@@ -324,7 +324,7 @@ The value of :ref:`metadata-api-rectify` if it is not set on the zone.
 .. _setting-default-ksk-algorithm:
 
 ``default-ksk-algorithm``
---------------------------
+-------------------------
 
 -  String
 -  Default: ecdsa256

From 5a311890aa24f5aeeb1fe299876b022fc55b97a3 Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:25:22 +0200
Subject: [PATCH 064/127] docs: HTTP API tsigkeys example shows wrong body

Two errors fixed:
* The JSON body parameter key 'key' was provided twice. I think it should
  have been the 'name' key.
* One value wasn't terminated with a double quote.

The HTTP code block parser warned about this in the sphinx-build output.
---
 docs/http-api/tsigkey.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/http-api/tsigkey.rst b/docs/http-api/tsigkey.rst
index 83b3db55f195..5509e21d569e 100644
--- a/docs/http-api/tsigkey.rst
+++ b/docs/http-api/tsigkey.rst
@@ -36,7 +36,7 @@ Modifying the key material
   X-Api-Key: secret
   Content-Type: application/json
 
-  {"key": "mytsigkey, "key": "GQNyFy1QagMUarHmiSgsIJajghdTGJGVcN5TRVwgbclzxGyhQR1uYLCOyJ/uj9uj12jyeLwzJuW12wCI9PYv7Q=="}
+  {"name": "mytsigkey", "key": "GQNyFy1QagMUarHmiSgsIJajghdTGJGVcN5TRVwgbclzxGyhQR1uYLCOyJ/uj9uj12jyeLwzJuW12wCI9PYv7Q=="}
 
 .. code-block:: http
 

From a771f67f26211ac78a82516351fb3c9572050da7 Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:25:22 +0200
Subject: [PATCH 065/127] docs: formatting fixes for 'Dynamic DNS Update' page

* Fix a broken link to the domain metadata.
* Prettify method listing paragraph.
---
 docs/dnsupdate.rst | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/docs/dnsupdate.rst b/docs/dnsupdate.rst
index c65eae1eb3ca..8c6842eaef2f 100644
--- a/docs/dnsupdate.rst
+++ b/docs/dnsupdate.rst
@@ -90,7 +90,7 @@ Per zone settings
 -----------------
 
 For permissions, a number of per zone settings are available via the
-:doc:`domain metadata `<domainmetadata>`.
+:doc:`domain metadata <domainmetadata>`.
 
 .. _metadata-allow-dnsupdate-from:
 
@@ -454,17 +454,18 @@ each record at a time and you can approve or reject any or all.
 
 The object has following methods available:
 
-- DNSName getQName() - name to update
-- DNSName getZonename() - zone name
-- int getQType() - record type, it can be 255(ANY) for delete.
-- ComboAddress getLocal() - local socket address
-- ComboAddress getRemote() - remote socket address
-- Netmask getRealRemote() - real remote address (or netmask if EDNS Subnet is used)
-- DNSName getTsigName() - TSIG **key** name (you can assume it is validated here)
-- string getPeerPrincipal() - Return peer principal name (user@DOMAIN, service/machine.name@DOMAIN, host/MACHINE$@DOMAIN)
+- ``DNSName getQName()`` - name to update
+- ``DNSName getZonename()`` - zone name
+- ``int getQType()`` - record type, it can be 255(ANY) for delete.
+- ``ComboAddress getLocal()`` - local socket address
+- ``ComboAddress getRemote()`` - remote socket address
+- ``Netmask getRealRemote()`` - real remote address (or netmask if EDNS Subnet is used)
+- ``DNSName getTsigName()`` - TSIG **key** name (you can assume it is validated here)
+- ``string getPeerPrincipal()`` - Return peer principal name (``user@DOMAIN``,
+  ``service/machine.name@DOMAIN``, ``host/MACHINE$@DOMAIN``)
 
 There are many same things available as in recursor Lua scripts, but
-there is also resolve(qname, qtype) which returns array of records.
+there is also ``resolve(qname, qtype)`` which returns array of records.
 Example:
 
 .. code-block:: lua

From 3ee1b9c9376f6fcb5e7f56e5938d8132196660b4 Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:25:22 +0200
Subject: [PATCH 066/127] docs: Use 'sudo' to install packages

This also fixes the rendering of the shell command - was highlighted as
comment.
---
 docs/installation.rst | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/docs/installation.rst b/docs/installation.rst
index 0d6bd6da9e11..2b25b06f492a 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -19,7 +19,7 @@ PowerDNS Authoritative Server is available through the
 
 .. code-block:: shell
 
-    # apt-get install pdns-server
+    $ sudo apt-get install pdns-server
 
 Debian splits the backends into `several different
 packages <https://packages.debian.org/pdns-backend>`__, install the
@@ -27,7 +27,7 @@ required backend as follows:
 
 .. code-block:: shell
 
-    # apt-get install pdns-backend-$backend
+    $ sudo apt-get install pdns-backend-$backend
 
 Redhat-based Systems
 ~~~~~~~~~~~~~~~~~~~~
@@ -41,13 +41,13 @@ Add either to your list of repositories and install PowerDNS by issuing:
 
 .. code-block:: shell
 
-    # yum install pdns
+    $ sudo yum install pdns
 
 The different backends can be installed using
 
 .. code-block:: shell
 
-    # yum install pdns-backend-$backend
+    $ sudo yum install pdns-backend-$backend
 
 FreeBSD
 ~~~~~~~
@@ -59,7 +59,7 @@ For the package:
 
 .. code-block:: shell
 
-    # pkg install dns/powerdns
+    $ sudo pkg install dns/powerdns
 
 To have your system build the port:
 

From 9ae11fa4d899e79a29b19438774728eff285ae52 Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:25:22 +0200
Subject: [PATCH 067/127] docs: Emphasize no data should return in example

The line with just a '$' confused be until I've read the sentence above it
again.
---
 docs/guides/basic-database.rst | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/docs/guides/basic-database.rst b/docs/guides/basic-database.rst
index 2dac35834f67..8396096ef02b 100644
--- a/docs/guides/basic-database.rst
+++ b/docs/guides/basic-database.rst
@@ -65,12 +65,11 @@ to launch in monitor mode and display no errors:
     15:39:55 [gMySQLbackend] MySQL connection succeeded
 
 In a different shell, a sample query sent to the server should now
-return quickly without data:
+return quickly *without* data:
 
 .. code-block:: shell
 
-    $ dig +short www.example.com @127.0.0.1
-    $
+    $ dig +short www.example.com @127.0.0.1  # should print nothing
 
 .. warning::
   When debugging DNS problems, don't use ``host``. Please use

From 74be66a8b30d54a2732afe107f3388a93884d6cf Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:25:22 +0200
Subject: [PATCH 068/127] docs: fix links in 'Adding new DNS record types'

nested markup for monospaced text on link is not possible, see
https://stackoverflow.com/q/4743845/1254292
---
 docs/guides/addingrecords.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/guides/addingrecords.rst b/docs/guides/addingrecords.rst
index de3f630674fd..37a3c1c36d77 100644
--- a/docs/guides/addingrecords.rst
+++ b/docs/guides/addingrecords.rst
@@ -47,10 +47,10 @@ Next, it defines that the rest of the record is the actual certificate
 methods are supplied for all DNS data types in use.
 
 Now add ``TLSARecordContent::report()`` to
-```reportOtherTypes()`` <https://github.com/PowerDNS/pdns/blob/5a3409cbb4314b84f1171a69c7337386568fa886/pdns/dnsrecords.cc#L594>`__.
+`reportOtherTypes() <https://github.com/PowerDNS/pdns/blob/5a3409cbb4314b84f1171a69c7337386568fa886/pdns/dnsrecords.cc#L594>`__.
 
 And that's it. For completeness, add TLSA and 52 to the QType enum in
-```qtype.hh`` <https://github.com/PowerDNS/pdns/blob/5a3409cbb4314b84f1171a69c7337386568fa886/pdns/qtype.hh#L116>`__,
+`qtype.hh <https://github.com/PowerDNS/pdns/blob/5a3409cbb4314b84f1171a69c7337386568fa886/pdns/qtype.hh#L116>`__,
 which makes it easier to refer to the TLSA record in code if so
 required.
 

From 12388955907a0209e66a952e096948d823236f20 Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:25:22 +0200
Subject: [PATCH 069/127] docs: Hide the toctree on 'Backends' index page

Effectively, all the backends are listed in the nicely formatted table
already.
---
 docs/backends/index.rst | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/backends/index.rst b/docs/backends/index.rst
index caa25276aa2a..b4149d056748 100644
--- a/docs/backends/index.rst
+++ b/docs/backends/index.rst
@@ -44,6 +44,7 @@ These backends have :doc:`features unique <generic-sql>` to the generic SQL back
 
 .. toctree::
   :maxdepth: 1
+  :hidden:
 
   bind
   generic-sql

From d5eff893d1ac98de63c54252a5c6a48ce1b8f9b5 Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:25:22 +0200
Subject: [PATCH 070/127] docs: Change occurrences of "note" to admonition

---
 docs/backends/bind.rst | 10 +++++++---
 docs/changelog/4.0.rst |  7 ++++---
 docs/settings.rst      |  9 +++++----
 3 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/docs/backends/bind.rst b/docs/backends/bind.rst
index 0dc1bf9efb00..4ee4cb13a26f 100644
--- a/docs/backends/bind.rst
+++ b/docs/backends/bind.rst
@@ -22,7 +22,11 @@ information about zones from it. It makes no attempt to honour other
 configuration flags, which you should configure (when available) using
 the PowerDNS native configuration.
 
-**note**: Because this backend retrieves its configuration from a text file and not a database, the HTTP API is unable to process changes for this backend. This effectively makes the API read-only for zones hosted by the BIND backend.  
+.. note::
+  Because this backend retrieves its configuration from a text file and
+  not a database, the HTTP API is unable to process changes for this
+  backend. This effectively makes the API read-only for zones hosted by
+  the BIND backend.
 
 Configuration Parameters
 ------------------------
@@ -195,5 +199,5 @@ are picked up in the same way as master and slave zones, see
 Native zones in the BIND backend are supported since version 4.1.0 of
 the PowerDNS Authoritative Server.
 
-**note**: Any zone with no ``type`` set (an error in BIND) is assumed to
-be native.
+.. note::
+  Any zone with no ``type`` set (an error in BIND) is assumed to be native.
diff --git a/docs/changelog/4.0.rst b/docs/changelog/4.0.rst
index d23088680914..587831457013 100644
--- a/docs/changelog/4.0.rst
+++ b/docs/changelog/4.0.rst
@@ -442,9 +442,10 @@ PowerDNS Authoritative Server 4.0.0-rc2
 
 Released June 29th 2016
 
-**note**: rc1 was tagged in git but never officially released. Kees
-Monshouwer discovered an issue in the gmysql backend that would
-terminate the daemon on a connection error, this fixed in rc2.
+.. note::
+  rc1 was tagged in git but never officially released. Kees
+  Monshouwer discovered an issue in the gmysql backend that would
+  terminate the daemon on a connection error, this fixed in rc2.
 
 This Release Candidate adds IXFR consumption and fixes some issues with
 prepared statements:
diff --git a/docs/settings.rst b/docs/settings.rst
index e8647faa2898..4f3028eb0148 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -620,11 +620,12 @@ A/AAAA).
 If this is disabled (the default), ALIAS records will not expanded and
 the server will will return NODATA for A/AAAA queries for such names.
 
-**note**: :ref:`setting-resolver` must also be set for ALIAS
-expansion to work!
+.. note::
+  :ref:`setting-resolver` must also be set for ALIAS expansion to work!
 
-**note**: In PowerDNS Authoritative Server 4.0.x, this setting did not
-exist and ALIAS was always expanded.
+.. note::
+  In PowerDNS Authoritative Server 4.0.x, this setting did not exist and
+  ALIAS was always expanded.
 
 .. _setting-forward-dnsupdate:
 

From 81b050b3be7b3c0fe920671f96d06f5816313d94 Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:25:22 +0200
Subject: [PATCH 071/127] docs: fix several typos

---
 docs/appendices/compiling.rst | 2 +-
 docs/settings.rst             | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/docs/appendices/compiling.rst b/docs/appendices/compiling.rst
index 8972ecf6f2ee..a29d768bd7ce 100644
--- a/docs/appendices/compiling.rst
+++ b/docs/appendices/compiling.rst
@@ -17,7 +17,7 @@ Each backend has a module name that you look up in this table.
 To compile a module for inclusion at runtime, which is great if you are a unix vendor, use ``--with-dynmodules='mod1 mod2 mod3'``.
 These modules then end up as .so files in the compiled ``libdir``.
 
-By default, the :doc:`bind <../../backends/bind>`, :doc:`mysql <../../backends/generic-mysql>` and :doc:`random <../../backends/random>` are compiled into the binary. The :doc:`pipe <../../backends/pipe>` is, by default, compiled as a runtime loadable module.
+By default, the :doc:`bind <../../backends/bind>`, :doc:`mysql <../../backends/generic-mysql>` and :doc:`random <../../backends/random>` modules are compiled into the binary. The :doc:`pipe <../../backends/pipe>` is, by default, compiled as a runtime loadable module.
 
 Getting the sources
 -------------------
diff --git a/docs/settings.rst b/docs/settings.rst
index 4f3028eb0148..974d518da7d6 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -617,7 +617,7 @@ Entropy source file to use.
 If this is enabled, ALIAS records are expanded (synthesised to their
 A/AAAA).
 
-If this is disabled (the default), ALIAS records will not expanded and
+If this is disabled (the default), ALIAS records will not be expanded and
 the server will will return NODATA for A/AAAA queries for such names.
 
 .. note::
@@ -1149,7 +1149,7 @@ To notify all IP addresses apart from the 192.168.0.0/24 subnet use the followin
   :ref:`metadata-also-notify` domain metadata to avoid this potential bottleneck.
 
 .. note::
-  If your slaves support Internet Protocol version, which your master does not,
+  If your slaves support an Internet Protocol version, which your master does not,
   then set ``only-notify`` to include only supported protocol version.
   Otherwise there will be error trying to resolve address.
 
@@ -1369,7 +1369,7 @@ Turn on slave support. See :ref:`slave-operation`.
 -  Integer
 -  60
 
-On a master, this is the amounts of seconds between the master checking
+On a master, this is the amount of seconds between the master checking
 the SOA serials in its database to determine to send out NOTIFYs to the
 slaves. On slaves, this is the number of seconds between the slave
 checking for updates to zones.

From 78dd03ecd04bd2ff627ae6d95b316d8478ebd1cb Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:25:22 +0200
Subject: [PATCH 072/127] docs: Add '(or zone transfer)' in sentence on BIND
 backend

If zones would never be reloaded without a regular non-AXFR DNS request,
the BIND backend would not be usable in a hidden master setup for example.

Als remove superfluous period after link to setting.
---
 docs/backends/bind.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/backends/bind.rst b/docs/backends/bind.rst
index 4ee4cb13a26f..277b293d658c 100644
--- a/docs/backends/bind.rst
+++ b/docs/backends/bind.rst
@@ -96,8 +96,8 @@ available for serving, as they are parsed. So a ``named.conf`` with
 zones will already be available. While a domain is being loaded, it is
 not yet available, to prevent incomplete answers.
 
-Reloading is currently done only when a request for a zone comes in, and
-then only after :ref:`setting-bind-check-interval`.
+Reloading is currently done only when a request (or zone transfer) for a
+zone comes in, and then only after :ref:`setting-bind-check-interval`
 seconds have passed after the last check. If a change occurred, access
 to the zone is disabled, the file is reloaded, access is restored, and
 the question is answered. For regular zones, reloading is fast enough to

From 3948ea81b9f877610b7cd6b5eebed03ee544b46b Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:25:22 +0200
Subject: [PATCH 073/127] docs: BIND backend - improve formatting of output
 status

Before this change it was hard to distinguish the three possible statuses
due to the styling of the inline-monospaced text without contrast in the
background for the current Sphinx theme.
---
 docs/backends/bind.rst | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/docs/backends/bind.rst b/docs/backends/bind.rst
index 277b293d658c..4a18f255f33b 100644
--- a/docs/backends/bind.rst
+++ b/docs/backends/bind.rst
@@ -122,9 +122,11 @@ will be loaded at first request.
 ``bind-domain-status <domain> [domain]``
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Output status of domain or domains. Can be one of
-``seen in named.conf, not parsed``, ``parsed successfully at <time>`` or
-``error parsing at line ... at <time>``.
+Output status of domain or domains. Can be one of:
+
+* ``seen in named.conf, not parsed``,
+* ``parsed successfully at <time>`` or
+* ``error parsing at line ... at <time>``.
 
 ``bind-list-rejects``
 ~~~~~~~~~~~~~~~~~~~~~

From c7882d8c31a1d4549e6664d576ca84a62c9a3009 Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:25:22 +0200
Subject: [PATCH 074/127] docs: Add paragraph on benefits of the BIND backend

---
 docs/backends/bind.rst | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/docs/backends/bind.rst b/docs/backends/bind.rst
index 4a18f255f33b..b8b8c73eb1d5 100644
--- a/docs/backends/bind.rst
+++ b/docs/backends/bind.rst
@@ -22,8 +22,13 @@ information about zones from it. It makes no attempt to honour other
 configuration flags, which you should configure (when available) using
 the PowerDNS native configuration.
 
+Unique to this PowerDNS backend is that it serves from plain zone files,
+which allows for hand-crafting zone files, only takes a tiny footprint
+in terms of server resource usage while being
+:ref:`performant efficiently <bind_performance>`.
+
 .. note::
-  Because this backend retrieves its configuration from a text file and
+  Because this backend retrieves its configuration from plain files and
   not a database, the HTTP API is unable to process changes for this
   backend. This effectively makes the API read-only for zones hosted by
   the BIND backend.
@@ -152,6 +157,8 @@ removed from memory.
 All zones with a changed timestamp are reloaded at the next incoming
 query for them.
 
+.. _bind_performance:
+
 Performance
 -----------
 

From 9346d84f3cb9478c84ef995ad98f939f9136f797 Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:25:22 +0200
Subject: [PATCH 075/127] docs: Add a missing 'Default:' (consistency on page)

---
 docs/settings.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/settings.rst b/docs/settings.rst
index 974d518da7d6..ec2a930f51d6 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -1367,7 +1367,7 @@ Turn on slave support. See :ref:`slave-operation`.
 ------------------------
 
 -  Integer
--  60
+-  Default: 60
 
 On a master, this is the amount of seconds between the master checking
 the SOA serials in its database to determine to send out NOTIFYs to the

From e153a91ef7d8956b9e8901f33d881d7ea58af7d2 Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:25:22 +0200
Subject: [PATCH 076/127] docs: Cross-reference DNSSEC-ALIAS limitation

---
 docs/dnssec/modes-of-operation.rst | 3 +++
 docs/guides/alias.rst              | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/docs/dnssec/modes-of-operation.rst b/docs/dnssec/modes-of-operation.rst
index a92abbaf956a..aa917e15e7a9 100644
--- a/docs/dnssec/modes-of-operation.rst
+++ b/docs/dnssec/modes-of-operation.rst
@@ -32,6 +32,9 @@ DNSSEC data using the original keys.
 Such a single replicated database requires no further attention beyond
 monitoring already required during non-DNSSEC operations.
 
+Please note that the ALIAS record type is
+:ref:`not supported <alias_and_dnssec>` in this mode.
+
 Records, Keys, signatures, hashes within PowerDNS in online signing mode
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
diff --git a/docs/guides/alias.rst b/docs/guides/alias.rst
index 419d32e0d4c7..2efb6b63bacd 100644
--- a/docs/guides/alias.rst
+++ b/docs/guides/alias.rst
@@ -53,6 +53,8 @@ records unless you AXFR regularly.
   Authoritative Server 4.0.x. Hence, ALIAS records are always expanded on
   a direct A or AAAA query.
 
+.. _alias_and_dnssec:
+
 ALIAS and DNSSEC
 ----------------
 

From efdd3d7cefc4d87952040bd2c73ab233f50dcecc Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:35:10 +0200
Subject: [PATCH 077/127] docs: Consistent naming/casing of the BIND (backend)

Skipped some occurrences where it refers to PR titles or commit messages.
---
 docs/appendices/backend-writers-guide.rst |  2 +-
 docs/backends/bind.rst                    | 24 +++++++++++------------
 docs/backends/ldap.rst                    | 10 +++++-----
 docs/dnssec/modes-of-operation.rst        |  6 +++---
 docs/index.rst                            |  2 +-
 docs/manpages/pdns_control.1.rst          | 10 +++++-----
 docs/manpages/zone2json.1.rst             |  6 +++---
 docs/manpages/zone2ldap.1.rst             |  4 ++--
 docs/manpages/zone2sql.1.rst              |  6 +++---
 docs/migration.rst                        |  8 ++++----
 docs/modes-of-operation.rst               |  2 +-
 docs/settings.rst                         |  2 +-
 12 files changed, 41 insertions(+), 41 deletions(-)

diff --git a/docs/appendices/backend-writers-guide.rst b/docs/appendices/backend-writers-guide.rst
index d47a35dc1841..9a8d9b8f6eda 100644
--- a/docs/appendices/backend-writers-guide.rst
+++ b/docs/appendices/backend-writers-guide.rst
@@ -462,7 +462,7 @@ available. The exact definitions:
 
   Returns the numerical value of a parameter. Uses ``atoi()`` internally
 
-  Sample usage from the BindBackend: getting the 'check-interval' setting:
+  Sample usage from the BIND backend: getting the 'check-interval' setting:
 
   .. code-block:: cpp
 
diff --git a/docs/backends/bind.rst b/docs/backends/bind.rst
index b8b8c73eb1d5..c2e517fc3e66 100644
--- a/docs/backends/bind.rst
+++ b/docs/backends/bind.rst
@@ -1,4 +1,4 @@
-Bind zone file backend
+BIND zone file backend
 ======================
 
 * Native: Yes
@@ -13,11 +13,11 @@ Bind zone file backend
 * Module name: bind
 * Launch: ``bind``
 
-The BindBackend started life as a demonstration of the versatility of
+The BIND backend started life as a demonstration of the versatility of
 PowerDNS but quickly gained in importance when there appeared to be
-demand for a Bind 'work-alike'.
+demand for a BIND 'work-alike'.
 
-The BindBackend parses a Bind-style ``named.conf`` and extracts
+The BIND backend parses a BIND-style ``named.conf`` and extracts
 information about zones from it. It makes no attempt to honour other
 configuration flags, which you should configure (when available) using
 the PowerDNS native configuration.
@@ -41,9 +41,9 @@ Configuration Parameters
 ``bind-config``
 ~~~~~~~~~~~~~~~
 
-Location of the Bind configuration file to parse.
+Location of the BIND configuration file to parse.
 
-PowerDNS does not support every directive supported by Bind.
+PowerDNS does not support every directive supported by BIND.
 It supports the following blocks and directives:
 
 * ``options``
@@ -94,7 +94,7 @@ when loading zone files.
 Operation
 ---------
 
-On launch, the BindBackend first parses the ``named.conf`` to determine
+On launch, the BIND backend first parses the ``named.conf`` to determine
 which zones need to be loaded. These will then be parsed and made
 available for serving, as they are parsed. So a ``named.conf`` with
 100.000 zones may take 20 seconds to load, but after 10 seconds, 50.000
@@ -118,7 +118,7 @@ pdns\_control commands
 ``bind-add-zone <domain> <filename>``
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Add zone ``domain`` from ``filename`` to PowerDNS's bind backend. Zone
+Add zone ``domain`` from ``filename`` to PowerDNS's BIND backend. Zone
 will be loaded at first request.
 
 .. note::
@@ -146,7 +146,7 @@ Reloads a zone from disk NOW, reporting back results.
 ``rediscover``
 ~~~~~~~~~~~~~~
 
-Reread the bind configuration file (``named.conf``). If parsing fails,
+Reread the BIND configuration file (``named.conf``). If parsing fails,
 the old configuration remains in force and ``pdns_control`` reports the
 error. Any newly discovered domains are read, discarded domains are
 removed from memory.
@@ -162,7 +162,7 @@ query for them.
 Performance
 -----------
 
-The BindBackend does not benefit from the packet cache as it is fast
+The BIND backend does not benefit from the packet cache as it is fast
 enough on its own. Furthermore, on most systems, there will be no
 benefit in using multiple CPUs for the packetcache, so a noticeable
 speedup can be attained by specifying
@@ -175,7 +175,7 @@ Master
 ~~~~~~
 
 Works as expected. At startup, no notification storm is performed as
-this is generally not useful. Perhaps in the future the Bind Backend
+this is generally not useful. Perhaps in the future the BIND backend
 will attempt to store zone metadata in the zone, allowing it to
 determine if a zone has changed its serial since the last time
 notifications were sent out.
@@ -186,7 +186,7 @@ notifications however.
 Slave
 ~~~~~
 
-Also works as expected. The Bind backend expects to be able to write to
+Also works as expected. The BIND backend expects to be able to write to
 a directory where a slave domain lives. The incoming zone is stored as
 'zonename.RANDOM' and atomically renamed if it is retrieved
 successfully, and parsed only then.
diff --git a/docs/backends/ldap.rst b/docs/backends/ldap.rst
index 266be52bba7b..dfc43d7a5d56 100644
--- a/docs/backends/ldap.rst
+++ b/docs/backends/ldap.rst
@@ -310,7 +310,7 @@ Wildcards
 ^^^^^^^^^
 
 Wild-card domains are possible by using the asterisk in the
-``associatedDomain`` value like it is used in the bind zone files. The
+``associatedDomain`` value like it is used in the BIND zone files. The
 "dc" attribute can be set to any value in simple or strict mode - this
 doesn't matter.
 
@@ -471,15 +471,15 @@ instead all zones:
 See :doc:`its manpage <../manpages/zone2ldap.1>` for a complete list of
 options.
 
-Bind LDAP backend
+BIND LDAP backend
 ^^^^^^^^^^^^^^^^^
 
-When coming from the `Bind LDAP sdb
+When coming from the `BIND LDAP sdb
 backend <http://bind9-ldap.bayour.com/>`__, the records can be kept in
 the LDAP tree also for the PowerDNS LDAP backend. The schemas both
 backends utilize is almost the same except for one important thing:
 Domains for PowerDNS are stored in the attribute "associatedDomain"
-whereas Bind stores them split in "relativeDomainName" and "zoneName".
+whereas BIND stores them split in "relativeDomainName" and "zoneName".
 
 There is a `migration
 script <http://www.linuxnetworks.de/pdnsldap/bind2pdns-ldap>`__ which
@@ -519,7 +519,7 @@ Other name server
 ^^^^^^^^^^^^^^^^^
 
 The easiest way for migrating DNS records is to use the output of a zone
-transfer (AXFR). Save the output of the ``dig`` program provided by bind
+transfer (AXFR). Save the output of the ``dig`` program provided by BIND
 into a file and call ``zone2ldap`` with the file name as option to the
 ``--zone-file`` parameter. This will generate the appropriate ldif file,
 which can be imported into the LDAP tree. The bash script except below
diff --git a/docs/dnssec/modes-of-operation.rst b/docs/dnssec/modes-of-operation.rst
index aa917e15e7a9..9e6c2e514563 100644
--- a/docs/dnssec/modes-of-operation.rst
+++ b/docs/dnssec/modes-of-operation.rst
@@ -168,7 +168,7 @@ The signing and hashing algorithms are described in :ref:`dnssec-online-signing`
 BIND-mode operation
 -------------------
 
-The :doc:`bindbackend <../backends/bind>` can manage keys and other
+The :doc:`BIND backend <../backends/bind>` can manage keys and other
 DNSSEC-related :doc:`domain metadata <../domainmetadata>` in an SQLite3
 database without launching a separate gsqlite3 backend.
 
@@ -189,14 +189,14 @@ Hybrid BIND-mode operation
 --------------------------
 
 PowerDNS can also operate based on 'BIND'-style zone & configuration
-files. This 'bindbackend' has full knowledge of DNSSEC but has no
+files. This 'BIND backend' has full knowledge of DNSSEC but has no
 native way of storing keying material.
 
 However, since PowerDNS supports operation with multiple simultaneous
 backends, this is not a problem.
 
 In hybrid mode, keying material and zone records are stored in different
-backends. This allows for 'bindbackend' operation in full DNSSEC mode.
+backends. This allows for 'BIND backend' operation in full DNSSEC mode.
 
 To benefit from this mode, include at least one database-based backend
 in the :ref:`setting-launch` statement. See the :doc:`backend specific documentation <../backends/index>`
diff --git a/docs/index.rst b/docs/index.rst
index 7ad7ee8dac53..f20a956684f5 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -8,7 +8,7 @@ zone files or be more dynamic in nature.
 PowerDNS has the concepts of 'backends'. A backend is a datastore that
 the server will consult that contains DNS records (and some metadata).
 The backends range from database backends (:doc:`MySQL <backends/generic-mysql>`, :doc:`PostgreSQL <backends/generic-postgresql>`, :doc:`Oracle <backends/oracle>`)
-and :doc:`Bind-zonefiles <backends/bind>` to :doc:`co-processes <backends/pipe>` and :doc:`JSON API's <backends/remote>`.
+and :doc:`BIND zone files <backends/bind>` to :doc:`co-processes <backends/pipe>` and :doc:`JSON API's <backends/remote>`.
 
 Multiple backends can be enabled in the configuration by using the
 :ref:`setting-launch` option. Each backend can be configured separately.
diff --git a/docs/manpages/pdns_control.1.rst b/docs/manpages/pdns_control.1.rst
index 0bac0c9492b7..737c663fabfd 100644
--- a/docs/manpages/pdns_control.1.rst
+++ b/docs/manpages/pdns_control.1.rst
@@ -30,25 +30,25 @@ Commands
 bind-add-zone *DOMAIN* *FILENAME*
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-When using the bindbackend, add a zone. This zone is added in-memory
+When using the BIND backend, add a zone. This zone is added in-memory
 and served immediately. Note that this does not add the zone to the
 bind-config file. *FILENAME* must be an absolute path.
 
 bind-domain-status [*DOMAIN*...]
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-When using the bindbackend, list status of all domains. Optionally,
+When using the BIND backend, list status of all domains. Optionally,
 append *DOMAIN*\ s to get the status of specific zones.
 
 bind-list-rejects
 ^^^^^^^^^^^^^^^^^
 
-When using the bindbackend, get a list of all rejected domains.
+When using the BIND backend, get a list of all rejected domains.
 
 bind-reload-now *DOMAIN* [*DOMAIN*...]
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-When using the bindbackend, immediately reload *DOMAIN* from disk.
+When using the BIND backend, immediately reload *DOMAIN* from disk.
 
 ccounts
 ^^^^^^^
@@ -124,7 +124,7 @@ rediscover
 ^^^^^^^^^^
 
 Instructs backends that new domains may have appeared in the
-database, or, in the case of the Bind backend, in named.conf.
+database, or, in the case of the BIND backend, in named.conf.
 
 reload
 ^^^^^^
diff --git a/docs/manpages/zone2json.1.rst b/docs/manpages/zone2json.1.rst
index 8748435a187b..b9c9d3ff1dae 100644
--- a/docs/manpages/zone2json.1.rst
+++ b/docs/manpages/zone2json.1.rst
@@ -9,10 +9,10 @@ Synopsis
 Description
 -----------
 
-:program:`zone2json` parses Bind named.conf files and zonefiles and outputs
+:program:`zone2json` parses BIND named.conf files and zonefiles and outputs
 JSON on standard out, which can then be fed to the PowerDNS API.
 
-:program:`zone2json` understands the Bind master file extension ``$GENERATE``
+:program:`zone2json` understands the BIND master file extension ``$GENERATE``
 and will also honour ``$ORIGIN`` and ``$TTL``.
 
 Options
@@ -21,7 +21,7 @@ Options
 INPUT Options
 -------------
 
---named-conf=<PATH>        Read *PATH* to get the bind configuration
+--named-conf=<PATH>        Read *PATH* to get the BIND configuration
 --zone=<PATH>              Parse only the zone file at *PATH* Conflicts with ``--named-conf`` parameter.
 --zone-name=<NAME>         When parsing a single zone without $ORIGIN statement, set *ZONE* as the zone name.
 
diff --git a/docs/manpages/zone2ldap.1.rst b/docs/manpages/zone2ldap.1.rst
index 369ab8da8ab1..d827dd0e087d 100644
--- a/docs/manpages/zone2ldap.1.rst
+++ b/docs/manpages/zone2ldap.1.rst
@@ -9,7 +9,7 @@ Synopsis
 Description
 -----------
 
-:program:`zone2ldap` is a program that converts bind zonefiles to ldif format
+:program:`zone2ldap` is a program that converts BIND zonefiles to ldif format
 which can inserted to an LDAP server.
 
 Options
@@ -19,7 +19,7 @@ Options
 --basedn=<DN>                   Base DN to store objects below
 --dnsttl                        Add dnsttl attribute to every entry
 --layout=<layout>               How to arrange entries in the directory ("simple" or "tree")
---named-conf=<PATH>             Path to a Bind named.conf to parse
+--named-conf=<PATH>             Path to a BIND named.conf to parse
 --resume                        Continue after errors
 --verbose                       Verbose comments on operation
 --zone-file=<PATH>              Zone file to parse
diff --git a/docs/manpages/zone2sql.1.rst b/docs/manpages/zone2sql.1.rst
index cdd8cf06bfa6..0cb197278485 100644
--- a/docs/manpages/zone2sql.1.rst
+++ b/docs/manpages/zone2sql.1.rst
@@ -9,10 +9,10 @@ Synopsis
 Description
 -----------
 
-:program:`zone2sql` parses Bind named.conf files and zonefiles and outputs SQL
+:program:`zone2sql` parses BIND named.conf files and zonefiles and outputs SQL
 on standard out, which can then be fed to your database.
 
-:program:`zone2sql` understands the Bind master file extension ``$GENERATE``
+:program:`zone2sql` understands the BIND master file extension ``$GENERATE``
 and will also honour ``$ORIGIN`` and ``$TTL``.
 
 For backends supporting slave operation there is also an option to keep
@@ -27,7 +27,7 @@ Options
 INPUT Options
 -------------
 
---named-conf=<PATH>         Read *PATH* to get the bind configuration
+--named-conf=<PATH>         Read *PATH* to get the BIND configuration
 --zone=<PATH>               Parse only the zone file at *PATH* Conflicts with **--named-conf** parameter.
 --zone-name=<NAME>          When parsing a single zone without $ORIGIN statement, set *ZONE* as
                             the zone name.
diff --git a/docs/migration.rst b/docs/migration.rst
index 0a81af1d51fe..6c6dec24eb4e 100644
--- a/docs/migration.rst
+++ b/docs/migration.rst
@@ -86,10 +86,10 @@ From zonefiles to PowerDNS
 Using the BIND backend
 ~~~~~~~~~~~~~~~~~~~~~~
 
-To use the bind backend, set ``launch=bind`` and
+To use the BIND backend, set ``launch=bind`` and
 ``bind-config=/path/to/named.conf`` in your ``pdns.conf``. Note that
 PowerDNS will not honor any options from named.conf, it will only use
-the ``zone`` statements. See the :doc:`Bind backend <backends/bind>`
+the ``zone`` statements. See the :doc:`BIND backend <backends/bind>`
 documentation for more information.
 
 To a Generic SQL backend
@@ -104,7 +104,7 @@ Using ``zone2sql``
 
 To migrate, the ``zone2sql`` tool is provided. This tool parses a BIND
 ``named.conf`` file and zone files and outputs SQL on standard out,
-which can then be fed to your database. It understands the Bind master
+which can then be fed to your database. It understands the BIND master
 file extension ``$GENERATE`` and will also honour ``$ORIGIN`` and
 ``$TTL``.
 
@@ -148,7 +148,7 @@ Syntax: ``pdnsutil b2b-migrate OLD NEW``
 
 This tool lets you migrate data from one backend to another, it moves
 all data, including zones, metadata and crypto keys (if present). Some
-example use cases are moving from Bind style zonefiles to SQL based, or
+example use cases are moving from BIND-style zonefiles to SQL based, or
 other way around, or moving from MyDNS to gMySQL.
 
 Prerequisites
diff --git a/docs/modes-of-operation.rst b/docs/modes-of-operation.rst
index d8d79aef5516..9025d275c373 100644
--- a/docs/modes-of-operation.rst
+++ b/docs/modes-of-operation.rst
@@ -132,7 +132,7 @@ updated and if so, retransfering it.
 All backends which implement this feature must make sure that they can
 handle transactions so as to not leave the zone in a half updated state.
 MySQL configured with either BerkeleyDB or InnoDB meets this
-requirement, as do PostgreSQL and Oracle. The Bindbackend implements
+requirement, as do PostgreSQL and Oracle. The BIND backend implements
 transaction semantics by renaming files if and only if they have been
 retrieved completely and parsed correctly.
 
diff --git a/docs/settings.rst b/docs/settings.rst
index ec2a930f51d6..5547221754d2 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -701,7 +701,7 @@ configuration item names change: e.g. ``gmysql-host`` is available to
 configure the ``host`` setting of the first or main instance, and
 ``gmysql-server2-host`` for the second one.
 
-Running multiple instances of the bind backend is not allowed.
+Running multiple instances of the BIND backend is not allowed.
 
 .. _setting-load-modules:
 

From 168c57013b81fd0c42637dedf4843ac04547ea80 Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:37:08 +0200
Subject: [PATCH 078/127] docs: Add warning on empty bind-dnssec-db for slave
 operation

I fell right into the pitfall of configuring a slave with the BIND
backend, serving presigned records, assuming it will serve the RRSIGs
just fine, but no, my domain went bogus. This was documented, but
not as clearly as I hoped for, this commit improves the documentation
regarding that.
---
 docs/backends/bind.rst | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/docs/backends/bind.rst b/docs/backends/bind.rst
index c2e517fc3e66..1ba207058e73 100644
--- a/docs/backends/bind.rst
+++ b/docs/backends/bind.rst
@@ -73,6 +73,11 @@ slave DNSSEC-enabled domains (where the RRSIGS are in the AXFR), a
 :ref:`metadata-presigned` domain metadata is set
 during the zonetransfer.
 
+.. warning::
+   If this is left empty on slaves and a presigned zone is transferred,
+   it will (silently) serve it without DNSSEC. This in turn results in
+   serving the domain as bogus.
+
 .. _setting-bind-hybrid:
 
 ``bind-hybrid``

From 27f39e15ace2149ec7cbcf670a9432c54464da1f Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 19:44:36 +0200
Subject: [PATCH 079/127] docs: specify type of 8bit-dns setting

It had a superfluous description where other settings have the type there.
---
 docs/settings.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/settings.rst b/docs/settings.rst
index 5547221754d2..4c3c99ef4007 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -19,7 +19,7 @@ means ``yes``.
 ``8bit-dns``
 ------------
 
--  Allow 8 bit dns queries
+-  Boolean
 -  Default: no
 
 .. versionadded:: 4.0.0

From e875ae0566648634a67eff75c12b281413954365 Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 20:25:50 +0200
Subject: [PATCH 080/127] docs: Add missing entry in table for the 'Lua'
 backend

---
 docs/backends/index.rst | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/backends/index.rst b/docs/backends/index.rst
index b4149d056748..b71c933cd1ea 100644
--- a/docs/backends/index.rst
+++ b/docs/backends/index.rst
@@ -22,6 +22,8 @@ The following table describes the supported backends and some of their capabilit
 +------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
 | :doc:`LDAP <ldap>`                             | Yes    | No     | No    | No           | No          | No                              | ``ldap``     |
 +------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
+| :doc:`Lua <lua>`                               | Yes    | Yes    | No    | No           | Yes         | Yes                             | ``lua``      |
++------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
 | :doc:`Lua2 <lua2>`                             | Yes    | Yes    | No    | No           | Yes         | Yes                             | ``lua2``     |
 +------------------------------------------------+--------+--------+-------+--------------+-------------+---------------------------------+--------------+
 | :doc:`MyDNS <mydns>`                           | Yes    | No     | No    | No           | No          | No                              | ``mydns``    |

From 0853226460375a07d7a0993601fc1d352bf08124 Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 20:26:27 +0200
Subject: [PATCH 081/127] docs: Remove superfluous comma in 'any-to-tcp'
 setting

---
 docs/settings.rst | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/docs/settings.rst b/docs/settings.rst
index 4c3c99ef4007..ee6ae1ab977b 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -119,7 +119,8 @@ the list in :ref:`setting-only-notify`.
 -  Boolean
 -  Default: yes
 
-.. versionchanged:: 4.0.1, was 'no' before.
+.. versionchanged:: 4.0.1
+  was 'no' before.
 
 Answer questions for the ANY on UDP with a truncated packet that refers
 the remote server to TCP. Useful for mitigating reflection attacks.

From 76c250a683eb7a0a2c5db7e8a95b9ade5ad47eca Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 20:30:28 +0200
Subject: [PATCH 082/127] docs: Align position of version annotation in
 settings

On two out of many other occurrences the versionadded/deprecated directive
was rendered above the parameters, but the vast majority had it below. This
change aligns the two outliers.
---
 docs/settings.rst | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/docs/settings.rst b/docs/settings.rst
index ee6ae1ab977b..94ef1cef513e 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -734,11 +734,11 @@ any.
 ``log-timestamp``
 -----------------
 
-.. versionadded:: 4.1.0
-
 - Bool
 - Default: yes
 
+.. versionadded:: 4.1.0
+
 When printing log lines to stdout, prefix them with timestamps.
 Disable this if the process supervisor timestamps these lines already.
 
@@ -1166,12 +1166,12 @@ To notify all IP addresses apart from the 192.168.0.0/24 subnet use the followin
 ``out-of-zone-additional-processing``
 -------------------------------------
 
-.. deprecated:: 4.2.0
-  This setting has been removed.
-
 -  Boolean
 -  Default: yes
 
+.. deprecated:: 4.2.0
+  This setting has been removed.
+
 Do out of zone additional processing. This means that if a malicious
 user adds a '.com' zone to your server, it is not used for other domains
 and will not contaminate answers. Do not enable this setting if you run

From 9e461099be75e47276f4b4318afac9c0d0769bc4 Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 20:37:10 +0200
Subject: [PATCH 083/127] docs: fix some links (invalid ref-role usage)

---
 docs/dnsupdate.rst | 2 +-
 docs/settings.rst  | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/dnsupdate.rst b/docs/dnsupdate.rst
index 8c6842eaef2f..41fed1d020bf 100644
--- a/docs/dnsupdate.rst
+++ b/docs/dnsupdate.rst
@@ -98,7 +98,7 @@ ALLOW-DNSUPDATE-FROM
 ~~~~~~~~~~~~~~~~~~~~
 
 This setting has the same function as described in the configuration
-options (See ref:`above <dnsupdate-configuration-options>`). Only one item is
+options (See :ref:`above <dnsupdate-configuration-options>`). Only one item is
 allowed per row, but multiple rows can be added. An example:
 
 ::
diff --git a/docs/settings.rst b/docs/settings.rst
index 94ef1cef513e..b59f6ca347ac 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -900,7 +900,7 @@ Turn on master support. See :ref:`master-operation`.
 
 .. versionchanged:: 4.1.0
   The packet and query caches are distinct. Previously, this setting was used for
-  both the packet and query caches. See ref:`setting-max-packet-cache-entries` for
+  both the packet and query caches. See :ref:`setting-max-packet-cache-entries` for
   the packet-cache setting.
 
 Maximum number of entries in the query cache. 1 million (the default)
@@ -1024,7 +1024,7 @@ compile-time.
 -  Integer
 -  Default: 60
 
-Seconds to store queries with no answer in the Query Cache. See ref:`query-cache`.
+Seconds to store queries with no answer in the Query Cache. See :ref:`query-cache`.
 
 .. _setting-no-config:
 

From f67fb28ce756d30bce84d867b2ea22e597c4ff0c Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 20:51:55 +0200
Subject: [PATCH 084/127] docs: fix formatting of 'rng' setting options

Was rendered as a field definition, because both:
* A blank line was omitted before starting the list items.
* Leading whitespace for each item (much like the commit that removes the
  superfluous blockquotes).
---
 docs/settings.rst | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/docs/settings.rst b/docs/settings.rst
index b59f6ca347ac..2e9a3945b167 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -1083,14 +1083,15 @@ it is disabled by default.
 - String
 - Default: auto
 
-Specify which random number generator to use. Permissible choises are
- - auto - choose automatically
- - sodium - Use libsodium ``randombytes_uniform``
- - openssl - Use libcrypto ``RAND_bytes``
- - getrandom - Use libc getrandom, falls back to urandom if it does not really work
- - arc4random - Use BSD ``arc4random_uniform``
- - urandom - Use ``/dev/urandom``
- - kiss - Use simple settable deterministic RNG. **FOR TESTING PURPOSES ONLY!**
+Specify which random number generator to use. Permissible choises are:
+
+- auto - choose automatically
+- sodium - Use libsodium ``randombytes_uniform``
+- openssl - Use libcrypto ``RAND_bytes``
+- getrandom - Use libc getrandom, falls back to urandom if it does not really work
+- arc4random - Use BSD ``arc4random_uniform``
+- urandom - Use ``/dev/urandom``
+- kiss - Use simple settable deterministic RNG. **FOR TESTING PURPOSES ONLY!**
 
 .. note::
   Not all choises are available on all systems.

From 3eee5ed048174332d1c5863c15a1eccd32ccc41f Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 20:52:12 +0200
Subject: [PATCH 085/127] docs: add use case for 'no-config' setting

---
 docs/settings.rst | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/docs/settings.rst b/docs/settings.rst
index 2e9a3945b167..88572a15f140 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -1034,7 +1034,8 @@ Seconds to store queries with no answer in the Query Cache. See :ref:`query-cach
 -  Boolean
 -  Default: no
 
-Do not attempt to read the configuration file.
+Do not attempt to read the configuration file. Useful for configuration
+by parameters from the command line only.
 
 .. _setting-no-shuffle:
 

From 43f619345280c45858fb93b985fc7d2d8e8a3e22 Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Sun, 31 Mar 2019 21:15:49 +0200
Subject: [PATCH 086/127] docs: Alphabetically order settings

---
 docs/settings.rst | 376 +++++++++++++++++++++++-----------------------
 1 file changed, 188 insertions(+), 188 deletions(-)

diff --git a/docs/settings.rst b/docs/settings.rst
index 88572a15f140..71842adb9bac 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -58,6 +58,21 @@ Allow DNS updates from these IP ranges. Set to empty string to honour ``ALLOW-DN
 Allow AXFR NOTIFY from these IP ranges. Setting this to an empty string
 will drop all incoming notifies.
 
+.. _setting-allow-recursion:
+
+``allow-recursion``
+-------------------
+
+-  IP ranges, separated by commas
+-  Default: 0.0.0.0/0
+
+.. deprecated:: 4.1.0
+  Recursion has been removed, see :doc:`guides/recursion`
+
+By specifying ``allow-recursion``, recursion can be restricted to
+netmasks specified. The default is to allow recursion from everywhere.
+Example: ``allow-recursion=198.51.100.0/24, 10.0.0.0/8, 192.0.2.4``.
+
 .. _setting-allow-unsigned-notify:
 
 ``allow-unsigned-notify``
@@ -84,21 +99,6 @@ signed by valid TSIG signature for the zone.
 Turning this off requires all supermaster notifications to be signed by
 valid TSIG signature. It will accept any existing key on slave.
 
-.. _setting-allow-recursion:
-
-``allow-recursion``
--------------------
-
--  IP ranges, separated by commas
--  Default: 0.0.0.0/0
-
-.. deprecated:: 4.1.0
-  Recursion has been removed, see :doc:`guides/recursion`
-
-By specifying ``allow-recursion``, recursion can be restricted to
-netmasks specified. The default is to allow recursion from everywhere.
-Example: ``allow-recursion=198.51.100.0/24, 10.0.0.0/8, 192.0.2.4``.
-
 .. _setting-also-notify:
 
 ``also-notify``
@@ -182,6 +182,31 @@ Also AXFR a zone from a master with a lower serial.
 
 Seconds to store packets in the :ref:`packet-cache`.
 
+.. _setting-carbon-instance:
+
+``carbon-instance``
+-------------------
+
+-  String
+-  Default: auth
+
+.. versionadded:: 4.2.0
+
+Set the instance or third string of the metric key. Be careful not to include
+any dots in this setting, unless you know what you are doing.
+See :ref:`metricscarbon`
+
+.. _setting-carbon-interval:
+
+``carbon-interval``
+-------------------
+
+-  Integer
+-  Default: 30
+
+If sending carbon updates, this is the interval between them in seconds.
+See :ref:`metricscarbon`.
+
 .. _setting-carbon-namespace:
 
 ``carbon-namespace``
@@ -208,20 +233,6 @@ If sending carbon updates, if set, this will override our hostname. Be
 careful not to include any dots in this setting, unless you know what
 you are doing. See :ref:`metricscarbon`
 
-.. _setting-carbon-instance:
-
-``carbon-instance``
--------------------
-
--  String
--  Default: auth
-
-.. versionadded:: 4.2.0
-
-Set the instance or third string of the metric key. Be careful not to include
-any dots in this setting, unless you know what you are doing.
-See :ref:`metricscarbon`
-
 .. _setting-carbon-server:
 
 ``carbon-server``
@@ -236,17 +247,6 @@ carbon-server=10.10.10.10,10.10.10.20.
 You may specify an alternate port by appending :port, ex:
 127.0.0.1:2004. See :ref:`metricscarbon`.
 
-.. _setting-carbon-interval:
-
-``carbon-interval``
--------------------
-
--  Integer
--  Default: 30
-
-If sending carbon updates, this is the interval between them in seconds.
-See :ref:`metricscarbon`.
-
 .. _setting-chroot:
 
 ``chroot``
@@ -361,16 +361,6 @@ to enable DNSSEC. Must be one of:
 The default keysize for the KSK generated with :doc:`pdnsutil secure-zone <dnssec/pdnsutil>`.
 Only relevant for algorithms with non-fixed keysizes (like RSA).
 
-.. _setting-default-soa-name:
-
-``default-soa-name``
---------------------
-
--  String
--  Default: a.misconfigured.powerdns.server
-
-Name to insert in the SOA record if none set in the backend.
-
 .. _setting-default-soa-edit:
 
 ``default-soa-edit``
@@ -403,6 +393,16 @@ Overrides :ref:`setting-default-soa-edit`
 
 Mail address to insert in the SOA record if none set in the backend.
 
+.. _setting-default-soa-name:
+
+``default-soa-name``
+--------------------
+
+-  String
+-  Default: a.misconfigured.powerdns.server
+
+Name to insert in the SOA record if none set in the backend.
+
 .. _setting-default-ttl:
 
 ``default-ttl``
@@ -729,60 +729,6 @@ big problems if you have multiple IP addresses. Unix does not provide a
 way of figuring out what IP address a packet was sent to when binding to
 any.
 
-.. _setting-log-timestamp:
-
-``log-timestamp``
------------------
-
-- Bool
-- Default: yes
-
-.. versionadded:: 4.1.0
-
-When printing log lines to stdout, prefix them with timestamps.
-Disable this if the process supervisor timestamps these lines already.
-
-.. note::
-  The systemd unit file supplied with the source code already disables timestamp printing
-
-.. _setting-lua-records-exec-limit:
-
-``lua-records-exec-limit``
------------------------------
-
--  Integer
--  Default: 1000
-
-Limit LUA records scripts to ``lua-records-exec-limit`` instructions.
-Setting this to any value less than or equal to 0 will set no limit.
-
-.. _setting-non-local-bind:
-
-``non-local-bind``
-------------------
-
--  Boolean
--  Default: no
-
-Bind to addresses even if one or more of the
-:ref:`setting-local-address`'s do not exist on this server.
-Setting this option will enable the needed socket options to allow
-binding to non-local addresses. This feature is intended to facilitate
-ip-failover setups, but it may also mask configuration issues and for
-this reason it is disabled by default.
-
-.. _setting-lua-axfr-script:
-
-``lua-axfr-script``
--------------------
-
--  String
--  Default: empty
-
-.. versionadded:: 4.1.0
-
-Script to be used to edit incoming AXFRs, see :ref:`modes-of-operation-axfrfilter`
-
 .. _setting-local-address-nonexist-fail:
 
 ``local-address-nonexist-fail``
@@ -838,6 +784,34 @@ The port on which we listen. Only one port possible.
 If set to 'no', informative-only DNS details will not even be sent to
 syslog, improving performance.
 
+.. _setting-log-dns-queries:
+
+``log-dns-queries``
+-------------------
+
+-  Boolean
+-  Default: no
+
+Tell PowerDNS to log all incoming DNS queries. This will lead to a lot
+of logging! Only enable for debugging! Set :ref:`setting-loglevel`
+to at least 5 to see the logs.
+
+.. _setting-log-timestamp:
+
+``log-timestamp``
+-----------------
+
+- Bool
+- Default: yes
+
+.. versionadded:: 4.1.0
+
+When printing log lines to stdout, prefix them with timestamps.
+Disable this if the process supervisor timestamps these lines already.
+
+.. note::
+  The systemd unit file supplied with the source code already disables timestamp printing
+
 .. _setting-logging-facility:
 
 ``logging-facility``
@@ -857,17 +831,17 @@ Do not pass names like 'local0'!
 Amount of logging. Higher is more. Do not set below 3. Corresponds to "syslog" level values,
 e.g. error = 3, warning = 4, notice = 5, info = 6
 
-.. _setting-log-dns-queries:
+.. _setting-lua-axfr-script:
 
-``log-dns-queries``
+``lua-axfr-script``
 -------------------
 
--  Boolean
--  Default: no
+-  String
+-  Default: empty
 
-Tell PowerDNS to log all incoming DNS queries. This will lead to a lot
-of logging! Only enable for debugging! Set :ref:`setting-loglevel`
-to at least 5 to see the logs.
+.. versionadded:: 4.1.0
+
+Script to be used to edit incoming AXFRs, see :ref:`modes-of-operation-axfrfilter`
 
 .. _setting-lua-prequery-script:
 
@@ -880,6 +854,17 @@ Lua script to run before answering a query. This is a feature used
 internally for regression testing. The API of this functionality is not
 guaranteed to be stable, and is in fact likely to change.
 
+.. _setting-lua-records-exec-limit:
+
+``lua-records-exec-limit``
+-----------------------------
+
+-  Integer
+-  Default: 1000
+
+Limit LUA records scripts to ``lua-records-exec-limit`` instructions.
+Setting this to any value less than or equal to 0 will set no limit.
+
 .. _setting-master:
 
 ``master``
@@ -1047,76 +1032,20 @@ by parameters from the command line only.
 
 Do not attempt to shuffle query results, used for regression testing.
 
-.. _setting-overload-queue-length:
-
-``overload-queue-length``
--------------------------
-
--  Integer
--  Default: 0 (disabled)
-
-If this many packets are waiting for database attention, answer any new
-questions strictly from the packet cache.
-
-.. _setting-reuseport:
+.. _setting-non-local-bind:
 
-``reuseport``
--------------
+``non-local-bind``
+------------------
 
 -  Boolean
--  Default: No
-
-On Linux 3.9 and some BSD kernels the ``SO_REUSEPORT`` option allows
-each receiver-thread to open a new socket on the same port which allows
-for much higher performance on multi-core boxes. Setting this option
-will enable use of ``SO_REUSEPORT`` when available and seamlessly fall
-back to a single socket when it is not available. A side-effect is that
-you can start multiple servers on the same IP/port combination which may
-or may not be a good idea. You could use this to enable transparent
-restarts, but it may also mask configuration issues and for this reason
-it is disabled by default.
-
-.. _setting-rng:
-
-``rng``
--------
-
-- String
-- Default: auto
-
-Specify which random number generator to use. Permissible choises are:
-
-- auto - choose automatically
-- sodium - Use libsodium ``randombytes_uniform``
-- openssl - Use libcrypto ``RAND_bytes``
-- getrandom - Use libc getrandom, falls back to urandom if it does not really work
-- arc4random - Use BSD ``arc4random_uniform``
-- urandom - Use ``/dev/urandom``
-- kiss - Use simple settable deterministic RNG. **FOR TESTING PURPOSES ONLY!**
-
-.. note::
-  Not all choises are available on all systems.
-
-.. _setting-security-poll-suffix:
-
-``security-poll-suffix``
-------------------------
-
--  String
--  Default: secpoll.powerdns.com.
-
-Domain name from which to query security update notifications. Setting
-this to an empty string disables secpoll.
-
-.. _setting-server-id:
-
-``server-id``
--------------
-
--  String
--  Default: The hostname of the server
+-  Default: no
 
-This is the server ID that will be returned on an EDNS NSID query.
+Bind to addresses even if one or more of the
+:ref:`setting-local-address`'s do not exist on this server.
+Setting this option will enable the needed socket options to allow
+binding to non-local addresses. This feature is intended to facilitate
+ip-failover setups, but it may also mask configuration issues and for
+this reason it is disabled by default.
 
 .. _setting-only-notify:
 
@@ -1198,6 +1127,17 @@ If this is disabled (the default), ALIAS records are sent verbatim
 during outgoing AXFR. Note that if your slaves do not support ALIAS,
 they will return NODATA for A/AAAA queries for such names.
 
+.. _setting-overload-queue-length:
+
+``overload-queue-length``
+-------------------------
+
+-  Integer
+-  Default: 0 (disabled)
+
+If this many packets are waiting for database attention, answer any new
+questions strictly from the packet cache.
+
 .. _setting-prevent-self-notification:
 
 ``prevent-self-notification``
@@ -1322,6 +1262,56 @@ resolvers.
 
 Number of AXFR slave threads to start.
 
+.. _setting-reuseport:
+
+``reuseport``
+-------------
+
+-  Boolean
+-  Default: No
+
+On Linux 3.9 and some BSD kernels the ``SO_REUSEPORT`` option allows
+each receiver-thread to open a new socket on the same port which allows
+for much higher performance on multi-core boxes. Setting this option
+will enable use of ``SO_REUSEPORT`` when available and seamlessly fall
+back to a single socket when it is not available. A side-effect is that
+you can start multiple servers on the same IP/port combination which may
+or may not be a good idea. You could use this to enable transparent
+restarts, but it may also mask configuration issues and for this reason
+it is disabled by default.
+
+.. _setting-rng:
+
+``rng``
+-------
+
+- String
+- Default: auto
+
+Specify which random number generator to use. Permissible choises are:
+
+- auto - choose automatically
+- sodium - Use libsodium ``randombytes_uniform``
+- openssl - Use libcrypto ``RAND_bytes``
+- getrandom - Use libc getrandom, falls back to urandom if it does not really work
+- arc4random - Use BSD ``arc4random_uniform``
+- urandom - Use ``/dev/urandom``
+- kiss - Use simple settable deterministic RNG. **FOR TESTING PURPOSES ONLY!**
+
+.. note::
+  Not all choises are available on all systems.
+
+.. _setting-security-poll-suffix:
+
+``security-poll-suffix``
+------------------------
+
+-  String
+-  Default: secpoll.powerdns.com.
+
+Domain name from which to query security update notifications. Setting
+this to an empty string disables secpoll.
+
 .. _setting-send-signed-notify:
 
 ``send-signed-notify``
@@ -1336,6 +1326,16 @@ first one retrieved from the backend, which may not be the correct one for the
 respective slave. Hence, in setups with multiple slaves with different TSIG keys
 it may be required to send NOTIFYs unsigned.
 
+.. _setting-server-id:
+
+``server-id``
+-------------
+
+-  String
+-  Default: The hostname of the server
+
+This is the server ID that will be returned on an EDNS NSID query.
+
 .. _setting-setgid:
 
 ``setgid``
@@ -1354,6 +1354,17 @@ If set, change group id to this gid for more security. See :doc:`security`.
 
 If set, change user id to this uid for more security. See :doc:`security`.
 
+.. _setting-signing-threads:
+
+``signing-threads``
+-------------------
+
+-  Integer
+-  Default: 3
+
+Tell PowerDNS how many threads to use for signing. It might help improve
+signing speed by changing this number.
+
 .. _setting-slave:
 
 ``slave``
@@ -1389,17 +1400,6 @@ This setting will make PowerDNS renotify the slaves after an AXFR is
 *received* from a master. This is useful when using when running a
 signing-slave.
 
-.. _setting-signing-threads:
-
-``signing-threads``
--------------------
-
--  Integer
--  Default: 3
-
-Tell PowerDNS how many threads to use for signing. It might help improve
-signing speed by changing this number.
-
 .. _setting-soa-expire-default:
 
 ``soa-expire-default``

From 0eac87c06cb1fbffac4e7453291cc078a9de38d6 Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Mon, 1 Apr 2019 16:05:58 +0200
Subject: [PATCH 087/127] docs: fix Sphinx-build warning in ixfsdist.yml.5.rst

Warnings observed since merge of f614922949036d22ab4a7a55e1629d2b60e7a094:
* docs/manpages/ixfrdist.yml.5.rst:121: WARNING: Unexpected indentation.
* docs/manpages/ixfrdist.yml.5.rst:122: WARNING: Literal block ends without a blank line; unexpected unindent.
---
 docs/manpages/ixfrdist.yml.5.rst | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/manpages/ixfrdist.yml.5.rst b/docs/manpages/ixfrdist.yml.5.rst
index 121a696ef2cd..5feca55ce42a 100644
--- a/docs/manpages/ixfrdist.yml.5.rst
+++ b/docs/manpages/ixfrdist.yml.5.rst
@@ -118,7 +118,9 @@ Options
   When logging, each log-line contains the UUID of the request, this allows finding errors caused by certain requests.
   With 'none', nothing is logged except for errors.
   With 'normal' (the default), one line per request is logged in the style of the common log format::
+
     [NOTICE] [webserver] 46326eef-b3ba-4455-8e76-15ec73879aa3 127.0.0.1:57566 "GET /metrics HTTP/1.1" 200 1846
+
   with 'detailed', the full requests and responses (including headers) are logged along with the regular log-line from 'normal'.
 
 See also

From 0b9ef9e070f5598f95e3b6680a51d722e001973c Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Mon, 1 Apr 2019 16:11:03 +0200
Subject: [PATCH 088/127] docs: fix link to setting loglevel in settings

Introduced with 64c08e25825ae5ef2a702277884003902ced9607
---
 docs/settings.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/settings.rst b/docs/settings.rst
index 71842adb9bac..91963b5c31fd 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -1660,7 +1660,7 @@ When set to "detailed", all information about the request and response are logge
 The value between the hooks is a UUID that is generated for each request. This can be used to find all lines related to a single request.
 
 .. note::
-  The webserver logs these line on the NOTICE level. The :ref:`settings-loglevel` seting must be 5 or higher for these lines to end up in the log.
+  The webserver logs these line on the NOTICE level. The :ref:`setting-loglevel` seting must be 5 or higher for these lines to end up in the log.
 
 .. _setting-webserver-password:
 

From 985a932cc19dbe74626bb6fed31617d82c084b5c Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Mon, 1 Apr 2019 21:54:07 +0200
Subject: [PATCH 089/127] docs: Note that supermaster support is off by default
 since 4.2

With commit b80139777ebd2e0dc14cfd88d30eed80cfc04054 / PR #6021, it appears
that the behaviour of PowerDNS has changed to not act as a supermaster any
longer by default. Having to add a new setting that did not exist before,
to retain the old behaviour should be mentioned, I believe.
---
 docs/changelog/4.2.rst      | 10 ++++++++++
 docs/modes-of-operation.rst |  4 ++++
 docs/settings.rst           |  2 ++
 3 files changed, 16 insertions(+)

diff --git a/docs/changelog/4.2.rst b/docs/changelog/4.2.rst
index 859a0c111cf6..84dba47bee9a 100644
--- a/docs/changelog/4.2.rst
+++ b/docs/changelog/4.2.rst
@@ -1159,3 +1159,13 @@ Changelogs for 4.2.x
     :tickets: 7357
 
     API: Add response-by-qtype and response-by-rcode on /statistics endpoint
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 6021
+
+    Several improvements to processing of notifies.
+
+    * Turn off supermaster support by default (adds new setting).
+    * PowerDNS was wasting a lot of queries while processing notifies.
+    * Use comboaddress for IPs (was strings)
diff --git a/docs/modes-of-operation.rst b/docs/modes-of-operation.rst
index 9025d275c373..26cfed8422b9 100644
--- a/docs/modes-of-operation.rst
+++ b/docs/modes-of-operation.rst
@@ -187,6 +187,10 @@ can not serve IXFR updates.
 Supermaster: automatic provisioning of slaves
 ---------------------------------------------
 
+.. versionchanged:: 4.2.0
+  Supermaster support needs to be explicitly enabled with the
+  :ref:`setting-supermaster` setting.
+
 PowerDNS can recognize so called 'supermasters'. A supermaster is a host
 which is master for domains and for which we are to be a slave. When a
 master (re)loads a domain, it sends out a notification to its slaves.
diff --git a/docs/settings.rst b/docs/settings.rst
index 91963b5c31fd..70b862b11a3c 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -1464,6 +1464,8 @@ and :doc:`Virtual Hosting <guides/virtual-instances>` how this can differ.
 -  Default: no
 
 .. versionadded:: 4.2.0
+  In versions before 4.2.x, this setting did not exist and supermaster support
+  was enabled by default.
 
 Turn on supermaster support. See :ref:`supermaster-operation`.
 

From 34246de2046b14dd2d84b132f66ecb2e1df69393 Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Mon, 1 Apr 2019 22:22:59 +0200
Subject: [PATCH 090/127] docs: Add 'bind-check-interval' setting default

---
 docs/backends/bind.rst | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/docs/backends/bind.rst b/docs/backends/bind.rst
index 1ba207058e73..73da47a0e874 100644
--- a/docs/backends/bind.rst
+++ b/docs/backends/bind.rst
@@ -60,7 +60,9 @@ It supports the following blocks and directives:
 ``bind-check-interval``
 ~~~~~~~~~~~~~~~~~~~~~~~
 
-How often to check for zone changes. See :ref:`bind-operation` section.
+Interval in seconds to check for zone file changes. Default is 0 (disabled).
+
+See :ref:`bind-operation` section for more information.
 
 .. _setting-bind-dnssec-db:
 

From 5957060b735db798542eb710baa634fa3aff2e9b Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Mon, 1 Apr 2019 22:23:51 +0200
Subject: [PATCH 091/127] docs: notes on 'bind-check-interval' <->
 'slave-cycle-interval'

---
 docs/backends/bind.rst | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/docs/backends/bind.rst b/docs/backends/bind.rst
index 73da47a0e874..5434f3ec58fd 100644
--- a/docs/backends/bind.rst
+++ b/docs/backends/bind.rst
@@ -119,6 +119,12 @@ If :ref:`setting-bind-check-interval` is specified as
 zero, no checks will be performed until the ``pdns_control reload`` is
 given.
 
+Please note that also the :ref:`setting-slave-cycle-interval` setting
+controls how often a master would notify a slave about changes.
+Especially in 'hidden master' configurations, where servers usually
+don't receive regular queries, you may want to lower that setting to a
+value as low as :ref:`setting-bind-check-interval`.
+
 pdns\_control commands
 ----------------------
 

From f02f619d59fba8e2275c96a3e3cb4a108d028bff Mon Sep 17 00:00:00 2001
From: Gert van Dijk <gertvdijk@gmail.com>
Date: Tue, 2 Apr 2019 11:09:19 +0200
Subject: [PATCH 092/127] docs: update pdnsutil 'set-nsec3' and NSEC3 narrow
 mode

* The 4-parameter quoted string argument in "pdnsutil set-nsec3" appears to
  have a default value of "1 0 1 ab" according to the sources:
  https://github.com/PowerDNS/pdns/blob/e62422ce0e86cfe959073ef061f07873ceff6be8/pdns/pdnsutil.cc#L2459
  introduced with b8adb30dff5fc18b55e27580c07799d8fae1bafb (in 3.3+)
* The example command included smart quotes, which don't really work when
  copy-pasted to a shell - changed to monospaced formatting.
* Include note about online signing requirement for "White Lies" / narrow
  mode support and that zone transfers are denied in this mode.
* Mention RFC about "White Lies".
* Mention defaults on 'DNSSEC Modes of Operation'.
* Mention possible limits of ITERATIONS via 'max-nsec3-iterations'.
---
 docs/dnssec/modes-of-operation.rst | 15 +++++++++++----
 docs/dnssec/operational.rst        | 10 ++++++++--
 docs/manpages/pdnsutil.1.rst       | 22 +++++++++++++---------
 docs/settings.rst                  |  3 ++-
 4 files changed, 34 insertions(+), 16 deletions(-)

diff --git a/docs/dnssec/modes-of-operation.rst b/docs/dnssec/modes-of-operation.rst
index 9e6c2e514563..c03759263eba 100644
--- a/docs/dnssec/modes-of-operation.rst
+++ b/docs/dnssec/modes-of-operation.rst
@@ -55,13 +55,16 @@ As described above, there are several ways in which DNSSEC can deny the
 existence of a record, and this setting, which is also stored away from zone
 records, lives with the DNSSEC keying material.
 
+.. _dnssec-nsec-modes:
+
 (Hashed) Denial of Existence
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 PowerDNS supports unhashed secure denial-of-existence using NSEC
 records. These are generated with the help of the (database) backend,
 which needs to be able to supply the 'previous' and 'next' records in
-canonical ordering.
+canonical ordering. NSEC is the default mode for secured zones in
+PowerDNS.
 
 The Generic SQL Backends have fields that allow them to supply these
 relative record names.
@@ -72,11 +75,15 @@ the help of some additional calculations.
 
 NSEC3 in 'broad' or 'inclusive' mode works with the aid of the backend,
 where the backend should be able to supply the previous and next domain
-names in hashed order.
+names in hashed order. This is the default mode for NSEC3 in PowerDNS.
 
 NSEC3 in 'narrow' mode uses additional hashing calculations to provide
-hashed secure denial-of-existence 'on the fly', without further
-involving the database.
+hashed secure denial-of-existence 'on the fly' per
+`RFC 7129 <https://tools.ietf.org/html/rfc7129>`__, without further
+involving the database. This mode will make PowerDNS to send out "white
+lies" and prevents zone enumeration, but these responses require online
+signing capabilities by all nameservers and therefore denies incoming
+AXFRs for zones in this mode.
 
 .. _dnssec-signatures:
 
diff --git a/docs/dnssec/operational.rst b/docs/dnssec/operational.rst
index ce3db3e05ecd..c5e4b328ca20 100644
--- a/docs/dnssec/operational.rst
+++ b/docs/dnssec/operational.rst
@@ -28,6 +28,8 @@ Going insecure
   parent zone will make the zone BOGUS. Make sure the parent zone removes
   the DS record *before* going insecure.
 
+.. _dnssec-operational-nsec-modes-params:
+
 Setting the NSEC modes and parameters
 -------------------------------------
 
@@ -36,7 +38,7 @@ NSEC3 instead, issue:
 
 .. code-block:: shell
 
-    pdnsutil set-nsec3 ZONE [PARAMETERS]
+    pdnsutil set-nsec3 ZONE [PARAMETERS] ['narrow']
 
 e.g.
 
@@ -51,9 +53,13 @@ The quoted part is the content of the NSEC3PARAM records, as defined in
 -  Flags, set to ``1`` for :rfc:`NSEC3 Opt-out <5155#section-6>`, this best
    set as ``0``
 -  Number of iterations of the hash function, read :rfc:`RFC 5155, Section
-   10.3 <5155#section-10.3>` for recommendations
+   10.3 <5155#section-10.3>` for recommendations. Limited by the
+   :ref:`setting-max-nsec3-iterations` setting.
 -  Salt to apply during hashing, in hexadecimal, or ``-`` to use no salt
 
+Optionally, NSEC3 can be set to 'narrow' mode. For more information refer
+to :ref:`dnssec-nsec-modes`.
+
 To convert a zone from NSEC3 to NSEC operations, run:
 
 .. code-block:: shell
diff --git a/docs/manpages/pdnsutil.1.rst b/docs/manpages/pdnsutil.1.rst
index 3b02ccfbc75d..28912612b037 100644
--- a/docs/manpages/pdnsutil.1.rst
+++ b/docs/manpages/pdnsutil.1.rst
@@ -80,7 +80,7 @@ import-zone-key *ZONE* *FILE* {**KSK**,\ **ZSK**}
     the added key.
 remove-zone-key *ZONE* *KEY-ID*
     Remove a key with id *KEY-ID* from a zone called *ZONE*.
-set-nsec3 *ZONE* '*HASH-ALGORITHM* *FLAGS* *ITERATIONS* *SALT*' [**narrow**]
+set-nsec3 *ZONE* ['*HASH-ALGORITHM* *FLAGS* *ITERATIONS* *SALT*'] [**narrow**]
     Sets NSEC3 parameters for this zone. The quoted parameters are 4
     values that are used for the the NSEC3PARAM record and decide how
     NSEC3 records are created. The NSEC3 parameters must be quoted on
@@ -88,14 +88,18 @@ set-nsec3 *ZONE* '*HASH-ALGORITHM* *FLAGS* *ITERATIONS* *SALT*' [**narrow**]
     *FLAGS* to 1 enables NSEC3 opt-out operation. Only do this if you
     know you need it. For *ITERATIONS*, please consult RFC 5155, section
     10.3. And be aware that a high number might overload validating
-    resolvers. The *SALT* is a hexadecimal string encoding the bits for
-    the salt, or - to use no salt. Setting **narrow** will make PowerDNS
-    send out "white lies" about the next secure record. Instead of
-    looking it up in the database, it will send out the hash + 1 as the
-    next secure record. A sample commandline is: "pdnsutil set-nsec3
-    powerdnssec.org '1 1 1 ab' narrow". **WARNING**: If running in
-    RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will
-    require a DS update in the parent zone.
+    resolvers and that a limit can be set with ``max-nsec3-iterations``
+    in ``pdns.conf``. The *SALT* is a hexadecimal string encoding the bits
+    for the salt, or - to use no salt. Setting **narrow** will make PowerDNS
+    send out "white lies" (RFC 7129) about the next secure record to
+    prevent zone enumeration. Instead of looking it up in the database,
+    it will send out the hash + 1 as the next secure record. Narrow mode
+    requires online signing capabilities by the nameserver and therefore
+    zone transfers are denied. If only the zone is provided as argument,
+    the 4-parameter quoted string defaults to ``'1 0 1 ab'``. A sample
+    commandline is: ``pdnsutil set-nsec3 powerdnssec.org '1 1 1 ab' narrow``.
+    **WARNING**: If running in RSASHA1 mode (algorithm 5 or 7), switching
+    from NSEC to NSEC3 will require a DS update in the parent zone.
 unset-nsec3 *ZONE*
     Converts *ZONE* to NSEC operations. **WARNING**: If running in
     RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will
diff --git a/docs/settings.rst b/docs/settings.rst
index 70b862b11a3c..b8a9a21276a0 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -910,7 +910,8 @@ protection measure to avoid database explosion due to long names.
 -  Integer
 -  Default: 500
 
-Limit the number of NSEC3 hash iterations
+Limit the number of NSEC3 hash iterations for zone configurations.
+For more information see :ref:`dnssec-operational-nsec-modes-params`.
 
 .. _setting-max-packet-cache-entries:
 

From 4e031caf712eb69c68914f95a0252bbcb2ba61ec Mon Sep 17 00:00:00 2001
From: Matt Nordhoff <mnordhoff@mattnordhoff.com>
Date: Tue, 9 Apr 2019 07:47:55 +0000
Subject: [PATCH 093/127] docs: Fix a few reference markup errors

---
 docs/dnsupdate.rst                      | 4 ++--
 docs/settings.rst                       | 4 ++--
 pdns/dnsdistdist/docs/rules-actions.rst | 2 +-
 pdns/recursordist/docs/settings.rst     | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/docs/dnsupdate.rst b/docs/dnsupdate.rst
index 94ed0b0fc06f..1aebf30c0372 100644
--- a/docs/dnsupdate.rst
+++ b/docs/dnsupdate.rst
@@ -98,7 +98,7 @@ ALLOW-DNSUPDATE-FROM
 ~~~~~~~~~~~~~~~~~~~~
 
 This setting has the same function as described in the configuration
-options (See ref:`above <dnsupdate-configuration-options>`). Only one item is
+options (See :ref:`above <dnsupdate-configuration-options>`). Only one item is
 allowed per row, but multiple rows can be added. An example:
 
 ::
@@ -152,7 +152,7 @@ the IP(-range) of the updater still needs to be allowed via ``ALLOW-DNSUPDATE-FR
 FORWARD-DNSUPDATE
 ~~~~~~~~~~~~~~~~~
 
-See `Configuration options <dnsupdate-configuration-options>` for what it does,
+See :ref:`Configuration options <dnsupdate-configuration-options>` for what it does,
 but per domain.
 
 ::
diff --git a/docs/settings.rst b/docs/settings.rst
index eab1244d2700..a635bf000932 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -898,7 +898,7 @@ Turn on master support. See :ref:`master-operation`.
 
 .. versionchanged:: 4.1.0
   The packet and query caches are distinct. Previously, this setting was used for
-  both the packet and query caches. See ref:`setting-max-packet-cache-entries` for
+  both the packet and query caches. See :ref:`setting-max-packet-cache-entries` for
   the packet-cache setting.
 
 Maximum number of entries in the query cache. 1 million (the default)
@@ -1022,7 +1022,7 @@ compile-time.
 -  Integer
 -  Default: 60
 
-Seconds to store queries with no answer in the Query Cache. See ref:`query-cache`.
+Seconds to store queries with no answer in the Query Cache. See :ref:`query-cache`.
 
 .. _setting-no-config:
 
diff --git a/pdns/dnsdistdist/docs/rules-actions.rst b/pdns/dnsdistdist/docs/rules-actions.rst
index 1ed837dea24f..9dbb3f6a4c93 100644
--- a/pdns/dnsdistdist/docs/rules-actions.rst
+++ b/pdns/dnsdistdist/docs/rules-actions.rst
@@ -717,7 +717,7 @@ These ``DNSRule``\ s be one of the following items:
 .. function:: RecordsTypeCountRule(section, qtype, minCount, maxCount)
 
   Matches if there is at least ``minCount`` and at most ``maxCount`` records of type ``type`` in the section ``section``.
-  ``section`` can be specified as an integer or as a ref:`DNSSection`.
+  ``section`` can be specified as an integer or as a :ref:`DNSSection`.
   ``qtype`` may be specified as an integer or as one of the built-in QTypes, for instance ``dnsdist.A`` or ``dnsdist.TXT``.
 
   :param int section: The section to match on
diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index 78286bb97be3..95bf43b3f7f5 100644
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
@@ -1707,7 +1707,7 @@ If a PID file should be written to `socket-dir`_
 The server will trust XPF records found in queries sent from those netmasks (both IPv4 and IPv6),
 and will adjust queries' source and destination accordingly. This is especially useful when the recursor
 is placed behind a proxy like `dnsdist <https://dnsdist.org>`_.
-Note that the ref:`setting-allow-from` setting is still applied to the original source address, and thus access restriction
+Note that the :ref:`setting-allow-from` setting is still applied to the original source address, and thus access restriction
 should be done on the proxy.
 
 .. _setting-xpf-rr-code:

From a110aee266438b9b5d0836426d90b291cb135576 Mon Sep 17 00:00:00 2001
From: phonedph1 <phoned@gmail.com>
Date: Tue, 9 Apr 2019 15:07:11 +0000
Subject: [PATCH 094/127] Add examples, public-filtered part

---
 .../docs/http-api/endpoint-jsonstat.rst       | 189 +++++++++++++++++-
 1 file changed, 187 insertions(+), 2 deletions(-)

diff --git a/pdns/recursordist/docs/http-api/endpoint-jsonstat.rst b/pdns/recursordist/docs/http-api/endpoint-jsonstat.rst
index 088afc168c19..768368c45cd7 100644
--- a/pdns/recursordist/docs/http-api/endpoint-jsonstat.rst
+++ b/pdns/recursordist/docs/http-api/endpoint-jsonstat.rst
@@ -7,8 +7,8 @@ jsonstat endpoint
   The ``Accept`` request header is ignored.
   This endpoint accepts a ``command`` and ``name`` query for different statistics:
 
-  * ``get-query-ring``: Retrieve statistics from the query subsection. ``name`` can be ``servfail-queries`` or ``queries``.
-  * ``get-remote-ring``: Retrieve statistics from the remotes subsection. ``name`` can be ``remotes``, ``bogus-remotes``, ``large-answer-remotes``, or ``timeouts``.
+  * ``get-query-ring``: Retrieve statistics from the query subsection. ``name`` can be ``servfail-queries`` or ``queries``. Supports optional argument ``public-filtered`` which if set to any value will group queries by the public suffix list.
+  * ``get-remote-ring``: Retrieve statistics from the remotes subsection. ``name`` can be ``remotes``, ``servfail-remotes``, ``bogus-remotes`` (added in 4.2.0), ``large-answer-remotes``, or ``timeouts`` (added in 4.2.0).
 
   **Example request**:
 
@@ -17,6 +17,25 @@ jsonstat endpoint
       GET /jsonstat?command=get-query-ring&name=servfail-queries HTTP/1.1
       Host: example.com
       Accept: application/json, text/javascript
+      X-API-Key: examplekey
+
+  **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Access-Control-Allow-Origin: *
+      Connection: close
+      Content-Length: 94
+      Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
+      Content-Type: application/json
+      Server: PowerDNS/4.1.11
+      X-Content-Type-Options: nosniff
+      X-Frame-Options: deny
+      X-Permitted-Cross-Domain-Policies: none
+      X-Xss-Protection: 1; mode=block
+
+      {"entries": [[2, "wpad.americas.hpecorp.net", "A"], [1, "wpad.americas.hpecorp.net", "AAAA"]]}
 
   **Example request**:
 
@@ -25,6 +44,52 @@ jsonstat endpoint
       GET /jsonstat?command=get-query-ring&name=queries HTTP/1.1
       Host: example.com
       Accept: application/json, text/javascript
+      X-API-Key: examplekey
+
+  **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Access-Control-Allow-Origin: *
+      Connection: close
+      Content-Length: 69
+      Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
+      Content-Type: application/json
+      Server: PowerDNS/4.1.11
+      X-Content-Type-Options: nosniff
+      X-Frame-Options: deny
+      X-Permitted-Cross-Domain-Policies: none
+      X-Xss-Protection: 1; mode=block
+
+      {"entries": [[1, "a.powerdns.com", "A"], [1, "b.powerdns.com", "A"]]}
+
+  **Example request**:
+
+   .. sourcecode:: http
+
+      GET /jsonstat?command=get-query-ring&name=queries&public-filtered=true HTTP/1.1
+      Host: example.com
+      Accept: application/json, text/javascript
+      X-API-Key: examplekey
+
+  **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Access-Control-Allow-Origin: *
+      Connection: close
+      Content-Length: 39
+      Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
+      Content-Type: application/json
+      Server: PowerDNS/4.1.11
+      X-Content-Type-Options: nosniff
+      X-Frame-Options: deny
+      X-Permitted-Cross-Domain-Policies: none
+      X-Xss-Protection: 1; mode=block
+
+      {"entries": [[2, "powerdns.com", "A"]]}
 
   **Example request**:
 
@@ -33,6 +98,43 @@ jsonstat endpoint
       GET /jsonstat?command=get-remote-ring&name=remotes HTTP/1.1
       Host: example.com
       Accept: application/json, text/javascript
+      X-API-Key: examplekey
+
+  **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Access-Control-Allow-Origin: *
+      Connection: close
+      Content-Length: 62
+      Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
+      Content-Type: application/json
+      Server: PowerDNS/4.1.11
+      X-Content-Type-Options: nosniff
+      X-Frame-Options: deny
+      X-Permitted-Cross-Domain-Policies: none
+      X-Xss-Protection: 1; mode=block
+
+      {"entries": [[11, "10.0.2.15"], [7, "::1"], [4, "127.0.0.1"]]}
+
+  **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Access-Control-Allow-Origin: *
+      Connection: close
+      Content-Length: 43
+      Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
+      Content-Type: application/json
+      Server: PowerDNS/4.1.11
+      X-Content-Type-Options: nosniff
+      X-Frame-Options: deny
+      X-Permitted-Cross-Domain-Policies: none
+      X-Xss-Protection: 1; mode=block
+
+      {"entries": [[2, "::1"], [1, "127.0.0.1"]]}
 
   **Example request**:
 
@@ -41,6 +143,52 @@ jsonstat endpoint
       GET /jsonstat?command=get-remote-ring&name=bogus-remotes HTTP/1.1
       Host: example.com
       Accept: application/json, text/javascript
+      X-API-Key: examplekey
+
+  **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Access-Control-Allow-Origin: *
+      Connection: close
+      Content-Length: 32
+      Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
+      Content-Type: application/json
+      Server: PowerDNS/4.2.0-alpha1
+      X-Content-Type-Options: nosniff
+      X-Frame-Options: deny
+      X-Permitted-Cross-Domain-Policies: none
+      X-Xss-Protection: 1; mode=block
+
+      {"entries": [[20, "127.0.0.1"]]}
+
+  **Example request**:
+
+   .. sourcecode:: http
+
+      GET /jsonstat?command=get-remote-ring&name=servfail-remotes HTTP/1.1
+      Host: example.com
+      Accept: application/json, text/javascript
+      X-API-Key: examplekey
+
+  **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Access-Control-Allow-Origin: *
+      Connection: close
+      Content-Length: 31
+      Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
+      Content-Type: application/json
+      Server: PowerDNS/4.1.11
+      X-Content-Type-Options: nosniff
+      X-Frame-Options: deny
+      X-Permitted-Cross-Domain-Policies: none
+      X-Xss-Protection: 1; mode=block
+
+      {"entries": [[4, "127.0.0.1"]]}
 
   **Example request**:
 
@@ -49,6 +197,25 @@ jsonstat endpoint
       GET /jsonstat?command=get-remote-ring&name=large-answer-remotes HTTP/1.1
       Host: example.com
       Accept: application/json, text/javascript
+      X-API-Key: examplekey
+
+  **Example response**:
+
+   .. sourcecode:: http
+
+      HTTP/1.1 200 OK
+      Access-Control-Allow-Origin: *
+      Connection: close
+      Content-Length: 43
+      Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
+      Content-Type: application/json
+      Server: PowerDNS/4.1.11
+      X-Content-Type-Options: nosniff
+      X-Frame-Options: deny
+      X-Permitted-Cross-Domain-Policies: none
+      X-Xss-Protection: 1; mode=block
+
+      {"entries": [[2, "127.0.0.1"], [1, "::1"]]}
 
   **Example request**:
 
@@ -57,4 +224,22 @@ jsonstat endpoint
       GET /jsonstat?command=get-remote-ring&name=timeouts HTTP/1.1
       Host: example.com
       Accept: application/json, text/javascript
+      X-API-Key: examplekey
+
+  **Example response**:
+
+   .. sourcecode:: http
 
+      HTTP/1.1 200 OK
+      Access-Control-Allow-Origin: *
+      Connection: close
+      Content-Length: 189
+      Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'
+      Content-Type: application/json
+      Server: PowerDNS/4.2.0-alpha1
+      X-Content-Type-Options: nosniff
+      X-Frame-Options: deny
+      X-Permitted-Cross-Domain-Policies: none
+      X-Xss-Protection: 1; mode=block
+
+      {"entries": [[3, "15.219.145.20"], [3, "15.211.192.20"], [2, "15.219.160.20"], [2, "15.203.224.20"], [2, "15.219.145.21"], [2, "15.219.160.21"], [2, "15.211.192.21"], [2, "15.203.224.21"]]}

From d3dfd71e2d8cb56113a36d55df57864d16e5f6c2 Mon Sep 17 00:00:00 2001
From: Peter van Dijk <peter.van.dijk@powerdns.com>
Date: Mon, 15 Apr 2019 10:05:15 +0200
Subject: [PATCH 095/127] rename supermaster to superslave, and mention in
 upgrade notes

---
 docs/modes-of-operation.rst                             | 6 +++---
 docs/settings.rst                                       | 4 ++--
 docs/upgrading.rst                                      | 5 +++++
 pdns/common_startup.cc                                  | 2 +-
 pdns/packethandler.cc                                   | 2 +-
 regression-tests.nobackend/supermaster-signed/command   | 2 +-
 regression-tests.nobackend/supermaster-unsigned/command | 2 +-
 7 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/docs/modes-of-operation.rst b/docs/modes-of-operation.rst
index bf76cf28e970..4323d1a6ef6d 100644
--- a/docs/modes-of-operation.rst
+++ b/docs/modes-of-operation.rst
@@ -201,10 +201,10 @@ itself as a slave for that zone.
 Before a supermaster notification succeeds, the following conditions
 must be met:
 
- - :ref:`setting-supermaster` support must be enabled
+ - :ref:`setting-superslave` support must be enabled
  - The supermaster must carry a SOA record for the notified domain
- - The supermaster IP must be present in the 'supermaster' table
- - The set of NS records for the domain, as retrieved by the slave from the supermaster, must include the name that goes with the IP address in the supermaster table
+ - The supermaster IP must be present in the 'supermasters' table
+ - The set of NS records for the domain, as retrieved by the slave from the supermaster, must include the name that goes with the IP address in the supermasters table
  - If your master sends signed NOTIFY it will mark that TSIG key as the TSIG key used for retrieval as well
  - If you turn off :ref:`setting-allow-unsigned-supermaster`, then your supermaster(s) are required to sign their notifications.
 
diff --git a/docs/settings.rst b/docs/settings.rst
index eab1244d2700..2f52848527db 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -1449,9 +1449,9 @@ This path will also contain the pidfile for this instance of PowerDNS
 called ``pdns.pid`` by default. See :ref:`setting-config-name`
 and :doc:`Virtual Hosting <guides/virtual-instances>` how this can differ.
 
-.. _setting-supermaster:
+.. _setting-superslave:
 
-``supermaster``
+``superslave``
 ---------------
 
 -  Boolean
diff --git a/docs/upgrading.rst b/docs/upgrading.rst
index 82ca98075471..b0b7ba64ff2e 100644
--- a/docs/upgrading.rst
+++ b/docs/upgrading.rst
@@ -8,6 +8,11 @@ Please upgrade to the PowerDNS Authoritative Server 4.0.0 from 3.4.2+.
 See the `3.X <https://doc.powerdns.com/3/authoritative/upgrading/>`__
 upgrade notes if your version is older than 3.4.2.
 
+4.1.X to 4.2.0
+--------------
+
+- Superslave operation is no longer enabled by default, use :ref:`setting-superslave` to enable. This setting was called ``supermaster`` in some 4.2.0 prereleases.
+
 4.1.0 to 4.1.1
 --------------
 
diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index e7f6f5ab9525..bd57fc542352 100644
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -137,7 +137,7 @@ void declareArguments()
   
   ::arg().setSwitch("slave","Act as a slave")="no";
   ::arg().setSwitch("master","Act as a master")="no";
-  ::arg().setSwitch("supermaster", "Act as a supermaster")="no";
+  ::arg().setSwitch("superslave", "Act as a superslave")="no";
   ::arg().setSwitch("disable-axfr-rectify","Disable the rectify step during an outgoing AXFR. Only required for regression testing.")="no";
   ::arg().setSwitch("guardian","Run within a guardian process")="no";
   ::arg().setSwitch("prevent-self-notification","Don't send notifications to what we think is ourself")="yes";
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index e7189ece004c..fbd5b6da20e0 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -887,7 +887,7 @@ int PacketHandler::processNotify(DNSPacket *p)
   //
   DomainInfo di;
   if(!B.getDomainInfo(p->qdomain, di, false) || !di.backend) {
-    if(::arg().mustDo("supermaster")) {
+    if(::arg().mustDo("superslave")) {
       g_log<<Logger::Warning<<"Received NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<" for which we are not authoritative, trying supermaster"<<endl;
       return trySuperMaster(p, p->getTSIGKeyname());
     }
diff --git a/regression-tests.nobackend/supermaster-signed/command b/regression-tests.nobackend/supermaster-signed/command
index 6eb46127f085..ffb0da45c548 100755
--- a/regression-tests.nobackend/supermaster-signed/command
+++ b/regression-tests.nobackend/supermaster-signed/command
@@ -94,7 +94,7 @@ start_slave()
 
         $RUNWRAPPER $PDNS2 --daemon=no --local-port=$slaveport --config-dir=. --module-dir=../regression-tests/modules \
                 --config-name=gsqlite3-slave --socket-dir=./ --no-shuffle --local-address=127.0.0.2 --local-ipv6='' \
-                --slave --retrieval-threads=4 --slave=yes --supermaster=yes --query-local-address=127.0.0.2 \
+                --slave --retrieval-threads=4 --slave=yes --superslave=yes --query-local-address=127.0.0.2 \
                 --slave-cycle-interval=300 --allow-unsigned-notify=no --allow-unsigned-supermaster=no &
 }
 
diff --git a/regression-tests.nobackend/supermaster-unsigned/command b/regression-tests.nobackend/supermaster-unsigned/command
index 86dde039276f..6311fd2d0195 100755
--- a/regression-tests.nobackend/supermaster-unsigned/command
+++ b/regression-tests.nobackend/supermaster-unsigned/command
@@ -85,7 +85,7 @@ start_slave()
 
         $RUNWRAPPER $PDNS2 --daemon=no --local-port=$slaveport --config-dir=. --module-dir=../regression-tests/modules \
                 --config-name=gsqlite3-slave --socket-dir=./ --no-shuffle --local-address=127.0.0.2 --local-ipv6= \
-                --slave --retrieval-threads=4 --slave=yes --supermaster=yes --query-local-address=127.0.0.2 \
+                --slave --retrieval-threads=4 --slave=yes --superslave=yes --query-local-address=127.0.0.2 \
                 --slave-cycle-interval=300 --dname-processing &
 }
 

From 1d7047524ff590531980f9836afdb7de3f8b652c Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Thu, 18 Apr 2019 10:05:03 +0200
Subject: [PATCH 096/127] rec: Move replaced negcache entries to the back of
 the expunge queue

Otherwise they might get expunged very quickly while they just have
been inserted.
---
 pdns/cachecleaner.hh                  | 12 ++++++
 pdns/recursordist/negcache.cc         |  2 +-
 pdns/recursordist/test-negcache_cc.cc | 53 +++++++++++++++++++++++++++
 3 files changed, 66 insertions(+), 1 deletion(-)

diff --git a/pdns/cachecleaner.hh b/pdns/cachecleaner.hh
index 1d80b1740cbf..884029858e1a 100644
--- a/pdns/cachecleaner.hh
+++ b/pdns/cachecleaner.hh
@@ -201,3 +201,15 @@ template <typename T> uint64_t purgeExactLockedCollection(T& mc, const DNSName&
 
   return delcount;
 }
+
+template<typename Index>
+std::pair<typename Index::iterator,bool>
+lruReplacingInsert(Index& i,const typename Index::value_type& x)
+{
+  std::pair<typename Index::iterator,bool> res = i.insert(x);
+  if (!res.second) {
+    moveCacheItemToBack(i, res.first);
+    res.second = i.replace(res.first, x);
+  }
+  return res;
+}
diff --git a/pdns/recursordist/negcache.cc b/pdns/recursordist/negcache.cc
index 0f5325c33a4f..f7f5646f45d3 100644
--- a/pdns/recursordist/negcache.cc
+++ b/pdns/recursordist/negcache.cc
@@ -101,7 +101,7 @@ bool NegCache::get(const DNSName& qname, const QType& qtype, const struct timeva
  * \param ne The NegCacheEntry to add to the cache
  */
 void NegCache::add(const NegCacheEntry& ne) {
-  replacing_insert(d_negcache, ne);
+  lruReplacingInsert(d_negcache, ne);
 }
 
 /*!
diff --git a/pdns/recursordist/test-negcache_cc.cc b/pdns/recursordist/test-negcache_cc.cc
index f5ddec76b9a8..b67874c2ee1f 100644
--- a/pdns/recursordist/test-negcache_cc.cc
+++ b/pdns/recursordist/test-negcache_cc.cc
@@ -264,6 +264,59 @@ BOOST_AUTO_TEST_CASE(test_prune) {
   BOOST_CHECK_EQUAL(cache.size(), 100);
 }
 
+BOOST_AUTO_TEST_CASE(test_prune_valid_entries) {
+  DNSName power1("powerdns.com.");
+  DNSName power2("powerdns-1.com.");
+  DNSName auth("com.");
+
+  struct timeval now;
+  Utility::gettimeofday(&now, 0);
+
+  NegCache cache;
+  NegCache::NegCacheEntry ne;
+
+  /* insert power1 then power2 */
+  ne = genNegCacheEntry(power1, auth, now);
+  cache.add(ne);
+  ne = genNegCacheEntry(power2, auth, now);
+  cache.add(ne);
+
+  BOOST_CHECK_EQUAL(cache.size(), 2);
+
+  /* power2 has been inserted more recently, so it should be
+     removed last */
+  cache.prune(1);
+  BOOST_CHECK_EQUAL(cache.size(), 1);
+
+  const NegCache::NegCacheEntry* got = nullptr;
+  bool ret = cache.get(power2, QType(1), now, &got);
+  BOOST_REQUIRE(ret);
+  BOOST_CHECK_EQUAL(got->d_name, power2);
+  BOOST_CHECK_EQUAL(got->d_auth, auth);
+
+  /* insert power1 back */
+  ne = genNegCacheEntry(power1, auth, now);
+  cache.add(ne);
+  BOOST_CHECK_EQUAL(cache.size(), 2);
+
+  /* replace the entry for power2 */
+  ne = genNegCacheEntry(power2, auth, now);
+  cache.add(ne);
+
+  BOOST_CHECK_EQUAL(cache.size(), 2);
+
+  /* power2 has been updated more recently, so it should be
+     removed last */
+  cache.prune(1);
+
+  BOOST_CHECK_EQUAL(cache.size(), 1);
+  got = nullptr;
+  ret = cache.get(power2, QType(1), now, &got);
+  BOOST_REQUIRE(ret);
+  BOOST_CHECK_EQUAL(got->d_name, power2);
+  BOOST_CHECK_EQUAL(got->d_auth, auth);
+}
+
 BOOST_AUTO_TEST_CASE(test_wipe_single) {
   string qname(".powerdns.com");
   DNSName auth("powerdns.com");

From ca8f16212f01fe99f4bf78812d7686e87be11e41 Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Thu, 18 Apr 2019 10:05:51 +0200
Subject: [PATCH 097/127] auth: Move replaced meta/key entries to the back of
 the expunge queue

Otherwise they might get expunged very quickly while they just have
been inserted.
---
 pdns/dbdnsseckeeper.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index e4aa0b528212..4af74100310a 100644
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -224,7 +224,7 @@ void DNSSECKeeper::getFromMeta(const DNSName& zname, const std::string& key, std
     nce.d_value = value;
     {
       WriteLock l(&s_metacachelock);
-      replacing_insert(s_metacache, nce);
+      lruReplacingInsert(s_metacache, nce);
     }
   }
 }
@@ -514,7 +514,7 @@ DNSSECKeeper::keyset_t DNSSECKeeper::getKeys(const DNSName& zone, bool useCache)
     kce.d_ttd = now + ttl;
     {
       WriteLock l(&s_keycachelock);
-      replacing_insert(s_keycache, kce);
+      lruReplacingInsert(s_keycache, kce);
     }
   }
 

From 0a4537718b3657dc29afbfac05279ef997dbbc3d Mon Sep 17 00:00:00 2001
From: Frank Louwers <frank@louwers.be>
Date: Thu, 18 Apr 2019 16:04:50 +0200
Subject: [PATCH 098/127] Point out that the sql schema is for 4.2/master in
 the guide.

---
 docs/guides/basic-database.rst | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/docs/guides/basic-database.rst b/docs/guides/basic-database.rst
index 0a832e37c739..cffe9dbbbd74 100644
--- a/docs/guides/basic-database.rst
+++ b/docs/guides/basic-database.rst
@@ -46,10 +46,24 @@ Example: configuring MySQL
 --------------------------
 
 Connect to MySQL as a user with sufficient privileges and issue the
-following commands:
+following commands below if you are running the 4.2 or master version of PowerDNS:
+
+Please find `the 4.1 schema on GitHub <https://github.com/PowerDNS/pdns/blob/rel/auth-4.1.x/modules/gmysqlbackend/schema.mysql.sql>`_.
+
 
 .. literalinclude:: ../../modules/gmysqlbackend/schema.mysql.sql
 
+We recommend you add the following MySQL statements as well. These will add
+foreign key constraints to the tables in order to automate deletion of records, key
+material, and other information upon deletion of a domain from the
+domains table. These will only work on the InnoDB storage engine, but if you
+followed our guide so far, that's exactly the engine we are using.
+
+The following SQL does the job:
+
+.. literalinclude:: ../../modules/gmysqlbackend/enable-foreign-keys.mysql.sql
+
+
 Now we have a database and an empty table. PowerDNS should now be able
 to launch in monitor mode and display no errors:
 

From 5a714e6cf6fbed01a56fd8f627d0e697ab353d1a Mon Sep 17 00:00:00 2001
From: Frank Louwers <frank@louwers.be>
Date: Thu, 18 Apr 2019 16:30:37 +0200
Subject: [PATCH 099/127] Make guide more clear

---
 docs/guides/basic-database.rst | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/docs/guides/basic-database.rst b/docs/guides/basic-database.rst
index 2c663a3f3451..8ad3cafe1269 100644
--- a/docs/guides/basic-database.rst
+++ b/docs/guides/basic-database.rst
@@ -223,7 +223,11 @@ test your nameserver as clients expect the nameserver to live on port
 Unable to launch, no backends configured for querying
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-PowerDNS did not find the ``launch=gmysql`` instruction in pdns.conf.
+You currently don't have a backend configured in the configuration file.
+Add a :ref:`setting-launch` statement for the backend you want to use.
+
+If you are following this guide and using a MySQL database as a backend,
+please add the ``launch=gmysql`` instruction to pdns.conf.
 
 Multiple IP addresses on your server, PowerDNS sending out answers on the wrong one, Massive amounts of 'recvfrom gave error, ignoring: Connection refused'
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From ade238636acb25cb41ac3380d9a1cd029140076c Mon Sep 17 00:00:00 2001
From: Frank Louwers <frank@louwers.be>
Date: Thu, 18 Apr 2019 16:42:13 +0200
Subject: [PATCH 100/127] Add documentation for pdnsutil delete-rrset and
 replace-rrset

---
 docs/manpages/pdnsutil.1.rst | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docs/manpages/pdnsutil.1.rst b/docs/manpages/pdnsutil.1.rst
index 3b02ccfbc75d..bec74b99d2d8 100644
--- a/docs/manpages/pdnsutil.1.rst
+++ b/docs/manpages/pdnsutil.1.rst
@@ -162,6 +162,8 @@ check-zone *ZONE*
 clear-zone *ZONE*
     Clear the records in zone *ZONE*, but leave actual domain and
     settings unchanged
+delete-rrset *ZONE* *NAME* *TYPE*
+    Delete named RRSET from zone.
 delete-zone *ZONE*:
     Delete the zone named *ZONE*.
 edit-zone *ZONE*
@@ -192,6 +194,8 @@ rectify-all-zones
     Calculates the 'ordername' and 'auth' fields for all zones so they
     comply with DNSSEC settings. Can be used to fix up migrated data.
     Can always safely be run, it does no harm.
+replace-rrset *ZONE* *NAME* *TYPE* [*TTL*] *CONTENT* [*CONTENT*..]
+    Replace existing *NAME* in zone *ZONE* with a new set.
 secure-zone *ZONE*
     Configures a zone called *ZONE* with reasonable DNSSEC settings. You
     should manually run 'pdnsutil rectify-zone' afterwards.

From 685e22a6a171e8df17ea934c50b7857f7429ebe5 Mon Sep 17 00:00:00 2001
From: Frank Louwers <frank@louwers.be>
Date: Thu, 18 Apr 2019 17:12:19 +0200
Subject: [PATCH 101/127] Fix typo

---
 modules/gmysqlbackend/enable-foreign-keys.mysql.sql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/gmysqlbackend/enable-foreign-keys.mysql.sql b/modules/gmysqlbackend/enable-foreign-keys.mysql.sql
index 391936c0062f..8f746f8dc870 100644
--- a/modules/gmysqlbackend/enable-foreign-keys.mysql.sql
+++ b/modules/gmysqlbackend/enable-foreign-keys.mysql.sql
@@ -3,7 +3,7 @@ Using this SQL causes Mysql to create foreign keys on your database. This will
 make sure that no records, comments or keys exists for domains that you already
 removed. This is not enabled by default, because we're not sure what the
 consequences are from a performance point of view. If you do have feedback,
-please let us know how this effects your setup.
+please let us know how this affects your setup.
 
 Please note that it's not possible to apply this, before you cleaned up your
 database, as the foreign keys do not exist.

From 5d75d3d939d9bf3329696a4e98148008c4944158 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Thu, 18 Apr 2019 17:31:37 +0200
Subject: [PATCH 102/127] Make the dont-throttle control channel funcs static

---
 pdns/rec_channel_rec.cc | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/pdns/rec_channel_rec.cc b/pdns/rec_channel_rec.cc
index 79830b600abe..4688b0eff437 100644
--- a/pdns/rec_channel_rec.cc
+++ b/pdns/rec_channel_rec.cc
@@ -1353,18 +1353,18 @@ static string* nopFunction()
   return new string("pong\n");
 }
 
-string getDontThrottleNames() {
+static string getDontThrottleNames() {
   auto dtn = g_dontThrottleNames.getLocal();
   return dtn->toString() + "\n";
 }
 
-string getDontThrottleNetmasks() {
+static string getDontThrottleNetmasks() {
   auto dtn = g_dontThrottleNetmasks.getLocal();
   return dtn->toString() + "\n";
 }
 
 template<typename T>
-string addDontThrottleNames(T begin, T end) {
+static string addDontThrottleNames(T begin, T end) {
   if (begin == end) {
     return "No names specified, keeping existing list\n";
   }
@@ -1400,7 +1400,7 @@ string addDontThrottleNames(T begin, T end) {
 }
 
 template<typename T>
-string addDontThrottleNetmasks(T begin, T end) {
+static string addDontThrottleNetmasks(T begin, T end) {
   if (begin == end) {
     return "No netmasks specified, keeping existing list\n";
   }
@@ -1439,7 +1439,7 @@ string addDontThrottleNetmasks(T begin, T end) {
 }
 
 template<typename T>
-string clearDontThrottleNames(T begin, T end) {
+static string clearDontThrottleNames(T begin, T end) {
   if(begin == end)
     return "No names specified, doing nothing.\n";
 
@@ -1485,7 +1485,7 @@ string clearDontThrottleNames(T begin, T end) {
 }
 
 template<typename T>
-string clearDontThrottleNetmasks(T begin, T end) {
+static string clearDontThrottleNetmasks(T begin, T end) {
   if(begin == end)
     return "No netmasks specified, doing nothing.\n";
 

From 5c8c72bf1e4cec59c31445cdc6d97e7669c74669 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Thu, 18 Apr 2019 17:47:27 +0200
Subject: [PATCH 103/127] Also don't throttle on SERVFAIL/REFUSED or TC over
 TCP

---
 pdns/syncres.cc | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 2c156c562f47..13482fb06876 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -2751,6 +2751,13 @@ bool SyncRes::doResolveAtThisIP(const std::string& prefix, const DNSName& qname,
   d_totUsec += lwr.d_usec;
   accountAuthLatency(lwr.d_usec, remoteIP.sin4.sin_family);
 
+  bool dontThrottle = false;
+  {
+    auto dontThrottleNames = g_dontThrottleNames.getLocal();
+    auto dontThrottleNetmasks = g_dontThrottleNetmasks.getLocal();
+    dontThrottle = dontThrottleNames->check(nsName) || dontThrottleNetmasks->match(remoteIP);
+  }
+
   if(resolveret != 1) {
     /* Error while resolving */
     if(resolveret == 0) {
@@ -2780,10 +2787,7 @@ bool SyncRes::doResolveAtThisIP(const std::string& prefix, const DNSName& qname,
       LOG(prefix<<qname<<": error resolving from "<<remoteIP.toString()<< (doTCP ? " over TCP" : "") <<", possible error: "<<strerror(errno)<< endl);
     }
 
-    auto dontThrottleNames = g_dontThrottleNames.getLocal();
-    auto dontThrottleNetmasks = g_dontThrottleNetmasks.getLocal();
-
-    if(resolveret != -2 && !chained && !(dontThrottleNames->check(nsName) || dontThrottleNetmasks->match(remoteIP))) {
+    if(resolveret != -2 && !chained && !dontThrottle) {
       // don't account for resource limits, they are our own fault
       // And don't throttle when the IP address is on the dontThrottleNetmasks list or the name is part of dontThrottleNames
       t_sstorage.nsSpeeds[nsName.empty()? DNSName(remoteIP.toStringWithPort()) : nsName].submit(remoteIP, 1000000, &d_now); // 1 sec
@@ -2810,7 +2814,7 @@ bool SyncRes::doResolveAtThisIP(const std::string& prefix, const DNSName& qname,
   /* we got an answer */
   if(lwr.d_rcode==RCode::ServFail || lwr.d_rcode==RCode::Refused) {
     LOG(prefix<<qname<<": "<<nsName<<" ("<<remoteIP.toString()<<") returned a "<< (lwr.d_rcode==RCode::ServFail ? "ServFail" : "Refused") << ", trying sibling IP or NS"<<endl);
-    if (!chained) {
+    if (!chained && !dontThrottle) {
       t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 60, 3);
     }
     return false;
@@ -2824,7 +2828,7 @@ bool SyncRes::doResolveAtThisIP(const std::string& prefix, const DNSName& qname,
   if(lwr.d_tcbit) {
     *truncated = true;
 
-    if (doTCP) {
+    if (doTCP && !dontThrottle) {
       LOG(prefix<<qname<<": truncated bit set, over TCP?"<<endl);
       /* let's treat that as a ServFail answer from this server */
       t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 60, 3);

From 74bf380cca855fcd102edb06cadecd7751f84a68 Mon Sep 17 00:00:00 2001
From: Remi Gacogne <rgacogne@users.noreply.github.com>
Date: Thu, 18 Apr 2019 17:48:34 +0200
Subject: [PATCH 104/127] Update pdns/recursordist/docs/settings.rst

Co-Authored-By: pieterlexis <pieterlexis@users.noreply.github.com>
---
 pdns/recursordist/docs/settings.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index c3ed19489570..03bffa5b5aaa 100644
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
@@ -266,7 +266,7 @@ Which domains we only accept delegations from (a Verisign special).
 -  Comma separated list of domain-names
 -  Default: (empty)
 
-When an authotitative server does not answer a query or sends a reply the recursor does lot like, it is throttled.
+When an authoritative server does not answer a query or sends a reply the recursor does not like, it is throttled.
 Any servers' name suffix-matching the supplied names will never be throttled.
 
 .. warning::

From 5e13f0b61b9a894908ca4f2cc3262ddadaee1e64 Mon Sep 17 00:00:00 2001
From: Remi Gacogne <rgacogne@users.noreply.github.com>
Date: Thu, 18 Apr 2019 17:48:41 +0200
Subject: [PATCH 105/127] Update pdns/recursordist/docs/settings.rst

Co-Authored-By: pieterlexis <pieterlexis@users.noreply.github.com>
---
 pdns/recursordist/docs/settings.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index 03bffa5b5aaa..cbd1c717a6b9 100644
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
@@ -281,7 +281,7 @@ Any servers' name suffix-matching the supplied names will never be throttled.
 -  Comma separated list of netmasks
 -  Default: (empty)
 
-When an authotitative server does not answer a query or sends a reply the recursor does lot like, it is throttled.
+When an authoritative server does not answer a query or sends a reply the recursor does not like, it is throttled.
 Any servers matching the supplied netmasks will never be throttled.
 
 This can come in handy on lossy networks when forwarding, where the same server is configured multiple times (e.g. with ``forward-zones-recurse=example.com=192.0.2.1;192.0.2.1``).

From b907c81334e3da2a679133024ccb84e7da73e653 Mon Sep 17 00:00:00 2001
From: Remi Gacogne <rgacogne@users.noreply.github.com>
Date: Thu, 18 Apr 2019 17:48:48 +0200
Subject: [PATCH 106/127] Update pdns/recursordist/docs/settings.rst

Co-Authored-By: pieterlexis <pieterlexis@users.noreply.github.com>
---
 pdns/recursordist/docs/settings.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index cbd1c717a6b9..a0e48683d629 100644
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
@@ -270,7 +270,7 @@ When an authoritative server does not answer a query or sends a reply the recurs
 Any servers' name suffix-matching the supplied names will never be throttled.
 
 .. warning::
-  Most servers on the internet do not respond for a good reason (overloaded or unreachable), ``dont-throttle-names`` could make this load on the upstream server even higher, resulting in further service degredation.
+  Most servers on the internet do not respond for a good reason (overloaded or unreachable), ``dont-throttle-names`` could make this load on the upstream server even higher, resulting in further service degradation.
 
 .. _setting-dont-throttle-netmasks:
 

From 74b2d7e002f604ccf15e558fd090812a1419bbae Mon Sep 17 00:00:00 2001
From: Remi Gacogne <rgacogne@users.noreply.github.com>
Date: Thu, 18 Apr 2019 17:48:57 +0200
Subject: [PATCH 107/127] Update pdns/recursordist/docs/settings.rst

Co-Authored-By: pieterlexis <pieterlexis@users.noreply.github.com>
---
 pdns/recursordist/docs/settings.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index a0e48683d629..bfe06cf9d88d 100644
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
@@ -289,7 +289,7 @@ By default, the PowerDNS Recursor would throttle the "first" server on a timeout
 In this case, ``dont-throttle-netmasks`` could be set to ``192.0.2.1``.
 
 .. warning::
-  Most servers on the internet do not respond for a good reason (overloaded or unreachable), ``dont-throttle-netmasks`` could make this load on the upstream server even higher, resulting in further service degredation.
+  Most servers on the internet do not respond for a good reason (overloaded or unreachable), ``dont-throttle-netmasks`` could make this load on the upstream server even higher, resulting in further service degradation.
 
 .. _setting-disable-packetcache:
 

From ad8222b350c961c2e2622ab54db9545e2de97b0c Mon Sep 17 00:00:00 2001
From: cvdwel <github@nospam.kritz.nl>
Date: Fri, 19 Apr 2019 09:36:04 +0200
Subject: [PATCH 108/127] Add export-zone-ds to pdnsutil man page

---
 docs/manpages/pdnsutil.1.rst | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/manpages/pdnsutil.1.rst b/docs/manpages/pdnsutil.1.rst
index 3b02ccfbc75d..753b3ad8f7e7 100644
--- a/docs/manpages/pdnsutil.1.rst
+++ b/docs/manpages/pdnsutil.1.rst
@@ -62,6 +62,8 @@ disable-dnssec *ZONE*
 export-zone-dnskey *ZONE* *KEY-ID*
     Export to standard output DNSKEY and DS of key with key id *KEY-ID*
     within zone called *ZONE*.
+export-zone-ds *ZONE*
+    Export to standard output all KSK DS records for *ZONE*.
 export-zone-key *ZONE* *KEY-ID*
     Export to standard output full (private) key with key id *KEY-ID*
     within zone called *ZONE*. The format used is compatible with BIND

From 25d6bb19dbc83586d7a44a039e09f1f3225fe494 Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Tue, 23 Apr 2019 17:16:06 +0200
Subject: [PATCH 109/127] dnsdist: Prepare secpoll and ChangeLog updates for
 1.4.0-alpha2

---
 docs/secpoll.zone                   |  3 ++-
 pdns/dnsdistdist/docs/changelog.rst | 35 +++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/docs/secpoll.zone b/docs/secpoll.zone
index 21c25746b962..802ac7ca874f 100644
--- a/docs/secpoll.zone
+++ b/docs/secpoll.zone
@@ -1,4 +1,4 @@
-@       86400   IN  SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2019041201 10800 3600 604800 10800
+@       86400   IN  SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2019042401 10800 3600 604800 10800
 @       3600    IN  NS  pdns-public-ns1.powerdns.com.
 @       3600    IN  NS  pdns-public-ns2.powerdns.com.
 ; Auth
@@ -301,3 +301,4 @@ recursor-4.0.0_beta1-1pdns.jessie.raspbian.security-status 60 IN TXT "3 Upgrade
 ; dnsdist
 dnsdist-1.3.3.security-status                              60 IN TXT "1 OK"
 dnsdist-1.4.0-alpha1.security-status                       60 IN TXT "1 OK"
+dnsdist-1.4.0-alpha2.security-status                       60 IN TXT "1 OK"
diff --git a/pdns/dnsdistdist/docs/changelog.rst b/pdns/dnsdistdist/docs/changelog.rst
index 3fea22211767..1008284c25a0 100644
--- a/pdns/dnsdistdist/docs/changelog.rst
+++ b/pdns/dnsdistdist/docs/changelog.rst
@@ -1,10 +1,45 @@
 Changelog
 =========
 
+.. changelog::
+  :version: 1.4.0-alpha2
+  :released: 24th of April 2019
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 7410
+
+    Ignore Path MTU discovery on UDP server socket
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 7708
+
+    Alternative solution to the unaligned accesses.
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 7718
+
+    Exit when setting ciphers fails (GnuTLS)
+
+  .. change::
+    :tags: New Features
+    :pullreq: 7726
+    :tickets: 6911, 7526
+
+    Add DNS over HTTPS support based on libh2o
+
 .. changelog::
   :version: 1.4.0-alpha1
   :released: 12th of April 2019
 
+ .. change::
+    :tags: New Features
+    :pullreq: 7209
+
+    Make recursor & dnsdist communicate (ECS) 'variable' status
+
  .. change::
     :tags: Improvements
     :pullreq: 7167

From eb7a2b0bb57a99eabaad99f1814505b766060e6e Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Thu, 11 Apr 2019 15:24:37 +0200
Subject: [PATCH 110/127] rec: Add a DNSSEC validation unit test for
 non-expanded wildcards

---
 pdns/recursordist/test-syncres_cc.cc | 50 ++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc
index f31f115e7216..af8be9a9498d 100644
--- a/pdns/recursordist/test-syncres_cc.cc
+++ b/pdns/recursordist/test-syncres_cc.cc
@@ -6608,6 +6608,56 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_wildcard_missing) {
   BOOST_CHECK_EQUAL(queriesCount, 9);
 }
 
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_non_expanded_wildcard) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("*.powerdns.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  sr->setAsyncCallback([target,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        if (domain == target) {
+          const auto auth = DNSName("powerdns.com.");
+          /* we don't want a cut there */
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+          addRRSIG(keys, res->d_records, auth, 300);
+          /* add a NSEC denying the DS */
+          std::set<uint16_t> types = { QType::NSEC };
+          addNSECRecordToLW(domain, DNSName("z") + domain, types, 600, res->d_records);
+          addRRSIG(keys, res->d_records, auth, 300);
+          return 1;
+        }
+        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+      }
+      else {
+        setLWResult(res, 0, true, false, true);
+        addRecordToLW(res, domain, QType::A, "192.0.2.42");
+        addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300, false, boost::none, DNSName("*.powerdns.com"));
+        return 1;
+      }
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+}
+
 BOOST_AUTO_TEST_CASE(test_dnssec_no_ds_on_referral_secure) {
   std::unique_ptr<SyncRes> sr;
   initSR(sr, true);

From 3f675ceb96804190951f2bfda1e67b9dfdaab10e Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Thu, 25 Apr 2019 10:15:02 +0200
Subject: [PATCH 111/127] rec: Add a 'query for a wildcard-like expanded from a
 wildcard' test

---
 pdns/recursordist/test-syncres_cc.cc | 73 ++++++++++++++++++++++++++--
 1 file changed, 70 insertions(+), 3 deletions(-)

diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc
index af8be9a9498d..52b601a209ad 100644
--- a/pdns/recursordist/test-syncres_cc.cc
+++ b/pdns/recursordist/test-syncres_cc.cc
@@ -6608,9 +6608,9 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_wildcard_missing) {
   BOOST_CHECK_EQUAL(queriesCount, 9);
 }
 
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_non_expanded_wildcard) {
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_wildcard_expanded_onto_itself) {
   std::unique_ptr<SyncRes> sr;
-  initSR(sr, true, true);
+  initSR(sr, true);
 
   setDNSSECValidation(sr, DNSSECMode::ValidateAll);
 
@@ -6647,6 +6647,10 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_non_expanded_wildcard) {
         setLWResult(res, 0, true, false, true);
         addRecordToLW(res, domain, QType::A, "192.0.2.42");
         addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300, false, boost::none, DNSName("*.powerdns.com"));
+        /* we don't _really_ need to add the proof that the exact name does not exist because it does,
+           it's the wildcard itself, but let's do it so other validators don't choke on it */
+        addNSECRecordToLW(DNSName("*.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+        addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
         return 1;
       }
     });
@@ -6655,7 +6659,70 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_non_expanded_wildcard) {
   int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
   BOOST_CHECK_EQUAL(res, RCode::NoError);
   BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  /* A + RRSIG, NSEC + RRSIG */
+  BOOST_REQUIRE_EQUAL(ret.size(), 4);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_wildcard_like_expanded_from_wildcard) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("*.sub.powerdns.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  sr->setAsyncCallback([target,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        if (domain == target) {
+          const auto auth = DNSName("powerdns.com.");
+          /* we don't want a cut there */
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+          addRRSIG(keys, res->d_records, auth, 300);
+          addNSECRecordToLW(DNSName("*.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
+          return 1;
+        }
+        else if (domain == DNSName("sub.powerdns.com.")) {
+          const auto auth = DNSName("powerdns.com.");
+          /* we don't want a cut there */
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+          addRRSIG(keys, res->d_records, auth, 300);
+          /* add a NSEC denying the DS */
+          addNSECRecordToLW(DNSName("*.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
+          return 1;
+        }
+        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+      }
+      else {
+        setLWResult(res, 0, true, false, true);
+        addRecordToLW(res, domain, QType::A, "192.0.2.42");
+        addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300, false, boost::none, DNSName("*.powerdns.com"));
+        addNSECRecordToLW(DNSName("*.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+        addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
+        return 1;
+      }
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  /* A + RRSIG, NSEC + RRSIG */
+  BOOST_REQUIRE_EQUAL(ret.size(), 4);
 }
 
 BOOST_AUTO_TEST_CASE(test_dnssec_no_ds_on_referral_secure) {

From 78cdf5200924d327911345e1053e6e7de26dc34b Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Thu, 11 Apr 2019 15:25:10 +0200
Subject: [PATCH 112/127] rec: Fix DNSSEC validation of wildcards expanded onto
 themselves

---
 pdns/syncres.cc  | 30 +++++++++++++++++++++---------
 pdns/syncres.hh  |  4 ++--
 pdns/validate.cc | 36 +++++++++++++++++++++++++++++++++---
 pdns/validate.hh |  2 ++
 4 files changed, 58 insertions(+), 14 deletions(-)

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 1b71d3c190b1..72b67e56d20c 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -2162,7 +2162,7 @@ void SyncRes::sanitizeRecords(const std::string& prefix, LWResult& lwr, const DN
   }
 }
 
-RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional<Netmask> ednsmask, vState& state, bool& needWildcardProof, unsigned int& wildcardLabelsCount, bool rdQuery)
+RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional<Netmask> ednsmask, vState& state, bool& needWildcardProof, bool& gatherWildcardProof, unsigned int& wildcardLabelsCount, bool rdQuery)
 {
   bool wasForwardRecurse = wasForwarded && rdQuery;
   tcache_t tcache;
@@ -2190,7 +2190,7 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
     /* if we have a positive answer synthetized from a wildcard,
        we need to store the corresponding NSEC/NSEC3 records proving
        that the exact name did not exist in the negative cache */
-    if(needWildcardProof) {
+    if(gatherWildcardProof) {
       if (nsecTypes.count(rec.d_type)) {
         authorityRecs.push_back(std::make_shared<DNSRecord>(rec));
       }
@@ -2208,9 +2208,20 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
            count can be lower than the name's label count if it was
            synthetized from the wildcard. Note that the difference might
            be > 1. */
-        if (rec.d_name == qname && rrsig->d_labels < labelCount) {
-          LOG(prefix<<qname<<": RRSIG indicates the name was synthetized from a wildcard, we need a wildcard proof"<<endl);
-          needWildcardProof = true;
+        if (rec.d_name == qname && isWildcardExpanded(labelCount, rrsig)) {
+          gatherWildcardProof = true;
+          if (!isWildcardExpandedOntoItself(rec.d_name, labelCount, rrsig)) {
+            /* if we have a wildcard expanded onto itself, we don't need to prove
+               that the exact name doesn't exist because it actually does.
+               We still want to gather the corresponding NSEC/NSEC3 records
+               to pass them to our client in case it wants to validate by itself.
+            */
+            LOG(prefix<<qname<<": RRSIG indicates the name was synthetized from a wildcard, we need a wildcard proof"<<endl);
+            needWildcardProof = true;
+          }
+          else {
+            LOG(prefix<<qname<<": RRSIG indicates the name was synthetized from a wildcard expanded onto itself, we need to gather wildcard proof"<<endl);
+          }
           wildcardLabelsCount = rrsig->d_labels;
         }
 
@@ -2483,7 +2494,7 @@ dState SyncRes::getDenialValidationState(const NegCache::NegCacheEntry& ne, cons
   return getDenial(csp, ne.d_name, ne.d_qtype.getCode(), referralToUnsigned, expectedState == NXQTYPE);
 }
 
-bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const unsigned int wildcardLabelsCount)
+bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const bool gatherWildcardProof, const unsigned int wildcardLabelsCount)
 {
   bool done = false;
 
@@ -2554,7 +2565,7 @@ bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, co
     /* if we have a positive answer synthetized from a wildcard, we need to
        return the corresponding NSEC/NSEC3 records from the AUTHORITY section
        proving that the exact name did not exist */
-    else if(needWildcardProof && (rec.d_type==QType::RRSIG || rec.d_type==QType::NSEC || rec.d_type==QType::NSEC3) && rec.d_place==DNSResourceRecord::AUTHORITY) {
+    else if(gatherWildcardProof && (rec.d_type==QType::RRSIG || rec.d_type==QType::NSEC || rec.d_type==QType::NSEC3) && rec.d_place==DNSResourceRecord::AUTHORITY) {
       ret.push_back(rec); // enjoy your DNSSEC
     }
     // for ANY answers we *must* have an authoritative answer, unless we are forwarding recursively
@@ -2857,8 +2868,9 @@ bool SyncRes::processAnswer(unsigned int depth, LWResult& lwr, const DNSName& qn
   }
 
   bool needWildcardProof = false;
+  bool gatherWildcardProof = false;
   unsigned int wildcardLabelsCount;
-  *rcode = updateCacheFromRecords(depth, lwr, qname, qtype, auth, wasForwarded, ednsmask, state, needWildcardProof, wildcardLabelsCount, sendRDQuery);
+  *rcode = updateCacheFromRecords(depth, lwr, qname, qtype, auth, wasForwarded, ednsmask, state, needWildcardProof, gatherWildcardProof, wildcardLabelsCount, sendRDQuery);
   if (*rcode != RCode::NoError) {
     return true;
   }
@@ -2870,7 +2882,7 @@ bool SyncRes::processAnswer(unsigned int depth, LWResult& lwr, const DNSName& qn
   DNSName newauth;
   DNSName newtarget;
 
-  bool done = processRecords(prefix, qname, qtype, auth, lwr, sendRDQuery, ret, nsset, newtarget, newauth, realreferral, negindic, state, needWildcardProof, wildcardLabelsCount);
+  bool done = processRecords(prefix, qname, qtype, auth, lwr, sendRDQuery, ret, nsset, newtarget, newauth, realreferral, negindic, state, needWildcardProof, gatherWildcardProof, wildcardLabelsCount);
 
   if(done){
     LOG(prefix<<qname<<": status=got results, this level of recursion done"<<endl);
diff --git a/pdns/syncres.hh b/pdns/syncres.hh
index a28ca22c57a3..9295811d041e 100644
--- a/pdns/syncres.hh
+++ b/pdns/syncres.hh
@@ -789,8 +789,8 @@ private:
   vector<ComboAddress> retrieveAddressesForNS(const std::string& prefix, const DNSName& qname, vector<DNSName >::const_iterator& tns, const unsigned int depth, set<GetBestNSAnswer>& beenthere, const vector<DNSName >& rnameservers, NsSet& nameservers, bool& sendRDQuery, bool& pierceDontQuery, bool& flawedNSSet, bool cacheOnly);
 
   void sanitizeRecords(const std::string& prefix, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, bool rdQuery);
-  RCode::rcodes_ updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional<Netmask>, vState& state, bool& needWildcardProof, unsigned int& wildcardLabelsCount, bool sendRDQuery);
-  bool processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const unsigned int wildcardLabelsCount);
+  RCode::rcodes_ updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional<Netmask>, vState& state, bool& needWildcardProof, bool& gatherWildcardProof, unsigned int& wildcardLabelsCount, bool sendRDQuery);
+  bool processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const bool gatherwildcardProof, const unsigned int wildcardLabelsCount);
 
   bool doSpecialNamesResolve(const DNSName &qname, const QType &qtype, const uint16_t qclass, vector<DNSRecord> &ret);
 
diff --git a/pdns/validate.cc b/pdns/validate.cc
index c9d17c86e204..ab7fa3d9e25d 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -112,6 +112,15 @@ bool denialProvesNoDelegation(const DNSName& zone, const std::vector<DNSRecord>&
    Labels field of the covering RRSIG RR, then the RRset and its
    covering RRSIG RR were created as a result of wildcard expansion."
 */
+bool isWildcardExpanded(unsigned int labelCount, const std::shared_ptr<RRSIGRecordContent>& sign)
+{
+  if (sign && sign->d_labels < labelCount) {
+    return true;
+  }
+
+  return false;
+}
+
 static bool isWildcardExpanded(const DNSName& owner, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures)
 {
   if (signatures.empty()) {
@@ -120,13 +129,29 @@ static bool isWildcardExpanded(const DNSName& owner, const std::vector<std::shar
 
   const auto& sign = signatures.at(0);
   unsigned int labelsCount = owner.countLabels();
-  if (sign && sign->d_labels < labelsCount) {
+  return isWildcardExpanded(labelsCount, sign);
+}
+
+bool isWildcardExpandedOntoItself(const DNSName& owner, unsigned int labelCount, const std::shared_ptr<RRSIGRecordContent>& sign)
+{
+  if (owner.isWildcard() && (labelCount - 1) == sign->d_labels) {
+    /* this is a wildcard alright, but it has not been expanded */
     return true;
   }
-
   return false;
 }
 
+static bool isWildcardExpandedOntoItself(const DNSName& owner, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures)
+{
+  if (signatures.empty()) {
+    return false;
+  }
+
+  const auto& sign = signatures.at(0);
+  unsigned int labelsCount = owner.countLabels();
+  return isWildcardExpandedOntoItself(owner, labelsCount, sign);
+}
+
 /* if this is a wildcard NSEC, the owner name has been modified
    to match the name. Make sure we use the original '*' form. */
 static DNSName getNSECOwnerName(const DNSName& initialOwner, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures)
@@ -381,7 +406,7 @@ dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, const uint16
           /* we know that the name exists (but this qtype doesn't) so except
              if the answer was generated by a wildcard expansion, no wildcard
              could have matched (rfc4035 section 5.4 bullet 1) */
-          if (!isWildcardExpanded(owner, v.second.signatures)) {
+          if (!isWildcardExpanded(owner, v.second.signatures) || isWildcardExpandedOntoItself(owner, v.second.signatures)) {
             needWildcardProof = false;
           }
 
@@ -395,6 +420,7 @@ dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, const uint16
 
         /* check if the whole NAME is denied existing */
         if(isCoveredByNSEC(qname, owner, nsec->d_next)) {
+          LOG(qname<<" is covered ");
           /* if the name is an ENT and we received a NODATA answer,
              we are fine with a NSEC proving that the name does not exist. */
           if (wantsNoDataProof && nsecProvesENT(qname, owner, nsec->d_next)) {
@@ -403,15 +429,19 @@ dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, const uint16
           }
 
           if (!needWildcardProof) {
+            LOG("and we did not need a wildcard proof"<<endl);
             return NXDOMAIN;
           }
 
+          LOG("but we do need a wildcard proof so ");
           if (wantsNoDataProof) {
+            LOG("looking for NODATA proof"<<endl);
             if (provesNoDataWildCard(qname, qtype, validrrsets)) {
               return NXQTYPE;
             }
           }
           else {
+            LOG("looking for NO wildcard proof"<<endl);
             if (provesNoWildCard(qname, qtype, validrrsets)) {
               return NXDOMAIN;
             }
diff --git a/pdns/validate.hh b/pdns/validate.hh
index d58b49206307..b30fca1c6e79 100644
--- a/pdns/validate.hh
+++ b/pdns/validate.hh
@@ -77,3 +77,5 @@ bool isSupportedDS(const DSRecordContent& ds);
 DNSName getSigner(const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures);
 bool denialProvesNoDelegation(const DNSName& zone, const std::vector<DNSRecord>& dsrecords);
 bool isRRSIGNotExpired(const time_t now, const shared_ptr<RRSIGRecordContent> sig);
+bool isWildcardExpanded(unsigned int labelCount, const std::shared_ptr<RRSIGRecordContent>& sign);
+bool isWildcardExpandedOntoItself(const DNSName& owner, unsigned int labelCount, const std::shared_ptr<RRSIGRecordContent>& sign);

From ac228d8da839c44bfad40a6faa73f1293ff5859d Mon Sep 17 00:00:00 2001
From: Chris Hofstaedtler <chris.hofstaedtler@deduktiva.com>
Date: Thu, 25 Apr 2019 15:37:50 +0200
Subject: [PATCH 113/127] Debian packages: remove duplicated dnsdomain2.schema

---
 .../debian-buster/config/dnsdomain2.schema    | 195 ------------------
 .../debian-buster/pdns-backend-ldap.install   |   2 +-
 .../debian-jessie/config/dnsdomain2.schema    | 195 ------------------
 .../debian-jessie/pdns-backend-ldap.install   |   2 +-
 .../debian-stretch/config/dnsdomain2.schema   | 195 ------------------
 .../debian-stretch/pdns-backend-ldap.install  |   2 +-
 .../ubuntu-trusty/config/dnsdomain2.schema    | 195 ------------------
 .../ubuntu-trusty/pdns-backend-ldap.install   |   2 +-
 8 files changed, 4 insertions(+), 784 deletions(-)
 delete mode 100644 builder-support/debian/authoritative/debian-buster/config/dnsdomain2.schema
 delete mode 100644 builder-support/debian/authoritative/debian-jessie/config/dnsdomain2.schema
 delete mode 100644 builder-support/debian/authoritative/debian-stretch/config/dnsdomain2.schema
 delete mode 100644 builder-support/debian/authoritative/ubuntu-trusty/config/dnsdomain2.schema

diff --git a/builder-support/debian/authoritative/debian-buster/config/dnsdomain2.schema b/builder-support/debian/authoritative/debian-buster/config/dnsdomain2.schema
deleted file mode 100644
index a89aeafb3746..000000000000
--- a/builder-support/debian/authoritative/debian-buster/config/dnsdomain2.schema
+++ /dev/null
@@ -1,195 +0,0 @@
-# A schema for storing DNS zones in LDAP
-#
-# ORDERING is not necessary, and some servers don't support
-# integerOrderingMatch. Omit or change if you like
-
-attributetype ( 1.3.6.1.4.1.2428.20.0.0  NAME 'dNSTTL'
-	DESC 'An integer denoting time to live'
-	EQUALITY integerMatch
-	ORDERING integerOrderingMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass'
-	DESC 'The class of a resource record'
-	EQUALITY caseIgnoreIA5Match
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.11 NAME 'wKSRecord'
-	DESC 'a well known service description, RFC 1035'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord'
-	DESC 'domain name pointer, RFC 1035'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord'
-	DESC 'host information, RFC 1035'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord'
-	DESC 'mailbox or mail list information, RFC 1035'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord'
-	DESC 'text string, RFC 1035'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.17 NAME 'rPRecord'
-	DESC 'for Responsible Person, RFC 1183'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord'
-	DESC 'for AFS Data Base location, RFC 1183'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord'
-	DESC 'Signature, RFC 2535'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord'
-	DESC 'Key, RFC 2535'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.27 NAME 'gPosRecord'
-	DESC 'Geographical Position, RFC 1712'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord'
-	DESC 'IPv6 address, RFC 1886'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord'
-	DESC 'Location, RFC 1876'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord'
-	DESC 'non-existant, RFC 2535'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord'
-	DESC 'service location, RFC 2782'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord'
-	DESC 'Naming Authority Pointer, RFC 2915'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord'
-	DESC 'Key Exchange Delegation, RFC 2230'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord'
-	DESC 'certificate, RFC 2538'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record'
-	DESC 'A6 Record Type, RFC 2874'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord'
-	DESC 'Non-Terminal DNS Name Redirection, RFC 2672'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.42 NAME 'aPLRecord'
-	DESC 'Lists of Address Prefixes, RFC 3123'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord'
-	DESC 'Delegation Signer, RFC 3658'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord'
-	DESC 'SSH Key Fingerprint, RFC 4255'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.45 NAME 'iPSecKeyRecord'
-	DESC 'SSH Key Fingerprint, RFC 4025'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord'
-	DESC 'RRSIG, RFC 3755'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord'
-	DESC 'NSEC, RFC 3755'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.48 NAME 'dNSKeyRecord'
-	DESC 'DNSKEY, RFC 3755'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.49 NAME 'dHCIDRecord'
-	DESC 'DHCID, RFC 4701'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.99 NAME 'sPFRecord'
-	DESC 'Sender Policy Framework, RFC 4408'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-objectclass ( 1.3.6.1.4.1.2428.20.2 NAME 'dNSDomain2'
-	SUP 'dNSDomain' STRUCTURAL
-	MAY ( DNSTTL $ DNSClass $ WKSRecord $ PTRRecord $
-		HINFORecord $ MINFORecord $ TXTRecord $ RPRecord $
-		AFSDBRecord $ SIGRecord $ KEYRecord $ GPOSRecord $
-		AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $
-		NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $
-		DNAMERecord $ APLRecord $ DSRecord $ SSHFPRecord $
-		IPSECKEYRecord $ RRSIGRecord $ NSECRecord $
-		DNSKEYRecord $ DHCIDRecord $ SPFRecord
-	) )
diff --git a/builder-support/debian/authoritative/debian-buster/pdns-backend-ldap.install b/builder-support/debian/authoritative/debian-buster/pdns-backend-ldap.install
index 6375d07009e6..b16c18224522 100644
--- a/builder-support/debian/authoritative/debian-buster/pdns-backend-ldap.install
+++ b/builder-support/debian/authoritative/debian-buster/pdns-backend-ldap.install
@@ -1,3 +1,3 @@
-debian/config/dnsdomain2.schema etc/ldap/schema/
+modules/ldapbackend/dnsdomain2.schema etc/ldap/schema/
 usr/bin/zone2ldap usr/bin/
 usr/lib/*/pdns/libldapbackend.so*
diff --git a/builder-support/debian/authoritative/debian-jessie/config/dnsdomain2.schema b/builder-support/debian/authoritative/debian-jessie/config/dnsdomain2.schema
deleted file mode 100644
index a89aeafb3746..000000000000
--- a/builder-support/debian/authoritative/debian-jessie/config/dnsdomain2.schema
+++ /dev/null
@@ -1,195 +0,0 @@
-# A schema for storing DNS zones in LDAP
-#
-# ORDERING is not necessary, and some servers don't support
-# integerOrderingMatch. Omit or change if you like
-
-attributetype ( 1.3.6.1.4.1.2428.20.0.0  NAME 'dNSTTL'
-	DESC 'An integer denoting time to live'
-	EQUALITY integerMatch
-	ORDERING integerOrderingMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass'
-	DESC 'The class of a resource record'
-	EQUALITY caseIgnoreIA5Match
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.11 NAME 'wKSRecord'
-	DESC 'a well known service description, RFC 1035'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord'
-	DESC 'domain name pointer, RFC 1035'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord'
-	DESC 'host information, RFC 1035'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord'
-	DESC 'mailbox or mail list information, RFC 1035'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord'
-	DESC 'text string, RFC 1035'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.17 NAME 'rPRecord'
-	DESC 'for Responsible Person, RFC 1183'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord'
-	DESC 'for AFS Data Base location, RFC 1183'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord'
-	DESC 'Signature, RFC 2535'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord'
-	DESC 'Key, RFC 2535'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.27 NAME 'gPosRecord'
-	DESC 'Geographical Position, RFC 1712'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord'
-	DESC 'IPv6 address, RFC 1886'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord'
-	DESC 'Location, RFC 1876'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord'
-	DESC 'non-existant, RFC 2535'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord'
-	DESC 'service location, RFC 2782'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord'
-	DESC 'Naming Authority Pointer, RFC 2915'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord'
-	DESC 'Key Exchange Delegation, RFC 2230'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord'
-	DESC 'certificate, RFC 2538'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record'
-	DESC 'A6 Record Type, RFC 2874'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord'
-	DESC 'Non-Terminal DNS Name Redirection, RFC 2672'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.42 NAME 'aPLRecord'
-	DESC 'Lists of Address Prefixes, RFC 3123'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord'
-	DESC 'Delegation Signer, RFC 3658'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord'
-	DESC 'SSH Key Fingerprint, RFC 4255'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.45 NAME 'iPSecKeyRecord'
-	DESC 'SSH Key Fingerprint, RFC 4025'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord'
-	DESC 'RRSIG, RFC 3755'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord'
-	DESC 'NSEC, RFC 3755'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.48 NAME 'dNSKeyRecord'
-	DESC 'DNSKEY, RFC 3755'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.49 NAME 'dHCIDRecord'
-	DESC 'DHCID, RFC 4701'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.99 NAME 'sPFRecord'
-	DESC 'Sender Policy Framework, RFC 4408'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-objectclass ( 1.3.6.1.4.1.2428.20.2 NAME 'dNSDomain2'
-	SUP 'dNSDomain' STRUCTURAL
-	MAY ( DNSTTL $ DNSClass $ WKSRecord $ PTRRecord $
-		HINFORecord $ MINFORecord $ TXTRecord $ RPRecord $
-		AFSDBRecord $ SIGRecord $ KEYRecord $ GPOSRecord $
-		AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $
-		NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $
-		DNAMERecord $ APLRecord $ DSRecord $ SSHFPRecord $
-		IPSECKEYRecord $ RRSIGRecord $ NSECRecord $
-		DNSKEYRecord $ DHCIDRecord $ SPFRecord
-	) )
diff --git a/builder-support/debian/authoritative/debian-jessie/pdns-backend-ldap.install b/builder-support/debian/authoritative/debian-jessie/pdns-backend-ldap.install
index 6375d07009e6..b16c18224522 100644
--- a/builder-support/debian/authoritative/debian-jessie/pdns-backend-ldap.install
+++ b/builder-support/debian/authoritative/debian-jessie/pdns-backend-ldap.install
@@ -1,3 +1,3 @@
-debian/config/dnsdomain2.schema etc/ldap/schema/
+modules/ldapbackend/dnsdomain2.schema etc/ldap/schema/
 usr/bin/zone2ldap usr/bin/
 usr/lib/*/pdns/libldapbackend.so*
diff --git a/builder-support/debian/authoritative/debian-stretch/config/dnsdomain2.schema b/builder-support/debian/authoritative/debian-stretch/config/dnsdomain2.schema
deleted file mode 100644
index a89aeafb3746..000000000000
--- a/builder-support/debian/authoritative/debian-stretch/config/dnsdomain2.schema
+++ /dev/null
@@ -1,195 +0,0 @@
-# A schema for storing DNS zones in LDAP
-#
-# ORDERING is not necessary, and some servers don't support
-# integerOrderingMatch. Omit or change if you like
-
-attributetype ( 1.3.6.1.4.1.2428.20.0.0  NAME 'dNSTTL'
-	DESC 'An integer denoting time to live'
-	EQUALITY integerMatch
-	ORDERING integerOrderingMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass'
-	DESC 'The class of a resource record'
-	EQUALITY caseIgnoreIA5Match
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.11 NAME 'wKSRecord'
-	DESC 'a well known service description, RFC 1035'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord'
-	DESC 'domain name pointer, RFC 1035'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord'
-	DESC 'host information, RFC 1035'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord'
-	DESC 'mailbox or mail list information, RFC 1035'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord'
-	DESC 'text string, RFC 1035'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.17 NAME 'rPRecord'
-	DESC 'for Responsible Person, RFC 1183'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord'
-	DESC 'for AFS Data Base location, RFC 1183'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord'
-	DESC 'Signature, RFC 2535'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord'
-	DESC 'Key, RFC 2535'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.27 NAME 'gPosRecord'
-	DESC 'Geographical Position, RFC 1712'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord'
-	DESC 'IPv6 address, RFC 1886'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord'
-	DESC 'Location, RFC 1876'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord'
-	DESC 'non-existant, RFC 2535'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord'
-	DESC 'service location, RFC 2782'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord'
-	DESC 'Naming Authority Pointer, RFC 2915'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord'
-	DESC 'Key Exchange Delegation, RFC 2230'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord'
-	DESC 'certificate, RFC 2538'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record'
-	DESC 'A6 Record Type, RFC 2874'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord'
-	DESC 'Non-Terminal DNS Name Redirection, RFC 2672'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.42 NAME 'aPLRecord'
-	DESC 'Lists of Address Prefixes, RFC 3123'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord'
-	DESC 'Delegation Signer, RFC 3658'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord'
-	DESC 'SSH Key Fingerprint, RFC 4255'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.45 NAME 'iPSecKeyRecord'
-	DESC 'SSH Key Fingerprint, RFC 4025'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord'
-	DESC 'RRSIG, RFC 3755'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord'
-	DESC 'NSEC, RFC 3755'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.48 NAME 'dNSKeyRecord'
-	DESC 'DNSKEY, RFC 3755'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.49 NAME 'dHCIDRecord'
-	DESC 'DHCID, RFC 4701'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.99 NAME 'sPFRecord'
-	DESC 'Sender Policy Framework, RFC 4408'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-objectclass ( 1.3.6.1.4.1.2428.20.2 NAME 'dNSDomain2'
-	SUP 'dNSDomain' STRUCTURAL
-	MAY ( DNSTTL $ DNSClass $ WKSRecord $ PTRRecord $
-		HINFORecord $ MINFORecord $ TXTRecord $ RPRecord $
-		AFSDBRecord $ SIGRecord $ KEYRecord $ GPOSRecord $
-		AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $
-		NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $
-		DNAMERecord $ APLRecord $ DSRecord $ SSHFPRecord $
-		IPSECKEYRecord $ RRSIGRecord $ NSECRecord $
-		DNSKEYRecord $ DHCIDRecord $ SPFRecord
-	) )
diff --git a/builder-support/debian/authoritative/debian-stretch/pdns-backend-ldap.install b/builder-support/debian/authoritative/debian-stretch/pdns-backend-ldap.install
index 6375d07009e6..b16c18224522 100644
--- a/builder-support/debian/authoritative/debian-stretch/pdns-backend-ldap.install
+++ b/builder-support/debian/authoritative/debian-stretch/pdns-backend-ldap.install
@@ -1,3 +1,3 @@
-debian/config/dnsdomain2.schema etc/ldap/schema/
+modules/ldapbackend/dnsdomain2.schema etc/ldap/schema/
 usr/bin/zone2ldap usr/bin/
 usr/lib/*/pdns/libldapbackend.so*
diff --git a/builder-support/debian/authoritative/ubuntu-trusty/config/dnsdomain2.schema b/builder-support/debian/authoritative/ubuntu-trusty/config/dnsdomain2.schema
deleted file mode 100644
index a89aeafb3746..000000000000
--- a/builder-support/debian/authoritative/ubuntu-trusty/config/dnsdomain2.schema
+++ /dev/null
@@ -1,195 +0,0 @@
-# A schema for storing DNS zones in LDAP
-#
-# ORDERING is not necessary, and some servers don't support
-# integerOrderingMatch. Omit or change if you like
-
-attributetype ( 1.3.6.1.4.1.2428.20.0.0  NAME 'dNSTTL'
-	DESC 'An integer denoting time to live'
-	EQUALITY integerMatch
-	ORDERING integerOrderingMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass'
-	DESC 'The class of a resource record'
-	EQUALITY caseIgnoreIA5Match
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.11 NAME 'wKSRecord'
-	DESC 'a well known service description, RFC 1035'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord'
-	DESC 'domain name pointer, RFC 1035'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord'
-	DESC 'host information, RFC 1035'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord'
-	DESC 'mailbox or mail list information, RFC 1035'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord'
-	DESC 'text string, RFC 1035'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.17 NAME 'rPRecord'
-	DESC 'for Responsible Person, RFC 1183'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord'
-	DESC 'for AFS Data Base location, RFC 1183'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord'
-	DESC 'Signature, RFC 2535'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord'
-	DESC 'Key, RFC 2535'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.27 NAME 'gPosRecord'
-	DESC 'Geographical Position, RFC 1712'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord'
-	DESC 'IPv6 address, RFC 1886'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord'
-	DESC 'Location, RFC 1876'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord'
-	DESC 'non-existant, RFC 2535'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord'
-	DESC 'service location, RFC 2782'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord'
-	DESC 'Naming Authority Pointer, RFC 2915'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord'
-	DESC 'Key Exchange Delegation, RFC 2230'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord'
-	DESC 'certificate, RFC 2538'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record'
-	DESC 'A6 Record Type, RFC 2874'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord'
-	DESC 'Non-Terminal DNS Name Redirection, RFC 2672'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.42 NAME 'aPLRecord'
-	DESC 'Lists of Address Prefixes, RFC 3123'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord'
-	DESC 'Delegation Signer, RFC 3658'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord'
-	DESC 'SSH Key Fingerprint, RFC 4255'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.45 NAME 'iPSecKeyRecord'
-	DESC 'SSH Key Fingerprint, RFC 4025'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord'
-	DESC 'RRSIG, RFC 3755'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord'
-	DESC 'NSEC, RFC 3755'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.48 NAME 'dNSKeyRecord'
-	DESC 'DNSKEY, RFC 3755'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.49 NAME 'dHCIDRecord'
-	DESC 'DHCID, RFC 4701'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( 1.3.6.1.4.1.2428.20.1.99 NAME 'sPFRecord'
-	DESC 'Sender Policy Framework, RFC 4408'
-	EQUALITY caseIgnoreIA5Match
-	SUBSTR caseIgnoreIA5SubstringsMatch
-	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-objectclass ( 1.3.6.1.4.1.2428.20.2 NAME 'dNSDomain2'
-	SUP 'dNSDomain' STRUCTURAL
-	MAY ( DNSTTL $ DNSClass $ WKSRecord $ PTRRecord $
-		HINFORecord $ MINFORecord $ TXTRecord $ RPRecord $
-		AFSDBRecord $ SIGRecord $ KEYRecord $ GPOSRecord $
-		AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $
-		NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $
-		DNAMERecord $ APLRecord $ DSRecord $ SSHFPRecord $
-		IPSECKEYRecord $ RRSIGRecord $ NSECRecord $
-		DNSKEYRecord $ DHCIDRecord $ SPFRecord
-	) )
diff --git a/builder-support/debian/authoritative/ubuntu-trusty/pdns-backend-ldap.install b/builder-support/debian/authoritative/ubuntu-trusty/pdns-backend-ldap.install
index 6375d07009e6..b16c18224522 100644
--- a/builder-support/debian/authoritative/ubuntu-trusty/pdns-backend-ldap.install
+++ b/builder-support/debian/authoritative/ubuntu-trusty/pdns-backend-ldap.install
@@ -1,3 +1,3 @@
-debian/config/dnsdomain2.schema etc/ldap/schema/
+modules/ldapbackend/dnsdomain2.schema etc/ldap/schema/
 usr/bin/zone2ldap usr/bin/
 usr/lib/*/pdns/libldapbackend.so*

From f13236afee21437b947ae991061ae2ab1f8b9f56 Mon Sep 17 00:00:00 2001
From: JP Mens <jp@mens.de>
Date: Thu, 25 Apr 2019 20:43:40 +0200
Subject: [PATCH 114/127] pdns_control reopens geoip databases on reload

closes https://github.com/PowerDNS/pdns/issues/7752
---
 docs/backends/geoip.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/backends/geoip.rst b/docs/backends/geoip.rst
index dfadcebc7714..b86d45643a34 100644
--- a/docs/backends/geoip.rst
+++ b/docs/backends/geoip.rst
@@ -94,7 +94,7 @@ caching options described
 ``geoip-zones-file``
 ~~~~~~~~~~~~~~~~~~~~
 
-Specifies the full path of the zone configuration file to use.
+Specifies the full path of the zone configuration file to use. The file is re-opened with a ``pdns_control reload''.
 
 .. _setting-geoip-dnssec-keydir:
 

From 4e144f1d386150a7917bbca4a5d9939b8aa4f925 Mon Sep 17 00:00:00 2001
From: Peter van Dijk <peter.van.dijk@powerdns.com>
Date: Thu, 25 Apr 2019 18:15:51 +0200
Subject: [PATCH 115/127] macos pycurl: require curl-openssl from brew

---
 regression-tests.dnsdist/runtests | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/regression-tests.dnsdist/runtests b/regression-tests.dnsdist/runtests
index e83d947c85d8..251e76a6a79d 100755
--- a/regression-tests.dnsdist/runtests
+++ b/regression-tests.dnsdist/runtests
@@ -16,7 +16,21 @@ if [ ! -d .venv ]; then
 fi
 . .venv/bin/activate
 python -V
+
+if [ `uname -s` == Darwin ]
+then
+  if [ ! -e /usr/local/opt/curl-openssl ]
+  then
+    echo Please run: brew install curl-openssl, and try again
+    exit 1
+  else
+    export PYCURL_CURL_CONFIG=/usr/local/opt/curl-openssl/bin/curl-config
+    export LDFLAGS=-L/usr/local/opt/openssl/lib
+    export CPPFLAGS=-I/usr/local/opt/openssl/include
+  fi
+fi
 pip install -r requirements.txt
+
 protoc -I=../pdns/ --python_out=. ../pdns/dnsmessage.proto
 protoc -I=../pdns/ --python_out=. ../pdns/dnstap.proto
 

From 82b439d72ade205918dbd9f5ebe3924441d0688b Mon Sep 17 00:00:00 2001
From: Peter van Dijk <peter.van.dijk@powerdns.com>
Date: Thu, 25 Apr 2019 22:49:15 +0200
Subject: [PATCH 116/127] add DoT and DoH requirements to dnsdist testing
 README

---
 regression-tests.dnsdist/README | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/regression-tests.dnsdist/README b/regression-tests.dnsdist/README
index 09780c58146d..bfa46bc6058b 100644
--- a/regression-tests.dnsdist/README
+++ b/regression-tests.dnsdist/README
@@ -9,10 +9,9 @@ DNSDISTBIN=../pdns/dnsdistdist/dnsdist ./runtests
 The tests are self-contained and require no further nameservers to be
 installed.
 
-However, do make sure to build a dnsdist with libsodium and dnscrypt support
-as otherwise some tests will fail.
+However, do make sure to build a dnsdist with libsodium, dnscrypt, DoT and DoH
+support as otherwise some tests will fail.
 
 To run a specific test, use something like:
 
 ./runtests test_Advanced.py:TestAdvancedSpoof.testSpoofActionMultiA
-

From 6f3abc6be08cdb184916b3cd043327395d168e7a Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Fri, 26 Apr 2019 09:42:02 +0200
Subject: [PATCH 117/127] dnsdist: Update the release date for 1.4.0-alpha2

---
 docs/secpoll.zone                   | 2 +-
 pdns/dnsdistdist/docs/changelog.rst | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/secpoll.zone b/docs/secpoll.zone
index 802ac7ca874f..f72b334decce 100644
--- a/docs/secpoll.zone
+++ b/docs/secpoll.zone
@@ -1,4 +1,4 @@
-@       86400   IN  SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2019042401 10800 3600 604800 10800
+@       86400   IN  SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2019042601 10800 3600 604800 10800
 @       3600    IN  NS  pdns-public-ns1.powerdns.com.
 @       3600    IN  NS  pdns-public-ns2.powerdns.com.
 ; Auth
diff --git a/pdns/dnsdistdist/docs/changelog.rst b/pdns/dnsdistdist/docs/changelog.rst
index 1008284c25a0..884a5ad2217c 100644
--- a/pdns/dnsdistdist/docs/changelog.rst
+++ b/pdns/dnsdistdist/docs/changelog.rst
@@ -3,7 +3,7 @@ Changelog
 
 .. changelog::
   :version: 1.4.0-alpha2
-  :released: 24th of April 2019
+  :released: 26th of April 2019
 
   .. change::
     :tags: Improvements

From e783871943f842fdcf573c17ee7ea87bcfe597a9 Mon Sep 17 00:00:00 2001
From: Kees Monshouwer <mind04@monshouwer.org>
Date: Fri, 26 Apr 2019 12:08:58 +0200
Subject: [PATCH 118/127] auth: add comments to explain the DS referall logic

---
 pdns/packethandler.cc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 40ae41871d56..8bc108a06a12 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -1455,6 +1455,9 @@ DNSPacket *PacketHandler::doQuestion(DNSPacket *p)
       bool doReferral = true;
       if(d_dk.doesDNSSEC()) {
         for(auto& loopRR: rrset) {
+          // In a dnssec capable backend auth=true means, there is no delagation at
+          // or above this qname in this zone (for DS queries). Without a delegation,
+          // at or above this level, it is pointless to search for refferals.
           if(loopRR.auth) {
             doReferral = false;
             break;
@@ -1462,6 +1465,8 @@ DNSPacket *PacketHandler::doQuestion(DNSPacket *p)
         }
       } else {
         for(auto& loopRR: rrset) {
+          // In a non dnssec capable backend auth is always true, so our only option
+          // is, always look for referals. Unless there is a direct match for DS.
           if(loopRR.dr.d_type == QType::DS) {
             doReferral = false;
             break;

From 450fc44578db84bd51cfb52b0d6b2d727b706cce Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Fri, 26 Apr 2019 14:36:15 +0200
Subject: [PATCH 119/127] dnsdist: Include dnsnameset.rst in the reference
 index

---
 pdns/dnsdistdist/docs/reference/constants.rst | 2 +-
 pdns/dnsdistdist/docs/reference/index.rst     | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/pdns/dnsdistdist/docs/reference/constants.rst b/pdns/dnsdistdist/docs/reference/constants.rst
index 03793cfa2cb6..4df9586a49b4 100644
--- a/pdns/dnsdistdist/docs/reference/constants.rst
+++ b/pdns/dnsdistdist/docs/reference/constants.rst
@@ -21,7 +21,7 @@ Reference: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#
 .. _DNSClass:
 
 DNSClass
-------
+--------
 
 These constants represent the `CLASS <https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-2>`__ of a DNS record.
 
diff --git a/pdns/dnsdistdist/docs/reference/index.rst b/pdns/dnsdistdist/docs/reference/index.rst
index 1df3ce56b13b..7f7f3ece4265 100644
--- a/pdns/dnsdistdist/docs/reference/index.rst
+++ b/pdns/dnsdistdist/docs/reference/index.rst
@@ -11,6 +11,7 @@ These chapters contain extensive information on all functions and object availab
   comboaddress
   netmaskgroup
   dnsname
+  dnsnameset
   dq
   ebpf
   dnscrypt

From ee271fc486ba93bd8bee65197b54f7eeaa73fe14 Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Wed, 13 Mar 2019 11:35:42 +0100
Subject: [PATCH 120/127] rec: Add a distribution-pipe-buffer-size setting

---
 pdns/misc.cc                        | 33 +++++++++++++++++++++++++++++
 pdns/misc.hh                        |  5 ++++-
 pdns/pdns_recursor.cc               | 16 ++++++++++++++
 pdns/recursordist/docs/settings.rst | 15 +++++++++++++
 4 files changed, 68 insertions(+), 1 deletion(-)

diff --git a/pdns/misc.cc b/pdns/misc.cc
index 9b6eea36d56b..1f90bbcbd14c 100644
--- a/pdns/misc.cc
+++ b/pdns/misc.cc
@@ -1485,3 +1485,36 @@ std::vector<ComboAddress> getResolvers(const std::string& resolvConfPath)
 
   return results;
 }
+
+size_t getPipeBufferSize(int fd)
+{
+#ifdef F_GETPIPE_SZ
+  int res = fcntl(fd, F_GETPIPE_SZ);
+  if (res == -1) {
+    return 0;
+  }
+  return res;
+#else
+  errno = ENOSYS;
+  return 0;
+#endif /* F_GETPIPE_SZ */
+}
+
+bool setPipeBufferSize(int fd, size_t size)
+{
+#ifdef F_SETPIPE_SZ
+  if (size > std::numeric_limits<int>::max()) {
+    errno = EINVAL;
+    return false;
+  }
+  int newSize = static_cast<int>(size);
+  int res = fcntl(fd, F_SETPIPE_SZ, newSize);
+  if (res == -1) {
+    return false;
+  }
+  return true;
+#else
+  errno = ENOSYS;
+  return false;
+#endif /* F_SETPIPE_SZ */
+}
diff --git a/pdns/misc.hh b/pdns/misc.hh
index 9adfe35dc410..ee255e9b9093 100644
--- a/pdns/misc.hh
+++ b/pdns/misc.hh
@@ -537,8 +537,11 @@ bool isNonBlocking(int sock);
 bool setReceiveSocketErrors(int sock, int af);
 int closesocket(int fd);
 bool setCloseOnExec(int sock);
-uint64_t udpErrorStats(const std::string& str);
 
+size_t getPipeBufferSize(int fd);
+bool setPipeBufferSize(int fd, size_t size);
+
+uint64_t udpErrorStats(const std::string& str);
 uint64_t getRealMemoryUsage(const std::string&);
 uint64_t getSpecialMemoryUsage(const std::string&);
 uint64_t getOpenFileDescriptors(const std::string&);
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index d0b8b121c28f..1e171080c002 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -2781,6 +2781,11 @@ static void houseKeeping(void *)
 
 static void makeThreadPipes()
 {
+  auto pipeBufferSize = ::arg().asNum("distribution-pipe-buffer-size");
+  if (pipeBufferSize > 0) {
+    g_log<<Logger::Info<<"Resizing the buffer of the distribution pipe to "<<pipeBufferSize<<endl;
+  }
+
   /* thread 0 is the handler / SNMP, we start at 1 */
   for(unsigned int n = 1; n <= (g_numWorkerThreads + g_numDistributorThreads); ++n) {
     auto& threadInfos = s_threadInfos.at(n);
@@ -2804,6 +2809,16 @@ static void makeThreadPipes()
     threadInfos.pipes.readQueriesToThread = fd[0];
     threadInfos.pipes.writeQueriesToThread = fd[1];
 
+    if (pipeBufferSize > 0) {
+      if (!setPipeBufferSize(threadInfos.pipes.writeQueriesToThread, pipeBufferSize)) {
+        g_log<<Logger::Warning<<"Error resizing the buffer of the distribution pipe for thread "<<n<<" to "<<pipeBufferSize<<": "<<strerror(errno)<<endl;
+        auto existingSize = getPipeBufferSize(threadInfos.pipes.writeQueriesToThread);
+        if (existingSize > 0) {
+          g_log<<Logger::Warning<<"The current size of the distribution pipe's buffer for thread "<<n<<" is "<<existingSize<<endl;
+        }
+      }
+    }
+
     if (!setNonBlocking(threadInfos.pipes.writeQueriesToThread)) {
       unixDie("Making pipe for inter-thread communications non-blocking");
     }
@@ -4402,6 +4417,7 @@ int main(int argc, char **argv)
     ::arg().set("max-recursion-depth", "Maximum number of internal recursion calls per query, 0 for unlimited")="40";
     ::arg().set("max-udp-queries-per-round", "Maximum number of UDP queries processed per recvmsg() round, before returning back to normal processing")="10000";
     ::arg().set("protobuf-use-kernel-timestamp", "Compute the latency of queries in protobuf messages by using the timestamp set by the kernel when the query was received (when available)")="";
+    ::arg().set("distribution-pipe-buffer-size", "Size in bytes of the internal buffer of the pipe used by the distributor to pass incoming queries to a worker thread")="0";
 
     ::arg().set("include-dir","Include *.conf files from this directory")="";
     ::arg().set("security-poll-suffix","Domain name from which to query security update notifications")="secpoll.powerdns.com.";
diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index 5bb081fa83a4..5405bb3a0928 100644
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
@@ -331,6 +331,21 @@ average load. This helps making sure that all the workers have roughly the same
 share of queries, even if the incoming traffic is very skewed, with a larger
 number of requests asking for the same qname.
 
+.. _setting-distribution-pipe-buffer-size:
+
+``distribution-pipe-buffer-size``
+---------------------------------
+.. versionadded:: 4.2.0
+
+-  Integer
+-  Default: 0
+
+Size in bytes of the internal buffer of the pipe used by the distributor to pass incoming queries to a worker thread.
+Requires support for `F_SETPIPE_SZ` which is present in Linux since 2.6.35. The actual size might be rounded up to
+a multiple of a page size. 0 means that the OS default size is used.
+A large buffer might allow the recursor to deal with very short-lived load spikes during which a worker thread gets
+overloaded, but it will be at the cost of an increased latency.
+
 .. _setting-distributor-threads:
 
 ``distributor-threads``

From 27d675113c8f8c047e8504bc25dc4291e00c80f5 Mon Sep 17 00:00:00 2001
From: JP Mens <jp@mens.de>
Date: Mon, 29 Apr 2019 19:04:04 +0200
Subject: [PATCH 121/127] s/ZSK/CSK

---
 docs/dnssec/pdnsutil.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/dnssec/pdnsutil.rst b/docs/dnssec/pdnsutil.rst
index b2836a1570be..9c35f65eaacd 100644
--- a/docs/dnssec/pdnsutil.rst
+++ b/docs/dnssec/pdnsutil.rst
@@ -16,7 +16,7 @@ DNSSEC Defaults
 
 Since version 4.0, when securing a zone using ``pdnsutil secure-zone``,
 a single ECDSA (algorithm 13, ECDSAP256SHA256) key is generated that is
-used as ZSK. Before 4.0, 3 RSA (algorithm 8) keys were generated, one as
+used as CSK. Before 4.0, 3 RSA (algorithm 8) keys were generated, one as
 the KSK and two ZSKs. As all keys are online in the database, it made no
 sense to have this split-key setup.
 

From 8667566989128b515328f3d9cbd5410cbdbe6cb6 Mon Sep 17 00:00:00 2001
From: Otto Moerbeek <otto.moerbeek@open-xchange.com>
Date: Tue, 30 Apr 2019 10:57:10 +0200
Subject: [PATCH 122/127] Split test-syncres_cc.cc into multiple files to make
 them more digestible.  The split is done without looking at groups of tests.
 We might want to change that.

---
 pdns/recursordist/Makefile.am         |    10 +
 pdns/recursordist/test-syncres_cc.cc  | 11358 +-----------------------
 pdns/recursordist/test-syncres_cc.hh  |    81 +
 pdns/recursordist/test-syncres_cc1.cc |  1708 ++++
 pdns/recursordist/test-syncres_cc2.cc |  1032 +++
 pdns/recursordist/test-syncres_cc3.cc |  1303 +++
 pdns/recursordist/test-syncres_cc4.cc |  1281 +++
 pdns/recursordist/test-syncres_cc5.cc |  1520 ++++
 pdns/recursordist/test-syncres_cc6.cc |   993 +++
 pdns/recursordist/test-syncres_cc7.cc |  1390 +++
 pdns/recursordist/test-syncres_cc8.cc |  1035 +++
 pdns/recursordist/test-syncres_cc9.cc |  1115 +++
 12 files changed, 11519 insertions(+), 11307 deletions(-)
 create mode 100644 pdns/recursordist/test-syncres_cc.hh
 create mode 100644 pdns/recursordist/test-syncres_cc1.cc
 create mode 100644 pdns/recursordist/test-syncres_cc2.cc
 create mode 100644 pdns/recursordist/test-syncres_cc3.cc
 create mode 100644 pdns/recursordist/test-syncres_cc4.cc
 create mode 100644 pdns/recursordist/test-syncres_cc5.cc
 create mode 100644 pdns/recursordist/test-syncres_cc6.cc
 create mode 100644 pdns/recursordist/test-syncres_cc7.cc
 create mode 100644 pdns/recursordist/test-syncres_cc8.cc
 create mode 100644 pdns/recursordist/test-syncres_cc9.cc

diff --git a/pdns/recursordist/Makefile.am b/pdns/recursordist/Makefile.am
index 2d7052b1b1c1..9d1faba044ac 100644
--- a/pdns/recursordist/Makefile.am
+++ b/pdns/recursordist/Makefile.am
@@ -272,7 +272,17 @@ testrunner_SOURCES = \
 	test-recpacketcache_cc.cc \
 	test-recursorcache_cc.cc \
 	test-signers.cc \
+	test-syncres_cc.hh \
 	test-syncres_cc.cc \
+	test-syncres_cc1.cc \
+	test-syncres_cc2.cc \
+	test-syncres_cc3.cc \
+	test-syncres_cc4.cc \
+	test-syncres_cc5.cc \
+	test-syncres_cc6.cc \
+	test-syncres_cc7.cc \
+	test-syncres_cc8.cc \
+	test-syncres_cc9.cc \
 	test-tsig.cc \
 	test-xpf_cc.cc \
 	testrunner.cc \
diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc
index 9634dcfe916b..ffaa2ce20035 100644
--- a/pdns/recursordist/test-syncres_cc.cc
+++ b/pdns/recursordist/test-syncres_cc.cc
@@ -1,19 +1,10 @@
 #define BOOST_TEST_DYN_LINK
-#define BOOST_TEST_NO_MAIN
 #include <boost/test/unit_test.hpp>
 
-#include "arguments.hh"
 #include "base32.hh"
-#include "dnssecinfra.hh"
-#include "dnsseckeeper.hh"
 #include "lua-recursor4.hh"
-#include "namespaces.hh"
-#include "rec-lua-conf.hh"
 #include "root-dnssec.hh"
-#include "syncres.hh"
-#include "test-common.hh"
-#include "utility.hh"
-#include "validate-recursor.hh"
+#include "test-syncres_cc.hh"
 
 RecursorStats g_stats;
 GlobalStateHolder<LuaConfigItems> g_luaconfs;
@@ -101,7 +92,7 @@ LuaConfigItems::LuaConfigItems()
 
 /* Some helpers functions */
 
-static void init(bool debug=false)
+void initSR(bool debug)
 {
   g_log.setName("test");
   g_log.disableSyslog(true);
@@ -174,9 +165,10 @@ static void init(bool debug=false)
   ::arg().set("version-string", "string reported on version.pdns or version.bind")="PowerDNS Unit Tests";
   ::arg().set("rng")="auto";
   ::arg().set("entropy-source")="/dev/urandom";
+  ::arg().setSwitch("qname-minimisation", "Use Query Name Minimisation") = "no";
 }
 
-static void initSR(std::unique_ptr<SyncRes>& sr, bool dnssec=false, bool debug=false, time_t fakeNow=0)
+void initSR(std::unique_ptr<SyncRes>& sr, bool dnssec, bool debug, time_t fakeNow)
 {
   struct timeval now;
   if (fakeNow > 0) {
@@ -187,7 +179,7 @@ static void initSR(std::unique_ptr<SyncRes>& sr, bool dnssec=false, bool debug=f
     Utility::gettimeofday(&now, 0);
   }
 
-  init(debug);
+  initSR(debug);
 
   sr = std::unique_ptr<SyncRes>(new SyncRes(now));
   sr->setDoEDNS0(true);
@@ -201,13 +193,18 @@ static void initSR(std::unique_ptr<SyncRes>& sr, bool dnssec=false, bool debug=f
   SyncRes::clearNegCache();
 }
 
-static void setDNSSECValidation(std::unique_ptr<SyncRes>& sr, const DNSSECMode& mode)
+void setDNSSECValidation(std::unique_ptr<SyncRes>& sr, const DNSSECMode& mode)
 {
   sr->setDNSSECValidationRequested(true);
   g_dnssecmode = mode;
 }
 
-static void setLWResult(LWResult* res, int rcode, bool aa=false, bool tc=false, bool edns=false, bool validpacket=true)
+void setDoQNameMinimisation(void)
+{
+  ::arg().setSwitch("qname-minimisation", "") = "yes";
+}
+
+void setLWResult(LWResult* res, int rcode, bool aa, bool tc, bool edns, bool validpacket)
 {
   res->d_rcode = rcode;
   res->d_aabit = aa;
@@ -216,17 +213,17 @@ static void setLWResult(LWResult* res, int rcode, bool aa=false, bool tc=false,
   res->d_validpacket = validpacket;
 }
 
-static void addRecordToLW(LWResult* res, const DNSName& name, uint16_t type, const std::string& content, DNSResourceRecord::Place place=DNSResourceRecord::ANSWER, uint32_t ttl=60)
+void addRecordToLW(LWResult* res, const DNSName& name, uint16_t type, const std::string& content, DNSResourceRecord::Place place, uint32_t ttl)
 {
   addRecordToList(res->d_records, name, type, content, place, ttl);
 }
 
-static void addRecordToLW(LWResult* res, const std::string& name, uint16_t type, const std::string& content, DNSResourceRecord::Place place=DNSResourceRecord::ANSWER, uint32_t ttl=60)
+void addRecordToLW(LWResult* res, const std::string& name, uint16_t type, const std::string& content, DNSResourceRecord::Place place, uint32_t ttl)
 {
   addRecordToLW(res, DNSName(name), type, content, place, ttl);
 }
 
-static bool isRootServer(const ComboAddress& ip)
+bool isRootServer(const ComboAddress& ip)
 {
   if (ip.isIPv4()) {
     for (size_t idx = 0; idx < rootIps4Count; idx++) {
@@ -246,7 +243,7 @@ static bool isRootServer(const ComboAddress& ip)
   return false;
 }
 
-static void computeRRSIG(const DNSSECPrivateKey& dpk, const DNSName& signer, const DNSName& signQName, uint16_t signQType, uint32_t signTTL, uint32_t sigValidity, RRSIGRecordContent& rrc, vector<shared_ptr<DNSRecordContent> >& toSign, boost::optional<uint8_t> algo=boost::none, boost::optional<uint32_t> inception=boost::none, boost::optional<time_t> now=boost::none)
+void computeRRSIG(const DNSSECPrivateKey& dpk, const DNSName& signer, const DNSName& signQName, uint16_t signQType, uint32_t signTTL, uint32_t sigValidity, RRSIGRecordContent& rrc, vector<shared_ptr<DNSRecordContent> >& toSign, boost::optional<uint8_t> algo, boost::optional<uint32_t> inception, boost::optional<time_t> now)
 {
   if (!now) {
     now = time(nullptr);
@@ -271,7 +268,7 @@ static void computeRRSIG(const DNSSECPrivateKey& dpk, const DNSName& signer, con
 
 typedef std::unordered_map<DNSName, std::pair<DNSSECPrivateKey, DSRecordContent> > testkeysset_t;
 
-static bool addRRSIG(const testkeysset_t& keys, std::vector<DNSRecord>& records, const DNSName& signer, uint32_t sigValidity, bool broken=false, boost::optional<uint8_t> algo=boost::none, boost::optional<DNSName> wildcard=boost::none, boost::optional<time_t> now=boost::none)
+bool addRRSIG(const testkeysset_t& keys, std::vector<DNSRecord>& records, const DNSName& signer, uint32_t sigValidity, bool broken, boost::optional<uint8_t> algo, boost::optional<DNSName> wildcard, boost::optional<time_t> now)
 {
   if (records.empty()) {
     return false;
@@ -311,7 +308,7 @@ static bool addRRSIG(const testkeysset_t& keys, std::vector<DNSRecord>& records,
   return true;
 }
 
-static void addDNSKEY(const testkeysset_t& keys, const DNSName& signer, uint32_t ttl, std::vector<DNSRecord>& records)
+void addDNSKEY(const testkeysset_t& keys, const DNSName& signer, uint32_t ttl, std::vector<DNSRecord>& records)
 {
   const auto it = keys.find(signer);
   if (it == keys.cend()) {
@@ -328,7 +325,7 @@ static void addDNSKEY(const testkeysset_t& keys, const DNSName& signer, uint32_t
   records.push_back(rec);
 }
 
-static bool addDS(const DNSName& domain, uint32_t ttl, std::vector<DNSRecord>& records, const testkeysset_t& keys, DNSResourceRecord::Place place=DNSResourceRecord::AUTHORITY)
+bool addDS(const DNSName& domain, uint32_t ttl, std::vector<DNSRecord>& records, const testkeysset_t& keys, DNSResourceRecord::Place place)
 {
   const auto it = keys.find(domain);
   if (it == keys.cend()) {
@@ -346,7 +343,7 @@ static bool addDS(const DNSName& domain, uint32_t ttl, std::vector<DNSRecord>& r
   return true;
 }
 
-static void addNSECRecordToLW(const DNSName& domain, const DNSName& next, const std::set<uint16_t>& types,  uint32_t ttl, std::vector<DNSRecord>& records)
+void addNSECRecordToLW(const DNSName& domain, const DNSName& next, const std::set<uint16_t>& types,  uint32_t ttl, std::vector<DNSRecord>& records)
 {
   NSECRecordContent nrc;
   nrc.d_next = next;
@@ -364,7 +361,7 @@ static void addNSECRecordToLW(const DNSName& domain, const DNSName& next, const
   records.push_back(rec);
 }
 
-static void addNSEC3RecordToLW(const DNSName& hashedName, const std::string& hashedNext, const std::string& salt, unsigned int iterations, const std::set<uint16_t>& types,  uint32_t ttl, std::vector<DNSRecord>& records)
+void addNSEC3RecordToLW(const DNSName& hashedName, const std::string& hashedNext, const std::string& salt, unsigned int iterations, const std::set<uint16_t>& types,  uint32_t ttl, std::vector<DNSRecord>& records)
 {
   NSEC3RecordContent nrc;
   nrc.d_algorithm = 1;
@@ -386,7 +383,7 @@ static void addNSEC3RecordToLW(const DNSName& hashedName, const std::string& has
   records.push_back(rec);
 }
 
-static void addNSEC3UnhashedRecordToLW(const DNSName& domain, const DNSName& zone, const std::string& next, const std::set<uint16_t>& types,  uint32_t ttl, std::vector<DNSRecord>& records, unsigned int iterations=10)
+void addNSEC3UnhashedRecordToLW(const DNSName& domain, const DNSName& zone, const std::string& next, const std::set<uint16_t>& types,  uint32_t ttl, std::vector<DNSRecord>& records, unsigned int iterations)
 {
   static const std::string salt = "deadbeef";
   std::string hashed = hashQNameWithSalt(salt, iterations, domain);
@@ -394,7 +391,7 @@ static void addNSEC3UnhashedRecordToLW(const DNSName& domain, const DNSName& zon
   addNSEC3RecordToLW(DNSName(toBase32Hex(hashed)) + zone, next, salt, iterations, types, ttl, records);
 }
 
-static void addNSEC3NarrowRecordToLW(const DNSName& domain, const DNSName& zone, const std::set<uint16_t>& types,  uint32_t ttl, std::vector<DNSRecord>& records, unsigned int iterations=10)
+void addNSEC3NarrowRecordToLW(const DNSName& domain, const DNSName& zone, const std::set<uint16_t>& types,  uint32_t ttl, std::vector<DNSRecord>& records, unsigned int iterations)
 {
   static const std::string salt = "deadbeef";
   std::string hashed = hashQNameWithSalt(salt, iterations, domain);
@@ -405,7 +402,7 @@ static void addNSEC3NarrowRecordToLW(const DNSName& domain, const DNSName& zone,
   addNSEC3RecordToLW(DNSName(toBase32Hex(hashed)) + zone, hashedNext, salt, iterations, types, ttl, records);
 }
 
-static void generateKeyMaterial(const DNSName& name, unsigned int algo, uint8_t digest, testkeysset_t& keys)
+void generateKeyMaterial(const DNSName& name, unsigned int algo, uint8_t digest, testkeysset_t& keys)
 {
   auto dcke = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(algo));
   dcke->create((algo <= 10) ? 2048 : dcke->getBits());
@@ -416,13 +413,13 @@ static void generateKeyMaterial(const DNSName& name, unsigned int algo, uint8_t
   keys[name] = std::pair<DNSSECPrivateKey,DSRecordContent>(dpk,ds);
 }
 
-static void generateKeyMaterial(const DNSName& name, unsigned int algo, uint8_t digest, testkeysset_t& keys, map<DNSName,dsmap_t>& dsAnchors)
+void generateKeyMaterial(const DNSName& name, unsigned int algo, uint8_t digest, testkeysset_t& keys, map<DNSName,dsmap_t>& dsAnchors)
 {
   generateKeyMaterial(name, algo, digest, keys);
   dsAnchors[name].insert(keys[name].second);
 }
 
-static int genericDSAndDNSKEYHandler(LWResult* res, const DNSName& domain, DNSName auth, int type, const testkeysset_t& keys, bool proveCut=true)
+int genericDSAndDNSKEYHandler(LWResult* res, const DNSName& domain, DNSName auth, int type, const testkeysset_t& keys, bool proveCut)
 {
   if (type == QType::DS) {
     auth.chopOff();
@@ -464,11287 +461,34 @@ static int genericDSAndDNSKEYHandler(LWResult* res, const DNSName& domain, DNSNa
   return 0;
 }
 
-/* Real tests */
-
-BOOST_AUTO_TEST_SUITE(syncres_cc)
-
-BOOST_AUTO_TEST_CASE(test_root_primed) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("a.root-servers.net.");
-
-  /* we are primed, we should be able to resolve A a.root-servers.net. without any query */
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(ret[0].d_name, target);
-
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::AAAA), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::AAAA);
-  BOOST_CHECK_EQUAL(ret[0].d_name, target);
-}
-
-BOOST_AUTO_TEST_CASE(test_root_primed_ns) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-  const DNSName target(".");
-
-  /* we are primed, but we should not be able to NS . without any query
-   because the . NS entry is not stored as authoritative */
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (domain == target && type == QType::NS) {
-
-        setLWResult(res, 0, true, false, true);
-        char addr[] = "a.root-servers.net.";
-        for (char idx = 'a'; idx <= 'm'; idx++) {
-          addr[0] = idx;
-          addRecordToLW(res, g_rootdnsname, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);
-        }
-
-        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
-        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 13);
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_root_not_primed) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (domain == g_rootdnsname && type == QType::NS) {
-        setLWResult(res, 0, true, false, true);
-        addRecordToLW(res, g_rootdnsname, QType::NS, "a.root-servers.net.", DNSResourceRecord::ANSWER, 3600);
-        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
-        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  /* we are not primed yet, so SyncRes will have to call primeHints()
-     then call getRootNS(), for which at least one of the root servers needs to answer */
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(DNSName("."), QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-  BOOST_CHECK_EQUAL(queriesCount, 2);
-}
-
-BOOST_AUTO_TEST_CASE(test_root_not_primed_and_no_response) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-  std::set<ComboAddress> downServers;
-
-  /* we are not primed yet, so SyncRes will have to call primeHints()
-     then call getRootNS(), for which at least one of the root servers needs to answer.
-     None will, so it should ServFail.
-  */
-  sr->setAsyncCallback([&downServers](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      downServers.insert(ip);
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(DNSName("."), QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::ServFail);
-  BOOST_CHECK_EQUAL(ret.size(), 0);
-  BOOST_CHECK(downServers.size() > 0);
-  /* we explicitly refuse to mark the root servers down */
-  for (const auto& server : downServers) {
-    BOOST_CHECK_EQUAL(SyncRes::getServerFailsCount(server), 0);
-  }
-}
-
-BOOST_AUTO_TEST_CASE(test_edns_formerr_fallback) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  ComboAddress noEDNSServer;
-  size_t queriesWithEDNS = 0;
-  size_t queriesWithoutEDNS = 0;
-
-  sr->setAsyncCallback([&queriesWithEDNS, &queriesWithoutEDNS, &noEDNSServer](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      if (EDNS0Level != 0) {
-        queriesWithEDNS++;
-        noEDNSServer = ip;
-
-        setLWResult(res, RCode::FormErr);
-        return 1;
-      }
-
-      queriesWithoutEDNS++;
-
-      if (domain == DNSName("powerdns.com") && type == QType::A && !doTCP) {
-        setLWResult(res, 0, true, false, false);
-        addRecordToLW(res, domain, QType::A, "192.0.2.1");
-        return 1;
-      }
-
-      return 0;
-    });
-
-  primeHints();
-
-  /* fake that the root NS doesn't handle EDNS, check that we fallback */
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(DNSName("powerdns.com."), QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-  BOOST_CHECK_EQUAL(queriesWithEDNS, 1);
-  BOOST_CHECK_EQUAL(queriesWithoutEDNS, 1);
-  BOOST_CHECK_EQUAL(SyncRes::getEDNSStatusesSize(), 1);
-  BOOST_CHECK_EQUAL(SyncRes::getEDNSStatus(noEDNSServer), SyncRes::EDNSStatus::NOEDNS);
-}
-
-BOOST_AUTO_TEST_CASE(test_edns_formerr_but_edns_enabled) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  /* in this test, the auth answers with FormErr to an EDNS-enabled
-     query, but the response does contain EDNS so we should not mark
-     it as EDNS ignorant or intolerant.
-  */
-  size_t queriesWithEDNS = 0;
-  size_t queriesWithoutEDNS = 0;
-  std::set<ComboAddress> usedServers;
-
-  sr->setAsyncCallback([&queriesWithEDNS, &queriesWithoutEDNS, &usedServers](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (EDNS0Level > 0) {
-        queriesWithEDNS++;
-      }
-      else {
-        queriesWithoutEDNS++;
-      }
-      usedServers.insert(ip);
-
-      if (type == QType::DNAME) {
-        setLWResult(res, RCode::FormErr);
-        if (EDNS0Level > 0) {
-          res->d_haveEDNS = true;
-        }
-        return 1;
-      }
-
-      return 0;
-    });
-
-  primeHints();
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(DNSName("powerdns.com."), QType(QType::DNAME), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::ServFail);
-  BOOST_CHECK_EQUAL(ret.size(), 0);
-  BOOST_CHECK_EQUAL(queriesWithEDNS, 26);
-  BOOST_CHECK_EQUAL(queriesWithoutEDNS, 0);
-  BOOST_CHECK_EQUAL(SyncRes::getEDNSStatusesSize(), 26);
-  BOOST_CHECK_EQUAL(usedServers.size(), 26);
-  for (const auto& server : usedServers) {
-    BOOST_CHECK_EQUAL(SyncRes::getEDNSStatus(server), SyncRes::EDNSStatus::EDNSOK);
-  }
-}
-
-BOOST_AUTO_TEST_CASE(test_meta_types) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  static const std::set<uint16_t> invalidTypes = { 128, QType::AXFR, QType::IXFR, QType::RRSIG, QType::NSEC3, QType::OPT, QType::TSIG, QType::TKEY, QType::MAILA, QType::MAILB, 65535 };
-
-  for (const auto qtype : invalidTypes) {
-    size_t queriesCount = 0;
-
-    sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      queriesCount++;
-      return 0;
-    });
-
-    primeHints();
-
-    vector<DNSRecord> ret;
-    int res = sr->beginResolve(DNSName("powerdns.com."), QType(qtype), QClass::IN, ret);
-    BOOST_CHECK_EQUAL(res, -1);
-    BOOST_CHECK_EQUAL(ret.size(), 0);
-    BOOST_CHECK_EQUAL(queriesCount, 0);
-  }
-}
-
-BOOST_AUTO_TEST_CASE(test_tc_fallback_to_tcp) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  sr->setAsyncCallback([](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      if (!doTCP) {
-        setLWResult(res, 0, false, true, false);
-        return 1;
-      }
-      if (domain == DNSName("powerdns.com") && type == QType::A && doTCP) {
-        setLWResult(res, 0, true, false, false);
-        addRecordToLW(res, domain, QType::A, "192.0.2.1");
-        return 1;
-      }
-
-      return 0;
-    });
-
-  primeHints();
-
-  /* fake that the NS truncates every request over UDP, we should fallback to TCP */
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(DNSName("powerdns.com."), QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-}
-
-BOOST_AUTO_TEST_CASE(test_tc_over_tcp) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  size_t tcpQueriesCount = 0;
-
-  sr->setAsyncCallback([&tcpQueriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      if (!doTCP) {
-        setLWResult(res, 0, true, true, false);
-        return 1;
-      }
-
-      /* first TCP query is answered with a TC response */
-      tcpQueriesCount++;
-      if (tcpQueriesCount == 1) {
-        setLWResult(res, 0, true, true, false);
-      }
-      else {
-        setLWResult(res, 0, true, false, false);
-      }
-
-      addRecordToLW(res, domain, QType::A, "192.0.2.1");
-      return 1;
-    });
-
-  primeHints();
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(DNSName("powerdns.com."), QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(tcpQueriesCount, 2);
-}
-
-BOOST_AUTO_TEST_CASE(test_all_nss_down) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-  std::set<ComboAddress> downServers;
-
-  primeHints();
-
-  sr->setAsyncCallback([&downServers](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::AAAA, "2001:DB8::1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      }
-      else if (ip == ComboAddress("192.0.2.1:53") || ip == ComboAddress("[2001:DB8::1]:53")) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns2.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 172800);
-        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::AAAA, "2001:DB8::2", DNSResourceRecord::ADDITIONAL, 172800);
-        addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::A, "192.0.2.3", DNSResourceRecord::ADDITIONAL, 172800);
-        addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::AAAA, "2001:DB8::3", DNSResourceRecord::ADDITIONAL, 172800);
-        return 1;
-      }
-      else {
-        downServers.insert(ip);
-        return 0;
-      }
-    });
-
-  DNSName target("powerdns.com.");
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::ServFail);
-  BOOST_CHECK_EQUAL(ret.size(), 0);
-  BOOST_CHECK_EQUAL(downServers.size(), 4);
-
-  time_t now = sr->getNow().tv_sec;
-  for (const auto& server : downServers) {
-    BOOST_CHECK_EQUAL(SyncRes::getServerFailsCount(server), 1);
-    BOOST_CHECK(SyncRes::isThrottled(now, server, target, QType::A));
-  }
-}
-
-BOOST_AUTO_TEST_CASE(test_all_nss_network_error) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-  std::set<ComboAddress> downServers;
-
-  primeHints();
-
-  sr->setAsyncCallback([&downServers](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::AAAA, "2001:DB8::1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      }
-      else if (ip == ComboAddress("192.0.2.1:53") || ip == ComboAddress("[2001:DB8::1]:53")) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns2.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 172800);
-        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::AAAA, "2001:DB8::2", DNSResourceRecord::ADDITIONAL, 172800);
-        addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::A, "192.0.2.3", DNSResourceRecord::ADDITIONAL, 172800);
-        addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::AAAA, "2001:DB8::3", DNSResourceRecord::ADDITIONAL, 172800);
-        return 1;
-      }
-      else {
-        downServers.insert(ip);
-        return 0;
-      }
-    });
-
-  /* exact same test than the previous one, except instead of a time out we fake a network error */
-  DNSName target("powerdns.com.");
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::ServFail);
-  BOOST_CHECK_EQUAL(ret.size(), 0);
-  BOOST_CHECK_EQUAL(downServers.size(), 4);
-
-  time_t now = sr->getNow().tv_sec;
-  for (const auto& server : downServers) {
-    BOOST_CHECK_EQUAL(SyncRes::getServerFailsCount(server), 1);
-    BOOST_CHECK(SyncRes::isThrottled(now, server, target, QType::A));
-  }
-}
-
-BOOST_AUTO_TEST_CASE(test_only_one_ns_up_resolving_itself_with_glue) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  DNSName target("www.powerdns.com.");
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        if (domain == target) {
-          addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
-          addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns2.powerdns.net.", DNSResourceRecord::AUTHORITY, 172800);
-          addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 172800);
-          addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::AAAA, "2001:DB8::2", DNSResourceRecord::ADDITIONAL, 172800);
-        }
-        else if (domain == DNSName("pdns-public-ns2.powerdns.net.")) {
-          addRecordToLW(res, "powerdns.net.", QType::NS, "pdns-public-ns2.powerdns.net.", DNSResourceRecord::AUTHORITY, 172800);
-          addRecordToLW(res, "powerdns.net.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
-          addRecordToLW(res, "pdns-public-ns2.powerdns.net.", QType::A, "192.0.2.3", DNSResourceRecord::ADDITIONAL, 172800);
-          addRecordToLW(res, "pdns-public-ns2.powerdns.net.", QType::AAAA, "2001:DB8::3", DNSResourceRecord::ADDITIONAL, 172800);
-        }
-        return 1;
-      }
-      else if (ip == ComboAddress("192.0.2.3:53")) {
-        setLWResult(res, 0, true, false, true);
-        if (domain == DNSName("pdns-public-ns2.powerdns.net.")) {
-          if (type == QType::A) {
-            addRecordToLW(res, "pdns-public-ns2.powerdns.net.", QType::A, "192.0.2.3");
-          }
-          else if (type == QType::AAAA) {
-            addRecordToLW(res, "pdns-public-ns2.powerdns.net.", QType::AAAA, "2001:DB8::3");
-          }
-        }
-        else if (domain == target) {
-          if (type == QType::A) {
-            addRecordToLW(res, domain, QType::A, "192.0.2.1");
-          }
-          else if (type == QType::AAAA) {
-            addRecordToLW(res, domain, QType::AAAA, "2001:DB8::1");
-          }
-        }
-        return 1;
-      }
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_os_limit_errors) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-  std::set<ComboAddress> downServers;
-
-  primeHints();
-
-  sr->setAsyncCallback([&downServers](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::AAAA, "2001:DB8::1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      }
-      else if (ip == ComboAddress("192.0.2.1:53") || ip == ComboAddress("[2001:DB8::1]:53")) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns2.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 172800);
-        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::AAAA, "2001:DB8::2", DNSResourceRecord::ADDITIONAL, 172800);
-        addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::A, "192.0.2.3", DNSResourceRecord::ADDITIONAL, 172800);
-        addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::AAAA, "2001:DB8::3", DNSResourceRecord::ADDITIONAL, 172800);
-        return 1;
-      }
-      else {
-        if (downServers.size() < 3) {
-          /* only the last one will answer */
-          downServers.insert(ip);
-          return -2;
-        }
-        else {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, "powerdns.com.", QType::A, "192.0.2.42");
-          return 1;
-        }
-      }
-    });
-
-  DNSName target("powerdns.com.");
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-  BOOST_CHECK_EQUAL(downServers.size(), 3);
-
-  /* Error is reported as "OS limit error" (-2) so the servers should _NOT_ be marked down */
-  time_t now = sr->getNow().tv_sec;
-  for (const auto& server : downServers) {
-    BOOST_CHECK_EQUAL(SyncRes::getServerFailsCount(server), 0);
-    BOOST_CHECK(!SyncRes::isThrottled(now, server, target, QType::A));
+int basicRecordsForQnameMinimisation(LWResult* res, const DNSName& domain, int type) {
+  if (domain == DNSName(".") && type == QType::A) {
+    setLWResult(res, 0, true);
+    addRecordToLW(res, DNSName("."), QType::SOA, "a.root-servers.net. nstld.verisign-grs.com. 2019042400 1800 900 604800 86400", DNSResourceRecord::AUTHORITY);
+    return 1;
   }
-}
-
-BOOST_AUTO_TEST_CASE(test_glued_referral) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      /* this will cause issue with qname minimization if we ever implement it */
-      if (domain != target) {
-        return 0;
-      }
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::AAAA, "2001:DB8::1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      }
-      else if (ip == ComboAddress("192.0.2.1:53") || ip == ComboAddress("[2001:DB8::1]:53")) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns2.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 172800);
-        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::AAAA, "2001:DB8::2", DNSResourceRecord::ADDITIONAL, 172800);
-        addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::A, "192.0.2.3", DNSResourceRecord::ADDITIONAL, 172800);
-        addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::AAAA, "2001:DB8::3", DNSResourceRecord::ADDITIONAL, 172800);
-        return 1;
-      }
-      else if (ip == ComboAddress("192.0.2.2:53") || ip == ComboAddress("192.0.2.3:53") || ip == ComboAddress("[2001:DB8::2]:53") || ip == ComboAddress("[2001:DB8::3]:53")) {
-        setLWResult(res, 0, true, false, true);
-        addRecordToLW(res, target, QType::A, "192.0.2.4");
-        return 1;
-      }
-      else {
-        return 0;
-      }
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(ret[0].d_name, target);
-}
-
-BOOST_AUTO_TEST_CASE(test_glueless_referral) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-
-        if (domain.isPartOf(DNSName("com."))) {
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        } else if (domain.isPartOf(DNSName("org."))) {
-          addRecordToLW(res, "org.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        }
-        else {
-          setLWResult(res, RCode::NXDomain, false, false, true);
-          return 1;
-        }
-
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::AAAA, "2001:DB8::1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      }
-      else if (ip == ComboAddress("192.0.2.1:53") || ip == ComboAddress("[2001:DB8::1]:53")) {
-        if (domain == target) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800);
-          addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns2.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800);
-          return 1;
-        }
-        else if (domain == DNSName("pdns-public-ns1.powerdns.org.")) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, "pdns-public-ns1.powerdns.org.", QType::A, "192.0.2.2");
-          addRecordToLW(res, "pdns-public-ns1.powerdns.org.", QType::AAAA, "2001:DB8::2");
-          return 1;
-        }
-        else if (domain == DNSName("pdns-public-ns2.powerdns.org.")) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, "pdns-public-ns2.powerdns.org.", QType::A, "192.0.2.3");
-          addRecordToLW(res, "pdns-public-ns2.powerdns.org.", QType::AAAA, "2001:DB8::3");
-          return 1;
-        }
-
-        setLWResult(res, RCode::NXDomain, false, false, true);
-        return 1;
-      }
-      else if (ip == ComboAddress("192.0.2.2:53") || ip == ComboAddress("192.0.2.3:53") || ip == ComboAddress("[2001:DB8::2]:53") || ip == ComboAddress("[2001:DB8::3]:53")) {
-        setLWResult(res, 0, true, false, true);
-        addRecordToLW(res, target, QType::A, "192.0.2.4");
-        return 1;
-      }
-      else {
-        return 0;
-      }
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(ret[0].d_name, target);
-}
-
-BOOST_AUTO_TEST_CASE(test_edns_subnet_by_domain) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-  SyncRes::addEDNSDomain(target);
-
-  EDNSSubnetOpts incomingECS;
-  incomingECS.source = Netmask("192.0.2.128/32");
-  sr->setQuerySource(ComboAddress(), boost::optional<const EDNSSubnetOpts&>(incomingECS));
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      BOOST_REQUIRE(srcmask);
-      BOOST_CHECK_EQUAL(srcmask->toString(), "192.0.2.0/24");
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-
-        /* this one did not use the ECS info */
-        srcmask = boost::none;
-
-        return 1;
-      } else if (ip == ComboAddress("192.0.2.1:53")) {
-
-        setLWResult(res, 0, true, false, false);
-        addRecordToLW(res, domain, QType::A, "192.0.2.2");
-
-        /* this one did, but only up to a precision of /16, not the full /24 */
-        srcmask = Netmask("192.0.0.0/16");
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  SyncRes::s_ecsqueries = 0;
-  SyncRes::s_ecsresponses = 0;
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(ret[0].d_name, target);
-  BOOST_CHECK_EQUAL(SyncRes::s_ecsqueries, 2);
-  BOOST_CHECK_EQUAL(SyncRes::s_ecsresponses, 1);
-  for (const auto& entry : SyncRes::s_ecsResponsesBySubnetSize4) {
-    BOOST_CHECK_EQUAL(entry.second, entry.first == 15 ? 1 : 0);
+  if (domain == DNSName("com") && type == QType::A) {
+    setLWResult(res, 0, true);
+    addRecordToLW(res, DNSName("com"), QType::NS, "ns1.com", DNSResourceRecord::AUTHORITY);
+    addRecordToLW(res, DNSName("ns1.com"), QType::A, "1.2.3.4", DNSResourceRecord::ADDITIONAL);
+    return 1;
   }
-  for (const auto& entry : SyncRes::s_ecsResponsesBySubnetSize6) {
-    BOOST_CHECK_EQUAL(entry.second, 0);
+  if (domain == DNSName("ns1.com") && type == QType::A) {
+    setLWResult(res, 0, true);
+    addRecordToLW(res, DNSName("ns1.com"), QType::A, "1.2.3.4");
+    return 1;
   }
-}
-
-BOOST_AUTO_TEST_CASE(test_edns_subnet_by_addr) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-  SyncRes::addEDNSRemoteSubnet("192.0.2.1/32");
-
-  EDNSSubnetOpts incomingECS;
-  incomingECS.source = Netmask("2001:DB8::FF/128");
-  sr->setQuerySource(ComboAddress(), boost::optional<const EDNSSubnetOpts&>(incomingECS));
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-        BOOST_REQUIRE(!srcmask);
-
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      } else if (ip == ComboAddress("192.0.2.1:53")) {
-
-        BOOST_REQUIRE(srcmask);
-        BOOST_CHECK_EQUAL(srcmask->toString(), "2001:db8::/56");
-
-        setLWResult(res, 0, true, false, false);
-        addRecordToLW(res, domain, QType::A, "192.0.2.2");
-        return 1;
-      }
-
-      return 0;
-    });
-
-  SyncRes::s_ecsqueries = 0;
-  SyncRes::s_ecsresponses = 0;
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(ret[0].d_name, target);
-  BOOST_CHECK_EQUAL(SyncRes::s_ecsqueries, 1);
-  BOOST_CHECK_EQUAL(SyncRes::s_ecsresponses, 1);
-  for (const auto& entry : SyncRes::s_ecsResponsesBySubnetSize4) {
-    BOOST_CHECK_EQUAL(entry.second, 0);
+  if (domain == DNSName("powerdns.com") && type == QType::A) {
+    setLWResult(res, 0, true);
+    addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com", DNSResourceRecord::AUTHORITY);
+    addRecordToLW(res, DNSName("ns1.powerdns.com"), QType::A, "4.5.6.7", DNSResourceRecord::ADDITIONAL);
+    return 1;
   }
-  for (const auto& entry : SyncRes::s_ecsResponsesBySubnetSize6) {
-    BOOST_CHECK_EQUAL(entry.second, entry.first == 55 ? 1 : 0);
+  if (domain == DNSName("powerdns.com") && type == QType::NS) {
+    setLWResult(res, 0, true);
+    addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com");
+    addRecordToLW(res, DNSName("ns1.powerdns.com"), QType::A, "4.5.6.7", DNSResourceRecord::ADDITIONAL);
+    return 1;
   }
+  return 0;
 }
-
-BOOST_AUTO_TEST_CASE(test_ecs_use_requestor) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-  SyncRes::addEDNSRemoteSubnet("192.0.2.1/32");
-  // No incoming ECS data
-  sr->setQuerySource(ComboAddress("192.0.2.127"), boost::none);
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-        BOOST_REQUIRE(!srcmask);
-
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      } else if (ip == ComboAddress("192.0.2.1:53")) {
-
-        BOOST_REQUIRE(srcmask);
-        BOOST_CHECK_EQUAL(srcmask->toString(), "192.0.2.0/24");
-
-        setLWResult(res, 0, true, false, false);
-        addRecordToLW(res, domain, QType::A, "192.0.2.2");
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(ret[0].d_name, target);
-}
-
-BOOST_AUTO_TEST_CASE(test_ecs_use_scope_zero) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-  SyncRes::addEDNSRemoteSubnet("192.0.2.1/32");
-  SyncRes::clearEDNSLocalSubnets();
-  SyncRes::addEDNSLocalSubnet("192.0.2.254/32");
-  // No incoming ECS data, Requestor IP not in ecs-add-for
-  sr->setQuerySource(ComboAddress("192.0.2.127"), boost::none);
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-        BOOST_REQUIRE(!srcmask);
-
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      } else if (ip == ComboAddress("192.0.2.1:53")) {
-
-        BOOST_REQUIRE(srcmask);
-        BOOST_CHECK_EQUAL(srcmask->toString(), "127.0.0.1/32");
-
-        setLWResult(res, 0, true, false, false);
-        addRecordToLW(res, domain, QType::A, "192.0.2.2");
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(ret[0].d_name, target);
-}
-
-BOOST_AUTO_TEST_CASE(test_ecs_honor_incoming_mask) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-  SyncRes::addEDNSRemoteSubnet("192.0.2.1/32");
-  SyncRes::clearEDNSLocalSubnets();
-  SyncRes::addEDNSLocalSubnet("192.0.2.254/32");
-  EDNSSubnetOpts incomingECS;
-  incomingECS.source = Netmask("192.0.0.0/16");
-  sr->setQuerySource(ComboAddress("192.0.2.127"), boost::optional<const EDNSSubnetOpts&>(incomingECS));
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-        BOOST_REQUIRE(!srcmask);
-
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      } else if (ip == ComboAddress("192.0.2.1:53")) {
-
-        BOOST_REQUIRE(srcmask);
-        BOOST_CHECK_EQUAL(srcmask->toString(), "192.0.0.0/16");
-
-        setLWResult(res, 0, true, false, false);
-        addRecordToLW(res, domain, QType::A, "192.0.2.2");
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(ret[0].d_name, target);
-}
-
-BOOST_AUTO_TEST_CASE(test_ecs_honor_incoming_mask_zero) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-  SyncRes::addEDNSRemoteSubnet("192.0.2.1/32");
-  SyncRes::clearEDNSLocalSubnets();
-  SyncRes::addEDNSLocalSubnet("192.0.2.254/32");
-  EDNSSubnetOpts incomingECS;
-  incomingECS.source = Netmask("0.0.0.0/0");
-  sr->setQuerySource(ComboAddress("192.0.2.127"), boost::optional<const EDNSSubnetOpts&>(incomingECS));
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-        BOOST_REQUIRE(!srcmask);
-
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      } else if (ip == ComboAddress("192.0.2.1:53")) {
-
-        BOOST_REQUIRE(srcmask);
-        BOOST_CHECK_EQUAL(srcmask->toString(), "127.0.0.1/32");
-
-        setLWResult(res, 0, true, false, false);
-        addRecordToLW(res, domain, QType::A, "192.0.2.2");
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(ret[0].d_name, target);
-}
-
-BOOST_AUTO_TEST_CASE(test_following_cname) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("cname.powerdns.com.");
-  const DNSName cnameTarget("cname-target.powerdns.com");
-
-  sr->setAsyncCallback([target, cnameTarget](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      } else if (ip == ComboAddress("192.0.2.1:53")) {
-
-        if (domain == target) {
-          setLWResult(res, 0, true, false, false);
-          addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString());
-          return 1;
-        }
-        else if (domain == cnameTarget) {
-          setLWResult(res, 0, true, false, false);
-          addRecordToLW(res, domain, QType::A, "192.0.2.2");
-        }
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK(ret[0].d_type == QType::CNAME);
-  BOOST_CHECK_EQUAL(ret[0].d_name, target);
-  BOOST_CHECK(ret[1].d_type == QType::A);
-  BOOST_CHECK_EQUAL(ret[1].d_name, cnameTarget);
-}
-
-BOOST_AUTO_TEST_CASE(test_cname_nxdomain) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("cname.powerdns.com.");
-  const DNSName cnameTarget("cname-target.powerdns.com");
-
-  sr->setAsyncCallback([target, cnameTarget](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, "powerdns.com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      } else if (ip == ComboAddress("192.0.2.1:53")) {
-
-        if (domain == target) {
-          setLWResult(res, RCode::NXDomain, true, false, false);
-          addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString());
-          addRecordToLW(res, "powerdns.com.", QType::SOA, "a.powerdns.com. nstld.verisign-grs.com. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
-        } else if (domain == cnameTarget) {
-          setLWResult(res, RCode::NXDomain, true, false, false);
-          addRecordToLW(res, "powerdns.com.", QType::SOA, "a.powerdns.com. nstld.verisign-grs.com. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
-          return 1;
-        }
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK(ret[0].d_type == QType::CNAME);
-  BOOST_CHECK_EQUAL(ret[0].d_name, target);
-  BOOST_CHECK(ret[1].d_type == QType::SOA);
-
-  /* a second time, to check the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK(ret[0].d_type == QType::CNAME);
-  BOOST_CHECK_EQUAL(ret[0].d_name, target);
-  BOOST_CHECK(ret[1].d_type == QType::SOA);
-}
-
-BOOST_AUTO_TEST_CASE(test_included_poisonous_cname) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  /* In this test we directly get the NS server for cname.powerdns.com.,
-     and we don't know whether it's also authoritative for
-     cname-target.powerdns.com or powerdns.com, so we shouldn't accept
-     the additional A record for cname-target.powerdns.com. */
-  const DNSName target("cname.powerdns.com.");
-  const DNSName cnameTarget("cname-target.powerdns.com");
-
-  sr->setAsyncCallback([target, cnameTarget](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-
-        setLWResult(res, 0, false, false, true);
-
-        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      } else if (ip == ComboAddress("192.0.2.1:53")) {
-
-        if (domain == target) {
-          setLWResult(res, 0, true, false, false);
-          addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString());
-          addRecordToLW(res, cnameTarget, QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL);
-          return 1;
-        } else if (domain == cnameTarget) {
-          setLWResult(res, 0, true, false, false);
-          addRecordToLW(res, cnameTarget, QType::A, "192.0.2.3");
-          return 1;
-        }
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_REQUIRE(ret[0].d_type == QType::CNAME);
-  BOOST_CHECK_EQUAL(ret[0].d_name, target);
-  BOOST_CHECK_EQUAL(getRR<CNAMERecordContent>(ret[0])->getTarget(), cnameTarget);
-  BOOST_REQUIRE(ret[1].d_type == QType::A);
-  BOOST_CHECK_EQUAL(ret[1].d_name, cnameTarget);
-  BOOST_CHECK(getRR<ARecordContent>(ret[1])->getCA() == ComboAddress("192.0.2.3"));
-}
-
-BOOST_AUTO_TEST_CASE(test_cname_loop) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  size_t count = 0;
-  const DNSName target("cname.powerdns.com.");
-
-  sr->setAsyncCallback([target,&count](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      count++;
-
-      if (isRootServer(ip)) {
-
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      } else if (ip == ComboAddress("192.0.2.1:53")) {
-
-        if (domain == target) {
-          setLWResult(res, 0, true, false, false);
-          addRecordToLW(res, domain, QType::CNAME, domain.toString());
-          return 1;
-        }
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::ServFail);
-  BOOST_CHECK_GT(ret.size(), 0);
-  BOOST_CHECK_EQUAL(count, 2);
-}
-
-BOOST_AUTO_TEST_CASE(test_cname_depth) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  size_t depth = 0;
-  const DNSName target("cname.powerdns.com.");
-
-  sr->setAsyncCallback([target,&depth](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      } else if (ip == ComboAddress("192.0.2.1:53")) {
-
-        setLWResult(res, 0, true, false, false);
-        addRecordToLW(res, domain, QType::CNAME, std::to_string(depth) + "-cname.powerdns.com");
-        depth++;
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::ServFail);
-  BOOST_CHECK_EQUAL(ret.size(), depth);
-  /* we have an arbitrary limit at 10 when following a CNAME chain */
-  BOOST_CHECK_EQUAL(depth, 10 + 2);
-}
-
-BOOST_AUTO_TEST_CASE(test_time_limit) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  size_t queries = 0;
-  const DNSName target("cname.powerdns.com.");
-
-  sr->setAsyncCallback([target,&queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      queries++;
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        /* Pretend that this query took 2000 ms */
-        res->d_usec = 2000;
-
-        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      } else if (ip == ComboAddress("192.0.2.1:53")) {
-
-        setLWResult(res, 0, true, false, false);
-        addRecordToLW(res, domain, QType::A, "192.0.2.2");
-        return 1;
-      }
-
-      return 0;
-    });
-
-  /* Set the maximum time to 1 ms */
-  SyncRes::s_maxtotusec = 1000;
-
-  try {
-    vector<DNSRecord> ret;
-    sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-    BOOST_CHECK(false);
-  }
-  catch(const ImmediateServFailException& e) {
-  }
-  BOOST_CHECK_EQUAL(queries, 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_referral_depth) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  size_t queries = 0;
-  const DNSName target("www.powerdns.com.");
-
-  sr->setAsyncCallback([target,&queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      queries++;
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-
-        if (domain == DNSName("www.powerdns.com.")) {
-          addRecordToLW(res, domain, QType::NS, "ns.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
-        }
-        else if (domain == DNSName("ns.powerdns.com.")) {
-          addRecordToLW(res, domain, QType::NS, "ns1.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800);
-        }
-        else if (domain == DNSName("ns1.powerdns.org.")) {
-          addRecordToLW(res, domain, QType::NS, "ns2.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800);
-        }
-        else if (domain == DNSName("ns2.powerdns.org.")) {
-          addRecordToLW(res, domain, QType::NS, "ns3.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800);
-        }
-        else if (domain == DNSName("ns3.powerdns.org.")) {
-          addRecordToLW(res, domain, QType::NS, "ns4.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800);
-        }
-        else if (domain == DNSName("ns4.powerdns.org.")) {
-          addRecordToLW(res, domain, QType::NS, "ns5.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800);
-          addRecordToLW(res, domain, QType::A, "192.0.2.1", DNSResourceRecord::AUTHORITY, 172800);
-        }
-
-        return 1;
-      } else if (ip == ComboAddress("192.0.2.1:53")) {
-
-        setLWResult(res, 0, true, false, false);
-        addRecordToLW(res, domain, QType::A, "192.0.2.2");
-        return 1;
-      }
-
-      return 0;
-    });
-
-  /* Set the maximum depth low */
-  SyncRes::s_maxdepth = 10;
-
-  try {
-    vector<DNSRecord> ret;
-    sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-    BOOST_CHECK(false);
-  }
-  catch(const ImmediateServFailException& e) {
-  }
-}
-
-BOOST_AUTO_TEST_CASE(test_cname_qperq) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  size_t queries = 0;
-  const DNSName target("cname.powerdns.com.");
-
-  sr->setAsyncCallback([target,&queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      queries++;
-
-      if (isRootServer(ip)) {
-
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      } else if (ip == ComboAddress("192.0.2.1:53")) {
-
-        setLWResult(res, 0, true, false, false);
-        addRecordToLW(res, domain, QType::CNAME, std::to_string(queries) + "-cname.powerdns.com");
-        return 1;
-      }
-
-      return 0;
-    });
-
-  /* Set the maximum number of questions very low */
-  SyncRes::s_maxqperq = 5;
-
-  try {
-    vector<DNSRecord> ret;
-    sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-    BOOST_CHECK(false);
-  }
-  catch(const ImmediateServFailException& e) {
-    BOOST_CHECK_EQUAL(queries, SyncRes::s_maxqperq);
-  }
-}
-
-BOOST_AUTO_TEST_CASE(test_throttled_server) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("throttled.powerdns.com.");
-  const ComboAddress ns("192.0.2.1:53");
-  size_t queriesToNS = 0;
-
-  sr->setAsyncCallback([target,ns,&queriesToNS](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      } else if (ip == ns) {
-
-        queriesToNS++;
-
-        setLWResult(res, 0, true, false, false);
-        addRecordToLW(res, domain, QType::A, "192.0.2.2");
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  /* mark ns as down */
-  time_t now = sr->getNow().tv_sec;
-  SyncRes::doThrottle(now, ns, SyncRes::s_serverdownthrottletime, 10000);
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::ServFail);
-  BOOST_CHECK_EQUAL(ret.size(), 0);
-  /* we should not have sent any queries to ns */
-  BOOST_CHECK_EQUAL(queriesToNS, 0);
-}
-
-BOOST_AUTO_TEST_CASE(test_throttled_server_count) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const ComboAddress ns("192.0.2.1:53");
-
-  const size_t blocks = 10;
-  /* mark ns as down for 'blocks' queries */
-  time_t now = sr->getNow().tv_sec;
-  SyncRes::doThrottle(now, ns, SyncRes::s_serverdownthrottletime, blocks);
-
-  for (size_t idx = 0; idx < blocks; idx++) {
-    BOOST_CHECK(SyncRes::isThrottled(now, ns));
-  }
-
-  /* we have been throttled 'blocks' times, we should not be throttled anymore */
-  BOOST_CHECK(!SyncRes::isThrottled(now, ns));
-}
-
-BOOST_AUTO_TEST_CASE(test_throttled_server_time) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const ComboAddress ns("192.0.2.1:53");
-
-  const size_t seconds = 1;
-  /* mark ns as down for 'seconds' seconds */
-  time_t now = sr->getNow().tv_sec;
-  SyncRes::doThrottle(now, ns, seconds, 10000);
-
-  BOOST_CHECK(SyncRes::isThrottled(now, ns));
-
-  /* we should not be throttled anymore */
-  BOOST_CHECK(!SyncRes::isThrottled(now + 2, ns));
-}
-
-BOOST_AUTO_TEST_CASE(test_dont_query_server) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("throttled.powerdns.com.");
-  const ComboAddress ns("192.0.2.1:53");
-  size_t queriesToNS = 0;
-
-  sr->setAsyncCallback([target,ns,&queriesToNS](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      } else if (ip == ns) {
-
-        queriesToNS++;
-
-        setLWResult(res, 0, true, false, false);
-        addRecordToLW(res, domain, QType::A, "192.0.2.2");
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  /* prevent querying this NS */
-  SyncRes::addDontQuery(Netmask(ns));
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::ServFail);
-  BOOST_CHECK_EQUAL(ret.size(), 0);
-  /* we should not have sent any queries to ns */
-  BOOST_CHECK_EQUAL(queriesToNS, 0);
-}
-
-BOOST_AUTO_TEST_CASE(test_root_nx_trust) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target1("powerdns.com.");
-  const DNSName target2("notpowerdns.com.");
-  const ComboAddress ns("192.0.2.1:53");
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target1, target2, ns, &queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      queriesCount++;
-
-      if (isRootServer(ip)) {
-
-        if (domain == target1) {
-          setLWResult(res, RCode::NXDomain, true, false, true);
-          addRecordToLW(res, ".", QType::SOA, "a.root-servers.net. nstld.verisign-grs.com. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
-        }
-        else {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-          addRecordToLW(res, "a.gtld-servers.net.", QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600);
-        }
-
-        return 1;
-      } else if (ip == ns) {
-
-        setLWResult(res, 0, true, false, false);
-        addRecordToLW(res, domain, QType::A, "192.0.2.2");
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  SyncRes::s_maxnegttl = 3600;
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target1, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-  /* one for target1 and one for the entire TLD */
-  BOOST_CHECK_EQUAL(SyncRes::getNegCacheSize(), 2);
-
-  ret.clear();
-  res = sr->beginResolve(target2, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK_LE(ret[0].d_ttl, SyncRes::s_maxnegttl);
-  /* one for target1 and one for the entire TLD */
-  BOOST_CHECK_EQUAL(SyncRes::getNegCacheSize(), 2);
-
-  /* we should have sent only one query */
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_root_nx_trust_specific) {
-  std::unique_ptr<SyncRes> sr;
-  init();
-  initSR(sr, true, false);
-
-  primeHints();
-
-  const DNSName target1("powerdns.com.");
-  const DNSName target2("notpowerdns.com.");
-  const ComboAddress ns("192.0.2.1:53");
-  size_t queriesCount = 0;
-
-  /* This time the root denies target1 with a "com." SOA instead of a "." one.
-     We should add target1 to the negcache, but not "com.". */
-
-  sr->setAsyncCallback([target1, target2, ns, &queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      queriesCount++;
-
-      if (isRootServer(ip)) {
-
-        if (domain == target1) {
-          setLWResult(res, RCode::NXDomain, true, false, true);
-          addRecordToLW(res, "com.", QType::SOA, "a.root-servers.net. nstld.verisign-grs.com. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
-        }
-        else {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-          addRecordToLW(res, "a.gtld-servers.net.", QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600);
-        }
-
-        return 1;
-      } else if (ip == ns) {
-
-        setLWResult(res, 0, true, false, false);
-        addRecordToLW(res, domain, QType::A, "192.0.2.2");
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target1, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-
-  /* even with root-nx-trust on and a NX answer from the root,
-     we should not have cached the entire TLD this time. */
-  BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1);
-
-  ret.clear();
-  res = sr->beginResolve(target2, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK_EQUAL(ret[0].d_name, target2);
-  BOOST_REQUIRE(ret[0].d_type == QType::A);
-  BOOST_CHECK(getRR<ARecordContent>(ret[0])->getCA() == ComboAddress("192.0.2.2"));
-
-  BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1);
-
-  BOOST_CHECK_EQUAL(queriesCount, 3);
-}
-
-BOOST_AUTO_TEST_CASE(test_root_nx_dont_trust) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target1("powerdns.com.");
-  const DNSName target2("notpowerdns.com.");
-  const ComboAddress ns("192.0.2.1:53");
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target1, target2, ns, &queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      queriesCount++;
-
-      if (isRootServer(ip)) {
-
-        if (domain == target1) {
-          setLWResult(res, RCode::NXDomain, true, false, true);
-          addRecordToLW(res, ".", QType::SOA, "a.root-servers.net. nstld.verisign-grs.com. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
-        }
-        else {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-          addRecordToLW(res, "a.gtld-servers.net.", QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600);
-        }
-
-        return 1;
-      } else if (ip == ns) {
-
-        setLWResult(res, 0, true, false, false);
-        addRecordToLW(res, domain, QType::A, "192.0.2.2");
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  SyncRes::s_rootNXTrust = false;
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target1, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-  /* one for target1 */
-  BOOST_CHECK_EQUAL(SyncRes::getNegCacheSize(), 1);
-
-  ret.clear();
-  res = sr->beginResolve(target2, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-  /* one for target1 */
-  BOOST_CHECK_EQUAL(SyncRes::getNegCacheSize(), 1);
-
-  /* we should have sent three queries */
-  BOOST_CHECK_EQUAL(queriesCount, 3);
-}
-
-BOOST_AUTO_TEST_CASE(test_skip_negcache_for_variable_response) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("www.powerdns.com.");
-  const DNSName cnameTarget("cname.powerdns.com.");
-
-  SyncRes::addEDNSDomain(DNSName("powerdns.com."));
-
-  EDNSSubnetOpts incomingECS;
-  incomingECS.source = Netmask("192.0.2.128/32");
-  sr->setQuerySource(ComboAddress(), boost::optional<const EDNSSubnetOpts&>(incomingECS));
-
-  sr->setAsyncCallback([target,cnameTarget](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      BOOST_REQUIRE(srcmask);
-      BOOST_CHECK_EQUAL(srcmask->toString(), "192.0.2.0/24");
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-
-        srcmask = boost::none;
-
-        return 1;
-      } else if (ip == ComboAddress("192.0.2.1:53")) {
-        if (domain == target) {
-          /* Type 2 NXDOMAIN (rfc2308 section-2.1) */
-          setLWResult(res, RCode::NXDomain, true, false, true);
-          addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString());
-          addRecordToLW(res, "powerdns.com", QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-        }
-        else if (domain == cnameTarget) {
-          /* we shouldn't get there since the Type NXDOMAIN should have been enough,
-             but we might if we still chase the CNAME. */
-          setLWResult(res, RCode::NXDomain, true, false, true);
-          addRecordToLW(res, "powerdns.com", QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-        }
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
-  BOOST_CHECK_EQUAL(ret.size(), 2);
-  /* no negative cache entry because the response was variable */
-  BOOST_CHECK_EQUAL(SyncRes::getNegCacheSize(), 0);
-}
-
-BOOST_AUTO_TEST_CASE(test_ecs_cache_limit_allowed) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("www.powerdns.com.");
-
-  SyncRes::addEDNSDomain(DNSName("powerdns.com."));
-
-  EDNSSubnetOpts incomingECS;
-  incomingECS.source = Netmask("192.0.2.128/32");
-  sr->setQuerySource(ComboAddress(), boost::optional<const EDNSSubnetOpts&>(incomingECS));
-  SyncRes::s_ecsipv4cachelimit = 24;
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      BOOST_REQUIRE(srcmask);
-      BOOST_CHECK_EQUAL(srcmask->toString(), "192.0.2.0/24");
-
-      setLWResult(res, 0, true, false, true);
-      addRecordToLW(res, target, QType::A, "192.0.2.1");
-
-      return 1;
-    });
-
-  const time_t now = sr->getNow().tv_sec;
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-
-  /* should have been cached */
-  const ComboAddress who("192.0.2.128");
-  vector<DNSRecord> cached;
-  BOOST_REQUIRE_GT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0);
-  BOOST_REQUIRE_EQUAL(cached.size(), 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_ecs_cache_limit_no_ttl_limit_allowed) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("www.powerdns.com.");
-
-  SyncRes::addEDNSDomain(DNSName("powerdns.com."));
-
-  EDNSSubnetOpts incomingECS;
-  incomingECS.source = Netmask("192.0.2.128/32");
-  sr->setQuerySource(ComboAddress(), boost::optional<const EDNSSubnetOpts&>(incomingECS));
-  SyncRes::s_ecsipv4cachelimit = 16;
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      BOOST_REQUIRE(srcmask);
-      BOOST_CHECK_EQUAL(srcmask->toString(), "192.0.2.0/24");
-
-      setLWResult(res, 0, true, false, true);
-      addRecordToLW(res, target, QType::A, "192.0.2.1");
-
-      return 1;
-    });
-
-  const time_t now = sr->getNow().tv_sec;
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-
-  /* should have been cached because /24 is more specific than /16 but TTL limit is nof effective */
-  const ComboAddress who("192.0.2.128");
-  vector<DNSRecord> cached;
-  BOOST_REQUIRE_GT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0);
-  BOOST_REQUIRE_EQUAL(cached.size(), 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_ecs_cache_ttllimit_allowed) {
-    std::unique_ptr<SyncRes> sr;
-    initSR(sr);
-
-    primeHints();
-
-    const DNSName target("www.powerdns.com.");
-
-    SyncRes::addEDNSDomain(DNSName("powerdns.com."));
-
-    EDNSSubnetOpts incomingECS;
-    incomingECS.source = Netmask("192.0.2.128/32");
-    sr->setQuerySource(ComboAddress(), boost::optional<const EDNSSubnetOpts&>(incomingECS));
-    SyncRes::s_ecscachelimitttl = 30;
-
-    sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      BOOST_REQUIRE(srcmask);
-      BOOST_CHECK_EQUAL(srcmask->toString(), "192.0.2.0/24");
-
-      setLWResult(res, 0, true, false, true);
-      addRecordToLW(res, target, QType::A, "192.0.2.1");
-
-      return 1;
-    });
-
-    const time_t now = sr->getNow().tv_sec;
-    vector<DNSRecord> ret;
-    int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-    BOOST_CHECK_EQUAL(res, RCode::NoError);
-    BOOST_CHECK_EQUAL(ret.size(), 1);
-
-    /* should have been cached */
-    const ComboAddress who("192.0.2.128");
-    vector<DNSRecord> cached;
-    BOOST_REQUIRE_GT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0);
-    BOOST_REQUIRE_EQUAL(cached.size(), 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_ecs_cache_ttllimit_and_scope_allowed) {
-    std::unique_ptr<SyncRes> sr;
-    initSR(sr);
-
-    primeHints();
-
-    const DNSName target("www.powerdns.com.");
-
-    SyncRes::addEDNSDomain(DNSName("powerdns.com."));
-
-    EDNSSubnetOpts incomingECS;
-    incomingECS.source = Netmask("192.0.2.128/32");
-    sr->setQuerySource(ComboAddress(), boost::optional<const EDNSSubnetOpts&>(incomingECS));
-    SyncRes::s_ecscachelimitttl = 100;
-    SyncRes::s_ecsipv4cachelimit = 24;
-
-    sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      BOOST_REQUIRE(srcmask);
-      BOOST_CHECK_EQUAL(srcmask->toString(), "192.0.2.0/24");
-
-      setLWResult(res, 0, true, false, true);
-      addRecordToLW(res, target, QType::A, "192.0.2.1");
-
-      return 1;
-    });
-
-    const time_t now = sr->getNow().tv_sec;
-    vector<DNSRecord> ret;
-    int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-    BOOST_CHECK_EQUAL(res, RCode::NoError);
-    BOOST_CHECK_EQUAL(ret.size(), 1);
-
-    /* should have been cached */
-    const ComboAddress who("192.0.2.128");
-    vector<DNSRecord> cached;
-    BOOST_REQUIRE_GT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0);
-    BOOST_REQUIRE_EQUAL(cached.size(), 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_ecs_cache_ttllimit_notallowed) {
-    std::unique_ptr<SyncRes> sr;
-    initSR(sr);
-
-    primeHints();
-
-    const DNSName target("www.powerdns.com.");
-
-    SyncRes::addEDNSDomain(DNSName("powerdns.com."));
-
-    EDNSSubnetOpts incomingECS;
-    incomingECS.source = Netmask("192.0.2.128/32");
-    sr->setQuerySource(ComboAddress(), boost::optional<const EDNSSubnetOpts&>(incomingECS));
-    SyncRes::s_ecscachelimitttl = 100;
-    SyncRes::s_ecsipv4cachelimit = 16;
-
-    sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      BOOST_REQUIRE(srcmask);
-      BOOST_CHECK_EQUAL(srcmask->toString(), "192.0.2.0/24");
-
-      setLWResult(res, 0, true, false, true);
-      addRecordToLW(res, target, QType::A, "192.0.2.1");
-
-      return 1;
-    });
-
-    const time_t now = sr->getNow().tv_sec;
-    vector<DNSRecord> ret;
-    int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-    BOOST_CHECK_EQUAL(res, RCode::NoError);
-    BOOST_CHECK_EQUAL(ret.size(), 1);
-
-    /* should have NOT been cached because TTL of 60 is too small and /24 is more specific than /16 */
-    const ComboAddress who("192.0.2.128");
-    vector<DNSRecord> cached;
-    BOOST_REQUIRE_LT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0);
-    BOOST_REQUIRE_EQUAL(cached.size(), 0);
-}
-
-
-BOOST_AUTO_TEST_CASE(test_ns_speed) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-
-  std::map<ComboAddress, uint64_t> nsCounts;
-
-  sr->setAsyncCallback([target,&nsCounts](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, domain, QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, domain, QType::NS, "pdns-public-ns2.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, domain, QType::NS, "pdns-public-ns3.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
-
-        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::AAAA, "2001:DB8::1", DNSResourceRecord::ADDITIONAL, 3600);
-        addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-        addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::AAAA, "2001:DB8::2", DNSResourceRecord::ADDITIONAL, 3600);
-        addRecordToLW(res, "pdns-public-ns3.powerdns.com.", QType::A, "192.0.2.3", DNSResourceRecord::ADDITIONAL, 3600);
-        addRecordToLW(res, "pdns-public-ns3.powerdns.com.", QType::AAAA, "2001:DB8::3", DNSResourceRecord::ADDITIONAL, 3600);
-
-        return 1;
-      } else {
-        nsCounts[ip]++;
-
-        if (ip == ComboAddress("[2001:DB8::2]:53") || ip == ComboAddress("192.0.2.2:53")) {
-          BOOST_CHECK_LT(nsCounts.size(), 3);
-
-          /* let's time out on pdns-public-ns2.powerdns.com. */
-          return 0;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          BOOST_CHECK_EQUAL(nsCounts.size(), 3);
-
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::A, "192.0.2.254");
-          return 1;
-        }
-
-        return 0;
-      }
-
-      return 0;
-    });
-
-  struct timeval now = sr->getNow();
-
-  /* make pdns-public-ns2.powerdns.com. the fastest NS, with its IPv6 address faster than the IPV4 one,
-     then pdns-public-ns1.powerdns.com. on IPv4 */
-  SyncRes::submitNSSpeed(DNSName("pdns-public-ns1.powerdns.com."), ComboAddress("192.0.2.1:53"), 100, &now);
-  SyncRes::submitNSSpeed(DNSName("pdns-public-ns1.powerdns.com."), ComboAddress("[2001:DB8::1]:53"), 10000, &now);
-  SyncRes::submitNSSpeed(DNSName("pdns-public-ns2.powerdns.com."), ComboAddress("192.0.2.2:53"), 10, &now);
-  SyncRes::submitNSSpeed(DNSName("pdns-public-ns2.powerdns.com."), ComboAddress("[2001:DB8::2]:53"), 1, &now);
-  SyncRes::submitNSSpeed(DNSName("pdns-public-ns3.powerdns.com."), ComboAddress("192.0.2.3:53"), 10000, &now);
-  SyncRes::submitNSSpeed(DNSName("pdns-public-ns3.powerdns.com."), ComboAddress("[2001:DB8::3]:53"), 10000, &now);
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-  BOOST_CHECK_EQUAL(nsCounts.size(), 3);
-  BOOST_CHECK_EQUAL(nsCounts[ComboAddress("192.0.2.1:53")], 1);
-  BOOST_CHECK_EQUAL(nsCounts[ComboAddress("192.0.2.2:53")], 1);
-  BOOST_CHECK_EQUAL(nsCounts[ComboAddress("[2001:DB8::2]:53")], 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_flawed_nsset) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, domain, QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
-
-        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-
-        return 1;
-      } else if (ip == ComboAddress("192.0.2.1:53")) {
-        setLWResult(res, 0, true, false, true);
-        addRecordToLW(res, domain, QType::A, "192.0.2.254");
-        return 1;
-      }
-
-      return 0;
-    });
-
-  /* we populate the cache with a flawed NSset, i.e. there is a NS entry but no corresponding glue */
-  time_t now = sr->getNow().tv_sec;
-  std::vector<DNSRecord> records;
-  std::vector<shared_ptr<RRSIGRecordContent> > sigs;
-  addRecordToList(records, target, QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, now + 3600);
-
-  t_RC->replace(now, target, QType(QType::NS), records, sigs, vector<std::shared_ptr<DNSRecord>>(), true, boost::optional<Netmask>());
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_completely_flawed_nsset) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([&queriesCount,target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      queriesCount++;
-
-      if (isRootServer(ip) && domain == target) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, domain, QType::NS, "pdns-public-ns2.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, domain, QType::NS, "pdns-public-ns3.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
-        return 1;
-      } else if (domain == DNSName("pdns-public-ns2.powerdns.com.") || domain == DNSName("pdns-public-ns3.powerdns.com.")){
-        setLWResult(res, 0, true, false, true);
-        addRecordToLW(res, ".", QType::SOA, "a.root-servers.net. nstld.verisign-grs.com. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::ServFail);
-  BOOST_CHECK_EQUAL(ret.size(), 0);
-  /* one query to get NSs, then A and AAAA for each NS */
-  BOOST_CHECK_EQUAL(queriesCount, 5);
-}
-
-BOOST_AUTO_TEST_CASE(test_cache_hit) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      return 0;
-    });
-
-  /* we populate the cache with eveything we need */
-  time_t now = sr->getNow().tv_sec;
-  std::vector<DNSRecord> records;
-  std::vector<shared_ptr<RRSIGRecordContent> > sigs;
-
-  addRecordToList(records, target, QType::A, "192.0.2.1", DNSResourceRecord::ANSWER, now + 3600);
-  t_RC->replace(now, target , QType(QType::A), records, sigs, vector<std::shared_ptr<DNSRecord>>(), true, boost::optional<Netmask>());
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_no_rd) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-  size_t queriesCount = 0;
-
-  sr->setCacheOnly();
-
-  sr->setAsyncCallback([target,&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      queriesCount++;
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 0);
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-}
-
-BOOST_AUTO_TEST_CASE(test_cache_min_max_ttl) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("cachettl.powerdns.com.");
-  const ComboAddress ns("192.0.2.1:53");
-
-  sr->setAsyncCallback([target,ns](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 7200);
-        return 1;
-      } else if (ip == ns) {
-
-        setLWResult(res, 0, true, false, false);
-        addRecordToLW(res, domain, QType::A, "192.0.2.2", DNSResourceRecord::ANSWER, 10);
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  const time_t now = sr->getNow().tv_sec;
-  SyncRes::s_minimumTTL = 60;
-  SyncRes::s_maxcachettl = 3600;
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK_EQUAL(ret[0].d_ttl, SyncRes::s_minimumTTL);
-
-  const ComboAddress who;
-  vector<DNSRecord> cached;
-  BOOST_REQUIRE_GT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0);
-  BOOST_REQUIRE_EQUAL(cached.size(), 1);
-  BOOST_REQUIRE_GT(cached[0].d_ttl, now);
-  BOOST_CHECK_EQUAL((cached[0].d_ttl - now), SyncRes::s_minimumTTL);
-
-  cached.clear();
-  BOOST_REQUIRE_GT(t_RC->get(now, target, QType(QType::NS), false, &cached, who), 0);
-  BOOST_REQUIRE_EQUAL(cached.size(), 1);
-  BOOST_REQUIRE_GT(cached[0].d_ttl, now);
-  BOOST_CHECK_LE((cached[0].d_ttl - now), SyncRes::s_maxcachettl);
-}
-
-BOOST_AUTO_TEST_CASE(test_cache_min_max_ecs_ttl) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("cacheecsttl.powerdns.com.");
-  const ComboAddress ns("192.0.2.1:53");
-
-  EDNSSubnetOpts incomingECS;
-  incomingECS.source = Netmask("192.0.2.128/32");
-  sr->setQuerySource(ComboAddress(), boost::optional<const EDNSSubnetOpts&>(incomingECS));
-  SyncRes::addEDNSDomain(target);
-
-  sr->setAsyncCallback([target,ns](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      BOOST_REQUIRE(srcmask);
-      BOOST_CHECK_EQUAL(srcmask->toString(), "192.0.2.0/24");
-
-      if (isRootServer(ip)) {
-
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 20);
-        srcmask = boost::none;
-
-        return 1;
-      } else if (ip == ns) {
-
-        setLWResult(res, 0, true, false, false);
-        addRecordToLW(res, domain, QType::A, "192.0.2.2", DNSResourceRecord::ANSWER, 10);
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  const time_t now = sr->getNow().tv_sec;
-  SyncRes::s_minimumTTL = 60;
-  SyncRes::s_minimumECSTTL = 120;
-  SyncRes::s_maxcachettl = 3600;
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK_EQUAL(ret[0].d_ttl, SyncRes::s_minimumECSTTL);
-
-  const ComboAddress who("192.0.2.128");
-  vector<DNSRecord> cached;
-  BOOST_REQUIRE_GT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0);
-  BOOST_REQUIRE_EQUAL(cached.size(), 1);
-  BOOST_REQUIRE_GT(cached[0].d_ttl, now);
-  BOOST_CHECK_EQUAL((cached[0].d_ttl - now), SyncRes::s_minimumECSTTL);
-
-  cached.clear();
-  BOOST_REQUIRE_GT(t_RC->get(now, target, QType(QType::NS), false, &cached, who), 0);
-  BOOST_REQUIRE_EQUAL(cached.size(), 1);
-  BOOST_REQUIRE_GT(cached[0].d_ttl, now);
-  BOOST_CHECK_LE((cached[0].d_ttl - now), SyncRes::s_maxcachettl);
-
-  cached.clear();
-  BOOST_REQUIRE_GT(t_RC->get(now, DNSName("a.gtld-servers.net."), QType(QType::A), false, &cached, who), 0);
-  BOOST_REQUIRE_EQUAL(cached.size(), 1);
-  BOOST_REQUIRE_GT(cached[0].d_ttl, now);
-  BOOST_CHECK_LE((cached[0].d_ttl - now), SyncRes::s_minimumTTL);
-}
-
-BOOST_AUTO_TEST_CASE(test_cache_expired_ttl) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, domain, QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
-
-        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-
-        return 1;
-      } else if (ip == ComboAddress("192.0.2.1:53")) {
-        setLWResult(res, 0, true, false, true);
-        addRecordToLW(res, domain, QType::A, "192.0.2.2");
-        return 1;
-      }
-
-      return 0;
-    });
-
-  /* we populate the cache with entries that expired 60s ago*/
-  const time_t now = sr->getNow().tv_sec;
-
-  std::vector<DNSRecord> records;
-  std::vector<shared_ptr<RRSIGRecordContent> > sigs;
-  addRecordToList(records, target, QType::A, "192.0.2.42", DNSResourceRecord::ANSWER, now - 60);
-
-  t_RC->replace(now - 3600, target, QType(QType::A), records, sigs, vector<std::shared_ptr<DNSRecord>>(), true, boost::optional<Netmask>());
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_REQUIRE(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(getRR<ARecordContent>(ret[0])->getCA().toStringWithPort(), ComboAddress("192.0.2.2").toStringWithPort());
-}
-
-BOOST_AUTO_TEST_CASE(test_cache_auth) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  /* the auth server is sending the same answer in answer and additional,
-     check that we only return one result, and we only cache one too. */
-  const DNSName target("cache-auth.powerdns.com.");
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      setLWResult(res, 0, true, false, true);
-      addRecordToLW(res, domain, QType::A, "192.0.2.2", DNSResourceRecord::ANSWER, 10);
-      addRecordToLW(res, domain, QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 10);
-
-      return 1;
-    });
-
-  const time_t now = sr->getNow().tv_sec;
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_REQUIRE_EQUAL(QType(ret.at(0).d_type).getName(), QType(QType::A).getName());
-  BOOST_CHECK_EQUAL(getRR<ARecordContent>(ret.at(0))->getCA().toString(), ComboAddress("192.0.2.2").toString());
-
-  /* check that we correctly cached only the answer entry, not the additional one */
-  const ComboAddress who;
-  vector<DNSRecord> cached;
-  BOOST_REQUIRE_GT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0);
-  BOOST_REQUIRE_EQUAL(cached.size(), 1);
-  BOOST_REQUIRE_EQUAL(QType(cached.at(0).d_type).getName(), QType(QType::A).getName());
-  BOOST_CHECK_EQUAL(getRR<ARecordContent>(cached.at(0))->getCA().toString(), ComboAddress("192.0.2.2").toString());
-}
-
-BOOST_AUTO_TEST_CASE(test_delegation_only) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  /* Thanks, Verisign */
-  SyncRes::addDelegationOnly(DNSName("com."));
-  SyncRes::addDelegationOnly(DNSName("net."));
-
-  const DNSName target("nx-powerdns.com.");
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      } else if (ip == ComboAddress("192.0.2.1:53")) {
-
-        setLWResult(res, 0, true, false, true);
-        addRecordToLW(res, domain, QType::A, "192.0.2.42");
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
-  BOOST_CHECK_EQUAL(ret.size(), 0);
-}
-
-BOOST_AUTO_TEST_CASE(test_unauth_any) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      } else if (ip == ComboAddress("192.0.2.1:53")) {
-
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, domain, QType::A, "192.0.2.42");
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::ANY), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::ServFail);
-  BOOST_CHECK_EQUAL(ret.size(), 0);
-}
-
-BOOST_AUTO_TEST_CASE(test_no_data) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      setLWResult(res, 0, true, false, true);
-      return 1;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 0);
-}
-
-BOOST_AUTO_TEST_CASE(test_skip_opt_any) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      setLWResult(res, 0, true, false, true);
-      addRecordToLW(res, domain, QType::A, "192.0.2.42");
-      addRecordToLW(res, domain, QType::ANY, "0 0");
-      addRecordToLW(res, domain, QType::OPT, "");
-      return 1;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_nodata_nsec_nodnssec) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      setLWResult(res, 0, true, false, true);
-      addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-      /* the NSEC and RRSIG contents are complete garbage, please ignore them */
-      addRecordToLW(res, domain, QType::NSEC, "deadbeef", DNSResourceRecord::AUTHORITY);
-      addRecordToLW(res, domain, QType::RRSIG, "NSEC 5 2 600 2100010100000000 2100010100000000 24567 dummy data", DNSResourceRecord::AUTHORITY);
-      addRecordToLW(res, domain, QType::RRSIG, "SOA 5 3 600 2100010100000000 2100010100000000 24567 dummy data", DNSResourceRecord::AUTHORITY);
-      return 1;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_nodata_nsec_dnssec) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      setLWResult(res, 0, true, false, true);
-      addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-      /* the NSEC and RRSIG contents are complete garbage, please ignore them */
-      addRecordToLW(res, domain, QType::NSEC, "deadbeef", DNSResourceRecord::AUTHORITY);
-      addRecordToLW(res, domain, QType::RRSIG, "NSEC 5 2 600 2100010100000000 2100010100000000 24567 dummy data", DNSResourceRecord::AUTHORITY);
-      addRecordToLW(res, domain, QType::RRSIG, "SOA 5 3 600 2100010100000000 2100010100000000 24567 dummy data", DNSResourceRecord::AUTHORITY);
-      return 1;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 4);
-}
-
-BOOST_AUTO_TEST_CASE(test_nx_nsec_nodnssec) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      setLWResult(res, RCode::NXDomain, true, false, true);
-      addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-      /* the NSEC and RRSIG contents are complete garbage, please ignore them */
-      addRecordToLW(res, domain, QType::NSEC, "deadbeef", DNSResourceRecord::AUTHORITY);
-      addRecordToLW(res, domain, QType::RRSIG, "NSEC 5 2 600 2100010100000000 2100010100000000 24567 dummy data", DNSResourceRecord::AUTHORITY);
-      addRecordToLW(res, domain, QType::RRSIG, "SOA 5 3 600 2100010100000000 2100010100000000 24567 dummy data", DNSResourceRecord::AUTHORITY);
-      return 1;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_nx_nsec_dnssec) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      setLWResult(res, RCode::NXDomain, true, false, true);
-      addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-      /* the NSEC and RRSIG contents are complete garbage, please ignore them */
-      addRecordToLW(res, domain, QType::NSEC, "deadbeef", DNSResourceRecord::AUTHORITY);
-      addRecordToLW(res, domain, QType::RRSIG, "NSEC 5 2 600 2100010100000000 2100010100000000 24567 dummy data", DNSResourceRecord::AUTHORITY);
-      addRecordToLW(res, domain, QType::RRSIG, "SOA 5 3 600 2100010100000000 2100010100000000 24567 dummy data", DNSResourceRecord::AUTHORITY);
-      return 1;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
-  BOOST_CHECK_EQUAL(ret.size(), 4);
-}
-
-BOOST_AUTO_TEST_CASE(test_qclass_none) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  /* apart from special names and QClass::ANY, anything else than QClass::IN should be rejected right away */
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      queriesCount++;
-      return 0;
-    });
-
-  const DNSName target("powerdns.com.");
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::NONE, ret);
-  BOOST_CHECK_EQUAL(res, -1);
-  BOOST_CHECK_EQUAL(ret.size(), 0);
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-}
-
-BOOST_AUTO_TEST_CASE(test_answer_no_aa) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      setLWResult(res, 0, false, false, true);
-      addRecordToLW(res, domain, QType::A, "192.0.2.1");
-      return 1;
-    });
-
-  const time_t now = sr->getNow().tv_sec;
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::ServFail);
-  BOOST_CHECK_EQUAL(ret.size(), 0);
-
-  /* check that the record in the answer section has not been cached */
-  const ComboAddress who;
-  vector<DNSRecord> cached;
-  vector<std::shared_ptr<RRSIGRecordContent>> signatures;
-  BOOST_REQUIRE_EQUAL(t_RC->get(now, target, QType(QType::A), false, &cached, who, &signatures), -1);
-}
-
-BOOST_AUTO_TEST_CASE(test_special_types) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  /* {A,I}XFR, RRSIG and NSEC3 should be rejected right away */
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      cerr<<"asyncresolve called to ask "<<ip.toStringWithPort()<<" about "<<domain.toString()<<" / "<<QType(type).getName()<<" over "<<(doTCP ? "TCP" : "UDP")<<" (rd: "<<sendRDQuery<<", EDNS0 level: "<<EDNS0Level<<")"<<endl;
-      queriesCount++;
-      return 0;
-    });
-
-  const DNSName target("powerdns.com.");
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::AXFR), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, -1);
-  BOOST_CHECK_EQUAL(ret.size(), 0);
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-
-  res = sr->beginResolve(target, QType(QType::IXFR), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, -1);
-  BOOST_CHECK_EQUAL(ret.size(), 0);
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-
-  res = sr->beginResolve(target, QType(QType::RRSIG), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, -1);
-  BOOST_CHECK_EQUAL(ret.size(), 0);
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-
-  res = sr->beginResolve(target, QType(QType::NSEC3), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, -1);
-  BOOST_CHECK_EQUAL(ret.size(), 0);
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-}
-
-BOOST_AUTO_TEST_CASE(test_special_names) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  /* special names should be handled internally */
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      queriesCount++;
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(DNSName("1.0.0.127.in-addr.arpa."), QType(QType::PTR), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::PTR);
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-
-  ret.clear();
-  res = sr->beginResolve(DNSName("1.0.0.127.in-addr.arpa."), QType(QType::ANY), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::PTR);
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-
-  ret.clear();
-  res = sr->beginResolve(DNSName("1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa."), QType(QType::PTR), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::PTR);
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-
-  ret.clear();
-  res = sr->beginResolve(DNSName("1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa."), QType(QType::ANY), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::PTR);
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-
-  ret.clear();
-  res = sr->beginResolve(DNSName("localhost."), QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(getRR<ARecordContent>(ret[0])->getCA().toString(), "127.0.0.1");
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-
-  ret.clear();
-  res = sr->beginResolve(DNSName("localhost."), QType(QType::AAAA), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::AAAA);
-  BOOST_CHECK_EQUAL(getRR<AAAARecordContent>(ret[0])->getCA().toString(), "::1");
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-
-  ret.clear();
-  res = sr->beginResolve(DNSName("localhost."), QType(QType::ANY), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  for (const auto& rec : ret) {
-    BOOST_REQUIRE((rec.d_type == QType::A) || rec.d_type == QType::AAAA);
-    if (rec.d_type == QType::A) {
-      BOOST_CHECK_EQUAL(getRR<ARecordContent>(rec)->getCA().toString(), "127.0.0.1");
-    }
-    else {
-      BOOST_CHECK_EQUAL(getRR<AAAARecordContent>(rec)->getCA().toString(), "::1");
-    }
-  }
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-
-  ret.clear();
-  res = sr->beginResolve(DNSName("version.bind."), QType(QType::TXT), QClass::CHAOS, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::TXT);
-  BOOST_CHECK_EQUAL(getRR<TXTRecordContent>(ret[0])->d_text, "\"PowerDNS Unit Tests\"");
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-
-  ret.clear();
-  res = sr->beginResolve(DNSName("version.bind."), QType(QType::ANY), QClass::CHAOS, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::TXT);
-  BOOST_CHECK_EQUAL(getRR<TXTRecordContent>(ret[0])->d_text, "\"PowerDNS Unit Tests\"");
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-
-  ret.clear();
-  res = sr->beginResolve(DNSName("version.pdns."), QType(QType::TXT), QClass::CHAOS, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::TXT);
-  BOOST_CHECK_EQUAL(getRR<TXTRecordContent>(ret[0])->d_text, "\"PowerDNS Unit Tests\"");
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-
-  ret.clear();
-  res = sr->beginResolve(DNSName("version.pdns."), QType(QType::ANY), QClass::CHAOS, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::TXT);
-  BOOST_CHECK_EQUAL(getRR<TXTRecordContent>(ret[0])->d_text, "\"PowerDNS Unit Tests\"");
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-
-  ret.clear();
-  res = sr->beginResolve(DNSName("id.server."), QType(QType::TXT), QClass::CHAOS, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::TXT);
-  BOOST_CHECK_EQUAL(getRR<TXTRecordContent>(ret[0])->d_text, "\"PowerDNS Unit Tests Server ID\"");
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-
-  ret.clear();
-  res = sr->beginResolve(DNSName("id.server."), QType(QType::ANY), QClass::CHAOS, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::TXT);
-  BOOST_CHECK_EQUAL(getRR<TXTRecordContent>(ret[0])->d_text, "\"PowerDNS Unit Tests Server ID\"");
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-}
-
-BOOST_AUTO_TEST_CASE(test_nameserver_ipv4_rpz) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("rpz.powerdns.com.");
-  const ComboAddress ns("192.0.2.1:53");
-
-  sr->setAsyncCallback([target,ns](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-        setLWResult(res, false, true, false, true);
-        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      } else if (ip == ns) {
-
-        setLWResult(res, 0, true, false, true);
-        addRecordToLW(res, domain, QType::A, "192.0.2.42");
-        return 1;
-      }
-
-      return 0;
-  });
-
-  DNSFilterEngine::Policy pol;
-  pol.d_kind = DNSFilterEngine::PolicyKind::Drop;
-  std::shared_ptr<DNSFilterEngine::Zone> zone = std::make_shared<DNSFilterEngine::Zone>();
-  zone->setName("Unit test policy 0");
-  zone->addNSIPTrigger(Netmask(ns, 32), std::move(pol));
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dfe.addZone(zone);
-  g_luaconfs.setState(luaconfsCopy);
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, -2);
-  BOOST_CHECK_EQUAL(ret.size(), 0);
-}
-
-BOOST_AUTO_TEST_CASE(test_nameserver_ipv6_rpz) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("rpz.powerdns.com.");
-  const ComboAddress ns("[2001:DB8::42]:53");
-
-  sr->setAsyncCallback([target,ns](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::AAAA, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      } else if (ip == ns) {
-
-        setLWResult(res, 0, true, false, true);
-        addRecordToLW(res, domain, QType::A, "192.0.2.42");
-        return 1;
-      }
-
-      return 0;
-  });
-
-  DNSFilterEngine::Policy pol;
-  pol.d_kind = DNSFilterEngine::PolicyKind::Drop;
-  std::shared_ptr<DNSFilterEngine::Zone> zone = std::make_shared<DNSFilterEngine::Zone>();
-  zone->setName("Unit test policy 0");
-  zone->addNSIPTrigger(Netmask(ns, 128), std::move(pol));
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dfe.addZone(zone);
-  g_luaconfs.setState(luaconfsCopy);
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, -2);
-  BOOST_CHECK_EQUAL(ret.size(), 0);
-}
-
-BOOST_AUTO_TEST_CASE(test_nameserver_name_rpz) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("rpz.powerdns.com.");
-  const ComboAddress ns("192.0.2.1:53");
-  const DNSName nsName("ns1.powerdns.com.");
-
-  sr->setAsyncCallback([target,ns,nsName](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, domain, QType::NS, nsName.toString(), DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, nsName, QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      } else if (ip == ns) {
-
-        setLWResult(res, 0, true, false, true);
-        addRecordToLW(res, domain, QType::A, "192.0.2.42");
-        return 1;
-      }
-
-      return 0;
-  });
-
-  DNSFilterEngine::Policy pol;
-  pol.d_kind = DNSFilterEngine::PolicyKind::Drop;
-  std::shared_ptr<DNSFilterEngine::Zone> zone = std::make_shared<DNSFilterEngine::Zone>();
-  zone->setName("Unit test policy 0");
-  zone->addNSTrigger(nsName, std::move(pol));
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dfe.addZone(zone);
-  g_luaconfs.setState(luaconfsCopy);
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, -2);
-  BOOST_CHECK_EQUAL(ret.size(), 0);
-}
-
-BOOST_AUTO_TEST_CASE(test_nameserver_name_rpz_disabled) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("rpz.powerdns.com.");
-  const ComboAddress ns("192.0.2.1:53");
-  const DNSName nsName("ns1.powerdns.com.");
-
-  sr->setAsyncCallback([target,ns,nsName](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, domain, QType::NS, nsName.toString(), DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, nsName, QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      } else if (ip == ns) {
-
-        setLWResult(res, 0, true, false, true);
-        addRecordToLW(res, domain, QType::A, "192.0.2.42");
-        return 1;
-      }
-
-      return 0;
-  });
-
-  DNSFilterEngine::Policy pol;
-  pol.d_kind = DNSFilterEngine::PolicyKind::Drop;
-  std::shared_ptr<DNSFilterEngine::Zone> zone = std::make_shared<DNSFilterEngine::Zone>();
-  zone->setName("Unit test policy 0");
-  zone->addNSIPTrigger(Netmask(ns, 128), DNSFilterEngine::Policy(pol));
-  zone->addNSTrigger(nsName, std::move(pol));
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dfe.addZone(zone);
-  g_luaconfs.setState(luaconfsCopy);
-
-  /* RPZ is disabled for this query, we should not be blocked */
-  sr->setWantsRPZ(false);
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_forward_zone_nord) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-  const ComboAddress ns("192.0.2.1:53");
-  const ComboAddress forwardedNS("192.0.2.42:53");
-
-  SyncRes::AuthDomain ad;
-  ad.d_rdForward = false;
-  ad.d_servers.push_back(forwardedNS);
-  (*SyncRes::t_sstorage.domainmap)[target] = ad;
-
-  sr->setAsyncCallback([forwardedNS](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (ip == forwardedNS) {
-        BOOST_CHECK_EQUAL(sendRDQuery, false);
-
-        setLWResult(res, 0, true, false, true);
-        addRecordToLW(res, domain, QType::A, "192.0.2.42");
-        return 1;
-      }
-
-      return 0;
-  });
-
-  /* simulate a no-RD query */
-  sr->setCacheOnly();
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_forward_zone_rd) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-  const ComboAddress ns("192.0.2.1:53");
-  const ComboAddress forwardedNS("192.0.2.42:53");
-
-  size_t queriesCount = 0;
-  SyncRes::AuthDomain ad;
-  ad.d_rdForward = true;
-  ad.d_servers.push_back(forwardedNS);
-  (*SyncRes::t_sstorage.domainmap)[target] = ad;
-
-  sr->setAsyncCallback([forwardedNS, &queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      queriesCount++;
-
-      if (ip == forwardedNS) {
-        BOOST_CHECK_EQUAL(sendRDQuery, true);
-
-        /* set AA=0, we are a recursor */
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, domain, QType::A, "192.0.2.42");
-        return 1;
-      }
-
-      return 0;
-  });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-
-  /* now make sure we can resolve from the cache (see #6340
-     where the entries were added to the cache but not retrieved,
-     because the recursor doesn't set the AA bit and we require
-     it. We fixed it by not requiring the AA bit for forward-recurse
-     answers. */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_forward_zone_recurse_nord) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-  const ComboAddress ns("192.0.2.1:53");
-  const ComboAddress forwardedNS("192.0.2.42:53");
-
-  SyncRes::AuthDomain ad;
-  ad.d_rdForward = true;
-  ad.d_servers.push_back(forwardedNS);
-  (*SyncRes::t_sstorage.domainmap)[target] = ad;
-
-  sr->setAsyncCallback([forwardedNS](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (ip == forwardedNS) {
-        BOOST_CHECK_EQUAL(sendRDQuery, false);
-
-        setLWResult(res, 0, true, false, true);
-        addRecordToLW(res, domain, QType::A, "192.0.2.42");
-        return 1;
-      }
-
-      return 0;
-  });
-
-  /* simulate a no-RD query */
-  sr->setCacheOnly();
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_forward_zone_recurse_rd) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("powerdns.com.");
-  const ComboAddress ns("192.0.2.1:53");
-  const ComboAddress forwardedNS("192.0.2.42:53");
-
-  SyncRes::AuthDomain ad;
-  ad.d_rdForward = true;
-  ad.d_servers.push_back(forwardedNS);
-  (*SyncRes::t_sstorage.domainmap)[target] = ad;
-
-  sr->setAsyncCallback([forwardedNS](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (ip == forwardedNS) {
-        BOOST_CHECK_EQUAL(sendRDQuery, true);
-
-        setLWResult(res, 0, true, false, true);
-        addRecordToLW(res, domain, QType::A, "192.0.2.42");
-        return 1;
-      }
-
-      return 0;
-  });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_forward_zone_recurse_rd_dnssec) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  /* signed */
-  const DNSName target("test.");
-  /* unsigned */
-  const DNSName cnameTarget("cname.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  g_luaconfs.setState(luaconfsCopy);
-
-  const ComboAddress forwardedNS("192.0.2.42:53");
-  size_t queriesCount = 0;
-
-  SyncRes::AuthDomain ad;
-  ad.d_rdForward = true;
-  ad.d_servers.push_back(forwardedNS);
-  (*SyncRes::t_sstorage.domainmap)[g_rootdnsname] = ad;
-
-  sr->setAsyncCallback([target,cnameTarget,keys,forwardedNS,&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      BOOST_CHECK_EQUAL(sendRDQuery, true);
-
-      if (ip != forwardedNS) {
-        return 0;
-      }
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, DNSName("."), type, keys);
-      }
-
-      if (domain == target && type == QType::A) {
-
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, target, QType::CNAME, cnameTarget.toString());
-        addRRSIG(keys, res->d_records, domain, 300);
-        addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1");
-
-        return 1;
-      }
-      return 0;
-  });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 3);
-  BOOST_CHECK_EQUAL(queriesCount, 5);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 3);
-  BOOST_CHECK_EQUAL(queriesCount, 5);
-}
-
-BOOST_AUTO_TEST_CASE(test_forward_zone_recurse_rd_dnssec_bogus) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  /* signed */
-  const DNSName target("test.");
-  /* signed */
-  const DNSName cnameTarget("cname.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(cnameTarget, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  g_luaconfs.setState(luaconfsCopy);
-
-  const ComboAddress forwardedNS("192.0.2.42:53");
-  size_t queriesCount = 0;
-
-  SyncRes::AuthDomain ad;
-  ad.d_rdForward = true;
-  ad.d_servers.push_back(forwardedNS);
-  (*SyncRes::t_sstorage.domainmap)[g_rootdnsname] = ad;
-
-  sr->setAsyncCallback([target,cnameTarget,keys,forwardedNS,&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      BOOST_CHECK_EQUAL(sendRDQuery, true);
-
-      if (ip != forwardedNS) {
-        return 0;
-      }
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, DNSName("."), type, keys);
-      }
-
-      if (domain == target && type == QType::A) {
-
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, target, QType::CNAME, cnameTarget.toString());
-        addRRSIG(keys, res->d_records, domain, 300);
-        addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1");
-        /* no RRSIG in a signed zone, Bogus ! */
-
-        return 1;
-      }
-      return 0;
-  });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 3);
-  BOOST_CHECK_EQUAL(queriesCount, 5);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 3);
-  BOOST_CHECK_EQUAL(queriesCount, 5);
-}
-
-BOOST_AUTO_TEST_CASE(test_forward_zone_recurse_rd_dnssec_nodata_bogus) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("powerdns.com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  g_luaconfs.setState(luaconfsCopy);
-
-  const ComboAddress forwardedNS("192.0.2.42:53");
-  SyncRes::AuthDomain ad;
-  ad.d_rdForward = true;
-  ad.d_servers.push_back(forwardedNS);
-  (*SyncRes::t_sstorage.domainmap)[g_rootdnsname] = ad;
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,forwardedNS,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      BOOST_CHECK_EQUAL(sendRDQuery, true);
-
-      if (ip != forwardedNS) {
-        return 0;
-      }
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-      }
-      else {
-
-        setLWResult(res, 0, false, false, true);
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 0);
-  /* com|NS, powerdns.com|NS, powerdns.com|A */
-  BOOST_CHECK_EQUAL(queriesCount, 3);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 0);
-  /* we don't store empty results */
-  BOOST_CHECK_EQUAL(queriesCount, 4);
-}
-
-BOOST_AUTO_TEST_CASE(test_auth_zone_oob) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  primeHints();
-
-  size_t queriesCount = 0;
-  const DNSName target("test.xx.");
-  const ComboAddress targetAddr("127.0.0.1");
-  const DNSName authZone("test.xx");
-
-  SyncRes::AuthDomain ad;
-  DNSRecord dr;
-
-  dr.d_place = DNSResourceRecord::ANSWER;
-  dr.d_name = target;
-  dr.d_type = QType::A;
-  dr.d_ttl = 1800;
-  dr.d_content = std::make_shared<ARecordContent>(targetAddr);
-  ad.d_records.insert(dr);
-
-  (*SyncRes::t_sstorage.domainmap)[authZone] = ad;
-
-  sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-        queriesCount++;
-        return 0;
-      });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, 0);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-  BOOST_CHECK(sr->wasOutOfBand());
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
-
-  /* a second time, to check that the OOB flag is set when the query cache is used */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, 0);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-  BOOST_CHECK(sr->wasOutOfBand());
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
-
-  /* a third time, to check that the validation is disabled when the OOB flag is set */
-  ret.clear();
-  sr->setDNSSECValidationRequested(true);
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, 0);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-  BOOST_CHECK(sr->wasOutOfBand());
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
-}
-
-BOOST_AUTO_TEST_CASE(test_auth_zone_oob_cname) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  primeHints();
-
-  size_t queriesCount = 0;
-  const DNSName target("cname.test.xx.");
-  const DNSName targetCname("cname-target.test.xx.");
-  const ComboAddress targetCnameAddr("127.0.0.1");
-  const DNSName authZone("test.xx");
-
-  SyncRes::AuthDomain ad;
-  DNSRecord dr;
-
-  dr.d_place = DNSResourceRecord::ANSWER;
-  dr.d_name = target;
-  dr.d_type = QType::CNAME;
-  dr.d_ttl = 1800;
-  dr.d_content = std::make_shared<CNAMERecordContent>(targetCname);
-  ad.d_records.insert(dr);
-
-  dr.d_place = DNSResourceRecord::ANSWER;
-  dr.d_name = targetCname;
-  dr.d_type = QType::A;
-  dr.d_ttl = 1800;
-  dr.d_content = std::make_shared<ARecordContent>(targetCnameAddr);
-  ad.d_records.insert(dr);
-
-  (*SyncRes::t_sstorage.domainmap)[authZone] = ad;
-
-  sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-        queriesCount++;
-        return 0;
-      });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, 0);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK(ret[0].d_type == QType::CNAME);
-  BOOST_CHECK(ret[1].d_type == QType::A);
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-  BOOST_CHECK(sr->wasOutOfBand());
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
-
-  /* a second time, to check that the OOB flag is set when the query cache is used */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, 0);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK(ret[0].d_type == QType::CNAME);
-  BOOST_CHECK(ret[1].d_type == QType::A);
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-  BOOST_CHECK(sr->wasOutOfBand());
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
-
-  /* a third time, to check that the validation is disabled when the OOB flag is set */
-  ret.clear();
-  sr->setDNSSECValidationRequested(true);
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, 0);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK(ret[0].d_type == QType::CNAME);
-  BOOST_CHECK(ret[1].d_type == QType::A);
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-  BOOST_CHECK(sr->wasOutOfBand());
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
-}
-
-BOOST_AUTO_TEST_CASE(test_auth_zone) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  size_t queriesCount = 0;
-  const DNSName target("powerdns.com.");
-  const ComboAddress addr("192.0.2.5");
-
-  SyncRes::AuthDomain ad;
-  ad.d_name = target;
-  DNSRecord dr;
-  dr.d_place = DNSResourceRecord::ANSWER;
-  dr.d_name = target;
-  dr.d_type = QType::SOA;
-  dr.d_ttl = 3600;
-  dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
-  ad.d_records.insert(dr);
-
-  dr.d_place = DNSResourceRecord::ANSWER;
-  dr.d_name = target;
-  dr.d_type = QType::A;
-  dr.d_ttl = 3600;
-  dr.d_content = std::make_shared<ARecordContent>(addr);
-  ad.d_records.insert(dr);
-
-  auto map = std::make_shared<SyncRes::domainmap_t>();
-  (*map)[target] = ad;
-  SyncRes::setDomainMap(map);
-
-  sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      queriesCount++;
-      setLWResult(res, 0, true, false, true);
-      addRecordToLW(res, domain, QType::A, "192.0.2.42");
-      return 1;
-  });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(getRR<ARecordContent>(ret[0])->getCA().toString(), addr.toString());
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-}
-
-BOOST_AUTO_TEST_CASE(test_auth_zone_cname_lead_to_oob) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  size_t queriesCount = 0;
-  const DNSName target("powerdns.com.");
-  const DNSName authZone("internal.powerdns.com.");
-  const ComboAddress addr("192.0.2.5");
-
-  SyncRes::AuthDomain ad;
-  ad.d_name = authZone;
-  DNSRecord dr;
-  dr.d_place = DNSResourceRecord::ANSWER;
-  dr.d_name = authZone;
-  dr.d_type = QType::SOA;
-  dr.d_ttl = 3600;
-  dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
-  ad.d_records.insert(dr);
-
-  dr.d_place = DNSResourceRecord::ANSWER;
-  dr.d_name = authZone;
-  dr.d_type = QType::A;
-  dr.d_ttl = 3600;
-  dr.d_content = std::make_shared<ARecordContent>(addr);
-  ad.d_records.insert(dr);
-
-  auto map = std::make_shared<SyncRes::domainmap_t>();
-  (*map)[authZone] = ad;
-  SyncRes::setDomainMap(map);
-
-  sr->setAsyncCallback([&queriesCount,target,authZone](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      queriesCount++;
-
-      if (domain == target) {
-        setLWResult(res, 0, true, false, true);
-        addRecordToLW(res, target, QType::CNAME, authZone.toString(), DNSResourceRecord::ANSWER, 3600);
-        return 1;
-      }
-
-      return 0;
-  });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 2);
-  BOOST_CHECK(ret[0].d_type == QType::CNAME);
-  BOOST_CHECK_EQUAL(getRR<CNAMERecordContent>(ret[0])->getTarget().toString(), authZone.toString());
-  BOOST_CHECK(ret[1].d_type == QType::A);
-  BOOST_CHECK_EQUAL(getRR<ARecordContent>(ret[1])->getCA().toString(), addr.toString());
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_auth_zone_oob_lead_to_outgoing_queryb) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  size_t queriesCount = 0;
-  const DNSName target("powerdns.com.");
-  const DNSName externalCNAME("www.open-xchange.com.");
-  const ComboAddress addr("192.0.2.5");
-
-  SyncRes::AuthDomain ad;
-  ad.d_name = target;
-  DNSRecord dr;
-  dr.d_place = DNSResourceRecord::ANSWER;
-  dr.d_name = target;
-  dr.d_type = QType::SOA;
-  dr.d_ttl = 3600;
-  dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
-  ad.d_records.insert(dr);
-
-  dr.d_place = DNSResourceRecord::ANSWER;
-  dr.d_name = target;
-  dr.d_type = QType::CNAME;
-  dr.d_ttl = 3600;
-  dr.d_content = std::make_shared<CNAMERecordContent>(externalCNAME);
-  ad.d_records.insert(dr);
-
-  auto map = std::make_shared<SyncRes::domainmap_t>();
-  (*map)[target] = ad;
-  SyncRes::setDomainMap(map);
-
-  sr->setAsyncCallback([&queriesCount,externalCNAME,addr](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      queriesCount++;
-
-      if (domain == externalCNAME) {
-        setLWResult(res, 0, true, false, true);
-        addRecordToLW(res, externalCNAME, QType::A, addr.toString(), DNSResourceRecord::ANSWER, 3600);
-        return 1;
-      }
-
-      return 0;
-  });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 2);
-  BOOST_CHECK(ret[0].d_type == QType::CNAME);
-  BOOST_CHECK_EQUAL(getRR<CNAMERecordContent>(ret[0])->getTarget().toString(), externalCNAME.toString());
-  BOOST_CHECK(ret[1].d_type == QType::A);
-  BOOST_CHECK_EQUAL(getRR<ARecordContent>(ret[1])->getCA().toString(), addr.toString());
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_auth_zone_nodata) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  size_t queriesCount = 0;
-  const DNSName target("nodata.powerdns.com.");
-  const DNSName authZone("powerdns.com");
-
-  SyncRes::AuthDomain ad;
-  ad.d_name = authZone;
-  DNSRecord dr;
-  dr.d_place = DNSResourceRecord::ANSWER;
-  dr.d_name = target;
-  dr.d_type = QType::A;
-  dr.d_ttl = 3600;
-  dr.d_content = std::make_shared<ARecordContent>(ComboAddress("192.0.2.1"));
-  ad.d_records.insert(dr);
-
-  dr.d_place = DNSResourceRecord::ANSWER;
-  dr.d_name = authZone;
-  dr.d_type = QType::SOA;
-  dr.d_ttl = 3600;
-  dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
-  ad.d_records.insert(dr);
-
-  auto map = std::make_shared<SyncRes::domainmap_t>();
-  (*map)[authZone] = ad;
-  SyncRes::setDomainMap(map);
-
-  sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      queriesCount++;
-
-      return 0;
-  });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::AAAA), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::SOA);
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-}
-
-BOOST_AUTO_TEST_CASE(test_auth_zone_nx) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  size_t queriesCount = 0;
-  const DNSName target("nx.powerdns.com.");
-  const DNSName authZone("powerdns.com");
-
-  SyncRes::AuthDomain ad;
-  ad.d_name = authZone;
-  DNSRecord dr;
-  dr.d_place = DNSResourceRecord::ANSWER;
-  dr.d_name = DNSName("powerdns.com.");
-  dr.d_type = QType::SOA;
-  dr.d_ttl = 3600;
-  dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
-  ad.d_records.insert(dr);
-
-  auto map = std::make_shared<SyncRes::domainmap_t>();
-  (*map)[authZone] = ad;
-  SyncRes::setDomainMap(map);
-
-  sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      queriesCount++;
-
-      return 0;
-  });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::SOA);
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-}
-
-BOOST_AUTO_TEST_CASE(test_auth_zone_delegation) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true, false);
-
-  primeHints();
-
-  size_t queriesCount = 0;
-  const DNSName target("www.test.powerdns.com.");
-  const ComboAddress targetAddr("192.0.2.2");
-  const DNSName ns("ns1.test.powerdns.com.");
-  const ComboAddress nsAddr("192.0.2.1");
-  const DNSName authZone("powerdns.com");
-
-  SyncRes::AuthDomain ad;
-  ad.d_name = authZone;
-  DNSRecord dr;
-  dr.d_place = DNSResourceRecord::ANSWER;
-  dr.d_name = authZone;
-  dr.d_type = QType::SOA;
-  dr.d_ttl = 3600;
-  dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
-  ad.d_records.insert(dr);
-
-  dr.d_place = DNSResourceRecord::ANSWER;
-  dr.d_name = DNSName("test.powerdns.com.");
-  dr.d_type = QType::NS;
-  dr.d_ttl = 3600;
-  dr.d_content = std::make_shared<NSRecordContent>(ns);
-  ad.d_records.insert(dr);
-
-  dr.d_place = DNSResourceRecord::ANSWER;
-  dr.d_name = ns;
-  dr.d_type = QType::A;
-  dr.d_ttl = 3600;
-  dr.d_content = std::make_shared<ARecordContent>(nsAddr);
-  ad.d_records.insert(dr);
-
-  auto map = std::make_shared<SyncRes::domainmap_t>();
-  (*map)[authZone] = ad;
-  SyncRes::setDomainMap(map);
-
-  testkeysset_t keys;
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::RSASHA512, DNSSECKeeper::SHA384, keys, luaconfsCopy.dsAnchors);
-  g_luaconfs.setState(luaconfsCopy);
-
-  sr->setAsyncCallback([&queriesCount,target,targetAddr,nsAddr,authZone,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      queriesCount++;
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, DNSName("."), type, keys, domain == authZone);
-      }
-
-      if (ip == ComboAddress(nsAddr.toString(), 53) && domain == target) {
-        setLWResult(res, 0, true, false, true);
-        addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
-        return 1;
-      }
-
-      return 0;
-  });
-
-  sr->setDNSSECValidationRequested(true);
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(queriesCount, 4);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
-}
-
-BOOST_AUTO_TEST_CASE(test_auth_zone_delegation_point) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  size_t queriesCount = 0;
-  const DNSName target("test.powerdns.com.");
-  const ComboAddress targetAddr("192.0.2.2");
-  const DNSName ns("ns1.test.powerdns.com.");
-  const ComboAddress nsAddr("192.0.2.1");
-  const DNSName authZone("powerdns.com");
-
-  SyncRes::AuthDomain ad;
-  ad.d_name = authZone;
-  DNSRecord dr;
-  dr.d_place = DNSResourceRecord::ANSWER;
-  dr.d_name = authZone;
-  dr.d_type = QType::SOA;
-  dr.d_ttl = 3600;
-  dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
-  ad.d_records.insert(dr);
-
-  dr.d_place = DNSResourceRecord::ANSWER;
-  dr.d_name = DNSName("test.powerdns.com.");
-  dr.d_type = QType::NS;
-  dr.d_ttl = 3600;
-  dr.d_content = std::make_shared<NSRecordContent>(ns);
-  ad.d_records.insert(dr);
-
-  dr.d_place = DNSResourceRecord::ANSWER;
-  dr.d_name = ns;
-  dr.d_type = QType::A;
-  dr.d_ttl = 3600;
-  dr.d_content = std::make_shared<ARecordContent>(nsAddr);
-  ad.d_records.insert(dr);
-
-  auto map = std::make_shared<SyncRes::domainmap_t>();
-  (*map)[authZone] = ad;
-  SyncRes::setDomainMap(map);
-
-  sr->setAsyncCallback([&queriesCount,nsAddr,target,targetAddr](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      queriesCount++;
-
-      if (ip == ComboAddress(nsAddr.toString(), 53) && domain == target) {
-        setLWResult(res, 0, true, false, true);
-        addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
-        return 1;
-      }
-
-      return 0;
-  });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_auth_zone_wildcard) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  size_t queriesCount = 0;
-  const DNSName target("test.powerdns.com.");
-  const ComboAddress targetAddr("192.0.2.2");
-  const DNSName authZone("powerdns.com");
-
-  SyncRes::AuthDomain ad;
-  ad.d_name = authZone;
-  DNSRecord dr;
-  dr.d_place = DNSResourceRecord::ANSWER;
-  dr.d_name = authZone;
-  dr.d_type = QType::SOA;
-  dr.d_ttl = 3600;
-  dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
-  ad.d_records.insert(dr);
-
-  dr.d_place = DNSResourceRecord::ANSWER;
-  dr.d_name = DNSName("*.powerdns.com.");
-  dr.d_type = QType::A;
-  dr.d_ttl = 3600;
-  dr.d_content = std::make_shared<ARecordContent>(targetAddr);
-  ad.d_records.insert(dr);
-
-  auto map = std::make_shared<SyncRes::domainmap_t>();
-  (*map)[authZone] = ad;
-  SyncRes::setDomainMap(map);
-
-  sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      queriesCount++;
-
-      return 0;
-  });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-}
-
-BOOST_AUTO_TEST_CASE(test_auth_zone_wildcard_nodata) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  size_t queriesCount = 0;
-  const DNSName target("test.powerdns.com.");
-  const ComboAddress targetAddr("192.0.2.2");
-  const DNSName authZone("powerdns.com");
-
-  SyncRes::AuthDomain ad;
-  ad.d_name = authZone;
-  DNSRecord dr;
-  dr.d_place = DNSResourceRecord::ANSWER;
-  dr.d_name = authZone;
-  dr.d_type = QType::SOA;
-  dr.d_ttl = 3600;
-  dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
-  ad.d_records.insert(dr);
-
-  dr.d_place = DNSResourceRecord::ANSWER;
-  dr.d_name = DNSName("*.powerdns.com.");
-  dr.d_type = QType::A;
-  dr.d_ttl = 3600;
-  dr.d_content = std::make_shared<ARecordContent>(targetAddr);
-  ad.d_records.insert(dr);
-
-  auto map = std::make_shared<SyncRes::domainmap_t>();
-  (*map)[authZone] = ad;
-  SyncRes::setDomainMap(map);
-
-  sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      queriesCount++;
-
-      return 0;
-  });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::AAAA), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::SOA);
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-}
-
-BOOST_AUTO_TEST_CASE(test_auth_zone_cache_only) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  size_t queriesCount = 0;
-  const DNSName target("powerdns.com.");
-  const ComboAddress addr("192.0.2.5");
-
-  SyncRes::AuthDomain ad;
-  ad.d_name = target;
-  DNSRecord dr;
-  dr.d_place = DNSResourceRecord::ANSWER;
-  dr.d_name = target;
-  dr.d_type = QType::SOA;
-  dr.d_ttl = 3600;
-  dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
-  ad.d_records.insert(dr);
-
-  dr.d_place = DNSResourceRecord::ANSWER;
-  dr.d_name = target;
-  dr.d_type = QType::A;
-  dr.d_ttl = 3600;
-  dr.d_content = std::make_shared<ARecordContent>(addr);
-  ad.d_records.insert(dr);
-
-  auto map = std::make_shared<SyncRes::domainmap_t>();
-  (*map)[target] = ad;
-  SyncRes::setDomainMap(map);
-
-  sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      queriesCount++;
-      setLWResult(res, 0, true, false, true);
-      addRecordToLW(res, domain, QType::A, "192.0.2.42");
-      return 1;
-  });
-
-  /* simulate a no-RD query */
-  sr->setCacheOnly();
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(getRR<ARecordContent>(ret[0])->getCA().toString(), addr.toString());
-  BOOST_CHECK_EQUAL(queriesCount, 0);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_rrsig) {
-  init();
-
-  auto dcke = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256));
-  dcke->create(dcke->getBits());
-  // cerr<<dcke->convertToISC()<<endl;
-  DNSSECPrivateKey dpk;
-  dpk.d_flags = 256;
-  dpk.setKey(dcke);
-
-  std::vector<std::shared_ptr<DNSRecordContent> > recordcontents;
-  recordcontents.push_back(getRecordContent(QType::A, "192.0.2.1"));
-
-  DNSName qname("powerdns.com.");
-
-  time_t now = time(nullptr);
-  RRSIGRecordContent rrc;
-  /* this RRSIG is valid for the current second only */
-  computeRRSIG(dpk, qname, qname, QType::A, 600, 0, rrc, recordcontents, boost::none, now);
-
-  skeyset_t keyset;
-  keyset.insert(std::make_shared<DNSKEYRecordContent>(dpk.getDNSKEY()));
-
-  std::vector<std::shared_ptr<RRSIGRecordContent> > sigs;
-  sigs.push_back(std::make_shared<RRSIGRecordContent>(rrc));
-
-  BOOST_CHECK(validateWithKeySet(now, qname, recordcontents, sigs, keyset));
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_root_validation_csk) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target(".");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (domain == target && type == QType::NS) {
-
-        setLWResult(res, 0, true, false, true);
-        char addr[] = "a.root-servers.net.";
-        for (char idx = 'a'; idx <= 'm'; idx++) {
-          addr[0] = idx;
-          addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);
-        }
-
-        addRRSIG(keys, res->d_records, domain, 300);
-
-        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
-        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
-
-        return 1;
-      } else if (domain == target && type == QType::DNSKEY) {
-
-        setLWResult(res, 0, true, false, true);
-
-        addDNSKEY(keys, domain, 300, res->d_records);
-        addRRSIG(keys, res->d_records, domain, 300);
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  /* 13 NS + 1 RRSIG */
-  BOOST_REQUIRE_EQUAL(ret.size(), 14);
-  BOOST_CHECK_EQUAL(queriesCount, 2);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 14);
-  BOOST_CHECK_EQUAL(queriesCount, 2);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_root_validation_ksk_zsk) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target(".");
-  testkeysset_t zskeys;
-  testkeysset_t kskeys;
-
-  /* Generate key material for "." */
-  auto dckeZ = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256));
-  dckeZ->create(dckeZ->getBits());
-  DNSSECPrivateKey ksk;
-  ksk.d_flags = 257;
-  ksk.setKey(dckeZ);
-  DSRecordContent kskds = makeDSFromDNSKey(target, ksk.getDNSKEY(), DNSSECKeeper::SHA256);
-
-  auto dckeK = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256));
-  dckeK->create(dckeK->getBits());
-  DNSSECPrivateKey zsk;
-  zsk.d_flags = 256;
-  zsk.setKey(dckeK);
-  DSRecordContent zskds = makeDSFromDNSKey(target, zsk.getDNSKEY(), DNSSECKeeper::SHA256);
-
-  kskeys[target] = std::pair<DNSSECPrivateKey,DSRecordContent>(ksk, kskds);
-  zskeys[target] = std::pair<DNSSECPrivateKey,DSRecordContent>(zsk, zskds);
-
-  /* Set the root DS */
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  luaconfsCopy.dsAnchors[g_rootdnsname].insert(kskds);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,zskeys,kskeys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (domain == target && type == QType::NS) {
-
-        setLWResult(res, 0, true, false, true);
-        char addr[] = "a.root-servers.net.";
-        for (char idx = 'a'; idx <= 'm'; idx++) {
-          addr[0] = idx;
-          addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);
-        }
-
-        addRRSIG(zskeys, res->d_records, domain, 300);
-
-        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
-        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
-
-        return 1;
-      } else if (domain == target && type == QType::DNSKEY) {
-
-        setLWResult(res, 0, true, false, true);
-
-        addDNSKEY(kskeys, domain, 300, res->d_records);
-        addDNSKEY(zskeys, domain, 300, res->d_records);
-        addRRSIG(kskeys, res->d_records, domain, 300);
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  /* 13 NS + 1 RRSIG */
-  BOOST_REQUIRE_EQUAL(ret.size(), 14);
-  BOOST_CHECK_EQUAL(queriesCount, 2);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 14);
-  BOOST_CHECK_EQUAL(queriesCount, 2);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_bogus_no_dnskey) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target(".");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (domain == target && type == QType::NS) {
-
-        setLWResult(res, 0, true, false, true);
-        char addr[] = "a.root-servers.net.";
-        for (char idx = 'a'; idx <= 'm'; idx++) {
-          addr[0] = idx;
-          addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);
-        }
-
-        addRRSIG(keys, res->d_records, domain, 300);
-
-        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
-        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
-
-        return 1;
-      } else if (domain == target && type == QType::DNSKEY) {
-
-        setLWResult(res, 0, true, false, true);
-
-        /* No DNSKEY */
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  /* 13 NS + 1 RRSIG */
-  BOOST_REQUIRE_EQUAL(ret.size(), 14);
-  BOOST_CHECK_EQUAL(queriesCount, 2);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 14);
-  BOOST_CHECK_EQUAL(queriesCount, 2);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_bogus_dnskey_doesnt_match_ds) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target(".");
-  testkeysset_t dskeys;
-  testkeysset_t keys;
-
-  /* Generate key material for "." */
-  auto dckeDS = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256));
-  dckeDS->create(dckeDS->getBits());
-  DNSSECPrivateKey dskey;
-  dskey.d_flags = 257;
-  dskey.setKey(dckeDS);
-  DSRecordContent drc = makeDSFromDNSKey(target, dskey.getDNSKEY(), DNSSECKeeper::SHA256);
-
-  auto dcke = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256));
-  dcke->create(dcke->getBits());
-  DNSSECPrivateKey dpk;
-  dpk.d_flags = 256;
-  dpk.setKey(dcke);
-  DSRecordContent uselessdrc = makeDSFromDNSKey(target, dpk.getDNSKEY(), DNSSECKeeper::SHA256);
-
-  dskeys[target] = std::pair<DNSSECPrivateKey,DSRecordContent>(dskey, drc);
-  keys[target] = std::pair<DNSSECPrivateKey,DSRecordContent>(dpk, uselessdrc);
-
-  /* Set the root DS */
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  luaconfsCopy.dsAnchors[g_rootdnsname].insert(drc);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (domain == target && type == QType::NS) {
-
-        setLWResult(res, 0, true, false, true);
-        char addr[] = "a.root-servers.net.";
-        for (char idx = 'a'; idx <= 'm'; idx++) {
-          addr[0] = idx;
-          addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);
-        }
-
-        addRRSIG(keys, res->d_records, domain, 300);
-
-        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
-        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
-
-        return 1;
-      } else if (domain == target && type == QType::DNSKEY) {
-
-        setLWResult(res, 0, true, false, true);
-
-        addDNSKEY(keys, domain, 300, res->d_records);
-        addRRSIG(keys, res->d_records, domain, 300);
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  /* 13 NS + 1 RRSIG */
-  BOOST_REQUIRE_EQUAL(ret.size(), 14);
-  BOOST_CHECK_EQUAL(queriesCount, 2);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 14);
-  BOOST_CHECK_EQUAL(queriesCount, 2);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_bogus_rrsig_signed_with_unknown_dnskey) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target(".");
-  testkeysset_t keys;
-  testkeysset_t rrsigkeys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  g_luaconfs.setState(luaconfsCopy);
-
-  auto dckeRRSIG = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256));
-  dckeRRSIG->create(dckeRRSIG->getBits());
-  DNSSECPrivateKey rrsigkey;
-  rrsigkey.d_flags = 257;
-  rrsigkey.setKey(dckeRRSIG);
-  DSRecordContent rrsigds = makeDSFromDNSKey(target, rrsigkey.getDNSKEY(), DNSSECKeeper::SHA256);
-
-  rrsigkeys[target] = std::pair<DNSSECPrivateKey,DSRecordContent>(rrsigkey, rrsigds);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys,rrsigkeys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (domain == target && type == QType::NS) {
-
-        setLWResult(res, 0, true, false, true);
-        char addr[] = "a.root-servers.net.";
-        for (char idx = 'a'; idx <= 'm'; idx++) {
-          addr[0] = idx;
-          addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);
-        }
-
-        addRRSIG(rrsigkeys, res->d_records, domain, 300);
-
-        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
-        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
-
-        return 1;
-      } else if (domain == target && type == QType::DNSKEY) {
-
-        setLWResult(res, 0, true, false, true);
-
-        addDNSKEY(keys, domain, 300, res->d_records);
-        addRRSIG(rrsigkeys, res->d_records, domain, 300);
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  /* 13 NS + 1 RRSIG */
-  BOOST_REQUIRE_EQUAL(ret.size(), 14);
-  BOOST_CHECK_EQUAL(queriesCount, 2);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 14);
-  BOOST_CHECK_EQUAL(queriesCount, 2);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_bogus_no_rrsig) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target(".");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (domain == target && type == QType::NS) {
-
-        setLWResult(res, 0, true, false, true);
-        char addr[] = "a.root-servers.net.";
-        for (char idx = 'a'; idx <= 'm'; idx++) {
-          addr[0] = idx;
-          addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 86400);
-        }
-
-        /* No RRSIG */
-
-        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
-        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
-
-        return 1;
-      } else if (domain == target && type == QType::DNSKEY) {
-
-        setLWResult(res, 0, true, false, true);
-
-        addDNSKEY(keys, domain, 300, res->d_records);
-        addRRSIG(keys, res->d_records, domain, 300);
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  SyncRes::s_maxcachettl = 86400;
-  SyncRes::s_maxbogusttl = 3600;
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  /* 13 NS + 0 RRSIG */
-  BOOST_REQUIRE_EQUAL(ret.size(), 13);
-  /* no RRSIG so no query for DNSKEYs */
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 13);
-  /* check that we capped the TTL to max-cache-bogus-ttl */
-  for (const auto& record : ret) {
-    BOOST_CHECK_LE(record.d_ttl, SyncRes::s_maxbogusttl);
-  }
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_insecure_unknown_ds_algorithm) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target(".");
-  testkeysset_t keys;
-
-  /* Generate key material for "." */
-  auto dcke = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256));
-  dcke->create(dcke->getBits());
-  DNSSECPrivateKey dpk;
-  dpk.d_flags = 256;
-  dpk.setKey(dcke);
-  /* Fake algorithm number (private) */
-  dpk.d_algorithm = 253;
-
-  DSRecordContent drc = makeDSFromDNSKey(target, dpk.getDNSKEY(), DNSSECKeeper::SHA256);
-  keys[target] = std::pair<DNSSECPrivateKey,DSRecordContent>(dpk, drc);
-  /* Fake algorithm number (private) */
-  drc.d_algorithm = 253;
-
-  /* Set the root DS */
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  luaconfsCopy.dsAnchors[g_rootdnsname].insert(drc);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (domain == target && type == QType::NS) {
-
-        setLWResult(res, 0, true, false, true);
-        char addr[] = "a.root-servers.net.";
-        for (char idx = 'a'; idx <= 'm'; idx++) {
-          addr[0] = idx;
-          addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);
-        }
-
-        addRRSIG(keys, res->d_records, domain, 300);
-
-        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
-        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
-
-        return 1;
-      } else if (domain == target && type == QType::DNSKEY) {
-
-        setLWResult(res, 0, true, false, true);
-
-        addDNSKEY(keys, domain, 300, res->d_records);
-        addRRSIG(keys, res->d_records, domain, 300);
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  /* 13 NS + 1 RRSIG */
-  BOOST_REQUIRE_EQUAL(ret.size(), 14);
-  /* no supported DS so no query for DNSKEYs */
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 14);
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_insecure_unknown_ds_digest) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target(".");
-  testkeysset_t keys;
-
-  /* Generate key material for "." */
-  auto dcke = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256));
-  dcke->create(dcke->getBits());
-  DNSSECPrivateKey dpk;
-  dpk.d_flags = 256;
-  dpk.setKey(dcke);
-  DSRecordContent drc = makeDSFromDNSKey(target, dpk.getDNSKEY(), DNSSECKeeper::SHA256);
-  /* Fake digest number (reserved) */
-  drc.d_digesttype = 0;
-
-  keys[target] = std::pair<DNSSECPrivateKey, DSRecordContent>(dpk, drc);
-
-  /* Set the root DS */
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  luaconfsCopy.dsAnchors[g_rootdnsname].insert(drc);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (domain == target && type == QType::NS) {
-
-        setLWResult(res, 0, true, false, true);
-        char addr[] = "a.root-servers.net.";
-        for (char idx = 'a'; idx <= 'm'; idx++) {
-          addr[0] = idx;
-          addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);
-        }
-
-        addRRSIG(keys, res->d_records, domain, 300);
-
-        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
-        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
-
-        return 1;
-      } else if (domain == target && type == QType::DNSKEY) {
-
-        setLWResult(res, 0, true, false, true);
-
-        addDNSKEY(keys, domain, 300, res->d_records);
-        addRRSIG(keys, res->d_records, domain, 300);
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  /* 13 NS + 1 RRSIG */
-  BOOST_REQUIRE_EQUAL(ret.size(), 14);
-  /* no supported DS so no query for DNSKEYs */
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 14);
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_bogus_bad_sig) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target(".");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::RSASHA512, DNSSECKeeper::SHA384, keys, luaconfsCopy.dsAnchors);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (domain == target && type == QType::NS) {
-
-        setLWResult(res, 0, true, false, true);
-        char addr[] = "a.root-servers.net.";
-        for (char idx = 'a'; idx <= 'm'; idx++) {
-          addr[0] = idx;
-          addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);
-        }
-
-        addRRSIG(keys, res->d_records, domain, 300, true);
-
-        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
-        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
-
-        return 1;
-      } else if (domain == target && type == QType::DNSKEY) {
-
-        setLWResult(res, 0, true, false, true);
-
-        addDNSKEY(keys, domain, 300, res->d_records);
-        addRRSIG(keys, res->d_records, domain, 300);
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  /* 13 NS + 1 RRSIG */
-  BOOST_REQUIRE_EQUAL(ret.size(), 14);
-  BOOST_CHECK_EQUAL(queriesCount, 2);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 14);
-  BOOST_CHECK_EQUAL(queriesCount, 2);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_bogus_bad_algo) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target(".");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::RSASHA512, DNSSECKeeper::SHA384, keys, luaconfsCopy.dsAnchors);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (domain == target && type == QType::NS) {
-
-        setLWResult(res, 0, true, false, true);
-        char addr[] = "a.root-servers.net.";
-        for (char idx = 'a'; idx <= 'm'; idx++) {
-          addr[0] = idx;
-          addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);
-        }
-
-        /* FORCE WRONG ALGO */
-        addRRSIG(keys, res->d_records, domain, 300, false, DNSSECKeeper::RSASHA256);
-
-        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
-        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
-
-        return 1;
-      } else if (domain == target && type == QType::DNSKEY) {
-
-        setLWResult(res, 0, true, false, true);
-
-        addDNSKEY(keys, domain, 300, res->d_records);
-        addRRSIG(keys, res->d_records, domain, 300);
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  /* 13 NS + 1 RRSIG */
-  BOOST_REQUIRE_EQUAL(ret.size(), 14);
-  BOOST_CHECK_EQUAL(queriesCount, 2);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 14);
-  BOOST_CHECK_EQUAL(queriesCount, 2);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_bogus_unsigned_ds) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("com.");
-  const ComboAddress targetAddr("192.0.2.42");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::RSASHA512, DNSSECKeeper::SHA384, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      DNSName auth = domain;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys) == 0) {
-          return 0;
-        }
-
-        if (type == QType::DS && domain == target) {
-          /* remove the last record, which is the DS's RRSIG */
-          res->d_records.pop_back();
-        }
-
-        return 1;
-      }
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-        /* Include the DS but omit the RRSIG*/
-        addDS(DNSName("com."), 300, res->d_records, keys);
-        addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      }
-
-      if (ip == ComboAddress("192.0.2.1:53")) {
-        setLWResult(res, RCode::NoError, true, false, true);
-        addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
-        addRRSIG(keys, res->d_records, auth, 300);
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK_EQUAL(queriesCount, 4);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK_EQUAL(queriesCount, 4);
-
-  /* now we ask directly for the DS */
-  ret.clear();
-  res = sr->beginResolve(DNSName("com."), QType(QType::DS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK_EQUAL(queriesCount, 4);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_bogus_unsigned_ds_direct) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::RSASHA512, DNSSECKeeper::SHA384, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      DNSName auth = domain;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys) == 0) {
-          return 0;
-        }
-
-        if (type == QType::DS && domain == target) {
-          /* remove the last record, which is the DS's RRSIG */
-          res->d_records.pop_back();
-        }
-
-        return 1;
-      }
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-        /* Include the DS but omit the RRSIG*/
-        addDS(DNSName("com."), 300, res->d_records, keys);
-        addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(DNSName("com."), QType(QType::DS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_secure_various_algos) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("powerdns.com.");
-  const ComboAddress targetAddr("192.0.2.42");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::RSASHA512, DNSSECKeeper::SHA384, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA384, DNSSECKeeper::SHA384, keys);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      DNSName auth = domain;
-      if (domain == target) {
-        auth = DNSName("powerdns.com.");
-      }
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
-      }
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-        addDS(DNSName("com."), 300, res->d_records, keys);
-        addRRSIG(keys, res->d_records, DNSName("."), 300);
-        addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      }
-
-      if (ip == ComboAddress("192.0.2.1:53")) {
-        if (domain == DNSName("com.")) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
-          addRRSIG(keys, res->d_records, domain, 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          addRRSIG(keys, res->d_records, domain, 300);
-        }
-        else {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, auth, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(auth, 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-        }
-        return 1;
-      }
-
-      if (ip == ComboAddress("192.0.2.2:53")) {
-        if (type == QType::NS) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-          addRRSIG(keys, res->d_records, auth, 300);
-          addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          addRRSIG(keys, res->d_records, auth, 300);
-        }
-        else {
-          setLWResult(res, RCode::NoError, true, false, true);
-          addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
-          addRRSIG(keys, res->d_records, auth, 300);
-        }
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK_EQUAL(queriesCount, 8);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK_EQUAL(queriesCount, 8);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_secure_a_then_ns) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("powerdns.com.");
-  const ComboAddress targetAddr("192.0.2.42");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      DNSName auth = domain;
-      if (domain == target) {
-        auth = DNSName("powerdns.com.");
-      }
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
-      }
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-        addDS(DNSName("com."), 300, res->d_records, keys);
-        addRRSIG(keys, res->d_records, DNSName("."), 300);
-        addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      }
-
-      if (ip == ComboAddress("192.0.2.1:53")) {
-        if (domain == DNSName("com.")) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
-          addRRSIG(keys, res->d_records, domain, 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          addRRSIG(keys, res->d_records, domain, 300);
-        }
-        else {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, auth, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(auth, 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-        }
-        return 1;
-      }
-
-      if (ip == ComboAddress("192.0.2.2:53")) {
-        if (type == QType::NS) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-          addRRSIG(keys, res->d_records, auth, 300);
-          addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          addRRSIG(keys, res->d_records, auth, 300);
-        }
-        else {
-          setLWResult(res, RCode::NoError, true, false, true);
-          addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
-          addRRSIG(keys, res->d_records, auth, 300);
-        }
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK_EQUAL(queriesCount, 8);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK_EQUAL(queriesCount, 8);
-
-  /* this time we ask for the NS that should be in the cache, to check
-     the validation status */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK_EQUAL(queriesCount, 9);
-
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_insecure_a_then_ns) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("powerdns.com.");
-  const ComboAddress targetAddr("192.0.2.42");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      DNSName auth = domain;
-      if (domain == target) {
-        auth = DNSName("powerdns.com.");
-      }
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
-      }
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-        addDS(DNSName("com."), 300, res->d_records, keys);
-        addRRSIG(keys, res->d_records, DNSName("."), 300);
-        addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      }
-
-      if (ip == ComboAddress("192.0.2.1:53")) {
-        if (domain == DNSName("com.")) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
-          addRRSIG(keys, res->d_records, domain, 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          addRRSIG(keys, res->d_records, domain, 300);
-        }
-        else {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, auth, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-          /* no DS */
-          addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-        }
-        return 1;
-      }
-
-      if (ip == ComboAddress("192.0.2.2:53")) {
-        if (type == QType::NS) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-          addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-        }
-        else {
-          setLWResult(res, RCode::NoError, true, false, true);
-          addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
-        }
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK_EQUAL(queriesCount, 7);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK_EQUAL(queriesCount, 7);
-
-  /* this time we ask for the NS that should be in the cache, to check
-     the validation status */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK_EQUAL(queriesCount, 8);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_secure_with_nta) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("powerdns.com.");
-  const ComboAddress targetAddr("192.0.2.42");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  /* Add a NTA for "powerdns.com" */
-  luaconfsCopy.negAnchors[target] = "NTA for PowerDNS.com";
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      DNSName auth = domain;
-      if (domain == target) {
-        auth = DNSName("powerdns.com.");
-      }
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
-      }
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-        addDS(DNSName("com."), 300, res->d_records, keys);
-        addRRSIG(keys, res->d_records, DNSName("."), 300);
-        addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      }
-
-      if (ip == ComboAddress("192.0.2.1:53")) {
-        if (domain == DNSName("com.")) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
-          addRRSIG(keys, res->d_records, domain, 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          addRRSIG(keys, res->d_records, domain, 300);
-        }
-        else {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, auth, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(auth, 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-        }
-        return 1;
-      }
-
-      if (ip == ComboAddress("192.0.2.2:53")) {
-        if (type == QType::NS) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-          addRRSIG(keys, res->d_records, auth, 300);
-          addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          addRRSIG(keys, res->d_records, auth, 300);
-        }
-        else {
-          setLWResult(res, RCode::NoError, true, false, true);
-          addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
-          addRRSIG(keys, res->d_records, auth, 300);
-        }
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  /* Should be insecure because of the NTA */
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK_EQUAL(queriesCount, 5);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  /* Should be insecure because of the NTA */
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK_EQUAL(queriesCount, 5);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_bogus_with_nta) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("powerdns.com.");
-  const ComboAddress targetAddr("192.0.2.42");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  /* Add a NTA for "powerdns.com" */
-  luaconfsCopy.negAnchors[target] = "NTA for PowerDNS.com";
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        setLWResult(res, 0, true, false, true);
-        addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-        return 1;
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          else {
-            setLWResult(res, 0, false, false, true);
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.2:53")) {
-          if (type == QType::NS) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          else {
-            setLWResult(res, RCode::NoError, true, false, true);
-            addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
-          }
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  /* There is TA for root but no DS/DNSKEY/RRSIG, should be Bogus, but.. */
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  /* Should be insecure because of the NTA */
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK_EQUAL(queriesCount, 4);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK_EQUAL(queriesCount, 4);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("powerdns.com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(DNSName("com."), 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
-            addRRSIG(keys, res->d_records, domain, 300);
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-            addRRSIG(keys, res->d_records, domain, 300);
-          }
-          else {
-            setLWResult(res, 0, false, false, true);
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            addDS(domain, 300, res->d_records, keys);
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.2:53")) {
-          if (type == QType::NS) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-            addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-            addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-          }
-          else {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-            addRRSIG(keys, res->d_records, domain, 300);
-            addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS, QType::DNSKEY }, 600, res->d_records);
-            addRRSIG(keys, res->d_records, domain, 300);
-          }
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 4);
-  BOOST_CHECK_EQUAL(queriesCount, 8);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 4);
-  BOOST_CHECK_EQUAL(queriesCount, 8);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_nxdomain_nsec) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("nx.powerdns.com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      DNSName auth = domain;
-      if (domain == target) {
-        auth = DNSName("powerdns.com.");
-      }
-      if (type == QType::DS || type == QType::DNSKEY) {
-        if (type == QType::DS && domain == target) {
-          setLWResult(res, RCode::NXDomain, true, false, true);
-          addRecordToLW(res, DNSName("powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          addRRSIG(keys, res->d_records, auth, 300);
-          addNSECRecordToLW(DNSName("nw.powerdns.com."), DNSName("ny.powerdns.com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, auth, 300);
-          return 1;
-        }
-        else {
-          return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
-        }
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(DNSName("com."), 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
-            addRRSIG(keys, res->d_records, domain, 300);
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-            addRRSIG(keys, res->d_records, domain, 300);
-          }
-          else {
-            setLWResult(res, 0, false, false, true);
-            addRecordToLW(res, auth, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            addDS(auth, 300, res->d_records, keys);
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.2:53")) {
-          if (type == QType::NS) {
-            setLWResult(res, 0, true, false, true);
-            if (domain == DNSName("powerdns.com.")) {
-              addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-              addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-            }
-            else {
-              addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-              addNSECRecordToLW(DNSName("nx.powerdns.com."), DNSName("nz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
-              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-            }
-          }
-          else {
-            setLWResult(res, RCode::NXDomain, true, false, true);
-            addRecordToLW(res, DNSName("powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-            addRRSIG(keys, res->d_records, auth, 300);
-            addNSECRecordToLW(DNSName("nw.powerdns.com."), DNSName("ny.powerdns.com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records);
-            addRRSIG(keys, res->d_records, auth, 300);
-            /* add wildcard denial */
-            addNSECRecordToLW(DNSName("powerdns.com."), DNSName("a.powerdns.com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records);
-            addRRSIG(keys, res->d_records, auth, 300);
-          }
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 6);
-  BOOST_CHECK_EQUAL(queriesCount, 9);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 6);
-  BOOST_CHECK_EQUAL(queriesCount, 9);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_wildcard) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("www.powerdns.com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        if (type == QType::DS && domain == target) {
-          setLWResult(res, RCode::NoError, true, false, true);
-          addRecordToLW(res, DNSName("powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
-          addNSECRecordToLW(DNSName("www.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-          return 1;
-        }
-        else {
-          return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-        }
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(DNSName("com."), 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
-            addRRSIG(keys, res->d_records, domain, 300);
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-            addRRSIG(keys, res->d_records, domain, 300);
-          }
-          else {
-            setLWResult(res, 0, false, false, true);
-            addRecordToLW(res, "powerdns.com.", QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            addDS(DNSName("powerdns.com."), 300, res->d_records, keys);
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.2:53")) {
-          setLWResult(res, 0, true, false, true);
-          if (type == QType::NS) {
-            if (domain == DNSName("powerdns.com.")) {
-              addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-              addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-            }
-            else {
-              addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-              addNSECRecordToLW(DNSName("www.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
-              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-            }
-          }
-          else {
-            addRecordToLW(res, domain, QType::A, "192.0.2.42");
-            addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
-            /* we need to add the proof that this name does not exist, so the wildcard may apply */
-            addNSECRecordToLW(DNSName("a.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
-            addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-          }
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 4);
-  BOOST_CHECK_EQUAL(queriesCount, 9);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 4);
-  BOOST_CHECK_EQUAL(queriesCount, 9);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_nodata_nowildcard) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("www.com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        if (type == QType::DS && domain == target) {
-          DNSName auth("com.");
-          setLWResult(res, 0, true, false, true);
-
-          addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
-          addRRSIG(keys, res->d_records, auth, 300);
-          /* add a NSEC denying the DS AND the existence of a cut (no NS) */
-          addNSECRecordToLW(domain, DNSName("z") + domain, { QType::NSEC }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, auth, 300);
-          return 1;
-        }
-        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(DNSName("com."), 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          setLWResult(res, 0, true, false, true);
-          /* no data */
-          addRecordToLW(res, DNSName("com."), QType::SOA, "com. com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          /* no record for this name */
-          addNSECRecordToLW(DNSName("wwv.com."), DNSName("wwx.com."), { QType::NSEC, QType::RRSIG }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          /* a wildcard matches but has no record for this type */
-          addNSECRecordToLW(DNSName("*.com."), DNSName("com."), { QType::AAAA, QType::NSEC, QType::RRSIG }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, DNSName("com"), 300, false, boost::none, DNSName("*.com"));
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 6);
-  BOOST_CHECK_EQUAL(queriesCount, 6);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 6);
-  BOOST_CHECK_EQUAL(queriesCount, 6);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_nodata_nowildcard) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("www.com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        if (type == QType::DS && domain == target) {
-          DNSName auth("com.");
-          setLWResult(res, 0, true, false, true);
-
-          addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
-          addRRSIG(keys, res->d_records, auth, 300);
-          /* add a NSEC3 denying the DS AND the existence of a cut (no NS) */
-          /* first the closest encloser */
-          addNSEC3UnhashedRecordToLW(DNSName("com."), auth, "whatever", { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, auth, 300);
-          /* then the next closer */
-          addNSEC3NarrowRecordToLW(domain, DNSName("com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, auth, 300);
-          /* a wildcard matches but has no record for this type */
-          addNSEC3UnhashedRecordToLW(DNSName("*.com."), DNSName("com."), "whatever", { QType::AAAA, QType::NSEC, QType::RRSIG }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, DNSName("com"), 300, false, boost::none, DNSName("*.com"));
-          return 1;
-        }
-        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(DNSName("com."), 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          setLWResult(res, 0, true, false, true);
-          /* no data */
-          addRecordToLW(res, DNSName("com."), QType::SOA, "com. com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          /* no record for this name */
-          /* first the closest encloser */
-          addNSEC3UnhashedRecordToLW(DNSName("com."), DNSName("com."), "whatever", { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          /* then the next closer */
-          addNSEC3NarrowRecordToLW(domain, DNSName("com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          /* a wildcard matches but has no record for this type */
-          addNSEC3UnhashedRecordToLW(DNSName("*.com."), DNSName("com."), "whatever", { QType::AAAA, QType::NSEC, QType::RRSIG }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, DNSName("com"), 300, false, boost::none, DNSName("*.com"));
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 8);
-  BOOST_CHECK_EQUAL(queriesCount, 6);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 8);
-  BOOST_CHECK_EQUAL(queriesCount, 6);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_nodata_nowildcard_too_many_iterations) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("www.com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        if (type == QType::DS && domain == target) {
-          DNSName auth("com.");
-          setLWResult(res, 0, true, false, true);
-
-          addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
-          addRRSIG(keys, res->d_records, auth, 300);
-          /* add a NSEC3 denying the DS AND the existence of a cut (no NS) */
-          /* first the closest encloser */
-          addNSEC3UnhashedRecordToLW(DNSName("com."), auth, "whatever", { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records, g_maxNSEC3Iterations + 100);
-          addRRSIG(keys, res->d_records, auth, 300);
-          /* then the next closer */
-          addNSEC3NarrowRecordToLW(domain, DNSName("com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records, g_maxNSEC3Iterations + 100);
-          addRRSIG(keys, res->d_records, auth, 300);
-          /* a wildcard matches but has no record for this type */
-          addNSEC3UnhashedRecordToLW(DNSName("*.com."), DNSName("com."), "whatever", { QType::AAAA, QType::NSEC, QType::RRSIG }, 600, res->d_records, g_maxNSEC3Iterations + 100);
-          addRRSIG(keys, res->d_records, DNSName("com"), 300, false, boost::none, DNSName("*.com"));
-          return 1;
-        }
-        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(DNSName("com."), 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          setLWResult(res, 0, true, false, true);
-          /* no data */
-          addRecordToLW(res, DNSName("com."), QType::SOA, "com. com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          /* no record for this name */
-          /* first the closest encloser */
-          addNSEC3UnhashedRecordToLW(DNSName("com."), DNSName("com."), "whatever", { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records, g_maxNSEC3Iterations + 100);
-          addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          /* then the next closer */
-          addNSEC3NarrowRecordToLW(domain, DNSName("com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records, g_maxNSEC3Iterations + 100);
-          addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          /* a wildcard matches but has no record for this type */
-          addNSEC3UnhashedRecordToLW(DNSName("*.com."), DNSName("com."), "whatever", { QType::AAAA, QType::NSEC, QType::RRSIG }, 600, res->d_records, g_maxNSEC3Iterations + 100);
-          addRRSIG(keys, res->d_records, DNSName("com"), 300, false, boost::none, DNSName("*.com"));
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  /* we are generating NSEC3 with more iterations than we allow, so we should go Insecure */
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 8);
-  BOOST_CHECK_EQUAL(queriesCount, 6);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 8);
-  BOOST_CHECK_EQUAL(queriesCount, 6);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_wildcard) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("www.sub.powerdns.com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        if (type == QType::DS && domain.isPartOf(DNSName("sub.powerdns.com"))) {
-          setLWResult(res, RCode::NoError, true, false, true);
-          addRecordToLW(res, DNSName("powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
-          if (domain == DNSName("sub.powerdns.com")) {
-            addNSECRecordToLW(DNSName("sub.powerdns.com."), DNSName("sud.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
-          }
-          else if (domain == target) {
-            addNSECRecordToLW(DNSName("www.sub.powerdns.com."), DNSName("wwz.sub.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
-          }
-          addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-          return 1;
-        }
-        else {
-          return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-        }
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(DNSName("com."), 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
-            addRRSIG(keys, res->d_records, domain, 300);
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-            addRRSIG(keys, res->d_records, domain, 300);
-          }
-          else {
-            setLWResult(res, 0, false, false, true);
-            addRecordToLW(res, "powerdns.com.", QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            addDS(DNSName("powerdns.com."), 300, res->d_records, keys);
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.2:53")) {
-          setLWResult(res, 0, true, false, true);
-          if (type == QType::NS) {
-            if (domain == DNSName("powerdns.com.")) {
-              addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-              addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-            }
-            else {
-              addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-              addNSECRecordToLW(DNSName("www.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
-              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-            }
-          }
-          else {
-            addRecordToLW(res, domain, QType::A, "192.0.2.42");
-            addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
-            /* we need to add the proof that this name does not exist, so the wildcard may apply */
-            /* first the closest encloser */
-            addNSEC3UnhashedRecordToLW(DNSName("powerdns.com."), DNSName("powerdns.com."), "whatever", { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records);
-            addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
-            /* then the next closer */
-            addNSEC3NarrowRecordToLW(DNSName("sub.powerdns.com."), DNSName("powerdns.com."), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records);
-            addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
-          }
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 6);
-  BOOST_CHECK_EQUAL(queriesCount, 10);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 6);
-  BOOST_CHECK_EQUAL(queriesCount, 10);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_wildcard_too_many_iterations) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("www.powerdns.com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        if (type == QType::DS && domain == target) {
-          setLWResult(res, RCode::NoError, true, false, true);
-          addRecordToLW(res, DNSName("powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
-          addNSECRecordToLW(DNSName("www.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-          return 1;
-        }
-        else {
-          return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-        }
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(DNSName("com."), 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
-            addRRSIG(keys, res->d_records, domain, 300);
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-            addRRSIG(keys, res->d_records, domain, 300);
-          }
-          else {
-            setLWResult(res, 0, false, false, true);
-            addRecordToLW(res, "powerdns.com.", QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            addDS(DNSName("powerdns.com."), 300, res->d_records, keys);
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.2:53")) {
-          setLWResult(res, 0, true, false, true);
-          if (type == QType::NS) {
-            if (domain == DNSName("powerdns.com.")) {
-              addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-              addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-            }
-            else {
-              addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-              addNSECRecordToLW(DNSName("www.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
-              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-            }
-          }
-          else {
-            addRecordToLW(res, domain, QType::A, "192.0.2.42");
-            addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
-            /* we need to add the proof that this name does not exist, so the wildcard may apply */
-            /* first the closest encloser */
-            addNSEC3UnhashedRecordToLW(DNSName("powerdns.com."), DNSName("powerdns.com."), "whatever", { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records);
-            addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
-            /* then the next closer */
-            addNSEC3NarrowRecordToLW(DNSName("www.powerdns.com."), DNSName("powerdns.com."), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records, g_maxNSEC3Iterations + 100);
-            addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
-          }
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  /* the NSEC3 providing the denial of existence proof for the next closer has too many iterations,
-     we should end up Insecure */
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 6);
-  BOOST_CHECK_EQUAL(queriesCount, 9);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 6);
-  BOOST_CHECK_EQUAL(queriesCount, 9);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_wildcard_missing) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("www.powerdns.com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        if (type == QType::DS && domain == target) {
-          setLWResult(res, RCode::NoError, true, false, true);
-          addRecordToLW(res, DNSName("powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
-          addNSECRecordToLW(DNSName("www.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-          return 1;
-        }
-        else {
-          return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-        }
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(DNSName("com."), 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
-            addRRSIG(keys, res->d_records, domain, 300);
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-            addRRSIG(keys, res->d_records, domain, 300);
-          }
-          else {
-            setLWResult(res, 0, false, false, true);
-            addRecordToLW(res, "powerdns.com.", QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            addDS(DNSName("powerdns.com."), 300, res->d_records, keys);
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.2:53")) {
-          setLWResult(res, 0, true, false, true);
-          if (type == QType::NS) {
-            if (domain == DNSName("powerdns.com.")) {
-              addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-              addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-            }
-            else {
-              addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-              addNSECRecordToLW(DNSName("www.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
-              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-            }
-          }
-          else {
-            addRecordToLW(res, domain, QType::A, "192.0.2.42");
-            addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
-          }
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK_EQUAL(queriesCount, 9);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK_EQUAL(queriesCount, 9);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_wildcard_expanded_onto_itself) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("*.powerdns.com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  sr->setAsyncCallback([target,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        if (domain == target) {
-          const auto auth = DNSName("powerdns.com.");
-          /* we don't want a cut there */
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
-          addRRSIG(keys, res->d_records, auth, 300);
-          /* add a NSEC denying the DS */
-          std::set<uint16_t> types = { QType::NSEC };
-          addNSECRecordToLW(domain, DNSName("z") + domain, types, 600, res->d_records);
-          addRRSIG(keys, res->d_records, auth, 300);
-          return 1;
-        }
-        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-      }
-      else {
-        setLWResult(res, 0, true, false, true);
-        addRecordToLW(res, domain, QType::A, "192.0.2.42");
-        addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300, false, boost::none, DNSName("*.powerdns.com"));
-        /* we don't _really_ need to add the proof that the exact name does not exist because it does,
-           it's the wildcard itself, but let's do it so other validators don't choke on it */
-        addNSECRecordToLW(DNSName("*.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
-        addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
-        return 1;
-      }
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  /* A + RRSIG, NSEC + RRSIG */
-  BOOST_REQUIRE_EQUAL(ret.size(), 4);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_wildcard_like_expanded_from_wildcard) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("*.sub.powerdns.com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  sr->setAsyncCallback([target,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        if (domain == target) {
-          const auto auth = DNSName("powerdns.com.");
-          /* we don't want a cut there */
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
-          addRRSIG(keys, res->d_records, auth, 300);
-          addNSECRecordToLW(DNSName("*.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
-          return 1;
-        }
-        else if (domain == DNSName("sub.powerdns.com.")) {
-          const auto auth = DNSName("powerdns.com.");
-          /* we don't want a cut there */
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
-          addRRSIG(keys, res->d_records, auth, 300);
-          /* add a NSEC denying the DS */
-          addNSECRecordToLW(DNSName("*.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
-          return 1;
-        }
-        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-      }
-      else {
-        setLWResult(res, 0, true, false, true);
-        addRecordToLW(res, domain, QType::A, "192.0.2.42");
-        addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300, false, boost::none, DNSName("*.powerdns.com"));
-        addNSECRecordToLW(DNSName("*.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
-        addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
-        return 1;
-      }
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  /* A + RRSIG, NSEC + RRSIG */
-  BOOST_REQUIRE_EQUAL(ret.size(), 4);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_no_ds_on_referral_secure) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("www.powerdns.com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-  size_t dsQueriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,&dsQueriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS) {
-        DNSName auth(domain);
-        auth.chopOff();
-        dsQueriesCount++;
-
-        setLWResult(res, 0, true, false, true);
-        addDS(domain, 300, res->d_records, keys, DNSResourceRecord::ANSWER);
-        addRRSIG(keys, res->d_records, auth, 300);
-        return 1;
-      }
-      else if (type == QType::DNSKEY) {
-        setLWResult(res, 0, true, false, true);
-        addDNSKEY(keys, domain, 300, res->d_records);
-        addRRSIG(keys, res->d_records, domain, 300);
-        return 1;
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          /* No DS on referral, and no denial of the DS either */
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
-            addRRSIG(keys, res->d_records, domain, 300);
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-            addRRSIG(keys, res->d_records, domain, 300);
-          }
-          else {
-            setLWResult(res, 0, false, false, true);
-            addRecordToLW(res, "powerdns.com.", QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-            /* No DS on referral, and no denial of the DS either */
-          }
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.2:53")) {
-          setLWResult(res, 0, true, false, true);
-          if (type == QType::NS) {
-            if (domain == DNSName("powerdns.com.")) {
-              addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-              addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-            }
-            else {
-              addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-              addNSECRecordToLW(DNSName("www.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
-              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-            }
-          }
-          else {
-            addRecordToLW(res, domain, QType::A, "192.0.2.42");
-            addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
-          }
-
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK_EQUAL(queriesCount, 9);
-  BOOST_CHECK_EQUAL(dsQueriesCount, 3);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK_EQUAL(queriesCount, 9);
-  BOOST_CHECK_EQUAL(dsQueriesCount, 3);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_ds_sign_loop) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("www.powerdns.com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("www.powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS) {
-        DNSName auth(domain);
-        auth.chopOff();
-
-        setLWResult(res, 0, true, false, true);
-        if (domain == target) {
-          addRecordToLW(res, domain, QType::SOA, "ns1.powerdns.com. blah. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
-          addRRSIG(keys, res->d_records, target, 300);
-        }
-        else {
-          addDS(domain, 300, res->d_records, keys, DNSResourceRecord::ANSWER);
-          addRRSIG(keys, res->d_records, auth, 300);
-        }
-        return 1;
-      }
-      else if (type == QType::DNSKEY) {
-        setLWResult(res, 0, true, false, true);
-        addDNSKEY(keys, domain, 300, res->d_records);
-        addRRSIG(keys, res->d_records, domain, 300);
-        return 1;
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          addDS(DNSName("com."), 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
-            addRRSIG(keys, res->d_records, domain, 300);
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-            addRRSIG(keys, res->d_records, domain, 300);
-          }
-          else {
-            setLWResult(res, 0, false, false, true);
-            addRecordToLW(res, "powerdns.com.", QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            /* no DS */
-            addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS }, 600, res->d_records);
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.2:53")) {
-          if (type == QType::NS) {
-            if (domain == DNSName("powerdns.com.")) {
-              setLWResult(res, RCode::Refused, false, false, true);
-            }
-            else {
-              setLWResult(res, 0, true, false, true);
-              addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-              addRRSIG(keys, res->d_records, domain, 300);
-              addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-              addRRSIG(keys, res->d_records, domain, 300);
-            }
-          }
-          else {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::A, "192.0.2.42");
-            addRRSIG(keys, res->d_records, DNSName("www.powerdns.com"), 300);
-          }
-
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK_EQUAL(queriesCount, 9);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK_EQUAL(queriesCount, 9);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_dnskey_signed_child) {
-  /* check that we don't accept a signer below us */
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("www.powerdns.com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("www.powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("sub.www.powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS) {
-        DNSName auth(domain);
-        auth.chopOff();
-
-        setLWResult(res, 0, true, false, true);
-        if (domain == target) {
-          addRecordToLW(res, domain, QType::SOA, "ns1.powerdns.com. blah. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
-          addRRSIG(keys, res->d_records, target, 300);
-        }
-        else {
-          addDS(domain, 300, res->d_records, keys, DNSResourceRecord::ANSWER);
-          addRRSIG(keys, res->d_records, auth, 300);
-        }
-        return 1;
-      }
-      else if (type == QType::DNSKEY) {
-        setLWResult(res, 0, true, false, true);
-        addDNSKEY(keys, domain, 300, res->d_records);
-        if (domain == DNSName("www.powerdns.com.")) {
-          addRRSIG(keys, res->d_records, DNSName("sub.www.powerdns.com."), 300);
-        }
-        else {
-          addRRSIG(keys, res->d_records, domain, 300);
-        }
-        return 1;
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          addDS(DNSName("com."), 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
-            addRRSIG(keys, res->d_records, domain, 300);
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-            addRRSIG(keys, res->d_records, domain, 300);
-          }
-          else {
-            setLWResult(res, 0, false, false, true);
-            addRecordToLW(res, "powerdns.com.", QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            addDS(DNSName("powerdns.com."), 300, res->d_records, keys);
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.2:53")) {
-          if (type == QType::NS) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-            addRRSIG(keys, res->d_records, domain, 300);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-            addRRSIG(keys, res->d_records, domain, 300);
-          }
-          else {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::A, "192.0.2.42");
-            addRRSIG(keys, res->d_records, domain, 300);
-          }
-
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK_EQUAL(queriesCount, 9);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK_EQUAL(queriesCount, 9);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_no_ds_on_referral_insecure) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("www.powerdns.com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-  size_t dsQueriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,&dsQueriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS) {
-        DNSName auth(domain);
-        auth.chopOff();
-        dsQueriesCount++;
-
-        setLWResult(res, 0, true, false, true);
-        if (domain == DNSName("com.")) {
-          addDS(domain, 300, res->d_records, keys, DNSResourceRecord::ANSWER);
-        }
-        else {
-          addRecordToLW(res, "com.", QType::SOA, "a.gtld-servers.com. hostmastercom. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          addNSECRecordToLW(domain, DNSName("powerdnt.com."), { QType::NS }, 600, res->d_records);
-        }
-        addRRSIG(keys, res->d_records, auth, 300);
-        return 1;
-      }
-      else if (type == QType::DNSKEY) {
-        setLWResult(res, 0, true, false, true);
-        addDNSKEY(keys, domain, 300, res->d_records);
-        addRRSIG(keys, res->d_records, domain, 300);
-        return 1;
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          /* No DS on referral, and no denial of the DS either */
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
-            addRRSIG(keys, res->d_records, domain, 300);
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-            addRRSIG(keys, res->d_records, domain, 300);
-          }
-          else {
-            setLWResult(res, 0, false, false, true);
-            addRecordToLW(res, "powerdns.com.", QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-            /* No DS on referral, and no denial of the DS either */
-          }
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.2:53")) {
-          setLWResult(res, 0, true, false, true);
-          if (type == QType::NS) {
-            if (domain == DNSName("powerdns.com.")) {
-              addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-              addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-            }
-            else {
-              addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-            }
-          }
-          else {
-            addRecordToLW(res, domain, QType::A, "192.0.2.42");
-          }
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK_EQUAL(queriesCount, 7);
-  BOOST_CHECK_EQUAL(dsQueriesCount, 2);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK_EQUAL(queriesCount, 7);
-  BOOST_CHECK_EQUAL(dsQueriesCount, 2);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_bogus_unsigned_nsec) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("powerdns.com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(DNSName("com."), 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, DNSName("com."), QType::NS, "a.gtld-servers.com.");
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          else {
-            setLWResult(res, 0, false, false, true);
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            addDS(domain, 300, res->d_records, keys);
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.2:53")) {
-          setLWResult(res, 0, true, false, true);
-          if (type == QType::NS) {
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-            addRRSIG(keys, res->d_records, domain, 300);
-          }
-          else {
-            addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-            addRRSIG(keys, res->d_records, domain, 300);
-            addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS, QType::DNSKEY }, 600, res->d_records);
-            /* NO RRSIG for the NSEC record! */
-          }
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  /* NSEC record without the corresponding RRSIG in a secure zone, should be Bogus! */
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_CHECK_EQUAL(ret.size(), 3);
-  BOOST_CHECK_EQUAL(queriesCount, 8);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 3);
-  BOOST_CHECK_EQUAL(queriesCount, 8);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_bogus_no_nsec) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("powerdns.com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(DNSName("com."), 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, DNSName("com."), QType::NS, "a.gtld-servers.com.");
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          else {
-            setLWResult(res, 0, false, false, true);
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            addDS(domain, 300, res->d_records, keys);
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.2:53")) {
-          setLWResult(res, 0, true, false, true);
-          if (type == QType::NS) {
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-            addRRSIG(keys, res->d_records, domain, 300);
-          }
-          else {
-            addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-            addRRSIG(keys, res->d_records, domain, 300);
-
-            /* NO NSEC record! */
-          }
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  /* no NSEC record in a secure zone, should be Bogus! */
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_CHECK_EQUAL(ret.size(), 2);
-  BOOST_CHECK_EQUAL(queriesCount, 8);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK_EQUAL(queriesCount, 8);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("powerdns.com.");
-  const ComboAddress targetAddr("192.0.2.42");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS) {
-        if (domain == target) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          return 1;
-        } else {
-          return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-        }
-      }
-      else if (type == QType::DNSKEY) {
-        if (domain == g_rootdnsname || domain == DNSName("com.")) {
-          setLWResult(res, 0, true, false, true);
-          addDNSKEY(keys, domain, 300, res->d_records);
-          addRRSIG(keys, res->d_records, domain, 300);
-          return 1;
-        }
-        else {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          return 1;
-        }
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(DNSName("com."), 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, DNSName("com."), QType::NS, "a.gtld-servers.com.");
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          else {
-            setLWResult(res, 0, false, false, true);
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            /* no DS */
-            addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS }, 600, res->d_records);
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.2:53")) {
-          setLWResult(res, 0, true, false, true);
-          if (type == QType::NS) {
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-          }
-          else {
-            addRecordToLW(res, domain, QType::A, targetAddr.toString());
-          }
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  /* 4 NS: com at ., com at com, powerdns.com at com, powerdns.com at powerdns.com
-     4 DNSKEY: ., com (not for powerdns.com because DS denial in referral)
-     1 query for A */
-  BOOST_CHECK_EQUAL(queriesCount, 7);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(queriesCount, 7);
-}
-
-
-BOOST_AUTO_TEST_CASE(test_dnssec_secure_direct_ds) {
-  /*
-    Direct DS query:
-    - parent is secure, zone is secure: DS should be secure
-  */
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("powerdns.com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(DNSName("com."), 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::DS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  for (const auto& record : ret) {
-    BOOST_CHECK(record.d_type == QType::DS || record.d_type == QType::RRSIG);
-  }
-  BOOST_CHECK_EQUAL(queriesCount, 4);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::DS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  for (const auto& record : ret) {
-    BOOST_CHECK(record.d_type == QType::DS || record.d_type == QType::RRSIG);
-  }
-  BOOST_CHECK_EQUAL(queriesCount, 4);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_insecure_direct_ds) {
-  /*
-    Direct DS query:
-    - parent is secure, zone is insecure: DS denial should be secure
-  */
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("powerdns.com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(DNSName("com."), 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::DS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 4);
-  for (const auto& record : ret) {
-    BOOST_CHECK(record.d_type == QType::SOA || record.d_type == QType::NSEC || record.d_type == QType::RRSIG);
-  }
-  BOOST_CHECK_EQUAL(queriesCount, 4);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::DS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 4);
-  for (const auto& record : ret) {
-    BOOST_CHECK(record.d_type == QType::SOA || record.d_type == QType::NSEC || record.d_type == QType::RRSIG);
-  }
-  BOOST_CHECK_EQUAL(queriesCount, 4);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_skipped_cut) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("www.sub.powerdns.com.");
-  const ComboAddress targetAddr("192.0.2.42");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS) {
-        if (domain == DNSName("sub.powerdns.com.")) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
-          addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
-          return 1;
-        }
-        else if (domain == DNSName("www.sub.powerdns.com.")) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, DNSName("sub.powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          return 1;
-        }
-        else {
-          return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-        }
-      }
-      else if (type == QType::DNSKEY) {
-        if (domain == g_rootdnsname || domain == DNSName("com.") || domain == DNSName("powerdns.com.")) {
-          setLWResult(res, 0, true, false, true);
-          addDNSKEY(keys, domain, 300, res->d_records);
-          addRRSIG(keys, res->d_records, domain, 300);
-          return 1;
-        }
-        else {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          return 1;
-        }
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(DNSName("com."), 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, DNSName("com."), QType::NS, "a.gtld-servers.com.");
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          else {
-            setLWResult(res, 0, false, false, true);
-            addRecordToLW(res, DNSName("powerdns.com."), QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            addDS(DNSName("powerdns.com."), 300, res->d_records, keys);
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.2:53")) {
-          setLWResult(res, 0, true, false, true);
-          if (type == QType::NS) {
-            if (domain == DNSName("www.sub.powerdns.com.")) {
-              addRecordToLW(res, DNSName("sub.powerdns.com"), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-            }
-            else if (domain == DNSName("sub.powerdns.com.")) {
-              addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-            }
-            else if (domain == DNSName("powerdns.com.")) {
-              addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-              addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
-            }
-          } else {
-            addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
-          }
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(queriesCount, 9);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(queriesCount, 9);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_insecure_to_ta_skipped_cut) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("www.sub.powerdns.com.");
-  const ComboAddress targetAddr("192.0.2.42");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  /* No key material for .com */
-  /* But TA for sub.powerdns.com. */
-  generateKeyMaterial(DNSName("sub.powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  luaconfsCopy.dsAnchors[DNSName("sub.powerdns.com.")].insert(keys[DNSName("sub.powerdns.com.")].second);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS) {
-        if (domain == DNSName("www.sub.powerdns.com")) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, DNSName("sub.powerdns.com"), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com"), 300);
-          addNSECRecordToLW(DNSName("www.sub.powerdns.com"), DNSName("vww.sub.powerdns.com."), { QType::A }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com"), 300);
-        }
-        else {
-          setLWResult(res, 0, true, false, true);
-
-          if (domain == DNSName("com.")) {
-            addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-            /* no DS */
-            addNSECRecordToLW(DNSName("com."), DNSName("dom."), { QType::NS }, 600, res->d_records);
-            addRRSIG(keys, res->d_records, DNSName("."), 300);
-          }
-          else {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          }
-        }
-        return 1;
-      }
-      else if (type == QType::DNSKEY) {
-        if (domain == g_rootdnsname || domain == DNSName("sub.powerdns.com.")) {
-          setLWResult(res, 0, true, false, true);
-          addDNSKEY(keys, domain, 300, res->d_records);
-          addRRSIG(keys, res->d_records, domain, 300);
-          return 1;
-        }
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          /* no DS */
-          addNSECRecordToLW(DNSName("com."), DNSName("dom."), { QType::NS }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, DNSName("com."), QType::NS, "a.gtld-servers.com.");
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          else if (domain.isPartOf(DNSName("powerdns.com."))) {
-            setLWResult(res, 0, false, false, true);
-            addRecordToLW(res, DNSName("powerdns.com."), QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.2:53")) {
-          setLWResult(res, 0, true, false, true);
-          if (type == QType::NS) {
-            if (domain == DNSName("www.sub.powerdns.com.")) {
-              addRecordToLW(res, DNSName("sub.powerdns.com"), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-              addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com"), 300);
-              addNSECRecordToLW(DNSName("www.sub.powerdns.com"), DNSName("vww.sub.powerdns.com."), { QType::A }, 600, res->d_records);
-              addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com"), 300);
-            }
-            else if (domain == DNSName("sub.powerdns.com.")) {
-              addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-              addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com."), 300);
-            }
-            else if (domain == DNSName("powerdns.com.")) {
-              addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-            }
-          }
-          else if (domain == DNSName("www.sub.powerdns.com.")) {
-            addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
-            addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com."), 300);
-          }
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(queriesCount, 8);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(queriesCount, 8);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_nodata) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("powerdns.com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS) {
-        if (domain == target) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          return 1;
-        }
-        else {
-          return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-        }
-      }
-      else if (type == QType::DNSKEY) {
-        if (domain == g_rootdnsname || domain == DNSName("com.")) {
-          setLWResult(res, 0, true, false, true);
-          addDNSKEY(keys, domain, 300, res->d_records);
-          addRRSIG(keys, res->d_records, domain, 300);
-          return 1;
-        }
-        else {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          return 1;
-        }
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(DNSName("com."), 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          }
-          else {
-            setLWResult(res, 0, false, false, true);
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            /* no DS */
-            addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS }, 600, res->d_records);
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.2:53")) {
-          if (type == QType::NS) {
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          else {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          }
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  /* 4 NS (com from root, com from com, powerdns.com from com,
-     powerdns.com from powerdns.com)
-     2 DNSKEY (. and com., none for powerdns.com because no DS)
-     1 query for A
-  */
-  BOOST_CHECK_EQUAL(queriesCount, 7);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK_EQUAL(queriesCount, 7);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cname) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("powerdns.com.");
-  const DNSName targetCName("power-dns.com.");
-  const ComboAddress targetCNameAddr("192.0.2.42");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,targetCName,targetCNameAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS) {
-        if (domain == targetCName) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          return 1;
-        }
-        else {
-          return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-        }
-      }
-      else if (type == QType::DNSKEY) {
-        if (domain == g_rootdnsname || domain == DNSName("com.") || domain == DNSName("powerdns.com.")) {
-          setLWResult(res, 0, true, false, true);
-          addDNSKEY(keys, domain, 300, res->d_records);
-          addRRSIG(keys, res->d_records, domain, 300);
-          return 1;
-        }
-        else {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          return 1;
-        }
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(DNSName("com."), 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          setLWResult(res, 0, false, false, true);
-          if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          }
-          else {
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            if (domain == DNSName("powerdns.com.")) {
-              addDS(DNSName("powerdns.com."), 300, res->d_records, keys);
-            }
-            else if (domain == targetCName) {
-              addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records);
-            }
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.2:53")) {
-          setLWResult(res, 0, true, false, true);
-
-          if (type == QType::NS) {
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-            if (domain == DNSName("powerdns.com.")) {
-              addRRSIG(keys, res->d_records, domain, 300);
-            }
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-            if (domain == DNSName("powerdns.com.")) {
-              addRRSIG(keys, res->d_records, domain, 300);
-            }
-          }
-          else {
-            if (domain == DNSName("powerdns.com.")) {
-              addRecordToLW(res, domain, QType::CNAME, targetCName.toString());
-              addRRSIG(keys, res->d_records, domain, 300);
-            }
-            else if (domain == targetCName) {
-              addRecordToLW(res, domain, QType::A, targetCNameAddr.toString());
-            }
-          }
-
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 3);
-  BOOST_CHECK_EQUAL(queriesCount, 11);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 3);
-  BOOST_CHECK_EQUAL(queriesCount, 11);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cname_glue) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("powerdns.com.");
-  const DNSName targetCName1("cname.sub.powerdns.com.");
-  const DNSName targetCName2("cname2.sub.powerdns.com.");
-  const ComboAddress targetCName2Addr("192.0.2.42");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,targetCName1,targetCName2,targetCName2Addr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        if (domain == DNSName("sub.powerdns.com")) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          return 1;
-        }
-        else {
-          return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-        }
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(DNSName("com."), 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          setLWResult(res, 0, false, false, true);
-          if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          }
-          else {
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            if (domain == DNSName("powerdns.com.")) {
-              addDS(DNSName("powerdns.com."), 300, res->d_records, keys);
-            }
-            else if (domain == DNSName("sub.powerdns.com")) {
-              addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records);
-            }
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.2:53")) {
-          setLWResult(res, 0, true, false, true);
-
-          if (type == QType::NS) {
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-            if (domain == DNSName("powerdns.com.")) {
-              addRRSIG(keys, res->d_records, domain, 300);
-            }
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-            if (domain == DNSName("powerdns.com.")) {
-              addRRSIG(keys, res->d_records, domain, 300);
-            }
-          }
-          else {
-            if (domain == DNSName("powerdns.com.")) {
-              addRecordToLW(res, domain, QType::CNAME, targetCName1.toString());
-              addRRSIG(keys, res->d_records, domain, 300);
-              /* add the CNAME target as a glue, with no RRSIG since the sub zone is insecure */
-              addRecordToLW(res, targetCName1, QType::CNAME, targetCName2.toString());
-              addRecordToLW(res, targetCName2, QType::A, targetCName2Addr.toString());
-            }
-            else if (domain == targetCName1) {
-              addRecordToLW(res, domain, QType::CNAME, targetCName2.toString());
-            }
-            else if (domain == targetCName2) {
-              addRecordToLW(res, domain, QType::A, targetCName2Addr.toString());
-            }
-          }
-
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 4);
-  BOOST_CHECK_EQUAL(queriesCount, 11);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 4);
-  BOOST_CHECK_EQUAL(queriesCount, 11);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_insecure_to_secure_cname) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("power-dns.com.");
-  const DNSName targetCName("powerdns.com.");
-  const ComboAddress targetCNameAddr("192.0.2.42");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,targetCName,targetCNameAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS) {
-        if (domain == DNSName("power-dns.com.")) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          return 1;
-        }
-        else {
-          return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-        }
-      }
-      else if (type == QType::DNSKEY) {
-        if (domain == g_rootdnsname || domain == DNSName("com.") || domain == DNSName("powerdns.com.")) {
-          setLWResult(res, 0, true, false, true);
-          addDNSKEY(keys, domain, 300, res->d_records);
-          addRRSIG(keys, res->d_records, domain, 300);
-          return 1;
-        }
-        else {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          return 1;
-        }
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(DNSName("com."), 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          }
-          else if (domain == DNSName("powerdns.com.") || domain == DNSName("power-dns.com.")) {
-            setLWResult(res, 0, false, false, true);
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            if (domain == targetCName) {
-              addDS(DNSName("powerdns.com."), 300, res->d_records, keys);
-            }
-            else if (domain == target) {
-              addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records);
-            }
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.2:53")) {
-          setLWResult(res, 0, true, false, true);
-          if (type == QType::NS) {
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-            if (domain == DNSName("powerdns.com.")) {
-              addRRSIG(keys, res->d_records, domain, 300);
-            }
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-            if (domain == DNSName("powerdns.com.")) {
-              addRRSIG(keys, res->d_records, domain, 300);
-            }
-          }
-          else {
-            if (domain == target) {
-              addRecordToLW(res, domain, QType::CNAME, targetCName.toString());
-            }
-            else if (domain == targetCName) {
-              addRecordToLW(res, domain, QType::A, targetCNameAddr.toString());
-              addRRSIG(keys, res->d_records, domain, 300);
-            }
-          }
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 3);
-  BOOST_CHECK_EQUAL(queriesCount, 11);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 3);
-  BOOST_CHECK_EQUAL(queriesCount, 11);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_secure_cname) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("power-dns.com.");
-  const DNSName targetCName("powerdns.com.");
-  const ComboAddress targetCNameAddr("192.0.2.42");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("power-dns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,targetCName,targetCNameAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(DNSName("com."), 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          }
-          else if (domain == DNSName("powerdns.com.") || domain == DNSName("power-dns.com.")) {
-            setLWResult(res, 0, false, false, true);
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            addDS(DNSName(domain), 300, res->d_records, keys);
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.2:53")) {
-          setLWResult(res, 0, true, false, true);
-          if (type == QType::NS) {
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-            addRRSIG(keys, res->d_records, domain, 300);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-            addRRSIG(keys, res->d_records, domain, 300);
-          }
-          else {
-            if (domain == target) {
-              addRecordToLW(res, domain, QType::CNAME, targetCName.toString());
-              /* No RRSIG, leading to bogus */
-            }
-            else if (domain == targetCName) {
-              addRecordToLW(res, domain, QType::A, targetCNameAddr.toString());
-              addRRSIG(keys, res->d_records, domain, 300);
-            }
-          }
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 3);
-  BOOST_CHECK_EQUAL(queriesCount, 11);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 3);
-  BOOST_CHECK_EQUAL(queriesCount, 11);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_bogus_cname) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("power-dns.com.");
-  const DNSName targetCName("powerdns.com.");
-  const ComboAddress targetCNameAddr("192.0.2.42");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("power-dns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,targetCName,targetCNameAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(DNSName("com."), 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          }
-          else if (domain == DNSName("powerdns.com.") || domain == DNSName("power-dns.com.")) {
-            setLWResult(res, 0, false, false, true);
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            addDS(DNSName(domain), 300, res->d_records, keys);
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.2:53")) {
-          setLWResult(res, 0, true, false, true);
-          if (type == QType::NS) {
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-            addRRSIG(keys, res->d_records, domain, 300);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-            addRRSIG(keys, res->d_records, domain, 300);
-          }
-          else {
-            if (domain == target) {
-              addRecordToLW(res, domain, QType::CNAME, targetCName.toString());
-              addRRSIG(keys, res->d_records, domain, 300);
-            }
-            else if (domain == targetCName) {
-              addRecordToLW(res, domain, QType::A, targetCNameAddr.toString());
-              /* No RRSIG, leading to bogus */
-            }
-          }
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 3);
-  BOOST_CHECK_EQUAL(queriesCount, 11);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 3);
-  BOOST_CHECK_EQUAL(queriesCount, 11);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_secure_cname) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("power-dns.com.");
-  const DNSName targetCName("powerdns.com.");
-  const ComboAddress targetCNameAddr("192.0.2.42");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("power-dns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,targetCName,targetCNameAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(DNSName("com."), 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          }
-          else if (domain == DNSName("powerdns.com.") || domain == DNSName("power-dns.com.")) {
-            setLWResult(res, 0, false, false, true);
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            addDS(DNSName(domain), 300, res->d_records, keys);
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.2:53")) {
-          setLWResult(res, 0, true, false, true);
-          if (type == QType::NS) {
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-            addRRSIG(keys, res->d_records, domain, 300);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-            addRRSIG(keys, res->d_records, domain, 300);
-          }
-          else {
-            if (domain == target) {
-              addRecordToLW(res, domain, QType::CNAME, targetCName.toString());
-              addRRSIG(keys, res->d_records, domain, 300);
-            }
-            else if (domain == targetCName) {
-              addRecordToLW(res, domain, QType::A, targetCNameAddr.toString());
-              addRRSIG(keys, res->d_records, domain, 300);
-            }
-          }
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 4);
-  BOOST_CHECK_EQUAL(queriesCount, 12);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 4);
-  BOOST_CHECK_EQUAL(queriesCount, 12);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_insecure_cname) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("powerdns.com.");
-  const DNSName targetCName("power-dns.com.");
-  const ComboAddress targetCNameAddr("192.0.2.42");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(DNSName("power-dns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,targetCName,targetCNameAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS) {
-        if (domain == DNSName("power-dns.com.")) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          return 1;
-        }
-        else {
-          return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-        }
-      }
-      else if (type == QType::DNSKEY) {
-        if (domain == g_rootdnsname || domain == DNSName("com.") || domain == DNSName("powerdns.com.")) {
-          setLWResult(res, 0, true, false, true);
-          addDNSKEY(keys, domain, 300, res->d_records);
-          addRRSIG(keys, res->d_records, domain, 300);
-          return 1;
-        }
-        else {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          return 1;
-        }
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addDS(DNSName("com."), 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-          }
-          else if (domain == DNSName("powerdns.com.") || domain == DNSName("power-dns.com.")) {
-            setLWResult(res, 0, false, false, true);
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            if (domain == DNSName("powerdns.com.")) {
-              addDS(DNSName("powerdns.com."), 300, res->d_records, keys);
-            }
-            else if (domain == targetCName) {
-              addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records);
-            }
-            addRRSIG(keys, res->d_records, DNSName("com."), 300);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.2:53")) {
-          setLWResult(res, 0, true, false, true);
-          if (type == QType::NS) {
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          else {
-            if (domain == DNSName("powerdns.com.")) {
-              addRecordToLW(res, domain, QType::CNAME, targetCName.toString());
-              /* No RRSIG -> Bogus */
-            }
-            else if (domain == targetCName) {
-              addRecordToLW(res, domain, QType::A, targetCNameAddr.toString());
-            }
-          }
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  /* no RRSIG to show */
-  BOOST_CHECK_EQUAL(ret.size(), 2);
-  BOOST_CHECK_EQUAL(queriesCount, 10);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_CHECK_EQUAL(ret.size(), 2);
-  BOOST_CHECK_EQUAL(queriesCount, 10);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("powerdns.com.");
-  const ComboAddress targetAddr("192.0.2.42");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  /* No key material for .com */
-  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  luaconfsCopy.dsAnchors[target].insert(keys[target].second);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DNSKEY) {
-        if (domain == g_rootdnsname || domain == DNSName("powerdns.com.")) {
-          setLWResult(res, 0, true, false, true);
-          addDNSKEY(keys, domain, 300, res->d_records);
-          addRRSIG(keys, res->d_records, domain, 300);
-          return 1;
-        }
-        else if (domain == DNSName("com.")) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::SOA, ". yop. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          return 1;
-        }
-      }
-      else {
-        if (isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addNSECRecordToLW(DNSName("com."), DNSName("com."), { QType::NS }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          if (target == domain) {
-            setLWResult(res, 0, false, false, true);
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          else if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.2:53")) {
-          setLWResult(res, 0, true, false, true);
-          if (type == QType::NS) {
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-          }
-          else {
-            addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
-          }
-          addRRSIG(keys, res->d_records, domain, 300);
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  /* should be insecure but we have a TA for powerdns.com. */
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  /* We got a RRSIG */
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(queriesCount, 5);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(queriesCount, 5);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta_norrsig) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("powerdns.com.");
-  const ComboAddress targetAddr("192.0.2.42");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  /* No key material for .com */
-  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  luaconfsCopy.dsAnchors[target].insert(keys[target].second);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DNSKEY) {
-        if (domain == g_rootdnsname || domain == DNSName("powerdns.com.")) {
-          setLWResult(res, 0, true, false, true);
-          addDNSKEY(keys, domain, 300, res->d_records);
-          addRRSIG(keys, res->d_records, domain, 300);
-          return 1;
-        }
-        else if (domain == DNSName("com.")) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, domain, QType::SOA, ". yop. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-          return 1;
-        }
-      }
-      else {
-        if (target.isPartOf(domain) && isRootServer(ip)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
-          addNSECRecordToLW(DNSName("com."), DNSName("com."), { QType::NS }, 600, res->d_records);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (ip == ComboAddress("192.0.2.1:53")) {
-          if (target == domain) {
-            setLWResult(res, 0, false, false, true);
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
-            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          else if (domain == DNSName("com.")) {
-            setLWResult(res, 0, true, false, true);
-            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
-            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          }
-          return 1;
-        }
-        else if (domain == target && ip == ComboAddress("192.0.2.2:53")) {
-          setLWResult(res, 0, true, false, true);
-          if (type == QType::NS) {
-            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
-          }
-          else {
-            addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
-          }
-          /* No RRSIG in a now (thanks to TA) Secure zone -> Bogus*/
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  /* should be insecure but we have a TA for powerdns.com., but no RRSIG so Bogus */
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  /* No RRSIG */
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(queriesCount, 4);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK(ret[0].d_type == QType::A);
-  BOOST_CHECK_EQUAL(queriesCount, 4);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_nta) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target(".");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  /* Add a NTA for "." */
-  luaconfsCopy.negAnchors[g_rootdnsname] = "NTA for Root";
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (domain == target && type == QType::NS) {
-
-        setLWResult(res, 0, true, false, true);
-        char addr[] = "a.root-servers.net.";
-        for (char idx = 'a'; idx <= 'm'; idx++) {
-          addr[0] = idx;
-          addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);
-        }
-
-        addRRSIG(keys, res->d_records, domain, 300);
-
-        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
-        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
-
-        return 1;
-      } else if (domain == target && type == QType::DNSKEY) {
-
-        setLWResult(res, 0, true, false, true);
-
-        /* No DNSKEY */
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  /* 13 NS + 1 RRSIG */
-  BOOST_REQUIRE_EQUAL(ret.size(), 14);
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 14);
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_no_ta) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target(".");
-  testkeysset_t keys;
-
-  /* Remove the root DS */
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (domain == target && type == QType::NS) {
-
-        setLWResult(res, 0, true, false, true);
-        char addr[] = "a.root-servers.net.";
-        for (char idx = 'a'; idx <= 'm'; idx++) {
-          addr[0] = idx;
-          addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);
-        }
-
-        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
-        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
-
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  /* 13 NS + 0 RRSIG */
-  BOOST_REQUIRE_EQUAL(ret.size(), 13);
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 13);
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_bogus_nodata) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("powerdns.com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-      }
-      else {
-
-        setLWResult(res, 0, true, false, true);
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 0);
-  /* com|NS, powerdns.com|NS, powerdns.com|A */
-  BOOST_CHECK_EQUAL(queriesCount, 3);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 0);
-  /* we don't store empty results */
-  BOOST_CHECK_EQUAL(queriesCount, 4);
-}
-
-BOOST_AUTO_TEST_CASE(test_nsec_denial_nowrap) {
-  init();
-
-  testkeysset_t keys;
-  generateKeyMaterial(DNSName("example.org."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  vector<DNSRecord> records;
-
-  vector<shared_ptr<DNSRecordContent>> recordContents;
-  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
-
-  /*
-    No wrap test case:
-    a.example.org. -> d.example.org. denies the existence of b.example.org.
-   */
-  addNSECRecordToLW(DNSName("a.example.org."), DNSName("d.example.org"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
-  recordContents.push_back(records.at(0).d_content);
-  addRRSIG(keys, records, DNSName("example.org."), 300);
-  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
-  records.clear();
-
-  ContentSigPair pair;
-  pair.records = recordContents;
-  pair.signatures = signatureContents;
-  cspmap_t denialMap;
-  denialMap[std::make_pair(DNSName("a.example.org."), QType::NSEC)] = pair;
-
-  /* add wildcard denial */
-  recordContents.clear();
-  signatureContents.clear();
-  addNSECRecordToLW(DNSName("example.org."), DNSName("+.example.org"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
-  recordContents.push_back(records.at(0).d_content);
-  addRRSIG(keys, records, DNSName("example.org."), 300);
-  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
-  records.clear();
-
-  pair.records = recordContents;
-  pair.signatures = signatureContents;
-  denialMap[std::make_pair(DNSName("example.org."), QType::NSEC)] = pair;
-
-  dState denialState = getDenial(denialMap, DNSName("b.example.org."), QType::A, false, false);
-  BOOST_CHECK_EQUAL(denialState, NXDOMAIN);
-
-  denialState = getDenial(denialMap, DNSName("d.example.org."), QType::A, false, false);
-  /* let's check that d.example.org. is not denied by this proof */
-  BOOST_CHECK_EQUAL(denialState, NODATA);
-}
-
-BOOST_AUTO_TEST_CASE(test_nsec_denial_wrap_case_1) {
-  init();
-
-  testkeysset_t keys;
-  generateKeyMaterial(DNSName("example.org."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  vector<DNSRecord> records;
-
-  vector<shared_ptr<DNSRecordContent>> recordContents;
-  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
-
-  /*
-    Wrap case 1 test case:
-    z.example.org. -> b.example.org. denies the existence of a.example.org.
-   */
-  addNSECRecordToLW(DNSName("z.example.org."), DNSName("b.example.org"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
-  recordContents.push_back(records.at(0).d_content);
-  addRRSIG(keys, records, DNSName("example.org."), 300);
-  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
-  records.clear();
-
-  ContentSigPair pair;
-  pair.records = recordContents;
-  pair.signatures = signatureContents;
-  cspmap_t denialMap;
-  denialMap[std::make_pair(DNSName("z.example.org."), QType::NSEC)] = pair;
-
-  dState denialState = getDenial(denialMap, DNSName("a.example.org."), QType::A, false, false);
-  BOOST_CHECK_EQUAL(denialState, NXDOMAIN);
-
-  denialState = getDenial(denialMap, DNSName("d.example.org."), QType::A, false, false);
-  /* let's check that d.example.org. is not denied by this proof */
-  BOOST_CHECK_EQUAL(denialState, NODATA);
-}
-
-BOOST_AUTO_TEST_CASE(test_nsec_denial_wrap_case_2) {
-  init();
-
-  testkeysset_t keys;
-  generateKeyMaterial(DNSName("example.org."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  vector<DNSRecord> records;
-
-  vector<shared_ptr<DNSRecordContent>> recordContents;
-  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
-
-  /*
-    Wrap case 2 test case:
-    y.example.org. -> a.example.org. denies the existence of z.example.org.
-   */
-  addNSECRecordToLW(DNSName("y.example.org."), DNSName("a.example.org"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
-  recordContents.push_back(records.at(0).d_content);
-  addRRSIG(keys, records, DNSName("example.org."), 300);
-  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
-  records.clear();
-
-  ContentSigPair pair;
-  pair.records = recordContents;
-  pair.signatures = signatureContents;
-  cspmap_t denialMap;
-  denialMap[std::make_pair(DNSName("y.example.org."), QType::NSEC)] = pair;
-
-  dState denialState = getDenial(denialMap, DNSName("z.example.org."), QType::A, false, false);
-  BOOST_CHECK_EQUAL(denialState, NXDOMAIN);
-
-  denialState = getDenial(denialMap, DNSName("d.example.org."), QType::A, false, false);
-  /* let's check that d.example.org. is not denied by this proof */
-  BOOST_CHECK_EQUAL(denialState, NODATA);
-}
-
-BOOST_AUTO_TEST_CASE(test_nsec_denial_only_one_nsec) {
-  init();
-
-  testkeysset_t keys;
-  generateKeyMaterial(DNSName("example.org."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  vector<DNSRecord> records;
-
-  vector<shared_ptr<DNSRecordContent>> recordContents;
-  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
-
-  /*
-    Only one NSEC in the whole zone test case:
-    a.example.org. -> a.example.org. denies the existence of b.example.org.
-   */
-  addNSECRecordToLW(DNSName("a.example.org."), DNSName("a.example.org"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
-  recordContents.push_back(records.at(0).d_content);
-  addRRSIG(keys, records, DNSName("example.org."), 300);
-  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
-  records.clear();
-
-  ContentSigPair pair;
-  pair.records = recordContents;
-  pair.signatures = signatureContents;
-  cspmap_t denialMap;
-  denialMap[std::make_pair(DNSName("a.example.org."), QType::NSEC)] = pair;
-
-  dState denialState = getDenial(denialMap, DNSName("b.example.org."), QType::A, false, false);
-  BOOST_CHECK_EQUAL(denialState, NXDOMAIN);
-
-  denialState = getDenial(denialMap, DNSName("a.example.org."), QType::A, false, false);
-  /* let's check that d.example.org. is not denied by this proof */
-  BOOST_CHECK_EQUAL(denialState, NODATA);
-}
-
-BOOST_AUTO_TEST_CASE(test_nsec_root_nxd_denial) {
-  init();
-
-  testkeysset_t keys;
-  generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  vector<DNSRecord> records;
-
-  vector<shared_ptr<DNSRecordContent>> recordContents;
-  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
-
-  /*
-    The RRSIG from "." denies the existence of anything between a. and c.,
-    including b.
-  */
-  addNSECRecordToLW(DNSName("a."), DNSName("c."), { QType::NS }, 600, records);
-  recordContents.push_back(records.at(0).d_content);
-  addRRSIG(keys, records, DNSName("."), 300);
-  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
-  records.clear();
-
-  ContentSigPair pair;
-  pair.records = recordContents;
-  pair.signatures = signatureContents;
-  cspmap_t denialMap;
-  denialMap[std::make_pair(DNSName("a."), QType::NSEC)] = pair;
-
-  /* add wildcard denial */
-  recordContents.clear();
-  signatureContents.clear();
-  addNSECRecordToLW(DNSName("."), DNSName("+"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
-  recordContents.push_back(records.at(0).d_content);
-  addRRSIG(keys, records, DNSName("."), 300);
-  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
-  records.clear();
-
-  pair.records = recordContents;
-  pair.signatures = signatureContents;
-  denialMap[std::make_pair(DNSName("."), QType::NSEC)] = pair;
-
-  dState denialState = getDenial(denialMap, DNSName("b."), QType::A, false, false);
-  BOOST_CHECK_EQUAL(denialState, NXDOMAIN);
-}
-
-BOOST_AUTO_TEST_CASE(test_nsec_ancestor_nxqtype_denial) {
-  init();
-
-  testkeysset_t keys;
-  generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  vector<DNSRecord> records;
-
-  vector<shared_ptr<DNSRecordContent>> recordContents;
-  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
-
-  /*
-    The RRSIG from "." denies the existence of any type except NS at a.
-    However since it's an ancestor delegation NSEC (NS bit set, SOA bit clear,
-    signer field that is shorter than the owner name of the NSEC RR) it can't
-    be used to deny anything except the whole name or a DS.
-  */
-  addNSECRecordToLW(DNSName("a."), DNSName("b."), { QType::NS }, 600, records);
-  recordContents.push_back(records.at(0).d_content);
-  addRRSIG(keys, records, DNSName("."), 300);
-  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
-  records.clear();
-
-  ContentSigPair pair;
-  pair.records = recordContents;
-  pair.signatures = signatureContents;
-  cspmap_t denialMap;
-  denialMap[std::make_pair(DNSName("a."), QType::NSEC)] = pair;
-
-  /* RFC 6840 section 4.1 "Clarifications on Nonexistence Proofs":
-     Ancestor delegation NSEC or NSEC3 RRs MUST NOT be used to assume
-     nonexistence of any RRs below that zone cut, which include all RRs at
-     that (original) owner name other than DS RRs, and all RRs below that
-     owner name regardless of type.
-  */
-
-  dState denialState = getDenial(denialMap, DNSName("a."), QType::A, false, false);
-  /* no data means the qname/qtype is not denied, because an ancestor
-     delegation NSEC can only deny the DS */
-  BOOST_CHECK_EQUAL(denialState, NODATA);
-
-  /* it can not be used to deny any RRs below that owner name either */
-  denialState = getDenial(denialMap, DNSName("sub.a."), QType::A, false, false);
-  BOOST_CHECK_EQUAL(denialState, NODATA);
-
-  denialState = getDenial(denialMap, DNSName("a."), QType::DS, true, true);
-  BOOST_CHECK_EQUAL(denialState, NXQTYPE);
-}
-
-BOOST_AUTO_TEST_CASE(test_nsec_insecure_delegation_denial) {
-  init();
-
-  testkeysset_t keys;
-  generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  vector<DNSRecord> records;
-
-  vector<shared_ptr<DNSRecordContent>> recordContents;
-  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
-
-  /*
-   * RFC 5155 section 8.9:
-   * If there is an NSEC3 RR present in the response that matches the
-   * delegation name, then the validator MUST ensure that the NS bit is
-   * set and that the DS bit is not set in the Type Bit Maps field of the
-   * NSEC3 RR.
-   */
-  /*
-    The RRSIG from "." denies the existence of any type at a.
-    NS should be set if it was proving an insecure delegation, let's check that
-    we correctly detect that it's not.
-  */
-  addNSECRecordToLW(DNSName("a."), DNSName("b."), { }, 600, records);
-  recordContents.push_back(records.at(0).d_content);
-  addRRSIG(keys, records, DNSName("."), 300);
-  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
-  records.clear();
-
-  ContentSigPair pair;
-  pair.records = recordContents;
-  pair.signatures = signatureContents;
-  cspmap_t denialMap;
-  denialMap[std::make_pair(DNSName("a."), QType::NSEC)] = pair;
-
-  /* Insecure because the NS is not set, so while it does
-     denies the DS, it can't prove an insecure delegation */
-  dState denialState = getDenial(denialMap, DNSName("a."), QType::DS, true, true);
-  BOOST_CHECK_EQUAL(denialState, NODATA);
-}
-
-BOOST_AUTO_TEST_CASE(test_nsec_nxqtype_cname) {
-  init();
-
-  testkeysset_t keys;
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  vector<DNSRecord> records;
-
-  vector<shared_ptr<DNSRecordContent>> recordContents;
-  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
-
-  addNSECRecordToLW(DNSName("a.powerdns.com."), DNSName("a.c.powerdns.com."), { QType::CNAME }, 600, records);
-  recordContents.push_back(records.at(0).d_content);
-  addRRSIG(keys, records, DNSName("powerdns.com."), 300);
-  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
-  records.clear();
-
-  ContentSigPair pair;
-  pair.records = recordContents;
-  pair.signatures = signatureContents;
-  cspmap_t denialMap;
-  denialMap[std::make_pair(DNSName("a.powerdns.com."), QType::NSEC)] = pair;
-
-  /* this NSEC is not valid to deny a.powerdns.com|A since it states that a CNAME exists */
-  dState denialState = getDenial(denialMap, DNSName("a.powerdns.com."), QType::A, true, true);
-  BOOST_CHECK_EQUAL(denialState, NODATA);
-}
-
-BOOST_AUTO_TEST_CASE(test_nsec3_nxqtype_cname) {
-  init();
-
-  testkeysset_t keys;
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  vector<DNSRecord> records;
-
-  vector<shared_ptr<DNSRecordContent>> recordContents;
-  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
-
-  addNSEC3UnhashedRecordToLW(DNSName("a.powerdns.com."), DNSName("powerdns.com."), "whatever", { QType::CNAME }, 600, records);
-  recordContents.push_back(records.at(0).d_content);
-  addRRSIG(keys, records, DNSName("powerdns.com."), 300);
-  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
-
-  ContentSigPair pair;
-  pair.records = recordContents;
-  pair.signatures = signatureContents;
-  cspmap_t denialMap;
-  denialMap[std::make_pair(records.at(0).d_name, records.at(0).d_type)] = pair;
-  records.clear();
-
-  /* this NSEC3 is not valid to deny a.powerdns.com|A since it states that a CNAME exists */
-  dState denialState = getDenial(denialMap, DNSName("a.powerdns.com."), QType::A, false, true);
-  BOOST_CHECK_EQUAL(denialState, NODATA);
-}
-
-BOOST_AUTO_TEST_CASE(test_nsec_nxdomain_denial_missing_wildcard) {
-  init();
-
-  testkeysset_t keys;
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  vector<DNSRecord> records;
-
-  vector<shared_ptr<DNSRecordContent>> recordContents;
-  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
-
-  addNSECRecordToLW(DNSName("a.powerdns.com."), DNSName("d.powerdns.com"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
-  recordContents.push_back(records.at(0).d_content);
-  addRRSIG(keys, records, DNSName("powerdns.com."), 300);
-  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
-  records.clear();
-
-  ContentSigPair pair;
-  pair.records = recordContents;
-  pair.signatures = signatureContents;
-  cspmap_t denialMap;
-  denialMap[std::make_pair(DNSName("a.powerdns.com."), QType::NSEC)] = pair;
-
-  dState denialState = getDenial(denialMap, DNSName("b.powerdns.com."), QType::A, false, false);
-  BOOST_CHECK_EQUAL(denialState, NODATA);
-}
-
-BOOST_AUTO_TEST_CASE(test_nsec3_nxdomain_denial_missing_wildcard) {
-  init();
-
-  testkeysset_t keys;
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  vector<DNSRecord> records;
-
-  vector<shared_ptr<DNSRecordContent>> recordContents;
-  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
-
-  addNSEC3NarrowRecordToLW(DNSName("a.powerdns.com."), DNSName("powerdns.com."), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
-  recordContents.push_back(records.at(0).d_content);
-  addRRSIG(keys, records, DNSName("powerdns.com."), 300);
-  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
-
-  ContentSigPair pair;
-  pair.records = recordContents;
-  pair.signatures = signatureContents;
-  cspmap_t denialMap;
-  denialMap[std::make_pair(records.at(0).d_name, records.at(0).d_type)] = pair;
-
-  /* Add NSEC3 for the closest encloser */
-  recordContents.clear();
-  signatureContents.clear();
-  records.clear();
-  addNSEC3UnhashedRecordToLW(DNSName("powerdns.com."), DNSName("powerdns.com."), "whatever", { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
-  recordContents.push_back(records.at(0).d_content);
-  addRRSIG(keys, records, DNSName("powerdns.com."), 300);
-  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
-
-  pair.records = recordContents;
-  pair.signatures = signatureContents;
-  denialMap[std::make_pair(records.at(0).d_name, records.at(0).d_type)] = pair;
-
-  dState denialState = getDenial(denialMap, DNSName("b.powerdns.com."), QType::A, false, false);
-  BOOST_CHECK_EQUAL(denialState, NODATA);
-}
-
-BOOST_AUTO_TEST_CASE(test_nsec_ent_denial) {
-  init();
-
-  testkeysset_t keys;
-  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  vector<DNSRecord> records;
-
-  vector<shared_ptr<DNSRecordContent>> recordContents;
-  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
-
-  addNSECRecordToLW(DNSName("a.powerdns.com."), DNSName("a.c.powerdns.com."), { QType::A }, 600, records);
-  recordContents.push_back(records.at(0).d_content);
-  addRRSIG(keys, records, DNSName("powerdns.com."), 300);
-  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
-  records.clear();
-
-  ContentSigPair pair;
-  pair.records = recordContents;
-  pair.signatures = signatureContents;
-  cspmap_t denialMap;
-  denialMap[std::make_pair(DNSName("a.powerdns.com."), QType::NSEC)] = pair;
-
-  /* this NSEC is valid to prove a NXQTYPE at c.powerdns.com because it proves that
-     it is an ENT */
-  dState denialState = getDenial(denialMap, DNSName("c.powerdns.com."), QType::AAAA, true, true);
-  BOOST_CHECK_EQUAL(denialState, NXQTYPE);
-
-  /* this NSEC is not valid to prove a NXQTYPE at b.powerdns.com,
-     it could prove a NXDOMAIN if it had an additional wildcard denial */
-  denialState = getDenial(denialMap, DNSName("b.powerdns.com."), QType::AAAA, true, true);
-  BOOST_CHECK_EQUAL(denialState, NODATA);
-
-  /* this NSEC is not valid to prove a NXQTYPE for QType::A at a.c.powerdns.com either */
-  denialState = getDenial(denialMap, DNSName("a.c.powerdns.com."), QType::A, true, true);
-  BOOST_CHECK_EQUAL(denialState, NODATA);
-
-  /* if we add the wildcard denial proof, we should get a NXDOMAIN proof for b.powerdns.com */
-  recordContents.clear();
-  signatureContents.clear();
-  addNSECRecordToLW(DNSName(").powerdns.com."), DNSName("+.powerdns.com."), { }, 600, records);
-  recordContents.push_back(records.at(0).d_content);
-  addRRSIG(keys, records, DNSName("powerdns.com."), 300);
-  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
-  records.clear();
-  pair.records = recordContents;
-  pair.signatures = signatureContents;
-  denialMap[std::make_pair(DNSName(").powerdns.com."), QType::NSEC)] = pair;
-
-  denialState = getDenial(denialMap, DNSName("b.powerdns.com."), QType::A, true, false);
-  BOOST_CHECK_EQUAL(denialState, NXDOMAIN);
-}
-
-BOOST_AUTO_TEST_CASE(test_nsec3_ancestor_nxqtype_denial) {
-  init();
-
-  testkeysset_t keys;
-  generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  vector<DNSRecord> records;
-
-  vector<shared_ptr<DNSRecordContent>> recordContents;
-  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
-
-  /*
-    The RRSIG from "." denies the existence of any type except NS at a.
-    However since it's an ancestor delegation NSEC (NS bit set, SOA bit clear,
-    signer field that is shorter than the owner name of the NSEC RR) it can't
-    be used to deny anything except the whole name or a DS.
-  */
-  addNSEC3UnhashedRecordToLW(DNSName("a."), DNSName("."), "whatever", { QType::NS }, 600, records);
-  recordContents.push_back(records.at(0).d_content);
-  addRRSIG(keys, records, DNSName("."), 300);
-  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
-
-  ContentSigPair pair;
-  pair.records = recordContents;
-  pair.signatures = signatureContents;
-  cspmap_t denialMap;
-  denialMap[std::make_pair(records.at(0).d_name, records.at(0).d_type)] = pair;
-  records.clear();
-
-  /* RFC 6840 section 4.1 "Clarifications on Nonexistence Proofs":
-     Ancestor delegation NSEC or NSEC3 RRs MUST NOT be used to assume
-     nonexistence of any RRs below that zone cut, which include all RRs at
-     that (original) owner name other than DS RRs, and all RRs below that
-     owner name regardless of type.
-  */
-
-  dState denialState = getDenial(denialMap, DNSName("a."), QType::A, false, true);
-  /* no data means the qname/qtype is not denied, because an ancestor
-     delegation NSEC3 can only deny the DS */
-  BOOST_CHECK_EQUAL(denialState, NODATA);
-
-  denialState = getDenial(denialMap, DNSName("a."), QType::DS, true, true);
-  BOOST_CHECK_EQUAL(denialState, NXQTYPE);
-
-  /* it can not be used to deny any RRs below that owner name either */
-  /* Add NSEC3 for the next closer */
-  recordContents.clear();
-  signatureContents.clear();
-  records.clear();
-  addNSEC3NarrowRecordToLW(DNSName("sub.a."), DNSName("."), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC3 }, 600, records);
-  recordContents.push_back(records.at(0).d_content);
-  addRRSIG(keys, records, DNSName("."), 300);
-  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
-
-  pair.records = recordContents;
-  pair.signatures = signatureContents;
-  denialMap[std::make_pair(records.at(0).d_name, records.at(0).d_type)] = pair;
-
-  /* add wildcard denial */
-  recordContents.clear();
-  signatureContents.clear();
-  records.clear();
-  addNSEC3NarrowRecordToLW(DNSName("*.a."), DNSName("."), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC3 }, 600, records);
-  recordContents.push_back(records.at(0).d_content);
-  addRRSIG(keys, records, DNSName("."), 300);
-  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
-
-  pair.records = recordContents;
-  pair.signatures = signatureContents;
-  denialMap[std::make_pair(records.at(0).d_name, records.at(0).d_type)] = pair;
-
-  denialState = getDenial(denialMap, DNSName("sub.a."), QType::A, false, true);
-  BOOST_CHECK_EQUAL(denialState, NODATA);
-}
-
-BOOST_AUTO_TEST_CASE(test_nsec3_denial_too_many_iterations) {
-  init();
-
-  testkeysset_t keys;
-  generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  vector<DNSRecord> records;
-
-  vector<shared_ptr<DNSRecordContent>> recordContents;
-  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
-
-  /* adding a NSEC3 with more iterations that we support */
-  addNSEC3UnhashedRecordToLW(DNSName("a."), DNSName("."), "whatever", { QType::AAAA }, 600, records, g_maxNSEC3Iterations + 100);
-  recordContents.push_back(records.at(0).d_content);
-  addRRSIG(keys, records, DNSName("."), 300);
-  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
-
-  ContentSigPair pair;
-  pair.records = recordContents;
-  pair.signatures = signatureContents;
-  cspmap_t denialMap;
-  denialMap[std::make_pair(records.at(0).d_name, records.at(0).d_type)] = pair;
-  records.clear();
-
-  dState denialState = getDenial(denialMap, DNSName("a."), QType::A, false, true);
-  /* since we refuse to compute more than g_maxNSEC3Iterations iterations, it should be Insecure */
-  BOOST_CHECK_EQUAL(denialState, INSECURE);
-}
-
-BOOST_AUTO_TEST_CASE(test_nsec3_insecure_delegation_denial) {
-  init();
-
-  testkeysset_t keys;
-  generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-
-  vector<DNSRecord> records;
-
-  vector<shared_ptr<DNSRecordContent>> recordContents;
-  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
-
-  /*
-   * RFC 5155 section 8.9:
-   * If there is an NSEC3 RR present in the response that matches the
-   * delegation name, then the validator MUST ensure that the NS bit is
-   * set and that the DS bit is not set in the Type Bit Maps field of the
-   * NSEC3 RR.
-   */
-  /*
-    The RRSIG from "." denies the existence of any type at a.
-    NS should be set if it was proving an insecure delegation, let's check that
-    we correctly detect that it's not.
-  */
-  addNSEC3UnhashedRecordToLW(DNSName("a."), DNSName("."), "whatever", { }, 600, records);
-  recordContents.push_back(records.at(0).d_content);
-  addRRSIG(keys, records, DNSName("."), 300);
-  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
-
-  ContentSigPair pair;
-  pair.records = recordContents;
-  pair.signatures = signatureContents;
-  cspmap_t denialMap;
-  denialMap[std::make_pair(records.at(0).d_name, records.at(0).d_type)] = pair;
-  records.clear();
-
-  /* Insecure because the NS is not set, so while it does
-     denies the DS, it can't prove an insecure delegation */
-  dState denialState = getDenial(denialMap, DNSName("a."), QType::DS, true, true);
-  BOOST_CHECK_EQUAL(denialState, NODATA);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_rrsig_negcache_validity) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-  const time_t fixedNow = sr->getNow().tv_sec;
-
-  sr->setAsyncCallback([target,&queriesCount,keys,fixedNow](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      DNSName auth = domain;
-      auth.chopOff();
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
-      }
-      else {
-        setLWResult(res, RCode::NoError, true, false, true);
-        addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-        addRRSIG(keys, res->d_records, domain, 300);
-        addNSECRecordToLW(domain, DNSName("z."), { QType::NSEC, QType::RRSIG }, 600, res->d_records);
-        addRRSIG(keys, res->d_records, domain, 1, false, boost::none, boost::none, fixedNow);
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 4);
-  BOOST_CHECK_EQUAL(queriesCount, 4);
-
-  /* check that the entry has not been negatively cached for longer than the RRSIG validity */
-  const NegCache::NegCacheEntry* ne = nullptr;
-  BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1);
-  BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true);
-  BOOST_CHECK_EQUAL(ne->d_ttd, fixedNow + 1);
-  BOOST_CHECK_EQUAL(ne->d_validationState, Secure);
-  BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1);
-  BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 1);
-  BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 1);
-  BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 1);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 4);
-  BOOST_CHECK_EQUAL(queriesCount, 4);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_rrsig_negcache_bogus_validity) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-  const time_t fixedNow = sr->getNow().tv_sec;
-
-  sr->setAsyncCallback([target,&queriesCount,keys,fixedNow](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      DNSName auth = domain;
-      auth.chopOff();
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
-      }
-      else {
-        setLWResult(res, RCode::NoError, true, false, true);
-        addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 86400);
-        addRRSIG(keys, res->d_records, domain, 86400);
-        addNSECRecordToLW(domain, DNSName("z."), { QType::NSEC, QType::RRSIG }, 86400, res->d_records);
-        /* no RRSIG */
-        return 1;
-      }
-
-      return 0;
-    });
-
-  SyncRes::s_maxnegttl = 3600;
-  SyncRes::s_maxbogusttl = 360;
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 3);
-  BOOST_CHECK_EQUAL(queriesCount, 4);
-
-  /* check that the entry has been negatively cached but not longer than s_maxbogusttl */
-  const NegCache::NegCacheEntry* ne = nullptr;
-  BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1);
-  BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true);
-  BOOST_CHECK_EQUAL(ne->d_ttd, fixedNow + SyncRes::s_maxbogusttl);
-  BOOST_CHECK_EQUAL(ne->d_validationState, Bogus);
-  BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1);
-  BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 1);
-  BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 1);
-  BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 0);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 3);
-  BOOST_CHECK_EQUAL(queriesCount, 4);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_rrsig_cache_validity) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("com.");
-  const ComboAddress targetAddr("192.0.2.42");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-  const time_t tnow = sr->getNow().tv_sec;
-
-  sr->setAsyncCallback([target,targetAddr,&queriesCount,keys,tnow](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      DNSName auth = domain;
-      auth.chopOff();
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
-      }
-      else {
-        setLWResult(res, RCode::NoError, true, false, true);
-        addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
-        addRRSIG(keys, res->d_records, domain, 1, false, boost::none, boost::none, tnow);
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK_EQUAL(queriesCount, 4);
-
-  /* check that the entry has not been cached for longer than the RRSIG validity */
-  const ComboAddress who;
-  vector<DNSRecord> cached;
-  vector<std::shared_ptr<RRSIGRecordContent>> signatures;
-  BOOST_REQUIRE_EQUAL(t_RC->get(tnow, target, QType(QType::A), true, &cached, who, &signatures), 1);
-  BOOST_REQUIRE_EQUAL(cached.size(), 1);
-  BOOST_REQUIRE_EQUAL(signatures.size(), 1);
-  BOOST_CHECK_EQUAL((cached[0].d_ttl - tnow), 1);
-
-  /* again, to test the cache */
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK_EQUAL(queriesCount, 4);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cache_secure) {
-  /*
-    Validation is optional, and the first query does not ask for it,
-    so the answer is cached as Indeterminate.
-    The second query asks for validation, answer should be marked as
-    Secure, after just-in-time validation.
-  */
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::Process);
-
-  primeHints();
-  const DNSName target("com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false);
-      }
-      else {
-        if (domain == target && type == QType::A) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, target, QType::A, "192.0.2.1");
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  /* first query does not require validation */
-  sr->setDNSSECValidationRequested(false);
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  for (const auto& record : ret) {
-    BOOST_CHECK(record.d_type == QType::A || record.d_type == QType::RRSIG);
-  }
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-
-
-  ret.clear();
-  /* second one _does_ require validation */
-  sr->setDNSSECValidationRequested(true);
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  for (const auto& record : ret) {
-    BOOST_CHECK(record.d_type == QType::A || record.d_type == QType::RRSIG);
-  }
-  BOOST_CHECK_EQUAL(queriesCount, 3);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cache_insecure) {
-  /*
-    Validation is optional, and the first query does not ask for it,
-    so the answer is cached as Indeterminate.
-    The second query asks for validation, answer should be marked as
-    Insecure.
-  */
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::Process);
-
-  primeHints();
-  const DNSName target("com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false);
-      }
-      else {
-        if (domain == target && type == QType::A) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, target, QType::A, "192.0.2.1");
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  /* first query does not require validation */
-  sr->setDNSSECValidationRequested(false);
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  for (const auto& record : ret) {
-    BOOST_CHECK(record.d_type == QType::A);
-  }
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-
-
-  ret.clear();
-  /* second one _does_ require validation */
-  sr->setDNSSECValidationRequested(true);
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  for (const auto& record : ret) {
-    BOOST_CHECK(record.d_type == QType::A);
-  }
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cache_bogus) {
-  /*
-    Validation is optional, and the first query does not ask for it,
-    so the answer is cached as Indeterminate.
-    The second query asks for validation, answer should be marked as
-    Bogus.
-  */
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::Process);
-
-  primeHints();
-  const DNSName target("com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false);
-      }
-      else {
-        if (domain == target && type == QType::A) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, target, QType::A, "192.0.2.1", DNSResourceRecord::ANSWER, 86400);
-          /* no RRSIG */
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  SyncRes::s_maxbogusttl = 3600;
-
-  vector<DNSRecord> ret;
-  /* first query does not require validation */
-  sr->setDNSSECValidationRequested(false);
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  for (const auto& record : ret) {
-    BOOST_CHECK(record.d_type == QType::A);
-    BOOST_CHECK_EQUAL(record.d_ttl, 86400);
-  }
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-
-
-  ret.clear();
-  /* second one _does_ require validation */
-  sr->setDNSSECValidationRequested(true);
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  /* check that we correctly capped the TTD for a Bogus record after
-     just-in-time validation */
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  for (const auto& record : ret) {
-    BOOST_CHECK(record.d_type == QType::A);
-    BOOST_CHECK_EQUAL(record.d_ttl, SyncRes::s_maxbogusttl);
-  }
-  BOOST_CHECK_EQUAL(queriesCount, 3);
-
-  ret.clear();
-  /* third time also _does_ require validation, so we
-     can check that the cache has been updated */
-  sr->setDNSSECValidationRequested(true);
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  for (const auto& record : ret) {
-    BOOST_CHECK(record.d_type == QType::A);
-    BOOST_CHECK_EQUAL(record.d_ttl, SyncRes::s_maxbogusttl);
-  }
-  BOOST_CHECK_EQUAL(queriesCount, 3);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cname_cache_secure) {
-  /*
-    Validation is optional, and the first query does not ask for it,
-    so the answer is cached as Indeterminate.
-    The second query asks for validation, answer should be marked as
-    Secure.
-  */
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::Process);
-
-  primeHints();
-  const DNSName target("com.");
-  const DNSName cnameTarget("cname-com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,cnameTarget,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false);
-      }
-      else {
-        if (domain == target && type == QType::A) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, target, QType::CNAME, cnameTarget.toString());
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1");
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          return 1;
-        } else if (domain == cnameTarget && type == QType::A) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1");
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  /* first query does not require validation */
-  sr->setDNSSECValidationRequested(false);
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
-  BOOST_REQUIRE_EQUAL(ret.size(), 4);
-  for (const auto& record : ret) {
-    BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A || record.d_type == QType::RRSIG);
-  }
-  BOOST_CHECK_EQUAL(queriesCount, 2);
-
-
-  ret.clear();
-  /* second one _does_ require validation */
-  sr->setDNSSECValidationRequested(true);
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 4);
-  for (const auto& record : ret) {
-    BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A || record.d_type == QType::RRSIG);
-  }
-  BOOST_CHECK_EQUAL(queriesCount, 5);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cname_cache_insecure) {
-  /*
-    Validation is optional, and the first query does not ask for it,
-    so the answer is cached as Indeterminate.
-    The second query asks for validation, answer should be marked as
-    Insecure.
-  */
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::Process);
-
-  primeHints();
-  const DNSName target("com.");
-  const DNSName cnameTarget("cname-com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,cnameTarget,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false);
-      }
-      else {
-        if (domain == target && type == QType::A) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, target, QType::CNAME, cnameTarget.toString());
-          addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1");
-          return 1;
-        } else if (domain == cnameTarget && type == QType::A) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1");
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  /* first query does not require validation */
-  sr->setDNSSECValidationRequested(false);
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  for (const auto& record : ret) {
-    BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A);
-  }
-  BOOST_CHECK_EQUAL(queriesCount, 2);
-
-
-  ret.clear();
-  /* second one _does_ require validation */
-  sr->setDNSSECValidationRequested(true);
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  for (const auto& record : ret) {
-    BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A);
-  }
-  BOOST_CHECK_EQUAL(queriesCount, 2);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cname_cache_bogus) {
-  /*
-    Validation is optional, and the first query does not ask for it,
-    so the answer is cached as Indeterminate.
-    The second query asks for validation, answer should be marked as
-    Bogus.
-  */
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::Process);
-
-  primeHints();
-  const DNSName target("com.");
-  const DNSName cnameTarget("cname-com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,cnameTarget,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false);
-      }
-      else {
-        if (domain == target && type == QType::A) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, target, QType::CNAME, cnameTarget.toString(), DNSResourceRecord::ANSWER, 86400);
-          addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1", DNSResourceRecord::ANSWER, 86400);
-          /* no RRSIG */
-          return 1;
-        } else if (domain == cnameTarget && type == QType::A) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1", DNSResourceRecord::ANSWER, 86400);
-          /* no RRSIG */
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  SyncRes::s_maxbogusttl = 60;
-  SyncRes::s_maxnegttl = 3600;
-
-  vector<DNSRecord> ret;
-  /* first query does not require validation */
-  sr->setDNSSECValidationRequested(false);
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  for (const auto& record : ret) {
-    BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A);
-    BOOST_CHECK_EQUAL(record.d_ttl, 86400);
-  }
-  BOOST_CHECK_EQUAL(queriesCount, 2);
-
-
-  ret.clear();
-  /* second one _does_ require validation */
-  sr->setDNSSECValidationRequested(true);
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  /* check that we correctly capped the TTD for a Bogus record after
-     just-in-time validation */
-  for (const auto& record : ret) {
-    BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A);
-    BOOST_CHECK_EQUAL(record.d_ttl, SyncRes::s_maxbogusttl);
-  }
-  BOOST_CHECK_EQUAL(queriesCount, 5);
-
-  ret.clear();
-  /* and a third time to make sure that the validation status (and TTL!)
-     was properly updated in the cache */
-  sr->setDNSSECValidationRequested(true);
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  for (const auto& record : ret) {
-    BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A);
-    BOOST_CHECK_EQUAL(record.d_ttl, SyncRes::s_maxbogusttl);
-  }
-  BOOST_CHECK_EQUAL(queriesCount, 5);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_additional_without_rrsig) {
-  /*
-    We get a record from a secure zone in the additional section, without
-    the corresponding RRSIG. The record should not be marked as authoritative
-    and should be correctly validated.
-  */
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::Process);
-
-  primeHints();
-  const DNSName target("com.");
-  const DNSName addTarget("nsX.com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,addTarget,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        if (domain == addTarget) {
-          DNSName auth(domain);
-          /* no DS for com, auth will be . */
-          auth.chopOff();
-          return genericDSAndDNSKEYHandler(res, domain, auth, type, keys, false);
-        }
-        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false);
-      }
-      else {
-        if (domain == target && type == QType::A) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, target, QType::A, "192.0.2.1");
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, addTarget, QType::A, "192.0.2.42", DNSResourceRecord::ADDITIONAL);
-          /* no RRSIG for the additional record */
-          return 1;
-        } else if (domain == addTarget && type == QType::A) {
-          setLWResult(res, 0, true, false, true);
-          addRecordToLW(res, addTarget, QType::A, "192.0.2.42");
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          return 1;
-        }
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  /* first query for target/A, will pick up the additional record as non-auth / unvalidated */
-  sr->setDNSSECValidationRequested(false);
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
-  BOOST_CHECK_EQUAL(ret.size(), 2);
-  for (const auto& record : ret) {
-    BOOST_CHECK(record.d_type == QType::RRSIG || record.d_type == QType::A);
-  }
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-
-  ret.clear();
-  /* ask for the additional record directly, we should not use
-     the non-auth one and issue a new query, properly validated */
-  sr->setDNSSECValidationRequested(true);
-  res = sr->beginResolve(addTarget, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_CHECK_EQUAL(ret.size(), 2);
-  for (const auto& record : ret) {
-    BOOST_CHECK(record.d_type == QType::RRSIG || record.d_type == QType::A);
-  }
-  BOOST_CHECK_EQUAL(queriesCount, 5);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_negcache_secure) {
-  /*
-    Validation is optional, and the first query does not ask for it,
-    so the answer is negatively cached as Indeterminate.
-    The second query asks for validation, answer should be marked as
-    Secure.
-  */
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::Process);
-
-  primeHints();
-  const DNSName target("com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      DNSName auth = domain;
-      auth.chopOff();
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
-      }
-      else {
-        setLWResult(res, RCode::NoError, true, false, true);
-        addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-        addRRSIG(keys, res->d_records, domain, 300);
-        addNSECRecordToLW(domain, DNSName("z."), { QType::NSEC, QType::RRSIG }, 600, res->d_records);
-        addRRSIG(keys, res->d_records, domain, 1);
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  /* first query does not require validation */
-  sr->setDNSSECValidationRequested(false);
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
-  BOOST_REQUIRE_EQUAL(ret.size(), 4);
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-  /* check that the entry has not been negatively cached */
-  const NegCache::NegCacheEntry* ne = nullptr;
-  BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1);
-  BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true);
-  BOOST_CHECK_EQUAL(ne->d_validationState, Indeterminate);
-  BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1);
-  BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 1);
-  BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 1);
-  BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 1);
-
-  ret.clear();
-  /* second one _does_ require validation */
-  sr->setDNSSECValidationRequested(true);
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 4);
-  BOOST_CHECK_EQUAL(queriesCount, 4);
-  BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1);
-  BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true);
-  BOOST_CHECK_EQUAL(ne->d_validationState, Secure);
-  BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1);
-  BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 1);
-  BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 1);
-  BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 1);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_negcache_secure_ds) {
-  /*
-    Validation is optional, and the first query does not ask for it,
-    so the answer is negatively cached as Indeterminate.
-    The second query asks for validation, answer should be marked as
-    Secure.
-    The difference with test_dnssec_validation_from_negcache_secure is
-    that have one more level here, so we are going to look for the proof
-    that the DS does not exist for the last level. Since there is no cut,
-    we should accept the fact that the NSEC denies DS and NS both.
-  */
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::Process);
-
-  primeHints();
-  const DNSName target("www.com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        if (domain == target) {
-          /* there is no cut */
-          return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false);
-        }
-        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  /* first query does not require validation */
-  sr->setDNSSECValidationRequested(false);
-  int res = sr->beginResolve(target, QType(QType::DS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
-  BOOST_REQUIRE_EQUAL(ret.size(), 4);
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-
-  ret.clear();
-  /* second one _does_ require validation */
-  sr->setDNSSECValidationRequested(true);
-  res = sr->beginResolve(target, QType(QType::DS), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 4);
-  BOOST_CHECK_EQUAL(queriesCount, 4);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_negcache_insecure) {
-  /*
-    Validation is optional, and the first query does not ask for it,
-    so the answer is negatively cached as Indeterminate.
-    The second query asks for validation, answer should be marked as
-    Insecure.
-  */
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::Process);
-
-  primeHints();
-  const DNSName target("com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      DNSName auth = domain;
-      auth.chopOff();
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
-      }
-      else {
-        setLWResult(res, RCode::NoError, true, false, true);
-        addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
-        return 1;
-      }
-
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  /* first query does not require validation */
-  sr->setDNSSECValidationRequested(false);
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-  /* check that the entry has not been negatively cached */
-  const NegCache::NegCacheEntry* ne = nullptr;
-  BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1);
-  BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true);
-  BOOST_CHECK_EQUAL(ne->d_validationState, Indeterminate);
-  BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1);
-  BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 0);
-  BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 0);
-  BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 0);
-
-  ret.clear();
-  /* second one _does_ require validation */
-  sr->setDNSSECValidationRequested(true);
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-  BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true);
-  BOOST_CHECK_EQUAL(ne->d_validationState, Insecure);
-  BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1);
-  BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 0);
-  BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 0);
-  BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 0);
-}
-
-BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_negcache_bogus) {
-  /*
-    Validation is optional, and the first query does not ask for it,
-    so the answer is negatively cached as Indeterminate.
-    The second query asks for validation, answer should be marked as
-    Bogus.
-  */
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::Process);
-
-  primeHints();
-  const DNSName target("com.");
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queriesCount++;
-
-      DNSName auth = domain;
-      auth.chopOff();
-
-      if (type == QType::DS || type == QType::DNSKEY) {
-        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
-      }
-      else {
-        setLWResult(res, RCode::NoError, true, false, true);
-        addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 86400);
-        addRRSIG(keys, res->d_records, domain, 86400);
-        /* no denial */
-        return 1;
-      }
-
-      return 0;
-    });
-
-  SyncRes::s_maxbogusttl = 60;
-  SyncRes::s_maxnegttl = 3600;
-  const auto now = sr->getNow().tv_sec;
-
-  vector<DNSRecord> ret;
-  /* first query does not require validation */
-  sr->setDNSSECValidationRequested(false);
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  for (const auto& record : ret) {
-    if (record.d_type == QType::SOA) {
-      BOOST_CHECK_EQUAL(record.d_ttl, SyncRes::s_maxnegttl);
-    }
-  }
-  BOOST_CHECK_EQUAL(queriesCount, 1);
-  const NegCache::NegCacheEntry* ne = nullptr;
-  BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1);
-  BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true);
-  BOOST_CHECK_EQUAL(ne->d_validationState, Indeterminate);
-  BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1);
-  BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 1);
-  BOOST_CHECK_EQUAL(ne->d_ttd, now + SyncRes::s_maxnegttl);
-  BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 0);
-  BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 0);
-
-  ret.clear();
-  /* second one _does_ require validation */
-  sr->setDNSSECValidationRequested(true);
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  for (const auto& record : ret) {
-    BOOST_CHECK_EQUAL(record.d_ttl, SyncRes::s_maxbogusttl);
-  }
-  BOOST_CHECK_EQUAL(queriesCount, 4);
-  BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true);
-  BOOST_CHECK_EQUAL(ne->d_validationState, Bogus);
-  BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1);
-  BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 1);
-  BOOST_CHECK_EQUAL(ne->d_ttd, now + SyncRes::s_maxbogusttl);
-  BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 0);
-  BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 0);
-
-  ret.clear();
-  /* third one _does_ not require validation, we just check that
-     the cache (status and TTL) has been correctly updated */
-  sr->setDNSSECValidationRequested(false);
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  for (const auto& record : ret) {
-    BOOST_CHECK_EQUAL(record.d_ttl, SyncRes::s_maxbogusttl);
-  }
-  BOOST_CHECK_EQUAL(queriesCount, 4);
-  BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true);
-  BOOST_CHECK_EQUAL(ne->d_validationState, Bogus);
-  BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1);
-  BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 1);
-  BOOST_CHECK_EQUAL(ne->d_ttd, now + SyncRes::s_maxbogusttl);
-  BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 0);
-  BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 0);
-}
-
-BOOST_AUTO_TEST_CASE(test_lowercase_outgoing) {
-  g_lowercaseOutgoing = true;
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  vector<DNSName> sentOutQnames;
-
-  const DNSName target("WWW.POWERDNS.COM");
-  const DNSName cname("WWW.PowerDNS.org");
-
-  sr->setAsyncCallback([target, cname, &sentOutQnames](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      sentOutQnames.push_back(domain);
-
-      if (isRootServer(ip)) {
-        if (domain == target) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
-          addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        if (domain == cname) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, "powerdns.org.", QType::NS, "pdns-public-ns1.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800);
-          addRecordToLW(res, "pdns-public-ns1.powerdns.org.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-      } else if (ip == ComboAddress("192.0.2.1:53")) {
-        if (domain == target) {
-          setLWResult(res, 0, true, false, false);
-          addRecordToLW(res, domain, QType::CNAME, cname.toString());
-          return 1;
-        }
-      } else if (ip == ComboAddress("192.0.2.2:53")) {
-        if (domain == cname) {
-          setLWResult(res, 0, true, false, false);
-          addRecordToLW(res, domain, QType::A, "127.0.0.1");
-          return 1;
-        }
-      }
-      return 0;
-  });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK_EQUAL(ret[0].d_content->getZoneRepresentation(), cname.toString());
-
-  BOOST_REQUIRE_EQUAL(sentOutQnames.size(), 4);
-  BOOST_CHECK_EQUAL(sentOutQnames[0].toString(), target.makeLowerCase().toString());
-  BOOST_CHECK_EQUAL(sentOutQnames[1].toString(), target.makeLowerCase().toString());
-  BOOST_CHECK_EQUAL(sentOutQnames[2].toString(), cname.makeLowerCase().toString());
-  BOOST_CHECK_EQUAL(sentOutQnames[3].toString(), cname.makeLowerCase().toString());
-
-  g_lowercaseOutgoing = false;
-}
-
-BOOST_AUTO_TEST_CASE(test_getDSRecords_multialgo) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("com.");
-  testkeysset_t keys, keys2;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  g_luaconfs.setState(luaconfsCopy);
-
-  // As testkeysset_t only contains one DSRecordContent, create another one with a different hash algo
-  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA1, keys2);
-  // But add the existing root key otherwise no RRSIG can be created
-  auto rootkey = keys.find(g_rootdnsname);
-  keys2.insert(*rootkey);
-
-  sr->setAsyncCallback([target, keys, keys2](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      DNSName auth = domain;
-      auth.chopOff();
-      if (type == QType::DS || type == QType::DNSKEY) {
-        if (domain == target) {
-          if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys2) != 1) {
-            return 0;
-          }
-        }
-        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
-      }
-      return 0;
-    });
-
-  dsmap_t ds;
-  auto state = sr->getDSRecords(target, ds, false, 0, false);
-  BOOST_CHECK_EQUAL(state, Secure);
-  BOOST_REQUIRE_EQUAL(ds.size(), 1);
-  for (const auto& i : ds) {
-    BOOST_CHECK_EQUAL(i.d_digesttype, DNSSECKeeper::SHA256);
-  }
-}
-
-BOOST_AUTO_TEST_CASE(test_getDSRecords_multialgo_all_sha) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("com.");
-  testkeysset_t keys, keys2, keys3;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  g_luaconfs.setState(luaconfsCopy);
-
-  // As testkeysset_t only contains one DSRecordContent, create another one with a different hash algo
-  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA1, keys2);
-  // But add the existing root key otherwise no RRSIG can be created
-  auto rootkey = keys.find(g_rootdnsname);
-  keys2.insert(*rootkey);
-
-  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA384, keys3);
-  // But add the existing root key otherwise no RRSIG can be created
-  keys3.insert(*rootkey);
-
-  sr->setAsyncCallback([target, keys, keys2, keys3](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      DNSName auth = domain;
-      auth.chopOff();
-      if (type == QType::DS || type == QType::DNSKEY) {
-        if (domain == target) {
-          if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys2) != 1) {
-            return 0;
-          }
-          if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys3) != 1) {
-            return 0;
-          }
-        }
-        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
-      }
-      return 0;
-    });
-
-  dsmap_t ds;
-  auto state = sr->getDSRecords(target, ds, false, 0, false);
-  BOOST_CHECK_EQUAL(state, Secure);
-  BOOST_REQUIRE_EQUAL(ds.size(), 1);
-  for (const auto& i : ds) {
-    BOOST_CHECK_EQUAL(i.d_digesttype, DNSSECKeeper::SHA384);
-  }
-}
-
-BOOST_AUTO_TEST_CASE(test_getDSRecords_multialgo_two_highest) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-  const DNSName target("com.");
-  testkeysset_t keys, keys2, keys3;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  g_luaconfs.setState(luaconfsCopy);
-
-  // As testkeysset_t only contains one DSRecordContent, create another one with a different hash algo
-  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys2);
-  // But add the existing root key otherwise no RRSIG can be created
-  auto rootkey = keys.find(g_rootdnsname);
-  keys2.insert(*rootkey);
-
-  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA1, keys3);
-  // But add the existing root key otherwise no RRSIG can be created
-  keys3.insert(*rootkey);
-
-  sr->setAsyncCallback([target, keys, keys2, keys3](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      DNSName auth = domain;
-      auth.chopOff();
-      if (type == QType::DS || type == QType::DNSKEY) {
-        if (domain == target) {
-          if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys2) != 1) {
-            return 0;
-          }
-          if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys3) != 1) {
-            return 0;
-          }
-        }
-        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
-      }
-      return 0;
-    });
-
-  dsmap_t ds;
-  auto state = sr->getDSRecords(target, ds, false, 0, false);
-  BOOST_CHECK_EQUAL(state, Secure);
-  BOOST_REQUIRE_EQUAL(ds.size(), 2);
-  for (const auto& i : ds) {
-    BOOST_CHECK_EQUAL(i.d_digesttype, DNSSECKeeper::SHA256);
-  }
-}
-
-BOOST_AUTO_TEST_CASE(test_cname_plus_authority_ns_ttl) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("cname.powerdns.com.");
-  const DNSName cnameTarget("cname-target.powerdns.com");
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target, cnameTarget, &queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-       queriesCount++;
-
-       if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, DNSName("powerdns.com"), QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 42);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      } else if (ip == ComboAddress("192.0.2.1:53")) {
-         if (domain == target) {
-          setLWResult(res, 0, true, false, false);
-          addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString());
-          addRecordToLW(res, cnameTarget, QType::A, "192.0.2.2");
-          addRecordToLW(res, DNSName("powerdns.com."), QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-          addRecordToLW(res, DNSName("a.gtld-servers.net."), QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        else if (domain == cnameTarget) {
-          setLWResult(res, 0, true, false, false);
-          addRecordToLW(res, domain, QType::A, "192.0.2.2");
-        }
-
-         return 1;
-      }
-
-      return 0;
-    });
-
-  const time_t now = sr->getNow().tv_sec;
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 2);
-  BOOST_CHECK(ret[0].d_type == QType::CNAME);
-  BOOST_CHECK_EQUAL(ret[0].d_name, target);
-  BOOST_CHECK(ret[1].d_type == QType::A);
-  BOOST_CHECK_EQUAL(ret[1].d_name, cnameTarget);
-
-  /* check that the NS in authority has not replaced the one in the cache
-     with auth=0 (or at least has not raised the TTL since it could otherwise
-     be used to create a never-ending ghost zone even after the NS have been
-     changed in the parent.
-  */
-  const ComboAddress who;
-  vector<DNSRecord> cached;
-  bool wasAuth = false;
-
-  auto ttl = t_RC->get(now, DNSName("powerdns.com."), QType(QType::NS), false, &cached, who, nullptr, nullptr, nullptr, nullptr, &wasAuth);
-  BOOST_REQUIRE_GE(ttl, 1);
-  BOOST_REQUIRE_LE(ttl, 42);
-  BOOST_CHECK_EQUAL(cached.size(), 1);
-  BOOST_CHECK_EQUAL(wasAuth, false);
-
-  cached.clear();
-
-  /* Also check that the the part in additional is still not auth */
-  BOOST_REQUIRE_GE(t_RC->get(now, DNSName("a.gtld-servers.net."), QType(QType::A), false, &cached, who, nullptr, nullptr, nullptr, nullptr, &wasAuth), -1);
-  BOOST_CHECK_EQUAL(cached.size(), 1);
-  BOOST_CHECK_EQUAL(wasAuth, false);
-}
-
-BOOST_AUTO_TEST_CASE(test_records_sanitization_general) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("sanitization.powerdns.com.");
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      setLWResult(res, 0, true, false, true);
-      addRecordToLW(res, domain, QType::A, "192.0.2.1");
-      /* should be scrubbed because it doesn't match the QType */
-      addRecordToLW(res, domain, QType::AAAA, "2001:db8::1");
-      /* should be scrubbed because the DNAME is not relevant to the qname */
-      addRecordToLW(res, DNSName("not-sanitization.powerdns.com."), QType::DNAME, "not-sanitization.powerdns.net.");
-      /* should be scrubbed because a MX has no reason to show up in AUTHORITY */
-      addRecordToLW(res, domain, QType::MX, "10 mx.powerdns.com.", DNSResourceRecord::AUTHORITY);
-      /* should be scrubbed because the SOA name is not relevant to the qname */
-      addRecordToLW(res, DNSName("not-sanitization.powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY);
-      /* should be scrubbed because types other than A or AAAA are not really supposed to show up in ADDITIONAL */
-      addRecordToLW(res, domain, QType::TXT, "TXT", DNSResourceRecord::ADDITIONAL);
-      /* should be scrubbed because it doesn't match any of the accepted names in this answer (mostly 'domain') */
-      addRecordToLW(res, DNSName("powerdns.com."), QType::AAAA, "2001:db8::1", DNSResourceRecord::ADDITIONAL);
-      return 1;
-    });
-
-  const time_t now = sr->getNow().tv_sec;
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-
-  const ComboAddress who;
-  vector<DNSRecord> cached;
-  BOOST_CHECK_GT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0);
-  cached.clear();
-  BOOST_CHECK_LT(t_RC->get(now, target, QType(QType::AAAA), true, &cached, who), 0);
-  BOOST_CHECK_EQUAL(t_RC->get(now, DNSName("not-sanitization.powerdns.com."), QType(QType::DNAME), true, &cached, who), -1);
-  BOOST_CHECK_LT(t_RC->get(now, target, QType(QType::MX), true, &cached, who), 0);
-  BOOST_CHECK_EQUAL(t_RC->get(now, DNSName("not-sanitization.powerdns.com."), QType(QType::SOA), true, &cached, who), -1);
-  BOOST_CHECK_LT(t_RC->get(now, target, QType(QType::TXT), false, &cached, who), 0);
-  BOOST_CHECK_EQUAL(t_RC->get(now, DNSName("powerdns.com."), QType(QType::AAAA), false, &cached, who), -1);
-}
-
-BOOST_AUTO_TEST_CASE(test_records_sanitization_keep_relevant_additional_aaaa) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("sanitization.powerdns.com.");
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      setLWResult(res, 0, true, false, true);
-      addRecordToLW(res, domain, QType::A, "192.0.2.1");
-      addRecordToLW(res, domain, QType::AAAA, "2001:db8::1", DNSResourceRecord::ADDITIONAL);
-      return 1;
-    });
-
-  const time_t now = sr->getNow().tv_sec;
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 1);
-
-  const ComboAddress who;
-  vector<DNSRecord> cached;
-  BOOST_CHECK_GT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0);
-  cached.clear();
-  /* not auth since it was in the additional section */
-  BOOST_CHECK_LT(t_RC->get(now, target, QType(QType::AAAA), true, &cached, who), 0);
-  BOOST_CHECK_GT(t_RC->get(now, target, QType(QType::AAAA), false, &cached, who), 0);
-}
-
-BOOST_AUTO_TEST_CASE(test_records_sanitization_keep_glue) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("sanitization-glue.powerdns.com.");
-
-  size_t queriesCount = 0;
-
-  sr->setAsyncCallback([target,&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-      queriesCount++;
-
-      if (isRootServer(ip)) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-        addRecordToLW(res, "a.gtld-servers.net.", QType::AAAA, "2001:DB8::1", DNSResourceRecord::ADDITIONAL, 3600);
-        return 1;
-      }
-      else if (ip == ComboAddress("192.0.2.1:53") || ip == ComboAddress("[2001:DB8::1]:53")) {
-        setLWResult(res, 0, false, false, true);
-        addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns2.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
-        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 172800);
-        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::AAAA, "2001:DB8::2", DNSResourceRecord::ADDITIONAL, 172800);
-        addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::A, "192.0.2.3", DNSResourceRecord::ADDITIONAL, 172800);
-        addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::AAAA, "2001:DB8::3", DNSResourceRecord::ADDITIONAL, 172800);
-        return 1;
-      }
-      else if (ip == ComboAddress("192.0.2.2:53") || ip == ComboAddress("192.0.2.3:53") || ip == ComboAddress("[2001:DB8::2]:53") || ip == ComboAddress("[2001:DB8::3]:53")) {
-        setLWResult(res, 0, true, false, true);
-        addRecordToLW(res, target, QType::A, "192.0.2.4");
-        return 1;
-      }
-      else {
-        return 0;
-      }
-    });
-
-  const time_t now = sr->getNow().tv_sec;
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-  BOOST_CHECK_EQUAL(queriesCount, 3);
-
-  const ComboAddress who;
-  vector<DNSRecord> cached;
-  BOOST_CHECK_GT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0);
-  cached.clear();
-
-  BOOST_CHECK_GT(t_RC->get(now, DNSName("com."), QType(QType::NS), false, &cached, who), 0);
-  BOOST_CHECK_GT(t_RC->get(now, DNSName("a.gtld-servers.net."), QType(QType::A), false, &cached, who), 0);
-  BOOST_CHECK_GT(t_RC->get(now, DNSName("a.gtld-servers.net."), QType(QType::AAAA), false, &cached, who), 0);
-  BOOST_CHECK_GT(t_RC->get(now, DNSName("powerdns.com."), QType(QType::NS), false, &cached, who), 0);
-  BOOST_CHECK_GT(t_RC->get(now, DNSName("pdns-public-ns1.powerdns.com."), QType(QType::A), false, &cached, who), 0);
-  BOOST_CHECK_GT(t_RC->get(now, DNSName("pdns-public-ns1.powerdns.com."), QType(QType::AAAA), false, &cached, who), 0);
-  BOOST_CHECK_GT(t_RC->get(now, DNSName("pdns-public-ns2.powerdns.com."), QType(QType::A), false, &cached, who), 0);
-  BOOST_CHECK_GT(t_RC->get(now, DNSName("pdns-public-ns2.powerdns.com."), QType(QType::AAAA), false, &cached, who), 0);
-}
-
-BOOST_AUTO_TEST_CASE(test_records_sanitization_scrubs_ns_nxd) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName target("sanitization-ns-nxd.powerdns.com.");
-
-  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-
-     setLWResult(res, RCode::NXDomain, true, false, true);
-     addRecordToLW(res, "powerdns.com.", QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY);
-     addRecordToLW(res, "powerdns.com.", QType::NS, "spoofed.ns.", DNSResourceRecord::AUTHORITY, 172800);
-     addRecordToLW(res, "spoofed.ns.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-     addRecordToLW(res, "spoofed.ns.", QType::AAAA, "2001:DB8::1", DNSResourceRecord::ADDITIONAL, 3600);
-     return 1;
-    });
-
-  const time_t now = sr->getNow().tv_sec;
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
-  BOOST_CHECK_EQUAL(ret.size(), 1);
-
-  const ComboAddress who;
-  vector<DNSRecord> cached;
-  BOOST_CHECK_GT(t_RC->get(now, DNSName("powerdns.com."), QType(QType::SOA), true, &cached, who), 0);
-  cached.clear();
-
-  BOOST_CHECK_LT(t_RC->get(now, DNSName("powerdns.com."), QType(QType::NS), false, &cached, who), 0);
-  BOOST_CHECK_LT(t_RC->get(now, DNSName("spoofed.ns."), QType(QType::A), false, &cached, who), 0);
-  BOOST_CHECK_LT(t_RC->get(now, DNSName("spoofed.ns."), QType(QType::AAAA), false, &cached, who), 0);
-}
-
-BOOST_AUTO_TEST_CASE(test_dname_processing) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName dnameOwner("powerdns.com");
-  const DNSName dnameTarget("powerdns.net");
-
-  const DNSName target("dname.powerdns.com.");
-  const DNSName cnameTarget("dname.powerdns.net");
-
-  const DNSName uncachedTarget("dname-uncached.powerdns.com.");
-  const DNSName uncachedCNAMETarget("dname-uncached.powerdns.net.");
-
-  const DNSName synthCNAME("cname-uncached.powerdns.com.");
-  const DNSName synthCNAMETarget("cname-uncached.powerdns.net.");
-
-  size_t queries = 0;
-
-  sr->setAsyncCallback([dnameOwner, dnameTarget, target, cnameTarget, uncachedTarget, uncachedCNAMETarget, &queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queries++;
-
-      if (isRootServer(ip)) {
-        if (domain.isPartOf(dnameOwner)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, dnameOwner, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-          addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        if (domain.isPartOf(dnameTarget)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, dnameTarget, QType::NS, "b.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-          addRecordToLW(res, "b.gtld-servers.net.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-      } else if (ip == ComboAddress("192.0.2.1:53")) {
-        if (domain == target) {
-          setLWResult(res, 0, true, false, false);
-          addRecordToLW(res, dnameOwner, QType::DNAME, dnameTarget.toString());
-          addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString());
-          return 1;
-        }
-      } else if (ip == ComboAddress("192.0.2.2:53")) {
-        if (domain == cnameTarget) {
-          setLWResult(res, 0, true, false, false);
-          addRecordToLW(res, domain, QType::A, "192.0.2.2");
-        }
-        if (domain == uncachedCNAMETarget) {
-          setLWResult(res, 0, true, false, false);
-          addRecordToLW(res, domain, QType::A, "192.0.2.3");
-        }
-        return 1;
-      }
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 3);
-
-  BOOST_CHECK_EQUAL(queries, 4);
-
-  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
-  BOOST_CHECK(ret[0].d_name == dnameOwner);
-  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
-
-  BOOST_CHECK(ret[1].d_type == QType::CNAME);
-  BOOST_CHECK_EQUAL(ret[1].d_name, target);
-
-  BOOST_CHECK(ret[2].d_type == QType::A);
-  BOOST_CHECK_EQUAL(ret[2].d_name, cnameTarget);
-
-  // Now check the cache
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 3);
-
-  BOOST_CHECK_EQUAL(queries, 4);
-
-  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
-  BOOST_CHECK(ret[0].d_name == dnameOwner);
-  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
-
-  BOOST_CHECK(ret[1].d_type == QType::CNAME);
-  BOOST_CHECK_EQUAL(ret[1].d_name, target);
-
-  BOOST_CHECK(ret[2].d_type == QType::A);
-  BOOST_CHECK_EQUAL(ret[2].d_name, cnameTarget);
-
-  // Check if we correctly return a synthesizd CNAME, should send out just 1 more query
-  ret.clear();
-  res = sr->beginResolve(uncachedTarget, QType(QType::A), QClass::IN, ret);
-
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(queries, 5);
-
-  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
-  BOOST_CHECK(ret[0].d_name == dnameOwner);
-  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
-
-  BOOST_REQUIRE(ret[1].d_type == QType::CNAME);
-  BOOST_CHECK_EQUAL(ret[1].d_name, uncachedTarget);
-  BOOST_CHECK_EQUAL(getRR<CNAMERecordContent>(ret[1])->getTarget(), uncachedCNAMETarget);
-
-  BOOST_CHECK(ret[2].d_type == QType::A);
-  BOOST_CHECK_EQUAL(ret[2].d_name, uncachedCNAMETarget);
-
-  // Check if we correctly return the DNAME from cache when asked
-  ret.clear();
-  res = sr->beginResolve(dnameOwner, QType(QType::DNAME), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(queries, 5);
-
-  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
-  BOOST_CHECK(ret[0].d_name == dnameOwner);
-  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
-
-  // Check if we correctly return the synthesized CNAME from cache when asked
-  ret.clear();
-  res = sr->beginResolve(synthCNAME, QType(QType::CNAME), QClass::IN, ret);
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(queries, 5);
-
-  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
-  BOOST_CHECK(ret[0].d_name == dnameOwner);
-  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
-
-  BOOST_REQUIRE(ret[1].d_type == QType::CNAME);
-  BOOST_CHECK(ret[1].d_name == synthCNAME);
-  BOOST_CHECK_EQUAL(getRR<CNAMERecordContent>(ret[1])->getTarget(), synthCNAMETarget);
-}
-
-BOOST_AUTO_TEST_CASE(test_dname_dnssec_secure) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-
-  const DNSName dnameOwner("powerdns");
-  const DNSName dnameTarget("example");
-
-  const DNSName target("dname.powerdns");
-  const DNSName cnameTarget("dname.example");
-
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(dnameOwner, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  generateKeyMaterial(dnameTarget, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queries = 0;
-
-  sr->setAsyncCallback([dnameOwner, dnameTarget, target, cnameTarget, keys, &queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queries++;
-      /* We don't use the genericDSAndDNSKEYHandler here, as it would deny names existing at the wrong level of the tree, due to the way computeZoneCuts works
-       * As such, we need to do some more work to make the answers correct.
-       */
-
-      if (isRootServer(ip)) {
-        if (domain.countLabels() == 0 && type == QType::DNSKEY) { // .|DNSKEY
-          setLWResult(res, 0, true, false, true);
-          addDNSKEY(keys, domain, 300, res->d_records);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          return 1;
-        }
-        if (domain.countLabels() == 1 && type == QType::DS) { // powerdns|DS or example|DS
-          setLWResult(res, 0, true, false, true);
-          addDS(domain, 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          return 1;
-        }
-        // For the rest, delegate!
-        if (domain.isPartOf(dnameOwner)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, dnameOwner, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-          addDS(dnameOwner, 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        if (domain.isPartOf(dnameTarget)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, dnameTarget, QType::NS, "b.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-          addDS(dnameTarget, 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "b.gtld-servers.net.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-      } else if (ip == ComboAddress("192.0.2.1:53")) {
-        if (domain.countLabels() == 1 && type == QType::DNSKEY) { // powerdns|DNSKEY
-          setLWResult(res, 0, true, false, true);
-          addDNSKEY(keys, domain, 300, res->d_records);
-          addRRSIG(keys, res->d_records, domain, 300);
-          return 1;
-        }
-        if (domain == target && type == QType::DS) { // dname.powerdns|DS
-          return genericDSAndDNSKEYHandler(res, domain, dnameOwner, type, keys);
-        }
-        if (domain == target) {
-          setLWResult(res, 0, true, false, false);
-          addRecordToLW(res, dnameOwner, QType::DNAME, dnameTarget.toString());
-          addRRSIG(keys, res->d_records, dnameOwner, 300);
-          addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString()); // CNAME from a DNAME is not signed
-          return 1;
-        }
-      } else if (ip == ComboAddress("192.0.2.2:53")) {
-        if (domain.countLabels() == 1 && type == QType::DNSKEY) { // example|DNSKEY
-          setLWResult(res, 0, true, false, true);
-          addDNSKEY(keys, domain, 300, res->d_records);
-          addRRSIG(keys, res->d_records, domain, 300);
-          return 1;
-        }
-        if (domain == target && type == QType::DS) { // dname.example|DS
-          return genericDSAndDNSKEYHandler(res, domain, dnameTarget, type, keys);
-        }
-        if (domain == cnameTarget) {
-          setLWResult(res, 0, true, false, false);
-          addRecordToLW(res, domain, QType::A, "192.0.2.2");
-          addRRSIG(keys, res->d_records, dnameTarget, 300);
-        }
-        return 1;
-      }
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 5); /* DNAME + RRSIG(DNAME) + CNAME + A + RRSIG(A) */
-
-  BOOST_CHECK_EQUAL(queries, 11);
-
-  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
-  BOOST_CHECK(ret[0].d_name == dnameOwner);
-  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
-
-  BOOST_REQUIRE(ret[1].d_type == QType::RRSIG);
-  BOOST_CHECK_EQUAL(ret[1].d_name, dnameOwner);
-
-  BOOST_CHECK(ret[2].d_type == QType::CNAME);
-  BOOST_CHECK_EQUAL(ret[2].d_name, target);
-
-  BOOST_CHECK(ret[3].d_type == QType::A);
-  BOOST_CHECK_EQUAL(ret[3].d_name, cnameTarget);
-
-  BOOST_CHECK(ret[4].d_type == QType::RRSIG);
-  BOOST_CHECK_EQUAL(ret[4].d_name, cnameTarget);
-
-  // And the cache
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 5); /* DNAME + RRSIG(DNAME) + CNAME + A + RRSIG(A) */
-
-  BOOST_CHECK_EQUAL(queries, 11);
-
-  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
-  BOOST_CHECK(ret[0].d_name == dnameOwner);
-  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
-
-  BOOST_CHECK(ret[1].d_type == QType::RRSIG);
-  BOOST_CHECK_EQUAL(ret[1].d_name, dnameOwner);
-
-  BOOST_CHECK(ret[2].d_type == QType::CNAME);
-  BOOST_CHECK_EQUAL(ret[2].d_name, target);
-
-  BOOST_CHECK(ret[3].d_type == QType::A);
-  BOOST_CHECK_EQUAL(ret[3].d_name, cnameTarget);
-
-  BOOST_CHECK(ret[4].d_type == QType::RRSIG);
-  BOOST_CHECK_EQUAL(ret[4].d_name, cnameTarget);
-
-}
-
-BOOST_AUTO_TEST_CASE(test_dname_dnssec_insecure) {
-  /*
-   * The DNAME itself is signed, but the final A record is not
-   */
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr, true);
-  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
-
-  primeHints();
-
-  const DNSName dnameOwner("powerdns");
-  const DNSName dnameTarget("example");
-
-  const DNSName target("dname.powerdns");
-  const DNSName cnameTarget("dname.example");
-
-  testkeysset_t keys;
-
-  auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dsAnchors.clear();
-  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
-  generateKeyMaterial(dnameOwner, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
-  g_luaconfs.setState(luaconfsCopy);
-
-  size_t queries = 0;
-
-  sr->setAsyncCallback([dnameOwner, dnameTarget, target, cnameTarget, keys, &queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queries++;
-
-      if (isRootServer(ip)) {
-        if (domain.countLabels() == 0 && type == QType::DNSKEY) { // .|DNSKEY
-          setLWResult(res, 0, true, false, true);
-          addDNSKEY(keys, domain, 300, res->d_records);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          return 1;
-        }
-        if (domain == dnameOwner && type == QType::DS) { // powerdns|DS
-          setLWResult(res, 0, true, false, true);
-          addDS(domain, 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          return 1;
-        }
-        if (domain == dnameTarget && type == QType::DS) { // example|DS
-          return genericDSAndDNSKEYHandler(res, domain, DNSName("."), type, keys);
-        }
-        // For the rest, delegate!
-        if (domain.isPartOf(dnameOwner)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, dnameOwner, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-          addDS(dnameOwner, 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        if (domain.isPartOf(dnameTarget)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, dnameTarget, QType::NS, "b.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-          addDS(dnameTarget, 300, res->d_records, keys);
-          addRRSIG(keys, res->d_records, DNSName("."), 300);
-          addRecordToLW(res, "b.gtld-servers.net.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-      } else if (ip == ComboAddress("192.0.2.1:53")) {
-        if (domain.countLabels() == 1 && type == QType::DNSKEY) { // powerdns|DNSKEY
-          setLWResult(res, 0, true, false, true);
-          addDNSKEY(keys, domain, 300, res->d_records);
-          addRRSIG(keys, res->d_records, domain, 300);
-          return 1;
-        }
-        if (domain == target && type == QType::DS) { // dname.powerdns|DS
-          return genericDSAndDNSKEYHandler(res, domain, dnameOwner, type, keys);
-        }
-        if (domain == target) {
-          setLWResult(res, 0, true, false, false);
-          addRecordToLW(res, dnameOwner, QType::DNAME, dnameTarget.toString());
-          addRRSIG(keys, res->d_records, dnameOwner, 300);
-          addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString()); // CNAME from a DNAME is not signed
-          return 1;
-        }
-      } else if (ip == ComboAddress("192.0.2.2:53")) {
-        if (domain == target && type == QType::DS) { // dname.example|DS
-          return genericDSAndDNSKEYHandler(res, domain, dnameTarget, type, keys);
-        }
-        if (domain == cnameTarget) {
-          setLWResult(res, 0, true, false, false);
-          addRecordToLW(res, domain, QType::A, "192.0.2.2");
-        }
-        return 1;
-      }
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 4); /* DNAME + RRSIG(DNAME) + CNAME + A */
-
-  BOOST_CHECK_EQUAL(queries, 9);
-
-  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
-  BOOST_CHECK(ret[0].d_name == dnameOwner);
-  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
-
-  BOOST_CHECK(ret[1].d_type == QType::RRSIG);
-  BOOST_CHECK_EQUAL(ret[1].d_name, dnameOwner);
-
-  BOOST_CHECK(ret[2].d_type == QType::CNAME);
-  BOOST_CHECK_EQUAL(ret[2].d_name, target);
-
-  BOOST_CHECK(ret[3].d_type == QType::A);
-  BOOST_CHECK_EQUAL(ret[3].d_name, cnameTarget);
-
-  // And the cache
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
-  BOOST_REQUIRE_EQUAL(ret.size(), 4); /* DNAME + RRSIG(DNAME) + CNAME + A */
-
-  BOOST_CHECK_EQUAL(queries, 9);
-
-  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
-  BOOST_CHECK(ret[0].d_name == dnameOwner);
-  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
-
-  BOOST_CHECK(ret[1].d_type == QType::RRSIG);
-  BOOST_CHECK_EQUAL(ret[1].d_name, dnameOwner);
-
-  BOOST_CHECK(ret[2].d_type == QType::CNAME);
-  BOOST_CHECK_EQUAL(ret[2].d_name, target);
-
-  BOOST_CHECK(ret[3].d_type == QType::A);
-  BOOST_CHECK_EQUAL(ret[3].d_name, cnameTarget);
-}
-
-BOOST_AUTO_TEST_CASE(test_dname_processing_no_CNAME) {
-  std::unique_ptr<SyncRes> sr;
-  initSR(sr);
-
-  primeHints();
-
-  const DNSName dnameOwner("powerdns.com");
-  const DNSName dnameTarget("powerdns.net");
-
-  const DNSName target("dname.powerdns.com.");
-  const DNSName cnameTarget("dname.powerdns.net");
-
-  size_t queries = 0;
-
-  sr->setAsyncCallback([dnameOwner, dnameTarget, target, cnameTarget, &queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
-      queries++;
-
-      if (isRootServer(ip)) {
-        if (domain.isPartOf(dnameOwner)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, dnameOwner, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-          addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-        if (domain.isPartOf(dnameTarget)) {
-          setLWResult(res, 0, false, false, true);
-          addRecordToLW(res, dnameTarget, QType::NS, "b.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
-          addRecordToLW(res, "b.gtld-servers.net.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
-          return 1;
-        }
-      } else if (ip == ComboAddress("192.0.2.1:53")) {
-        if (domain == target) {
-          setLWResult(res, 0, true, false, false);
-          addRecordToLW(res, dnameOwner, QType::DNAME, dnameTarget.toString());
-          // No CNAME, recursor should synth
-          return 1;
-        }
-      } else if (ip == ComboAddress("192.0.2.2:53")) {
-        if (domain == cnameTarget) {
-          setLWResult(res, 0, true, false, false);
-          addRecordToLW(res, domain, QType::A, "192.0.2.2");
-        }
-        return 1;
-      }
-      return 0;
-    });
-
-  vector<DNSRecord> ret;
-  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 3);
-
-  BOOST_CHECK_EQUAL(queries, 4);
-
-  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
-  BOOST_CHECK(ret[0].d_name == dnameOwner);
-  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
-
-  BOOST_CHECK(ret[1].d_type == QType::CNAME);
-  BOOST_CHECK_EQUAL(ret[1].d_name, target);
-
-  BOOST_CHECK(ret[2].d_type == QType::A);
-  BOOST_CHECK_EQUAL(ret[2].d_name, cnameTarget);
-
-  // Now check the cache
-  ret.clear();
-  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
-
-  BOOST_CHECK_EQUAL(res, RCode::NoError);
-  BOOST_REQUIRE_EQUAL(ret.size(), 3);
-
-  BOOST_CHECK_EQUAL(queries, 4);
-
-  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
-  BOOST_CHECK(ret[0].d_name == dnameOwner);
-  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
-
-  BOOST_CHECK(ret[1].d_type == QType::CNAME);
-  BOOST_CHECK_EQUAL(ret[1].d_name, target);
-
-  BOOST_CHECK(ret[2].d_type == QType::A);
-  BOOST_CHECK_EQUAL(ret[2].d_name, cnameTarget);
-}
-
-/*
-// cerr<<"asyncresolve called to ask "<<ip.toStringWithPort()<<" about "<<domain.toString()<<" / "<<QType(type).getName()<<" over "<<(doTCP ? "TCP" : "UDP")<<" (rd: "<<sendRDQuery<<", EDNS0 level: "<<EDNS0Level<<")"<<endl;
-
-- check out of band support
-
-- check preoutquery
-
-*/
-
-BOOST_AUTO_TEST_SUITE_END()
diff --git a/pdns/recursordist/test-syncres_cc.hh b/pdns/recursordist/test-syncres_cc.hh
new file mode 100644
index 000000000000..d568a43c5079
--- /dev/null
+++ b/pdns/recursordist/test-syncres_cc.hh
@@ -0,0 +1,81 @@
+/*
+ * This file is part of PowerDNS or dnsdist.
+ * Copyright -- PowerDNS.COM B.V. and its contributors
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * In addition, for the avoidance of any doubt, permission is granted to
+ * link this program with OpenSSL and to (re)distribute the binaries
+ * produced as the result of such linking.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#pragma once
+
+#include "arguments.hh"
+#include "dnssecinfra.hh"
+#include "dnsseckeeper.hh"
+#include "rec-lua-conf.hh"
+#include "syncres.hh"
+#include "test-common.hh"
+#include "validate-recursor.hh"
+
+extern GlobalStateHolder<LuaConfigItems> g_luaconfs;
+
+ArgvMap &arg();
+int getMTaskerTID();
+
+void primeHints(void);
+
+void initSR(bool debug=false);
+void initSR(std::unique_ptr<SyncRes>& sr, bool dnssec=false, bool debug=false, time_t fakeNow=0);
+
+void setDNSSECValidation(std::unique_ptr<SyncRes>& sr, const DNSSECMode& mode);
+
+void setDoQNameMinimisation(void);
+
+void setLWResult(LWResult* res, int rcode, bool aa=false, bool tc=false, bool edns=false, bool validpacket=true);
+
+void addRecordToLW(LWResult* res, const DNSName& name, uint16_t type, const std::string& content, DNSResourceRecord::Place place=DNSResourceRecord::ANSWER, uint32_t ttl=60);
+
+void addRecordToLW(LWResult* res, const std::string& name, uint16_t type, const std::string& content, DNSResourceRecord::Place place=DNSResourceRecord::ANSWER, uint32_t ttl=60);
+
+bool isRootServer(const ComboAddress& ip);
+
+
+void computeRRSIG(const DNSSECPrivateKey& dpk, const DNSName& signer, const DNSName& signQName, uint16_t signQType, uint32_t signTTL, uint32_t sigValidity, RRSIGRecordContent& rrc, vector<shared_ptr<DNSRecordContent> >& toSign, boost::optional<uint8_t> algo=boost::none, boost::optional<uint32_t> inception=boost::none, boost::optional<time_t> now=boost::none);
+
+typedef std::unordered_map<DNSName, std::pair<DNSSECPrivateKey, DSRecordContent> > testkeysset_t;
+
+bool addRRSIG(const testkeysset_t& keys, std::vector<DNSRecord>& records, const DNSName& signer, uint32_t sigValidity, bool broken=false, boost::optional<uint8_t> algo=boost::none, boost::optional<DNSName> wildcard=boost::none, boost::optional<time_t> now=boost::none);
+
+
+void addDNSKEY(const testkeysset_t& keys, const DNSName& signer, uint32_t ttl, std::vector<DNSRecord>& records);
+
+bool addDS(const DNSName& domain, uint32_t ttl, std::vector<DNSRecord>& records, const testkeysset_t& keys, DNSResourceRecord::Place place=DNSResourceRecord::AUTHORITY);
+
+void addNSECRecordToLW(const DNSName& domain, const DNSName& next, const std::set<uint16_t>& types,  uint32_t ttl, std::vector<DNSRecord>& records);
+
+void addNSEC3RecordToLW(const DNSName& hashedName, const std::string& hashedNext, const std::string& salt, unsigned int iterations, const std::set<uint16_t>& types,  uint32_t ttl, std::vector<DNSRecord>& records);
+
+void addNSEC3UnhashedRecordToLW(const DNSName& domain, const DNSName& zone, const std::string& next, const std::set<uint16_t>& types,  uint32_t ttl, std::vector<DNSRecord>& records, unsigned int iterations=10);
+
+void addNSEC3NarrowRecordToLW(const DNSName& domain, const DNSName& zone, const std::set<uint16_t>& types,  uint32_t ttl, std::vector<DNSRecord>& records, unsigned int iterations=10);
+
+void generateKeyMaterial(const DNSName& name, unsigned int algo, uint8_t digest, testkeysset_t& keys);
+
+void generateKeyMaterial(const DNSName& name, unsigned int algo, uint8_t digest, testkeysset_t& keys, map<DNSName,dsmap_t>& dsAnchors);
+
+int genericDSAndDNSKEYHandler(LWResult* res, const DNSName& domain, DNSName auth, int type, const testkeysset_t& keys, bool proveCut=true);
+
+int basicRecordsForQnameMinimisation(LWResult* res, const DNSName& domain, int type);
+
diff --git a/pdns/recursordist/test-syncres_cc1.cc b/pdns/recursordist/test-syncres_cc1.cc
new file mode 100644
index 000000000000..37c63940e24d
--- /dev/null
+++ b/pdns/recursordist/test-syncres_cc1.cc
@@ -0,0 +1,1708 @@
+#define BOOST_TEST_DYN_LINK
+#include <boost/test/unit_test.hpp>
+
+#include "test-syncres_cc.hh"
+
+BOOST_AUTO_TEST_SUITE(syncres_cc1)
+
+BOOST_AUTO_TEST_CASE(test_root_primed) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("a.root-servers.net.");
+
+  /* we are primed, we should be able to resolve A a.root-servers.net. without any query */
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[0].d_name, target);
+
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::AAAA), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::AAAA);
+  BOOST_CHECK_EQUAL(ret[0].d_name, target);
+}
+
+BOOST_AUTO_TEST_CASE(test_root_primed_ns) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+  const DNSName target(".");
+
+  /* we are primed, but we should not be able to NS . without any query
+   because the . NS entry is not stored as authoritative */
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (domain == target && type == QType::NS) {
+
+        setLWResult(res, 0, true, false, true);
+        char addr[] = "a.root-servers.net.";
+        for (char idx = 'a'; idx <= 'm'; idx++) {
+          addr[0] = idx;
+          addRecordToLW(res, g_rootdnsname, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);
+        }
+
+        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
+        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 13);
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_root_not_primed) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (domain == g_rootdnsname && type == QType::NS) {
+        setLWResult(res, 0, true, false, true);
+        addRecordToLW(res, g_rootdnsname, QType::NS, "a.root-servers.net.", DNSResourceRecord::ANSWER, 3600);
+        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
+        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  /* we are not primed yet, so SyncRes will have to call primeHints()
+     then call getRootNS(), for which at least one of the root servers needs to answer */
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(DNSName("."), QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+  BOOST_CHECK_EQUAL(queriesCount, 2);
+}
+
+BOOST_AUTO_TEST_CASE(test_root_not_primed_and_no_response) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+  std::set<ComboAddress> downServers;
+
+  /* we are not primed yet, so SyncRes will have to call primeHints()
+     then call getRootNS(), for which at least one of the root servers needs to answer.
+     None will, so it should ServFail.
+  */
+  sr->setAsyncCallback([&downServers](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      downServers.insert(ip);
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(DNSName("."), QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::ServFail);
+  BOOST_CHECK_EQUAL(ret.size(), 0);
+  BOOST_CHECK(downServers.size() > 0);
+  /* we explicitly refuse to mark the root servers down */
+  for (const auto& server : downServers) {
+    BOOST_CHECK_EQUAL(SyncRes::getServerFailsCount(server), 0);
+  }
+}
+
+static void test_edns_formerr_fallback_f(bool sample) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+  if (sample) {
+    setDoQNameMinimisation();
+  }
+  ComboAddress noEDNSServer;
+  size_t queriesWithEDNS = 0;
+  size_t queriesWithoutEDNS = 0;
+
+  sr->setAsyncCallback([&queriesWithEDNS, &queriesWithoutEDNS, &noEDNSServer, sample](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      if (EDNS0Level != 0) {
+        queriesWithEDNS++;
+        noEDNSServer = ip;
+
+        setLWResult(res, RCode::FormErr);
+        return 1;
+      }
+
+      queriesWithoutEDNS++;
+
+      if (domain == DNSName("powerdns.com") && type == QType::A && !doTCP) {
+        setLWResult(res, 0, true, false, false);
+        addRecordToLW(res, domain, QType::A, "192.0.2.1");
+        return 1;
+      }
+
+      return sample ? basicRecordsForQnameMinimisation(res, domain, type) : 0;
+    });
+
+  primeHints();
+
+  /* fake that the root NS doesn't handle EDNS, check that we fallback */
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(DNSName("powerdns.com."), QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+  BOOST_CHECK_EQUAL(queriesWithEDNS, sample ? 3 : 1);
+  BOOST_CHECK_EQUAL(queriesWithoutEDNS, sample ? 4 : 1);
+  BOOST_CHECK_EQUAL(SyncRes::getEDNSStatusesSize(), sample ? 3 : 1);
+  BOOST_CHECK_EQUAL(SyncRes::getEDNSStatus(noEDNSServer), SyncRes::EDNSStatus::NOEDNS);
+}
+
+BOOST_AUTO_TEST_CASE(test_edns_formerr_fallback) {
+  test_edns_formerr_fallback_f(false);
+}
+
+BOOST_AUTO_TEST_CASE(test_edns_formerr_fallback_qmin) {
+  // DISABLED UNTIL QNAME MINIMIZATON IS THERE
+  return;
+  test_edns_formerr_fallback_f(true);
+}
+
+BOOST_AUTO_TEST_CASE(test_edns_formerr_but_edns_enabled) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  /* in this test, the auth answers with FormErr to an EDNS-enabled
+     query, but the response does contain EDNS so we should not mark
+     it as EDNS ignorant or intolerant.
+  */
+  size_t queriesWithEDNS = 0;
+  size_t queriesWithoutEDNS = 0;
+  std::set<ComboAddress> usedServers;
+
+  sr->setAsyncCallback([&queriesWithEDNS, &queriesWithoutEDNS, &usedServers](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (EDNS0Level > 0) {
+        queriesWithEDNS++;
+      }
+      else {
+        queriesWithoutEDNS++;
+      }
+      usedServers.insert(ip);
+
+      if (type == QType::DNAME) {
+        setLWResult(res, RCode::FormErr);
+        if (EDNS0Level > 0) {
+          res->d_haveEDNS = true;
+        }
+        return 1;
+      }
+
+      return 0;
+    });
+
+  primeHints();
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(DNSName("powerdns.com."), QType(QType::DNAME), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::ServFail);
+  BOOST_CHECK_EQUAL(ret.size(), 0);
+  BOOST_CHECK_EQUAL(queriesWithEDNS, 26);
+  BOOST_CHECK_EQUAL(queriesWithoutEDNS, 0);
+  BOOST_CHECK_EQUAL(SyncRes::getEDNSStatusesSize(), 26);
+  BOOST_CHECK_EQUAL(usedServers.size(), 26);
+  for (const auto& server : usedServers) {
+    BOOST_CHECK_EQUAL(SyncRes::getEDNSStatus(server), SyncRes::EDNSStatus::EDNSOK);
+  }
+}
+
+BOOST_AUTO_TEST_CASE(test_meta_types) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  static const std::set<uint16_t> invalidTypes = { 128, QType::AXFR, QType::IXFR, QType::RRSIG, QType::NSEC3, QType::OPT, QType::TSIG, QType::TKEY, QType::MAILA, QType::MAILB, 65535 };
+
+  for (const auto qtype : invalidTypes) {
+    size_t queriesCount = 0;
+
+    sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      queriesCount++;
+      return 0;
+    });
+
+    primeHints();
+
+    vector<DNSRecord> ret;
+    int res = sr->beginResolve(DNSName("powerdns.com."), QType(qtype), QClass::IN, ret);
+    BOOST_CHECK_EQUAL(res, -1);
+    BOOST_CHECK_EQUAL(ret.size(), 0);
+    BOOST_CHECK_EQUAL(queriesCount, 0);
+  }
+}
+
+BOOST_AUTO_TEST_CASE(test_tc_fallback_to_tcp) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  sr->setAsyncCallback([](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      if (!doTCP) {
+        setLWResult(res, 0, false, true, false);
+        return 1;
+      }
+      if (domain == DNSName("powerdns.com") && type == QType::A && doTCP) {
+        setLWResult(res, 0, true, false, false);
+        addRecordToLW(res, domain, QType::A, "192.0.2.1");
+        return 1;
+      }
+
+      return 0;
+    });
+
+  primeHints();
+
+  /* fake that the NS truncates every request over UDP, we should fallback to TCP */
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(DNSName("powerdns.com."), QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+}
+
+BOOST_AUTO_TEST_CASE(test_tc_over_tcp) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  size_t tcpQueriesCount = 0;
+
+  sr->setAsyncCallback([&tcpQueriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      if (!doTCP) {
+        setLWResult(res, 0, true, true, false);
+        return 1;
+      }
+
+      /* first TCP query is answered with a TC response */
+      tcpQueriesCount++;
+      if (tcpQueriesCount == 1) {
+        setLWResult(res, 0, true, true, false);
+      }
+      else {
+        setLWResult(res, 0, true, false, false);
+      }
+
+      addRecordToLW(res, domain, QType::A, "192.0.2.1");
+      return 1;
+    });
+
+  primeHints();
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(DNSName("powerdns.com."), QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(tcpQueriesCount, 2);
+}
+
+BOOST_AUTO_TEST_CASE(test_all_nss_down) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+  std::set<ComboAddress> downServers;
+
+  primeHints();
+
+  sr->setAsyncCallback([&downServers](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::AAAA, "2001:DB8::1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      }
+      else if (ip == ComboAddress("192.0.2.1:53") || ip == ComboAddress("[2001:DB8::1]:53")) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns2.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 172800);
+        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::AAAA, "2001:DB8::2", DNSResourceRecord::ADDITIONAL, 172800);
+        addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::A, "192.0.2.3", DNSResourceRecord::ADDITIONAL, 172800);
+        addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::AAAA, "2001:DB8::3", DNSResourceRecord::ADDITIONAL, 172800);
+        return 1;
+      }
+      else {
+        downServers.insert(ip);
+        return 0;
+      }
+    });
+
+  DNSName target("powerdns.com.");
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::ServFail);
+  BOOST_CHECK_EQUAL(ret.size(), 0);
+  BOOST_CHECK_EQUAL(downServers.size(), 4);
+
+  time_t now = sr->getNow().tv_sec;
+  for (const auto& server : downServers) {
+    BOOST_CHECK_EQUAL(SyncRes::getServerFailsCount(server), 1);
+    BOOST_CHECK(SyncRes::isThrottled(now, server, target, QType::A));
+  }
+}
+
+BOOST_AUTO_TEST_CASE(test_all_nss_network_error) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+  std::set<ComboAddress> downServers;
+
+  primeHints();
+
+  sr->setAsyncCallback([&downServers](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::AAAA, "2001:DB8::1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      }
+      else if (ip == ComboAddress("192.0.2.1:53") || ip == ComboAddress("[2001:DB8::1]:53")) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns2.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 172800);
+        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::AAAA, "2001:DB8::2", DNSResourceRecord::ADDITIONAL, 172800);
+        addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::A, "192.0.2.3", DNSResourceRecord::ADDITIONAL, 172800);
+        addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::AAAA, "2001:DB8::3", DNSResourceRecord::ADDITIONAL, 172800);
+        return 1;
+      }
+      else {
+        downServers.insert(ip);
+        return 0;
+      }
+    });
+
+  /* exact same test than the previous one, except instead of a time out we fake a network error */
+  DNSName target("powerdns.com.");
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::ServFail);
+  BOOST_CHECK_EQUAL(ret.size(), 0);
+  BOOST_CHECK_EQUAL(downServers.size(), 4);
+
+  time_t now = sr->getNow().tv_sec;
+  for (const auto& server : downServers) {
+    BOOST_CHECK_EQUAL(SyncRes::getServerFailsCount(server), 1);
+    BOOST_CHECK(SyncRes::isThrottled(now, server, target, QType::A));
+  }
+}
+
+BOOST_AUTO_TEST_CASE(test_only_one_ns_up_resolving_itself_with_glue) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  DNSName target("www.powerdns.com.");
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        if (domain == target) {
+          addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
+          addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns2.powerdns.net.", DNSResourceRecord::AUTHORITY, 172800);
+          addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 172800);
+          addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::AAAA, "2001:DB8::2", DNSResourceRecord::ADDITIONAL, 172800);
+        }
+        else if (domain == DNSName("pdns-public-ns2.powerdns.net.")) {
+          addRecordToLW(res, "powerdns.net.", QType::NS, "pdns-public-ns2.powerdns.net.", DNSResourceRecord::AUTHORITY, 172800);
+          addRecordToLW(res, "powerdns.net.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
+          addRecordToLW(res, "pdns-public-ns2.powerdns.net.", QType::A, "192.0.2.3", DNSResourceRecord::ADDITIONAL, 172800);
+          addRecordToLW(res, "pdns-public-ns2.powerdns.net.", QType::AAAA, "2001:DB8::3", DNSResourceRecord::ADDITIONAL, 172800);
+        }
+        return 1;
+      }
+      else if (ip == ComboAddress("192.0.2.3:53")) {
+        setLWResult(res, 0, true, false, true);
+        if (domain == DNSName("pdns-public-ns2.powerdns.net.")) {
+          if (type == QType::A) {
+            addRecordToLW(res, "pdns-public-ns2.powerdns.net.", QType::A, "192.0.2.3");
+          }
+          else if (type == QType::AAAA) {
+            addRecordToLW(res, "pdns-public-ns2.powerdns.net.", QType::AAAA, "2001:DB8::3");
+          }
+        }
+        else if (domain == target) {
+          if (type == QType::A) {
+            addRecordToLW(res, domain, QType::A, "192.0.2.1");
+          }
+          else if (type == QType::AAAA) {
+            addRecordToLW(res, domain, QType::AAAA, "2001:DB8::1");
+          }
+        }
+        return 1;
+      }
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_os_limit_errors) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+  std::set<ComboAddress> downServers;
+
+  primeHints();
+
+  sr->setAsyncCallback([&downServers](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::AAAA, "2001:DB8::1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      }
+      else if (ip == ComboAddress("192.0.2.1:53") || ip == ComboAddress("[2001:DB8::1]:53")) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns2.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 172800);
+        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::AAAA, "2001:DB8::2", DNSResourceRecord::ADDITIONAL, 172800);
+        addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::A, "192.0.2.3", DNSResourceRecord::ADDITIONAL, 172800);
+        addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::AAAA, "2001:DB8::3", DNSResourceRecord::ADDITIONAL, 172800);
+        return 1;
+      }
+      else {
+        if (downServers.size() < 3) {
+          /* only the last one will answer */
+          downServers.insert(ip);
+          return -2;
+        }
+        else {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, "powerdns.com.", QType::A, "192.0.2.42");
+          return 1;
+        }
+      }
+    });
+
+  DNSName target("powerdns.com.");
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+  BOOST_CHECK_EQUAL(downServers.size(), 3);
+
+  /* Error is reported as "OS limit error" (-2) so the servers should _NOT_ be marked down */
+  time_t now = sr->getNow().tv_sec;
+  for (const auto& server : downServers) {
+    BOOST_CHECK_EQUAL(SyncRes::getServerFailsCount(server), 0);
+    BOOST_CHECK(!SyncRes::isThrottled(now, server, target, QType::A));
+  }
+}
+
+BOOST_AUTO_TEST_CASE(test_glued_referral) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      /* this will cause issue with qname minimization if we ever implement it */
+      if (domain != target) {
+        return 0;
+      }
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::AAAA, "2001:DB8::1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      }
+      else if (ip == ComboAddress("192.0.2.1:53") || ip == ComboAddress("[2001:DB8::1]:53")) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns2.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 172800);
+        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::AAAA, "2001:DB8::2", DNSResourceRecord::ADDITIONAL, 172800);
+        addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::A, "192.0.2.3", DNSResourceRecord::ADDITIONAL, 172800);
+        addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::AAAA, "2001:DB8::3", DNSResourceRecord::ADDITIONAL, 172800);
+        return 1;
+      }
+      else if (ip == ComboAddress("192.0.2.2:53") || ip == ComboAddress("192.0.2.3:53") || ip == ComboAddress("[2001:DB8::2]:53") || ip == ComboAddress("[2001:DB8::3]:53")) {
+        setLWResult(res, 0, true, false, true);
+        addRecordToLW(res, target, QType::A, "192.0.2.4");
+        return 1;
+      }
+      else {
+        return 0;
+      }
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[0].d_name, target);
+}
+
+BOOST_AUTO_TEST_CASE(test_glueless_referral) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+
+        if (domain.isPartOf(DNSName("com."))) {
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        } else if (domain.isPartOf(DNSName("org."))) {
+          addRecordToLW(res, "org.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        }
+        else {
+          setLWResult(res, RCode::NXDomain, false, false, true);
+          return 1;
+        }
+
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::AAAA, "2001:DB8::1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      }
+      else if (ip == ComboAddress("192.0.2.1:53") || ip == ComboAddress("[2001:DB8::1]:53")) {
+        if (domain == target) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800);
+          addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns2.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800);
+          return 1;
+        }
+        else if (domain == DNSName("pdns-public-ns1.powerdns.org.")) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, "pdns-public-ns1.powerdns.org.", QType::A, "192.0.2.2");
+          addRecordToLW(res, "pdns-public-ns1.powerdns.org.", QType::AAAA, "2001:DB8::2");
+          return 1;
+        }
+        else if (domain == DNSName("pdns-public-ns2.powerdns.org.")) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, "pdns-public-ns2.powerdns.org.", QType::A, "192.0.2.3");
+          addRecordToLW(res, "pdns-public-ns2.powerdns.org.", QType::AAAA, "2001:DB8::3");
+          return 1;
+        }
+
+        setLWResult(res, RCode::NXDomain, false, false, true);
+        return 1;
+      }
+      else if (ip == ComboAddress("192.0.2.2:53") || ip == ComboAddress("192.0.2.3:53") || ip == ComboAddress("[2001:DB8::2]:53") || ip == ComboAddress("[2001:DB8::3]:53")) {
+        setLWResult(res, 0, true, false, true);
+        addRecordToLW(res, target, QType::A, "192.0.2.4");
+        return 1;
+      }
+      else {
+        return 0;
+      }
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[0].d_name, target);
+}
+
+BOOST_AUTO_TEST_CASE(test_edns_subnet_by_domain) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+  SyncRes::addEDNSDomain(target);
+
+  EDNSSubnetOpts incomingECS;
+  incomingECS.source = Netmask("192.0.2.128/32");
+  sr->setQuerySource(ComboAddress(), boost::optional<const EDNSSubnetOpts&>(incomingECS));
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      BOOST_REQUIRE(srcmask);
+      BOOST_CHECK_EQUAL(srcmask->toString(), "192.0.2.0/24");
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+
+        /* this one did not use the ECS info */
+        srcmask = boost::none;
+
+        return 1;
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+
+        setLWResult(res, 0, true, false, false);
+        addRecordToLW(res, domain, QType::A, "192.0.2.2");
+
+        /* this one did, but only up to a precision of /16, not the full /24 */
+        srcmask = Netmask("192.0.0.0/16");
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  SyncRes::s_ecsqueries = 0;
+  SyncRes::s_ecsresponses = 0;
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[0].d_name, target);
+  BOOST_CHECK_EQUAL(SyncRes::s_ecsqueries, 2);
+  BOOST_CHECK_EQUAL(SyncRes::s_ecsresponses, 1);
+  for (const auto& entry : SyncRes::s_ecsResponsesBySubnetSize4) {
+    BOOST_CHECK_EQUAL(entry.second, entry.first == 15 ? 1 : 0);
+  }
+  for (const auto& entry : SyncRes::s_ecsResponsesBySubnetSize6) {
+    BOOST_CHECK_EQUAL(entry.second, 0);
+  }
+}
+
+BOOST_AUTO_TEST_CASE(test_edns_subnet_by_addr) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+  SyncRes::addEDNSRemoteSubnet("192.0.2.1/32");
+
+  EDNSSubnetOpts incomingECS;
+  incomingECS.source = Netmask("2001:DB8::FF/128");
+  sr->setQuerySource(ComboAddress(), boost::optional<const EDNSSubnetOpts&>(incomingECS));
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+        BOOST_REQUIRE(!srcmask);
+
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+
+        BOOST_REQUIRE(srcmask);
+        BOOST_CHECK_EQUAL(srcmask->toString(), "2001:db8::/56");
+
+        setLWResult(res, 0, true, false, false);
+        addRecordToLW(res, domain, QType::A, "192.0.2.2");
+        return 1;
+      }
+
+      return 0;
+    });
+
+  SyncRes::s_ecsqueries = 0;
+  SyncRes::s_ecsresponses = 0;
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[0].d_name, target);
+  BOOST_CHECK_EQUAL(SyncRes::s_ecsqueries, 1);
+  BOOST_CHECK_EQUAL(SyncRes::s_ecsresponses, 1);
+  for (const auto& entry : SyncRes::s_ecsResponsesBySubnetSize4) {
+    BOOST_CHECK_EQUAL(entry.second, 0);
+  }
+  for (const auto& entry : SyncRes::s_ecsResponsesBySubnetSize6) {
+    BOOST_CHECK_EQUAL(entry.second, entry.first == 55 ? 1 : 0);
+  }
+}
+
+BOOST_AUTO_TEST_CASE(test_ecs_use_requestor) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+  SyncRes::addEDNSRemoteSubnet("192.0.2.1/32");
+  // No incoming ECS data
+  sr->setQuerySource(ComboAddress("192.0.2.127"), boost::none);
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+        BOOST_REQUIRE(!srcmask);
+
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+
+        BOOST_REQUIRE(srcmask);
+        BOOST_CHECK_EQUAL(srcmask->toString(), "192.0.2.0/24");
+
+        setLWResult(res, 0, true, false, false);
+        addRecordToLW(res, domain, QType::A, "192.0.2.2");
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[0].d_name, target);
+}
+
+BOOST_AUTO_TEST_CASE(test_ecs_use_scope_zero) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+  SyncRes::addEDNSRemoteSubnet("192.0.2.1/32");
+  SyncRes::clearEDNSLocalSubnets();
+  SyncRes::addEDNSLocalSubnet("192.0.2.254/32");
+  // No incoming ECS data, Requestor IP not in ecs-add-for
+  sr->setQuerySource(ComboAddress("192.0.2.127"), boost::none);
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+        BOOST_REQUIRE(!srcmask);
+
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+
+        BOOST_REQUIRE(srcmask);
+        BOOST_CHECK_EQUAL(srcmask->toString(), "127.0.0.1/32");
+
+        setLWResult(res, 0, true, false, false);
+        addRecordToLW(res, domain, QType::A, "192.0.2.2");
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[0].d_name, target);
+}
+
+BOOST_AUTO_TEST_CASE(test_ecs_honor_incoming_mask) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+  SyncRes::addEDNSRemoteSubnet("192.0.2.1/32");
+  SyncRes::clearEDNSLocalSubnets();
+  SyncRes::addEDNSLocalSubnet("192.0.2.254/32");
+  EDNSSubnetOpts incomingECS;
+  incomingECS.source = Netmask("192.0.0.0/16");
+  sr->setQuerySource(ComboAddress("192.0.2.127"), boost::optional<const EDNSSubnetOpts&>(incomingECS));
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+        BOOST_REQUIRE(!srcmask);
+
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+
+        BOOST_REQUIRE(srcmask);
+        BOOST_CHECK_EQUAL(srcmask->toString(), "192.0.0.0/16");
+
+        setLWResult(res, 0, true, false, false);
+        addRecordToLW(res, domain, QType::A, "192.0.2.2");
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[0].d_name, target);
+}
+
+BOOST_AUTO_TEST_CASE(test_ecs_honor_incoming_mask_zero) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+  SyncRes::addEDNSRemoteSubnet("192.0.2.1/32");
+  SyncRes::clearEDNSLocalSubnets();
+  SyncRes::addEDNSLocalSubnet("192.0.2.254/32");
+  EDNSSubnetOpts incomingECS;
+  incomingECS.source = Netmask("0.0.0.0/0");
+  sr->setQuerySource(ComboAddress("192.0.2.127"), boost::optional<const EDNSSubnetOpts&>(incomingECS));
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+        BOOST_REQUIRE(!srcmask);
+
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+
+        BOOST_REQUIRE(srcmask);
+        BOOST_CHECK_EQUAL(srcmask->toString(), "127.0.0.1/32");
+
+        setLWResult(res, 0, true, false, false);
+        addRecordToLW(res, domain, QType::A, "192.0.2.2");
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[0].d_name, target);
+}
+
+BOOST_AUTO_TEST_CASE(test_following_cname) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("cname.powerdns.com.");
+  const DNSName cnameTarget("cname-target.powerdns.com");
+
+  sr->setAsyncCallback([target, cnameTarget](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+
+        if (domain == target) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString());
+          return 1;
+        }
+        else if (domain == cnameTarget) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, domain, QType::A, "192.0.2.2");
+        }
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK(ret[0].d_type == QType::CNAME);
+  BOOST_CHECK_EQUAL(ret[0].d_name, target);
+  BOOST_CHECK(ret[1].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[1].d_name, cnameTarget);
+}
+
+BOOST_AUTO_TEST_CASE(test_cname_nxdomain) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("cname.powerdns.com.");
+  const DNSName cnameTarget("cname-target.powerdns.com");
+
+  sr->setAsyncCallback([target, cnameTarget](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, "powerdns.com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+
+        if (domain == target) {
+          setLWResult(res, RCode::NXDomain, true, false, false);
+          addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString());
+          addRecordToLW(res, "powerdns.com.", QType::SOA, "a.powerdns.com. nstld.verisign-grs.com. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+        } else if (domain == cnameTarget) {
+          setLWResult(res, RCode::NXDomain, true, false, false);
+          addRecordToLW(res, "powerdns.com.", QType::SOA, "a.powerdns.com. nstld.verisign-grs.com. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+          return 1;
+        }
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK(ret[0].d_type == QType::CNAME);
+  BOOST_CHECK_EQUAL(ret[0].d_name, target);
+  BOOST_CHECK(ret[1].d_type == QType::SOA);
+
+  /* a second time, to check the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK(ret[0].d_type == QType::CNAME);
+  BOOST_CHECK_EQUAL(ret[0].d_name, target);
+  BOOST_CHECK(ret[1].d_type == QType::SOA);
+}
+
+BOOST_AUTO_TEST_CASE(test_included_poisonous_cname) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  /* In this test we directly get the NS server for cname.powerdns.com.,
+     and we don't know whether it's also authoritative for
+     cname-target.powerdns.com or powerdns.com, so we shouldn't accept
+     the additional A record for cname-target.powerdns.com. */
+  const DNSName target("cname.powerdns.com.");
+  const DNSName cnameTarget("cname-target.powerdns.com");
+
+  sr->setAsyncCallback([target, cnameTarget](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+
+        setLWResult(res, 0, false, false, true);
+
+        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+
+        if (domain == target) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString());
+          addRecordToLW(res, cnameTarget, QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL);
+          return 1;
+        } else if (domain == cnameTarget) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, cnameTarget, QType::A, "192.0.2.3");
+          return 1;
+        }
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_REQUIRE(ret[0].d_type == QType::CNAME);
+  BOOST_CHECK_EQUAL(ret[0].d_name, target);
+  BOOST_CHECK_EQUAL(getRR<CNAMERecordContent>(ret[0])->getTarget(), cnameTarget);
+  BOOST_REQUIRE(ret[1].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[1].d_name, cnameTarget);
+  BOOST_CHECK(getRR<ARecordContent>(ret[1])->getCA() == ComboAddress("192.0.2.3"));
+}
+
+BOOST_AUTO_TEST_CASE(test_cname_loop) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  size_t count = 0;
+  const DNSName target("cname.powerdns.com.");
+
+  sr->setAsyncCallback([target,&count](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      count++;
+
+      if (isRootServer(ip)) {
+
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+
+        if (domain == target) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, domain, QType::CNAME, domain.toString());
+          return 1;
+        }
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::ServFail);
+  BOOST_CHECK_GT(ret.size(), 0);
+  BOOST_CHECK_EQUAL(count, 2);
+}
+
+BOOST_AUTO_TEST_CASE(test_cname_depth) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  size_t depth = 0;
+  const DNSName target("cname.powerdns.com.");
+
+  sr->setAsyncCallback([target,&depth](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+
+        setLWResult(res, 0, true, false, false);
+        addRecordToLW(res, domain, QType::CNAME, std::to_string(depth) + "-cname.powerdns.com");
+        depth++;
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::ServFail);
+  BOOST_CHECK_EQUAL(ret.size(), depth);
+  /* we have an arbitrary limit at 10 when following a CNAME chain */
+  BOOST_CHECK_EQUAL(depth, 10 + 2);
+}
+
+BOOST_AUTO_TEST_CASE(test_time_limit) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  size_t queries = 0;
+  const DNSName target("cname.powerdns.com.");
+
+  sr->setAsyncCallback([target,&queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      queries++;
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        /* Pretend that this query took 2000 ms */
+        res->d_usec = 2000;
+
+        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+
+        setLWResult(res, 0, true, false, false);
+        addRecordToLW(res, domain, QType::A, "192.0.2.2");
+        return 1;
+      }
+
+      return 0;
+    });
+
+  /* Set the maximum time to 1 ms */
+  SyncRes::s_maxtotusec = 1000;
+
+  try {
+    vector<DNSRecord> ret;
+    sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+    BOOST_CHECK(false);
+  }
+  catch(const ImmediateServFailException& e) {
+  }
+  BOOST_CHECK_EQUAL(queries, 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_dname_processing) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName dnameOwner("powerdns.com");
+  const DNSName dnameTarget("powerdns.net");
+
+  const DNSName target("dname.powerdns.com.");
+  const DNSName cnameTarget("dname.powerdns.net");
+
+  const DNSName uncachedTarget("dname-uncached.powerdns.com.");
+  const DNSName uncachedCNAMETarget("dname-uncached.powerdns.net.");
+
+  const DNSName synthCNAME("cname-uncached.powerdns.com.");
+  const DNSName synthCNAMETarget("cname-uncached.powerdns.net.");
+
+  size_t queries = 0;
+
+  sr->setAsyncCallback([dnameOwner, dnameTarget, target, cnameTarget, uncachedTarget, uncachedCNAMETarget, &queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queries++;
+
+      if (isRootServer(ip)) {
+        if (domain.isPartOf(dnameOwner)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, dnameOwner, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+          addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        if (domain.isPartOf(dnameTarget)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, dnameTarget, QType::NS, "b.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+          addRecordToLW(res, "b.gtld-servers.net.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+        if (domain == target) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, dnameOwner, QType::DNAME, dnameTarget.toString());
+          addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString());
+          return 1;
+        }
+      } else if (ip == ComboAddress("192.0.2.2:53")) {
+        if (domain == cnameTarget) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, domain, QType::A, "192.0.2.2");
+        }
+        if (domain == uncachedCNAMETarget) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, domain, QType::A, "192.0.2.3");
+        }
+        return 1;
+      }
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 3);
+
+  BOOST_CHECK_EQUAL(queries, 4);
+
+  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
+  BOOST_CHECK(ret[0].d_name == dnameOwner);
+  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+  BOOST_CHECK(ret[1].d_type == QType::CNAME);
+  BOOST_CHECK_EQUAL(ret[1].d_name, target);
+
+  BOOST_CHECK(ret[2].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[2].d_name, cnameTarget);
+
+  // Now check the cache
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 3);
+
+  BOOST_CHECK_EQUAL(queries, 4);
+
+  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
+  BOOST_CHECK(ret[0].d_name == dnameOwner);
+  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+  BOOST_CHECK(ret[1].d_type == QType::CNAME);
+  BOOST_CHECK_EQUAL(ret[1].d_name, target);
+
+  BOOST_CHECK(ret[2].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[2].d_name, cnameTarget);
+
+  // Check if we correctly return a synthesizd CNAME, should send out just 1 more query
+  ret.clear();
+  res = sr->beginResolve(uncachedTarget, QType(QType::A), QClass::IN, ret);
+
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(queries, 5);
+
+  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
+  BOOST_CHECK(ret[0].d_name == dnameOwner);
+  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+  BOOST_REQUIRE(ret[1].d_type == QType::CNAME);
+  BOOST_CHECK_EQUAL(ret[1].d_name, uncachedTarget);
+  BOOST_CHECK_EQUAL(getRR<CNAMERecordContent>(ret[1])->getTarget(), uncachedCNAMETarget);
+
+  BOOST_CHECK(ret[2].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[2].d_name, uncachedCNAMETarget);
+
+  // Check if we correctly return the DNAME from cache when asked
+  ret.clear();
+  res = sr->beginResolve(dnameOwner, QType(QType::DNAME), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(queries, 5);
+
+  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
+  BOOST_CHECK(ret[0].d_name == dnameOwner);
+  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+  // Check if we correctly return the synthesized CNAME from cache when asked
+  ret.clear();
+  res = sr->beginResolve(synthCNAME, QType(QType::CNAME), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(queries, 5);
+
+  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
+  BOOST_CHECK(ret[0].d_name == dnameOwner);
+  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+  BOOST_REQUIRE(ret[1].d_type == QType::CNAME);
+  BOOST_CHECK(ret[1].d_name == synthCNAME);
+  BOOST_CHECK_EQUAL(getRR<CNAMERecordContent>(ret[1])->getTarget(), synthCNAMETarget);
+}
+
+BOOST_AUTO_TEST_CASE(test_dname_dnssec_secure) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+
+  const DNSName dnameOwner("powerdns");
+  const DNSName dnameTarget("example");
+
+  const DNSName target("dname.powerdns");
+  const DNSName cnameTarget("dname.example");
+
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(dnameOwner, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(dnameTarget, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queries = 0;
+
+  sr->setAsyncCallback([dnameOwner, dnameTarget, target, cnameTarget, keys, &queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queries++;
+      /* We don't use the genericDSAndDNSKEYHandler here, as it would deny names existing at the wrong level of the tree, due to the way computeZoneCuts works
+       * As such, we need to do some more work to make the answers correct.
+       */
+
+      if (isRootServer(ip)) {
+        if (domain.countLabels() == 0 && type == QType::DNSKEY) { // .|DNSKEY
+          setLWResult(res, 0, true, false, true);
+          addDNSKEY(keys, domain, 300, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          return 1;
+        }
+        if (domain.countLabels() == 1 && type == QType::DS) { // powerdns|DS or example|DS
+          setLWResult(res, 0, true, false, true);
+          addDS(domain, 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          return 1;
+        }
+        // For the rest, delegate!
+        if (domain.isPartOf(dnameOwner)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, dnameOwner, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+          addDS(dnameOwner, 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        if (domain.isPartOf(dnameTarget)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, dnameTarget, QType::NS, "b.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+          addDS(dnameTarget, 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "b.gtld-servers.net.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+        if (domain.countLabels() == 1 && type == QType::DNSKEY) { // powerdns|DNSKEY
+          setLWResult(res, 0, true, false, true);
+          addDNSKEY(keys, domain, 300, res->d_records);
+          addRRSIG(keys, res->d_records, domain, 300);
+          return 1;
+        }
+        if (domain == target && type == QType::DS) { // dname.powerdns|DS
+          return genericDSAndDNSKEYHandler(res, domain, dnameOwner, type, keys);
+        }
+        if (domain == target) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, dnameOwner, QType::DNAME, dnameTarget.toString());
+          addRRSIG(keys, res->d_records, dnameOwner, 300);
+          addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString()); // CNAME from a DNAME is not signed
+          return 1;
+        }
+      } else if (ip == ComboAddress("192.0.2.2:53")) {
+        if (domain.countLabels() == 1 && type == QType::DNSKEY) { // example|DNSKEY
+          setLWResult(res, 0, true, false, true);
+          addDNSKEY(keys, domain, 300, res->d_records);
+          addRRSIG(keys, res->d_records, domain, 300);
+          return 1;
+        }
+        if (domain == target && type == QType::DS) { // dname.example|DS
+          return genericDSAndDNSKEYHandler(res, domain, dnameTarget, type, keys);
+        }
+        if (domain == cnameTarget) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, domain, QType::A, "192.0.2.2");
+          addRRSIG(keys, res->d_records, dnameTarget, 300);
+        }
+        return 1;
+      }
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 5); /* DNAME + RRSIG(DNAME) + CNAME + A + RRSIG(A) */
+
+  BOOST_CHECK_EQUAL(queries, 11);
+
+  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
+  BOOST_CHECK(ret[0].d_name == dnameOwner);
+  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+  BOOST_REQUIRE(ret[1].d_type == QType::RRSIG);
+  BOOST_CHECK_EQUAL(ret[1].d_name, dnameOwner);
+
+  BOOST_CHECK(ret[2].d_type == QType::CNAME);
+  BOOST_CHECK_EQUAL(ret[2].d_name, target);
+
+  BOOST_CHECK(ret[3].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[3].d_name, cnameTarget);
+
+  BOOST_CHECK(ret[4].d_type == QType::RRSIG);
+  BOOST_CHECK_EQUAL(ret[4].d_name, cnameTarget);
+
+  // And the cache
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 5); /* DNAME + RRSIG(DNAME) + CNAME + A + RRSIG(A) */
+
+  BOOST_CHECK_EQUAL(queries, 11);
+
+  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
+  BOOST_CHECK(ret[0].d_name == dnameOwner);
+  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+  BOOST_CHECK(ret[1].d_type == QType::RRSIG);
+  BOOST_CHECK_EQUAL(ret[1].d_name, dnameOwner);
+
+  BOOST_CHECK(ret[2].d_type == QType::CNAME);
+  BOOST_CHECK_EQUAL(ret[2].d_name, target);
+
+  BOOST_CHECK(ret[3].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[3].d_name, cnameTarget);
+
+  BOOST_CHECK(ret[4].d_type == QType::RRSIG);
+  BOOST_CHECK_EQUAL(ret[4].d_name, cnameTarget);
+
+}
+
+BOOST_AUTO_TEST_CASE(test_dname_dnssec_insecure) {
+  /*
+   * The DNAME itself is signed, but the final A record is not
+   */
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+
+  const DNSName dnameOwner("powerdns");
+  const DNSName dnameTarget("example");
+
+  const DNSName target("dname.powerdns");
+  const DNSName cnameTarget("dname.example");
+
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(dnameOwner, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queries = 0;
+
+  sr->setAsyncCallback([dnameOwner, dnameTarget, target, cnameTarget, keys, &queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queries++;
+
+      if (isRootServer(ip)) {
+        if (domain.countLabels() == 0 && type == QType::DNSKEY) { // .|DNSKEY
+          setLWResult(res, 0, true, false, true);
+          addDNSKEY(keys, domain, 300, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          return 1;
+        }
+        if (domain == dnameOwner && type == QType::DS) { // powerdns|DS
+          setLWResult(res, 0, true, false, true);
+          addDS(domain, 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          return 1;
+        }
+        if (domain == dnameTarget && type == QType::DS) { // example|DS
+          return genericDSAndDNSKEYHandler(res, domain, DNSName("."), type, keys);
+        }
+        // For the rest, delegate!
+        if (domain.isPartOf(dnameOwner)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, dnameOwner, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+          addDS(dnameOwner, 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        if (domain.isPartOf(dnameTarget)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, dnameTarget, QType::NS, "b.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+          addDS(dnameTarget, 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "b.gtld-servers.net.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+        if (domain.countLabels() == 1 && type == QType::DNSKEY) { // powerdns|DNSKEY
+          setLWResult(res, 0, true, false, true);
+          addDNSKEY(keys, domain, 300, res->d_records);
+          addRRSIG(keys, res->d_records, domain, 300);
+          return 1;
+        }
+        if (domain == target && type == QType::DS) { // dname.powerdns|DS
+          return genericDSAndDNSKEYHandler(res, domain, dnameOwner, type, keys);
+        }
+        if (domain == target) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, dnameOwner, QType::DNAME, dnameTarget.toString());
+          addRRSIG(keys, res->d_records, dnameOwner, 300);
+          addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString()); // CNAME from a DNAME is not signed
+          return 1;
+        }
+      } else if (ip == ComboAddress("192.0.2.2:53")) {
+        if (domain == target && type == QType::DS) { // dname.example|DS
+          return genericDSAndDNSKEYHandler(res, domain, dnameTarget, type, keys);
+        }
+        if (domain == cnameTarget) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, domain, QType::A, "192.0.2.2");
+        }
+        return 1;
+      }
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 4); /* DNAME + RRSIG(DNAME) + CNAME + A */
+
+  BOOST_CHECK_EQUAL(queries, 9);
+
+  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
+  BOOST_CHECK(ret[0].d_name == dnameOwner);
+  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+  BOOST_CHECK(ret[1].d_type == QType::RRSIG);
+  BOOST_CHECK_EQUAL(ret[1].d_name, dnameOwner);
+
+  BOOST_CHECK(ret[2].d_type == QType::CNAME);
+  BOOST_CHECK_EQUAL(ret[2].d_name, target);
+
+  BOOST_CHECK(ret[3].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[3].d_name, cnameTarget);
+
+  // And the cache
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 4); /* DNAME + RRSIG(DNAME) + CNAME + A */
+
+  BOOST_CHECK_EQUAL(queries, 9);
+
+  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
+  BOOST_CHECK(ret[0].d_name == dnameOwner);
+  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+  BOOST_CHECK(ret[1].d_type == QType::RRSIG);
+  BOOST_CHECK_EQUAL(ret[1].d_name, dnameOwner);
+
+  BOOST_CHECK(ret[2].d_type == QType::CNAME);
+  BOOST_CHECK_EQUAL(ret[2].d_name, target);
+
+  BOOST_CHECK(ret[3].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[3].d_name, cnameTarget);
+}
+
+BOOST_AUTO_TEST_CASE(test_dname_processing_no_CNAME) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName dnameOwner("powerdns.com");
+  const DNSName dnameTarget("powerdns.net");
+
+  const DNSName target("dname.powerdns.com.");
+  const DNSName cnameTarget("dname.powerdns.net");
+
+  size_t queries = 0;
+
+  sr->setAsyncCallback([dnameOwner, dnameTarget, target, cnameTarget, &queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queries++;
+
+      if (isRootServer(ip)) {
+        if (domain.isPartOf(dnameOwner)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, dnameOwner, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+          addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        if (domain.isPartOf(dnameTarget)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, dnameTarget, QType::NS, "b.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+          addRecordToLW(res, "b.gtld-servers.net.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+        if (domain == target) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, dnameOwner, QType::DNAME, dnameTarget.toString());
+          // No CNAME, recursor should synth
+          return 1;
+        }
+      } else if (ip == ComboAddress("192.0.2.2:53")) {
+        if (domain == cnameTarget) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, domain, QType::A, "192.0.2.2");
+        }
+        return 1;
+      }
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 3);
+
+  BOOST_CHECK_EQUAL(queries, 4);
+
+  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
+  BOOST_CHECK(ret[0].d_name == dnameOwner);
+  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+  BOOST_CHECK(ret[1].d_type == QType::CNAME);
+  BOOST_CHECK_EQUAL(ret[1].d_name, target);
+
+  BOOST_CHECK(ret[2].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[2].d_name, cnameTarget);
+
+  // Now check the cache
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 3);
+
+  BOOST_CHECK_EQUAL(queries, 4);
+
+  BOOST_REQUIRE(ret[0].d_type == QType::DNAME);
+  BOOST_CHECK(ret[0].d_name == dnameOwner);
+  BOOST_CHECK_EQUAL(getRR<DNAMERecordContent>(ret[0])->getTarget(), dnameTarget);
+
+  BOOST_CHECK(ret[1].d_type == QType::CNAME);
+  BOOST_CHECK_EQUAL(ret[1].d_name, target);
+
+  BOOST_CHECK(ret[2].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[2].d_name, cnameTarget);
+}
+
+/*
+// cerr<<"asyncresolve called to ask "<<ip.toStringWithPort()<<" about "<<domain.toString()<<" / "<<QType(type).getName()<<" over "<<(doTCP ? "TCP" : "UDP")<<" (rd: "<<sendRDQuery<<", EDNS0 level: "<<EDNS0Level<<")"<<endl;
+
+- check out of band support
+
+- check preoutquery
+
+*/
+BOOST_AUTO_TEST_SUITE_END()
diff --git a/pdns/recursordist/test-syncres_cc2.cc b/pdns/recursordist/test-syncres_cc2.cc
new file mode 100644
index 000000000000..691e62bed543
--- /dev/null
+++ b/pdns/recursordist/test-syncres_cc2.cc
@@ -0,0 +1,1032 @@
+#define BOOST_TEST_DYN_LINK
+#include <boost/test/unit_test.hpp>
+
+#include "test-syncres_cc.hh"
+
+BOOST_AUTO_TEST_SUITE(syncres_cc2)
+
+BOOST_AUTO_TEST_CASE(test_referral_depth) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  size_t queries = 0;
+  const DNSName target("www.powerdns.com.");
+
+  sr->setAsyncCallback([target,&queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      queries++;
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+
+        if (domain == DNSName("www.powerdns.com.")) {
+          addRecordToLW(res, domain, QType::NS, "ns.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
+        }
+        else if (domain == DNSName("ns.powerdns.com.")) {
+          addRecordToLW(res, domain, QType::NS, "ns1.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800);
+        }
+        else if (domain == DNSName("ns1.powerdns.org.")) {
+          addRecordToLW(res, domain, QType::NS, "ns2.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800);
+        }
+        else if (domain == DNSName("ns2.powerdns.org.")) {
+          addRecordToLW(res, domain, QType::NS, "ns3.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800);
+        }
+        else if (domain == DNSName("ns3.powerdns.org.")) {
+          addRecordToLW(res, domain, QType::NS, "ns4.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800);
+        }
+        else if (domain == DNSName("ns4.powerdns.org.")) {
+          addRecordToLW(res, domain, QType::NS, "ns5.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800);
+          addRecordToLW(res, domain, QType::A, "192.0.2.1", DNSResourceRecord::AUTHORITY, 172800);
+        }
+
+        return 1;
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+
+        setLWResult(res, 0, true, false, false);
+        addRecordToLW(res, domain, QType::A, "192.0.2.2");
+        return 1;
+      }
+
+      return 0;
+    });
+
+  /* Set the maximum depth low */
+  SyncRes::s_maxdepth = 10;
+
+  try {
+    vector<DNSRecord> ret;
+    sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+    BOOST_CHECK(false);
+  }
+  catch(const ImmediateServFailException& e) {
+  }
+}
+
+BOOST_AUTO_TEST_CASE(test_cname_qperq) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  size_t queries = 0;
+  const DNSName target("cname.powerdns.com.");
+
+  sr->setAsyncCallback([target,&queries](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      queries++;
+
+      if (isRootServer(ip)) {
+
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+
+        setLWResult(res, 0, true, false, false);
+        addRecordToLW(res, domain, QType::CNAME, std::to_string(queries) + "-cname.powerdns.com");
+        return 1;
+      }
+
+      return 0;
+    });
+
+  /* Set the maximum number of questions very low */
+  SyncRes::s_maxqperq = 5;
+
+  try {
+    vector<DNSRecord> ret;
+    sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+    BOOST_CHECK(false);
+  }
+  catch(const ImmediateServFailException& e) {
+    BOOST_CHECK_EQUAL(queries, SyncRes::s_maxqperq);
+  }
+}
+
+BOOST_AUTO_TEST_CASE(test_throttled_server) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("throttled.powerdns.com.");
+  const ComboAddress ns("192.0.2.1:53");
+  size_t queriesToNS = 0;
+
+  sr->setAsyncCallback([target,ns,&queriesToNS](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      } else if (ip == ns) {
+
+        queriesToNS++;
+
+        setLWResult(res, 0, true, false, false);
+        addRecordToLW(res, domain, QType::A, "192.0.2.2");
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  /* mark ns as down */
+  time_t now = sr->getNow().tv_sec;
+  SyncRes::doThrottle(now, ns, SyncRes::s_serverdownthrottletime, 10000);
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::ServFail);
+  BOOST_CHECK_EQUAL(ret.size(), 0);
+  /* we should not have sent any queries to ns */
+  BOOST_CHECK_EQUAL(queriesToNS, 0);
+}
+
+BOOST_AUTO_TEST_CASE(test_throttled_server_count) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const ComboAddress ns("192.0.2.1:53");
+
+  const size_t blocks = 10;
+  /* mark ns as down for 'blocks' queries */
+  time_t now = sr->getNow().tv_sec;
+  SyncRes::doThrottle(now, ns, SyncRes::s_serverdownthrottletime, blocks);
+
+  for (size_t idx = 0; idx < blocks; idx++) {
+    BOOST_CHECK(SyncRes::isThrottled(now, ns));
+  }
+
+  /* we have been throttled 'blocks' times, we should not be throttled anymore */
+  BOOST_CHECK(!SyncRes::isThrottled(now, ns));
+}
+
+BOOST_AUTO_TEST_CASE(test_throttled_server_time) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const ComboAddress ns("192.0.2.1:53");
+
+  const size_t seconds = 1;
+  /* mark ns as down for 'seconds' seconds */
+  time_t now = sr->getNow().tv_sec;
+  SyncRes::doThrottle(now, ns, seconds, 10000);
+
+  BOOST_CHECK(SyncRes::isThrottled(now, ns));
+
+  /* we should not be throttled anymore */
+  BOOST_CHECK(!SyncRes::isThrottled(now + 2, ns));
+}
+
+BOOST_AUTO_TEST_CASE(test_dont_query_server) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("throttled.powerdns.com.");
+  const ComboAddress ns("192.0.2.1:53");
+  size_t queriesToNS = 0;
+
+  sr->setAsyncCallback([target,ns,&queriesToNS](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      } else if (ip == ns) {
+
+        queriesToNS++;
+
+        setLWResult(res, 0, true, false, false);
+        addRecordToLW(res, domain, QType::A, "192.0.2.2");
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  /* prevent querying this NS */
+  SyncRes::addDontQuery(Netmask(ns));
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::ServFail);
+  BOOST_CHECK_EQUAL(ret.size(), 0);
+  /* we should not have sent any queries to ns */
+  BOOST_CHECK_EQUAL(queriesToNS, 0);
+}
+
+BOOST_AUTO_TEST_CASE(test_root_nx_trust) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target1("powerdns.com.");
+  const DNSName target2("notpowerdns.com.");
+  const ComboAddress ns("192.0.2.1:53");
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target1, target2, ns, &queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      queriesCount++;
+
+      if (isRootServer(ip)) {
+
+        if (domain == target1) {
+          setLWResult(res, RCode::NXDomain, true, false, true);
+          addRecordToLW(res, ".", QType::SOA, "a.root-servers.net. nstld.verisign-grs.com. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+        }
+        else {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+          addRecordToLW(res, "a.gtld-servers.net.", QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600);
+        }
+
+        return 1;
+      } else if (ip == ns) {
+
+        setLWResult(res, 0, true, false, false);
+        addRecordToLW(res, domain, QType::A, "192.0.2.2");
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  SyncRes::s_maxnegttl = 3600;
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target1, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+  /* one for target1 and one for the entire TLD */
+  BOOST_CHECK_EQUAL(SyncRes::getNegCacheSize(), 2);
+
+  ret.clear();
+  res = sr->beginResolve(target2, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK_LE(ret[0].d_ttl, SyncRes::s_maxnegttl);
+  /* one for target1 and one for the entire TLD */
+  BOOST_CHECK_EQUAL(SyncRes::getNegCacheSize(), 2);
+
+  /* we should have sent only one query */
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_root_nx_trust_specific) {
+  std::unique_ptr<SyncRes> sr;
+  initSR();
+  initSR(sr, true, false);
+
+  primeHints();
+
+  const DNSName target1("powerdns.com.");
+  const DNSName target2("notpowerdns.com.");
+  const ComboAddress ns("192.0.2.1:53");
+  size_t queriesCount = 0;
+
+  /* This time the root denies target1 with a "com." SOA instead of a "." one.
+     We should add target1 to the negcache, but not "com.". */
+
+  sr->setAsyncCallback([target1, target2, ns, &queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      queriesCount++;
+
+      if (isRootServer(ip)) {
+
+        if (domain == target1) {
+          setLWResult(res, RCode::NXDomain, true, false, true);
+          addRecordToLW(res, "com.", QType::SOA, "a.root-servers.net. nstld.verisign-grs.com. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+        }
+        else {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+          addRecordToLW(res, "a.gtld-servers.net.", QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600);
+        }
+
+        return 1;
+      } else if (ip == ns) {
+
+        setLWResult(res, 0, true, false, false);
+        addRecordToLW(res, domain, QType::A, "192.0.2.2");
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target1, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+
+  /* even with root-nx-trust on and a NX answer from the root,
+     we should not have cached the entire TLD this time. */
+  BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1);
+
+  ret.clear();
+  res = sr->beginResolve(target2, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK_EQUAL(ret[0].d_name, target2);
+  BOOST_REQUIRE(ret[0].d_type == QType::A);
+  BOOST_CHECK(getRR<ARecordContent>(ret[0])->getCA() == ComboAddress("192.0.2.2"));
+
+  BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1);
+
+  BOOST_CHECK_EQUAL(queriesCount, 3);
+}
+
+BOOST_AUTO_TEST_CASE(test_root_nx_dont_trust) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target1("powerdns.com.");
+  const DNSName target2("notpowerdns.com.");
+  const ComboAddress ns("192.0.2.1:53");
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target1, target2, ns, &queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      queriesCount++;
+
+      if (isRootServer(ip)) {
+
+        if (domain == target1) {
+          setLWResult(res, RCode::NXDomain, true, false, true);
+          addRecordToLW(res, ".", QType::SOA, "a.root-servers.net. nstld.verisign-grs.com. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+        }
+        else {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+          addRecordToLW(res, "a.gtld-servers.net.", QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600);
+        }
+
+        return 1;
+      } else if (ip == ns) {
+
+        setLWResult(res, 0, true, false, false);
+        addRecordToLW(res, domain, QType::A, "192.0.2.2");
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  SyncRes::s_rootNXTrust = false;
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target1, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+  /* one for target1 */
+  BOOST_CHECK_EQUAL(SyncRes::getNegCacheSize(), 1);
+
+  ret.clear();
+  res = sr->beginResolve(target2, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+  /* one for target1 */
+  BOOST_CHECK_EQUAL(SyncRes::getNegCacheSize(), 1);
+
+  /* we should have sent three queries */
+  BOOST_CHECK_EQUAL(queriesCount, 3);
+}
+
+BOOST_AUTO_TEST_CASE(test_skip_negcache_for_variable_response) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("www.powerdns.com.");
+  const DNSName cnameTarget("cname.powerdns.com.");
+
+  SyncRes::addEDNSDomain(DNSName("powerdns.com."));
+
+  EDNSSubnetOpts incomingECS;
+  incomingECS.source = Netmask("192.0.2.128/32");
+  sr->setQuerySource(ComboAddress(), boost::optional<const EDNSSubnetOpts&>(incomingECS));
+
+  sr->setAsyncCallback([target,cnameTarget](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      BOOST_REQUIRE(srcmask);
+      BOOST_CHECK_EQUAL(srcmask->toString(), "192.0.2.0/24");
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+
+        srcmask = boost::none;
+
+        return 1;
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+        if (domain == target) {
+          /* Type 2 NXDOMAIN (rfc2308 section-2.1) */
+          setLWResult(res, RCode::NXDomain, true, false, true);
+          addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString());
+          addRecordToLW(res, "powerdns.com", QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+        }
+        else if (domain == cnameTarget) {
+          /* we shouldn't get there since the Type NXDOMAIN should have been enough,
+             but we might if we still chase the CNAME. */
+          setLWResult(res, RCode::NXDomain, true, false, true);
+          addRecordToLW(res, "powerdns.com", QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+        }
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
+  BOOST_CHECK_EQUAL(ret.size(), 2);
+  /* no negative cache entry because the response was variable */
+  BOOST_CHECK_EQUAL(SyncRes::getNegCacheSize(), 0);
+}
+
+BOOST_AUTO_TEST_CASE(test_ecs_cache_limit_allowed) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("www.powerdns.com.");
+
+  SyncRes::addEDNSDomain(DNSName("powerdns.com."));
+
+  EDNSSubnetOpts incomingECS;
+  incomingECS.source = Netmask("192.0.2.128/32");
+  sr->setQuerySource(ComboAddress(), boost::optional<const EDNSSubnetOpts&>(incomingECS));
+  SyncRes::s_ecsipv4cachelimit = 24;
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      BOOST_REQUIRE(srcmask);
+      BOOST_CHECK_EQUAL(srcmask->toString(), "192.0.2.0/24");
+
+      setLWResult(res, 0, true, false, true);
+      addRecordToLW(res, target, QType::A, "192.0.2.1");
+
+      return 1;
+    });
+
+  const time_t now = sr->getNow().tv_sec;
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+
+  /* should have been cached */
+  const ComboAddress who("192.0.2.128");
+  vector<DNSRecord> cached;
+  BOOST_REQUIRE_GT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0);
+  BOOST_REQUIRE_EQUAL(cached.size(), 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_ecs_cache_limit_no_ttl_limit_allowed) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("www.powerdns.com.");
+
+  SyncRes::addEDNSDomain(DNSName("powerdns.com."));
+
+  EDNSSubnetOpts incomingECS;
+  incomingECS.source = Netmask("192.0.2.128/32");
+  sr->setQuerySource(ComboAddress(), boost::optional<const EDNSSubnetOpts&>(incomingECS));
+  SyncRes::s_ecsipv4cachelimit = 16;
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      BOOST_REQUIRE(srcmask);
+      BOOST_CHECK_EQUAL(srcmask->toString(), "192.0.2.0/24");
+
+      setLWResult(res, 0, true, false, true);
+      addRecordToLW(res, target, QType::A, "192.0.2.1");
+
+      return 1;
+    });
+
+  const time_t now = sr->getNow().tv_sec;
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+
+  /* should have been cached because /24 is more specific than /16 but TTL limit is nof effective */
+  const ComboAddress who("192.0.2.128");
+  vector<DNSRecord> cached;
+  BOOST_REQUIRE_GT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0);
+  BOOST_REQUIRE_EQUAL(cached.size(), 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_ecs_cache_ttllimit_allowed) {
+    std::unique_ptr<SyncRes> sr;
+    initSR(sr);
+
+    primeHints();
+
+    const DNSName target("www.powerdns.com.");
+
+    SyncRes::addEDNSDomain(DNSName("powerdns.com."));
+
+    EDNSSubnetOpts incomingECS;
+    incomingECS.source = Netmask("192.0.2.128/32");
+    sr->setQuerySource(ComboAddress(), boost::optional<const EDNSSubnetOpts&>(incomingECS));
+    SyncRes::s_ecscachelimitttl = 30;
+
+    sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      BOOST_REQUIRE(srcmask);
+      BOOST_CHECK_EQUAL(srcmask->toString(), "192.0.2.0/24");
+
+      setLWResult(res, 0, true, false, true);
+      addRecordToLW(res, target, QType::A, "192.0.2.1");
+
+      return 1;
+    });
+
+    const time_t now = sr->getNow().tv_sec;
+    vector<DNSRecord> ret;
+    int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+    BOOST_CHECK_EQUAL(res, RCode::NoError);
+    BOOST_CHECK_EQUAL(ret.size(), 1);
+
+    /* should have been cached */
+    const ComboAddress who("192.0.2.128");
+    vector<DNSRecord> cached;
+    BOOST_REQUIRE_GT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0);
+    BOOST_REQUIRE_EQUAL(cached.size(), 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_ecs_cache_ttllimit_and_scope_allowed) {
+    std::unique_ptr<SyncRes> sr;
+    initSR(sr);
+
+    primeHints();
+
+    const DNSName target("www.powerdns.com.");
+
+    SyncRes::addEDNSDomain(DNSName("powerdns.com."));
+
+    EDNSSubnetOpts incomingECS;
+    incomingECS.source = Netmask("192.0.2.128/32");
+    sr->setQuerySource(ComboAddress(), boost::optional<const EDNSSubnetOpts&>(incomingECS));
+    SyncRes::s_ecscachelimitttl = 100;
+    SyncRes::s_ecsipv4cachelimit = 24;
+
+    sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      BOOST_REQUIRE(srcmask);
+      BOOST_CHECK_EQUAL(srcmask->toString(), "192.0.2.0/24");
+
+      setLWResult(res, 0, true, false, true);
+      addRecordToLW(res, target, QType::A, "192.0.2.1");
+
+      return 1;
+    });
+
+    const time_t now = sr->getNow().tv_sec;
+    vector<DNSRecord> ret;
+    int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+    BOOST_CHECK_EQUAL(res, RCode::NoError);
+    BOOST_CHECK_EQUAL(ret.size(), 1);
+
+    /* should have been cached */
+    const ComboAddress who("192.0.2.128");
+    vector<DNSRecord> cached;
+    BOOST_REQUIRE_GT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0);
+    BOOST_REQUIRE_EQUAL(cached.size(), 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_ecs_cache_ttllimit_notallowed) {
+    std::unique_ptr<SyncRes> sr;
+    initSR(sr);
+
+    primeHints();
+
+    const DNSName target("www.powerdns.com.");
+
+    SyncRes::addEDNSDomain(DNSName("powerdns.com."));
+
+    EDNSSubnetOpts incomingECS;
+    incomingECS.source = Netmask("192.0.2.128/32");
+    sr->setQuerySource(ComboAddress(), boost::optional<const EDNSSubnetOpts&>(incomingECS));
+    SyncRes::s_ecscachelimitttl = 100;
+    SyncRes::s_ecsipv4cachelimit = 16;
+
+    sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      BOOST_REQUIRE(srcmask);
+      BOOST_CHECK_EQUAL(srcmask->toString(), "192.0.2.0/24");
+
+      setLWResult(res, 0, true, false, true);
+      addRecordToLW(res, target, QType::A, "192.0.2.1");
+
+      return 1;
+    });
+
+    const time_t now = sr->getNow().tv_sec;
+    vector<DNSRecord> ret;
+    int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+    BOOST_CHECK_EQUAL(res, RCode::NoError);
+    BOOST_CHECK_EQUAL(ret.size(), 1);
+
+    /* should have NOT been cached because TTL of 60 is too small and /24 is more specific than /16 */
+    const ComboAddress who("192.0.2.128");
+    vector<DNSRecord> cached;
+    BOOST_REQUIRE_LT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0);
+    BOOST_REQUIRE_EQUAL(cached.size(), 0);
+}
+
+
+BOOST_AUTO_TEST_CASE(test_ns_speed) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+
+  std::map<ComboAddress, uint64_t> nsCounts;
+
+  sr->setAsyncCallback([target,&nsCounts](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, domain, QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, domain, QType::NS, "pdns-public-ns2.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, domain, QType::NS, "pdns-public-ns3.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
+
+        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::AAAA, "2001:DB8::1", DNSResourceRecord::ADDITIONAL, 3600);
+        addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+        addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::AAAA, "2001:DB8::2", DNSResourceRecord::ADDITIONAL, 3600);
+        addRecordToLW(res, "pdns-public-ns3.powerdns.com.", QType::A, "192.0.2.3", DNSResourceRecord::ADDITIONAL, 3600);
+        addRecordToLW(res, "pdns-public-ns3.powerdns.com.", QType::AAAA, "2001:DB8::3", DNSResourceRecord::ADDITIONAL, 3600);
+
+        return 1;
+      } else {
+        nsCounts[ip]++;
+
+        if (ip == ComboAddress("[2001:DB8::2]:53") || ip == ComboAddress("192.0.2.2:53")) {
+          BOOST_CHECK_LT(nsCounts.size(), 3);
+
+          /* let's time out on pdns-public-ns2.powerdns.com. */
+          return 0;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          BOOST_CHECK_EQUAL(nsCounts.size(), 3);
+
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::A, "192.0.2.254");
+          return 1;
+        }
+
+        return 0;
+      }
+
+      return 0;
+    });
+
+  struct timeval now = sr->getNow();
+
+  /* make pdns-public-ns2.powerdns.com. the fastest NS, with its IPv6 address faster than the IPV4 one,
+     then pdns-public-ns1.powerdns.com. on IPv4 */
+  SyncRes::submitNSSpeed(DNSName("pdns-public-ns1.powerdns.com."), ComboAddress("192.0.2.1:53"), 100, &now);
+  SyncRes::submitNSSpeed(DNSName("pdns-public-ns1.powerdns.com."), ComboAddress("[2001:DB8::1]:53"), 10000, &now);
+  SyncRes::submitNSSpeed(DNSName("pdns-public-ns2.powerdns.com."), ComboAddress("192.0.2.2:53"), 10, &now);
+  SyncRes::submitNSSpeed(DNSName("pdns-public-ns2.powerdns.com."), ComboAddress("[2001:DB8::2]:53"), 1, &now);
+  SyncRes::submitNSSpeed(DNSName("pdns-public-ns3.powerdns.com."), ComboAddress("192.0.2.3:53"), 10000, &now);
+  SyncRes::submitNSSpeed(DNSName("pdns-public-ns3.powerdns.com."), ComboAddress("[2001:DB8::3]:53"), 10000, &now);
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+  BOOST_CHECK_EQUAL(nsCounts.size(), 3);
+  BOOST_CHECK_EQUAL(nsCounts[ComboAddress("192.0.2.1:53")], 1);
+  BOOST_CHECK_EQUAL(nsCounts[ComboAddress("192.0.2.2:53")], 1);
+  BOOST_CHECK_EQUAL(nsCounts[ComboAddress("[2001:DB8::2]:53")], 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_flawed_nsset) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, domain, QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
+
+        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+
+        return 1;
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+        setLWResult(res, 0, true, false, true);
+        addRecordToLW(res, domain, QType::A, "192.0.2.254");
+        return 1;
+      }
+
+      return 0;
+    });
+
+  /* we populate the cache with a flawed NSset, i.e. there is a NS entry but no corresponding glue */
+  time_t now = sr->getNow().tv_sec;
+  std::vector<DNSRecord> records;
+  std::vector<shared_ptr<RRSIGRecordContent> > sigs;
+  addRecordToList(records, target, QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, now + 3600);
+
+  t_RC->replace(now, target, QType(QType::NS), records, sigs, vector<std::shared_ptr<DNSRecord>>(), true, boost::optional<Netmask>());
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_completely_flawed_nsset) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([&queriesCount,target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      queriesCount++;
+
+      if (isRootServer(ip) && domain == target) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, domain, QType::NS, "pdns-public-ns2.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, domain, QType::NS, "pdns-public-ns3.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
+        return 1;
+      } else if (domain == DNSName("pdns-public-ns2.powerdns.com.") || domain == DNSName("pdns-public-ns3.powerdns.com.")){
+        setLWResult(res, 0, true, false, true);
+        addRecordToLW(res, ".", QType::SOA, "a.root-servers.net. nstld.verisign-grs.com. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::ServFail);
+  BOOST_CHECK_EQUAL(ret.size(), 0);
+  /* one query to get NSs, then A and AAAA for each NS */
+  BOOST_CHECK_EQUAL(queriesCount, 5);
+}
+
+BOOST_AUTO_TEST_CASE(test_cache_hit) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      return 0;
+    });
+
+  /* we populate the cache with eveything we need */
+  time_t now = sr->getNow().tv_sec;
+  std::vector<DNSRecord> records;
+  std::vector<shared_ptr<RRSIGRecordContent> > sigs;
+
+  addRecordToList(records, target, QType::A, "192.0.2.1", DNSResourceRecord::ANSWER, now + 3600);
+  t_RC->replace(now, target , QType(QType::A), records, sigs, vector<std::shared_ptr<DNSRecord>>(), true, boost::optional<Netmask>());
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_no_rd) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+  size_t queriesCount = 0;
+
+  sr->setCacheOnly();
+
+  sr->setAsyncCallback([target,&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      queriesCount++;
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 0);
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+}
+
+BOOST_AUTO_TEST_CASE(test_cache_min_max_ttl) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("cachettl.powerdns.com.");
+  const ComboAddress ns("192.0.2.1:53");
+
+  sr->setAsyncCallback([target,ns](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 7200);
+        return 1;
+      } else if (ip == ns) {
+
+        setLWResult(res, 0, true, false, false);
+        addRecordToLW(res, domain, QType::A, "192.0.2.2", DNSResourceRecord::ANSWER, 10);
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  const time_t now = sr->getNow().tv_sec;
+  SyncRes::s_minimumTTL = 60;
+  SyncRes::s_maxcachettl = 3600;
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK_EQUAL(ret[0].d_ttl, SyncRes::s_minimumTTL);
+
+  const ComboAddress who;
+  vector<DNSRecord> cached;
+  BOOST_REQUIRE_GT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0);
+  BOOST_REQUIRE_EQUAL(cached.size(), 1);
+  BOOST_REQUIRE_GT(cached[0].d_ttl, now);
+  BOOST_CHECK_EQUAL((cached[0].d_ttl - now), SyncRes::s_minimumTTL);
+
+  cached.clear();
+  BOOST_REQUIRE_GT(t_RC->get(now, target, QType(QType::NS), false, &cached, who), 0);
+  BOOST_REQUIRE_EQUAL(cached.size(), 1);
+  BOOST_REQUIRE_GT(cached[0].d_ttl, now);
+  BOOST_CHECK_LE((cached[0].d_ttl - now), SyncRes::s_maxcachettl);
+}
+
+BOOST_AUTO_TEST_CASE(test_cache_min_max_ecs_ttl) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("cacheecsttl.powerdns.com.");
+  const ComboAddress ns("192.0.2.1:53");
+
+  EDNSSubnetOpts incomingECS;
+  incomingECS.source = Netmask("192.0.2.128/32");
+  sr->setQuerySource(ComboAddress(), boost::optional<const EDNSSubnetOpts&>(incomingECS));
+  SyncRes::addEDNSDomain(target);
+
+  sr->setAsyncCallback([target,ns](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      BOOST_REQUIRE(srcmask);
+      BOOST_CHECK_EQUAL(srcmask->toString(), "192.0.2.0/24");
+
+      if (isRootServer(ip)) {
+
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, domain, QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 20);
+        srcmask = boost::none;
+
+        return 1;
+      } else if (ip == ns) {
+
+        setLWResult(res, 0, true, false, false);
+        addRecordToLW(res, domain, QType::A, "192.0.2.2", DNSResourceRecord::ANSWER, 10);
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  const time_t now = sr->getNow().tv_sec;
+  SyncRes::s_minimumTTL = 60;
+  SyncRes::s_minimumECSTTL = 120;
+  SyncRes::s_maxcachettl = 3600;
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK_EQUAL(ret[0].d_ttl, SyncRes::s_minimumECSTTL);
+
+  const ComboAddress who("192.0.2.128");
+  vector<DNSRecord> cached;
+  BOOST_REQUIRE_GT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0);
+  BOOST_REQUIRE_EQUAL(cached.size(), 1);
+  BOOST_REQUIRE_GT(cached[0].d_ttl, now);
+  BOOST_CHECK_EQUAL((cached[0].d_ttl - now), SyncRes::s_minimumECSTTL);
+
+  cached.clear();
+  BOOST_REQUIRE_GT(t_RC->get(now, target, QType(QType::NS), false, &cached, who), 0);
+  BOOST_REQUIRE_EQUAL(cached.size(), 1);
+  BOOST_REQUIRE_GT(cached[0].d_ttl, now);
+  BOOST_CHECK_LE((cached[0].d_ttl - now), SyncRes::s_maxcachettl);
+
+  cached.clear();
+  BOOST_REQUIRE_GT(t_RC->get(now, DNSName("a.gtld-servers.net."), QType(QType::A), false, &cached, who), 0);
+  BOOST_REQUIRE_EQUAL(cached.size(), 1);
+  BOOST_REQUIRE_GT(cached[0].d_ttl, now);
+  BOOST_CHECK_LE((cached[0].d_ttl - now), SyncRes::s_minimumTTL);
+}
+
+BOOST_AUTO_TEST_CASE(test_cache_expired_ttl) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, domain, QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
+
+        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+
+        return 1;
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+        setLWResult(res, 0, true, false, true);
+        addRecordToLW(res, domain, QType::A, "192.0.2.2");
+        return 1;
+      }
+
+      return 0;
+    });
+
+  /* we populate the cache with entries that expired 60s ago*/
+  const time_t now = sr->getNow().tv_sec;
+
+  std::vector<DNSRecord> records;
+  std::vector<shared_ptr<RRSIGRecordContent> > sigs;
+  addRecordToList(records, target, QType::A, "192.0.2.42", DNSResourceRecord::ANSWER, now - 60);
+
+  t_RC->replace(now - 3600, target, QType(QType::A), records, sigs, vector<std::shared_ptr<DNSRecord>>(), true, boost::optional<Netmask>());
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_REQUIRE(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(getRR<ARecordContent>(ret[0])->getCA().toStringWithPort(), ComboAddress("192.0.2.2").toStringWithPort());
+}
+
+BOOST_AUTO_TEST_SUITE_END()
diff --git a/pdns/recursordist/test-syncres_cc3.cc b/pdns/recursordist/test-syncres_cc3.cc
new file mode 100644
index 000000000000..715679a6c30f
--- /dev/null
+++ b/pdns/recursordist/test-syncres_cc3.cc
@@ -0,0 +1,1303 @@
+#define BOOST_TEST_DYN_LINK
+#include <boost/test/unit_test.hpp>
+
+#include "test-syncres_cc.hh"
+
+BOOST_AUTO_TEST_SUITE(syncres_cc3)
+
+BOOST_AUTO_TEST_CASE(test_cache_auth) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  /* the auth server is sending the same answer in answer and additional,
+     check that we only return one result, and we only cache one too. */
+  const DNSName target("cache-auth.powerdns.com.");
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      setLWResult(res, 0, true, false, true);
+      addRecordToLW(res, domain, QType::A, "192.0.2.2", DNSResourceRecord::ANSWER, 10);
+      addRecordToLW(res, domain, QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 10);
+
+      return 1;
+    });
+
+  const time_t now = sr->getNow().tv_sec;
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_REQUIRE_EQUAL(QType(ret.at(0).d_type).getName(), QType(QType::A).getName());
+  BOOST_CHECK_EQUAL(getRR<ARecordContent>(ret.at(0))->getCA().toString(), ComboAddress("192.0.2.2").toString());
+
+  /* check that we correctly cached only the answer entry, not the additional one */
+  const ComboAddress who;
+  vector<DNSRecord> cached;
+  BOOST_REQUIRE_GT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0);
+  BOOST_REQUIRE_EQUAL(cached.size(), 1);
+  BOOST_REQUIRE_EQUAL(QType(cached.at(0).d_type).getName(), QType(QType::A).getName());
+  BOOST_CHECK_EQUAL(getRR<ARecordContent>(cached.at(0))->getCA().toString(), ComboAddress("192.0.2.2").toString());
+}
+
+BOOST_AUTO_TEST_CASE(test_delegation_only) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  /* Thanks, Verisign */
+  SyncRes::addDelegationOnly(DNSName("com."));
+  SyncRes::addDelegationOnly(DNSName("net."));
+
+  const DNSName target("nx-powerdns.com.");
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+
+        setLWResult(res, 0, true, false, true);
+        addRecordToLW(res, domain, QType::A, "192.0.2.42");
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
+  BOOST_CHECK_EQUAL(ret.size(), 0);
+}
+
+BOOST_AUTO_TEST_CASE(test_unauth_any) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, domain, QType::A, "192.0.2.42");
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::ANY), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::ServFail);
+  BOOST_CHECK_EQUAL(ret.size(), 0);
+}
+
+static void test_no_data_f(bool qmin) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+  if (qmin)
+    setDoQNameMinimisation();
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+
+  sr->setAsyncCallback(
+    [target](const ComboAddress &ip, const DNSName &domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level,
+             struct timeval *now, boost::optional <Netmask> &srcmask, boost::optional<const ResolveContext &> context,
+             LWResult *res, bool *chained) {
+
+      setLWResult(res, 0, true, false, true);
+      return 1;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 0);
+}
+
+BOOST_AUTO_TEST_CASE(test_no_data) {
+  test_no_data_f(false);
+}
+
+BOOST_AUTO_TEST_CASE(test_no_data_qmin) {
+  // DISABLED UNTIL QNAME MINIMIZATION IS THERE
+  return;
+  test_no_data_f(true);
+}
+
+BOOST_AUTO_TEST_CASE(test_skip_opt_any) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      setLWResult(res, 0, true, false, true);
+      addRecordToLW(res, domain, QType::A, "192.0.2.42");
+      addRecordToLW(res, domain, QType::ANY, "0 0");
+      addRecordToLW(res, domain, QType::OPT, "");
+      return 1;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_nodata_nsec_nodnssec) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      setLWResult(res, 0, true, false, true);
+      addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+      /* the NSEC and RRSIG contents are complete garbage, please ignore them */
+      addRecordToLW(res, domain, QType::NSEC, "deadbeef", DNSResourceRecord::AUTHORITY);
+      addRecordToLW(res, domain, QType::RRSIG, "NSEC 5 2 600 2100010100000000 2100010100000000 24567 dummy data", DNSResourceRecord::AUTHORITY);
+      addRecordToLW(res, domain, QType::RRSIG, "SOA 5 3 600 2100010100000000 2100010100000000 24567 dummy data", DNSResourceRecord::AUTHORITY);
+      return 1;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_nodata_nsec_dnssec) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      setLWResult(res, 0, true, false, true);
+      addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+      /* the NSEC and RRSIG contents are complete garbage, please ignore them */
+      addRecordToLW(res, domain, QType::NSEC, "deadbeef", DNSResourceRecord::AUTHORITY);
+      addRecordToLW(res, domain, QType::RRSIG, "NSEC 5 2 600 2100010100000000 2100010100000000 24567 dummy data", DNSResourceRecord::AUTHORITY);
+      addRecordToLW(res, domain, QType::RRSIG, "SOA 5 3 600 2100010100000000 2100010100000000 24567 dummy data", DNSResourceRecord::AUTHORITY);
+      return 1;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 4);
+}
+
+BOOST_AUTO_TEST_CASE(test_nx_nsec_nodnssec) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      setLWResult(res, RCode::NXDomain, true, false, true);
+      addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+      /* the NSEC and RRSIG contents are complete garbage, please ignore them */
+      addRecordToLW(res, domain, QType::NSEC, "deadbeef", DNSResourceRecord::AUTHORITY);
+      addRecordToLW(res, domain, QType::RRSIG, "NSEC 5 2 600 2100010100000000 2100010100000000 24567 dummy data", DNSResourceRecord::AUTHORITY);
+      addRecordToLW(res, domain, QType::RRSIG, "SOA 5 3 600 2100010100000000 2100010100000000 24567 dummy data", DNSResourceRecord::AUTHORITY);
+      return 1;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_nx_nsec_dnssec) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      setLWResult(res, RCode::NXDomain, true, false, true);
+      addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+      /* the NSEC and RRSIG contents are complete garbage, please ignore them */
+      addRecordToLW(res, domain, QType::NSEC, "deadbeef", DNSResourceRecord::AUTHORITY);
+      addRecordToLW(res, domain, QType::RRSIG, "NSEC 5 2 600 2100010100000000 2100010100000000 24567 dummy data", DNSResourceRecord::AUTHORITY);
+      addRecordToLW(res, domain, QType::RRSIG, "SOA 5 3 600 2100010100000000 2100010100000000 24567 dummy data", DNSResourceRecord::AUTHORITY);
+      return 1;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
+  BOOST_CHECK_EQUAL(ret.size(), 4);
+}
+
+BOOST_AUTO_TEST_CASE(test_qclass_none) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  /* apart from special names and QClass::ANY, anything else than QClass::IN should be rejected right away */
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      queriesCount++;
+      return 0;
+    });
+
+  const DNSName target("powerdns.com.");
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::NONE, ret);
+  BOOST_CHECK_EQUAL(res, -1);
+  BOOST_CHECK_EQUAL(ret.size(), 0);
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+}
+
+BOOST_AUTO_TEST_CASE(test_answer_no_aa) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      setLWResult(res, 0, false, false, true);
+      addRecordToLW(res, domain, QType::A, "192.0.2.1");
+      return 1;
+    });
+
+  const time_t now = sr->getNow().tv_sec;
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::ServFail);
+  BOOST_CHECK_EQUAL(ret.size(), 0);
+
+  /* check that the record in the answer section has not been cached */
+  const ComboAddress who;
+  vector<DNSRecord> cached;
+  vector<std::shared_ptr<RRSIGRecordContent>> signatures;
+  BOOST_REQUIRE_EQUAL(t_RC->get(now, target, QType(QType::A), false, &cached, who, &signatures), -1);
+}
+
+BOOST_AUTO_TEST_CASE(test_special_types) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  /* {A,I}XFR, RRSIG and NSEC3 should be rejected right away */
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      cerr<<"asyncresolve called to ask "<<ip.toStringWithPort()<<" about "<<domain.toString()<<" / "<<QType(type).getName()<<" over "<<(doTCP ? "TCP" : "UDP")<<" (rd: "<<sendRDQuery<<", EDNS0 level: "<<EDNS0Level<<")"<<endl;
+      queriesCount++;
+      return 0;
+    });
+
+  const DNSName target("powerdns.com.");
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::AXFR), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, -1);
+  BOOST_CHECK_EQUAL(ret.size(), 0);
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+
+  res = sr->beginResolve(target, QType(QType::IXFR), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, -1);
+  BOOST_CHECK_EQUAL(ret.size(), 0);
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+
+  res = sr->beginResolve(target, QType(QType::RRSIG), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, -1);
+  BOOST_CHECK_EQUAL(ret.size(), 0);
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+
+  res = sr->beginResolve(target, QType(QType::NSEC3), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, -1);
+  BOOST_CHECK_EQUAL(ret.size(), 0);
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+}
+
+BOOST_AUTO_TEST_CASE(test_special_names) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  /* special names should be handled internally */
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      queriesCount++;
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(DNSName("1.0.0.127.in-addr.arpa."), QType(QType::PTR), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::PTR);
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+
+  ret.clear();
+  res = sr->beginResolve(DNSName("1.0.0.127.in-addr.arpa."), QType(QType::ANY), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::PTR);
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+
+  ret.clear();
+  res = sr->beginResolve(DNSName("1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa."), QType(QType::PTR), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::PTR);
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+
+  ret.clear();
+  res = sr->beginResolve(DNSName("1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa."), QType(QType::ANY), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::PTR);
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+
+  ret.clear();
+  res = sr->beginResolve(DNSName("localhost."), QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(getRR<ARecordContent>(ret[0])->getCA().toString(), "127.0.0.1");
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+
+  ret.clear();
+  res = sr->beginResolve(DNSName("localhost."), QType(QType::AAAA), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::AAAA);
+  BOOST_CHECK_EQUAL(getRR<AAAARecordContent>(ret[0])->getCA().toString(), "::1");
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+
+  ret.clear();
+  res = sr->beginResolve(DNSName("localhost."), QType(QType::ANY), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  for (const auto& rec : ret) {
+    BOOST_REQUIRE((rec.d_type == QType::A) || rec.d_type == QType::AAAA);
+    if (rec.d_type == QType::A) {
+      BOOST_CHECK_EQUAL(getRR<ARecordContent>(rec)->getCA().toString(), "127.0.0.1");
+    }
+    else {
+      BOOST_CHECK_EQUAL(getRR<AAAARecordContent>(rec)->getCA().toString(), "::1");
+    }
+  }
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+
+  ret.clear();
+  res = sr->beginResolve(DNSName("version.bind."), QType(QType::TXT), QClass::CHAOS, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::TXT);
+  BOOST_CHECK_EQUAL(getRR<TXTRecordContent>(ret[0])->d_text, "\"PowerDNS Unit Tests\"");
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+
+  ret.clear();
+  res = sr->beginResolve(DNSName("version.bind."), QType(QType::ANY), QClass::CHAOS, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::TXT);
+  BOOST_CHECK_EQUAL(getRR<TXTRecordContent>(ret[0])->d_text, "\"PowerDNS Unit Tests\"");
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+
+  ret.clear();
+  res = sr->beginResolve(DNSName("version.pdns."), QType(QType::TXT), QClass::CHAOS, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::TXT);
+  BOOST_CHECK_EQUAL(getRR<TXTRecordContent>(ret[0])->d_text, "\"PowerDNS Unit Tests\"");
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+
+  ret.clear();
+  res = sr->beginResolve(DNSName("version.pdns."), QType(QType::ANY), QClass::CHAOS, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::TXT);
+  BOOST_CHECK_EQUAL(getRR<TXTRecordContent>(ret[0])->d_text, "\"PowerDNS Unit Tests\"");
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+
+  ret.clear();
+  res = sr->beginResolve(DNSName("id.server."), QType(QType::TXT), QClass::CHAOS, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::TXT);
+  BOOST_CHECK_EQUAL(getRR<TXTRecordContent>(ret[0])->d_text, "\"PowerDNS Unit Tests Server ID\"");
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+
+  ret.clear();
+  res = sr->beginResolve(DNSName("id.server."), QType(QType::ANY), QClass::CHAOS, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::TXT);
+  BOOST_CHECK_EQUAL(getRR<TXTRecordContent>(ret[0])->d_text, "\"PowerDNS Unit Tests Server ID\"");
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+}
+
+BOOST_AUTO_TEST_CASE(test_nameserver_ipv4_rpz) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("rpz.powerdns.com.");
+  const ComboAddress ns("192.0.2.1:53");
+
+  sr->setAsyncCallback([target,ns](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+        setLWResult(res, false, true, false, true);
+        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      } else if (ip == ns) {
+
+        setLWResult(res, 0, true, false, true);
+        addRecordToLW(res, domain, QType::A, "192.0.2.42");
+        return 1;
+      }
+
+      return 0;
+  });
+
+  DNSFilterEngine::Policy pol;
+  pol.d_kind = DNSFilterEngine::PolicyKind::Drop;
+  std::shared_ptr<DNSFilterEngine::Zone> zone = std::make_shared<DNSFilterEngine::Zone>();
+  zone->setName("Unit test policy 0");
+  zone->addNSIPTrigger(Netmask(ns, 32), std::move(pol));
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dfe.addZone(zone);
+  g_luaconfs.setState(luaconfsCopy);
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, -2);
+  BOOST_CHECK_EQUAL(ret.size(), 0);
+}
+
+BOOST_AUTO_TEST_CASE(test_nameserver_ipv6_rpz) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("rpz.powerdns.com.");
+  const ComboAddress ns("[2001:DB8::42]:53");
+
+  sr->setAsyncCallback([target,ns](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::AAAA, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      } else if (ip == ns) {
+
+        setLWResult(res, 0, true, false, true);
+        addRecordToLW(res, domain, QType::A, "192.0.2.42");
+        return 1;
+      }
+
+      return 0;
+  });
+
+  DNSFilterEngine::Policy pol;
+  pol.d_kind = DNSFilterEngine::PolicyKind::Drop;
+  std::shared_ptr<DNSFilterEngine::Zone> zone = std::make_shared<DNSFilterEngine::Zone>();
+  zone->setName("Unit test policy 0");
+  zone->addNSIPTrigger(Netmask(ns, 128), std::move(pol));
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dfe.addZone(zone);
+  g_luaconfs.setState(luaconfsCopy);
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, -2);
+  BOOST_CHECK_EQUAL(ret.size(), 0);
+}
+
+BOOST_AUTO_TEST_CASE(test_nameserver_name_rpz) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("rpz.powerdns.com.");
+  const ComboAddress ns("192.0.2.1:53");
+  const DNSName nsName("ns1.powerdns.com.");
+
+  sr->setAsyncCallback([target,ns,nsName](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, domain, QType::NS, nsName.toString(), DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, nsName, QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      } else if (ip == ns) {
+
+        setLWResult(res, 0, true, false, true);
+        addRecordToLW(res, domain, QType::A, "192.0.2.42");
+        return 1;
+      }
+
+      return 0;
+  });
+
+  DNSFilterEngine::Policy pol;
+  pol.d_kind = DNSFilterEngine::PolicyKind::Drop;
+  std::shared_ptr<DNSFilterEngine::Zone> zone = std::make_shared<DNSFilterEngine::Zone>();
+  zone->setName("Unit test policy 0");
+  zone->addNSTrigger(nsName, std::move(pol));
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dfe.addZone(zone);
+  g_luaconfs.setState(luaconfsCopy);
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, -2);
+  BOOST_CHECK_EQUAL(ret.size(), 0);
+}
+
+BOOST_AUTO_TEST_CASE(test_nameserver_name_rpz_disabled) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("rpz.powerdns.com.");
+  const ComboAddress ns("192.0.2.1:53");
+  const DNSName nsName("ns1.powerdns.com.");
+
+  sr->setAsyncCallback([target,ns,nsName](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, domain, QType::NS, nsName.toString(), DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, nsName, QType::A, ns.toString(), DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      } else if (ip == ns) {
+
+        setLWResult(res, 0, true, false, true);
+        addRecordToLW(res, domain, QType::A, "192.0.2.42");
+        return 1;
+      }
+
+      return 0;
+  });
+
+  DNSFilterEngine::Policy pol;
+  pol.d_kind = DNSFilterEngine::PolicyKind::Drop;
+  std::shared_ptr<DNSFilterEngine::Zone> zone = std::make_shared<DNSFilterEngine::Zone>();
+  zone->setName("Unit test policy 0");
+  zone->addNSIPTrigger(Netmask(ns, 128), DNSFilterEngine::Policy(pol));
+  zone->addNSTrigger(nsName, std::move(pol));
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dfe.addZone(zone);
+  g_luaconfs.setState(luaconfsCopy);
+
+  /* RPZ is disabled for this query, we should not be blocked */
+  sr->setWantsRPZ(false);
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_forward_zone_nord) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+  const ComboAddress ns("192.0.2.1:53");
+  const ComboAddress forwardedNS("192.0.2.42:53");
+
+  SyncRes::AuthDomain ad;
+  ad.d_rdForward = false;
+  ad.d_servers.push_back(forwardedNS);
+  (*SyncRes::t_sstorage.domainmap)[target] = ad;
+
+  sr->setAsyncCallback([forwardedNS](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (ip == forwardedNS) {
+        BOOST_CHECK_EQUAL(sendRDQuery, false);
+
+        setLWResult(res, 0, true, false, true);
+        addRecordToLW(res, domain, QType::A, "192.0.2.42");
+        return 1;
+      }
+
+      return 0;
+  });
+
+  /* simulate a no-RD query */
+  sr->setCacheOnly();
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_forward_zone_rd) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+  const ComboAddress ns("192.0.2.1:53");
+  const ComboAddress forwardedNS("192.0.2.42:53");
+
+  size_t queriesCount = 0;
+  SyncRes::AuthDomain ad;
+  ad.d_rdForward = true;
+  ad.d_servers.push_back(forwardedNS);
+  (*SyncRes::t_sstorage.domainmap)[target] = ad;
+
+  sr->setAsyncCallback([forwardedNS, &queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      queriesCount++;
+
+      if (ip == forwardedNS) {
+        BOOST_CHECK_EQUAL(sendRDQuery, true);
+
+        /* set AA=0, we are a recursor */
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, domain, QType::A, "192.0.2.42");
+        return 1;
+      }
+
+      return 0;
+  });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+
+  /* now make sure we can resolve from the cache (see #6340
+     where the entries were added to the cache but not retrieved,
+     because the recursor doesn't set the AA bit and we require
+     it. We fixed it by not requiring the AA bit for forward-recurse
+     answers. */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_forward_zone_recurse_nord) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+  const ComboAddress ns("192.0.2.1:53");
+  const ComboAddress forwardedNS("192.0.2.42:53");
+
+  SyncRes::AuthDomain ad;
+  ad.d_rdForward = true;
+  ad.d_servers.push_back(forwardedNS);
+  (*SyncRes::t_sstorage.domainmap)[target] = ad;
+
+  sr->setAsyncCallback([forwardedNS](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (ip == forwardedNS) {
+        BOOST_CHECK_EQUAL(sendRDQuery, false);
+
+        setLWResult(res, 0, true, false, true);
+        addRecordToLW(res, domain, QType::A, "192.0.2.42");
+        return 1;
+      }
+
+      return 0;
+  });
+
+  /* simulate a no-RD query */
+  sr->setCacheOnly();
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_forward_zone_recurse_rd) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("powerdns.com.");
+  const ComboAddress ns("192.0.2.1:53");
+  const ComboAddress forwardedNS("192.0.2.42:53");
+
+  SyncRes::AuthDomain ad;
+  ad.d_rdForward = true;
+  ad.d_servers.push_back(forwardedNS);
+  (*SyncRes::t_sstorage.domainmap)[target] = ad;
+
+  sr->setAsyncCallback([forwardedNS](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      if (ip == forwardedNS) {
+        BOOST_CHECK_EQUAL(sendRDQuery, true);
+
+        setLWResult(res, 0, true, false, true);
+        addRecordToLW(res, domain, QType::A, "192.0.2.42");
+        return 1;
+      }
+
+      return 0;
+  });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_forward_zone_recurse_rd_dnssec) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  /* signed */
+  const DNSName target("test.");
+  /* unsigned */
+  const DNSName cnameTarget("cname.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  const ComboAddress forwardedNS("192.0.2.42:53");
+  size_t queriesCount = 0;
+
+  SyncRes::AuthDomain ad;
+  ad.d_rdForward = true;
+  ad.d_servers.push_back(forwardedNS);
+  (*SyncRes::t_sstorage.domainmap)[g_rootdnsname] = ad;
+
+  sr->setAsyncCallback([target,cnameTarget,keys,forwardedNS,&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      BOOST_CHECK_EQUAL(sendRDQuery, true);
+
+      if (ip != forwardedNS) {
+        return 0;
+      }
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, DNSName("."), type, keys);
+      }
+
+      if (domain == target && type == QType::A) {
+
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, target, QType::CNAME, cnameTarget.toString());
+        addRRSIG(keys, res->d_records, domain, 300);
+        addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1");
+
+        return 1;
+      }
+      return 0;
+  });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 3);
+  BOOST_CHECK_EQUAL(queriesCount, 5);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 3);
+  BOOST_CHECK_EQUAL(queriesCount, 5);
+}
+
+BOOST_AUTO_TEST_CASE(test_forward_zone_recurse_rd_dnssec_bogus) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  /* signed */
+  const DNSName target("test.");
+  /* signed */
+  const DNSName cnameTarget("cname.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(cnameTarget, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  const ComboAddress forwardedNS("192.0.2.42:53");
+  size_t queriesCount = 0;
+
+  SyncRes::AuthDomain ad;
+  ad.d_rdForward = true;
+  ad.d_servers.push_back(forwardedNS);
+  (*SyncRes::t_sstorage.domainmap)[g_rootdnsname] = ad;
+
+  sr->setAsyncCallback([target,cnameTarget,keys,forwardedNS,&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      BOOST_CHECK_EQUAL(sendRDQuery, true);
+
+      if (ip != forwardedNS) {
+        return 0;
+      }
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, DNSName("."), type, keys);
+      }
+
+      if (domain == target && type == QType::A) {
+
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, target, QType::CNAME, cnameTarget.toString());
+        addRRSIG(keys, res->d_records, domain, 300);
+        addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1");
+        /* no RRSIG in a signed zone, Bogus ! */
+
+        return 1;
+      }
+      return 0;
+  });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 3);
+  BOOST_CHECK_EQUAL(queriesCount, 5);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 3);
+  BOOST_CHECK_EQUAL(queriesCount, 5);
+}
+
+BOOST_AUTO_TEST_CASE(test_forward_zone_recurse_rd_dnssec_nodata_bogus) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("powerdns.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  const ComboAddress forwardedNS("192.0.2.42:53");
+  SyncRes::AuthDomain ad;
+  ad.d_rdForward = true;
+  ad.d_servers.push_back(forwardedNS);
+  (*SyncRes::t_sstorage.domainmap)[g_rootdnsname] = ad;
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,forwardedNS,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      BOOST_CHECK_EQUAL(sendRDQuery, true);
+
+      if (ip != forwardedNS) {
+        return 0;
+      }
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+      }
+      else {
+
+        setLWResult(res, 0, false, false, true);
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 0);
+  /* com|NS, powerdns.com|NS, powerdns.com|A */
+  BOOST_CHECK_EQUAL(queriesCount, 3);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 0);
+  /* we don't store empty results */
+  BOOST_CHECK_EQUAL(queriesCount, 4);
+}
+
+BOOST_AUTO_TEST_CASE(test_auth_zone_oob) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  primeHints();
+
+  size_t queriesCount = 0;
+  const DNSName target("test.xx.");
+  const ComboAddress targetAddr("127.0.0.1");
+  const DNSName authZone("test.xx");
+
+  SyncRes::AuthDomain ad;
+  DNSRecord dr;
+
+  dr.d_place = DNSResourceRecord::ANSWER;
+  dr.d_name = target;
+  dr.d_type = QType::A;
+  dr.d_ttl = 1800;
+  dr.d_content = std::make_shared<ARecordContent>(targetAddr);
+  ad.d_records.insert(dr);
+
+  (*SyncRes::t_sstorage.domainmap)[authZone] = ad;
+
+  sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+        queriesCount++;
+        return 0;
+      });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, 0);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+  BOOST_CHECK(sr->wasOutOfBand());
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
+
+  /* a second time, to check that the OOB flag is set when the query cache is used */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, 0);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+  BOOST_CHECK(sr->wasOutOfBand());
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
+
+  /* a third time, to check that the validation is disabled when the OOB flag is set */
+  ret.clear();
+  sr->setDNSSECValidationRequested(true);
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, 0);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+  BOOST_CHECK(sr->wasOutOfBand());
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
+}
+
+BOOST_AUTO_TEST_CASE(test_auth_zone_oob_cname) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  primeHints();
+
+  size_t queriesCount = 0;
+  const DNSName target("cname.test.xx.");
+  const DNSName targetCname("cname-target.test.xx.");
+  const ComboAddress targetCnameAddr("127.0.0.1");
+  const DNSName authZone("test.xx");
+
+  SyncRes::AuthDomain ad;
+  DNSRecord dr;
+
+  dr.d_place = DNSResourceRecord::ANSWER;
+  dr.d_name = target;
+  dr.d_type = QType::CNAME;
+  dr.d_ttl = 1800;
+  dr.d_content = std::make_shared<CNAMERecordContent>(targetCname);
+  ad.d_records.insert(dr);
+
+  dr.d_place = DNSResourceRecord::ANSWER;
+  dr.d_name = targetCname;
+  dr.d_type = QType::A;
+  dr.d_ttl = 1800;
+  dr.d_content = std::make_shared<ARecordContent>(targetCnameAddr);
+  ad.d_records.insert(dr);
+
+  (*SyncRes::t_sstorage.domainmap)[authZone] = ad;
+
+  sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+        queriesCount++;
+        return 0;
+      });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, 0);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK(ret[0].d_type == QType::CNAME);
+  BOOST_CHECK(ret[1].d_type == QType::A);
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+  BOOST_CHECK(sr->wasOutOfBand());
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
+
+  /* a second time, to check that the OOB flag is set when the query cache is used */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, 0);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK(ret[0].d_type == QType::CNAME);
+  BOOST_CHECK(ret[1].d_type == QType::A);
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+  BOOST_CHECK(sr->wasOutOfBand());
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
+
+  /* a third time, to check that the validation is disabled when the OOB flag is set */
+  ret.clear();
+  sr->setDNSSECValidationRequested(true);
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, 0);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK(ret[0].d_type == QType::CNAME);
+  BOOST_CHECK(ret[1].d_type == QType::A);
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+  BOOST_CHECK(sr->wasOutOfBand());
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
+}
+
+BOOST_AUTO_TEST_CASE(test_auth_zone) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  size_t queriesCount = 0;
+  const DNSName target("powerdns.com.");
+  const ComboAddress addr("192.0.2.5");
+
+  SyncRes::AuthDomain ad;
+  ad.d_name = target;
+  DNSRecord dr;
+  dr.d_place = DNSResourceRecord::ANSWER;
+  dr.d_name = target;
+  dr.d_type = QType::SOA;
+  dr.d_ttl = 3600;
+  dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
+  ad.d_records.insert(dr);
+
+  dr.d_place = DNSResourceRecord::ANSWER;
+  dr.d_name = target;
+  dr.d_type = QType::A;
+  dr.d_ttl = 3600;
+  dr.d_content = std::make_shared<ARecordContent>(addr);
+  ad.d_records.insert(dr);
+
+  auto map = std::make_shared<SyncRes::domainmap_t>();
+  (*map)[target] = ad;
+  SyncRes::setDomainMap(map);
+
+  sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      queriesCount++;
+      setLWResult(res, 0, true, false, true);
+      addRecordToLW(res, domain, QType::A, "192.0.2.42");
+      return 1;
+  });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(getRR<ARecordContent>(ret[0])->getCA().toString(), addr.toString());
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+}
+
+BOOST_AUTO_TEST_CASE(test_auth_zone_cname_lead_to_oob) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  size_t queriesCount = 0;
+  const DNSName target("powerdns.com.");
+  const DNSName authZone("internal.powerdns.com.");
+  const ComboAddress addr("192.0.2.5");
+
+  SyncRes::AuthDomain ad;
+  ad.d_name = authZone;
+  DNSRecord dr;
+  dr.d_place = DNSResourceRecord::ANSWER;
+  dr.d_name = authZone;
+  dr.d_type = QType::SOA;
+  dr.d_ttl = 3600;
+  dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
+  ad.d_records.insert(dr);
+
+  dr.d_place = DNSResourceRecord::ANSWER;
+  dr.d_name = authZone;
+  dr.d_type = QType::A;
+  dr.d_ttl = 3600;
+  dr.d_content = std::make_shared<ARecordContent>(addr);
+  ad.d_records.insert(dr);
+
+  auto map = std::make_shared<SyncRes::domainmap_t>();
+  (*map)[authZone] = ad;
+  SyncRes::setDomainMap(map);
+
+  sr->setAsyncCallback([&queriesCount,target,authZone](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      queriesCount++;
+
+      if (domain == target) {
+        setLWResult(res, 0, true, false, true);
+        addRecordToLW(res, target, QType::CNAME, authZone.toString(), DNSResourceRecord::ANSWER, 3600);
+        return 1;
+      }
+
+      return 0;
+  });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 2);
+  BOOST_CHECK(ret[0].d_type == QType::CNAME);
+  BOOST_CHECK_EQUAL(getRR<CNAMERecordContent>(ret[0])->getTarget().toString(), authZone.toString());
+  BOOST_CHECK(ret[1].d_type == QType::A);
+  BOOST_CHECK_EQUAL(getRR<ARecordContent>(ret[1])->getCA().toString(), addr.toString());
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_auth_zone_oob_lead_to_outgoing_queryb) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  size_t queriesCount = 0;
+  const DNSName target("powerdns.com.");
+  const DNSName externalCNAME("www.open-xchange.com.");
+  const ComboAddress addr("192.0.2.5");
+
+  SyncRes::AuthDomain ad;
+  ad.d_name = target;
+  DNSRecord dr;
+  dr.d_place = DNSResourceRecord::ANSWER;
+  dr.d_name = target;
+  dr.d_type = QType::SOA;
+  dr.d_ttl = 3600;
+  dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
+  ad.d_records.insert(dr);
+
+  dr.d_place = DNSResourceRecord::ANSWER;
+  dr.d_name = target;
+  dr.d_type = QType::CNAME;
+  dr.d_ttl = 3600;
+  dr.d_content = std::make_shared<CNAMERecordContent>(externalCNAME);
+  ad.d_records.insert(dr);
+
+  auto map = std::make_shared<SyncRes::domainmap_t>();
+  (*map)[target] = ad;
+  SyncRes::setDomainMap(map);
+
+  sr->setAsyncCallback([&queriesCount,externalCNAME,addr](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      queriesCount++;
+
+      if (domain == externalCNAME) {
+        setLWResult(res, 0, true, false, true);
+        addRecordToLW(res, externalCNAME, QType::A, addr.toString(), DNSResourceRecord::ANSWER, 3600);
+        return 1;
+      }
+
+      return 0;
+  });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 2);
+  BOOST_CHECK(ret[0].d_type == QType::CNAME);
+  BOOST_CHECK_EQUAL(getRR<CNAMERecordContent>(ret[0])->getTarget().toString(), externalCNAME.toString());
+  BOOST_CHECK(ret[1].d_type == QType::A);
+  BOOST_CHECK_EQUAL(getRR<ARecordContent>(ret[1])->getCA().toString(), addr.toString());
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+}
+
+BOOST_AUTO_TEST_SUITE_END()
diff --git a/pdns/recursordist/test-syncres_cc4.cc b/pdns/recursordist/test-syncres_cc4.cc
new file mode 100644
index 000000000000..a515f936250e
--- /dev/null
+++ b/pdns/recursordist/test-syncres_cc4.cc
@@ -0,0 +1,1281 @@
+#define BOOST_TEST_DYN_LINK
+#include <boost/test/unit_test.hpp>
+
+#include "test-syncres_cc.hh"
+
+BOOST_AUTO_TEST_SUITE(syncres_cc4)
+
+BOOST_AUTO_TEST_CASE(test_auth_zone_nodata) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  size_t queriesCount = 0;
+  const DNSName target("nodata.powerdns.com.");
+  const DNSName authZone("powerdns.com");
+
+  SyncRes::AuthDomain ad;
+  ad.d_name = authZone;
+  DNSRecord dr;
+  dr.d_place = DNSResourceRecord::ANSWER;
+  dr.d_name = target;
+  dr.d_type = QType::A;
+  dr.d_ttl = 3600;
+  dr.d_content = std::make_shared<ARecordContent>(ComboAddress("192.0.2.1"));
+  ad.d_records.insert(dr);
+
+  dr.d_place = DNSResourceRecord::ANSWER;
+  dr.d_name = authZone;
+  dr.d_type = QType::SOA;
+  dr.d_ttl = 3600;
+  dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
+  ad.d_records.insert(dr);
+
+  auto map = std::make_shared<SyncRes::domainmap_t>();
+  (*map)[authZone] = ad;
+  SyncRes::setDomainMap(map);
+
+  sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      queriesCount++;
+
+      return 0;
+  });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::AAAA), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::SOA);
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+}
+
+BOOST_AUTO_TEST_CASE(test_auth_zone_nx) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  size_t queriesCount = 0;
+  const DNSName target("nx.powerdns.com.");
+  const DNSName authZone("powerdns.com");
+
+  SyncRes::AuthDomain ad;
+  ad.d_name = authZone;
+  DNSRecord dr;
+  dr.d_place = DNSResourceRecord::ANSWER;
+  dr.d_name = DNSName("powerdns.com.");
+  dr.d_type = QType::SOA;
+  dr.d_ttl = 3600;
+  dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
+  ad.d_records.insert(dr);
+
+  auto map = std::make_shared<SyncRes::domainmap_t>();
+  (*map)[authZone] = ad;
+  SyncRes::setDomainMap(map);
+
+  sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      queriesCount++;
+
+      return 0;
+  });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::SOA);
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+}
+
+BOOST_AUTO_TEST_CASE(test_auth_zone_delegation) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true, false);
+
+  primeHints();
+
+  size_t queriesCount = 0;
+  const DNSName target("www.test.powerdns.com.");
+  const ComboAddress targetAddr("192.0.2.2");
+  const DNSName ns("ns1.test.powerdns.com.");
+  const ComboAddress nsAddr("192.0.2.1");
+  const DNSName authZone("powerdns.com");
+
+  SyncRes::AuthDomain ad;
+  ad.d_name = authZone;
+  DNSRecord dr;
+  dr.d_place = DNSResourceRecord::ANSWER;
+  dr.d_name = authZone;
+  dr.d_type = QType::SOA;
+  dr.d_ttl = 3600;
+  dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
+  ad.d_records.insert(dr);
+
+  dr.d_place = DNSResourceRecord::ANSWER;
+  dr.d_name = DNSName("test.powerdns.com.");
+  dr.d_type = QType::NS;
+  dr.d_ttl = 3600;
+  dr.d_content = std::make_shared<NSRecordContent>(ns);
+  ad.d_records.insert(dr);
+
+  dr.d_place = DNSResourceRecord::ANSWER;
+  dr.d_name = ns;
+  dr.d_type = QType::A;
+  dr.d_ttl = 3600;
+  dr.d_content = std::make_shared<ARecordContent>(nsAddr);
+  ad.d_records.insert(dr);
+
+  auto map = std::make_shared<SyncRes::domainmap_t>();
+  (*map)[authZone] = ad;
+  SyncRes::setDomainMap(map);
+
+  testkeysset_t keys;
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::RSASHA512, DNSSECKeeper::SHA384, keys, luaconfsCopy.dsAnchors);
+  g_luaconfs.setState(luaconfsCopy);
+
+  sr->setAsyncCallback([&queriesCount,target,targetAddr,nsAddr,authZone,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      queriesCount++;
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, DNSName("."), type, keys, domain == authZone);
+      }
+
+      if (ip == ComboAddress(nsAddr.toString(), 53) && domain == target) {
+        setLWResult(res, 0, true, false, true);
+        addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
+        return 1;
+      }
+
+      return 0;
+  });
+
+  sr->setDNSSECValidationRequested(true);
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(queriesCount, 4);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
+}
+
+BOOST_AUTO_TEST_CASE(test_auth_zone_delegation_point) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  size_t queriesCount = 0;
+  const DNSName target("test.powerdns.com.");
+  const ComboAddress targetAddr("192.0.2.2");
+  const DNSName ns("ns1.test.powerdns.com.");
+  const ComboAddress nsAddr("192.0.2.1");
+  const DNSName authZone("powerdns.com");
+
+  SyncRes::AuthDomain ad;
+  ad.d_name = authZone;
+  DNSRecord dr;
+  dr.d_place = DNSResourceRecord::ANSWER;
+  dr.d_name = authZone;
+  dr.d_type = QType::SOA;
+  dr.d_ttl = 3600;
+  dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
+  ad.d_records.insert(dr);
+
+  dr.d_place = DNSResourceRecord::ANSWER;
+  dr.d_name = DNSName("test.powerdns.com.");
+  dr.d_type = QType::NS;
+  dr.d_ttl = 3600;
+  dr.d_content = std::make_shared<NSRecordContent>(ns);
+  ad.d_records.insert(dr);
+
+  dr.d_place = DNSResourceRecord::ANSWER;
+  dr.d_name = ns;
+  dr.d_type = QType::A;
+  dr.d_ttl = 3600;
+  dr.d_content = std::make_shared<ARecordContent>(nsAddr);
+  ad.d_records.insert(dr);
+
+  auto map = std::make_shared<SyncRes::domainmap_t>();
+  (*map)[authZone] = ad;
+  SyncRes::setDomainMap(map);
+
+  sr->setAsyncCallback([&queriesCount,nsAddr,target,targetAddr](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      queriesCount++;
+
+      if (ip == ComboAddress(nsAddr.toString(), 53) && domain == target) {
+        setLWResult(res, 0, true, false, true);
+        addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
+        return 1;
+      }
+
+      return 0;
+  });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_auth_zone_wildcard) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  size_t queriesCount = 0;
+  const DNSName target("test.powerdns.com.");
+  const ComboAddress targetAddr("192.0.2.2");
+  const DNSName authZone("powerdns.com");
+
+  SyncRes::AuthDomain ad;
+  ad.d_name = authZone;
+  DNSRecord dr;
+  dr.d_place = DNSResourceRecord::ANSWER;
+  dr.d_name = authZone;
+  dr.d_type = QType::SOA;
+  dr.d_ttl = 3600;
+  dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
+  ad.d_records.insert(dr);
+
+  dr.d_place = DNSResourceRecord::ANSWER;
+  dr.d_name = DNSName("*.powerdns.com.");
+  dr.d_type = QType::A;
+  dr.d_ttl = 3600;
+  dr.d_content = std::make_shared<ARecordContent>(targetAddr);
+  ad.d_records.insert(dr);
+
+  auto map = std::make_shared<SyncRes::domainmap_t>();
+  (*map)[authZone] = ad;
+  SyncRes::setDomainMap(map);
+
+  sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      queriesCount++;
+
+      return 0;
+  });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+}
+
+BOOST_AUTO_TEST_CASE(test_auth_zone_wildcard_nodata) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  size_t queriesCount = 0;
+  const DNSName target("test.powerdns.com.");
+  const ComboAddress targetAddr("192.0.2.2");
+  const DNSName authZone("powerdns.com");
+
+  SyncRes::AuthDomain ad;
+  ad.d_name = authZone;
+  DNSRecord dr;
+  dr.d_place = DNSResourceRecord::ANSWER;
+  dr.d_name = authZone;
+  dr.d_type = QType::SOA;
+  dr.d_ttl = 3600;
+  dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
+  ad.d_records.insert(dr);
+
+  dr.d_place = DNSResourceRecord::ANSWER;
+  dr.d_name = DNSName("*.powerdns.com.");
+  dr.d_type = QType::A;
+  dr.d_ttl = 3600;
+  dr.d_content = std::make_shared<ARecordContent>(targetAddr);
+  ad.d_records.insert(dr);
+
+  auto map = std::make_shared<SyncRes::domainmap_t>();
+  (*map)[authZone] = ad;
+  SyncRes::setDomainMap(map);
+
+  sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      queriesCount++;
+
+      return 0;
+  });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::AAAA), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::SOA);
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+}
+
+BOOST_AUTO_TEST_CASE(test_auth_zone_cache_only) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  size_t queriesCount = 0;
+  const DNSName target("powerdns.com.");
+  const ComboAddress addr("192.0.2.5");
+
+  SyncRes::AuthDomain ad;
+  ad.d_name = target;
+  DNSRecord dr;
+  dr.d_place = DNSResourceRecord::ANSWER;
+  dr.d_name = target;
+  dr.d_type = QType::SOA;
+  dr.d_ttl = 3600;
+  dr.d_content = std::make_shared<SOARecordContent>("pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600");
+  ad.d_records.insert(dr);
+
+  dr.d_place = DNSResourceRecord::ANSWER;
+  dr.d_name = target;
+  dr.d_type = QType::A;
+  dr.d_ttl = 3600;
+  dr.d_content = std::make_shared<ARecordContent>(addr);
+  ad.d_records.insert(dr);
+
+  auto map = std::make_shared<SyncRes::domainmap_t>();
+  (*map)[target] = ad;
+  SyncRes::setDomainMap(map);
+
+  sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      queriesCount++;
+      setLWResult(res, 0, true, false, true);
+      addRecordToLW(res, domain, QType::A, "192.0.2.42");
+      return 1;
+  });
+
+  /* simulate a no-RD query */
+  sr->setCacheOnly();
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(getRR<ARecordContent>(ret[0])->getCA().toString(), addr.toString());
+  BOOST_CHECK_EQUAL(queriesCount, 0);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_rrsig) {
+  initSR();
+
+  auto dcke = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256));
+  dcke->create(dcke->getBits());
+  // cerr<<dcke->convertToISC()<<endl;
+  DNSSECPrivateKey dpk;
+  dpk.d_flags = 256;
+  dpk.setKey(dcke);
+
+  std::vector<std::shared_ptr<DNSRecordContent> > recordcontents;
+  recordcontents.push_back(getRecordContent(QType::A, "192.0.2.1"));
+
+  DNSName qname("powerdns.com.");
+
+  time_t now = time(nullptr);
+  RRSIGRecordContent rrc;
+  /* this RRSIG is valid for the current second only */
+  computeRRSIG(dpk, qname, qname, QType::A, 600, 0, rrc, recordcontents, boost::none, now);
+
+  skeyset_t keyset;
+  keyset.insert(std::make_shared<DNSKEYRecordContent>(dpk.getDNSKEY()));
+
+  std::vector<std::shared_ptr<RRSIGRecordContent> > sigs;
+  sigs.push_back(std::make_shared<RRSIGRecordContent>(rrc));
+
+  BOOST_CHECK(validateWithKeySet(now, qname, recordcontents, sigs, keyset));
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_root_validation_csk) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target(".");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (domain == target && type == QType::NS) {
+
+        setLWResult(res, 0, true, false, true);
+        char addr[] = "a.root-servers.net.";
+        for (char idx = 'a'; idx <= 'm'; idx++) {
+          addr[0] = idx;
+          addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);
+        }
+
+        addRRSIG(keys, res->d_records, domain, 300);
+
+        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
+        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
+
+        return 1;
+      } else if (domain == target && type == QType::DNSKEY) {
+
+        setLWResult(res, 0, true, false, true);
+
+        addDNSKEY(keys, domain, 300, res->d_records);
+        addRRSIG(keys, res->d_records, domain, 300);
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  /* 13 NS + 1 RRSIG */
+  BOOST_REQUIRE_EQUAL(ret.size(), 14);
+  BOOST_CHECK_EQUAL(queriesCount, 2);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 14);
+  BOOST_CHECK_EQUAL(queriesCount, 2);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_root_validation_ksk_zsk) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target(".");
+  testkeysset_t zskeys;
+  testkeysset_t kskeys;
+
+  /* Generate key material for "." */
+  auto dckeZ = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256));
+  dckeZ->create(dckeZ->getBits());
+  DNSSECPrivateKey ksk;
+  ksk.d_flags = 257;
+  ksk.setKey(dckeZ);
+  DSRecordContent kskds = makeDSFromDNSKey(target, ksk.getDNSKEY(), DNSSECKeeper::SHA256);
+
+  auto dckeK = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256));
+  dckeK->create(dckeK->getBits());
+  DNSSECPrivateKey zsk;
+  zsk.d_flags = 256;
+  zsk.setKey(dckeK);
+  DSRecordContent zskds = makeDSFromDNSKey(target, zsk.getDNSKEY(), DNSSECKeeper::SHA256);
+
+  kskeys[target] = std::pair<DNSSECPrivateKey,DSRecordContent>(ksk, kskds);
+  zskeys[target] = std::pair<DNSSECPrivateKey,DSRecordContent>(zsk, zskds);
+
+  /* Set the root DS */
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  luaconfsCopy.dsAnchors[g_rootdnsname].insert(kskds);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,zskeys,kskeys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (domain == target && type == QType::NS) {
+
+        setLWResult(res, 0, true, false, true);
+        char addr[] = "a.root-servers.net.";
+        for (char idx = 'a'; idx <= 'm'; idx++) {
+          addr[0] = idx;
+          addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);
+        }
+
+        addRRSIG(zskeys, res->d_records, domain, 300);
+
+        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
+        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
+
+        return 1;
+      } else if (domain == target && type == QType::DNSKEY) {
+
+        setLWResult(res, 0, true, false, true);
+
+        addDNSKEY(kskeys, domain, 300, res->d_records);
+        addDNSKEY(zskeys, domain, 300, res->d_records);
+        addRRSIG(kskeys, res->d_records, domain, 300);
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  /* 13 NS + 1 RRSIG */
+  BOOST_REQUIRE_EQUAL(ret.size(), 14);
+  BOOST_CHECK_EQUAL(queriesCount, 2);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 14);
+  BOOST_CHECK_EQUAL(queriesCount, 2);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_bogus_no_dnskey) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target(".");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (domain == target && type == QType::NS) {
+
+        setLWResult(res, 0, true, false, true);
+        char addr[] = "a.root-servers.net.";
+        for (char idx = 'a'; idx <= 'm'; idx++) {
+          addr[0] = idx;
+          addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);
+        }
+
+        addRRSIG(keys, res->d_records, domain, 300);
+
+        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
+        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
+
+        return 1;
+      } else if (domain == target && type == QType::DNSKEY) {
+
+        setLWResult(res, 0, true, false, true);
+
+        /* No DNSKEY */
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  /* 13 NS + 1 RRSIG */
+  BOOST_REQUIRE_EQUAL(ret.size(), 14);
+  BOOST_CHECK_EQUAL(queriesCount, 2);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 14);
+  BOOST_CHECK_EQUAL(queriesCount, 2);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_bogus_dnskey_doesnt_match_ds) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target(".");
+  testkeysset_t dskeys;
+  testkeysset_t keys;
+
+  /* Generate key material for "." */
+  auto dckeDS = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256));
+  dckeDS->create(dckeDS->getBits());
+  DNSSECPrivateKey dskey;
+  dskey.d_flags = 257;
+  dskey.setKey(dckeDS);
+  DSRecordContent drc = makeDSFromDNSKey(target, dskey.getDNSKEY(), DNSSECKeeper::SHA256);
+
+  auto dcke = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256));
+  dcke->create(dcke->getBits());
+  DNSSECPrivateKey dpk;
+  dpk.d_flags = 256;
+  dpk.setKey(dcke);
+  DSRecordContent uselessdrc = makeDSFromDNSKey(target, dpk.getDNSKEY(), DNSSECKeeper::SHA256);
+
+  dskeys[target] = std::pair<DNSSECPrivateKey,DSRecordContent>(dskey, drc);
+  keys[target] = std::pair<DNSSECPrivateKey,DSRecordContent>(dpk, uselessdrc);
+
+  /* Set the root DS */
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  luaconfsCopy.dsAnchors[g_rootdnsname].insert(drc);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (domain == target && type == QType::NS) {
+
+        setLWResult(res, 0, true, false, true);
+        char addr[] = "a.root-servers.net.";
+        for (char idx = 'a'; idx <= 'm'; idx++) {
+          addr[0] = idx;
+          addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);
+        }
+
+        addRRSIG(keys, res->d_records, domain, 300);
+
+        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
+        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
+
+        return 1;
+      } else if (domain == target && type == QType::DNSKEY) {
+
+        setLWResult(res, 0, true, false, true);
+
+        addDNSKEY(keys, domain, 300, res->d_records);
+        addRRSIG(keys, res->d_records, domain, 300);
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  /* 13 NS + 1 RRSIG */
+  BOOST_REQUIRE_EQUAL(ret.size(), 14);
+  BOOST_CHECK_EQUAL(queriesCount, 2);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 14);
+  BOOST_CHECK_EQUAL(queriesCount, 2);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_bogus_rrsig_signed_with_unknown_dnskey) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target(".");
+  testkeysset_t keys;
+  testkeysset_t rrsigkeys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  g_luaconfs.setState(luaconfsCopy);
+
+  auto dckeRRSIG = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256));
+  dckeRRSIG->create(dckeRRSIG->getBits());
+  DNSSECPrivateKey rrsigkey;
+  rrsigkey.d_flags = 257;
+  rrsigkey.setKey(dckeRRSIG);
+  DSRecordContent rrsigds = makeDSFromDNSKey(target, rrsigkey.getDNSKEY(), DNSSECKeeper::SHA256);
+
+  rrsigkeys[target] = std::pair<DNSSECPrivateKey,DSRecordContent>(rrsigkey, rrsigds);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys,rrsigkeys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (domain == target && type == QType::NS) {
+
+        setLWResult(res, 0, true, false, true);
+        char addr[] = "a.root-servers.net.";
+        for (char idx = 'a'; idx <= 'm'; idx++) {
+          addr[0] = idx;
+          addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);
+        }
+
+        addRRSIG(rrsigkeys, res->d_records, domain, 300);
+
+        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
+        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
+
+        return 1;
+      } else if (domain == target && type == QType::DNSKEY) {
+
+        setLWResult(res, 0, true, false, true);
+
+        addDNSKEY(keys, domain, 300, res->d_records);
+        addRRSIG(rrsigkeys, res->d_records, domain, 300);
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  /* 13 NS + 1 RRSIG */
+  BOOST_REQUIRE_EQUAL(ret.size(), 14);
+  BOOST_CHECK_EQUAL(queriesCount, 2);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 14);
+  BOOST_CHECK_EQUAL(queriesCount, 2);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_bogus_no_rrsig) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target(".");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (domain == target && type == QType::NS) {
+
+        setLWResult(res, 0, true, false, true);
+        char addr[] = "a.root-servers.net.";
+        for (char idx = 'a'; idx <= 'm'; idx++) {
+          addr[0] = idx;
+          addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 86400);
+        }
+
+        /* No RRSIG */
+
+        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
+        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
+
+        return 1;
+      } else if (domain == target && type == QType::DNSKEY) {
+
+        setLWResult(res, 0, true, false, true);
+
+        addDNSKEY(keys, domain, 300, res->d_records);
+        addRRSIG(keys, res->d_records, domain, 300);
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  SyncRes::s_maxcachettl = 86400;
+  SyncRes::s_maxbogusttl = 3600;
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  /* 13 NS + 0 RRSIG */
+  BOOST_REQUIRE_EQUAL(ret.size(), 13);
+  /* no RRSIG so no query for DNSKEYs */
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 13);
+  /* check that we capped the TTL to max-cache-bogus-ttl */
+  for (const auto& record : ret) {
+    BOOST_CHECK_LE(record.d_ttl, SyncRes::s_maxbogusttl);
+  }
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_insecure_unknown_ds_algorithm) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target(".");
+  testkeysset_t keys;
+
+  /* Generate key material for "." */
+  auto dcke = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256));
+  dcke->create(dcke->getBits());
+  DNSSECPrivateKey dpk;
+  dpk.d_flags = 256;
+  dpk.setKey(dcke);
+  /* Fake algorithm number (private) */
+  dpk.d_algorithm = 253;
+
+  DSRecordContent drc = makeDSFromDNSKey(target, dpk.getDNSKEY(), DNSSECKeeper::SHA256);
+  keys[target] = std::pair<DNSSECPrivateKey,DSRecordContent>(dpk, drc);
+  /* Fake algorithm number (private) */
+  drc.d_algorithm = 253;
+
+  /* Set the root DS */
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  luaconfsCopy.dsAnchors[g_rootdnsname].insert(drc);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (domain == target && type == QType::NS) {
+
+        setLWResult(res, 0, true, false, true);
+        char addr[] = "a.root-servers.net.";
+        for (char idx = 'a'; idx <= 'm'; idx++) {
+          addr[0] = idx;
+          addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);
+        }
+
+        addRRSIG(keys, res->d_records, domain, 300);
+
+        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
+        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
+
+        return 1;
+      } else if (domain == target && type == QType::DNSKEY) {
+
+        setLWResult(res, 0, true, false, true);
+
+        addDNSKEY(keys, domain, 300, res->d_records);
+        addRRSIG(keys, res->d_records, domain, 300);
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  /* 13 NS + 1 RRSIG */
+  BOOST_REQUIRE_EQUAL(ret.size(), 14);
+  /* no supported DS so no query for DNSKEYs */
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 14);
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_insecure_unknown_ds_digest) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target(".");
+  testkeysset_t keys;
+
+  /* Generate key material for "." */
+  auto dcke = std::shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256));
+  dcke->create(dcke->getBits());
+  DNSSECPrivateKey dpk;
+  dpk.d_flags = 256;
+  dpk.setKey(dcke);
+  DSRecordContent drc = makeDSFromDNSKey(target, dpk.getDNSKEY(), DNSSECKeeper::SHA256);
+  /* Fake digest number (reserved) */
+  drc.d_digesttype = 0;
+
+  keys[target] = std::pair<DNSSECPrivateKey, DSRecordContent>(dpk, drc);
+
+  /* Set the root DS */
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  luaconfsCopy.dsAnchors[g_rootdnsname].insert(drc);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (domain == target && type == QType::NS) {
+
+        setLWResult(res, 0, true, false, true);
+        char addr[] = "a.root-servers.net.";
+        for (char idx = 'a'; idx <= 'm'; idx++) {
+          addr[0] = idx;
+          addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);
+        }
+
+        addRRSIG(keys, res->d_records, domain, 300);
+
+        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
+        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
+
+        return 1;
+      } else if (domain == target && type == QType::DNSKEY) {
+
+        setLWResult(res, 0, true, false, true);
+
+        addDNSKEY(keys, domain, 300, res->d_records);
+        addRRSIG(keys, res->d_records, domain, 300);
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  /* 13 NS + 1 RRSIG */
+  BOOST_REQUIRE_EQUAL(ret.size(), 14);
+  /* no supported DS so no query for DNSKEYs */
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 14);
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_bogus_bad_sig) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target(".");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::RSASHA512, DNSSECKeeper::SHA384, keys, luaconfsCopy.dsAnchors);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (domain == target && type == QType::NS) {
+
+        setLWResult(res, 0, true, false, true);
+        char addr[] = "a.root-servers.net.";
+        for (char idx = 'a'; idx <= 'm'; idx++) {
+          addr[0] = idx;
+          addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);
+        }
+
+        addRRSIG(keys, res->d_records, domain, 300, true);
+
+        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
+        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
+
+        return 1;
+      } else if (domain == target && type == QType::DNSKEY) {
+
+        setLWResult(res, 0, true, false, true);
+
+        addDNSKEY(keys, domain, 300, res->d_records);
+        addRRSIG(keys, res->d_records, domain, 300);
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  /* 13 NS + 1 RRSIG */
+  BOOST_REQUIRE_EQUAL(ret.size(), 14);
+  BOOST_CHECK_EQUAL(queriesCount, 2);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 14);
+  BOOST_CHECK_EQUAL(queriesCount, 2);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_bogus_bad_algo) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target(".");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::RSASHA512, DNSSECKeeper::SHA384, keys, luaconfsCopy.dsAnchors);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (domain == target && type == QType::NS) {
+
+        setLWResult(res, 0, true, false, true);
+        char addr[] = "a.root-servers.net.";
+        for (char idx = 'a'; idx <= 'm'; idx++) {
+          addr[0] = idx;
+          addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);
+        }
+
+        /* FORCE WRONG ALGO */
+        addRRSIG(keys, res->d_records, domain, 300, false, DNSSECKeeper::RSASHA256);
+
+        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
+        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
+
+        return 1;
+      } else if (domain == target && type == QType::DNSKEY) {
+
+        setLWResult(res, 0, true, false, true);
+
+        addDNSKEY(keys, domain, 300, res->d_records);
+        addRRSIG(keys, res->d_records, domain, 300);
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  /* 13 NS + 1 RRSIG */
+  BOOST_REQUIRE_EQUAL(ret.size(), 14);
+  BOOST_CHECK_EQUAL(queriesCount, 2);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 14);
+  BOOST_CHECK_EQUAL(queriesCount, 2);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_bogus_unsigned_ds) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("com.");
+  const ComboAddress targetAddr("192.0.2.42");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::RSASHA512, DNSSECKeeper::SHA384, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      DNSName auth = domain;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys) == 0) {
+          return 0;
+        }
+
+        if (type == QType::DS && domain == target) {
+          /* remove the last record, which is the DS's RRSIG */
+          res->d_records.pop_back();
+        }
+
+        return 1;
+      }
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+        /* Include the DS but omit the RRSIG*/
+        addDS(DNSName("com."), 300, res->d_records, keys);
+        addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      }
+
+      if (ip == ComboAddress("192.0.2.1:53")) {
+        setLWResult(res, RCode::NoError, true, false, true);
+        addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
+        addRRSIG(keys, res->d_records, auth, 300);
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK_EQUAL(queriesCount, 4);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK_EQUAL(queriesCount, 4);
+
+  /* now we ask directly for the DS */
+  ret.clear();
+  res = sr->beginResolve(DNSName("com."), QType(QType::DS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK_EQUAL(queriesCount, 4);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_bogus_unsigned_ds_direct) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::RSASHA512, DNSSECKeeper::SHA384, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      DNSName auth = domain;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys) == 0) {
+          return 0;
+        }
+
+        if (type == QType::DS && domain == target) {
+          /* remove the last record, which is the DS's RRSIG */
+          res->d_records.pop_back();
+        }
+
+        return 1;
+      }
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+        /* Include the DS but omit the RRSIG*/
+        addDS(DNSName("com."), 300, res->d_records, keys);
+        addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(DNSName("com."), QType(QType::DS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+}
+
+BOOST_AUTO_TEST_SUITE_END()
diff --git a/pdns/recursordist/test-syncres_cc5.cc b/pdns/recursordist/test-syncres_cc5.cc
new file mode 100644
index 000000000000..512f664d7cc3
--- /dev/null
+++ b/pdns/recursordist/test-syncres_cc5.cc
@@ -0,0 +1,1520 @@
+#define BOOST_TEST_DYN_LINK
+#include <boost/test/unit_test.hpp>
+
+#include "test-syncres_cc.hh"
+
+BOOST_AUTO_TEST_SUITE(syncres_cc5)
+
+BOOST_AUTO_TEST_CASE(test_dnssec_secure_various_algos) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("powerdns.com.");
+  const ComboAddress targetAddr("192.0.2.42");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::RSASHA512, DNSSECKeeper::SHA384, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA384, DNSSECKeeper::SHA384, keys);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      DNSName auth = domain;
+      if (domain == target) {
+        auth = DNSName("powerdns.com.");
+      }
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
+      }
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+        addDS(DNSName("com."), 300, res->d_records, keys);
+        addRRSIG(keys, res->d_records, DNSName("."), 300);
+        addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      }
+
+      if (ip == ComboAddress("192.0.2.1:53")) {
+        if (domain == DNSName("com.")) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+          addRRSIG(keys, res->d_records, domain, 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          addRRSIG(keys, res->d_records, domain, 300);
+        }
+        else {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, auth, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(auth, 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+        }
+        return 1;
+      }
+
+      if (ip == ComboAddress("192.0.2.2:53")) {
+        if (type == QType::NS) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+          addRRSIG(keys, res->d_records, auth, 300);
+          addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          addRRSIG(keys, res->d_records, auth, 300);
+        }
+        else {
+          setLWResult(res, RCode::NoError, true, false, true);
+          addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
+          addRRSIG(keys, res->d_records, auth, 300);
+        }
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK_EQUAL(queriesCount, 8);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK_EQUAL(queriesCount, 8);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_secure_a_then_ns) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("powerdns.com.");
+  const ComboAddress targetAddr("192.0.2.42");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      DNSName auth = domain;
+      if (domain == target) {
+        auth = DNSName("powerdns.com.");
+      }
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
+      }
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+        addDS(DNSName("com."), 300, res->d_records, keys);
+        addRRSIG(keys, res->d_records, DNSName("."), 300);
+        addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      }
+
+      if (ip == ComboAddress("192.0.2.1:53")) {
+        if (domain == DNSName("com.")) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+          addRRSIG(keys, res->d_records, domain, 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          addRRSIG(keys, res->d_records, domain, 300);
+        }
+        else {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, auth, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(auth, 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+        }
+        return 1;
+      }
+
+      if (ip == ComboAddress("192.0.2.2:53")) {
+        if (type == QType::NS) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+          addRRSIG(keys, res->d_records, auth, 300);
+          addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          addRRSIG(keys, res->d_records, auth, 300);
+        }
+        else {
+          setLWResult(res, RCode::NoError, true, false, true);
+          addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
+          addRRSIG(keys, res->d_records, auth, 300);
+        }
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK_EQUAL(queriesCount, 8);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK_EQUAL(queriesCount, 8);
+
+  /* this time we ask for the NS that should be in the cache, to check
+     the validation status */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK_EQUAL(queriesCount, 9);
+
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_insecure_a_then_ns) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("powerdns.com.");
+  const ComboAddress targetAddr("192.0.2.42");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      DNSName auth = domain;
+      if (domain == target) {
+        auth = DNSName("powerdns.com.");
+      }
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
+      }
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+        addDS(DNSName("com."), 300, res->d_records, keys);
+        addRRSIG(keys, res->d_records, DNSName("."), 300);
+        addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      }
+
+      if (ip == ComboAddress("192.0.2.1:53")) {
+        if (domain == DNSName("com.")) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+          addRRSIG(keys, res->d_records, domain, 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          addRRSIG(keys, res->d_records, domain, 300);
+        }
+        else {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, auth, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+          /* no DS */
+          addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+        }
+        return 1;
+      }
+
+      if (ip == ComboAddress("192.0.2.2:53")) {
+        if (type == QType::NS) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+          addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+        }
+        else {
+          setLWResult(res, RCode::NoError, true, false, true);
+          addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
+        }
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK_EQUAL(queriesCount, 7);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK_EQUAL(queriesCount, 7);
+
+  /* this time we ask for the NS that should be in the cache, to check
+     the validation status */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK_EQUAL(queriesCount, 8);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_secure_with_nta) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("powerdns.com.");
+  const ComboAddress targetAddr("192.0.2.42");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  /* Add a NTA for "powerdns.com" */
+  luaconfsCopy.negAnchors[target] = "NTA for PowerDNS.com";
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      DNSName auth = domain;
+      if (domain == target) {
+        auth = DNSName("powerdns.com.");
+      }
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
+      }
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+        addDS(DNSName("com."), 300, res->d_records, keys);
+        addRRSIG(keys, res->d_records, DNSName("."), 300);
+        addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      }
+
+      if (ip == ComboAddress("192.0.2.1:53")) {
+        if (domain == DNSName("com.")) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+          addRRSIG(keys, res->d_records, domain, 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          addRRSIG(keys, res->d_records, domain, 300);
+        }
+        else {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, auth, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(auth, 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+        }
+        return 1;
+      }
+
+      if (ip == ComboAddress("192.0.2.2:53")) {
+        if (type == QType::NS) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+          addRRSIG(keys, res->d_records, auth, 300);
+          addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          addRRSIG(keys, res->d_records, auth, 300);
+        }
+        else {
+          setLWResult(res, RCode::NoError, true, false, true);
+          addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
+          addRRSIG(keys, res->d_records, auth, 300);
+        }
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  /* Should be insecure because of the NTA */
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK_EQUAL(queriesCount, 5);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  /* Should be insecure because of the NTA */
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK_EQUAL(queriesCount, 5);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_bogus_with_nta) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("powerdns.com.");
+  const ComboAddress targetAddr("192.0.2.42");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  /* Add a NTA for "powerdns.com" */
+  luaconfsCopy.negAnchors[target] = "NTA for PowerDNS.com";
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        setLWResult(res, 0, true, false, true);
+        addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+        return 1;
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          else {
+            setLWResult(res, 0, false, false, true);
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.2:53")) {
+          if (type == QType::NS) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          else {
+            setLWResult(res, RCode::NoError, true, false, true);
+            addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
+          }
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  /* There is TA for root but no DS/DNSKEY/RRSIG, should be Bogus, but.. */
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  /* Should be insecure because of the NTA */
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK_EQUAL(queriesCount, 4);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK_EQUAL(queriesCount, 4);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("powerdns.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(DNSName("com."), 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+            addRRSIG(keys, res->d_records, domain, 300);
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+            addRRSIG(keys, res->d_records, domain, 300);
+          }
+          else {
+            setLWResult(res, 0, false, false, true);
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            addDS(domain, 300, res->d_records, keys);
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.2:53")) {
+          if (type == QType::NS) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+            addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+            addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+          }
+          else {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+            addRRSIG(keys, res->d_records, domain, 300);
+            addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS, QType::DNSKEY }, 600, res->d_records);
+            addRRSIG(keys, res->d_records, domain, 300);
+          }
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 4);
+  BOOST_CHECK_EQUAL(queriesCount, 8);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 4);
+  BOOST_CHECK_EQUAL(queriesCount, 8);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_nxdomain_nsec) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("nx.powerdns.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      DNSName auth = domain;
+      if (domain == target) {
+        auth = DNSName("powerdns.com.");
+      }
+      if (type == QType::DS || type == QType::DNSKEY) {
+        if (type == QType::DS && domain == target) {
+          setLWResult(res, RCode::NXDomain, true, false, true);
+          addRecordToLW(res, DNSName("powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          addRRSIG(keys, res->d_records, auth, 300);
+          addNSECRecordToLW(DNSName("nw.powerdns.com."), DNSName("ny.powerdns.com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, auth, 300);
+          return 1;
+        }
+        else {
+          return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
+        }
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(DNSName("com."), 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+            addRRSIG(keys, res->d_records, domain, 300);
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+            addRRSIG(keys, res->d_records, domain, 300);
+          }
+          else {
+            setLWResult(res, 0, false, false, true);
+            addRecordToLW(res, auth, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            addDS(auth, 300, res->d_records, keys);
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.2:53")) {
+          if (type == QType::NS) {
+            setLWResult(res, 0, true, false, true);
+            if (domain == DNSName("powerdns.com.")) {
+              addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+              addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+            }
+            else {
+              addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+              addNSECRecordToLW(DNSName("nx.powerdns.com."), DNSName("nz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+            }
+          }
+          else {
+            setLWResult(res, RCode::NXDomain, true, false, true);
+            addRecordToLW(res, DNSName("powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+            addRRSIG(keys, res->d_records, auth, 300);
+            addNSECRecordToLW(DNSName("nw.powerdns.com."), DNSName("ny.powerdns.com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records);
+            addRRSIG(keys, res->d_records, auth, 300);
+            /* add wildcard denial */
+            addNSECRecordToLW(DNSName("powerdns.com."), DNSName("a.powerdns.com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records);
+            addRRSIG(keys, res->d_records, auth, 300);
+          }
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 6);
+  BOOST_CHECK_EQUAL(queriesCount, 9);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 6);
+  BOOST_CHECK_EQUAL(queriesCount, 9);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_wildcard) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("www.powerdns.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        if (type == QType::DS && domain == target) {
+          setLWResult(res, RCode::NoError, true, false, true);
+          addRecordToLW(res, DNSName("powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
+          addNSECRecordToLW(DNSName("www.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+          return 1;
+        }
+        else {
+          return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+        }
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(DNSName("com."), 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+            addRRSIG(keys, res->d_records, domain, 300);
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+            addRRSIG(keys, res->d_records, domain, 300);
+          }
+          else {
+            setLWResult(res, 0, false, false, true);
+            addRecordToLW(res, "powerdns.com.", QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            addDS(DNSName("powerdns.com."), 300, res->d_records, keys);
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.2:53")) {
+          setLWResult(res, 0, true, false, true);
+          if (type == QType::NS) {
+            if (domain == DNSName("powerdns.com.")) {
+              addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+              addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+            }
+            else {
+              addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+              addNSECRecordToLW(DNSName("www.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+            }
+          }
+          else {
+            addRecordToLW(res, domain, QType::A, "192.0.2.42");
+            addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
+            /* we need to add the proof that this name does not exist, so the wildcard may apply */
+            addNSECRecordToLW(DNSName("a.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+            addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+          }
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 4);
+  BOOST_CHECK_EQUAL(queriesCount, 9);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 4);
+  BOOST_CHECK_EQUAL(queriesCount, 9);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_nodata_nowildcard) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("www.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        if (type == QType::DS && domain == target) {
+          DNSName auth("com.");
+          setLWResult(res, 0, true, false, true);
+
+          addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+          addRRSIG(keys, res->d_records, auth, 300);
+          /* add a NSEC denying the DS AND the existence of a cut (no NS) */
+          addNSECRecordToLW(domain, DNSName("z") + domain, { QType::NSEC }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, auth, 300);
+          return 1;
+        }
+        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(DNSName("com."), 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          setLWResult(res, 0, true, false, true);
+          /* no data */
+          addRecordToLW(res, DNSName("com."), QType::SOA, "com. com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          /* no record for this name */
+          addNSECRecordToLW(DNSName("wwv.com."), DNSName("wwx.com."), { QType::NSEC, QType::RRSIG }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          /* a wildcard matches but has no record for this type */
+          addNSECRecordToLW(DNSName("*.com."), DNSName("com."), { QType::AAAA, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("com"), 300, false, boost::none, DNSName("*.com"));
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 6);
+  BOOST_CHECK_EQUAL(queriesCount, 6);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 6);
+  BOOST_CHECK_EQUAL(queriesCount, 6);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_nodata_nowildcard) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("www.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        if (type == QType::DS && domain == target) {
+          DNSName auth("com.");
+          setLWResult(res, 0, true, false, true);
+
+          addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+          addRRSIG(keys, res->d_records, auth, 300);
+          /* add a NSEC3 denying the DS AND the existence of a cut (no NS) */
+          /* first the closest encloser */
+          addNSEC3UnhashedRecordToLW(DNSName("com."), auth, "whatever", { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, auth, 300);
+          /* then the next closer */
+          addNSEC3NarrowRecordToLW(domain, DNSName("com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, auth, 300);
+          /* a wildcard matches but has no record for this type */
+          addNSEC3UnhashedRecordToLW(DNSName("*.com."), DNSName("com."), "whatever", { QType::AAAA, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("com"), 300, false, boost::none, DNSName("*.com"));
+          return 1;
+        }
+        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(DNSName("com."), 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          setLWResult(res, 0, true, false, true);
+          /* no data */
+          addRecordToLW(res, DNSName("com."), QType::SOA, "com. com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          /* no record for this name */
+          /* first the closest encloser */
+          addNSEC3UnhashedRecordToLW(DNSName("com."), DNSName("com."), "whatever", { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          /* then the next closer */
+          addNSEC3NarrowRecordToLW(domain, DNSName("com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          /* a wildcard matches but has no record for this type */
+          addNSEC3UnhashedRecordToLW(DNSName("*.com."), DNSName("com."), "whatever", { QType::AAAA, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("com"), 300, false, boost::none, DNSName("*.com"));
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 8);
+  BOOST_CHECK_EQUAL(queriesCount, 6);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 8);
+  BOOST_CHECK_EQUAL(queriesCount, 6);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_nodata_nowildcard_too_many_iterations) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("www.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        if (type == QType::DS && domain == target) {
+          DNSName auth("com.");
+          setLWResult(res, 0, true, false, true);
+
+          addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+          addRRSIG(keys, res->d_records, auth, 300);
+          /* add a NSEC3 denying the DS AND the existence of a cut (no NS) */
+          /* first the closest encloser */
+          addNSEC3UnhashedRecordToLW(DNSName("com."), auth, "whatever", { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records, g_maxNSEC3Iterations + 100);
+          addRRSIG(keys, res->d_records, auth, 300);
+          /* then the next closer */
+          addNSEC3NarrowRecordToLW(domain, DNSName("com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records, g_maxNSEC3Iterations + 100);
+          addRRSIG(keys, res->d_records, auth, 300);
+          /* a wildcard matches but has no record for this type */
+          addNSEC3UnhashedRecordToLW(DNSName("*.com."), DNSName("com."), "whatever", { QType::AAAA, QType::NSEC, QType::RRSIG }, 600, res->d_records, g_maxNSEC3Iterations + 100);
+          addRRSIG(keys, res->d_records, DNSName("com"), 300, false, boost::none, DNSName("*.com"));
+          return 1;
+        }
+        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(DNSName("com."), 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          setLWResult(res, 0, true, false, true);
+          /* no data */
+          addRecordToLW(res, DNSName("com."), QType::SOA, "com. com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          /* no record for this name */
+          /* first the closest encloser */
+          addNSEC3UnhashedRecordToLW(DNSName("com."), DNSName("com."), "whatever", { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records, g_maxNSEC3Iterations + 100);
+          addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          /* then the next closer */
+          addNSEC3NarrowRecordToLW(domain, DNSName("com."), { QType::RRSIG, QType::NSEC }, 600, res->d_records, g_maxNSEC3Iterations + 100);
+          addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          /* a wildcard matches but has no record for this type */
+          addNSEC3UnhashedRecordToLW(DNSName("*.com."), DNSName("com."), "whatever", { QType::AAAA, QType::NSEC, QType::RRSIG }, 600, res->d_records, g_maxNSEC3Iterations + 100);
+          addRRSIG(keys, res->d_records, DNSName("com"), 300, false, boost::none, DNSName("*.com"));
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  /* we are generating NSEC3 with more iterations than we allow, so we should go Insecure */
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 8);
+  BOOST_CHECK_EQUAL(queriesCount, 6);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 8);
+  BOOST_CHECK_EQUAL(queriesCount, 6);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_wildcard) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("www.sub.powerdns.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        if (type == QType::DS && domain.isPartOf(DNSName("sub.powerdns.com"))) {
+          setLWResult(res, RCode::NoError, true, false, true);
+          addRecordToLW(res, DNSName("powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
+          if (domain == DNSName("sub.powerdns.com")) {
+            addNSECRecordToLW(DNSName("sub.powerdns.com."), DNSName("sud.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+          }
+          else if (domain == target) {
+            addNSECRecordToLW(DNSName("www.sub.powerdns.com."), DNSName("wwz.sub.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+          }
+          addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+          return 1;
+        }
+        else {
+          return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+        }
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(DNSName("com."), 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+            addRRSIG(keys, res->d_records, domain, 300);
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+            addRRSIG(keys, res->d_records, domain, 300);
+          }
+          else {
+            setLWResult(res, 0, false, false, true);
+            addRecordToLW(res, "powerdns.com.", QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            addDS(DNSName("powerdns.com."), 300, res->d_records, keys);
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.2:53")) {
+          setLWResult(res, 0, true, false, true);
+          if (type == QType::NS) {
+            if (domain == DNSName("powerdns.com.")) {
+              addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+              addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+            }
+            else {
+              addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+              addNSECRecordToLW(DNSName("www.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+            }
+          }
+          else {
+            addRecordToLW(res, domain, QType::A, "192.0.2.42");
+            addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
+            /* we need to add the proof that this name does not exist, so the wildcard may apply */
+            /* first the closest encloser */
+            addNSEC3UnhashedRecordToLW(DNSName("powerdns.com."), DNSName("powerdns.com."), "whatever", { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records);
+            addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
+            /* then the next closer */
+            addNSEC3NarrowRecordToLW(DNSName("sub.powerdns.com."), DNSName("powerdns.com."), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records);
+            addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
+          }
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 6);
+  BOOST_CHECK_EQUAL(queriesCount, 10);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 6);
+  BOOST_CHECK_EQUAL(queriesCount, 10);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec3_wildcard_too_many_iterations) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("www.powerdns.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        if (type == QType::DS && domain == target) {
+          setLWResult(res, RCode::NoError, true, false, true);
+          addRecordToLW(res, DNSName("powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
+          addNSECRecordToLW(DNSName("www.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+          return 1;
+        }
+        else {
+          return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+        }
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(DNSName("com."), 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+            addRRSIG(keys, res->d_records, domain, 300);
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+            addRRSIG(keys, res->d_records, domain, 300);
+          }
+          else {
+            setLWResult(res, 0, false, false, true);
+            addRecordToLW(res, "powerdns.com.", QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            addDS(DNSName("powerdns.com."), 300, res->d_records, keys);
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.2:53")) {
+          setLWResult(res, 0, true, false, true);
+          if (type == QType::NS) {
+            if (domain == DNSName("powerdns.com.")) {
+              addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+              addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+            }
+            else {
+              addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+              addNSECRecordToLW(DNSName("www.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+            }
+          }
+          else {
+            addRecordToLW(res, domain, QType::A, "192.0.2.42");
+            addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
+            /* we need to add the proof that this name does not exist, so the wildcard may apply */
+            /* first the closest encloser */
+            addNSEC3UnhashedRecordToLW(DNSName("powerdns.com."), DNSName("powerdns.com."), "whatever", { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records);
+            addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
+            /* then the next closer */
+            addNSEC3NarrowRecordToLW(DNSName("www.powerdns.com."), DNSName("powerdns.com."), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, res->d_records, g_maxNSEC3Iterations + 100);
+            addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
+          }
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  /* the NSEC3 providing the denial of existence proof for the next closer has too many iterations,
+     we should end up Insecure */
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 6);
+  BOOST_CHECK_EQUAL(queriesCount, 9);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 6);
+  BOOST_CHECK_EQUAL(queriesCount, 9);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_wildcard_missing) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("www.powerdns.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        if (type == QType::DS && domain == target) {
+          setLWResult(res, RCode::NoError, true, false, true);
+          addRecordToLW(res, DNSName("powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
+          addNSECRecordToLW(DNSName("www.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+          return 1;
+        }
+        else {
+          return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+        }
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(DNSName("com."), 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+            addRRSIG(keys, res->d_records, domain, 300);
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+            addRRSIG(keys, res->d_records, domain, 300);
+          }
+          else {
+            setLWResult(res, 0, false, false, true);
+            addRecordToLW(res, "powerdns.com.", QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            addDS(DNSName("powerdns.com."), 300, res->d_records, keys);
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.2:53")) {
+          setLWResult(res, 0, true, false, true);
+          if (type == QType::NS) {
+            if (domain == DNSName("powerdns.com.")) {
+              addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+              addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+            }
+            else {
+              addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+              addNSECRecordToLW(DNSName("www.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+            }
+          }
+          else {
+            addRecordToLW(res, domain, QType::A, "192.0.2.42");
+            addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
+          }
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK_EQUAL(queriesCount, 9);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK_EQUAL(queriesCount, 9);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_wildcard_expanded_onto_itself) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("*.powerdns.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  sr->setAsyncCallback([target,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+    if (type == QType::DS || type == QType::DNSKEY) {
+      if (domain == target) {
+        const auto auth = DNSName("powerdns.com.");
+        /* we don't want a cut there */
+        setLWResult(res, 0, true, false, true);
+        addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+        addRRSIG(keys, res->d_records, auth, 300);
+        /* add a NSEC denying the DS */
+        std::set<uint16_t> types = { QType::NSEC };
+        addNSECRecordToLW(domain, DNSName("z") + domain, types, 600, res->d_records);
+        addRRSIG(keys, res->d_records, auth, 300);
+        return 1;
+      }
+      return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+    }
+    else {
+      setLWResult(res, 0, true, false, true);
+      addRecordToLW(res, domain, QType::A, "192.0.2.42");
+      addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300, false, boost::none, DNSName("*.powerdns.com"));
+      /* we don't _really_ need to add the proof that the exact name does not exist because it does,
+         it's the wildcard itself, but let's do it so other validators don't choke on it */
+      addNSECRecordToLW(DNSName("*.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+      addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
+      return 1;
+    }
+  });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  /* A + RRSIG, NSEC + RRSIG */
+  BOOST_REQUIRE_EQUAL(ret.size(), 4);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_wildcard_like_expanded_from_wildcard) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("*.sub.powerdns.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  sr->setAsyncCallback([target,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+    if (type == QType::DS || type == QType::DNSKEY) {
+      if (domain == target) {
+        const auto auth = DNSName("powerdns.com.");
+        /* we don't want a cut there */
+        setLWResult(res, 0, true, false, true);
+        addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+        addRRSIG(keys, res->d_records, auth, 300);
+        addNSECRecordToLW(DNSName("*.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+        addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
+        return 1;
+      }
+      else if (domain == DNSName("sub.powerdns.com.")) {
+        const auto auth = DNSName("powerdns.com.");
+        /* we don't want a cut there */
+        setLWResult(res, 0, true, false, true);
+        addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+        addRRSIG(keys, res->d_records, auth, 300);
+        /* add a NSEC denying the DS */
+        addNSECRecordToLW(DNSName("*.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+        addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
+        return 1;
+      }
+      return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+    }
+    else {
+      setLWResult(res, 0, true, false, true);
+      addRecordToLW(res, domain, QType::A, "192.0.2.42");
+      addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300, false, boost::none, DNSName("*.powerdns.com"));
+      addNSECRecordToLW(DNSName("*.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+      addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
+      return 1;
+    }
+  });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  /* A + RRSIG, NSEC + RRSIG */
+  BOOST_REQUIRE_EQUAL(ret.size(), 4);
+}
+
+BOOST_AUTO_TEST_SUITE_END()
diff --git a/pdns/recursordist/test-syncres_cc6.cc b/pdns/recursordist/test-syncres_cc6.cc
new file mode 100644
index 000000000000..7bb466afbbb7
--- /dev/null
+++ b/pdns/recursordist/test-syncres_cc6.cc
@@ -0,0 +1,993 @@
+#define BOOST_TEST_DYN_LINK
+#include <boost/test/unit_test.hpp>
+
+#include "test-syncres_cc.hh"
+
+BOOST_AUTO_TEST_SUITE(syncres_cc6)
+
+BOOST_AUTO_TEST_CASE(test_dnssec_no_ds_on_referral_secure) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("www.powerdns.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+  size_t dsQueriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,&dsQueriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS) {
+        DNSName auth(domain);
+        auth.chopOff();
+        dsQueriesCount++;
+
+        setLWResult(res, 0, true, false, true);
+        addDS(domain, 300, res->d_records, keys, DNSResourceRecord::ANSWER);
+        addRRSIG(keys, res->d_records, auth, 300);
+        return 1;
+      }
+      else if (type == QType::DNSKEY) {
+        setLWResult(res, 0, true, false, true);
+        addDNSKEY(keys, domain, 300, res->d_records);
+        addRRSIG(keys, res->d_records, domain, 300);
+        return 1;
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          /* No DS on referral, and no denial of the DS either */
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+            addRRSIG(keys, res->d_records, domain, 300);
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+            addRRSIG(keys, res->d_records, domain, 300);
+          }
+          else {
+            setLWResult(res, 0, false, false, true);
+            addRecordToLW(res, "powerdns.com.", QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+            /* No DS on referral, and no denial of the DS either */
+          }
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.2:53")) {
+          setLWResult(res, 0, true, false, true);
+          if (type == QType::NS) {
+            if (domain == DNSName("powerdns.com.")) {
+              addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+              addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+            }
+            else {
+              addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+              addNSECRecordToLW(DNSName("www.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+              addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+            }
+          }
+          else {
+            addRecordToLW(res, domain, QType::A, "192.0.2.42");
+            addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+          }
+
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK_EQUAL(queriesCount, 9);
+  BOOST_CHECK_EQUAL(dsQueriesCount, 3);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK_EQUAL(queriesCount, 9);
+  BOOST_CHECK_EQUAL(dsQueriesCount, 3);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_ds_sign_loop) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("www.powerdns.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("www.powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS) {
+        DNSName auth(domain);
+        auth.chopOff();
+
+        setLWResult(res, 0, true, false, true);
+        if (domain == target) {
+          addRecordToLW(res, domain, QType::SOA, "ns1.powerdns.com. blah. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+          addRRSIG(keys, res->d_records, target, 300);
+        }
+        else {
+          addDS(domain, 300, res->d_records, keys, DNSResourceRecord::ANSWER);
+          addRRSIG(keys, res->d_records, auth, 300);
+        }
+        return 1;
+      }
+      else if (type == QType::DNSKEY) {
+        setLWResult(res, 0, true, false, true);
+        addDNSKEY(keys, domain, 300, res->d_records);
+        addRRSIG(keys, res->d_records, domain, 300);
+        return 1;
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          addDS(DNSName("com."), 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+            addRRSIG(keys, res->d_records, domain, 300);
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+            addRRSIG(keys, res->d_records, domain, 300);
+          }
+          else {
+            setLWResult(res, 0, false, false, true);
+            addRecordToLW(res, "powerdns.com.", QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            /* no DS */
+            addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS }, 600, res->d_records);
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.2:53")) {
+          if (type == QType::NS) {
+            if (domain == DNSName("powerdns.com.")) {
+              setLWResult(res, RCode::Refused, false, false, true);
+            }
+            else {
+              setLWResult(res, 0, true, false, true);
+              addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+              addRRSIG(keys, res->d_records, domain, 300);
+              addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+              addRRSIG(keys, res->d_records, domain, 300);
+            }
+          }
+          else {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::A, "192.0.2.42");
+            addRRSIG(keys, res->d_records, DNSName("www.powerdns.com"), 300);
+          }
+
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK_EQUAL(queriesCount, 9);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK_EQUAL(queriesCount, 9);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_dnskey_signed_child) {
+  /* check that we don't accept a signer below us */
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("www.powerdns.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("www.powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("sub.www.powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS) {
+        DNSName auth(domain);
+        auth.chopOff();
+
+        setLWResult(res, 0, true, false, true);
+        if (domain == target) {
+          addRecordToLW(res, domain, QType::SOA, "ns1.powerdns.com. blah. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+          addRRSIG(keys, res->d_records, target, 300);
+        }
+        else {
+          addDS(domain, 300, res->d_records, keys, DNSResourceRecord::ANSWER);
+          addRRSIG(keys, res->d_records, auth, 300);
+        }
+        return 1;
+      }
+      else if (type == QType::DNSKEY) {
+        setLWResult(res, 0, true, false, true);
+        addDNSKEY(keys, domain, 300, res->d_records);
+        if (domain == DNSName("www.powerdns.com.")) {
+          addRRSIG(keys, res->d_records, DNSName("sub.www.powerdns.com."), 300);
+        }
+        else {
+          addRRSIG(keys, res->d_records, domain, 300);
+        }
+        return 1;
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          addDS(DNSName("com."), 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+            addRRSIG(keys, res->d_records, domain, 300);
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+            addRRSIG(keys, res->d_records, domain, 300);
+          }
+          else {
+            setLWResult(res, 0, false, false, true);
+            addRecordToLW(res, "powerdns.com.", QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            addDS(DNSName("powerdns.com."), 300, res->d_records, keys);
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.2:53")) {
+          if (type == QType::NS) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+            addRRSIG(keys, res->d_records, domain, 300);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+            addRRSIG(keys, res->d_records, domain, 300);
+          }
+          else {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::A, "192.0.2.42");
+            addRRSIG(keys, res->d_records, domain, 300);
+          }
+
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK_EQUAL(queriesCount, 9);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK_EQUAL(queriesCount, 9);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_no_ds_on_referral_insecure) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("www.powerdns.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+  size_t dsQueriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,&dsQueriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS) {
+        DNSName auth(domain);
+        auth.chopOff();
+        dsQueriesCount++;
+
+        setLWResult(res, 0, true, false, true);
+        if (domain == DNSName("com.")) {
+          addDS(domain, 300, res->d_records, keys, DNSResourceRecord::ANSWER);
+        }
+        else {
+          addRecordToLW(res, "com.", QType::SOA, "a.gtld-servers.com. hostmastercom. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          addNSECRecordToLW(domain, DNSName("powerdnt.com."), { QType::NS }, 600, res->d_records);
+        }
+        addRRSIG(keys, res->d_records, auth, 300);
+        return 1;
+      }
+      else if (type == QType::DNSKEY) {
+        setLWResult(res, 0, true, false, true);
+        addDNSKEY(keys, domain, 300, res->d_records);
+        addRRSIG(keys, res->d_records, domain, 300);
+        return 1;
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          /* No DS on referral, and no denial of the DS either */
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+            addRRSIG(keys, res->d_records, domain, 300);
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+            addRRSIG(keys, res->d_records, domain, 300);
+          }
+          else {
+            setLWResult(res, 0, false, false, true);
+            addRecordToLW(res, "powerdns.com.", QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+            /* No DS on referral, and no denial of the DS either */
+          }
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.2:53")) {
+          setLWResult(res, 0, true, false, true);
+          if (type == QType::NS) {
+            if (domain == DNSName("powerdns.com.")) {
+              addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+              addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+            }
+            else {
+              addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+            }
+          }
+          else {
+            addRecordToLW(res, domain, QType::A, "192.0.2.42");
+          }
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK_EQUAL(queriesCount, 7);
+  BOOST_CHECK_EQUAL(dsQueriesCount, 2);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK_EQUAL(queriesCount, 7);
+  BOOST_CHECK_EQUAL(dsQueriesCount, 2);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_bogus_unsigned_nsec) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("powerdns.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(DNSName("com."), 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, DNSName("com."), QType::NS, "a.gtld-servers.com.");
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          else {
+            setLWResult(res, 0, false, false, true);
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            addDS(domain, 300, res->d_records, keys);
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.2:53")) {
+          setLWResult(res, 0, true, false, true);
+          if (type == QType::NS) {
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+            addRRSIG(keys, res->d_records, domain, 300);
+          }
+          else {
+            addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+            addRRSIG(keys, res->d_records, domain, 300);
+            addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS, QType::DNSKEY }, 600, res->d_records);
+            /* NO RRSIG for the NSEC record! */
+          }
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  /* NSEC record without the corresponding RRSIG in a secure zone, should be Bogus! */
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_CHECK_EQUAL(ret.size(), 3);
+  BOOST_CHECK_EQUAL(queriesCount, 8);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 3);
+  BOOST_CHECK_EQUAL(queriesCount, 8);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_bogus_no_nsec) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("powerdns.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(DNSName("com."), 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, DNSName("com."), QType::NS, "a.gtld-servers.com.");
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          else {
+            setLWResult(res, 0, false, false, true);
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            addDS(domain, 300, res->d_records, keys);
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.2:53")) {
+          setLWResult(res, 0, true, false, true);
+          if (type == QType::NS) {
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+            addRRSIG(keys, res->d_records, domain, 300);
+          }
+          else {
+            addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+            addRRSIG(keys, res->d_records, domain, 300);
+
+            /* NO NSEC record! */
+          }
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  /* no NSEC record in a secure zone, should be Bogus! */
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_CHECK_EQUAL(ret.size(), 2);
+  BOOST_CHECK_EQUAL(queriesCount, 8);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK_EQUAL(queriesCount, 8);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("powerdns.com.");
+  const ComboAddress targetAddr("192.0.2.42");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS) {
+        if (domain == target) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          return 1;
+        } else {
+          return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+        }
+      }
+      else if (type == QType::DNSKEY) {
+        if (domain == g_rootdnsname || domain == DNSName("com.")) {
+          setLWResult(res, 0, true, false, true);
+          addDNSKEY(keys, domain, 300, res->d_records);
+          addRRSIG(keys, res->d_records, domain, 300);
+          return 1;
+        }
+        else {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          return 1;
+        }
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(DNSName("com."), 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, DNSName("com."), QType::NS, "a.gtld-servers.com.");
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          else {
+            setLWResult(res, 0, false, false, true);
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            /* no DS */
+            addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS }, 600, res->d_records);
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.2:53")) {
+          setLWResult(res, 0, true, false, true);
+          if (type == QType::NS) {
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+          }
+          else {
+            addRecordToLW(res, domain, QType::A, targetAddr.toString());
+          }
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  /* 4 NS: com at ., com at com, powerdns.com at com, powerdns.com at powerdns.com
+     4 DNSKEY: ., com (not for powerdns.com because DS denial in referral)
+     1 query for A */
+  BOOST_CHECK_EQUAL(queriesCount, 7);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(queriesCount, 7);
+}
+
+
+BOOST_AUTO_TEST_CASE(test_dnssec_secure_direct_ds) {
+  /*
+    Direct DS query:
+    - parent is secure, zone is secure: DS should be secure
+  */
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("powerdns.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(DNSName("com."), 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::DS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  for (const auto& record : ret) {
+    BOOST_CHECK(record.d_type == QType::DS || record.d_type == QType::RRSIG);
+  }
+  BOOST_CHECK_EQUAL(queriesCount, 4);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::DS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  for (const auto& record : ret) {
+    BOOST_CHECK(record.d_type == QType::DS || record.d_type == QType::RRSIG);
+  }
+  BOOST_CHECK_EQUAL(queriesCount, 4);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_insecure_direct_ds) {
+  /*
+    Direct DS query:
+    - parent is secure, zone is insecure: DS denial should be secure
+  */
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("powerdns.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(DNSName("com."), 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::DS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 4);
+  for (const auto& record : ret) {
+    BOOST_CHECK(record.d_type == QType::SOA || record.d_type == QType::NSEC || record.d_type == QType::RRSIG);
+  }
+  BOOST_CHECK_EQUAL(queriesCount, 4);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::DS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 4);
+  for (const auto& record : ret) {
+    BOOST_CHECK(record.d_type == QType::SOA || record.d_type == QType::NSEC || record.d_type == QType::RRSIG);
+  }
+  BOOST_CHECK_EQUAL(queriesCount, 4);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_skipped_cut) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("www.sub.powerdns.com.");
+  const ComboAddress targetAddr("192.0.2.42");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS) {
+        if (domain == DNSName("sub.powerdns.com.")) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
+          addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
+          return 1;
+        }
+        else if (domain == DNSName("www.sub.powerdns.com.")) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, DNSName("sub.powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          return 1;
+        }
+        else {
+          return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+        }
+      }
+      else if (type == QType::DNSKEY) {
+        if (domain == g_rootdnsname || domain == DNSName("com.") || domain == DNSName("powerdns.com.")) {
+          setLWResult(res, 0, true, false, true);
+          addDNSKEY(keys, domain, 300, res->d_records);
+          addRRSIG(keys, res->d_records, domain, 300);
+          return 1;
+        }
+        else {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          return 1;
+        }
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(DNSName("com."), 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, DNSName("com."), QType::NS, "a.gtld-servers.com.");
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          else {
+            setLWResult(res, 0, false, false, true);
+            addRecordToLW(res, DNSName("powerdns.com."), QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            addDS(DNSName("powerdns.com."), 300, res->d_records, keys);
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.2:53")) {
+          setLWResult(res, 0, true, false, true);
+          if (type == QType::NS) {
+            if (domain == DNSName("www.sub.powerdns.com.")) {
+              addRecordToLW(res, DNSName("sub.powerdns.com"), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+            }
+            else if (domain == DNSName("sub.powerdns.com.")) {
+              addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+            }
+            else if (domain == DNSName("powerdns.com.")) {
+              addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+              addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
+            }
+          } else {
+            addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
+          }
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(queriesCount, 9);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(queriesCount, 9);
+}
+
+BOOST_AUTO_TEST_SUITE_END()
diff --git a/pdns/recursordist/test-syncres_cc7.cc b/pdns/recursordist/test-syncres_cc7.cc
new file mode 100644
index 000000000000..59550b9280e9
--- /dev/null
+++ b/pdns/recursordist/test-syncres_cc7.cc
@@ -0,0 +1,1390 @@
+#define BOOST_TEST_DYN_LINK
+#include <boost/test/unit_test.hpp>
+
+#include "test-syncres_cc.hh"
+
+BOOST_AUTO_TEST_SUITE(syncres_cc7)
+
+BOOST_AUTO_TEST_CASE(test_dnssec_insecure_to_ta_skipped_cut) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("www.sub.powerdns.com.");
+  const ComboAddress targetAddr("192.0.2.42");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  /* No key material for .com */
+  /* But TA for sub.powerdns.com. */
+  generateKeyMaterial(DNSName("sub.powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  luaconfsCopy.dsAnchors[DNSName("sub.powerdns.com.")].insert(keys[DNSName("sub.powerdns.com.")].second);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS) {
+        if (domain == DNSName("www.sub.powerdns.com")) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, DNSName("sub.powerdns.com"), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com"), 300);
+          addNSECRecordToLW(DNSName("www.sub.powerdns.com"), DNSName("vww.sub.powerdns.com."), { QType::A }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com"), 300);
+        }
+        else {
+          setLWResult(res, 0, true, false, true);
+
+          if (domain == DNSName("com.")) {
+            addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+            /* no DS */
+            addNSECRecordToLW(DNSName("com."), DNSName("dom."), { QType::NS }, 600, res->d_records);
+            addRRSIG(keys, res->d_records, DNSName("."), 300);
+          }
+          else {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          }
+        }
+        return 1;
+      }
+      else if (type == QType::DNSKEY) {
+        if (domain == g_rootdnsname || domain == DNSName("sub.powerdns.com.")) {
+          setLWResult(res, 0, true, false, true);
+          addDNSKEY(keys, domain, 300, res->d_records);
+          addRRSIG(keys, res->d_records, domain, 300);
+          return 1;
+        }
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          /* no DS */
+          addNSECRecordToLW(DNSName("com."), DNSName("dom."), { QType::NS }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, DNSName("com."), QType::NS, "a.gtld-servers.com.");
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          else if (domain.isPartOf(DNSName("powerdns.com."))) {
+            setLWResult(res, 0, false, false, true);
+            addRecordToLW(res, DNSName("powerdns.com."), QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.2:53")) {
+          setLWResult(res, 0, true, false, true);
+          if (type == QType::NS) {
+            if (domain == DNSName("www.sub.powerdns.com.")) {
+              addRecordToLW(res, DNSName("sub.powerdns.com"), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+              addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com"), 300);
+              addNSECRecordToLW(DNSName("www.sub.powerdns.com"), DNSName("vww.sub.powerdns.com."), { QType::A }, 600, res->d_records);
+              addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com"), 300);
+            }
+            else if (domain == DNSName("sub.powerdns.com.")) {
+              addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+              addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com."), 300);
+            }
+            else if (domain == DNSName("powerdns.com.")) {
+              addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+            }
+          }
+          else if (domain == DNSName("www.sub.powerdns.com.")) {
+            addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
+            addRRSIG(keys, res->d_records, DNSName("sub.powerdns.com."), 300);
+          }
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(queriesCount, 8);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(queriesCount, 8);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_nodata) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("powerdns.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS) {
+        if (domain == target) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          return 1;
+        }
+        else {
+          return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+        }
+      }
+      else if (type == QType::DNSKEY) {
+        if (domain == g_rootdnsname || domain == DNSName("com.")) {
+          setLWResult(res, 0, true, false, true);
+          addDNSKEY(keys, domain, 300, res->d_records);
+          addRRSIG(keys, res->d_records, domain, 300);
+          return 1;
+        }
+        else {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          return 1;
+        }
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(DNSName("com."), 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          }
+          else {
+            setLWResult(res, 0, false, false, true);
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            /* no DS */
+            addNSECRecordToLW(domain, DNSName("z.powerdns.com."), { QType::NS }, 600, res->d_records);
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.2:53")) {
+          if (type == QType::NS) {
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          else {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          }
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  /* 4 NS (com from root, com from com, powerdns.com from com,
+     powerdns.com from powerdns.com)
+     2 DNSKEY (. and com., none for powerdns.com because no DS)
+     1 query for A
+  */
+  BOOST_CHECK_EQUAL(queriesCount, 7);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK_EQUAL(queriesCount, 7);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cname) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("powerdns.com.");
+  const DNSName targetCName("power-dns.com.");
+  const ComboAddress targetCNameAddr("192.0.2.42");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,targetCName,targetCNameAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS) {
+        if (domain == targetCName) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          return 1;
+        }
+        else {
+          return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+        }
+      }
+      else if (type == QType::DNSKEY) {
+        if (domain == g_rootdnsname || domain == DNSName("com.") || domain == DNSName("powerdns.com.")) {
+          setLWResult(res, 0, true, false, true);
+          addDNSKEY(keys, domain, 300, res->d_records);
+          addRRSIG(keys, res->d_records, domain, 300);
+          return 1;
+        }
+        else {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          return 1;
+        }
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(DNSName("com."), 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          setLWResult(res, 0, false, false, true);
+          if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          }
+          else {
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            if (domain == DNSName("powerdns.com.")) {
+              addDS(DNSName("powerdns.com."), 300, res->d_records, keys);
+            }
+            else if (domain == targetCName) {
+              addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records);
+            }
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.2:53")) {
+          setLWResult(res, 0, true, false, true);
+
+          if (type == QType::NS) {
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+            if (domain == DNSName("powerdns.com.")) {
+              addRRSIG(keys, res->d_records, domain, 300);
+            }
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+            if (domain == DNSName("powerdns.com.")) {
+              addRRSIG(keys, res->d_records, domain, 300);
+            }
+          }
+          else {
+            if (domain == DNSName("powerdns.com.")) {
+              addRecordToLW(res, domain, QType::CNAME, targetCName.toString());
+              addRRSIG(keys, res->d_records, domain, 300);
+            }
+            else if (domain == targetCName) {
+              addRecordToLW(res, domain, QType::A, targetCNameAddr.toString());
+            }
+          }
+
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 3);
+  BOOST_CHECK_EQUAL(queriesCount, 11);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 3);
+  BOOST_CHECK_EQUAL(queriesCount, 11);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cname_glue) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("powerdns.com.");
+  const DNSName targetCName1("cname.sub.powerdns.com.");
+  const DNSName targetCName2("cname2.sub.powerdns.com.");
+  const ComboAddress targetCName2Addr("192.0.2.42");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,targetCName1,targetCName2,targetCName2Addr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        if (domain == DNSName("sub.powerdns.com")) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          return 1;
+        }
+        else {
+          return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+        }
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(DNSName("com."), 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          setLWResult(res, 0, false, false, true);
+          if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          }
+          else {
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            if (domain == DNSName("powerdns.com.")) {
+              addDS(DNSName("powerdns.com."), 300, res->d_records, keys);
+            }
+            else if (domain == DNSName("sub.powerdns.com")) {
+              addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records);
+            }
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.2:53")) {
+          setLWResult(res, 0, true, false, true);
+
+          if (type == QType::NS) {
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+            if (domain == DNSName("powerdns.com.")) {
+              addRRSIG(keys, res->d_records, domain, 300);
+            }
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+            if (domain == DNSName("powerdns.com.")) {
+              addRRSIG(keys, res->d_records, domain, 300);
+            }
+          }
+          else {
+            if (domain == DNSName("powerdns.com.")) {
+              addRecordToLW(res, domain, QType::CNAME, targetCName1.toString());
+              addRRSIG(keys, res->d_records, domain, 300);
+              /* add the CNAME target as a glue, with no RRSIG since the sub zone is insecure */
+              addRecordToLW(res, targetCName1, QType::CNAME, targetCName2.toString());
+              addRecordToLW(res, targetCName2, QType::A, targetCName2Addr.toString());
+            }
+            else if (domain == targetCName1) {
+              addRecordToLW(res, domain, QType::CNAME, targetCName2.toString());
+            }
+            else if (domain == targetCName2) {
+              addRecordToLW(res, domain, QType::A, targetCName2Addr.toString());
+            }
+          }
+
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 4);
+  BOOST_CHECK_EQUAL(queriesCount, 11);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 4);
+  BOOST_CHECK_EQUAL(queriesCount, 11);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_insecure_to_secure_cname) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("power-dns.com.");
+  const DNSName targetCName("powerdns.com.");
+  const ComboAddress targetCNameAddr("192.0.2.42");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,targetCName,targetCNameAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS) {
+        if (domain == DNSName("power-dns.com.")) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          return 1;
+        }
+        else {
+          return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+        }
+      }
+      else if (type == QType::DNSKEY) {
+        if (domain == g_rootdnsname || domain == DNSName("com.") || domain == DNSName("powerdns.com.")) {
+          setLWResult(res, 0, true, false, true);
+          addDNSKEY(keys, domain, 300, res->d_records);
+          addRRSIG(keys, res->d_records, domain, 300);
+          return 1;
+        }
+        else {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          return 1;
+        }
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(DNSName("com."), 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          }
+          else if (domain == DNSName("powerdns.com.") || domain == DNSName("power-dns.com.")) {
+            setLWResult(res, 0, false, false, true);
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            if (domain == targetCName) {
+              addDS(DNSName("powerdns.com."), 300, res->d_records, keys);
+            }
+            else if (domain == target) {
+              addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records);
+            }
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.2:53")) {
+          setLWResult(res, 0, true, false, true);
+          if (type == QType::NS) {
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+            if (domain == DNSName("powerdns.com.")) {
+              addRRSIG(keys, res->d_records, domain, 300);
+            }
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+            if (domain == DNSName("powerdns.com.")) {
+              addRRSIG(keys, res->d_records, domain, 300);
+            }
+          }
+          else {
+            if (domain == target) {
+              addRecordToLW(res, domain, QType::CNAME, targetCName.toString());
+            }
+            else if (domain == targetCName) {
+              addRecordToLW(res, domain, QType::A, targetCNameAddr.toString());
+              addRRSIG(keys, res->d_records, domain, 300);
+            }
+          }
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 3);
+  BOOST_CHECK_EQUAL(queriesCount, 11);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 3);
+  BOOST_CHECK_EQUAL(queriesCount, 11);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_secure_cname) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("power-dns.com.");
+  const DNSName targetCName("powerdns.com.");
+  const ComboAddress targetCNameAddr("192.0.2.42");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("power-dns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,targetCName,targetCNameAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(DNSName("com."), 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          }
+          else if (domain == DNSName("powerdns.com.") || domain == DNSName("power-dns.com.")) {
+            setLWResult(res, 0, false, false, true);
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            addDS(DNSName(domain), 300, res->d_records, keys);
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.2:53")) {
+          setLWResult(res, 0, true, false, true);
+          if (type == QType::NS) {
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+            addRRSIG(keys, res->d_records, domain, 300);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+            addRRSIG(keys, res->d_records, domain, 300);
+          }
+          else {
+            if (domain == target) {
+              addRecordToLW(res, domain, QType::CNAME, targetCName.toString());
+              /* No RRSIG, leading to bogus */
+            }
+            else if (domain == targetCName) {
+              addRecordToLW(res, domain, QType::A, targetCNameAddr.toString());
+              addRRSIG(keys, res->d_records, domain, 300);
+            }
+          }
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 3);
+  BOOST_CHECK_EQUAL(queriesCount, 11);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 3);
+  BOOST_CHECK_EQUAL(queriesCount, 11);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_bogus_cname) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("power-dns.com.");
+  const DNSName targetCName("powerdns.com.");
+  const ComboAddress targetCNameAddr("192.0.2.42");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("power-dns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,targetCName,targetCNameAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(DNSName("com."), 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          }
+          else if (domain == DNSName("powerdns.com.") || domain == DNSName("power-dns.com.")) {
+            setLWResult(res, 0, false, false, true);
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            addDS(DNSName(domain), 300, res->d_records, keys);
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.2:53")) {
+          setLWResult(res, 0, true, false, true);
+          if (type == QType::NS) {
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+            addRRSIG(keys, res->d_records, domain, 300);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+            addRRSIG(keys, res->d_records, domain, 300);
+          }
+          else {
+            if (domain == target) {
+              addRecordToLW(res, domain, QType::CNAME, targetCName.toString());
+              addRRSIG(keys, res->d_records, domain, 300);
+            }
+            else if (domain == targetCName) {
+              addRecordToLW(res, domain, QType::A, targetCNameAddr.toString());
+              /* No RRSIG, leading to bogus */
+            }
+          }
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 3);
+  BOOST_CHECK_EQUAL(queriesCount, 11);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 3);
+  BOOST_CHECK_EQUAL(queriesCount, 11);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_secure_cname) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("power-dns.com.");
+  const DNSName targetCName("powerdns.com.");
+  const ComboAddress targetCNameAddr("192.0.2.42");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("power-dns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,targetCName,targetCNameAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(DNSName("com."), 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          }
+          else if (domain == DNSName("powerdns.com.") || domain == DNSName("power-dns.com.")) {
+            setLWResult(res, 0, false, false, true);
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            addDS(DNSName(domain), 300, res->d_records, keys);
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.2:53")) {
+          setLWResult(res, 0, true, false, true);
+          if (type == QType::NS) {
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+            addRRSIG(keys, res->d_records, domain, 300);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+            addRRSIG(keys, res->d_records, domain, 300);
+          }
+          else {
+            if (domain == target) {
+              addRecordToLW(res, domain, QType::CNAME, targetCName.toString());
+              addRRSIG(keys, res->d_records, domain, 300);
+            }
+            else if (domain == targetCName) {
+              addRecordToLW(res, domain, QType::A, targetCNameAddr.toString());
+              addRRSIG(keys, res->d_records, domain, 300);
+            }
+          }
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 4);
+  BOOST_CHECK_EQUAL(queriesCount, 12);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 4);
+  BOOST_CHECK_EQUAL(queriesCount, 12);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_insecure_cname) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("powerdns.com.");
+  const DNSName targetCName("power-dns.com.");
+  const ComboAddress targetCNameAddr("192.0.2.42");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  generateKeyMaterial(DNSName("power-dns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,targetCName,targetCNameAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS) {
+        if (domain == DNSName("power-dns.com.")) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          return 1;
+        }
+        else {
+          return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+        }
+      }
+      else if (type == QType::DNSKEY) {
+        if (domain == g_rootdnsname || domain == DNSName("com.") || domain == DNSName("powerdns.com.")) {
+          setLWResult(res, 0, true, false, true);
+          addDNSKEY(keys, domain, 300, res->d_records);
+          addRRSIG(keys, res->d_records, domain, 300);
+          return 1;
+        }
+        else {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          return 1;
+        }
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addDS(DNSName("com."), 300, res->d_records, keys);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+          }
+          else if (domain == DNSName("powerdns.com.") || domain == DNSName("power-dns.com.")) {
+            setLWResult(res, 0, false, false, true);
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            if (domain == DNSName("powerdns.com.")) {
+              addDS(DNSName("powerdns.com."), 300, res->d_records, keys);
+            }
+            else if (domain == targetCName) {
+              addNSECRecordToLW(domain, DNSName("z.power-dns.com."), { QType::NS }, 600, res->d_records);
+            }
+            addRRSIG(keys, res->d_records, DNSName("com."), 300);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.2:53")) {
+          setLWResult(res, 0, true, false, true);
+          if (type == QType::NS) {
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          else {
+            if (domain == DNSName("powerdns.com.")) {
+              addRecordToLW(res, domain, QType::CNAME, targetCName.toString());
+              /* No RRSIG -> Bogus */
+            }
+            else if (domain == targetCName) {
+              addRecordToLW(res, domain, QType::A, targetCNameAddr.toString());
+            }
+          }
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  /* no RRSIG to show */
+  BOOST_CHECK_EQUAL(ret.size(), 2);
+  BOOST_CHECK_EQUAL(queriesCount, 10);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_CHECK_EQUAL(ret.size(), 2);
+  BOOST_CHECK_EQUAL(queriesCount, 10);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("powerdns.com.");
+  const ComboAddress targetAddr("192.0.2.42");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  /* No key material for .com */
+  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  luaconfsCopy.dsAnchors[target].insert(keys[target].second);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DNSKEY) {
+        if (domain == g_rootdnsname || domain == DNSName("powerdns.com.")) {
+          setLWResult(res, 0, true, false, true);
+          addDNSKEY(keys, domain, 300, res->d_records);
+          addRRSIG(keys, res->d_records, domain, 300);
+          return 1;
+        }
+        else if (domain == DNSName("com.")) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::SOA, ". yop. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          return 1;
+        }
+      }
+      else {
+        if (isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addNSECRecordToLW(DNSName("com."), DNSName("com."), { QType::NS }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          if (target == domain) {
+            setLWResult(res, 0, false, false, true);
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          else if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.2:53")) {
+          setLWResult(res, 0, true, false, true);
+          if (type == QType::NS) {
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+          }
+          else {
+            addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
+          }
+          addRRSIG(keys, res->d_records, domain, 300);
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  /* should be insecure but we have a TA for powerdns.com. */
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  /* We got a RRSIG */
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(queriesCount, 5);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(queriesCount, 5);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta_norrsig) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("powerdns.com.");
+  const ComboAddress targetAddr("192.0.2.42");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  /* No key material for .com */
+  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  luaconfsCopy.dsAnchors[target].insert(keys[target].second);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,targetAddr,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DNSKEY) {
+        if (domain == g_rootdnsname || domain == DNSName("powerdns.com.")) {
+          setLWResult(res, 0, true, false, true);
+          addDNSKEY(keys, domain, 300, res->d_records);
+          addRRSIG(keys, res->d_records, domain, 300);
+          return 1;
+        }
+        else if (domain == DNSName("com.")) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, domain, QType::SOA, ". yop. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+          return 1;
+        }
+      }
+      else {
+        if (target.isPartOf(domain) && isRootServer(ip)) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.com.", DNSResourceRecord::AUTHORITY, 3600);
+          addNSECRecordToLW(DNSName("com."), DNSName("com."), { QType::NS }, 600, res->d_records);
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (ip == ComboAddress("192.0.2.1:53")) {
+          if (target == domain) {
+            setLWResult(res, 0, false, false, true);
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 3600);
+            addRecordToLW(res, "ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          else if (domain == DNSName("com.")) {
+            setLWResult(res, 0, true, false, true);
+            addRecordToLW(res, domain, QType::NS, "a.gtld-servers.com.");
+            addRecordToLW(res, "a.gtld-servers.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          }
+          return 1;
+        }
+        else if (domain == target && ip == ComboAddress("192.0.2.2:53")) {
+          setLWResult(res, 0, true, false, true);
+          if (type == QType::NS) {
+            addRecordToLW(res, domain, QType::NS, "ns1.powerdns.com.");
+          }
+          else {
+            addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
+          }
+          /* No RRSIG in a now (thanks to TA) Secure zone -> Bogus*/
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  /* should be insecure but we have a TA for powerdns.com., but no RRSIG so Bogus */
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  /* No RRSIG */
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(queriesCount, 4);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK(ret[0].d_type == QType::A);
+  BOOST_CHECK_EQUAL(queriesCount, 4);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_nta) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target(".");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  /* Add a NTA for "." */
+  luaconfsCopy.negAnchors[g_rootdnsname] = "NTA for Root";
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (domain == target && type == QType::NS) {
+
+        setLWResult(res, 0, true, false, true);
+        char addr[] = "a.root-servers.net.";
+        for (char idx = 'a'; idx <= 'm'; idx++) {
+          addr[0] = idx;
+          addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);
+        }
+
+        addRRSIG(keys, res->d_records, domain, 300);
+
+        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
+        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
+
+        return 1;
+      } else if (domain == target && type == QType::DNSKEY) {
+
+        setLWResult(res, 0, true, false, true);
+
+        /* No DNSKEY */
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  /* 13 NS + 1 RRSIG */
+  BOOST_REQUIRE_EQUAL(ret.size(), 14);
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 14);
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_no_ta) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target(".");
+  testkeysset_t keys;
+
+  /* Remove the root DS */
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (domain == target && type == QType::NS) {
+
+        setLWResult(res, 0, true, false, true);
+        char addr[] = "a.root-servers.net.";
+        for (char idx = 'a'; idx <= 'm'; idx++) {
+          addr[0] = idx;
+          addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);
+        }
+
+        addRecordToLW(res, "a.root-servers.net.", QType::A, "198.41.0.4", DNSResourceRecord::ADDITIONAL, 3600);
+        addRecordToLW(res, "a.root-servers.net.", QType::AAAA, "2001:503:ba3e::2:30", DNSResourceRecord::ADDITIONAL, 3600);
+
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  /* 13 NS + 0 RRSIG */
+  BOOST_REQUIRE_EQUAL(ret.size(), 13);
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 13);
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_bogus_nodata) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("powerdns.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+      }
+      else {
+
+        setLWResult(res, 0, true, false, true);
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 0);
+  /* com|NS, powerdns.com|NS, powerdns.com|A */
+  BOOST_CHECK_EQUAL(queriesCount, 3);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 0);
+  /* we don't store empty results */
+  BOOST_CHECK_EQUAL(queriesCount, 4);
+}
+
+BOOST_AUTO_TEST_SUITE_END()
diff --git a/pdns/recursordist/test-syncres_cc8.cc b/pdns/recursordist/test-syncres_cc8.cc
new file mode 100644
index 000000000000..9cdc28bacdcf
--- /dev/null
+++ b/pdns/recursordist/test-syncres_cc8.cc
@@ -0,0 +1,1035 @@
+#define BOOST_TEST_DYN_LINK
+#include <boost/test/unit_test.hpp>
+
+#include "test-syncres_cc.hh"
+
+BOOST_AUTO_TEST_SUITE(syncres_cc8)
+
+BOOST_AUTO_TEST_CASE(test_nsec_denial_nowrap) {
+  initSR();
+
+  testkeysset_t keys;
+  generateKeyMaterial(DNSName("example.org."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  vector<DNSRecord> records;
+
+  vector<shared_ptr<DNSRecordContent>> recordContents;
+  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
+
+  /*
+    No wrap test case:
+    a.example.org. -> d.example.org. denies the existence of b.example.org.
+   */
+  addNSECRecordToLW(DNSName("a.example.org."), DNSName("d.example.org"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
+  recordContents.push_back(records.at(0).d_content);
+  addRRSIG(keys, records, DNSName("example.org."), 300);
+  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
+  records.clear();
+
+  ContentSigPair pair;
+  pair.records = recordContents;
+  pair.signatures = signatureContents;
+  cspmap_t denialMap;
+  denialMap[std::make_pair(DNSName("a.example.org."), QType::NSEC)] = pair;
+
+  /* add wildcard denial */
+  recordContents.clear();
+  signatureContents.clear();
+  addNSECRecordToLW(DNSName("example.org."), DNSName("+.example.org"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
+  recordContents.push_back(records.at(0).d_content);
+  addRRSIG(keys, records, DNSName("example.org."), 300);
+  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
+  records.clear();
+
+  pair.records = recordContents;
+  pair.signatures = signatureContents;
+  denialMap[std::make_pair(DNSName("example.org."), QType::NSEC)] = pair;
+
+  dState denialState = getDenial(denialMap, DNSName("b.example.org."), QType::A, false, false);
+  BOOST_CHECK_EQUAL(denialState, NXDOMAIN);
+
+  denialState = getDenial(denialMap, DNSName("d.example.org."), QType::A, false, false);
+  /* let's check that d.example.org. is not denied by this proof */
+  BOOST_CHECK_EQUAL(denialState, NODATA);
+}
+
+BOOST_AUTO_TEST_CASE(test_nsec_denial_wrap_case_1) {
+  initSR();
+
+  testkeysset_t keys;
+  generateKeyMaterial(DNSName("example.org."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  vector<DNSRecord> records;
+
+  vector<shared_ptr<DNSRecordContent>> recordContents;
+  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
+
+  /*
+    Wrap case 1 test case:
+    z.example.org. -> b.example.org. denies the existence of a.example.org.
+   */
+  addNSECRecordToLW(DNSName("z.example.org."), DNSName("b.example.org"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
+  recordContents.push_back(records.at(0).d_content);
+  addRRSIG(keys, records, DNSName("example.org."), 300);
+  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
+  records.clear();
+
+  ContentSigPair pair;
+  pair.records = recordContents;
+  pair.signatures = signatureContents;
+  cspmap_t denialMap;
+  denialMap[std::make_pair(DNSName("z.example.org."), QType::NSEC)] = pair;
+
+  dState denialState = getDenial(denialMap, DNSName("a.example.org."), QType::A, false, false);
+  BOOST_CHECK_EQUAL(denialState, NXDOMAIN);
+
+  denialState = getDenial(denialMap, DNSName("d.example.org."), QType::A, false, false);
+  /* let's check that d.example.org. is not denied by this proof */
+  BOOST_CHECK_EQUAL(denialState, NODATA);
+}
+
+BOOST_AUTO_TEST_CASE(test_nsec_denial_wrap_case_2) {
+  initSR();
+
+  testkeysset_t keys;
+  generateKeyMaterial(DNSName("example.org."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  vector<DNSRecord> records;
+
+  vector<shared_ptr<DNSRecordContent>> recordContents;
+  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
+
+  /*
+    Wrap case 2 test case:
+    y.example.org. -> a.example.org. denies the existence of z.example.org.
+   */
+  addNSECRecordToLW(DNSName("y.example.org."), DNSName("a.example.org"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
+  recordContents.push_back(records.at(0).d_content);
+  addRRSIG(keys, records, DNSName("example.org."), 300);
+  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
+  records.clear();
+
+  ContentSigPair pair;
+  pair.records = recordContents;
+  pair.signatures = signatureContents;
+  cspmap_t denialMap;
+  denialMap[std::make_pair(DNSName("y.example.org."), QType::NSEC)] = pair;
+
+  dState denialState = getDenial(denialMap, DNSName("z.example.org."), QType::A, false, false);
+  BOOST_CHECK_EQUAL(denialState, NXDOMAIN);
+
+  denialState = getDenial(denialMap, DNSName("d.example.org."), QType::A, false, false);
+  /* let's check that d.example.org. is not denied by this proof */
+  BOOST_CHECK_EQUAL(denialState, NODATA);
+}
+
+BOOST_AUTO_TEST_CASE(test_nsec_denial_only_one_nsec) {
+  initSR();
+
+  testkeysset_t keys;
+  generateKeyMaterial(DNSName("example.org."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  vector<DNSRecord> records;
+
+  vector<shared_ptr<DNSRecordContent>> recordContents;
+  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
+
+  /*
+    Only one NSEC in the whole zone test case:
+    a.example.org. -> a.example.org. denies the existence of b.example.org.
+   */
+  addNSECRecordToLW(DNSName("a.example.org."), DNSName("a.example.org"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
+  recordContents.push_back(records.at(0).d_content);
+  addRRSIG(keys, records, DNSName("example.org."), 300);
+  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
+  records.clear();
+
+  ContentSigPair pair;
+  pair.records = recordContents;
+  pair.signatures = signatureContents;
+  cspmap_t denialMap;
+  denialMap[std::make_pair(DNSName("a.example.org."), QType::NSEC)] = pair;
+
+  dState denialState = getDenial(denialMap, DNSName("b.example.org."), QType::A, false, false);
+  BOOST_CHECK_EQUAL(denialState, NXDOMAIN);
+
+  denialState = getDenial(denialMap, DNSName("a.example.org."), QType::A, false, false);
+  /* let's check that d.example.org. is not denied by this proof */
+  BOOST_CHECK_EQUAL(denialState, NODATA);
+}
+
+BOOST_AUTO_TEST_CASE(test_nsec_root_nxd_denial) {
+  initSR();
+
+  testkeysset_t keys;
+  generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  vector<DNSRecord> records;
+
+  vector<shared_ptr<DNSRecordContent>> recordContents;
+  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
+
+  /*
+    The RRSIG from "." denies the existence of anything between a. and c.,
+    including b.
+  */
+  addNSECRecordToLW(DNSName("a."), DNSName("c."), { QType::NS }, 600, records);
+  recordContents.push_back(records.at(0).d_content);
+  addRRSIG(keys, records, DNSName("."), 300);
+  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
+  records.clear();
+
+  ContentSigPair pair;
+  pair.records = recordContents;
+  pair.signatures = signatureContents;
+  cspmap_t denialMap;
+  denialMap[std::make_pair(DNSName("a."), QType::NSEC)] = pair;
+
+  /* add wildcard denial */
+  recordContents.clear();
+  signatureContents.clear();
+  addNSECRecordToLW(DNSName("."), DNSName("+"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
+  recordContents.push_back(records.at(0).d_content);
+  addRRSIG(keys, records, DNSName("."), 300);
+  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
+  records.clear();
+
+  pair.records = recordContents;
+  pair.signatures = signatureContents;
+  denialMap[std::make_pair(DNSName("."), QType::NSEC)] = pair;
+
+  dState denialState = getDenial(denialMap, DNSName("b."), QType::A, false, false);
+  BOOST_CHECK_EQUAL(denialState, NXDOMAIN);
+}
+
+BOOST_AUTO_TEST_CASE(test_nsec_ancestor_nxqtype_denial) {
+  initSR();
+
+  testkeysset_t keys;
+  generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  vector<DNSRecord> records;
+
+  vector<shared_ptr<DNSRecordContent>> recordContents;
+  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
+
+  /*
+    The RRSIG from "." denies the existence of any type except NS at a.
+    However since it's an ancestor delegation NSEC (NS bit set, SOA bit clear,
+    signer field that is shorter than the owner name of the NSEC RR) it can't
+    be used to deny anything except the whole name or a DS.
+  */
+  addNSECRecordToLW(DNSName("a."), DNSName("b."), { QType::NS }, 600, records);
+  recordContents.push_back(records.at(0).d_content);
+  addRRSIG(keys, records, DNSName("."), 300);
+  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
+  records.clear();
+
+  ContentSigPair pair;
+  pair.records = recordContents;
+  pair.signatures = signatureContents;
+  cspmap_t denialMap;
+  denialMap[std::make_pair(DNSName("a."), QType::NSEC)] = pair;
+
+  /* RFC 6840 section 4.1 "Clarifications on Nonexistence Proofs":
+     Ancestor delegation NSEC or NSEC3 RRs MUST NOT be used to assume
+     nonexistence of any RRs below that zone cut, which include all RRs at
+     that (original) owner name other than DS RRs, and all RRs below that
+     owner name regardless of type.
+  */
+
+  dState denialState = getDenial(denialMap, DNSName("a."), QType::A, false, false);
+  /* no data means the qname/qtype is not denied, because an ancestor
+     delegation NSEC can only deny the DS */
+  BOOST_CHECK_EQUAL(denialState, NODATA);
+
+  /* it can not be used to deny any RRs below that owner name either */
+  denialState = getDenial(denialMap, DNSName("sub.a."), QType::A, false, false);
+  BOOST_CHECK_EQUAL(denialState, NODATA);
+
+  denialState = getDenial(denialMap, DNSName("a."), QType::DS, true, true);
+  BOOST_CHECK_EQUAL(denialState, NXQTYPE);
+}
+
+BOOST_AUTO_TEST_CASE(test_nsec_insecure_delegation_denial) {
+  initSR();
+
+  testkeysset_t keys;
+  generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  vector<DNSRecord> records;
+
+  vector<shared_ptr<DNSRecordContent>> recordContents;
+  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
+
+  /*
+   * RFC 5155 section 8.9:
+   * If there is an NSEC3 RR present in the response that matches the
+   * delegation name, then the validator MUST ensure that the NS bit is
+   * set and that the DS bit is not set in the Type Bit Maps field of the
+   * NSEC3 RR.
+   */
+  /*
+    The RRSIG from "." denies the existence of any type at a.
+    NS should be set if it was proving an insecure delegation, let's check that
+    we correctly detect that it's not.
+  */
+  addNSECRecordToLW(DNSName("a."), DNSName("b."), { }, 600, records);
+  recordContents.push_back(records.at(0).d_content);
+  addRRSIG(keys, records, DNSName("."), 300);
+  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
+  records.clear();
+
+  ContentSigPair pair;
+  pair.records = recordContents;
+  pair.signatures = signatureContents;
+  cspmap_t denialMap;
+  denialMap[std::make_pair(DNSName("a."), QType::NSEC)] = pair;
+
+  /* Insecure because the NS is not set, so while it does
+     denies the DS, it can't prove an insecure delegation */
+  dState denialState = getDenial(denialMap, DNSName("a."), QType::DS, true, true);
+  BOOST_CHECK_EQUAL(denialState, NODATA);
+}
+
+BOOST_AUTO_TEST_CASE(test_nsec_nxqtype_cname) {
+  initSR();
+
+  testkeysset_t keys;
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  vector<DNSRecord> records;
+
+  vector<shared_ptr<DNSRecordContent>> recordContents;
+  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
+
+  addNSECRecordToLW(DNSName("a.powerdns.com."), DNSName("a.c.powerdns.com."), { QType::CNAME }, 600, records);
+  recordContents.push_back(records.at(0).d_content);
+  addRRSIG(keys, records, DNSName("powerdns.com."), 300);
+  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
+  records.clear();
+
+  ContentSigPair pair;
+  pair.records = recordContents;
+  pair.signatures = signatureContents;
+  cspmap_t denialMap;
+  denialMap[std::make_pair(DNSName("a.powerdns.com."), QType::NSEC)] = pair;
+
+  /* this NSEC is not valid to deny a.powerdns.com|A since it states that a CNAME exists */
+  dState denialState = getDenial(denialMap, DNSName("a.powerdns.com."), QType::A, true, true);
+  BOOST_CHECK_EQUAL(denialState, NODATA);
+}
+
+BOOST_AUTO_TEST_CASE(test_nsec3_nxqtype_cname) {
+  initSR();
+
+  testkeysset_t keys;
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  vector<DNSRecord> records;
+
+  vector<shared_ptr<DNSRecordContent>> recordContents;
+  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
+
+  addNSEC3UnhashedRecordToLW(DNSName("a.powerdns.com."), DNSName("powerdns.com."), "whatever", { QType::CNAME }, 600, records);
+  recordContents.push_back(records.at(0).d_content);
+  addRRSIG(keys, records, DNSName("powerdns.com."), 300);
+  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
+
+  ContentSigPair pair;
+  pair.records = recordContents;
+  pair.signatures = signatureContents;
+  cspmap_t denialMap;
+  denialMap[std::make_pair(records.at(0).d_name, records.at(0).d_type)] = pair;
+  records.clear();
+
+  /* this NSEC3 is not valid to deny a.powerdns.com|A since it states that a CNAME exists */
+  dState denialState = getDenial(denialMap, DNSName("a.powerdns.com."), QType::A, false, true);
+  BOOST_CHECK_EQUAL(denialState, NODATA);
+}
+
+BOOST_AUTO_TEST_CASE(test_nsec_nxdomain_denial_missing_wildcard) {
+  initSR();
+
+  testkeysset_t keys;
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  vector<DNSRecord> records;
+
+  vector<shared_ptr<DNSRecordContent>> recordContents;
+  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
+
+  addNSECRecordToLW(DNSName("a.powerdns.com."), DNSName("d.powerdns.com"), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
+  recordContents.push_back(records.at(0).d_content);
+  addRRSIG(keys, records, DNSName("powerdns.com."), 300);
+  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
+  records.clear();
+
+  ContentSigPair pair;
+  pair.records = recordContents;
+  pair.signatures = signatureContents;
+  cspmap_t denialMap;
+  denialMap[std::make_pair(DNSName("a.powerdns.com."), QType::NSEC)] = pair;
+
+  dState denialState = getDenial(denialMap, DNSName("b.powerdns.com."), QType::A, false, false);
+  BOOST_CHECK_EQUAL(denialState, NODATA);
+}
+
+BOOST_AUTO_TEST_CASE(test_nsec3_nxdomain_denial_missing_wildcard) {
+  initSR();
+
+  testkeysset_t keys;
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  vector<DNSRecord> records;
+
+  vector<shared_ptr<DNSRecordContent>> recordContents;
+  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
+
+  addNSEC3NarrowRecordToLW(DNSName("a.powerdns.com."), DNSName("powerdns.com."), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
+  recordContents.push_back(records.at(0).d_content);
+  addRRSIG(keys, records, DNSName("powerdns.com."), 300);
+  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
+
+  ContentSigPair pair;
+  pair.records = recordContents;
+  pair.signatures = signatureContents;
+  cspmap_t denialMap;
+  denialMap[std::make_pair(records.at(0).d_name, records.at(0).d_type)] = pair;
+
+  /* Add NSEC3 for the closest encloser */
+  recordContents.clear();
+  signatureContents.clear();
+  records.clear();
+  addNSEC3UnhashedRecordToLW(DNSName("powerdns.com."), DNSName("powerdns.com."), "whatever", { QType::A, QType::TXT, QType::RRSIG, QType::NSEC }, 600, records);
+  recordContents.push_back(records.at(0).d_content);
+  addRRSIG(keys, records, DNSName("powerdns.com."), 300);
+  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
+
+  pair.records = recordContents;
+  pair.signatures = signatureContents;
+  denialMap[std::make_pair(records.at(0).d_name, records.at(0).d_type)] = pair;
+
+  dState denialState = getDenial(denialMap, DNSName("b.powerdns.com."), QType::A, false, false);
+  BOOST_CHECK_EQUAL(denialState, NODATA);
+}
+
+BOOST_AUTO_TEST_CASE(test_nsec_ent_denial) {
+  initSR();
+
+  testkeysset_t keys;
+  generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  vector<DNSRecord> records;
+
+  vector<shared_ptr<DNSRecordContent>> recordContents;
+  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
+
+  addNSECRecordToLW(DNSName("a.powerdns.com."), DNSName("a.c.powerdns.com."), { QType::A }, 600, records);
+  recordContents.push_back(records.at(0).d_content);
+  addRRSIG(keys, records, DNSName("powerdns.com."), 300);
+  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
+  records.clear();
+
+  ContentSigPair pair;
+  pair.records = recordContents;
+  pair.signatures = signatureContents;
+  cspmap_t denialMap;
+  denialMap[std::make_pair(DNSName("a.powerdns.com."), QType::NSEC)] = pair;
+
+  /* this NSEC is valid to prove a NXQTYPE at c.powerdns.com because it proves that
+     it is an ENT */
+  dState denialState = getDenial(denialMap, DNSName("c.powerdns.com."), QType::AAAA, true, true);
+  BOOST_CHECK_EQUAL(denialState, NXQTYPE);
+
+  /* this NSEC is not valid to prove a NXQTYPE at b.powerdns.com,
+     it could prove a NXDOMAIN if it had an additional wildcard denial */
+  denialState = getDenial(denialMap, DNSName("b.powerdns.com."), QType::AAAA, true, true);
+  BOOST_CHECK_EQUAL(denialState, NODATA);
+
+  /* this NSEC is not valid to prove a NXQTYPE for QType::A at a.c.powerdns.com either */
+  denialState = getDenial(denialMap, DNSName("a.c.powerdns.com."), QType::A, true, true);
+  BOOST_CHECK_EQUAL(denialState, NODATA);
+
+  /* if we add the wildcard denial proof, we should get a NXDOMAIN proof for b.powerdns.com */
+  recordContents.clear();
+  signatureContents.clear();
+  addNSECRecordToLW(DNSName(").powerdns.com."), DNSName("+.powerdns.com."), { }, 600, records);
+  recordContents.push_back(records.at(0).d_content);
+  addRRSIG(keys, records, DNSName("powerdns.com."), 300);
+  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
+  records.clear();
+  pair.records = recordContents;
+  pair.signatures = signatureContents;
+  denialMap[std::make_pair(DNSName(").powerdns.com."), QType::NSEC)] = pair;
+
+  denialState = getDenial(denialMap, DNSName("b.powerdns.com."), QType::A, true, false);
+  BOOST_CHECK_EQUAL(denialState, NXDOMAIN);
+}
+
+BOOST_AUTO_TEST_CASE(test_nsec3_ancestor_nxqtype_denial) {
+  initSR();
+
+  testkeysset_t keys;
+  generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  vector<DNSRecord> records;
+
+  vector<shared_ptr<DNSRecordContent>> recordContents;
+  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
+
+  /*
+    The RRSIG from "." denies the existence of any type except NS at a.
+    However since it's an ancestor delegation NSEC (NS bit set, SOA bit clear,
+    signer field that is shorter than the owner name of the NSEC RR) it can't
+    be used to deny anything except the whole name or a DS.
+  */
+  addNSEC3UnhashedRecordToLW(DNSName("a."), DNSName("."), "whatever", { QType::NS }, 600, records);
+  recordContents.push_back(records.at(0).d_content);
+  addRRSIG(keys, records, DNSName("."), 300);
+  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
+
+  ContentSigPair pair;
+  pair.records = recordContents;
+  pair.signatures = signatureContents;
+  cspmap_t denialMap;
+  denialMap[std::make_pair(records.at(0).d_name, records.at(0).d_type)] = pair;
+  records.clear();
+
+  /* RFC 6840 section 4.1 "Clarifications on Nonexistence Proofs":
+     Ancestor delegation NSEC or NSEC3 RRs MUST NOT be used to assume
+     nonexistence of any RRs below that zone cut, which include all RRs at
+     that (original) owner name other than DS RRs, and all RRs below that
+     owner name regardless of type.
+  */
+
+  dState denialState = getDenial(denialMap, DNSName("a."), QType::A, false, true);
+  /* no data means the qname/qtype is not denied, because an ancestor
+     delegation NSEC3 can only deny the DS */
+  BOOST_CHECK_EQUAL(denialState, NODATA);
+
+  denialState = getDenial(denialMap, DNSName("a."), QType::DS, true, true);
+  BOOST_CHECK_EQUAL(denialState, NXQTYPE);
+
+  /* it can not be used to deny any RRs below that owner name either */
+  /* Add NSEC3 for the next closer */
+  recordContents.clear();
+  signatureContents.clear();
+  records.clear();
+  addNSEC3NarrowRecordToLW(DNSName("sub.a."), DNSName("."), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC3 }, 600, records);
+  recordContents.push_back(records.at(0).d_content);
+  addRRSIG(keys, records, DNSName("."), 300);
+  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
+
+  pair.records = recordContents;
+  pair.signatures = signatureContents;
+  denialMap[std::make_pair(records.at(0).d_name, records.at(0).d_type)] = pair;
+
+  /* add wildcard denial */
+  recordContents.clear();
+  signatureContents.clear();
+  records.clear();
+  addNSEC3NarrowRecordToLW(DNSName("*.a."), DNSName("."), { QType::A, QType::TXT, QType::RRSIG, QType::NSEC3 }, 600, records);
+  recordContents.push_back(records.at(0).d_content);
+  addRRSIG(keys, records, DNSName("."), 300);
+  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
+
+  pair.records = recordContents;
+  pair.signatures = signatureContents;
+  denialMap[std::make_pair(records.at(0).d_name, records.at(0).d_type)] = pair;
+
+  denialState = getDenial(denialMap, DNSName("sub.a."), QType::A, false, true);
+  BOOST_CHECK_EQUAL(denialState, NODATA);
+}
+
+BOOST_AUTO_TEST_CASE(test_nsec3_denial_too_many_iterations) {
+  initSR();
+
+  testkeysset_t keys;
+  generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  vector<DNSRecord> records;
+
+  vector<shared_ptr<DNSRecordContent>> recordContents;
+  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
+
+  /* adding a NSEC3 with more iterations that we support */
+  addNSEC3UnhashedRecordToLW(DNSName("a."), DNSName("."), "whatever", { QType::AAAA }, 600, records, g_maxNSEC3Iterations + 100);
+  recordContents.push_back(records.at(0).d_content);
+  addRRSIG(keys, records, DNSName("."), 300);
+  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
+
+  ContentSigPair pair;
+  pair.records = recordContents;
+  pair.signatures = signatureContents;
+  cspmap_t denialMap;
+  denialMap[std::make_pair(records.at(0).d_name, records.at(0).d_type)] = pair;
+  records.clear();
+
+  dState denialState = getDenial(denialMap, DNSName("a."), QType::A, false, true);
+  /* since we refuse to compute more than g_maxNSEC3Iterations iterations, it should be Insecure */
+  BOOST_CHECK_EQUAL(denialState, INSECURE);
+}
+
+BOOST_AUTO_TEST_CASE(test_nsec3_insecure_delegation_denial) {
+  initSR();
+
+  testkeysset_t keys;
+  generateKeyMaterial(DNSName("."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+
+  vector<DNSRecord> records;
+
+  vector<shared_ptr<DNSRecordContent>> recordContents;
+  vector<shared_ptr<RRSIGRecordContent>> signatureContents;
+
+  /*
+   * RFC 5155 section 8.9:
+   * If there is an NSEC3 RR present in the response that matches the
+   * delegation name, then the validator MUST ensure that the NS bit is
+   * set and that the DS bit is not set in the Type Bit Maps field of the
+   * NSEC3 RR.
+   */
+  /*
+    The RRSIG from "." denies the existence of any type at a.
+    NS should be set if it was proving an insecure delegation, let's check that
+    we correctly detect that it's not.
+  */
+  addNSEC3UnhashedRecordToLW(DNSName("a."), DNSName("."), "whatever", { }, 600, records);
+  recordContents.push_back(records.at(0).d_content);
+  addRRSIG(keys, records, DNSName("."), 300);
+  signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
+
+  ContentSigPair pair;
+  pair.records = recordContents;
+  pair.signatures = signatureContents;
+  cspmap_t denialMap;
+  denialMap[std::make_pair(records.at(0).d_name, records.at(0).d_type)] = pair;
+  records.clear();
+
+  /* Insecure because the NS is not set, so while it does
+     denies the DS, it can't prove an insecure delegation */
+  dState denialState = getDenial(denialMap, DNSName("a."), QType::DS, true, true);
+  BOOST_CHECK_EQUAL(denialState, NODATA);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_rrsig_negcache_validity) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+  const time_t fixedNow = sr->getNow().tv_sec;
+
+  sr->setAsyncCallback([target,&queriesCount,keys,fixedNow](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      DNSName auth = domain;
+      auth.chopOff();
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
+      }
+      else {
+        setLWResult(res, RCode::NoError, true, false, true);
+        addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+        addRRSIG(keys, res->d_records, domain, 300);
+        addNSECRecordToLW(domain, DNSName("z."), { QType::NSEC, QType::RRSIG }, 600, res->d_records);
+        addRRSIG(keys, res->d_records, domain, 1, false, boost::none, boost::none, fixedNow);
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 4);
+  BOOST_CHECK_EQUAL(queriesCount, 4);
+
+  /* check that the entry has not been negatively cached for longer than the RRSIG validity */
+  const NegCache::NegCacheEntry* ne = nullptr;
+  BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1);
+  BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true);
+  BOOST_CHECK_EQUAL(ne->d_ttd, fixedNow + 1);
+  BOOST_CHECK_EQUAL(ne->d_validationState, Secure);
+  BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1);
+  BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 1);
+  BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 1);
+  BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 1);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 4);
+  BOOST_CHECK_EQUAL(queriesCount, 4);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_rrsig_negcache_bogus_validity) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+  const time_t fixedNow = sr->getNow().tv_sec;
+
+  sr->setAsyncCallback([target,&queriesCount,keys,fixedNow](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      DNSName auth = domain;
+      auth.chopOff();
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
+      }
+      else {
+        setLWResult(res, RCode::NoError, true, false, true);
+        addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 86400);
+        addRRSIG(keys, res->d_records, domain, 86400);
+        addNSECRecordToLW(domain, DNSName("z."), { QType::NSEC, QType::RRSIG }, 86400, res->d_records);
+        /* no RRSIG */
+        return 1;
+      }
+
+      return 0;
+    });
+
+  SyncRes::s_maxnegttl = 3600;
+  SyncRes::s_maxbogusttl = 360;
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 3);
+  BOOST_CHECK_EQUAL(queriesCount, 4);
+
+  /* check that the entry has been negatively cached but not longer than s_maxbogusttl */
+  const NegCache::NegCacheEntry* ne = nullptr;
+  BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1);
+  BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true);
+  BOOST_CHECK_EQUAL(ne->d_ttd, fixedNow + SyncRes::s_maxbogusttl);
+  BOOST_CHECK_EQUAL(ne->d_validationState, Bogus);
+  BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1);
+  BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 1);
+  BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 1);
+  BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 0);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 3);
+  BOOST_CHECK_EQUAL(queriesCount, 4);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_rrsig_cache_validity) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("com.");
+  const ComboAddress targetAddr("192.0.2.42");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+  const time_t tnow = sr->getNow().tv_sec;
+
+  sr->setAsyncCallback([target,targetAddr,&queriesCount,keys,tnow](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      DNSName auth = domain;
+      auth.chopOff();
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
+      }
+      else {
+        setLWResult(res, RCode::NoError, true, false, true);
+        addRecordToLW(res, domain, QType::A, targetAddr.toString(), DNSResourceRecord::ANSWER, 3600);
+        addRRSIG(keys, res->d_records, domain, 1, false, boost::none, boost::none, tnow);
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK_EQUAL(queriesCount, 4);
+
+  /* check that the entry has not been cached for longer than the RRSIG validity */
+  const ComboAddress who;
+  vector<DNSRecord> cached;
+  vector<std::shared_ptr<RRSIGRecordContent>> signatures;
+  BOOST_REQUIRE_EQUAL(t_RC->get(tnow, target, QType(QType::A), true, &cached, who, &signatures), 1);
+  BOOST_REQUIRE_EQUAL(cached.size(), 1);
+  BOOST_REQUIRE_EQUAL(signatures.size(), 1);
+  BOOST_CHECK_EQUAL((cached[0].d_ttl - tnow), 1);
+
+  /* again, to test the cache */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK_EQUAL(queriesCount, 4);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cache_secure) {
+  /*
+    Validation is optional, and the first query does not ask for it,
+    so the answer is cached as Indeterminate.
+    The second query asks for validation, answer should be marked as
+    Secure, after just-in-time validation.
+  */
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::Process);
+
+  primeHints();
+  const DNSName target("com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false);
+      }
+      else {
+        if (domain == target && type == QType::A) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, target, QType::A, "192.0.2.1");
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  /* first query does not require validation */
+  sr->setDNSSECValidationRequested(false);
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  for (const auto& record : ret) {
+    BOOST_CHECK(record.d_type == QType::A || record.d_type == QType::RRSIG);
+  }
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+
+
+  ret.clear();
+  /* second one _does_ require validation */
+  sr->setDNSSECValidationRequested(true);
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  for (const auto& record : ret) {
+    BOOST_CHECK(record.d_type == QType::A || record.d_type == QType::RRSIG);
+  }
+  BOOST_CHECK_EQUAL(queriesCount, 3);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cache_insecure) {
+  /*
+    Validation is optional, and the first query does not ask for it,
+    so the answer is cached as Indeterminate.
+    The second query asks for validation, answer should be marked as
+    Insecure.
+  */
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::Process);
+
+  primeHints();
+  const DNSName target("com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false);
+      }
+      else {
+        if (domain == target && type == QType::A) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, target, QType::A, "192.0.2.1");
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  /* first query does not require validation */
+  sr->setDNSSECValidationRequested(false);
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  for (const auto& record : ret) {
+    BOOST_CHECK(record.d_type == QType::A);
+  }
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+
+
+  ret.clear();
+  /* second one _does_ require validation */
+  sr->setDNSSECValidationRequested(true);
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  for (const auto& record : ret) {
+    BOOST_CHECK(record.d_type == QType::A);
+  }
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cache_bogus) {
+  /*
+    Validation is optional, and the first query does not ask for it,
+    so the answer is cached as Indeterminate.
+    The second query asks for validation, answer should be marked as
+    Bogus.
+  */
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::Process);
+
+  primeHints();
+  const DNSName target("com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false);
+      }
+      else {
+        if (domain == target && type == QType::A) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, target, QType::A, "192.0.2.1", DNSResourceRecord::ANSWER, 86400);
+          /* no RRSIG */
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  SyncRes::s_maxbogusttl = 3600;
+
+  vector<DNSRecord> ret;
+  /* first query does not require validation */
+  sr->setDNSSECValidationRequested(false);
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  for (const auto& record : ret) {
+    BOOST_CHECK(record.d_type == QType::A);
+    BOOST_CHECK_EQUAL(record.d_ttl, 86400);
+  }
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+
+
+  ret.clear();
+  /* second one _does_ require validation */
+  sr->setDNSSECValidationRequested(true);
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  /* check that we correctly capped the TTD for a Bogus record after
+     just-in-time validation */
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  for (const auto& record : ret) {
+    BOOST_CHECK(record.d_type == QType::A);
+    BOOST_CHECK_EQUAL(record.d_ttl, SyncRes::s_maxbogusttl);
+  }
+  BOOST_CHECK_EQUAL(queriesCount, 3);
+
+  ret.clear();
+  /* third time also _does_ require validation, so we
+     can check that the cache has been updated */
+  sr->setDNSSECValidationRequested(true);
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  for (const auto& record : ret) {
+    BOOST_CHECK(record.d_type == QType::A);
+    BOOST_CHECK_EQUAL(record.d_ttl, SyncRes::s_maxbogusttl);
+  }
+  BOOST_CHECK_EQUAL(queriesCount, 3);
+}
+
+BOOST_AUTO_TEST_SUITE_END()
diff --git a/pdns/recursordist/test-syncres_cc9.cc b/pdns/recursordist/test-syncres_cc9.cc
new file mode 100644
index 000000000000..61afa24e806d
--- /dev/null
+++ b/pdns/recursordist/test-syncres_cc9.cc
@@ -0,0 +1,1115 @@
+#define BOOST_TEST_DYN_LINK
+#include <boost/test/unit_test.hpp>
+
+#include "test-syncres_cc.hh"
+
+BOOST_AUTO_TEST_SUITE(syncres_cc9)
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cname_cache_secure) {
+  /*
+    Validation is optional, and the first query does not ask for it,
+    so the answer is cached as Indeterminate.
+    The second query asks for validation, answer should be marked as
+    Secure.
+  */
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::Process);
+
+  primeHints();
+  const DNSName target("com.");
+  const DNSName cnameTarget("cname-com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,cnameTarget,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false);
+      }
+      else {
+        if (domain == target && type == QType::A) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, target, QType::CNAME, cnameTarget.toString());
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1");
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          return 1;
+        } else if (domain == cnameTarget && type == QType::A) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1");
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  /* first query does not require validation */
+  sr->setDNSSECValidationRequested(false);
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
+  BOOST_REQUIRE_EQUAL(ret.size(), 4);
+  for (const auto& record : ret) {
+    BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A || record.d_type == QType::RRSIG);
+  }
+  BOOST_CHECK_EQUAL(queriesCount, 2);
+
+
+  ret.clear();
+  /* second one _does_ require validation */
+  sr->setDNSSECValidationRequested(true);
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 4);
+  for (const auto& record : ret) {
+    BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A || record.d_type == QType::RRSIG);
+  }
+  BOOST_CHECK_EQUAL(queriesCount, 5);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cname_cache_insecure) {
+  /*
+    Validation is optional, and the first query does not ask for it,
+    so the answer is cached as Indeterminate.
+    The second query asks for validation, answer should be marked as
+    Insecure.
+  */
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::Process);
+
+  primeHints();
+  const DNSName target("com.");
+  const DNSName cnameTarget("cname-com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,cnameTarget,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false);
+      }
+      else {
+        if (domain == target && type == QType::A) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, target, QType::CNAME, cnameTarget.toString());
+          addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1");
+          return 1;
+        } else if (domain == cnameTarget && type == QType::A) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1");
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  /* first query does not require validation */
+  sr->setDNSSECValidationRequested(false);
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  for (const auto& record : ret) {
+    BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A);
+  }
+  BOOST_CHECK_EQUAL(queriesCount, 2);
+
+
+  ret.clear();
+  /* second one _does_ require validation */
+  sr->setDNSSECValidationRequested(true);
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  for (const auto& record : ret) {
+    BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A);
+  }
+  BOOST_CHECK_EQUAL(queriesCount, 2);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_cname_cache_bogus) {
+  /*
+    Validation is optional, and the first query does not ask for it,
+    so the answer is cached as Indeterminate.
+    The second query asks for validation, answer should be marked as
+    Bogus.
+  */
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::Process);
+
+  primeHints();
+  const DNSName target("com.");
+  const DNSName cnameTarget("cname-com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,cnameTarget,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false);
+      }
+      else {
+        if (domain == target && type == QType::A) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, target, QType::CNAME, cnameTarget.toString(), DNSResourceRecord::ANSWER, 86400);
+          addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1", DNSResourceRecord::ANSWER, 86400);
+          /* no RRSIG */
+          return 1;
+        } else if (domain == cnameTarget && type == QType::A) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1", DNSResourceRecord::ANSWER, 86400);
+          /* no RRSIG */
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  SyncRes::s_maxbogusttl = 60;
+  SyncRes::s_maxnegttl = 3600;
+
+  vector<DNSRecord> ret;
+  /* first query does not require validation */
+  sr->setDNSSECValidationRequested(false);
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  for (const auto& record : ret) {
+    BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A);
+    BOOST_CHECK_EQUAL(record.d_ttl, 86400);
+  }
+  BOOST_CHECK_EQUAL(queriesCount, 2);
+
+
+  ret.clear();
+  /* second one _does_ require validation */
+  sr->setDNSSECValidationRequested(true);
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  /* check that we correctly capped the TTD for a Bogus record after
+     just-in-time validation */
+  for (const auto& record : ret) {
+    BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A);
+    BOOST_CHECK_EQUAL(record.d_ttl, SyncRes::s_maxbogusttl);
+  }
+  BOOST_CHECK_EQUAL(queriesCount, 5);
+
+  ret.clear();
+  /* and a third time to make sure that the validation status (and TTL!)
+     was properly updated in the cache */
+  sr->setDNSSECValidationRequested(true);
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  for (const auto& record : ret) {
+    BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A);
+    BOOST_CHECK_EQUAL(record.d_ttl, SyncRes::s_maxbogusttl);
+  }
+  BOOST_CHECK_EQUAL(queriesCount, 5);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_additional_without_rrsig) {
+  /*
+    We get a record from a secure zone in the additional section, without
+    the corresponding RRSIG. The record should not be marked as authoritative
+    and should be correctly validated.
+  */
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::Process);
+
+  primeHints();
+  const DNSName target("com.");
+  const DNSName addTarget("nsX.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,addTarget,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        if (domain == addTarget) {
+          DNSName auth(domain);
+          /* no DS for com, auth will be . */
+          auth.chopOff();
+          return genericDSAndDNSKEYHandler(res, domain, auth, type, keys, false);
+        }
+        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false);
+      }
+      else {
+        if (domain == target && type == QType::A) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, target, QType::A, "192.0.2.1");
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          addRecordToLW(res, addTarget, QType::A, "192.0.2.42", DNSResourceRecord::ADDITIONAL);
+          /* no RRSIG for the additional record */
+          return 1;
+        } else if (domain == addTarget && type == QType::A) {
+          setLWResult(res, 0, true, false, true);
+          addRecordToLW(res, addTarget, QType::A, "192.0.2.42");
+          addRRSIG(keys, res->d_records, DNSName("."), 300);
+          return 1;
+        }
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  /* first query for target/A, will pick up the additional record as non-auth / unvalidated */
+  sr->setDNSSECValidationRequested(false);
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
+  BOOST_CHECK_EQUAL(ret.size(), 2);
+  for (const auto& record : ret) {
+    BOOST_CHECK(record.d_type == QType::RRSIG || record.d_type == QType::A);
+  }
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+
+  ret.clear();
+  /* ask for the additional record directly, we should not use
+     the non-auth one and issue a new query, properly validated */
+  sr->setDNSSECValidationRequested(true);
+  res = sr->beginResolve(addTarget, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_CHECK_EQUAL(ret.size(), 2);
+  for (const auto& record : ret) {
+    BOOST_CHECK(record.d_type == QType::RRSIG || record.d_type == QType::A);
+  }
+  BOOST_CHECK_EQUAL(queriesCount, 5);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_negcache_secure) {
+  /*
+    Validation is optional, and the first query does not ask for it,
+    so the answer is negatively cached as Indeterminate.
+    The second query asks for validation, answer should be marked as
+    Secure.
+  */
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::Process);
+
+  primeHints();
+  const DNSName target("com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      DNSName auth = domain;
+      auth.chopOff();
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
+      }
+      else {
+        setLWResult(res, RCode::NoError, true, false, true);
+        addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+        addRRSIG(keys, res->d_records, domain, 300);
+        addNSECRecordToLW(domain, DNSName("z."), { QType::NSEC, QType::RRSIG }, 600, res->d_records);
+        addRRSIG(keys, res->d_records, domain, 1);
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  /* first query does not require validation */
+  sr->setDNSSECValidationRequested(false);
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
+  BOOST_REQUIRE_EQUAL(ret.size(), 4);
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+  /* check that the entry has not been negatively cached */
+  const NegCache::NegCacheEntry* ne = nullptr;
+  BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1);
+  BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true);
+  BOOST_CHECK_EQUAL(ne->d_validationState, Indeterminate);
+  BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1);
+  BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 1);
+  BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 1);
+  BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 1);
+
+  ret.clear();
+  /* second one _does_ require validation */
+  sr->setDNSSECValidationRequested(true);
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 4);
+  BOOST_CHECK_EQUAL(queriesCount, 4);
+  BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1);
+  BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true);
+  BOOST_CHECK_EQUAL(ne->d_validationState, Secure);
+  BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1);
+  BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 1);
+  BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 1);
+  BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 1);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_negcache_secure_ds) {
+  /*
+    Validation is optional, and the first query does not ask for it,
+    so the answer is negatively cached as Indeterminate.
+    The second query asks for validation, answer should be marked as
+    Secure.
+    The difference with test_dnssec_validation_from_negcache_secure is
+    that have one more level here, so we are going to look for the proof
+    that the DS does not exist for the last level. Since there is no cut,
+    we should accept the fact that the NSEC denies DS and NS both.
+  */
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::Process);
+
+  primeHints();
+  const DNSName target("www.com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        if (domain == target) {
+          /* there is no cut */
+          return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false);
+        }
+        return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  /* first query does not require validation */
+  sr->setDNSSECValidationRequested(false);
+  int res = sr->beginResolve(target, QType(QType::DS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
+  BOOST_REQUIRE_EQUAL(ret.size(), 4);
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+
+  ret.clear();
+  /* second one _does_ require validation */
+  sr->setDNSSECValidationRequested(true);
+  res = sr->beginResolve(target, QType(QType::DS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 4);
+  BOOST_CHECK_EQUAL(queriesCount, 4);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_negcache_insecure) {
+  /*
+    Validation is optional, and the first query does not ask for it,
+    so the answer is negatively cached as Indeterminate.
+    The second query asks for validation, answer should be marked as
+    Insecure.
+  */
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::Process);
+
+  primeHints();
+  const DNSName target("com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      DNSName auth = domain;
+      auth.chopOff();
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
+      }
+      else {
+        setLWResult(res, RCode::NoError, true, false, true);
+        addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+        return 1;
+      }
+
+      return 0;
+    });
+
+  vector<DNSRecord> ret;
+  /* first query does not require validation */
+  sr->setDNSSECValidationRequested(false);
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+  /* check that the entry has not been negatively cached */
+  const NegCache::NegCacheEntry* ne = nullptr;
+  BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1);
+  BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true);
+  BOOST_CHECK_EQUAL(ne->d_validationState, Indeterminate);
+  BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1);
+  BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 0);
+  BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 0);
+  BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 0);
+
+  ret.clear();
+  /* second one _does_ require validation */
+  sr->setDNSSECValidationRequested(true);
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Insecure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+  BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true);
+  BOOST_CHECK_EQUAL(ne->d_validationState, Insecure);
+  BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1);
+  BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 0);
+  BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 0);
+  BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 0);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_from_negcache_bogus) {
+  /*
+    Validation is optional, and the first query does not ask for it,
+    so the answer is negatively cached as Indeterminate.
+    The second query asks for validation, answer should be marked as
+    Bogus.
+  */
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::Process);
+
+  primeHints();
+  const DNSName target("com.");
+  testkeysset_t keys;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      queriesCount++;
+
+      DNSName auth = domain;
+      auth.chopOff();
+
+      if (type == QType::DS || type == QType::DNSKEY) {
+        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
+      }
+      else {
+        setLWResult(res, RCode::NoError, true, false, true);
+        addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 86400);
+        addRRSIG(keys, res->d_records, domain, 86400);
+        /* no denial */
+        return 1;
+      }
+
+      return 0;
+    });
+
+  SyncRes::s_maxbogusttl = 60;
+  SyncRes::s_maxnegttl = 3600;
+  const auto now = sr->getNow().tv_sec;
+
+  vector<DNSRecord> ret;
+  /* first query does not require validation */
+  sr->setDNSSECValidationRequested(false);
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  for (const auto& record : ret) {
+    if (record.d_type == QType::SOA) {
+      BOOST_CHECK_EQUAL(record.d_ttl, SyncRes::s_maxnegttl);
+    }
+  }
+  BOOST_CHECK_EQUAL(queriesCount, 1);
+  const NegCache::NegCacheEntry* ne = nullptr;
+  BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1);
+  BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true);
+  BOOST_CHECK_EQUAL(ne->d_validationState, Indeterminate);
+  BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1);
+  BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 1);
+  BOOST_CHECK_EQUAL(ne->d_ttd, now + SyncRes::s_maxnegttl);
+  BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 0);
+  BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 0);
+
+  ret.clear();
+  /* second one _does_ require validation */
+  sr->setDNSSECValidationRequested(true);
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  for (const auto& record : ret) {
+    BOOST_CHECK_EQUAL(record.d_ttl, SyncRes::s_maxbogusttl);
+  }
+  BOOST_CHECK_EQUAL(queriesCount, 4);
+  BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true);
+  BOOST_CHECK_EQUAL(ne->d_validationState, Bogus);
+  BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1);
+  BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 1);
+  BOOST_CHECK_EQUAL(ne->d_ttd, now + SyncRes::s_maxbogusttl);
+  BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 0);
+  BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 0);
+
+  ret.clear();
+  /* third one _does_ not require validation, we just check that
+     the cache (status and TTL) has been correctly updated */
+  sr->setDNSSECValidationRequested(false);
+  res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  for (const auto& record : ret) {
+    BOOST_CHECK_EQUAL(record.d_ttl, SyncRes::s_maxbogusttl);
+  }
+  BOOST_CHECK_EQUAL(queriesCount, 4);
+  BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true);
+  BOOST_CHECK_EQUAL(ne->d_validationState, Bogus);
+  BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1);
+  BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 1);
+  BOOST_CHECK_EQUAL(ne->d_ttd, now + SyncRes::s_maxbogusttl);
+  BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 0);
+  BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 0);
+}
+
+BOOST_AUTO_TEST_CASE(test_lowercase_outgoing) {
+  g_lowercaseOutgoing = true;
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  vector<DNSName> sentOutQnames;
+
+  const DNSName target("WWW.POWERDNS.COM");
+  const DNSName cname("WWW.PowerDNS.org");
+
+  sr->setAsyncCallback([target, cname, &sentOutQnames](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      sentOutQnames.push_back(domain);
+
+      if (isRootServer(ip)) {
+        if (domain == target) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
+          addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        if (domain == cname) {
+          setLWResult(res, 0, false, false, true);
+          addRecordToLW(res, "powerdns.org.", QType::NS, "pdns-public-ns1.powerdns.org.", DNSResourceRecord::AUTHORITY, 172800);
+          addRecordToLW(res, "pdns-public-ns1.powerdns.org.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+        if (domain == target) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, domain, QType::CNAME, cname.toString());
+          return 1;
+        }
+      } else if (ip == ComboAddress("192.0.2.2:53")) {
+        if (domain == cname) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, domain, QType::A, "127.0.0.1");
+          return 1;
+        }
+      }
+      return 0;
+  });
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK_EQUAL(ret[0].d_content->getZoneRepresentation(), cname.toString());
+
+  BOOST_REQUIRE_EQUAL(sentOutQnames.size(), 4);
+  BOOST_CHECK_EQUAL(sentOutQnames[0].toString(), target.makeLowerCase().toString());
+  BOOST_CHECK_EQUAL(sentOutQnames[1].toString(), target.makeLowerCase().toString());
+  BOOST_CHECK_EQUAL(sentOutQnames[2].toString(), cname.makeLowerCase().toString());
+  BOOST_CHECK_EQUAL(sentOutQnames[3].toString(), cname.makeLowerCase().toString());
+
+  g_lowercaseOutgoing = false;
+}
+
+BOOST_AUTO_TEST_CASE(test_getDSRecords_multialgo) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("com.");
+  testkeysset_t keys, keys2;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  // As testkeysset_t only contains one DSRecordContent, create another one with a different hash algo
+  generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA1, keys2);
+  // But add the existing root key otherwise no RRSIG can be created
+  auto rootkey = keys.find(g_rootdnsname);
+  keys2.insert(*rootkey);
+
+  sr->setAsyncCallback([target, keys, keys2](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      DNSName auth = domain;
+      auth.chopOff();
+      if (type == QType::DS || type == QType::DNSKEY) {
+        if (domain == target) {
+          if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys2) != 1) {
+            return 0;
+          }
+        }
+        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
+      }
+      return 0;
+    });
+
+  dsmap_t ds;
+  auto state = sr->getDSRecords(target, ds, false, 0, false);
+  BOOST_CHECK_EQUAL(state, Secure);
+  BOOST_REQUIRE_EQUAL(ds.size(), 1);
+  for (const auto& i : ds) {
+    BOOST_CHECK_EQUAL(i.d_digesttype, DNSSECKeeper::SHA256);
+  }
+}
+
+BOOST_AUTO_TEST_CASE(test_getDSRecords_multialgo_all_sha) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("com.");
+  testkeysset_t keys, keys2, keys3;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  // As testkeysset_t only contains one DSRecordContent, create another one with a different hash algo
+  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA1, keys2);
+  // But add the existing root key otherwise no RRSIG can be created
+  auto rootkey = keys.find(g_rootdnsname);
+  keys2.insert(*rootkey);
+
+  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA384, keys3);
+  // But add the existing root key otherwise no RRSIG can be created
+  keys3.insert(*rootkey);
+
+  sr->setAsyncCallback([target, keys, keys2, keys3](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      DNSName auth = domain;
+      auth.chopOff();
+      if (type == QType::DS || type == QType::DNSKEY) {
+        if (domain == target) {
+          if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys2) != 1) {
+            return 0;
+          }
+          if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys3) != 1) {
+            return 0;
+          }
+        }
+        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
+      }
+      return 0;
+    });
+
+  dsmap_t ds;
+  auto state = sr->getDSRecords(target, ds, false, 0, false);
+  BOOST_CHECK_EQUAL(state, Secure);
+  BOOST_REQUIRE_EQUAL(ds.size(), 1);
+  for (const auto& i : ds) {
+    BOOST_CHECK_EQUAL(i.d_digesttype, DNSSECKeeper::SHA384);
+  }
+}
+
+BOOST_AUTO_TEST_CASE(test_getDSRecords_multialgo_two_highest) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr, true);
+
+  setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+  primeHints();
+  const DNSName target("com.");
+  testkeysset_t keys, keys2, keys3;
+
+  auto luaconfsCopy = g_luaconfs.getCopy();
+  luaconfsCopy.dsAnchors.clear();
+  generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+  g_luaconfs.setState(luaconfsCopy);
+
+  // As testkeysset_t only contains one DSRecordContent, create another one with a different hash algo
+  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys2);
+  // But add the existing root key otherwise no RRSIG can be created
+  auto rootkey = keys.find(g_rootdnsname);
+  keys2.insert(*rootkey);
+
+  generateKeyMaterial(target, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA1, keys3);
+  // But add the existing root key otherwise no RRSIG can be created
+  keys3.insert(*rootkey);
+
+  sr->setAsyncCallback([target, keys, keys2, keys3](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+      DNSName auth = domain;
+      auth.chopOff();
+      if (type == QType::DS || type == QType::DNSKEY) {
+        if (domain == target) {
+          if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys2) != 1) {
+            return 0;
+          }
+          if (genericDSAndDNSKEYHandler(res, domain, auth, type, keys3) != 1) {
+            return 0;
+          }
+        }
+        return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
+      }
+      return 0;
+    });
+
+  dsmap_t ds;
+  auto state = sr->getDSRecords(target, ds, false, 0, false);
+  BOOST_CHECK_EQUAL(state, Secure);
+  BOOST_REQUIRE_EQUAL(ds.size(), 2);
+  for (const auto& i : ds) {
+    BOOST_CHECK_EQUAL(i.d_digesttype, DNSSECKeeper::SHA256);
+  }
+}
+
+BOOST_AUTO_TEST_CASE(test_cname_plus_authority_ns_ttl) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("cname.powerdns.com.");
+  const DNSName cnameTarget("cname-target.powerdns.com");
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target, cnameTarget, &queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+       queriesCount++;
+
+       if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, DNSName("powerdns.com"), QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 42);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      } else if (ip == ComboAddress("192.0.2.1:53")) {
+         if (domain == target) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, domain, QType::CNAME, cnameTarget.toString());
+          addRecordToLW(res, cnameTarget, QType::A, "192.0.2.2");
+          addRecordToLW(res, DNSName("powerdns.com."), QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+          addRecordToLW(res, DNSName("a.gtld-servers.net."), QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+          return 1;
+        }
+        else if (domain == cnameTarget) {
+          setLWResult(res, 0, true, false, false);
+          addRecordToLW(res, domain, QType::A, "192.0.2.2");
+        }
+
+         return 1;
+      }
+
+      return 0;
+    });
+
+  const time_t now = sr->getNow().tv_sec;
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 2);
+  BOOST_CHECK(ret[0].d_type == QType::CNAME);
+  BOOST_CHECK_EQUAL(ret[0].d_name, target);
+  BOOST_CHECK(ret[1].d_type == QType::A);
+  BOOST_CHECK_EQUAL(ret[1].d_name, cnameTarget);
+
+  /* check that the NS in authority has not replaced the one in the cache
+     with auth=0 (or at least has not raised the TTL since it could otherwise
+     be used to create a never-ending ghost zone even after the NS have been
+     changed in the parent.
+  */
+  const ComboAddress who;
+  vector<DNSRecord> cached;
+  bool wasAuth = false;
+
+  auto ttl = t_RC->get(now, DNSName("powerdns.com."), QType(QType::NS), false, &cached, who, nullptr, nullptr, nullptr, nullptr, &wasAuth);
+  BOOST_REQUIRE_GE(ttl, 1);
+  BOOST_REQUIRE_LE(ttl, 42);
+  BOOST_CHECK_EQUAL(cached.size(), 1);
+  BOOST_CHECK_EQUAL(wasAuth, false);
+
+  cached.clear();
+
+  /* Also check that the the part in additional is still not auth */
+  BOOST_REQUIRE_GE(t_RC->get(now, DNSName("a.gtld-servers.net."), QType(QType::A), false, &cached, who, nullptr, nullptr, nullptr, nullptr, &wasAuth), -1);
+  BOOST_CHECK_EQUAL(cached.size(), 1);
+  BOOST_CHECK_EQUAL(wasAuth, false);
+}
+
+BOOST_AUTO_TEST_CASE(test_records_sanitization_general) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("sanitization.powerdns.com.");
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      setLWResult(res, 0, true, false, true);
+      addRecordToLW(res, domain, QType::A, "192.0.2.1");
+      /* should be scrubbed because it doesn't match the QType */
+      addRecordToLW(res, domain, QType::AAAA, "2001:db8::1");
+      /* should be scrubbed because the DNAME is not relevant to the qname */
+      addRecordToLW(res, DNSName("not-sanitization.powerdns.com."), QType::DNAME, "not-sanitization.powerdns.net.");
+      /* should be scrubbed because a MX has no reason to show up in AUTHORITY */
+      addRecordToLW(res, domain, QType::MX, "10 mx.powerdns.com.", DNSResourceRecord::AUTHORITY);
+      /* should be scrubbed because the SOA name is not relevant to the qname */
+      addRecordToLW(res, DNSName("not-sanitization.powerdns.com."), QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY);
+      /* should be scrubbed because types other than A or AAAA are not really supposed to show up in ADDITIONAL */
+      addRecordToLW(res, domain, QType::TXT, "TXT", DNSResourceRecord::ADDITIONAL);
+      /* should be scrubbed because it doesn't match any of the accepted names in this answer (mostly 'domain') */
+      addRecordToLW(res, DNSName("powerdns.com."), QType::AAAA, "2001:db8::1", DNSResourceRecord::ADDITIONAL);
+      return 1;
+    });
+
+  const time_t now = sr->getNow().tv_sec;
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+
+  const ComboAddress who;
+  vector<DNSRecord> cached;
+  BOOST_CHECK_GT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0);
+  cached.clear();
+  BOOST_CHECK_LT(t_RC->get(now, target, QType(QType::AAAA), true, &cached, who), 0);
+  BOOST_CHECK_EQUAL(t_RC->get(now, DNSName("not-sanitization.powerdns.com."), QType(QType::DNAME), true, &cached, who), -1);
+  BOOST_CHECK_LT(t_RC->get(now, target, QType(QType::MX), true, &cached, who), 0);
+  BOOST_CHECK_EQUAL(t_RC->get(now, DNSName("not-sanitization.powerdns.com."), QType(QType::SOA), true, &cached, who), -1);
+  BOOST_CHECK_LT(t_RC->get(now, target, QType(QType::TXT), false, &cached, who), 0);
+  BOOST_CHECK_EQUAL(t_RC->get(now, DNSName("powerdns.com."), QType(QType::AAAA), false, &cached, who), -1);
+}
+
+BOOST_AUTO_TEST_CASE(test_records_sanitization_keep_relevant_additional_aaaa) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("sanitization.powerdns.com.");
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      setLWResult(res, 0, true, false, true);
+      addRecordToLW(res, domain, QType::A, "192.0.2.1");
+      addRecordToLW(res, domain, QType::AAAA, "2001:db8::1", DNSResourceRecord::ADDITIONAL);
+      return 1;
+    });
+
+  const time_t now = sr->getNow().tv_sec;
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_REQUIRE_EQUAL(ret.size(), 1);
+
+  const ComboAddress who;
+  vector<DNSRecord> cached;
+  BOOST_CHECK_GT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0);
+  cached.clear();
+  /* not auth since it was in the additional section */
+  BOOST_CHECK_LT(t_RC->get(now, target, QType(QType::AAAA), true, &cached, who), 0);
+  BOOST_CHECK_GT(t_RC->get(now, target, QType(QType::AAAA), false, &cached, who), 0);
+}
+
+BOOST_AUTO_TEST_CASE(test_records_sanitization_keep_glue) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("sanitization-glue.powerdns.com.");
+
+  size_t queriesCount = 0;
+
+  sr->setAsyncCallback([target,&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+      queriesCount++;
+
+      if (isRootServer(ip)) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, "com.", QType::NS, "a.gtld-servers.net.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+        addRecordToLW(res, "a.gtld-servers.net.", QType::AAAA, "2001:DB8::1", DNSResourceRecord::ADDITIONAL, 3600);
+        return 1;
+      }
+      else if (ip == ComboAddress("192.0.2.1:53") || ip == ComboAddress("[2001:DB8::1]:53")) {
+        setLWResult(res, 0, false, false, true);
+        addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns1.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "powerdns.com.", QType::NS, "pdns-public-ns2.powerdns.com.", DNSResourceRecord::AUTHORITY, 172800);
+        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::A, "192.0.2.2", DNSResourceRecord::ADDITIONAL, 172800);
+        addRecordToLW(res, "pdns-public-ns1.powerdns.com.", QType::AAAA, "2001:DB8::2", DNSResourceRecord::ADDITIONAL, 172800);
+        addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::A, "192.0.2.3", DNSResourceRecord::ADDITIONAL, 172800);
+        addRecordToLW(res, "pdns-public-ns2.powerdns.com.", QType::AAAA, "2001:DB8::3", DNSResourceRecord::ADDITIONAL, 172800);
+        return 1;
+      }
+      else if (ip == ComboAddress("192.0.2.2:53") || ip == ComboAddress("192.0.2.3:53") || ip == ComboAddress("[2001:DB8::2]:53") || ip == ComboAddress("[2001:DB8::3]:53")) {
+        setLWResult(res, 0, true, false, true);
+        addRecordToLW(res, target, QType::A, "192.0.2.4");
+        return 1;
+      }
+      else {
+        return 0;
+      }
+    });
+
+  const time_t now = sr->getNow().tv_sec;
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+  BOOST_CHECK_EQUAL(queriesCount, 3);
+
+  const ComboAddress who;
+  vector<DNSRecord> cached;
+  BOOST_CHECK_GT(t_RC->get(now, target, QType(QType::A), true, &cached, who), 0);
+  cached.clear();
+
+  BOOST_CHECK_GT(t_RC->get(now, DNSName("com."), QType(QType::NS), false, &cached, who), 0);
+  BOOST_CHECK_GT(t_RC->get(now, DNSName("a.gtld-servers.net."), QType(QType::A), false, &cached, who), 0);
+  BOOST_CHECK_GT(t_RC->get(now, DNSName("a.gtld-servers.net."), QType(QType::AAAA), false, &cached, who), 0);
+  BOOST_CHECK_GT(t_RC->get(now, DNSName("powerdns.com."), QType(QType::NS), false, &cached, who), 0);
+  BOOST_CHECK_GT(t_RC->get(now, DNSName("pdns-public-ns1.powerdns.com."), QType(QType::A), false, &cached, who), 0);
+  BOOST_CHECK_GT(t_RC->get(now, DNSName("pdns-public-ns1.powerdns.com."), QType(QType::AAAA), false, &cached, who), 0);
+  BOOST_CHECK_GT(t_RC->get(now, DNSName("pdns-public-ns2.powerdns.com."), QType(QType::A), false, &cached, who), 0);
+  BOOST_CHECK_GT(t_RC->get(now, DNSName("pdns-public-ns2.powerdns.com."), QType(QType::AAAA), false, &cached, who), 0);
+}
+
+BOOST_AUTO_TEST_CASE(test_records_sanitization_scrubs_ns_nxd) {
+  std::unique_ptr<SyncRes> sr;
+  initSR(sr);
+
+  primeHints();
+
+  const DNSName target("sanitization-ns-nxd.powerdns.com.");
+
+  sr->setAsyncCallback([target](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+
+     setLWResult(res, RCode::NXDomain, true, false, true);
+     addRecordToLW(res, "powerdns.com.", QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY);
+     addRecordToLW(res, "powerdns.com.", QType::NS, "spoofed.ns.", DNSResourceRecord::AUTHORITY, 172800);
+     addRecordToLW(res, "spoofed.ns.", QType::A, "192.0.2.1", DNSResourceRecord::ADDITIONAL, 3600);
+     addRecordToLW(res, "spoofed.ns.", QType::AAAA, "2001:DB8::1", DNSResourceRecord::ADDITIONAL, 3600);
+     return 1;
+    });
+
+  const time_t now = sr->getNow().tv_sec;
+
+  vector<DNSRecord> ret;
+  int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NXDomain);
+  BOOST_CHECK_EQUAL(ret.size(), 1);
+
+  const ComboAddress who;
+  vector<DNSRecord> cached;
+  BOOST_CHECK_GT(t_RC->get(now, DNSName("powerdns.com."), QType(QType::SOA), true, &cached, who), 0);
+  cached.clear();
+
+  BOOST_CHECK_LT(t_RC->get(now, DNSName("powerdns.com."), QType(QType::NS), false, &cached, who), 0);
+  BOOST_CHECK_LT(t_RC->get(now, DNSName("spoofed.ns."), QType(QType::A), false, &cached, who), 0);
+  BOOST_CHECK_LT(t_RC->get(now, DNSName("spoofed.ns."), QType(QType::AAAA), false, &cached, who), 0);
+}
+
+BOOST_AUTO_TEST_SUITE_END()

From 260936e86546731b02d04e883cf780591f095119 Mon Sep 17 00:00:00 2001
From: Otto Moerbeek <otto.moerbeek@open-xchange.com>
Date: Tue, 30 Apr 2019 15:02:43 +0200
Subject: [PATCH 123/127] Fix a delete call on abstract class without virtual
 dt clang warning.

---
 pdns/dnswasher.cc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pdns/dnswasher.cc b/pdns/dnswasher.cc
index 3ae3ea7ee388..c3da28c2d595 100644
--- a/pdns/dnswasher.cc
+++ b/pdns/dnswasher.cc
@@ -54,6 +54,9 @@ po::variables_map g_vm;
 class IPObfuscator
 {
 public:
+  virtual ~IPObfuscator()
+  {
+  }
   virtual uint32_t obf4(uint32_t orig)=0;
   virtual struct in6_addr obf6(const struct in6_addr& orig)=0;
 };

From fc8ed1ad6e818a386f8142c9085e34a849db5c9e Mon Sep 17 00:00:00 2001
From: Kees Monshouwer <mind04@monshouwer.org>
Date: Thu, 2 May 2019 20:01:30 +0200
Subject: [PATCH 124/127] auth: always add DS for secure zones, broken since
 #7523

---
 pdns/packethandler.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index f626ff95f843..9d686a69fe80 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -1031,7 +1031,7 @@ bool PacketHandler::tryReferral(DNSPacket *p, DNSPacket*r, SOAData& sd, const DN
   if(!retargeted)
     r->setA(false);
 
-  if(d_dnssec && !addDSforNS(p, r, sd, rrset.begin()->dr.d_name)) {
+  if(d_dk.isSecuredZone(sd.qname) && !addDSforNS(p, r, sd, rrset.begin()->dr.d_name) && d_dnssec) {
     addNSECX(p, r, rrset.begin()->dr.d_name, DNSName(), sd.qname, 1);
   }
 

From f2e91dbd4767cafa07acb91e9dcd5d9f08e3d92d Mon Sep 17 00:00:00 2001
From: Hannu Ylitalo <hannu.ylitalo@dovecot.fi>
Date: Fri, 3 May 2019 11:44:51 +0200
Subject: [PATCH 125/127] dnsdist: Change addLocal example to IPv6 address in
 quickstart

---
 pdns/dnsdistdist/docs/quickstart.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pdns/dnsdistdist/docs/quickstart.rst b/pdns/dnsdistdist/docs/quickstart.rst
index 78b8126735a2..386ee71f3588 100644
--- a/pdns/dnsdistdist/docs/quickstart.rst
+++ b/pdns/dnsdistdist/docs/quickstart.rst
@@ -106,7 +106,7 @@ To listen on a different address, use the ``-l`` command line option (useful for
 .. code-block:: lua
 
   setLocal('192.0.2.53')      -- Listen on 192.0.2.53, port 53
-  addLocal('192.0.2.54:5300') -- Also listen on 192.0.2.54, port 5300
+  addLocal('[::1]:5300') -- Also listen on ::1, port 5300
 
 Before packets are processed they have to pass the ACL, which helpfully defaults to :rfc:`1918` private IP space.
 This prevents us from easily becoming an open DNS resolver.

From 20698543b3f7b099868f7e8a30d7836d5b98d7d3 Mon Sep 17 00:00:00 2001
From: aerique <erik.winkels@powerdns.com>
Date: Tue, 7 May 2019 11:00:42 +0200
Subject: [PATCH 126/127] Merge pull request #7782 from
 aerique/feature/update-changelog-and-secpoll-for-rec-4.2.0-beta1

Update changelog and secpoll for rec-4.2.0-beta1.
---
 docs/secpoll.zone                        |   3 +-
 pdns/recursordist/docs/changelog/4.2.rst | 165 +++++++++++++++++++++++
 2 files changed, 167 insertions(+), 1 deletion(-)

diff --git a/docs/secpoll.zone b/docs/secpoll.zone
index f72b334decce..14012a04532c 100644
--- a/docs/secpoll.zone
+++ b/docs/secpoll.zone
@@ -1,4 +1,4 @@
-@       86400   IN  SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2019042601 10800 3600 604800 10800
+@       86400   IN  SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2019050701 10800 3600 604800 10800
 @       3600    IN  NS  pdns-public-ns1.powerdns.com.
 @       3600    IN  NS  pdns-public-ns2.powerdns.com.
 ; Auth
@@ -182,6 +182,7 @@ recursor-4.1.10.security-status                         60 IN TXT "1 OK"
 recursor-4.1.11.security-status                         60 IN TXT "1 OK"
 recursor-4.1.12.security-status                         60 IN TXT "1 OK"
 recursor-4.2.0-alpha1.security-status                   60 IN TXT "1 OK"
+recursor-4.2.0-beta1.security-status                    60 IN TXT "1 OK"
 
 ; Recursor Debian
 recursor-3.6.2-2.debian.security-status                 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/"
diff --git a/pdns/recursordist/docs/changelog/4.2.rst b/pdns/recursordist/docs/changelog/4.2.rst
index 4196eca1175a..fb85f956a27f 100644
--- a/pdns/recursordist/docs/changelog/4.2.rst
+++ b/pdns/recursordist/docs/changelog/4.2.rst
@@ -1,6 +1,171 @@
 Changelogs for 4.2.x
 ====================
 
+.. changelog::
+  :version: 4.2.0-beta1
+  :released: 7th of May 2019
+
+  .. change::
+    :tags: Bug Fixes, Internals
+    :pullreq: 7730
+
+    Move replaced negcache entries to the back of the expunge queue.
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 7571
+
+    Add a ``distribution-pipe-buffer-size`` setting.
+
+  .. change::
+    :tags: Bug Fixes, DNSSEC
+    :pullreq: 7714
+
+    Fix DNSSEC validation of non-expanded wildcards.
+
+  .. change::
+    :tags: Bug Fixes, DNSSEC
+    :pullreq: 6341
+    :tickets: 6318
+
+    Add DNAME support.
+
+  .. change::
+    :tags: New Features, Internals
+    :pullreq: 7480
+
+    Implement a way to disallow throttling of auths.
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 7508
+
+    Add ``protobuf-use-kernel-timestamp`` for sharper latencies.
+
+  .. change::
+    :tags: Improvements, Internals
+    :pullreq: 7410
+
+    Ignore path MTU discovery on UDP server socket.
+
+  .. change::
+    :tags: Bug Fixes, Internals
+    :pullreq: 7731
+
+    Fix the cache cleaning code being only run once for workers.
+
+  .. change::
+    :tags: Improvements, Internals
+    :pullreq: 7669
+    :tickets: 7671
+
+    Set ``--enable-option-checking=fatal`` on all package builds, enable SNMP in RPMS.
+
+  .. change::
+    :tags: Bug Fixes, Internals
+    :pullreq: 7708
+
+    Alternative solution to the unaligned accesses.
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 7649
+
+    This provides cpu usage statistics per thread (worker & distributor).
+
+  .. change::
+    :tags: Bug Fixes, Lua
+    :pullreq: 7652
+
+    ``ednsoptionview`` improvements.
+
+  .. change::
+    :tags: New Features
+    :pullreq: 7631
+
+    ECS cache limit with TTL.
+
+  .. change::
+    :tags: New Features, Internals
+    :pullreq: 7507
+
+    Use a bounded load balancing algo to distribute queries.
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 7574
+
+    Add a new ``ecs-minimum-ttl-override`` setting.
+
+  .. change::
+    :tags: Improvements, Internals
+    :pullreq: 7484
+
+    ``Utility::random()`` and ``srandom()`` are not used anymore.
+
+  .. change::
+    :tags: Improvements, API
+    :pullreq: 7504
+    :tickets: 7498
+
+    Add rec statistics about ECS response sizes, API endpoint to get a specific stat.
+
+  .. change::
+    :tags: Bug Fixes, Lua
+    :pullreq: 7589
+
+    Add missing ``getregisteredname`` Lua function. (Aki Tuomi)
+
+  .. change::
+    :tags: Improvements, Internals
+    :pullreq: 7583
+
+    Move back to malloc on !openbsd. Doing mmap/munmap all the time hurts…
+
+  .. change::
+    :tags: Improvements, Internals
+    :pullreq: 7540
+
+    Set ``ip(v6)_recverr`` socket option to get notified of more than just port unreachable errors on Linux.
+
+  .. change::
+    :tags: Improvements, Internals
+    :pullreq: 7502
+
+    Change the way ``getRealMemUsage()`` works on Linux (using ``statm``).
+
+  .. change::
+    :tags: Bug Fixes
+    :pullreq: 7494
+
+    Correctly interpret an empty AXFR response to an IXFR query.
+
+  .. change::
+    :tags: New Features, DNSSEC
+    :pullreq: 7478
+    :tickets: 7445
+
+    Add a new ``max-cache-bogus-ttl`` option.
+
+  .. change::
+    :tags: Improvements, Lua
+    :pullreq: 7492
+    :tickets: 6853
+
+    Lua: expose ``dns_random`` as ``pdnsrandom``.
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 7476
+
+    Add an option to not override custom RPZ types with the default policy.
+
+  .. change::
+    :tags: Improvements
+    :pullreq: 7433
+
+    Resync YaHTTP code to cmouse/yahttp@11be77a1fc4032. (Chris Hofstaedtler)
+
 .. changelog::
   :version: 4.2.0-alpha1
   :released: 1st of February 2019

From 1c1442db3040cd79b747c007540f644b0e210142 Mon Sep 17 00:00:00 2001
From: Chris Hofstaedtler <chris.hofstaedtler@deduktiva.com>
Date: Wed, 8 May 2019 16:10:17 +0200
Subject: [PATCH 127/127] tcpreceiver/doIXFR: Reuse UeberBackend for later

---
 pdns/tcpreceiver.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc
index b9160c072d58..dc89995e9209 100644
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
@@ -1124,7 +1124,8 @@ int TCPNameserver::doIXFR(shared_ptr<DNSPacket> q, int outsock)
     }
   }
 
-  DNSSECKeeper dk;
+  UeberBackend db;
+  DNSSECKeeper dk(&db);
   NSEC3PARAMRecordContent ns3pr;
   bool narrow;
 
@@ -1142,7 +1143,6 @@ int TCPNameserver::doIXFR(shared_ptr<DNSPacket> q, int outsock)
 
   DNSName target = q->qdomain;
 
-  UeberBackend db;
   if(!db.getSOAUncached(target, sd)) {
     g_log<<Logger::Error<<"IXFR of domain '"<<target<<"' failed: not authoritative in second instance"<<endl;
     outpacket->setRcode(RCode::NotAuth);