vendor/unbound/1.6.6

514 files changed, 12153 insertions, 4 deletions

diff --git a/testdata/00-lint.tdir/00-lint.dsc b/testdata/00-lint.tdir/00-lint.dsc
new file mode 100644
index 000000000000..4778f7a81ba5
--- /dev/null
+++ b/testdata/00-lint.tdir/00-lint.dsc
@@ -0,0 +1,16 @@
+BaseName: 00-lint
+Version: 1.0
+Description: Put source into lint.
+CreationDate: Wed Jan  3 14:12:02 CET 2007
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre:
+Post:
+Test: 00-lint.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/00-lint.tdir/00-lint.test b/testdata/00-lint.tdir/00-lint.test
new file mode 100644
index 000000000000..e40dce7d6234
--- /dev/null
+++ b/testdata/00-lint.tdir/00-lint.test
@@ -0,0 +1,11 @@
+# #-- 00-lint.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+. ../common.sh
+PRE="../.."
+get_make
+
+(cd $PRE ; $MAKE lint)
+
diff --git a/testdata/00-lint.tpkg b/testdata/00-lint.tpkg
deleted file mode 100644
index 89e44966d8b6..000000000000
--- a/testdata/00-lint.tpkg
+++ /dev/null
diff --git a/testdata/01-doc.tdir/01-doc.dsc b/testdata/01-doc.tdir/01-doc.dsc
new file mode 100644
index 000000000000..a9282c70171d
--- /dev/null
+++ b/testdata/01-doc.tdir/01-doc.dsc
@@ -0,0 +1,16 @@
+BaseName: 01-doc
+Version: 1.0
+Description: Check documentation
+CreationDate: Wed Jan  3 15:15:01 CET 2007
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre:
+Post:
+Test: 01-doc.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/01-doc.tdir/01-doc.test b/testdata/01-doc.tdir/01-doc.test
new file mode 100644
index 000000000000..6a78a9cd356d
--- /dev/null
+++ b/testdata/01-doc.tdir/01-doc.test
@@ -0,0 +1,47 @@
+# #-- 01-doc.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+. ../common.sh
+
+set_doxygen_path
+
+PRE="../.."
+get_make
+(cd $PRE ; $MAKE doc) > mylog 2>&1
+
+bad=0
+if grep -e "Warning" -e "warning" -e "Error" -e "error" mylog >/dev/null 2>&1;
+then
+	cat mylog
+	bad=1
+else
+	# "doxygen ok"
+	cat mylog
+fi
+
+(cd $PRE; find . -name "*.h" -print) >hlist
+(cd $PRE; find . -name "*.c" -print) >>hlist
+# filter out config.h
+fgrep -v -e "config.h" hlist > ilist; mv ilist hlist
+fgrep -v -e "util/configparser" hlist > ilist; mv ilist hlist
+fgrep -v -e "util/configlexer" hlist > ilist; mv ilist hlist
+fgrep -v -e "util/configyyrename" hlist > ilist; mv ilist hlist
+fgrep -v -e "util/locks.h" hlist > ilist; mv ilist hlist
+fgrep -v -e "util/storage/lookup3.c" hlist > ilist; mv ilist hlist
+fgrep -v -e "ldns-src/" hlist > ilist; mv ilist hlist
+fgrep -v -e "libunbound/python/libunbound_wrap.c" hlist > ilist; mv ilist hlist
+fgrep -v -e "pythonmod/interface.h" hlist > ilist; mv ilist hlist
+fgrep -v -e "dnstap" hlist > ilist; mv ilist hlist
+# filter out compat
+fgrep -v -e "compat/" hlist > ilist; mv ilist hlist
+for h in `cat hlist`; do
+	if fgrep "`basename $h`" $PRE/doc/html/files.html >/dev/null; then
+		: # ok
+	else
+		echo "Warning: $h has no documentation."
+		bad=1
+	fi
+done
+exit $bad
diff --git a/testdata/01-doc.tpkg b/testdata/01-doc.tpkg
deleted file mode 100644
index 6502bdc14e25..000000000000
--- a/testdata/01-doc.tpkg
+++ /dev/null
diff --git a/testdata/02-unittest.tdir/02-unittest.dsc b/testdata/02-unittest.tdir/02-unittest.dsc
new file mode 100644
index 000000000000..b30695a2a846
--- /dev/null
+++ b/testdata/02-unittest.tdir/02-unittest.dsc
@@ -0,0 +1,16 @@
+BaseName: 02-unittest
+Version: 1.0
+Description: Unit tests.
+CreationDate: Thu Jan  4 16:32:42 CET 2007
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre:
+Post:
+Test: 02-unittest.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/02-unittest.tdir/02-unittest.test b/testdata/02-unittest.tdir/02-unittest.test
new file mode 100644
index 000000000000..898cd3dcc124
--- /dev/null
+++ b/testdata/02-unittest.tdir/02-unittest.test
@@ -0,0 +1,26 @@
+# #-- 02-unittest.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+PRE="../.."
+get_make
+(cd $PRE ; $MAKE unittest; $MAKE lock-verify)
+
+if (cd $PRE; ./unittest); then
+	echo "unit test worked."
+else
+	echo "unit test failed."
+	exit 1
+fi
+if test -f $PRE/ublocktrace.0; then
+	if (cd $PRE; ./lock-verify ublocktrace.*); then
+		echo "lock-verify test worked."
+	else
+		echo "lock-verify test failed."
+		exit 1
+	fi
+fi
+exit 0
diff --git a/testdata/02-unittest.tpkg b/testdata/02-unittest.tpkg
deleted file mode 100644
index 4618ae30e6a1..000000000000
--- a/testdata/02-unittest.tpkg
+++ /dev/null
diff --git a/testdata/03-testbound.tdir/03-testbound.dsc b/testdata/03-testbound.tdir/03-testbound.dsc
new file mode 100644
index 000000000000..40cd9f9baf6a
--- /dev/null
+++ b/testdata/03-testbound.tdir/03-testbound.dsc
@@ -0,0 +1,16 @@
+BaseName: 03-testbound
+Version: 1.0
+Description: Run testbound event replay scenarios.
+CreationDate: Tue Feb 13 16:36:18 CET 2007
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre:
+Post:
+Test: 03-testbound.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/03-testbound.tdir/03-testbound.test b/testdata/03-testbound.tdir/03-testbound.test
new file mode 100644
index 000000000000..e23151c41657
--- /dev/null
+++ b/testdata/03-testbound.tdir/03-testbound.test
@@ -0,0 +1,123 @@
+# #-- 03-testbound.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+PRE="../.."
+get_make
+(cd $PRE ; $MAKE testbound)
+exitval=0
+# quiet="" to make verbose
+
+do_valgrind=no
+# valgrind mode for debug
+#if grep "staticexe=-static" $PRE/Makefile >/dev/null 2>&1; then
+#	if test -x "`which valgrind`"; then
+#		do_valgrind=yes
+#	fi
+#fi
+
+# self-test (unit test of testbound)
+if test $do_valgrind = "yes"; then
+	if (valgrind $PRE/testbound -s >tmpout 2>&1;); then
+		echo "selftest   OK  "
+	else
+		echo "selftest FAILED"
+		exit 1
+	fi
+	if grep "All heap blocks were freed -- no leaks are possible." tmpout >/dev/null 2>&1; then
+		:  # clean
+	else
+		echo "Memory leaked in selftest"
+		grep "in use at exit" tmpout
+		exit 1
+	fi
+else
+	if ($PRE/testbound -s >/dev/null 2>&1;); then
+		echo "selftest   OK  "
+	else
+		echo "selftest FAILED"
+		exit 1
+	fi
+fi
+
+
+# the .crpl are not always supported and need checking for SHA256 and GOST
+# support.
+# the .rpl should work on any system (portable).
+for input in $PRE/testdata/*.rpl $PRE/testdata/*.crpl; do
+	header=`grep SCENARIO_BEGIN $input | head -1 | sed -e 's/SCENARIO_BEGIN //'`
+	cleaninput=`echo $input | sed -e "s?$PRE/testdata/??"`
+
+	# detect if SHA256 is needed
+	if echo $cleaninput | grep sha2 >/dev/null 2>&1; then
+		if $PRE/testbound -2 >/dev/null 2>&1; then
+			: # the SHA256 is supported
+		else
+			continue
+		fi
+	fi
+
+	# detect if GOST is needed
+	if echo $cleaninput | grep gost >/dev/null 2>&1; then
+		if $PRE/testbound -g >/dev/null 2>&1; then
+			: # GOST is supported
+		else
+			continue
+		fi
+	fi
+
+	# detect if CLIENT_SUBNET is needed
+	if echo $cleaninput | grep subnet >/dev/null 2>&1; then
+		if $PRE/testbound -c >/dev/null 2>&1; then
+			: # CLIENT_SUBNET is supported
+		else
+			continue
+		fi
+	fi
+
+	# detect if IPSECMOD is needed
+	if echo $cleaninput | grep ipsecmod >/dev/null 2>&1; then
+		if $PRE/testbound -i >/dev/null 2>&1; then
+			: # IPSECMOD is supported
+		else
+			continue
+		fi
+	fi
+
+	if test $do_valgrind = "yes"; then
+		if (valgrind $PRE/testbound -p $input >tmpout 2>&1;); then
+			echo "  OK   $cleaninput: $header"
+		else
+			echo "FAILED $cleaninput: $header"
+			exitval=1
+		fi
+		if grep "All heap blocks were freed -- no leaks are possible." tmpout >/dev/null 2>&1; then
+			:  # clean
+		else
+			echo "Memory leaked in $cleaninput"
+			grep "in use at exit" tmpout
+			exitval=1
+		fi
+	else
+		# do valgrind=no
+		if ($PRE/testbound -p $input >/dev/null 2>&1;); then
+			echo "  OK   $cleaninput: $header"
+		else
+			echo "FAILED $cleaninput: $header"
+			exitval=1
+		fi
+	fi
+	if test -f ublocktrace.0; then
+        	if $PRE/lock-verify ublocktrace.*; then
+                	#echo "lock-verify test $input worked."
+			i=i
+        	else
+                	echo "lock-verify test $input failed."
+			exitval=1
+        	fi
+	fi
+done
+exit $exitval
diff --git a/testdata/03-testbound.tpkg b/testdata/03-testbound.tpkg
deleted file mode 100644
index 5db2b7731336..000000000000
--- a/testdata/03-testbound.tpkg
+++ /dev/null
diff --git a/testdata/04-checkconf.tdir/04-checkconf.dsc b/testdata/04-checkconf.tdir/04-checkconf.dsc
new file mode 100644
index 000000000000..6d307fb88595
--- /dev/null
+++ b/testdata/04-checkconf.tdir/04-checkconf.dsc
@@ -0,0 +1,16 @@
+BaseName: 04-checkconf
+Version: 1.0
+Description: Test configuration checker.
+CreationDate: Fri Sep 28 15:46:27 CEST 2007
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre:
+Post:
+Test: 04-checkconf.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/04-checkconf.tdir/04-checkconf.test b/testdata/04-checkconf.tdir/04-checkconf.test
new file mode 100644
index 000000000000..a2396fef7608
--- /dev/null
+++ b/testdata/04-checkconf.tdir/04-checkconf.test
@@ -0,0 +1,72 @@
+# #-- 04-checkconf.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# test that failed exit code is used
+$PRE/unbound-checkconf bla bla bla>/dev/null
+if test $? != 1; then
+	echo "exit code for usage wrong"
+	exit 1
+fi
+$PRE/unbound-checkconf -h >/dev/null
+if test $? != 1; then
+	echo "exit code for usage wrong"
+	exit 1
+fi
+$PRE/unbound-checkconf notexist_file 
+if test $? != 1; then
+	echo "exit code for nofile wrong"
+	exit 1
+fi
+
+# detect windows
+if grep "define UB_ON_WINDOWS 1" ../../config.h; then
+	onwin=1
+else
+	onwin=0
+fi
+
+# test check of config files.
+for f in bad.*; do
+	echo
+	echo $PRE/unbound-checkconf $f
+	if test $f = "bad.user" -a $onwin -eq 1; then
+		echo "skipped on windows"
+		continue
+	fi
+
+	$PRE/unbound-checkconf $f
+	if test $? != 1; then
+		echo "exit code case $f wrong"
+		exit 1
+	fi
+done
+for f in good.*; do
+	echo
+	echo $PRE/unbound-checkconf $f
+	$PRE/unbound-checkconf $f
+	if test $? != 0; then
+		echo "exit code case $f wrong"
+		exit 1
+	fi
+done
+
+echo $PRE/unbound-checkconf warn.algo
+$PRE/unbound-checkconf warn.algo > outfile 2>&1
+if test $? != 0; then
+	cat outfile
+	echo "wrong exit code, warning should not fail with error"
+	exit 1
+fi
+cat outfile
+if grep "unsupported algo" outfile; then
+	echo "OK"
+else
+	echo "Failed, should print warning"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/04-checkconf.tdir/bad.badfwd b/testdata/04-checkconf.tdir/bad.badfwd
new file mode 100644
index 000000000000..27d58c5ea048
--- /dev/null
+++ b/testdata/04-checkconf.tdir/bad.badfwd
@@ -0,0 +1,8 @@
+server:
+	# to make sure the check doesn't fail on username or chrootdir.
+	username: ""	
+	chroot: ""
+
+forward-zone:
+	name: "example.com"
+	forward-addr: 123.123.AAAA.123
diff --git a/testdata/04-checkconf.tdir/bad.badif b/testdata/04-checkconf.tdir/bad.badif
new file mode 100644
index 000000000000..ea261fc2dbdb
--- /dev/null
+++ b/testdata/04-checkconf.tdir/bad.badif
@@ -0,0 +1,17 @@
+# bad host and interface lines.
+server:
+	username: ""
+	interface: 127.0.0.1
+	interface: 127.0.0.1
+	interface: 127.0.0.1
+	outgoing-interface: ::1
+	outgoing-interface: ::1
+	outgoing-interface: ::1
+	
+forward-zone:
+	name: root.
+	forward-host: 127.0.0.1
+
+stub-zone:
+	name: com.
+	stub-host: ::3
diff --git a/testdata/04-checkconf.tdir/bad.badip b/testdata/04-checkconf.tdir/bad.badip
new file mode 100644
index 000000000000..74b2b7eb27a7
--- /dev/null
+++ b/testdata/04-checkconf.tdir/bad.badip
@@ -0,0 +1,2 @@
+server:
+	interface: 123.AAAA.123.123
diff --git a/testdata/04-checkconf.tdir/bad.bind b/testdata/04-checkconf.tdir/bad.bind
new file mode 100644
index 000000000000..863d566e9ef8
--- /dev/null
+++ b/testdata/04-checkconf.tdir/bad.bind
@@ -0,0 +1,35 @@
+# test daemon
+options {
+	directory "/home/wouter/bla";
+	version "test BIND 24";
+	pid-file "/home/wouter/named_24.pid";
+	dnssec-enable yes;
+	listen-on-v6 { any; };
+};
+
+// logging clause
+logging {
+	channel mainlog {
+		file "named_24.log" size 10m;
+		severity info;
+	};
+	category default {
+		mainlog;
+	};
+};
+
+zone "." IN {
+	type hint;
+	file "root.servers";
+};
+
+zone "localhost" IN {
+	type master;
+	file "localhost.zone";
+	allow-update { none; };
+};
+zone "0.0.127.in-addr.arpa" IN {
+	type master;
+	file "localhost.rev";
+	allow-update { none; };
+};
diff --git a/testdata/04-checkconf.tdir/bad.user b/testdata/04-checkconf.tdir/bad.user
new file mode 100644
index 000000000000..40631abb4f79
--- /dev/null
+++ b/testdata/04-checkconf.tdir/bad.user
@@ -0,0 +1,2 @@
+server:
+	username: blabla_noexist_user
diff --git a/testdata/04-checkconf.tdir/good.all b/testdata/04-checkconf.tdir/good.all
new file mode 100644
index 000000000000..33ebaf014abf
--- /dev/null
+++ b/testdata/04-checkconf.tdir/good.all
@@ -0,0 +1,246 @@
+# To test, all options are used.
+#
+# Example configuration file.
+#
+# See unbound.conf(5) man page.
+#
+# this is a comment.
+
+#Use this to include other text into the file.
+#include: "otherfile.conf"
+
+# The server clause sets the main parameters. 
+server:
+	# whitespace is not necessary, but looks cleaner.
+
+	# verbosity number, 0 is least verbose. 1 is default.
+	verbosity: 2
+	
+	# number of threads to create. 1 disables threading.
+	num-threads: 1
+
+	# specify the interfaces to answer queries from by ip-address.
+	# If you give none the default (all) interface is used.
+	# specify every interface on a new 'interface:' labelled line.
+	interface: 192.0.2.153
+	interface: 192.0.2.154
+	interface: 2001:DB8::5
+
+	# port to answer queries from
+	port: 53
+
+	# number of port to allocate per thread, determines the size of the
+	# port range. A larger port range gives more resistance to certain
+	# spoof attacks, as it gets harder to guess which port is used. 
+	# But also takes more system resources (for open sockets).
+	outgoing-range: 16
+
+	outgoing-port-permit: 1000-1020
+	outgoing-port-avoid: 2000-2048
+	outgoing-port-avoid: 3000
+
+	# number of outgoing simultaneous tcp buffers to hold per thread.
+	outgoing-num-tcp: 10
+
+	# number of incoming simultaneous tcp buffers to hold per thread.
+	incoming-num-tcp: 10
+	
+	# buffer size for handling DNS data. No messages larger than this
+	# size can be sent or received, by UDP or TCP. In bytes.
+	msg-buffer-size: 65552
+
+	# the amount of memory to use for the message cache.
+	# in bytes. default is 4 Mb
+	msg-cache-size: 4194304
+
+	# the number of slabs to use for the message cache.
+	# the number of slabs must be a power of 2.
+	# more slabs reduce lock contention, but fragment memory usage.
+	msg-cache-slabs: 4
+
+	# the number of queries that a thread gets to service.
+	num-queries-per-thread: 1024
+
+	# the amount of memory to use for the RRset cache.
+	# in bytes. default is 4 Mb
+	rrset-cache-size: 4194304
+
+	# the number of slabs to use for the RRset cache.
+	# the number of slabs must be a power of 2.
+	# more slabs reduce lock contention, but fragment memory usage.
+	rrset-cache-slabs: 4
+
+	# the time to live (TTL) value for cached roundtrip times and
+	# EDNS version information for hosts. In seconds.
+	infra-host-ttl: 900
+
+	# the time to live (TTL) value for cached lame delegations. In sec.
+	infra-lame-ttl: 900
+
+	# the number of slabs to use for the Infrastructure cache.
+	# the number of slabs must be a power of 2.
+	# more slabs reduce lock contention, but fragment memory usage.
+	infra-cache-slabs: 4
+
+	# the maximum number of hosts that are cached (roundtrip times, EDNS).
+	infra-cache-numhosts: 10000
+
+	# the maximum size of the lame zones cached per host. in bytes.
+	infra-cache-lame-size: 10240
+
+	# Enable IPv4, "yes" or "no".
+	do-ip4: yes
+
+	# Enable IPv6, "yes" or "no".
+	do-ip6: yes
+
+	# Enable UDP, "yes" or "no".
+	do-udp: yes
+
+	# Enable TCP, "yes" or "no".
+	do-tcp: yes
+
+	# if given, a chroot(2) is done to the given directory.
+	# i.e. you can chroot to the working directory, for example,
+	# for extra security, but make sure all files are in that directory.
+	chroot: ""
+
+	# if given, user privileges are dropped (after binding port),
+	# and the given username is assumed. Default is nothing "".
+	username: "nobody"
+
+	# the working directory.
+	directory: "."
+
+	# the log file, "" means log to stderr. 
+	# Use of this option sets use-syslog to "no".
+	logfile: ""
+	
+	# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to 
+	# log to, with identity "unbound". If yes, it overrides the logfile.
+	use-syslog: no 
+
+	# the pid file.
+	pidfile: "unbound.pid"
+	
+	# enable to not answer id.server and hostname.bind queries.
+	hide-identity: no
+	
+	# enable to not answer version.server and version.bind queries.
+	hide-version: no
+	
+	# the identity to report. Leave "" or default to return hostname.
+	identity: ""
+	
+	# the version to report. Leave "" or default to return package version.
+	version: ""
+	
+	# the target fetch policy.
+	# series of integers describing the policy per dependency depth. 
+	# The number of values in the list determines the maximum dependency 
+	# depth the recursor will pursue before giving up. Each integer means:
+	# 	-1 : fetch all targets opportunistically,
+	# 	0: fetch on demand,
+	#	positive value: fetch that many targets opportunistically.
+	# Enclose the list of numbers between quotes ("").
+	target-fetch-policy: "3 2 1 0 0"
+	
+	# Harden against very small EDNS buffer sizes. 
+	harden-short-bufsize: yes
+	
+	# Harden against unseemly large queries.
+	harden-large-queries: yes
+	
+	# Harden against out of zone rrsets, to avoid spoofing attempts. 
+	harden-glue: yes
+	
+	# Do not query the following addresses. No DNS queries are sent there.
+	# List one address per entry. To block other ports than the default
+	# DNS port, use "1.2.3.4@123" to block port 123 for 1.2.3.4.
+	do-not-query-address: 127.0.0.1
+	do-not-query-address: 127.0.0.2
+	do-not-query-address: 127.255.255.255
+	do-not-query-address: ::1
+	
+	# module configuration of the server. A string with identifiers
+	# separated by spaces. "iterator" or "validator iterator"
+	module-config: "validator iterator"
+	
+	# File with trusted keys for validation. Specify more than one file
+	# with several entries, one file per entry.
+	# Zone file format, with DS and DNSKEY entries.
+	trust-anchor-file: ""
+	
+	# Trusted key for validation. DS or DNSKEY. specify the RR on a
+	# single line, surrounded by "". TTL is ignored. class is IN default.
+	# (These examples are from August 2007 and may not be valid anymore).
+	trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
+	trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
+
+	# File with trusted keys for validation. Specify more than one file
+	# with several entries, one file per entry. Like trust-anchor-file
+	# but has a different file format. Format is BIND-9 style format, 
+	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
+	trusted-keys-file: ""
+
+	# Override the date for validation with a specific fixed date.
+	# Do not set this unless you are debugging signature inception
+	# and expiration. "" or "0" turns the feature off. 
+	val-override-date: ""
+	
+	# The time to live for bogus data, rrsets and messages. This avoids
+	# some of the revalidation, until the time interval expires. in secs.
+	val-bogus-ttl: 900
+	
+	# Should additional section of secure message also be kept clean of
+	# unsecure data. Useful to shield the users of this validator from
+	# potential bogus data in the additional section. All unsigned data 
+	# in the additional section is removed from secure messages.
+	val-clean-additional: yes
+	
+	# Turn permissive mode on to permit bogus messages. Thus, messages
+	# for which security checks failed will be returned to clients,
+	# instead of SERVFAIL. It still performs the security checks, which
+	# result in interesting log files and possibly the AD bit in
+	# replies if the message is found secure. The default is off.
+	val-permissive-mode: no
+	
+	# It is possible to configure NSEC3 maximum iteration counts per
+	# keysize. Keep this table very short, as linear search is done.
+	# A message with an NSEC3 with larger count is marked insecure.
+	# List in ascending order the keysize and count values.
+	val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
+
+	# the amount of memory to use for the key cache.
+	# in bytes. default is 4 Mb
+	key-cache-size: 4194304
+
+	# the number of slabs to use for the key cache.
+	# the number of slabs must be a power of 2.
+	# more slabs reduce lock contention, but fragment memory usage.
+	key-cache-slabs: 4
+
+
+# Stub zones.
+# Create entries like below, to make all queries for 'example.com' and 
+# 'example.org' go to the given list of nameservers. list zero or more 
+# nameservers by hostname or by ipaddress.
+stub-zone:
+	name: "example.com"
+	stub-addr: 192.0.2.68
+stub-zone:
+	name: "example.org"
+	stub-host: ns.example.com.
+
+# Forward zones
+# Create entries like below, to make all queries for 'example.com' and
+# 'example.org' go to the given list of servers. These servers have to handle
+# recursion to other nameservers. List zero or more nameservers by hostname
+# or by ipaddress. Use an entry with name "." to forward all queries.
+forward-zone:
+ 	name: "example.com"
+ 	forward-addr: 192.0.2.68
+ 	forward-addr: 192.0.2.73@5355  # forward to port 5355.
+forward-zone:
+ 	name: "example.org"
+ 	forward-host: fwd.example.com
diff --git a/testdata/04-checkconf.tdir/good.ifport b/testdata/04-checkconf.tdir/good.ifport
new file mode 100644
index 000000000000..1aa59d1b701f
--- /dev/null
+++ b/testdata/04-checkconf.tdir/good.ifport
@@ -0,0 +1,23 @@
+#
+# bug301 : unbound-checkconf cannot parse interface '0.0.0.0@5353'
+
+#Use this to include other text into the file.
+#include: "otherfile.conf"
+
+# The server clause sets the main parameters. 
+server:
+	# specify the interfaces to answer queries from by ip-address.
+	# If you give none the default (all) interface is used.
+	# specify every interface on a new 'interface:' labelled line.
+	interface: 192.0.2.153
+	interface: 192.0.2.154
+	interface: 2001:DB8::5
+	interface: 0.0.0.0@5353
+
+	# config
+	chroot: ""
+	username: "nobody"
+	directory: "."
+	logfile: ""
+	use-syslog: no 
+	pidfile: "unbound.pid"
diff --git a/testdata/04-checkconf.tdir/good.include b/testdata/04-checkconf.tdir/good.include
new file mode 100644
index 000000000000..49e742d75d81
--- /dev/null
+++ b/testdata/04-checkconf.tdir/good.include
@@ -0,0 +1,6 @@
+# include some file to test include functionality.
+
+include: "good.all"
+
+server:
+	identity: "my identity"
diff --git a/testdata/04-checkconf.tdir/warn.algo b/testdata/04-checkconf.tdir/warn.algo
new file mode 100644
index 000000000000..dcd1a9073366
--- /dev/null
+++ b/testdata/04-checkconf.tdir/warn.algo
@@ -0,0 +1,9 @@
+server:
+	chroot: ""
+	directory: ""
+	pidfile: ""
+	username: ""
+	logfile: ""
+
+	trust-anchor: "jelte.nlnetlabs.nl. DS 42860 2000 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A" 
+
diff --git a/testdata/04-checkconf.tpkg b/testdata/04-checkconf.tpkg
deleted file mode 100644
index c100355de7ba..000000000000
--- a/testdata/04-checkconf.tpkg
+++ /dev/null
diff --git a/testdata/05-asynclook.tdir/05-asynclook.dsc b/testdata/05-asynclook.tdir/05-asynclook.dsc
new file mode 100644
index 000000000000..59ada05b1d51
--- /dev/null
+++ b/testdata/05-asynclook.tdir/05-asynclook.dsc
@@ -0,0 +1,16 @@
+BaseName: 05-asynclook
+Version: 1.0
+Description: Test async lookup using libunbound
+CreationDate: Fri Jan 25 09:50:35 CET 2008
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: 05-asynclook.pre
+Post: 05-asynclook.post
+Test: 05-asynclook.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/05-asynclook.tdir/05-asynclook.hosts b/testdata/05-asynclook.tdir/05-asynclook.hosts
new file mode 100644
index 000000000000..fa5e5482e72f
--- /dev/null
+++ b/testdata/05-asynclook.tdir/05-asynclook.hosts
@@ -0,0 +1,12 @@
+# Host Database
+#
+# This file should contain the addresses and aliases for local hosts that
+# share this file.  Replace 'my.domain' below with the domainname of your
+# machine.
+#
+::1                     localhost localhost.my.domain
+127.0.0.1               localhost localhost.my.domain
+# Imaginary network.
+10.0.0.2               myname.my.domain myname
+10.0.0.3               myfriend.my.domain myfriend
+10.20.30.40		virtual.virtual.virtual.local
diff --git a/testdata/05-asynclook.tdir/05-asynclook.post b/testdata/05-asynclook.tdir/05-asynclook.post
new file mode 100644
index 000000000000..a4620f6f412e
--- /dev/null
+++ b/testdata/05-asynclook.tdir/05-asynclook.post
@@ -0,0 +1,10 @@
+# #-- 05-asynclook.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+
+. ../common.sh
+kill_pid $FWD_PID
diff --git a/testdata/05-asynclook.tdir/05-asynclook.pre b/testdata/05-asynclook.tdir/05-asynclook.pre
new file mode 100644
index 000000000000..708f7f6e2d3e
--- /dev/null
+++ b/testdata/05-asynclook.tdir/05-asynclook.pre
@@ -0,0 +1,20 @@
+# #-- 05-asynclook.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+FWD_PORT=$(($RND_PORT + 1))
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT 05-asynclook.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+
+wait_ldns_testns_up fwd.log
diff --git a/testdata/05-asynclook.tdir/05-asynclook.test b/testdata/05-asynclook.tdir/05-asynclook.test
new file mode 100644
index 000000000000..28a054d1aba3
--- /dev/null
+++ b/testdata/05-asynclook.tdir/05-asynclook.test
@@ -0,0 +1,198 @@
+# #-- 05-asynclook.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+# test if fwder is up
+echo "> dig @127.0.0.1 -p $FWD_PORT www.example.com | tee outfile"
+dig @127.0.0.1 -p $FWD_PORT www.example.com | tee outfile
+if grep "10.20.30.40" outfile; then
+	echo "fwder is up"
+else
+	cat fwd.log
+	echo "fwder not up"
+	exit 1
+fi
+rm outfile
+
+# create asynclook
+get_make
+echo "> (cd $PRE ; $MAKE asynclook)"
+(cd $PRE ; $MAKE asynclook)
+if test ! -x $PRE/asynclook; then
+	echo "cannot build asynclook test program"
+	exit 1
+fi
+(cd $PRE ; $MAKE lock-verify)
+
+# check the locks.
+function locktest() {
+	if test -x $PRE/lock-verify -a -f ublocktrace.0; then
+		$PRE/lock-verify ublocktrace.*
+		if test $? -ne 0; then
+			echo "lock-verify error"
+			exit 1
+		fi
+	fi
+}
+
+# detect if there is forking on this system.
+HAVE_FORK=yes
+if grep "undef HAVE_FORK" $PRE/config.h >/dev/null 2>&1; then
+	HAVE_FORK=no
+fi
+
+if test $HAVE_FORK = yes; then
+# test hosts reading (directed at local auth info)
+echo '> $PRE/asynclook -H 05-asynclook.hosts virtual.virtual.virtual.local 2>&1 | tee outfile'
+$PRE/asynclook -H 05-asynclook.hosts virtual.virtual.virtual.local 2>&1 | tee outfile
+if grep "virtual.virtual.virtual.local: 10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+locktest
+rm outfile
+
+# test async lookups (directed at testns)
+echo '> $PRE/asynclook -f "127.0.0.1@"$FWD_PORT www.example.com 2>&1 | tee outfile'
+$PRE/asynclook -f "127.0.0.1@"$FWD_PORT www.example.com 2>&1 | tee outfile
+if grep "www.example.com: 10.20.30.40" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+locktest
+rm outfile
+
+echo '> $PRE/asynclook -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile'
+$PRE/asynclook -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile
+if grep "www.example.com: 10.20.30.40" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www2.example.com: 10.20.30.42" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+locktest
+rm outfile
+
+fi #HAVE_FORK
+
+echo '> $PRE/asynclook -t -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile'
+$PRE/asynclook -t -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile
+if grep "www.example.com: 10.20.30.40" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www2.example.com: 10.20.30.42" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+locktest
+rm outfile
+
+if test $HAVE_FORK = yes; then
+# test cancellation
+echo '> $PRE/asynclook -c -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile'
+$PRE/asynclook -c -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile
+if grep "www.example.com: cancelled" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www2.example.com: cancelled" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+locktest
+rm outfile
+fi #HAVE_FORK
+
+echo '> $PRE/asynclook -t -c -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile'
+$PRE/asynclook -t -c -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile
+if grep "www.example.com: cancelled" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www2.example.com: cancelled" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+locktest
+rm outfile
+
+if test $HAVE_FORK = yes; then
+# test blocking mode
+echo '> $PRE/asynclook -b -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile'
+$PRE/asynclook -b -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile
+if grep "www.example.com: 10.20.30.40" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www2.example.com: 10.20.30.42" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+locktest
+rm outfile
+fi #HAVE_FORK
+
+echo '> $PRE/asynclook -t -b -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile'
+$PRE/asynclook -t -b -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile
+if grep "www.example.com: 10.20.30.40" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www2.example.com: 10.20.30.42" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+locktest
+rm outfile
+
+echo "> cat logfiles"
+cat fwd.log 
+exit 0
diff --git a/testdata/05-asynclook.tdir/05-asynclook.testns b/testdata/05-asynclook.tdir/05-asynclook.testns
new file mode 100644
index 000000000000..6245ae164172
--- /dev/null
+++ b/testdata/05-asynclook.tdir/05-asynclook.testns
@@ -0,0 +1,35 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+; for priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+@	IN	NS
+SECTION ANSWER
+@	IN	NS	127.0.0.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www2	IN	A
+SECTION ANSWER
+www2	IN	A	10.20.30.42
+ENTRY_END
+
diff --git a/testdata/05-asynclook.tpkg b/testdata/05-asynclook.tpkg
deleted file mode 100644
index e13476ab297c..000000000000
--- a/testdata/05-asynclook.tpkg
+++ /dev/null
diff --git a/testdata/06-ianaports.tdir/06-ianaports.dsc b/testdata/06-ianaports.tdir/06-ianaports.dsc
new file mode 100644
index 000000000000..6eb91e3e668d
--- /dev/null
+++ b/testdata/06-ianaports.tdir/06-ianaports.dsc
@@ -0,0 +1,16 @@
+BaseName: 06-ianaports
+Version: 1.0
+Description: check if iana assigned ports have changed.
+CreationDate: Thu Apr 10 12:42:40 CEST 2008
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre:
+Post:
+Test: 06-ianaports.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/06-ianaports.tdir/06-ianaports.test b/testdata/06-ianaports.tdir/06-ianaports.test
new file mode 100644
index 000000000000..1c51218a853b
--- /dev/null
+++ b/testdata/06-ianaports.tdir/06-ianaports.test
@@ -0,0 +1,27 @@
+# #-- 06-ianaports.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+
+mkdir util
+get_make
+echo "> $MAKE -f $PRE/Makefile iana_update"
+$MAKE -f $PRE/Makefile iana_update
+if test $? -ne 0; then
+	echo "cannot iana update"
+	exit 1
+fi
+
+diff -u $PRE/util/iana_ports.inc util/iana_ports.inc
+if test $? -ne 0; then
+	echo "IANA assigned ports have updated, make iana_update and commit"
+	echo "cp util/iana_ports.inc $PRE/util/iana_ports.inc"
+	cp util/iana_ports.inc $PRE/util/iana_ports.inc
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/06-ianaports.tpkg b/testdata/06-ianaports.tpkg
deleted file mode 100644
index 98020a0a5eb1..000000000000
--- a/testdata/06-ianaports.tpkg
+++ /dev/null
diff --git a/testdata/07-confroot.tdir/07-confroot.dsc b/testdata/07-confroot.tdir/07-confroot.dsc
new file mode 100644
index 000000000000..f1cbe6e7da2e
--- /dev/null
+++ b/testdata/07-confroot.tdir/07-confroot.dsc
@@ -0,0 +1,16 @@
+BaseName: 07-confroot
+Version: 1.0
+Description: test checkconf with chroot dir.
+CreationDate: Mon Apr 14 14:54:59 CEST 2008
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre:
+Post:
+Test: 07-confroot.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/07-confroot.tdir/07-confroot.test b/testdata/07-confroot.tdir/07-confroot.test
new file mode 100644
index 000000000000..5238435167a8
--- /dev/null
+++ b/testdata/07-confroot.tdir/07-confroot.test
@@ -0,0 +1,287 @@
+# #-- 07-confroot.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+
+if uname | grep "MINGW" >/dev/null; then
+	# no chroot, no need to test.
+	# (test fails on / en \ comparisons, by the way).
+	echo "no chroot on windows, end test"
+	exit 0
+fi
+
+# create config file
+cwd=`pwd -P`
+subdir=$cwd/subdir
+user=`whoami`
+mkdir subdir
+if test $? -ne 0; then
+	echo "could not create subdir"
+	exit 1
+fi
+
+cat > test.conf <<EOF
+server:
+	chroot: $cwd
+	directory: $subdir
+	username: $user
+
+	pidfile: "/unbound.pid"
+	root-hints: "root.ca"
+	root-hints: "$subdir/root.cb"
+	root-hints: "/subdir/root.cc"
+
+	logfile: "output.log"
+
+	trust-anchor-file: "$subdir/trustanchor.conf"
+	trust-anchor-file: "/subdir/trustanchor.conf"
+	trust-anchor-file: "trustanchor.conf"
+
+	trusted-keys-file: "trustkeys.conf"
+	trusted-keys-file: "$subdir/trustkeys2.conf"
+	trusted-keys-file: "/subdir/trustkeys3.conf"
+EOF
+
+# fake root file
+echo ". NS a.root-servers.net." > subdir/root.ca
+echo "a.root-servers.net. IN A 127.0.0.1" >> subdir/root.ca
+echo ". CH NS b.root-servers.net." > subdir/root.cb
+echo "b.root-servers.net. CH A 127.0.0.1" >> subdir/root.cb
+echo ". HS NS c.root-servers.net." > subdir/root.cc
+echo "c.root-servers.net. HS A 127.0.0.1" >> subdir/root.cc
+echo "" > subdir/trustkeys.conf
+echo "" > subdir/trustkeys2.conf
+echo "" > subdir/trustkeys3.conf
+echo "" > subdir/trustanchor.conf
+echo "" > subdir/trustanchor2.conf
+echo "" > subdir/trustanchor3.conf
+
+$PRE/unbound-checkconf test.conf
+if test $? -ne 0; then
+	echo "Checkconf of config with chroot inside it failed"
+	exit 1
+fi
+echo "OK 1"
+
+### NEXT TEST
+
+cat > test.conf <<EOF
+server:
+	chroot: $cwd
+	directory: "subdir"
+	username: $user
+
+	pidfile: "/unbound.pid"
+	root-hints: "root.ca"
+	root-hints: "$subdir/root.cb"
+	root-hints: "/subdir/root.cc"
+
+	logfile: "output.log"
+
+	trust-anchor-file: "$subdir/trustanchor.conf"
+	trust-anchor-file: "/subdir/trustanchor.conf"
+	trust-anchor-file: "trustanchor.conf"
+
+	trusted-keys-file: "trustkeys.conf"
+	trusted-keys-file: "$subdir/trustkeys2.conf"
+	trusted-keys-file: "/subdir/trustkeys3.conf"
+EOF
+
+$PRE/unbound-checkconf test.conf
+if test $? -ne 0; then
+	echo "Checkconf of config with chroot inside it failed"
+	exit 1
+fi
+echo "OK 2"
+
+### NEXT TEST
+
+cat > test.conf <<EOF
+server:
+	chroot: $cwd
+	directory: "/subdir"
+	username: $user
+
+	pidfile: "/unbound.pid"
+	root-hints: "root.ca"
+	root-hints: "$subdir/root.cb"
+	root-hints: "/subdir/root.cc"
+
+	logfile: "output.log"
+
+	trust-anchor-file: "$subdir/trustanchor.conf"
+	trust-anchor-file: "/subdir/trustanchor.conf"
+	trust-anchor-file: "trustanchor.conf"
+
+	trusted-keys-file: "trustkeys.conf"
+	trusted-keys-file: "$subdir/trustkeys2.conf"
+	trusted-keys-file: "/subdir/trustkeys3.conf"
+EOF
+
+$PRE/unbound-checkconf test.conf
+if test $? -ne 0; then
+	echo "Checkconf of config with chroot inside it failed"
+	exit 1
+fi
+echo "OK 3"
+
+### NEXT TEST
+
+cat > test.conf <<EOF
+server:
+	chroot: "."
+	directory: "./subdir"
+	username: $user
+
+	pidfile: "/unbound.pid"
+	root-hints: "root.ca"
+	#root-hints: "$subdir/root.cb"
+	root-hints: "/subdir/root.cc"
+
+	logfile: "output.log"
+
+	#trust-anchor-file: "$subdir/trustanchor.conf"
+	trust-anchor-file: "/subdir/trustanchor.conf"
+	trust-anchor-file: "trustanchor.conf"
+
+	trusted-keys-file: "trustkeys.conf"
+	#trusted-keys-file: "$subdir/trustkeys2.conf"
+	trusted-keys-file: "/subdir/trustkeys3.conf"
+EOF
+
+$PRE/unbound-checkconf test.conf
+if test $? -ne 1; then
+	echo "Checkconf of config with chroot inside it failed"
+	exit 1
+fi
+echo "OK 4"
+
+### NEXT TEST
+
+cat > test.conf <<EOF
+server:
+	chroot: ""
+	directory: "subdir"
+	username: $user
+
+	pidfile: "/unbound.pid"
+	root-hints: "root.ca"
+	root-hints: "$subdir/root.cb"
+	#root-hints: "/subdir/root.cc"
+
+	logfile: "output.log"
+
+	trust-anchor-file: "$subdir/trustanchor.conf"
+	#trust-anchor-file: "/subdir/trustanchor.conf"
+	trust-anchor-file: "trustanchor.conf"
+
+	trusted-keys-file: "trustkeys.conf"
+	trusted-keys-file: "$subdir/trustkeys2.conf"
+	#trusted-keys-file: "/subdir/trustkeys3.conf"
+EOF
+
+$PRE/unbound-checkconf test.conf
+if test $? -ne 0; then
+	echo "Checkconf of config with chroot inside it failed"
+	exit 1
+fi
+echo "OK 5"
+
+### NEXT TEST
+
+cat > test.conf <<EOF
+server:
+	chroot: ""
+	directory: ""
+	username: $user
+
+	pidfile: "/unbound.pid"
+	#root-hints: "root.ca"
+	root-hints: "$subdir/root.cb"
+	root-hints: "subdir/root.cc"
+
+	logfile: "output.log"
+
+	trust-anchor-file: "$subdir/trustanchor.conf"
+	trust-anchor-file: "subdir/trustanchor.conf"
+	#trust-anchor-file: "trustanchor.conf"
+
+	#trusted-keys-file: "trustkeys.conf"
+	trusted-keys-file: "$subdir/trustkeys2.conf"
+	trusted-keys-file: "subdir/trustkeys3.conf"
+EOF
+
+$PRE/unbound-checkconf test.conf
+if test $? -ne 0; then
+	echo "Checkconf of config with chroot inside it failed"
+	exit 1
+fi
+echo "OK 6"
+
+### NEXT TEST
+
+cat > test.conf <<EOF
+server:
+	chroot: "."
+	directory: ""
+	username: $user
+
+	pidfile: "/nosubdir/unbound.pid"
+	#root-hints: "root.ca"
+	#root-hints: "$subdir/root.cb"
+	root-hints: "subdir/root.cc"
+
+	logfile: "output.log"
+
+	#trust-anchor-file: "$subdir/trustanchor.conf"
+	trust-anchor-file: "subdir/trustanchor.conf"
+	#trust-anchor-file: "trustanchor.conf"
+
+	#trusted-keys-file: "trustkeys.conf"
+	#trusted-keys-file: "$subdir/trustkeys2.conf"
+	trusted-keys-file: "subdir/trustkeys3.conf"
+EOF
+
+$PRE/unbound-checkconf test.conf
+if test $? -ne 1; then
+	echo "Checkconf of config with chroot inside it failed"
+	exit 1
+fi
+echo "OK 7"
+
+### NEXT TEST
+
+cat > test.conf <<EOF
+server:
+	chroot: $cwd
+	directory: ""
+	username: $user
+
+	pidfile: "/unbound.pid"
+	#root-hints: "root.ca"
+	root-hints: "$subdir/root.cb"
+	root-hints: "/subdir/root.cc"
+
+	logfile: "output.log"
+
+	trust-anchor-file: "$subdir/trustanchor.conf"
+	trust-anchor-file: "/subdir/trustanchor.conf"
+	#trust-anchor-file: "trustanchor.conf"
+
+	#trusted-keys-file: "trustkeys.conf"
+	trusted-keys-file: "$subdir/trustkeys2.conf"
+	trusted-keys-file: "/subdir/trustkeys3.conf"
+EOF
+
+$PRE/unbound-checkconf test.conf
+if test $? -ne 0; then
+	echo "Checkconf of config with chroot inside it failed"
+	exit 1
+fi
+echo "OK 8"
+
+
+exit 0
diff --git a/testdata/07-confroot.tpkg b/testdata/07-confroot.tpkg
deleted file mode 100644
index 705c7087661b..000000000000
--- a/testdata/07-confroot.tpkg
+++ /dev/null
diff --git a/testdata/08-host-lib.tdir/08-host-lib.dsc b/testdata/08-host-lib.tdir/08-host-lib.dsc
new file mode 100644
index 000000000000..c7c18b41bcaf
--- /dev/null
+++ b/testdata/08-host-lib.tdir/08-host-lib.dsc
@@ -0,0 +1,16 @@
+BaseName: 08-host-lib
+Version: 1.0
+Description: Test async lookup using libunbound
+CreationDate: Fri May 16 13:21:58 CEST 2008
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: 08-host-lib.pre
+Post: 08-host-lib.post
+Test: 08-host-lib.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/08-host-lib.tdir/08-host-lib.hosts b/testdata/08-host-lib.tdir/08-host-lib.hosts
new file mode 100644
index 000000000000..fa5e5482e72f
--- /dev/null
+++ b/testdata/08-host-lib.tdir/08-host-lib.hosts
@@ -0,0 +1,12 @@
+# Host Database
+#
+# This file should contain the addresses and aliases for local hosts that
+# share this file.  Replace 'my.domain' below with the domainname of your
+# machine.
+#
+::1                     localhost localhost.my.domain
+127.0.0.1               localhost localhost.my.domain
+# Imaginary network.
+10.0.0.2               myname.my.domain myname
+10.0.0.3               myfriend.my.domain myfriend
+10.20.30.40		virtual.virtual.virtual.local
diff --git a/testdata/08-host-lib.tdir/08-host-lib.post b/testdata/08-host-lib.tdir/08-host-lib.post
new file mode 100644
index 000000000000..26b046ada5d2
--- /dev/null
+++ b/testdata/08-host-lib.tdir/08-host-lib.post
@@ -0,0 +1,10 @@
+# #-- 08-host-lib.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+
+. ../common.sh
+kill_pid $FWD_PID
diff --git a/testdata/08-host-lib.tdir/08-host-lib.pre b/testdata/08-host-lib.tdir/08-host-lib.pre
new file mode 100644
index 000000000000..84817891ff93
--- /dev/null
+++ b/testdata/08-host-lib.tdir/08-host-lib.pre
@@ -0,0 +1,19 @@
+# #-- 08-host-lib.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+FWD_PORT=$(($RND_PORT + 1))
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT 08-host-lib.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
diff --git a/testdata/08-host-lib.tdir/08-host-lib.test b/testdata/08-host-lib.tdir/08-host-lib.test
new file mode 100644
index 000000000000..8de897776209
--- /dev/null
+++ b/testdata/08-host-lib.tdir/08-host-lib.test
@@ -0,0 +1,194 @@
+# #-- 08-host-lib.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+
+if grep FORK $PRE/config.h | grep "define" >/dev/null 2>&1; then
+	# nothing
+	:
+else
+	echo "forking is not available; test skipped."
+	exit 0
+fi
+
+# test if fwder is up
+echo "> dig @127.0.0.1 -p $FWD_PORT www.example.com | tee outfile"
+dig @127.0.0.1 -p $FWD_PORT www.example.com | tee outfile
+if grep "10.20.30.40" outfile; then
+	echo "fwder is up"
+else
+	cat fwd.log
+	echo "fwder not up"
+	exit 1
+fi
+rm outfile
+
+# create asynclook
+get_make
+echo "> (cd $PRE ; $MAKE asynclook)"
+(cd $PRE ; $MAKE asynclook)
+if test ! -x $PRE/asynclook; then
+	echo "cannot build asynclook test program"
+	exit 1
+fi
+(cd $PRE ; $MAKE lock-verify)
+
+# check the locks.
+function locktest() {
+	if test -x $PRE/lock-verify -a -f ublocktrace.0; then
+		$PRE/lock-verify ublocktrace.*
+		if test $? -ne 0; then
+			echo "lock-verify error"
+			exit 1
+		fi
+	fi
+}
+
+# test hosts reading (directed at local auth info)
+echo '> $PRE/asynclook -H 08-host-lib.hosts virtual.virtual.virtual.local 2>&1 | tee outfile'
+$PRE/asynclook -H 08-host-lib.hosts virtual.virtual.virtual.local 2>&1 | tee outfile
+if grep "virtual.virtual.virtual.local: 10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+locktest
+rm outfile
+
+# test async lookups (directed at testns)
+echo '> $PRE/asynclook -f "127.0.0.1@"$FWD_PORT www.example.com 2>&1 | tee outfile'
+$PRE/asynclook -f "127.0.0.1@"$FWD_PORT www.example.com 2>&1 | tee outfile
+if grep "www.example.com: 10.20.30.40" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+locktest
+rm outfile
+
+echo '> $PRE/asynclook -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile'
+$PRE/asynclook -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile
+if grep "www.example.com: 10.20.30.40" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www2.example.com: 10.20.30.42" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+locktest
+rm outfile
+
+echo '> $PRE/asynclook -t -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile'
+$PRE/asynclook -t -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile
+if grep "www.example.com: 10.20.30.40" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www2.example.com: 10.20.30.42" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+locktest
+rm outfile
+
+# test cancellation
+echo '> $PRE/asynclook -c -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile'
+$PRE/asynclook -c -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile
+if grep "www.example.com: cancelled" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www2.example.com: cancelled" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+locktest
+rm outfile
+
+echo '> $PRE/asynclook -t -c -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile'
+$PRE/asynclook -t -c -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile
+if grep "www.example.com: cancelled" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www2.example.com: cancelled" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+locktest
+rm outfile
+
+# test blocking mode
+echo '> $PRE/asynclook -b -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile'
+$PRE/asynclook -b -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile
+if grep "www.example.com: 10.20.30.40" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www2.example.com: 10.20.30.42" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+locktest
+rm outfile
+
+echo '> $PRE/asynclook -t -b -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile'
+$PRE/asynclook -t -b -f "127.0.0.1@"$FWD_PORT www.example.com www2.example.com 2>&1 | tee outfile
+if grep "www.example.com: 10.20.30.40" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www2.example.com: 10.20.30.42" outfile; then
+	echo "OK"
+else
+	cat fwd.log
+	echo "Not OK"
+	exit 1
+fi
+locktest
+rm outfile
+
+echo "> cat logfiles"
+cat fwd.log 
+exit 0
diff --git a/testdata/08-host-lib.tdir/08-host-lib.testns b/testdata/08-host-lib.tdir/08-host-lib.testns
new file mode 100644
index 000000000000..6245ae164172
--- /dev/null
+++ b/testdata/08-host-lib.tdir/08-host-lib.testns
@@ -0,0 +1,35 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+; for priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+@	IN	NS
+SECTION ANSWER
+@	IN	NS	127.0.0.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www2	IN	A
+SECTION ANSWER
+www2	IN	A	10.20.30.42
+ENTRY_END
+
diff --git a/testdata/08-host-lib.tpkg b/testdata/08-host-lib.tpkg
deleted file mode 100644
index 818ed5bca19a..000000000000
--- a/testdata/08-host-lib.tpkg
+++ /dev/null
diff --git a/testdata/09-unbound-control.tdir/09-unbound-control.conf b/testdata/09-unbound-control.tdir/09-unbound-control.conf
new file mode 100644
index 000000000000..ba55e34e8869
--- /dev/null
+++ b/testdata/09-unbound-control.tdir/09-unbound-control.conf
@@ -0,0 +1,24 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+remote-control:
+	control-enable: yes
+	control-interface: 127.0.0.1
+	# control-interface: ::1
+	control-port: @CONTROL_PORT@
+	server-key-file: "unbound_server.key"
+	server-cert-file: "unbound_server.pem"
+	control-key-file: "unbound_control.key"
+	control-cert-file: "unbound_control.pem"
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
diff --git a/testdata/09-unbound-control.tdir/09-unbound-control.dsc b/testdata/09-unbound-control.tdir/09-unbound-control.dsc
new file mode 100644
index 000000000000..7b4436789e41
--- /dev/null
+++ b/testdata/09-unbound-control.tdir/09-unbound-control.dsc
@@ -0,0 +1,16 @@
+BaseName: 09-unbound-control
+Version: 1.0
+Description: 09 test unbound-control remote control tool
+CreationDate: Mon Sep 15 11:14:08 CEST 2008
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: 09-unbound-control.pre
+Post: 09-unbound-control.post
+Test: 09-unbound-control.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/09-unbound-control.tdir/09-unbound-control.post b/testdata/09-unbound-control.tdir/09-unbound-control.post
new file mode 100644
index 000000000000..4269fee1b5da
--- /dev/null
+++ b/testdata/09-unbound-control.tdir/09-unbound-control.post
@@ -0,0 +1,13 @@
+# #-- 09-unbound-control.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+# it was stopped with unbound-control (if the test succeeded)
+kill $UNBOUND_PID >/dev/null 2>&1
+kill $UNBOUND_PID >/dev/null 2>&1
+exit 0
diff --git a/testdata/09-unbound-control.tdir/09-unbound-control.pre b/testdata/09-unbound-control.tdir/09-unbound-control.pre
new file mode 100644
index 000000000000..479e4a90bc0f
--- /dev/null
+++ b/testdata/09-unbound-control.tdir/09-unbound-control.pre
@@ -0,0 +1,33 @@
+# #-- 09-unbound-control.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 3
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+CONTROL_PORT=$(($RND_PORT + 2))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT 09-unbound-control.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < 09-unbound-control.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/09-unbound-control.tdir/09-unbound-control.test b/testdata/09-unbound-control.tdir/09-unbound-control.test
new file mode 100644
index 000000000000..f683bf41758c
--- /dev/null
+++ b/testdata/09-unbound-control.tdir/09-unbound-control.test
@@ -0,0 +1,406 @@
+# #-- 09-unbound-control.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+
+# exit value is 1 on usage
+$PRE/unbound-control -h
+if test $? -ne 1; then
+	echo "wrong exit value for usage."
+	exit 1
+else
+	echo "exit value for usage: OK"
+fi
+
+# use lock-verify if possible
+
+# test if the server is up.
+echo "> dig www.example.com."
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+# exit value is 1 when a bad command is given.
+echo "$PRE/unbound-control -c ub.conf blablargh"
+$PRE/unbound-control -c ub.conf blablargh
+if test $? -ne 1; then
+	echo "wrong exit value on error."
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.lo
+	exit 1
+else
+	echo "correct exit value on error"
+fi
+
+# reload the server. test if the server came up by putting a new
+# local-data element in the server.
+echo "server: local-data: 'afterreload. IN A 5.6.7.8'" >> ub.conf
+echo "$PRE/unbound-control -c ub.conf reload"
+$PRE/unbound-control -c ub.conf reload
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+
+echo "> dig afterreload."
+dig @127.0.0.1 -p $UNBOUND_PORT afterreload. | tee outfile
+echo "> check answer"
+if grep "5.6.7.8" outfile; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+# must have had queries now.  1 since reload.
+echo "$PRE/unbound-control -c ub.conf stats"
+$PRE/unbound-control -c ub.conf stats > tmp.$$
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+if grep "^total.num.queries=[1-9][0-9]*$" tmp.$$; then
+	echo "OK"
+else
+	echo "bad stats"
+	cat tmp.$$
+	exit 1
+fi
+
+# verbosity
+echo "$PRE/unbound-control -c ub.conf verbosity 2"
+$PRE/unbound-control -c ub.conf verbosity 2
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+
+# check syntax error in parse 
+echo "$PRE/unbound-control -c ub.conf verbosity jkdf"
+$PRE/unbound-control -c ub.conf verbosity jkdf
+if test $? -ne 1; then
+	echo "wrong exit value after failure"
+	exit 1
+fi
+
+# check bad credentials
+cp ub.conf bad.conf
+echo "remote-control:" >> bad.conf
+echo "	server-key-file: bad_server.key" >> bad.conf
+echo "	server-cert-file: bad_server.pem" >> bad.conf
+echo "	control-key-file: bad_control.key" >> bad.conf
+echo "	control-cert-file: bad_control.pem" >> bad.conf
+echo "$PRE/unbound-control -c bad.conf verbosity 2"
+$PRE/unbound-control -c bad.conf verbosity 2
+if test $? -ne 1; then
+	echo "wrong exit value after failure"
+	exit 1
+fi
+
+# check spoofedclient credentials
+rm -f bad.conf
+cp ub.conf bad.conf
+echo "remote-control:" >> bad.conf
+echo "	server-key-file: unbound_server.key" >> bad.conf
+echo "	server-cert-file: unbound_server.pem" >> bad.conf
+echo "	control-key-file: bad_control.key" >> bad.conf
+echo "	control-cert-file: bad_control.pem" >> bad.conf
+echo "$PRE/unbound-control -c bad.conf verbosity 2"
+$PRE/unbound-control -c bad.conf verbosity 2
+if test $? -ne 1; then
+	echo "wrong exit value after failure"
+	exit 1
+fi
+
+# create a new local zone
+echo "> test of local zone"
+echo "$PRE/unbound-control -c ub.conf local_zone example.net static"
+$PRE/unbound-control -c ub.conf local_zone example.net static
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+echo "$PRE/unbound-control -c ub.conf local_data www.example.net A 192.0.2.1"
+$PRE/unbound-control -c ub.conf local_data www.example.net A 192.0.2.1
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+
+# check that www.example.net exists
+echo "> dig www.example.net."
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.net. | tee outfile
+echo "> check answer"
+if grep "192.0.2.1" outfile; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+# check that mail.example.net has nxdomain
+echo "> dig mail.example.net."
+dig @127.0.0.1 -p $UNBOUND_PORT mail.example.net. | tee outfile
+echo "> check answer"
+if grep "NXDOMAIN" outfile; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+# remove www.example.net - check it gets nxdomain
+echo "$PRE/unbound-control -c ub.conf local_data_remove www.example.net"
+$PRE/unbound-control -c ub.conf local_data_remove www.example.net
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+echo "> dig www.example.net."
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.net. | tee outfile
+echo "> check answer"
+if grep "NXDOMAIN" outfile; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+# remove nonexistent name - check bug#287(segfault) does not happen.
+echo "$PRE/unbound-control -c ub.conf local_data_remove test.example.net"
+$PRE/unbound-control -c ub.conf local_data_remove test.example.net
+# if crash then then we get: error: could not SSL_read from unbound-control
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+# remove example.net - check its gone.
+echo "$PRE/unbound-control -c ub.conf local_zone_remove example.net"
+$PRE/unbound-control -c ub.conf local_zone_remove example.net
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+echo "> dig www.example.net."
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.net. | tee outfile
+echo "> check answer"
+if grep "SERVFAIL" outfile; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+# dump the cache
+echo "> test cache dump"
+# fillup cache
+echo "dig www.example.com"
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com.
+echo "$PRE/unbound-control -c ub.conf dump_cache"
+$PRE/unbound-control -c ub.conf dump_cache > tmp.$$
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+cat tmp.$$
+if grep 10.20.30.40 tmp.$$; then
+	echo "OK example.com is in cache dump"
+else
+	echo "Not OK cache dump"
+	exit 1
+fi
+
+# test lookup 
+echo "$PRE/unbound-control -c ub.conf lookup www.example.com"
+$PRE/unbound-control -c ub.conf lookup www.example.com
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+# answer to lookup is meaningless because of use a forwarder, oh well.
+
+# load the cache dump.
+echo "$PRE/unbound-control -c ub.conf load_cache < tmp.$$"
+$PRE/unbound-control -c ub.conf load_cache < tmp.$$
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+echo "> dig www.example.com."
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+# load local-zones from file
+echo "$PRE/unbound-control -c ub.conf local_zones < local_zones"
+$PRE/unbound-control -c ub.conf local_zones < local_zones
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+echo "> dig localzonefromfile."
+dig @127.0.0.1 -p $UNBOUND_PORT localzonefromfile | tee outfile
+echo "> check answer"
+if grep "REFUSED" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+# load local-data from file
+echo "$PRE/unbound-control -c ub.conf local_datas < local_data"
+$PRE/unbound-control -c ub.conf local_datas < local_data
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+echo "> dig localdatafromfile."
+dig @127.0.0.1 -p $UNBOUND_PORT -t txt localdatafromfile | tee outfile
+echo "> check answer"
+if grep "local data from file OK" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+# remove local-zone and local-data from file
+echo "$PRE/unbound-control -c ub.conf local_zones_remove < local_zones_remove"
+$PRE/unbound-control -c ub.conf local_zones_remove < local_zones_remove
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+echo "$PRE/unbound-control -c ub.conf local_datas_remove < local_data_remove"
+$PRE/unbound-control -c ub.conf local_datas_remove < local_data_remove
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+echo "> check zone and data removal list_local_zones"
+$PRE/unbound-control -c ub.conf list_local_zones | tee outfile
+if grep "localzonefromfile" outfile; then
+	echo "Not OK"
+	exit 1
+fi
+if grep "local data from file OK" outfile; then
+	echo "Not OK"
+	exit 1
+fi
+if grep "otherlocalzone" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+# flushing
+echo "$PRE/unbound-control -c ub.conf flush www.example.net"
+$PRE/unbound-control -c ub.conf flush www.example.net
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+
+echo "$PRE/unbound-control -c ub.conf flush_type www.example.net TXT"
+$PRE/unbound-control -c ub.conf flush_type www.example.net TXT
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+
+echo "$PRE/unbound-control -c ub.conf flush_zone example.net"
+$PRE/unbound-control -c ub.conf flush_zone example.net
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+
+# now stop the server
+echo "$PRE/unbound-control -c ub.conf stop"
+$PRE/unbound-control -c ub.conf stop
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+# see if the server has really exited.
+TRY_MAX=20
+for (( try=0 ; try <= $TRY_MAX ; try++ )) ; do
+	if kill -0 $UNBOUND_PID 2>&1 | tee tmp.$$; then
+		echo "not stopped yet, waiting"
+		sleep 1
+	else
+		echo "stopped OK; break"
+		break;
+	fi
+	if grep "No such process" tmp.$$; then
+		echo "stopped OK; break"
+		break;
+	fi
+done
+if kill -0 $UNBOUND_PID; then
+	echo "still up!"
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "not stopped, failure"
+	exit 1
+else
+	echo "stopped OK"
+
+        if test -f ublocktrace.0; then
+		if $PRE/lock-verify ublocktrace.*; then
+			echo "lock-verify test worked."
+		else
+			echo "lock-verify test failed."
+			cat fwd.log 
+			cat unbound.log
+			exit 1
+		fi
+	fi
+fi
+
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> OK"
+exit 0
diff --git a/testdata/09-unbound-control.tdir/09-unbound-control.testns b/testdata/09-unbound-control.tdir/09-unbound-control.testns
new file mode 100644
index 000000000000..0c911ca5b30e
--- /dev/null
+++ b/testdata/09-unbound-control.tdir/09-unbound-control.testns
@@ -0,0 +1,22 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA SERVFAIL
+ADJUST copy_id
+SECTION QUESTION
+www.example.net.	IN	A
+ENTRY_END
+
diff --git a/testdata/09-unbound-control.tdir/bad_control.key b/testdata/09-unbound-control.tdir/bad_control.key
new file mode 100644
index 000000000000..d29cdbc91b37
--- /dev/null
+++ b/testdata/09-unbound-control.tdir/bad_control.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDti51Z6qASvAjPFFhLLlq8BwtsnmfqMPMn57dKAghb4OifeL4G
+SLOE02/hKDkdkOvaUG2UqDNh2OoPTuJk4A+mG2LJoziFhHKlIebo9v2YiFWOBVtO
+DWc3tXPT1IlSEN0xnAGelMmeLcPeCPe+A5IDlIHzF/+YiDgS38S9dL17owIDAQAB
+AoGAG3w/DatfMCu/nS5OdQx9BSqPgNbnUSqux9xA0fhgPTlN0T3oRtPcqa7JUDUW
+PryI/a62ry+zGkw98N2AxolCZg3N7Z3vuRx2FMcKKNwpTzDmcZW7TmMk5FPof6gE
+PnYl/ff0w+kxqA+L2EexH3Xi6ApLSZcjyzKWj+dL2AuT9gkCQQD3dPitwITxgCAD
+IaHw23e3FRkM/hw1Gp8bt6nbuxitVxxpO96q1EQ+fCy/mf0bMEJDp3xzMEIfP3r4
+GmNbaxa1AkEA9b8LeBLbQ2cm2+UMeUgygBsRirdUQ786auqH38Jbvi/j6S9sDl2x
+q1vRtikEBZJWfkhsOzrzwFDKe1bI/EEn9wJAAzOwRA9JqRZPU7sLrWIpmmTbfh+L
+neRKSsGFoSI6n4ORCouLxgoZF/XjXldPvxpQwS9ZnOPy9xSLMsqknno0QQJAeDtA
+IT8Yh6GwIWWu9KeeDY8wxe1sDLlCm4yjbZZpzGMh3rSU6XJtuqjxsW3fydoO9zn3
+ugLdvvnIFxAexUwbgQJBANyM13xcObfUJOj9rjlGCh0CDh/04ONl8SH8HBnM8guA
+RJI5S6vBHweVRopEZcF1sQm6wMf3ej/sGkyyNvJxRkY=
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/09-unbound-control.tdir/bad_control.pem b/testdata/09-unbound-control.tdir/bad_control.pem
new file mode 100644
index 000000000000..e06b847208e3
--- /dev/null
+++ b/testdata/09-unbound-control.tdir/bad_control.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBozCCAQwCCQDd5/rocjG5vDANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkyNjEyMjQ0NFoXDTI4MDYxMzEyMjQ0NFowGjEYMBYGA1UE
+AxMPdW5ib3VuZC1jb250cm9sMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDt
+i51Z6qASvAjPFFhLLlq8BwtsnmfqMPMn57dKAghb4OifeL4GSLOE02/hKDkdkOva
+UG2UqDNh2OoPTuJk4A+mG2LJoziFhHKlIebo9v2YiFWOBVtODWc3tXPT1IlSEN0x
+nAGelMmeLcPeCPe+A5IDlIHzF/+YiDgS38S9dL17owIDAQABMA0GCSqGSIb3DQEB
+BQUAA4GBAHpvcKqY48X9WsqogV16L+zT7iXhZ4tySA9EBk1a+0gud/iDPKSBi7mK
+4rzphVfb4S207dVmTG+1WNpa6l3pTGML6XLElxqIu/kr7w4cF0rKvZxWPsBRqYjH
+5HrK8CrQ0+YvUHXiu7IaACLGvKXY4Tqa3HQyvEtzLWJ4HhOrGx8F
+-----END CERTIFICATE-----
diff --git a/testdata/09-unbound-control.tdir/bad_server.key b/testdata/09-unbound-control.tdir/bad_server.key
new file mode 100644
index 000000000000..0dbb134b5be7
--- /dev/null
+++ b/testdata/09-unbound-control.tdir/bad_server.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQC9hurNHBtB7QFEuPJOnCylUWUF2/US3v9yQQQXnstuXMQXRaq1
+1uviLmwaGurV9tngX59HITsBT74NQrtFKfEDLViLrm2arAM9Ozsn4tnv30HXPRDj
+UOc1M05Q7UzjaSrOv+TkPEqyhtUyaP1DYo0bcmbxtSkYc2ZEWCwhPklUwQIDAQAB
+AoGATjzZxN4ramWaNnJapJTX4U7eczK/0pB3xwSL2exVcjOdRzYdKH+WVIJxYb1m
+3/jNLFCNAeH356yxeevoPr73nG75YJ9I1ZWQWTnS3SDK6JD1+3pmAD0bQWFoitpf
+FoSH9H4X5gFB5vCZ99YVoYH1UXWPcgvUHwxz0voImt6lCKECQQD4YQ4A3M0+Ki8v
+Hl+5FKULnS0UtBkweCvkF/X1zZRjjYr6hLnqldFkkgTBKWe17pUXX0nwRMbP1YZX
+i+vDq5JNAkEAw1eYsmC0nVAMawo57N6LYavGv/n5u1cvpTpKDtn4cXH0Uqq13Kyu
+2FUTzan2NhCEK78UzbWaeewBJmxYda1+RQJAdShKk6uTAEyjnwUjv8h2JWlJN2fQ
+LeWxRlDrCruiz+aW9J4gl/99GoQpy/c83TshhjnDRZsbcDNWv/rXBZ/rTQJAFQva
+CtX6f7yBKgM3DHtJvyM3zbVMH9Ab9QxbsE/xwZ9KeKGl6Hm+eNZpxM3cFiUfaGs0
+/ZjkZOB1m0MvILaplQJAXC3PJ/E+87banGZRJl5qtS6/HoX5lH9TPkL8Essy7ANO
+2BT2OTQawD1A+VKIrQHXs085Of8tQUfrfHHt7s3Kqg==
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/09-unbound-control.tdir/bad_server.pem b/testdata/09-unbound-control.tdir/bad_server.pem
new file mode 100644
index 000000000000..983247ac73bd
--- /dev/null
+++ b/testdata/09-unbound-control.tdir/bad_server.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmzCCAQQCCQCDugnhq8B6LzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkyNjEyMjQ0M1oXDTI4MDYxMzEyMjQ0M1owEjEQMA4GA1UE
+AxMHdW5ib3VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvYbqzRwbQe0B
+RLjyTpwspVFlBdv1Et7/ckEEF57LblzEF0Wqtdbr4i5sGhrq1fbZ4F+fRyE7AU++
+DUK7RSnxAy1Yi65tmqwDPTs7J+LZ799B1z0Q41DnNTNOUO1M42kqzr/k5DxKsobV
+Mmj9Q2KNG3Jm8bUpGHNmRFgsIT5JVMECAwEAATANBgkqhkiG9w0BAQUFAAOBgQCy
+zGMW35/9xXoEWsuLFWUOaEKVq5DXuXtXbcMpDW6k2ELoraa305vh7Zwhj5JSqfcm
+O0xyqIzXvz/cYdyOTgEkdMDZ/EvQsxKTwvj6eA4614yB1r3Ju5eZd4Gpo6BHhSpu
+oqsrr0duJ+JOANTyaBplIxM1sjHbR4FGtmrFknBYBQ==
+-----END CERTIFICATE-----
diff --git a/testdata/09-unbound-control.tdir/local_data b/testdata/09-unbound-control.tdir/local_data
new file mode 100644
index 000000000000..54e6e93b4dd9
--- /dev/null
+++ b/testdata/09-unbound-control.tdir/local_data
@@ -0,0 +1 @@
+localdatafromfile 3600 TXT "local data from file OK"
diff --git a/testdata/09-unbound-control.tdir/local_data_remove b/testdata/09-unbound-control.tdir/local_data_remove
new file mode 100644
index 000000000000..fcb8239589e3
--- /dev/null
+++ b/testdata/09-unbound-control.tdir/local_data_remove
@@ -0,0 +1 @@
+localdatafromfile
diff --git a/testdata/09-unbound-control.tdir/local_zones b/testdata/09-unbound-control.tdir/local_zones
new file mode 100644
index 000000000000..4c65f712fbb2
--- /dev/null
+++ b/testdata/09-unbound-control.tdir/local_zones
@@ -0,0 +1,2 @@
+localzonefromfile refuse
+otherlocalzone	static
diff --git a/testdata/09-unbound-control.tdir/local_zones_remove b/testdata/09-unbound-control.tdir/local_zones_remove
new file mode 100644
index 000000000000..1d215585515a
--- /dev/null
+++ b/testdata/09-unbound-control.tdir/local_zones_remove
@@ -0,0 +1 @@
+localzonefromfile
diff --git a/testdata/09-unbound-control.tdir/unbound_control.key b/testdata/09-unbound-control.tdir/unbound_control.key
new file mode 100644
index 000000000000..d7c43a06bb58
--- /dev/null
+++ b/testdata/09-unbound-control.tdir/unbound_control.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDD6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBa
+rzPA0vlyuNtUsEN3qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvH
+ST6JwUdIg0Lzg/USJ81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQAB
+AoGAFT3e35MIgI4uDJJ8X0RfHp2NCO2LUg4TKbWical/C0W9vlR1/x80G1pE1d2Z
+WotqJVWTrOq6eBox19RCgtLg2wPGk9uD62+9SDT37heWFlUCElWq50pQG6k9ThiG
+DDypkZyZ/52+DdWybiaQJkuK6O5qQXuNAtVJMpghu4GnHAECQQDsupnZUQDpapzr
+4FC4MSkL2+A1PRt6g4VhwoqOpJXaHfVnH6F7AwUuOLNwGdR5Cvv70pfJ7Jqg8L2m
+Kxyl5bORAkEA09rn34YQ0pHJdHidbl2kInIuYTz09+TO3LWwan17nISH9aaYvVDr
+p9x1B4Qzw9qyxT9oll7ze/5Rw/7C3AQj4QJAT2B2a+b8bkgAXBs4FbruL3rHoDJg
+P2FQXSpVOWU4lg2LlsuFYvDtUMVUbZdLplanjZXcral3Y9W1Ub2M+ped8QJAYQN+
+aRpge7ys7vwIw7B36Bo3aOncF+ScYe+FkM5Tm7II/JHEofT7ZQwMP1vnxIlSkgbe
+YvWqNB6a3NC99LikoQJBAM4UhDdRg63Tr6Idky6CQaH///zAN7nArJfffKGWFdw9
+DKrWpNqvYZtX/cfEJucKcRCm5YL8CKFYbQy4VoCxUcE=
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/09-unbound-control.tdir/unbound_control.pem b/testdata/09-unbound-control.tdir/unbound_control.pem
new file mode 100644
index 000000000000..8f1ba87f1cdd
--- /dev/null
+++ b/testdata/09-unbound-control.tdir/unbound_control.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBozCCAQwCCQD6XaN6FzW/4DANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowGjEYMBYGA1UE
+AxMPdW5ib3VuZC1jb250cm9sMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD
+6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBarzPA0vlyuNtUsEN3
+qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvHST6JwUdIg0Lzg/US
+J81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQABMA0GCSqGSIb3DQEB
+BQUAA4GBAGFAXmaQHuFgAuc6HVhYZJdToxLBhfxGpot4oZNjcb1Cdoz3OL34MU1B
+9E5psj2PpGPIi8/RwoqBtAJHJ+J5cWngo03o4ZmdwKNSzaxlp141z/3rUtFqEHEC
+iO6gPCT3U7dt6MyC7r6vdMqyW6aldP3CtwD0gQziKAMoj+TAfAcq
+-----END CERTIFICATE-----
diff --git a/testdata/09-unbound-control.tdir/unbound_server.key b/testdata/09-unbound-control.tdir/unbound_server.key
new file mode 100644
index 000000000000..4256c421dd0d
--- /dev/null
+++ b/testdata/09-unbound-control.tdir/unbound_server.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQC3F7Jsv2u01pLL9rFnjsMU/IaCFUIz/624DcaE84Z4gjMl5kWA
+3axQcqul1wlwSrbKwrony+d9hH/+MX0tZwvl8w3OmhmOAiaQ+SHCsIuOjVwQjX0s
+RLB61Pz5+PAiVvnPa9JIYB5QrK6DVEsxIHj8MOc5JKORrnESsFDh6yeMeQIDAQAB
+AoGAAuWoGBprTOA8UGfl5LqYkaNxSWumsYXxLMFjC8WCsjN1NbtQDDr1uAwodSZS
+6ujzvX+ZTHnofs7y64XC8k34HTOCD2zlW7kijWbT8YjRYFU6o9F5zUGD9RCan0ds
+sVscT2psLSzfdsmFAcbmnGdxYkXk2PC1FHtaqExxehralGUCQQDcqrg9uQKXlhQi
+XAaPr8SiWvtRm2a9IMMZkRfUWZclPHq6fCWNuUaCD+cTat4wAuqeknAz33VEosw3
+fXGsok//AkEA1GjIHXrOcSlpfVJb6NeOBugjRtZ7ZDT5gbtnMS9ob0qntKV6saaL
+CNmJwuD9Q3XkU5j1+uHvYGP2NzcJd2CjhwJACV0hNlVMe9w9fHvFN4Gw6WbM9ViP
+0oS6YrJafYNTu5vGZXVxLoNnL4u3NYa6aPUmuZXjNwBLfJ8f5VboZPf6RwJAINd2
+oYA8bSi/A755MX4qmozH74r4Fx1Nuq5UHTm8RwDe/0Javx8F/j9MWpJY9lZDEF3l
+In5OebPa/NyInSmW/wJAZuP9aRn0nDBkHYri++1A7NykMiJ/nH0mDECbnk+wxx0S
+LwqIetBhxb8eQwMg45+iAH7CHAMQ8BQuF/nFE6eotg==
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/09-unbound-control.tdir/unbound_server.pem b/testdata/09-unbound-control.tdir/unbound_server.pem
new file mode 100644
index 000000000000..aeda3ff11882
--- /dev/null
+++ b/testdata/09-unbound-control.tdir/unbound_server.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmzCCAQQCCQDsNJ1UmphEFzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowEjEQMA4GA1UE
+AxMHdW5ib3VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtxeybL9rtNaS
+y/axZ47DFPyGghVCM/+tuA3GhPOGeIIzJeZFgN2sUHKrpdcJcEq2ysK6J8vnfYR/
+/jF9LWcL5fMNzpoZjgImkPkhwrCLjo1cEI19LESwetT8+fjwIlb5z2vSSGAeUKyu
+g1RLMSB4/DDnOSSjka5xErBQ4esnjHkCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAZ
+9N0lnLENs4JMvPS+mn8C5m9bkkFITd32IiLjf0zgYpIUbFXH6XaEr9GNZBUG8feG
+l/6WRXnbnVSblI5odQ4XxGZ9inYY6qtW30uv76HvoKp+QZ1c3460ddR8NauhcCHH
+Z7S+QbLXi+r2JAhpPozZCjBHlRD0ixzA1mKQTJhJZg==
+-----END CERTIFICATE-----
diff --git a/testdata/09-unbound-control.tpkg b/testdata/09-unbound-control.tpkg
deleted file mode 100644
index d5b11b77f044..000000000000
--- a/testdata/09-unbound-control.tpkg
+++ /dev/null
diff --git a/testdata/10-unbound-anchor.tdir/10-unbound-anchor.conf b/testdata/10-unbound-anchor.tdir/10-unbound-anchor.conf
new file mode 100644
index 000000000000..bb125c0d5c55
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/10-unbound-anchor.conf
@@ -0,0 +1,8 @@
+# test config to direct traffic to testns.
+server:
+	do-not-query-localhost: no
+	fake-sha1: yes
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
diff --git a/testdata/10-unbound-anchor.tdir/10-unbound-anchor.dsc b/testdata/10-unbound-anchor.tdir/10-unbound-anchor.dsc
new file mode 100644
index 000000000000..869dfafe4310
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/10-unbound-anchor.dsc
@@ -0,0 +1,16 @@
+BaseName: 10-unbound-anchor
+Version: 1.0
+Description: Test unbound-anchor for 5011 and cert update.
+CreationDate: Thu Sep 30 15:35:09 CEST 2010
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: 10-unbound-anchor.pre
+Post: 10-unbound-anchor.post
+Test: 10-unbound-anchor.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/10-unbound-anchor.tdir/10-unbound-anchor.post b/testdata/10-unbound-anchor.tdir/10-unbound-anchor.post
new file mode 100644
index 000000000000..b1112940456b
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/10-unbound-anchor.post
@@ -0,0 +1,10 @@
+# #-- 10-unbound-anchor.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $PETAL_PID
diff --git a/testdata/10-unbound-anchor.tdir/10-unbound-anchor.pre b/testdata/10-unbound-anchor.tdir/10-unbound-anchor.pre
new file mode 100644
index 000000000000..acf223277514
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/10-unbound-anchor.pre
@@ -0,0 +1,33 @@
+# #-- 10-unbound-anchor.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+PRE="../.."
+get_random_port 2
+PETAL_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "PETAL_PORT=$PETAL_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+get_make
+(cd $PRE; $MAKE petal)
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT 10-unbound-anchor.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# start https daemon
+$PRE/petal -v -a "127.0.0.1" -p $PETAL_PORT >petal.log 2>&1 &
+PETAL_PID=$!
+echo "PETAL_PID=$PETAL_PID" >> .tpkg.var.test
+cat .tpkg.var.test
+sed -e "s/@TOPORT@/$FWD_PORT/" < 10-unbound-anchor.conf > ub.conf
+
+wait_ldns_testns_up fwd.log
+wait_petal_up petal.log
+
diff --git a/testdata/10-unbound-anchor.tdir/10-unbound-anchor.test b/testdata/10-unbound-anchor.tdir/10-unbound-anchor.test
new file mode 100644
index 000000000000..46cea626cb00
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/10-unbound-anchor.test
@@ -0,0 +1,162 @@
+# #-- 10-unbound-anchor.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+OPTS="-u 127.0.0.1 -P $PETAL_PORT -C ub.conf -v -a root.key -c root.pem -n petal"
+DS=`cat K.+005+37348.ds`
+
+# check that the root.key file works.
+function check_works() {
+	if $PRE/unbound-host -C ub.conf -f root.key -t DNSKEY -v . | grep "(secure)" >/dev/null; then
+		echo OK
+	else
+		echo "not OK"
+		cat fwd.log
+		cat petal.log
+		exit 1
+	fi
+}
+
+# check that the root.key file works, but insecurely.
+function check_insecure() {
+	if $PRE/unbound-host -C ub.conf -f root.key -t DNSKEY -v . | grep "(insecure)" >/dev/null; then
+		echo OK
+	else
+		echo "not OK"
+		cat fwd.log
+		cat petal.log
+		exit 1
+	fi
+}
+
+# test with good start key, and must do 5011 (no URL possible)
+echo "*** TEST 1 ***"
+echo $DS > root.key
+$PRE/unbound-anchor -x "notexist.xml" -s "notexist.p7s" $OPTS
+if test $? != 0; then
+	echo "Exitcode not OK"
+	exit 1
+fi
+check_works
+# save for test 5
+cp root.key root.key.probed
+
+# force update with the cert.
+echo "*** TEST 2 ***"
+cp test_cert.pem root.pem
+$PRE/unbound-anchor -F -x "root.xml" -s "root.p7s" $OPTS
+if test $? != 1; then
+	echo "Exitcode not OK"
+	exit 1
+fi
+check_works
+
+# 5011 fails
+echo "*** TEST 3 ***"
+echo ".	IN DS 37000 5 1 b00000000000000000000100f0000000000000b2" > root.key
+$PRE/unbound-anchor -x "root.xml" -s "root.p7s" $OPTS
+if test $? != 1; then
+	echo "Exitcode not OK"
+	exit 1
+fi
+check_works
+
+# cert fails (bad p7s).
+echo "*** TEST 4 ***"
+echo ".	IN DS 44444 5 1 b00000000000000000000100f0000000000000b2" > root.key
+$PRE/unbound-anchor -F -x "bad.xml" -s "bad.p7s" $OPTS
+if test $? != 0; then
+	echo "Exitcode not OK"
+	exit 1
+fi
+if grep "DS 44444" root.key >/dev/null ; then
+	echo OK
+else
+	echo "keyfile changed"
+	exit 1
+fi
+
+# cert fails (bad name).
+echo "*** TEST 4b ***"
+echo ".	IN DS 44444 5 1 b00000000000000000000100f0000000000000b2" > root.key
+$PRE/unbound-anchor -F -x "bad.xml" -s "bad.p7s" $OPTS -n "not-it"
+if test $? != 0; then
+	echo "Exitcode not OK"
+	exit 1
+fi
+if grep "DS 44444" root.key >/dev/null ; then
+	echo OK
+else
+	echo "keyfile changed"
+	exit 1
+fi
+
+# 5011 fails, and probe-time too recent.
+echo "*** TEST 5 ***"
+# break the probed key.
+sed -e 's/bp0KIK3J3/b00KIK0J0/' < root.key.probed > root.key
+$PRE/unbound-anchor -x "notexist.xml" -s "notexist.p7s" $OPTS
+if test $? != 0; then
+	echo "Exitcode not OK"
+	exit 1
+fi
+if grep "b00KIK0J0" root.key >/dev/null ; then
+	echo OK
+else
+	echo "keyfile changed"
+	exit 1
+fi
+
+# 5011 fails, and probe time is very, very old.
+echo "*** TEST 6 ***"
+mv root.key bla.key
+# last probe was Sun Sep  9 03:46:40 2001
+sed -e 's/;;last_success: .*$/;;last_success: 1000000000/' < bla.key > root.key
+rm bla.key
+$PRE/unbound-anchor -x "root.xml" -s "root.p7s" $OPTS
+if test $? != 1; then
+	echo "Exitcode not OK"
+	exit 1
+fi
+check_works
+
+# 5011 update probe is only needed.
+echo "*** TEST 7 ***"
+$PRE/unbound-anchor -x "notexist.xml" -s "notexist.p7s" $OPTS
+if test $? != 0; then
+	echo "Exitcode not OK"
+	exit 1
+fi
+check_works
+
+# root goes to insecure (0 anchors).
+echo "*** TEST 8 ***"
+$PRE/unbound-anchor -F -x "no_more_keys.xml" -s "no_more_keys.p7s" $OPTS
+if test $? != 1; then
+	echo "Exitcode not OK"
+	exit 1
+fi
+if grep ";;REVOKED" root.key >/dev/null; then echo "REVOKED"; else
+	echo "not revoked"; exit 1; fi
+check_insecure
+
+# insecure input file
+echo "*** TEST 9 ***"
+$PRE/unbound-anchor -x "notexist.xml" -s "notexist.p7s" $OPTS
+if test $? != 0; then
+	echo "Exitcode not OK"
+	exit 1
+fi
+if grep ";;REVOKED" root.key >/dev/null; then echo "REVOKED"; else
+	echo "not revoked"; exit 1; fi
+check_insecure
+
+
+echo "logs"
+cat fwd.log
+cat petal.log
+
+exit 0
diff --git a/testdata/10-unbound-anchor.tdir/10-unbound-anchor.testns b/testdata/10-unbound-anchor.tdir/10-unbound-anchor.testns
new file mode 100644
index 000000000000..9aaf75bc06ac
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/10-unbound-anchor.testns
@@ -0,0 +1,17 @@
+; nameserver test file
+$ORIGIN .
+$TTL 3600
+
+; for easy test: valid until 2030.
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+.	IN	DNSKEY
+SECTION ANSWER
+.       3600    IN      DNSKEY  257 3 5 AwEAAcjV/I6yYY0LGBEqBFZS0K6zcbCVAfarbOoCKBUEfsR/nVdy3pwMydXopUVhg4Z07tTu8w2gYTPALPv5E6EJFJebA34R0OcvTPRDr3671zVwZO9HyQK+RuT/0d7G/pdCeJX2gHHiVrG796nf078O/agtojZ8+HJ1V3oLnDZYBSDWv2oL2LB2Mpj+610W7RrmEmQQm2KaMP6aX3YMbAyBIrDjVzJTir4/WwJEHRHq59Xw91egJkS2bp0KIK3J3tQFqw== ;{id = 37348 (ksk), size = 1536b}
+.	3600	IN	RRSIG	DNSKEY 5 0 3600 20300930162500 20100530162500 37348 . tjIVLqaVr2o1pLYxNbozR8OxPnGnCJN/rROZoIVzjEgvofyHx24hGMXak6lIlLHZ9GSmOxUM/71MeunhSdMqfjsoktc7MkpB8eR6ATePjdaPTdRH519wHH7qEkHj5WJNKvJOvG7Q9xs6O3KANErr+iotHjOJYpgbmZFoENJvLzqj4FVJ0bIglgD+SZGJGv9/qA+eWAK7WuWSe+ulMU/WH/SnxB/NKDjSAa//TyjzLhlIRR5UTjLIUymWxG4D3TbJ ;{id = 37348}
+
+ENTRY_END
+
diff --git a/testdata/10-unbound-anchor.tdir/127.0.0.1/bad.p7s b/testdata/10-unbound-anchor.tdir/127.0.0.1/bad.p7s
new file mode 100644
index 000000000000..afbdb1b91388
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/127.0.0.1/bad.p7s
diff --git a/testdata/10-unbound-anchor.tdir/127.0.0.1/bad.xml b/testdata/10-unbound-anchor.tdir/127.0.0.1/bad.xml
new file mode 100644
index 000000000000..48abe26f5408
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/127.0.0.1/bad.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<TrustAnchor id="AD42165F-3B1A-4778-8F42-D34A1D41FD93" source="http://data.iana.org/root-anchors/root-anchors.xml">
+<Zone>.</Zone>
+<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00">
+<KeyTag>37348</KeyTag>
+<Algorithm>5</Algorithm>
+<DigestType>1</DigestType>
+<Digest>b56a31943f14faa31224d147f8b1107b78590000</Digest>
+</KeyDigest>
+</TrustAnchor>
diff --git a/testdata/10-unbound-anchor.tdir/127.0.0.1/no_more_keys.p7s b/testdata/10-unbound-anchor.tdir/127.0.0.1/no_more_keys.p7s
new file mode 100644
index 000000000000..c76b5b6e4754
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/127.0.0.1/no_more_keys.p7s
diff --git a/testdata/10-unbound-anchor.tdir/127.0.0.1/no_more_keys.xml b/testdata/10-unbound-anchor.tdir/127.0.0.1/no_more_keys.xml
new file mode 100644
index 000000000000..ac5cd48af7e2
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/127.0.0.1/no_more_keys.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<TrustAnchor id="AD42165F-3B1A-4778-8F42-D34A1D41FD93" source="http://data.iana.org/root-anchors/root-anchors.xml">
+<Zone>.</Zone>
+<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00" validUntil="2010-07-16T00:00:00+00:00">
+<KeyTag>37348</KeyTag>
+<Algorithm>5</Algorithm>
+<DigestType>1</DigestType>
+<Digest>b56a31943f14faa31224d147f8b1107b78598eb2</Digest>
+</KeyDigest>
+<KeyDigest id="Kjqmt7v" validFrom="2010-07-18T00:00:00+00:00" validUntil="2010-07-19T00:00:00+00:00">
+<KeyTag>37348</KeyTag>
+<Algorithm>5</Algorithm>
+<DigestType>1</DigestType>
+<Digest>b56a31943f14faa31224d147f8b1107b78598eb2</Digest>
+</KeyDigest>
+</TrustAnchor>
diff --git a/testdata/10-unbound-anchor.tdir/127.0.0.1/root.p7s b/testdata/10-unbound-anchor.tdir/127.0.0.1/root.p7s
new file mode 100644
index 000000000000..afbdb1b91388
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/127.0.0.1/root.p7s
diff --git a/testdata/10-unbound-anchor.tdir/127.0.0.1/root.xml b/testdata/10-unbound-anchor.tdir/127.0.0.1/root.xml
new file mode 100644
index 000000000000..d330d1a31dc9
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/127.0.0.1/root.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<TrustAnchor id="AD42165F-3B1A-4778-8F42-D34A1D41FD93" source="http://data.iana.org/root-anchors/root-anchors.xml">
+<Zone>.</Zone>
+<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00">
+<KeyTag>37348</KeyTag>
+<Algorithm>5</Algorithm>
+<DigestType>1</DigestType>
+<Digest>b56a31943f14faa31224d147f8b1107b78598eb2</Digest>
+</KeyDigest>
+</TrustAnchor>
diff --git a/testdata/10-unbound-anchor.tdir/K.+005+37348.ds b/testdata/10-unbound-anchor.tdir/K.+005+37348.ds
new file mode 100644
index 000000000000..1b98f044f475
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/K.+005+37348.ds
@@ -0,0 +1 @@
+.	3600	IN	DS	37348 5 1 b56a31943f14faa31224d147f8b1107b78598eb2 ; xotek-pusin-gezoc-gevep-feged-gigyg-livor-cagil-riveh-nafar-duxix
diff --git a/testdata/10-unbound-anchor.tdir/K.+005+37348.key b/testdata/10-unbound-anchor.tdir/K.+005+37348.key
new file mode 100644
index 000000000000..65506139333a
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/K.+005+37348.key
@@ -0,0 +1 @@
+.	3600	IN	DNSKEY	257 3 5 AwEAAcjV/I6yYY0LGBEqBFZS0K6zcbCVAfarbOoCKBUEfsR/nVdy3pwMydXopUVhg4Z07tTu8w2gYTPALPv5E6EJFJebA34R0OcvTPRDr3671zVwZO9HyQK+RuT/0d7G/pdCeJX2gHHiVrG796nf078O/agtojZ8+HJ1V3oLnDZYBSDWv2oL2LB2Mpj+610W7RrmEmQQm2KaMP6aX3YMbAyBIrDjVzJTir4/WwJEHRHq59Xw91egJkS2bp0KIK3J3tQFqw== ;{id = 37348 (ksk), size = 1536b}
diff --git a/testdata/10-unbound-anchor.tdir/K.+005+37348.private b/testdata/10-unbound-anchor.tdir/K.+005+37348.private
new file mode 100644
index 000000000000..1e4f9c51f410
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/K.+005+37348.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: yNX8jrJhjQsYESoEVlLQrrNxsJUB9qts6gIoFQR+xH+dV3LenAzJ1eilRWGDhnTu1O7zDaBhM8As+/kToQkUl5sDfhHQ5y9M9EOvfrvXNXBk70fJAr5G5P/R3sb+l0J4lfaAceJWsbv3qd/Tvw79qC2iNnz4cnVXegucNlgFINa/agvYsHYymP7rXRbtGuYSZBCbYpow/ppfdgxsDIEisONXMlOKvj9bAkQdEern1fD3V6AmRLZunQogrcne1AWr
+PublicExponent: AQAB
+PrivateExponent: XKH2f4rfW8LGMwSCQ56nCi1SPvQ7l56x+a1M94S/Q7row7ED5E4xuiw4LqwvkhDVJ/meuaZDry7wkLftydT6XoLtNXTaOgejIvclNvtE5C0XIRanLFC/OliUYIDAZNwPGVCYX8ZIfcbi1Sp5Ng9EofCb1haSGn/Wnar31knaweRdTrAUIPl49+QhJmaHCrTtHVuYEOZjIaOPSGIBvxZAk//3yF6FXY3RVRaNRTcELWvLclSdtt52etVV0/SEWhjh
+Prime1: 4wEpv8UVvqOkOKSxeu1ao42FWHwqzwUdFyNeKrUxg3E7ad5i9V0aaFhqbJKzQtVUreeEtoXsSRvjvbWJ4wSCwEay1qVD4xEJ4UFtasESxQvv1iVsBQ7zEywRkwSIT46/
+Prime2: 4n0h+1TXflSEqdxC4lPiwyIC/z+1iyq0kFru70SB395S44HAynbQBdsapZX29msfl+/tiu2DncIXe1oVaDDqPpbrOT5NZMH9xQnZDSCbM8l7Gyx5UB3MsbT+71J2VrAV
+Exponent1: p81LTDvmyAZ1NX3gyCq+TpolkPQwPNnd2CXHzTAlirFgJvFCG3gYNjvtZ5bFtki2ENtMShQTRzO7lJemds71zCY2ut5toWMN95oCxOA1/LzHLHh7Mf4MBwcTcqbuEElH
+Exponent2: w0ZyWxkuZxyF+VIQVMVQuT+E6ABNDX03i1LruV4OwC8WtlM0HxxLhREBK41eDd4UslJKM8NO/GDRECh+VoP+IxLKImPGJL5hh1ZTTs8zIXZw7t/shJf82acdOsiVgW51
+Coefficient: 10OZvNAPHe/wBO2+AO49EUohPksOxFy9dwspB1XUjlPB9zv93dUfZdou3pjZq1EkxnRChaAwmRMYxks3UiTmDuybMNzKlaFQajyB+UowjA1dStFYbDFpVrIqv6H0q7W2
diff --git a/testdata/10-unbound-anchor.tdir/keys/test_cert.key b/testdata/10-unbound-anchor.tdir/keys/test_cert.key
new file mode 100644
index 000000000000..b860b1b298e6
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/keys/test_cert.key
@@ -0,0 +1,21 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIDfAIBAAKBwQC48GhhmIU66TZKc3QiyF4L5bsm8Aly/y2SzLP+GACepK0OcOtD
+i2sXrTtoJDvGOPZ9ICqmIy8u/Q/cK26txNEeZFcClLcYF/U+NaqjEwrwkHEIgc3g
+8qnKrhzM61I8foAWVT7cqxFHDKYuClNITXk1i//Yzpnf9wvVKQ51W9UOtm/WA7g4
+IDHCuAjocyyNC3B7XqYawFDOsdMI4ZW7hC0hIRQOvBkvbvY8WxmsSkdd30u1KmoI
+Sg4y6OvnikrEEQkCAwEAAQKBwQC3hQlv37RF82sGkm8qnP6Ge+AuEYCu9v44cJ4k
+hZkH1I5OiEtN6anKAwOyolIWsCwZmrP3zW5jCIiWiRr5oReLOzMEwqK2a//XTdYY
+oSr38b3ZHUY59VP8Zq75woMGuNed35kAmGxzDRP1gI/TmvTvaHlqYyvxBtxnZJij
+Za1CrT+a9JvR6hI8xXrE33CF0T6JO1v3v0HeBuve5+83cCHKo+GyqIBjL3FJgefZ
+EsPz6rGnPDKTYgMyaljFV3LI5ikCYQDlaBnyiWk1C7tYO5x3CRoHoiuiiREZCncK
+QkSxjiDoSP0rc+3BQp2kG3yy6S9mN4qMQPELEtBa6bORogxNK+Pxg8TRI/+xgeFt
+bod5Bd4pfl6Y5hXm21JwELFlOzPI3PMCYQDOYK6Z7vegiOJyyAJXMjcI07H8S0Gr
+SZW8f4tHRzO+RrRpR5ANzarELX7nF/Qj5mPXiZNiiMDGocxqkNzIa5HFLOqBhRkv
+o7yC1Cj582dUBFHyEbsZxR6UMTPLdE3UaRMCYACC1Nv3dmaJ2ib+KwEQ4h/2Ooao
+K4OUxGMfdqu2l1gtIXNBVNxDW7qL3SFA57wgj4x0cJUHu7MYJjBC3igl2uIk2wFk
+RSOOGIR35JFec/o/r9JDYPUcs/hP8TU6hokCBQJgHbH/rZqa+vh3TPjGjXFmRdjg
+JWNWwaTG7OaVTd5K7bgSwYtQiQvs5Gl/dxUVRg0ilKLxGB6BTpN9bGAHxLbltK9v
+1s8l/praxyBr/PsvBQHSILi4aU7ZxY0G3OGRSV0NAmBx28Msdgc0yHh3qSkbwVEr
+gr7av1iOH73ee+o4CmMWXYUBHOMW5Su0s0QHjNGDMiRiRoCvzYqdLcJj9/sFJxOT
+CM35WGGeKDMNubX7C6YroQ91q7kUmhi7HHY3QOyhCDU=
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/10-unbound-anchor.tdir/keys/test_cert.pem b/testdata/10-unbound-anchor.tdir/keys/test_cert.pem
new file mode 100644
index 000000000000..6e588a4abc8f
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/keys/test_cert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICWTCCAYKgAwIBAgIJAN5YIkuCvJf5MA0GCSqGSIb3DQEBBQUAMCYxDjAMBgNV
+BAMTBXBldGFsMRQwEgYJKoZIhvcNAQkBFgVwZXRhbDAeFw0xMzAxMTcxMTUyNDVa
+Fw0zMjEwMDQxMTUyNDVaMCYxDjAMBgNVBAMTBXBldGFsMRQwEgYJKoZIhvcNAQkB
+FgVwZXRhbDCB3zANBgkqhkiG9w0BAQEFAAOBzQAwgckCgcEAuPBoYZiFOuk2SnN0
+IsheC+W7JvAJcv8tksyz/hgAnqStDnDrQ4trF607aCQ7xjj2fSAqpiMvLv0P3Ctu
+rcTRHmRXApS3GBf1PjWqoxMK8JBxCIHN4PKpyq4czOtSPH6AFlU+3KsRRwymLgpT
+SE15NYv/2M6Z3/cL1SkOdVvVDrZv1gO4OCAxwrgI6HMsjQtwe16mGsBQzrHTCOGV
+u4QtISEUDrwZL272PFsZrEpHXd9LtSpqCEoOMujr54pKxBEJAgMBAAGjDzANMAsG
+A1UdDwQEAwIChDANBgkqhkiG9w0BAQUFAAOBwQCaA3ys5hDPMNV1oXIxH6u2KfAX
+C9tYJId/SR0x8whsZuNaSEZAgImdM5dnyWdjey8Pio772E9/F2aUBGFkdadZx4My
+d7hBfEi/NECEKs86k9g0ijbin41NKtnajb6GwyNQ9vDx7Z5FS8BZ3CD0BZIdCQUE
+gKuDSWBROQU3tqrjdk2QTwGQkj2mgzT871Jn1MwZw0mczPjS1y469Ejym8wi3uCd
+EboDOoGBCpmUQbxBv6JI75cUCdmNNEwjQjZ0XQw=
+-----END CERTIFICATE-----
diff --git a/testdata/10-unbound-anchor.tdir/keys/unbound-control-setup b/testdata/10-unbound-anchor.tdir/keys/unbound-control-setup
new file mode 100755
index 000000000000..3e593119909c
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/keys/unbound-control-setup
@@ -0,0 +1,167 @@
+#!/bin/sh
+#
+# unbound-control-setup.sh - set up SSL certificates for unbound-control
+#
+# Copyright (c) 2008, NLnet Labs. All rights reserved.
+#
+# This software is open source.
+# 
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 
+# Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+# 
+# Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation
+# and/or other materials provided with the distribution.
+# 
+# Neither the name of the NLNET LABS nor the names of its contributors may
+# be used to endorse or promote products derived from this software without
+# specific prior written permission.
+# 
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+# settings:
+
+# directory for files
+DESTDIR=/usr/local/etc/unbound
+
+# issuer and subject name for certificates
+SERVERNAME=petal
+CLIENTNAME=unbound-anchor
+
+# validity period for certificates
+DAYS=7200
+
+# size of keys in bits
+BITS=1536
+
+# hash algorithm
+HASH=sha1
+
+# base name for unbound server keys
+SVR_BASE=test_cert
+
+# base name for unbound-control keys
+CTL_BASE=unbound_control
+
+# we want -rw-r--- access (say you run this as root: grp=yes (server), all=no).
+umask 0026
+
+# end of options
+
+# functions:
+error ( ) {
+	echo "$0 fatal error: $1"
+	exit 1
+}
+
+# check arguments:
+while test $# -ne 0; do
+	case $1 in
+	-d)
+	if test $# -eq 1; then error "need argument for -d"; fi
+	DESTDIR="$2"
+	shift
+	;;
+	*)
+	echo "unbound-control-setup.sh - setup SSL keys for unbound-control"
+	echo "	-d dir	use directory to store keys and certificates."
+	echo "		default: $DESTDIR"
+	echo "please run this command using the same user id that the "
+	echo "unboun daemon uses, it needs read privileges."
+	exit 1
+	;;
+	esac
+	shift
+done
+
+# go!:
+echo "setup in directory $DESTDIR"
+cd "$DESTDIR" || error "could not cd to $DESTDIR"
+
+# create certificate keys; do not recreate if they already exist.
+if test -f $SVR_BASE.key; then
+	echo "$SVR_BASE.key exists"
+else
+	echo "generating $SVR_BASE.key"
+	openssl genrsa -out $SVR_BASE.key $BITS || error "could not genrsa"
+fi
+if test -f $CTL_BASE.key; then
+	echo "$CTL_BASE.key exists"
+else
+	echo "generating $CTL_BASE.key"
+	openssl genrsa -out $CTL_BASE.key $BITS || error "could not genrsa"
+fi
+
+# create self-signed cert for server
+cat >request.cfg <<EOF
+[req]
+default_bits=$BITS
+default_md=$HASH
+prompt=no
+distinguished_name=req_distinguished_name
+x509_extensions=v3_ca
+
+[req_distinguished_name]
+commonName=$SERVERNAME
+emailAddress=$SERVERNAME
+
+[v3_ca]
+keyUsage=digitalSignature, keyCertSign
+EOF
+test -f request.cfg || error "could not create request.cfg"
+
+echo "create $SVR_BASE.pem (self signed certificate)"
+openssl req -key $SVR_BASE.key -config request.cfg  -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
+# create trusted usage pem
+openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
+
+# create client request and sign it, piped
+cat >request.cfg <<EOF
+[req]
+default_bits=$BITS
+default_md=$HASH
+prompt=no
+distinguished_name=req_distinguished_name
+
+[req_distinguished_name]
+commonName=$CLIENTNAME
+EOF
+test -f request.cfg || error "could not create request.cfg"
+
+echo "create $CTL_BASE.pem (signed client certificate)"
+openssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -$HASH -out $CTL_BASE.pem
+test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem"
+# create trusted usage pem
+# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"
+
+# see details with openssl x509 -noout -text < $SVR_BASE.pem
+# echo "create $CTL_BASE""_browser.pfx (web client certificate)"
+# echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:"
+# echo "preferences - advanced - encryption - view certificates - your certs"
+# echo "empty password is used, simply click OK on the password dialog box."
+# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate"
+
+# remove unused permissions
+chmod o-rw $SVR_BASE.pem $SVR_BASE.key $CTL_BASE.pem $CTL_BASE.key
+
+# remove crap
+rm -f request.cfg
+rm -f $CTL_BASE"_trust.pem" $SVR_BASE"_trust.pem" $SVR_BASE"_trust.srl"
+
+echo "Setup success. Certificates created. Enable in unbound.conf file to use"
+
+exit 0
diff --git a/testdata/10-unbound-anchor.tdir/keys/unbound_control.key b/testdata/10-unbound-anchor.tdir/keys/unbound_control.key
new file mode 100644
index 000000000000..47d15dd3707f
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/keys/unbound_control.key
@@ -0,0 +1,21 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIDfAIBAAKBwQC2p0MTVVEfvOpaWlI6rLKGxaHfw/4JUxXCwDHRkkyB0hkISRMx
+8imB+io0aY2Uck9zl0BTgPaKtFeA0+lukZk75keOuATPFZwbCGs+6Tx5AoN4+NzI
+aVay5AuO8E1u6AVdmcAqByP+R92yz5f3T93/cSsYzqPZ6Y1wO9sabtrkGTYwnfMg
+nSttyvlBIhRDWbEO+rWL2CCi0JtrnpiK8sa2ysQCq9Y6ZiGjT9PEWIZwkxQ6y5TI
+WVtyitoknpDheZcCAwEAAQKBwAgeXSPh2e5ANmZ3t0n2XSUSacSJcKQ3djMm2dAH
+4bCvhv9QSDMjIWcumGul+W4Muq1XnrtXcx3tMCqAwNJyVE5OSQX19fjCbCLjd+je
+8xop23AoF6As1nazHjRnR/nTBD7QNx2xbaW8RNbaGpTe2G2lpdbg9myRpyqiB8Pk
+73x/AQcPqm4SHBJS+kU/Q9k9yZRHGQ/PhYlvAmY0SCndew28Pcs+IdCI32k7e/aP
+SCEQvVqKeIiSJ0Zj8RSk8Pz1cQJhANtNsvcEa2V8NxI9yL2zwvBXwoBuU+d9Pszt
+Ooqc/kmvU0FV06HgiIPtTSoHLI7Zh9h5Xn4DFGmtS8WeGhwSVCN1iwcW9F2ldgAw
+LXcoXjEK21KXYFNAYeo07vul/Ly/yQJhANU3lM8hAqq7FB4R5zgUCcp08FOVA8tl
+kEK1JoAdfp6Wv4M2xGJ6tmKcf92r0F8zBDV6oZX/dtPwFzWhBZUi+zaA8PcEqbwt
+CJtmM5ycoX6kkkIfXtAVNZiTIYHn01beXwJgQBFA+V03KtzREeku3gzIJILe9bpF
+lNlIIYIkmh4nQ8uOnQW/4AjCmRgYdPDHmav/PcSnUFUB/6V6/26i3hSUtA9A4H9a
+QIl4IbHxdmA6tEUhsc07fNbQRCXWs3nYjiPRAmEAjDe4MhsYYOUUzs2hTFzJL46F
+ucHGtA0/uM7e2eQLsAmdOpJaxhTDOsiGwmXKa8DmJLFX8IgHQkujR850GGbf5DEZ
+xqkXYrwO6/tjN7w97EYYNUniFV/NVmBz6bVmY7trAmAvvg7MoBlb/o6nwoCQqnUM
+QyjIy9A0t8+KHNMFSQwUldG+HIwiU4/7y2zCqBYJg8NOjrdj/3+73A24rP8wRp15
+zqQCS7mLLWmYx7pWE1ZHN8eY3xGoHmr7LzlB+dzYG+w=
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/10-unbound-anchor.tdir/keys/unbound_control.pem b/testdata/10-unbound-anchor.tdir/keys/unbound_control.pem
new file mode 100644
index 000000000000..ec7cd7e7814d
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/keys/unbound_control.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICNjCCAV8CCQCbt2WrJa/ewzANBgkqhkiG9w0BAQUFADAmMQ4wDAYDVQQDEwVw
+ZXRhbDEUMBIGCSqGSIb3DQEJARYFcGV0YWwwHhcNMTMwMTE3MTE1MjQ1WhcNMzIx
+MDA0MTE1MjQ1WjAZMRcwFQYDVQQDEw51bmJvdW5kLWFuY2hvcjCB3zANBgkqhkiG
+9w0BAQEFAAOBzQAwgckCgcEAtqdDE1VRH7zqWlpSOqyyhsWh38P+CVMVwsAx0ZJM
+gdIZCEkTMfIpgfoqNGmNlHJPc5dAU4D2irRXgNPpbpGZO+ZHjrgEzxWcGwhrPuk8
+eQKDePjcyGlWsuQLjvBNbugFXZnAKgcj/kfdss+X90/d/3ErGM6j2emNcDvbGm7a
+5Bk2MJ3zIJ0rbcr5QSIUQ1mxDvq1i9ggotCba56YivLGtsrEAqvWOmYho0/TxFiG
+cJMUOsuUyFlbcoraJJ6Q4XmXAgMBAAEwDQYJKoZIhvcNAQEFBQADgcEAhc3wYcbD
+Uu9Osbu3bhbxLCkhedq/3weEO8RDU3AyB8diioAikagIOb99UeVE3WIds+JIPD6J
+mK5UvS+lPR8SEOMRd0H91bEEp1Zn+gHAS/Z7k/x9t38Xk1N0jOnElc6n4vl42KLO
+z2laJWcte7YXjzFjaNxP9fsGgEx1vRxcjtpXQWSY+oj+RVm5kRs5WKX5MCyD/p+y
+Xitg7/a0ITKbW1GpVwaX6nPaeoze68m3qmy64l080XCna3igbhi3h2ay
+-----END CERTIFICATE-----
diff --git a/testdata/10-unbound-anchor.tdir/keys/unbound_server.key b/testdata/10-unbound-anchor.tdir/keys/unbound_server.key
new file mode 100644
index 000000000000..6614e498fcd2
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/keys/unbound_server.key
@@ -0,0 +1,21 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIDfQIBAAKBwQC1xQ/Kca6zszZbcCtdOTIH2Uy2gOy/DfabMUU7TmNPm0dVE0NJ
+RuN+Rm304SonpwghfP2/ULZNnuDgpG03/32yI7k/VzG6iA4hiF7tT/KAAWC/+2l1
+QCsawCV2bSrFK0VhcZr7ALqXd8vkDaQ867K029ypjOQtAJ85qdO3mERy7TGtdUcu
+O6hLeVet419YeQ2F8cfNxn63d7bOzNGLPW5xwaCd3UcgD+Ib0k4xfFvbinvPQUeU
+J/i4YDWexFYSL+ECAwEAAQKBwCLXXQl+9O+5AEhSnd1Go1Jh0pSA7eBJOuXQcebG
+Rb7ykp+6C4G2NtDziwwPRNdI6wQQQ0sym18RfyVQHydGr78/nbiIbB3HCn5e92Mh
+mefzW6ow9Kvm2txLzGKA1lvoyRbNm81jnG/eygi3u7Nqd5PNv+4dHj2RkTlmxOeh
+qnDMVP5md8uZPv6lYNnrnIzvLCR5vnPNdVwn89AqzI85IcDZdy0R9ZX4NBbsDgAU
+6ig6uXuRXvSGiyJ/OUXSrnogaQJhAOjvkHUhVZQkPOxO90TNH4j0GdKKtbSWxIdz
+lKfuJeBAEqs0TL+C6vbS81Xw3W1alyDdUBk3rJMOBqW6Ryq5HNL+j5H+Jfsh7fvc
+Yle+5wHGci0P9zCFZCrY8It7n9XFIwJhAMfEi6oJa2G8waPJ1bQhxka82Tf9pnKM
+XCn/1BBOFjVIx5F842cpA+zp5a62GENTGYPQTTRBB/2/ZwnW5aIkrlg54AtmbqBZ
+Oh+2kJdJQD/tfoVmc5soUE2ScTHadK5RKwJhAN4w9kjkXS+MSZjX0kIMsBIBVkhh
+C+aREjJqa9ir7/Ey7RvmLXdYuCxtGLRXp7/R8+rjcK49Tx6O+IRJZe042mfhbq3C
+EhS1Tr86f4xXix9EXlDhs9bSxrOgcAN9Dv/opQJhAK7eBcPaav0rVfYh/8emqQHS
+3fJ9Pu6WnzbEksWTFS2ff9KDGCx9YspIFJ5TF/oXDAaumGZdZrlgirm6O1kr8tGY
+F97i04PZl1+bWAaWQH+1TUNI43m2WFUPE7coG2tb8QJgcddDg9VlXliZqgcETZfJ
+kJmYETxrcSn3ao6v116N8yxhEgUgjkmsCTiFgx36iDVnXwK6PIt+sIu8MC7eYNa3
+berrv/M21K0LRn20IWRxvUobG070weHCAgkko7fTWgr2
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/10-unbound-anchor.tdir/keys/unbound_server.pem b/testdata/10-unbound-anchor.tdir/keys/unbound_server.pem
new file mode 100644
index 000000000000..19c8b895ba86
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/keys/unbound_server.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICFzCCAUACCQDO660L5y5LGDANBgkqhkiG9w0BAQUFADAQMQ4wDAYDVQQDEwVw
+ZXRhbDAeFw0xMDA5MzAxMzQzMDFaFw0zMDA2MTcxMzQzMDFaMBAxDjAMBgNVBAMT
+BXBldGFsMIHfMA0GCSqGSIb3DQEBAQUAA4HNADCByQKBwQC1xQ/Kca6zszZbcCtd
+OTIH2Uy2gOy/DfabMUU7TmNPm0dVE0NJRuN+Rm304SonpwghfP2/ULZNnuDgpG03
+/32yI7k/VzG6iA4hiF7tT/KAAWC/+2l1QCsawCV2bSrFK0VhcZr7ALqXd8vkDaQ8
+67K029ypjOQtAJ85qdO3mERy7TGtdUcuO6hLeVet419YeQ2F8cfNxn63d7bOzNGL
+PW5xwaCd3UcgD+Ib0k4xfFvbinvPQUeUJ/i4YDWexFYSL+ECAwEAATANBgkqhkiG
+9w0BAQUFAAOBwQBBkX9KDP2RXbg+xPmdJ4P6CwvA5x1LZwC++ydVx4NlvT0pWicD
+ZUnXjcWAJlkeOuUBAqFG7WHTrXpUUAjmdqFVq2yFjteUYBdrFz0RDB2jM9feeKYO
+mTgxdZyT9a6humxCxt5VfgT02axLjm/2AqCyFPMbf4PASoJDln01AEuZLZ8Xl2gV
+bYHMnHTGoD1Hu6FNEzRgkMC6XT8X3YjHvzQhpc/qL5wEfEsinQGdX4twsuWbf8xd
+q7miNnkO8vd0maw=
+-----END CERTIFICATE-----
diff --git a/testdata/10-unbound-anchor.tdir/petal.key b/testdata/10-unbound-anchor.tdir/petal.key
new file mode 100644
index 000000000000..6614e498fcd2
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/petal.key
@@ -0,0 +1,21 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIDfQIBAAKBwQC1xQ/Kca6zszZbcCtdOTIH2Uy2gOy/DfabMUU7TmNPm0dVE0NJ
+RuN+Rm304SonpwghfP2/ULZNnuDgpG03/32yI7k/VzG6iA4hiF7tT/KAAWC/+2l1
+QCsawCV2bSrFK0VhcZr7ALqXd8vkDaQ867K029ypjOQtAJ85qdO3mERy7TGtdUcu
+O6hLeVet419YeQ2F8cfNxn63d7bOzNGLPW5xwaCd3UcgD+Ib0k4xfFvbinvPQUeU
+J/i4YDWexFYSL+ECAwEAAQKBwCLXXQl+9O+5AEhSnd1Go1Jh0pSA7eBJOuXQcebG
+Rb7ykp+6C4G2NtDziwwPRNdI6wQQQ0sym18RfyVQHydGr78/nbiIbB3HCn5e92Mh
+mefzW6ow9Kvm2txLzGKA1lvoyRbNm81jnG/eygi3u7Nqd5PNv+4dHj2RkTlmxOeh
+qnDMVP5md8uZPv6lYNnrnIzvLCR5vnPNdVwn89AqzI85IcDZdy0R9ZX4NBbsDgAU
+6ig6uXuRXvSGiyJ/OUXSrnogaQJhAOjvkHUhVZQkPOxO90TNH4j0GdKKtbSWxIdz
+lKfuJeBAEqs0TL+C6vbS81Xw3W1alyDdUBk3rJMOBqW6Ryq5HNL+j5H+Jfsh7fvc
+Yle+5wHGci0P9zCFZCrY8It7n9XFIwJhAMfEi6oJa2G8waPJ1bQhxka82Tf9pnKM
+XCn/1BBOFjVIx5F842cpA+zp5a62GENTGYPQTTRBB/2/ZwnW5aIkrlg54AtmbqBZ
+Oh+2kJdJQD/tfoVmc5soUE2ScTHadK5RKwJhAN4w9kjkXS+MSZjX0kIMsBIBVkhh
+C+aREjJqa9ir7/Ey7RvmLXdYuCxtGLRXp7/R8+rjcK49Tx6O+IRJZe042mfhbq3C
+EhS1Tr86f4xXix9EXlDhs9bSxrOgcAN9Dv/opQJhAK7eBcPaav0rVfYh/8emqQHS
+3fJ9Pu6WnzbEksWTFS2ff9KDGCx9YspIFJ5TF/oXDAaumGZdZrlgirm6O1kr8tGY
+F97i04PZl1+bWAaWQH+1TUNI43m2WFUPE7coG2tb8QJgcddDg9VlXliZqgcETZfJ
+kJmYETxrcSn3ao6v116N8yxhEgUgjkmsCTiFgx36iDVnXwK6PIt+sIu8MC7eYNa3
+berrv/M21K0LRn20IWRxvUobG070weHCAgkko7fTWgr2
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/10-unbound-anchor.tdir/petal.pem b/testdata/10-unbound-anchor.tdir/petal.pem
new file mode 100644
index 000000000000..19c8b895ba86
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/petal.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICFzCCAUACCQDO660L5y5LGDANBgkqhkiG9w0BAQUFADAQMQ4wDAYDVQQDEwVw
+ZXRhbDAeFw0xMDA5MzAxMzQzMDFaFw0zMDA2MTcxMzQzMDFaMBAxDjAMBgNVBAMT
+BXBldGFsMIHfMA0GCSqGSIb3DQEBAQUAA4HNADCByQKBwQC1xQ/Kca6zszZbcCtd
+OTIH2Uy2gOy/DfabMUU7TmNPm0dVE0NJRuN+Rm304SonpwghfP2/ULZNnuDgpG03
+/32yI7k/VzG6iA4hiF7tT/KAAWC/+2l1QCsawCV2bSrFK0VhcZr7ALqXd8vkDaQ8
+67K029ypjOQtAJ85qdO3mERy7TGtdUcuO6hLeVet419YeQ2F8cfNxn63d7bOzNGL
+PW5xwaCd3UcgD+Ib0k4xfFvbinvPQUeUJ/i4YDWexFYSL+ECAwEAATANBgkqhkiG
+9w0BAQUFAAOBwQBBkX9KDP2RXbg+xPmdJ4P6CwvA5x1LZwC++ydVx4NlvT0pWicD
+ZUnXjcWAJlkeOuUBAqFG7WHTrXpUUAjmdqFVq2yFjteUYBdrFz0RDB2jM9feeKYO
+mTgxdZyT9a6humxCxt5VfgT02axLjm/2AqCyFPMbf4PASoJDln01AEuZLZ8Xl2gV
+bYHMnHTGoD1Hu6FNEzRgkMC6XT8X3YjHvzQhpc/qL5wEfEsinQGdX4twsuWbf8xd
+q7miNnkO8vd0maw=
+-----END CERTIFICATE-----
diff --git a/testdata/10-unbound-anchor.tdir/signit b/testdata/10-unbound-anchor.tdir/signit
new file mode 100644
index 000000000000..dd60205223fb
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/signit
@@ -0,0 +1,10 @@
+# PKCS7 sign it
+#infile=127.0.0.1/no_more_keys.xml
+#outfile=127.0.0.1/no_more_keys.p7s
+infile=127.0.0.1/root.xml
+outfile=127.0.0.1/root.p7s
+set -v
+
+openssl smime -sign -in $infile -out $outfile -inkey test_cert.key -signer test_cert.pem -outform DER -binary || echo "could not sign"
+openssl smime -verify -content $infile -in $outfile -inform DER -CAfile test_cert.pem || echo "could not verify"
+openssl pkcs7 -print_certs -inform der -in $outfile -text
diff --git a/testdata/10-unbound-anchor.tdir/test_cert.key b/testdata/10-unbound-anchor.tdir/test_cert.key
new file mode 100644
index 000000000000..b860b1b298e6
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/test_cert.key
@@ -0,0 +1,21 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIDfAIBAAKBwQC48GhhmIU66TZKc3QiyF4L5bsm8Aly/y2SzLP+GACepK0OcOtD
+i2sXrTtoJDvGOPZ9ICqmIy8u/Q/cK26txNEeZFcClLcYF/U+NaqjEwrwkHEIgc3g
+8qnKrhzM61I8foAWVT7cqxFHDKYuClNITXk1i//Yzpnf9wvVKQ51W9UOtm/WA7g4
+IDHCuAjocyyNC3B7XqYawFDOsdMI4ZW7hC0hIRQOvBkvbvY8WxmsSkdd30u1KmoI
+Sg4y6OvnikrEEQkCAwEAAQKBwQC3hQlv37RF82sGkm8qnP6Ge+AuEYCu9v44cJ4k
+hZkH1I5OiEtN6anKAwOyolIWsCwZmrP3zW5jCIiWiRr5oReLOzMEwqK2a//XTdYY
+oSr38b3ZHUY59VP8Zq75woMGuNed35kAmGxzDRP1gI/TmvTvaHlqYyvxBtxnZJij
+Za1CrT+a9JvR6hI8xXrE33CF0T6JO1v3v0HeBuve5+83cCHKo+GyqIBjL3FJgefZ
+EsPz6rGnPDKTYgMyaljFV3LI5ikCYQDlaBnyiWk1C7tYO5x3CRoHoiuiiREZCncK
+QkSxjiDoSP0rc+3BQp2kG3yy6S9mN4qMQPELEtBa6bORogxNK+Pxg8TRI/+xgeFt
+bod5Bd4pfl6Y5hXm21JwELFlOzPI3PMCYQDOYK6Z7vegiOJyyAJXMjcI07H8S0Gr
+SZW8f4tHRzO+RrRpR5ANzarELX7nF/Qj5mPXiZNiiMDGocxqkNzIa5HFLOqBhRkv
+o7yC1Cj582dUBFHyEbsZxR6UMTPLdE3UaRMCYACC1Nv3dmaJ2ib+KwEQ4h/2Ooao
+K4OUxGMfdqu2l1gtIXNBVNxDW7qL3SFA57wgj4x0cJUHu7MYJjBC3igl2uIk2wFk
+RSOOGIR35JFec/o/r9JDYPUcs/hP8TU6hokCBQJgHbH/rZqa+vh3TPjGjXFmRdjg
+JWNWwaTG7OaVTd5K7bgSwYtQiQvs5Gl/dxUVRg0ilKLxGB6BTpN9bGAHxLbltK9v
+1s8l/praxyBr/PsvBQHSILi4aU7ZxY0G3OGRSV0NAmBx28Msdgc0yHh3qSkbwVEr
+gr7av1iOH73ee+o4CmMWXYUBHOMW5Su0s0QHjNGDMiRiRoCvzYqdLcJj9/sFJxOT
+CM35WGGeKDMNubX7C6YroQ91q7kUmhi7HHY3QOyhCDU=
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/10-unbound-anchor.tdir/test_cert.pem b/testdata/10-unbound-anchor.tdir/test_cert.pem
new file mode 100644
index 000000000000..6e588a4abc8f
--- /dev/null
+++ b/testdata/10-unbound-anchor.tdir/test_cert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICWTCCAYKgAwIBAgIJAN5YIkuCvJf5MA0GCSqGSIb3DQEBBQUAMCYxDjAMBgNV
+BAMTBXBldGFsMRQwEgYJKoZIhvcNAQkBFgVwZXRhbDAeFw0xMzAxMTcxMTUyNDVa
+Fw0zMjEwMDQxMTUyNDVaMCYxDjAMBgNVBAMTBXBldGFsMRQwEgYJKoZIhvcNAQkB
+FgVwZXRhbDCB3zANBgkqhkiG9w0BAQEFAAOBzQAwgckCgcEAuPBoYZiFOuk2SnN0
+IsheC+W7JvAJcv8tksyz/hgAnqStDnDrQ4trF607aCQ7xjj2fSAqpiMvLv0P3Ctu
+rcTRHmRXApS3GBf1PjWqoxMK8JBxCIHN4PKpyq4czOtSPH6AFlU+3KsRRwymLgpT
+SE15NYv/2M6Z3/cL1SkOdVvVDrZv1gO4OCAxwrgI6HMsjQtwe16mGsBQzrHTCOGV
+u4QtISEUDrwZL272PFsZrEpHXd9LtSpqCEoOMujr54pKxBEJAgMBAAGjDzANMAsG
+A1UdDwQEAwIChDANBgkqhkiG9w0BAQUFAAOBwQCaA3ys5hDPMNV1oXIxH6u2KfAX
+C9tYJId/SR0x8whsZuNaSEZAgImdM5dnyWdjey8Pio772E9/F2aUBGFkdadZx4My
+d7hBfEi/NECEKs86k9g0ijbin41NKtnajb6GwyNQ9vDx7Z5FS8BZ3CD0BZIdCQUE
+gKuDSWBROQU3tqrjdk2QTwGQkj2mgzT871Jn1MwZw0mczPjS1y469Ejym8wi3uCd
+EboDOoGBCpmUQbxBv6JI75cUCdmNNEwjQjZ0XQw=
+-----END CERTIFICATE-----
diff --git a/testdata/10-unbound-anchor.tpkg b/testdata/10-unbound-anchor.tpkg
deleted file mode 100644
index db8680a647aa..000000000000
--- a/testdata/10-unbound-anchor.tpkg
+++ /dev/null
diff --git a/testdata/common.sh b/testdata/common.sh
index 2a8ec7bb34bf..f6d72c2f046a 100755
--- a/testdata/common.sh
+++ b/testdata/common.sh
@@ -6,7 +6,7 @@
 # 2011-02-18: ports check on BSD,Solaris. wait_nsd_up.
 # 2011-02-11: first version.
 #
-# include this file from a tpkg script with
+# include this file from a tdir script with
 #   . ../common.sh
 #
 # overview of functions available:
diff --git a/testdata/ctrl_itr.tdir/bad_control.key b/testdata/ctrl_itr.tdir/bad_control.key
new file mode 100644
index 000000000000..d29cdbc91b37
--- /dev/null
+++ b/testdata/ctrl_itr.tdir/bad_control.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDti51Z6qASvAjPFFhLLlq8BwtsnmfqMPMn57dKAghb4OifeL4G
+SLOE02/hKDkdkOvaUG2UqDNh2OoPTuJk4A+mG2LJoziFhHKlIebo9v2YiFWOBVtO
+DWc3tXPT1IlSEN0xnAGelMmeLcPeCPe+A5IDlIHzF/+YiDgS38S9dL17owIDAQAB
+AoGAG3w/DatfMCu/nS5OdQx9BSqPgNbnUSqux9xA0fhgPTlN0T3oRtPcqa7JUDUW
+PryI/a62ry+zGkw98N2AxolCZg3N7Z3vuRx2FMcKKNwpTzDmcZW7TmMk5FPof6gE
+PnYl/ff0w+kxqA+L2EexH3Xi6ApLSZcjyzKWj+dL2AuT9gkCQQD3dPitwITxgCAD
+IaHw23e3FRkM/hw1Gp8bt6nbuxitVxxpO96q1EQ+fCy/mf0bMEJDp3xzMEIfP3r4
+GmNbaxa1AkEA9b8LeBLbQ2cm2+UMeUgygBsRirdUQ786auqH38Jbvi/j6S9sDl2x
+q1vRtikEBZJWfkhsOzrzwFDKe1bI/EEn9wJAAzOwRA9JqRZPU7sLrWIpmmTbfh+L
+neRKSsGFoSI6n4ORCouLxgoZF/XjXldPvxpQwS9ZnOPy9xSLMsqknno0QQJAeDtA
+IT8Yh6GwIWWu9KeeDY8wxe1sDLlCm4yjbZZpzGMh3rSU6XJtuqjxsW3fydoO9zn3
+ugLdvvnIFxAexUwbgQJBANyM13xcObfUJOj9rjlGCh0CDh/04ONl8SH8HBnM8guA
+RJI5S6vBHweVRopEZcF1sQm6wMf3ej/sGkyyNvJxRkY=
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/ctrl_itr.tdir/bad_control.pem b/testdata/ctrl_itr.tdir/bad_control.pem
new file mode 100644
index 000000000000..e06b847208e3
--- /dev/null
+++ b/testdata/ctrl_itr.tdir/bad_control.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBozCCAQwCCQDd5/rocjG5vDANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkyNjEyMjQ0NFoXDTI4MDYxMzEyMjQ0NFowGjEYMBYGA1UE
+AxMPdW5ib3VuZC1jb250cm9sMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDt
+i51Z6qASvAjPFFhLLlq8BwtsnmfqMPMn57dKAghb4OifeL4GSLOE02/hKDkdkOva
+UG2UqDNh2OoPTuJk4A+mG2LJoziFhHKlIebo9v2YiFWOBVtODWc3tXPT1IlSEN0x
+nAGelMmeLcPeCPe+A5IDlIHzF/+YiDgS38S9dL17owIDAQABMA0GCSqGSIb3DQEB
+BQUAA4GBAHpvcKqY48X9WsqogV16L+zT7iXhZ4tySA9EBk1a+0gud/iDPKSBi7mK
+4rzphVfb4S207dVmTG+1WNpa6l3pTGML6XLElxqIu/kr7w4cF0rKvZxWPsBRqYjH
+5HrK8CrQ0+YvUHXiu7IaACLGvKXY4Tqa3HQyvEtzLWJ4HhOrGx8F
+-----END CERTIFICATE-----
diff --git a/testdata/ctrl_itr.tdir/bad_server.key b/testdata/ctrl_itr.tdir/bad_server.key
new file mode 100644
index 000000000000..0dbb134b5be7
--- /dev/null
+++ b/testdata/ctrl_itr.tdir/bad_server.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQC9hurNHBtB7QFEuPJOnCylUWUF2/US3v9yQQQXnstuXMQXRaq1
+1uviLmwaGurV9tngX59HITsBT74NQrtFKfEDLViLrm2arAM9Ozsn4tnv30HXPRDj
+UOc1M05Q7UzjaSrOv+TkPEqyhtUyaP1DYo0bcmbxtSkYc2ZEWCwhPklUwQIDAQAB
+AoGATjzZxN4ramWaNnJapJTX4U7eczK/0pB3xwSL2exVcjOdRzYdKH+WVIJxYb1m
+3/jNLFCNAeH356yxeevoPr73nG75YJ9I1ZWQWTnS3SDK6JD1+3pmAD0bQWFoitpf
+FoSH9H4X5gFB5vCZ99YVoYH1UXWPcgvUHwxz0voImt6lCKECQQD4YQ4A3M0+Ki8v
+Hl+5FKULnS0UtBkweCvkF/X1zZRjjYr6hLnqldFkkgTBKWe17pUXX0nwRMbP1YZX
+i+vDq5JNAkEAw1eYsmC0nVAMawo57N6LYavGv/n5u1cvpTpKDtn4cXH0Uqq13Kyu
+2FUTzan2NhCEK78UzbWaeewBJmxYda1+RQJAdShKk6uTAEyjnwUjv8h2JWlJN2fQ
+LeWxRlDrCruiz+aW9J4gl/99GoQpy/c83TshhjnDRZsbcDNWv/rXBZ/rTQJAFQva
+CtX6f7yBKgM3DHtJvyM3zbVMH9Ab9QxbsE/xwZ9KeKGl6Hm+eNZpxM3cFiUfaGs0
+/ZjkZOB1m0MvILaplQJAXC3PJ/E+87banGZRJl5qtS6/HoX5lH9TPkL8Essy7ANO
+2BT2OTQawD1A+VKIrQHXs085Of8tQUfrfHHt7s3Kqg==
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/ctrl_itr.tdir/bad_server.pem b/testdata/ctrl_itr.tdir/bad_server.pem
new file mode 100644
index 000000000000..983247ac73bd
--- /dev/null
+++ b/testdata/ctrl_itr.tdir/bad_server.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmzCCAQQCCQCDugnhq8B6LzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkyNjEyMjQ0M1oXDTI4MDYxMzEyMjQ0M1owEjEQMA4GA1UE
+AxMHdW5ib3VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvYbqzRwbQe0B
+RLjyTpwspVFlBdv1Et7/ckEEF57LblzEF0Wqtdbr4i5sGhrq1fbZ4F+fRyE7AU++
+DUK7RSnxAy1Yi65tmqwDPTs7J+LZ799B1z0Q41DnNTNOUO1M42kqzr/k5DxKsobV
+Mmj9Q2KNG3Jm8bUpGHNmRFgsIT5JVMECAwEAATANBgkqhkiG9w0BAQUFAAOBgQCy
+zGMW35/9xXoEWsuLFWUOaEKVq5DXuXtXbcMpDW6k2ELoraa305vh7Zwhj5JSqfcm
+O0xyqIzXvz/cYdyOTgEkdMDZ/EvQsxKTwvj6eA4614yB1r3Ju5eZd4Gpo6BHhSpu
+oqsrr0duJ+JOANTyaBplIxM1sjHbR4FGtmrFknBYBQ==
+-----END CERTIFICATE-----
diff --git a/testdata/ctrl_itr.tdir/ctrl_itr.conf b/testdata/ctrl_itr.tdir/ctrl_itr.conf
new file mode 100644
index 000000000000..8ee1dffb73eb
--- /dev/null
+++ b/testdata/ctrl_itr.tdir/ctrl_itr.conf
@@ -0,0 +1,26 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+	# disabled validator
+	module-config: "iterator"
+remote-control:
+	control-enable: yes
+	control-interface: 127.0.0.1
+	# control-interface: ::1
+	control-port: @CONTROL_PORT@
+	server-key-file: "unbound_server.key"
+	server-cert-file: "unbound_server.pem"
+	control-key-file: "unbound_control.key"
+	control-cert-file: "unbound_control.pem"
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
diff --git a/testdata/ctrl_itr.tdir/ctrl_itr.dsc b/testdata/ctrl_itr.tdir/ctrl_itr.dsc
new file mode 100644
index 000000000000..246ae60d3572
--- /dev/null
+++ b/testdata/ctrl_itr.tdir/ctrl_itr.dsc
@@ -0,0 +1,16 @@
+BaseName: ctrl_itr
+Version: 1.0
+Description: iterator only test unbound-control
+CreationDate: Thu Jan 16 14:08:12 CET 2014
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: ctrl_itr.pre
+Post: ctrl_itr.post
+Test: ctrl_itr.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/ctrl_itr.tdir/ctrl_itr.post b/testdata/ctrl_itr.tdir/ctrl_itr.post
new file mode 100644
index 000000000000..6c6d35d4a3e2
--- /dev/null
+++ b/testdata/ctrl_itr.tdir/ctrl_itr.post
@@ -0,0 +1,13 @@
+# #-- ctrl_itr.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+# it was stopped with unbound-control (if the test succeeded)
+kill $UNBOUND_PID >/dev/null 2>&1
+kill $UNBOUND_PID >/dev/null 2>&1
+exit 0
diff --git a/testdata/ctrl_itr.tdir/ctrl_itr.pre b/testdata/ctrl_itr.tdir/ctrl_itr.pre
new file mode 100644
index 000000000000..0ce1b653a460
--- /dev/null
+++ b/testdata/ctrl_itr.tdir/ctrl_itr.pre
@@ -0,0 +1,33 @@
+# #-- ctrl_itr.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 3
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+CONTROL_PORT=$(($RND_PORT + 2))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT ctrl_itr.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < ctrl_itr.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/ctrl_itr.tdir/ctrl_itr.test b/testdata/ctrl_itr.tdir/ctrl_itr.test
new file mode 100644
index 000000000000..dadd365826d3
--- /dev/null
+++ b/testdata/ctrl_itr.tdir/ctrl_itr.test
@@ -0,0 +1,39 @@
+# #-- ctrl_itr.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+
+# exit value is 1 on usage
+$PRE/unbound-control -c ub.conf forward_add +i bla bla
+if test $? -ne 0; then
+	echo "wrong exit value."
+	cat fwd.log 
+	cat unbound.log
+	exit 1
+else
+	echo "exit value: OK"
+fi
+
+
+# test if the server is up.
+echo "> dig www.example.com."
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> OK"
+exit 0
diff --git a/testdata/ctrl_itr.tdir/ctrl_itr.testns b/testdata/ctrl_itr.tdir/ctrl_itr.testns
new file mode 100644
index 000000000000..0c911ca5b30e
--- /dev/null
+++ b/testdata/ctrl_itr.tdir/ctrl_itr.testns
@@ -0,0 +1,22 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA SERVFAIL
+ADJUST copy_id
+SECTION QUESTION
+www.example.net.	IN	A
+ENTRY_END
+
diff --git a/testdata/ctrl_itr.tdir/unbound_control.key b/testdata/ctrl_itr.tdir/unbound_control.key
new file mode 100644
index 000000000000..d7c43a06bb58
--- /dev/null
+++ b/testdata/ctrl_itr.tdir/unbound_control.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDD6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBa
+rzPA0vlyuNtUsEN3qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvH
+ST6JwUdIg0Lzg/USJ81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQAB
+AoGAFT3e35MIgI4uDJJ8X0RfHp2NCO2LUg4TKbWical/C0W9vlR1/x80G1pE1d2Z
+WotqJVWTrOq6eBox19RCgtLg2wPGk9uD62+9SDT37heWFlUCElWq50pQG6k9ThiG
+DDypkZyZ/52+DdWybiaQJkuK6O5qQXuNAtVJMpghu4GnHAECQQDsupnZUQDpapzr
+4FC4MSkL2+A1PRt6g4VhwoqOpJXaHfVnH6F7AwUuOLNwGdR5Cvv70pfJ7Jqg8L2m
+Kxyl5bORAkEA09rn34YQ0pHJdHidbl2kInIuYTz09+TO3LWwan17nISH9aaYvVDr
+p9x1B4Qzw9qyxT9oll7ze/5Rw/7C3AQj4QJAT2B2a+b8bkgAXBs4FbruL3rHoDJg
+P2FQXSpVOWU4lg2LlsuFYvDtUMVUbZdLplanjZXcral3Y9W1Ub2M+ped8QJAYQN+
+aRpge7ys7vwIw7B36Bo3aOncF+ScYe+FkM5Tm7II/JHEofT7ZQwMP1vnxIlSkgbe
+YvWqNB6a3NC99LikoQJBAM4UhDdRg63Tr6Idky6CQaH///zAN7nArJfffKGWFdw9
+DKrWpNqvYZtX/cfEJucKcRCm5YL8CKFYbQy4VoCxUcE=
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/ctrl_itr.tdir/unbound_control.pem b/testdata/ctrl_itr.tdir/unbound_control.pem
new file mode 100644
index 000000000000..8f1ba87f1cdd
--- /dev/null
+++ b/testdata/ctrl_itr.tdir/unbound_control.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBozCCAQwCCQD6XaN6FzW/4DANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowGjEYMBYGA1UE
+AxMPdW5ib3VuZC1jb250cm9sMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD
+6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBarzPA0vlyuNtUsEN3
+qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvHST6JwUdIg0Lzg/US
+J81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQABMA0GCSqGSIb3DQEB
+BQUAA4GBAGFAXmaQHuFgAuc6HVhYZJdToxLBhfxGpot4oZNjcb1Cdoz3OL34MU1B
+9E5psj2PpGPIi8/RwoqBtAJHJ+J5cWngo03o4ZmdwKNSzaxlp141z/3rUtFqEHEC
+iO6gPCT3U7dt6MyC7r6vdMqyW6aldP3CtwD0gQziKAMoj+TAfAcq
+-----END CERTIFICATE-----
diff --git a/testdata/ctrl_itr.tdir/unbound_server.key b/testdata/ctrl_itr.tdir/unbound_server.key
new file mode 100644
index 000000000000..4256c421dd0d
--- /dev/null
+++ b/testdata/ctrl_itr.tdir/unbound_server.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQC3F7Jsv2u01pLL9rFnjsMU/IaCFUIz/624DcaE84Z4gjMl5kWA
+3axQcqul1wlwSrbKwrony+d9hH/+MX0tZwvl8w3OmhmOAiaQ+SHCsIuOjVwQjX0s
+RLB61Pz5+PAiVvnPa9JIYB5QrK6DVEsxIHj8MOc5JKORrnESsFDh6yeMeQIDAQAB
+AoGAAuWoGBprTOA8UGfl5LqYkaNxSWumsYXxLMFjC8WCsjN1NbtQDDr1uAwodSZS
+6ujzvX+ZTHnofs7y64XC8k34HTOCD2zlW7kijWbT8YjRYFU6o9F5zUGD9RCan0ds
+sVscT2psLSzfdsmFAcbmnGdxYkXk2PC1FHtaqExxehralGUCQQDcqrg9uQKXlhQi
+XAaPr8SiWvtRm2a9IMMZkRfUWZclPHq6fCWNuUaCD+cTat4wAuqeknAz33VEosw3
+fXGsok//AkEA1GjIHXrOcSlpfVJb6NeOBugjRtZ7ZDT5gbtnMS9ob0qntKV6saaL
+CNmJwuD9Q3XkU5j1+uHvYGP2NzcJd2CjhwJACV0hNlVMe9w9fHvFN4Gw6WbM9ViP
+0oS6YrJafYNTu5vGZXVxLoNnL4u3NYa6aPUmuZXjNwBLfJ8f5VboZPf6RwJAINd2
+oYA8bSi/A755MX4qmozH74r4Fx1Nuq5UHTm8RwDe/0Javx8F/j9MWpJY9lZDEF3l
+In5OebPa/NyInSmW/wJAZuP9aRn0nDBkHYri++1A7NykMiJ/nH0mDECbnk+wxx0S
+LwqIetBhxb8eQwMg45+iAH7CHAMQ8BQuF/nFE6eotg==
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/ctrl_itr.tdir/unbound_server.pem b/testdata/ctrl_itr.tdir/unbound_server.pem
new file mode 100644
index 000000000000..aeda3ff11882
--- /dev/null
+++ b/testdata/ctrl_itr.tdir/unbound_server.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmzCCAQQCCQDsNJ1UmphEFzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowEjEQMA4GA1UE
+AxMHdW5ib3VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtxeybL9rtNaS
+y/axZ47DFPyGghVCM/+tuA3GhPOGeIIzJeZFgN2sUHKrpdcJcEq2ysK6J8vnfYR/
+/jF9LWcL5fMNzpoZjgImkPkhwrCLjo1cEI19LESwetT8+fjwIlb5z2vSSGAeUKyu
+g1RLMSB4/DDnOSSjka5xErBQ4esnjHkCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAZ
+9N0lnLENs4JMvPS+mn8C5m9bkkFITd32IiLjf0zgYpIUbFXH6XaEr9GNZBUG8feG
+l/6WRXnbnVSblI5odQ4XxGZ9inYY6qtW30uv76HvoKp+QZ1c3460ddR8NauhcCHH
+Z7S+QbLXi+r2JAhpPozZCjBHlRD0ixzA1mKQTJhJZg==
+-----END CERTIFICATE-----
diff --git a/testdata/ctrl_itr.tpkg b/testdata/ctrl_itr.tpkg
deleted file mode 100644
index dadf0a307c9f..000000000000
--- a/testdata/ctrl_itr.tpkg
+++ /dev/null
diff --git a/testdata/ctrl_pipe.tdir/._bad_control.key b/testdata/ctrl_pipe.tdir/._bad_control.key
new file mode 100644
index 000000000000..a2faa6f81771
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/._bad_control.key
diff --git a/testdata/ctrl_pipe.tdir/._bad_control.pem b/testdata/ctrl_pipe.tdir/._bad_control.pem
new file mode 100644
index 000000000000..2d09cd410113
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/._bad_control.pem
diff --git a/testdata/ctrl_pipe.tdir/._bad_server.key b/testdata/ctrl_pipe.tdir/._bad_server.key
new file mode 100644
index 000000000000..0a2ee41f724a
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/._bad_server.key
diff --git a/testdata/ctrl_pipe.tdir/._bad_server.pem b/testdata/ctrl_pipe.tdir/._bad_server.pem
new file mode 100644
index 000000000000..cf59a782f5b9
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/._bad_server.pem
diff --git a/testdata/ctrl_pipe.tdir/._ctrl_pipe.conf b/testdata/ctrl_pipe.tdir/._ctrl_pipe.conf
new file mode 100644
index 000000000000..e588caa9e75f
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/._ctrl_pipe.conf
diff --git a/testdata/ctrl_pipe.tdir/._ctrl_pipe.dsc b/testdata/ctrl_pipe.tdir/._ctrl_pipe.dsc
new file mode 100644
index 000000000000..e2ab56651f6a
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/._ctrl_pipe.dsc
diff --git a/testdata/ctrl_pipe.tdir/._ctrl_pipe.post b/testdata/ctrl_pipe.tdir/._ctrl_pipe.post
new file mode 100644
index 000000000000..d3208b6f365e
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/._ctrl_pipe.post
diff --git a/testdata/ctrl_pipe.tdir/._ctrl_pipe.pre b/testdata/ctrl_pipe.tdir/._ctrl_pipe.pre
new file mode 100644
index 000000000000..6e1c42c83888
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/._ctrl_pipe.pre
diff --git a/testdata/ctrl_pipe.tdir/._ctrl_pipe.test b/testdata/ctrl_pipe.tdir/._ctrl_pipe.test
new file mode 100644
index 000000000000..bc0ab5a70460
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/._ctrl_pipe.test
diff --git a/testdata/ctrl_pipe.tdir/._ctrl_pipe.testns b/testdata/ctrl_pipe.tdir/._ctrl_pipe.testns
new file mode 100644
index 000000000000..89263e353937
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/._ctrl_pipe.testns
diff --git a/testdata/ctrl_pipe.tdir/._unbound_control.key b/testdata/ctrl_pipe.tdir/._unbound_control.key
new file mode 100644
index 000000000000..474e6f1a3321
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/._unbound_control.key
diff --git a/testdata/ctrl_pipe.tdir/._unbound_control.pem b/testdata/ctrl_pipe.tdir/._unbound_control.pem
new file mode 100644
index 000000000000..6eafa2b1748d
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/._unbound_control.pem
diff --git a/testdata/ctrl_pipe.tdir/._unbound_server.key b/testdata/ctrl_pipe.tdir/._unbound_server.key
new file mode 100644
index 000000000000..9096da07aa24
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/._unbound_server.key
diff --git a/testdata/ctrl_pipe.tdir/._unbound_server.pem b/testdata/ctrl_pipe.tdir/._unbound_server.pem
new file mode 100644
index 000000000000..0bd1053ef994
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/._unbound_server.pem
diff --git a/testdata/ctrl_pipe.tdir/bad_control.key b/testdata/ctrl_pipe.tdir/bad_control.key
new file mode 100644
index 000000000000..d29cdbc91b37
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/bad_control.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDti51Z6qASvAjPFFhLLlq8BwtsnmfqMPMn57dKAghb4OifeL4G
+SLOE02/hKDkdkOvaUG2UqDNh2OoPTuJk4A+mG2LJoziFhHKlIebo9v2YiFWOBVtO
+DWc3tXPT1IlSEN0xnAGelMmeLcPeCPe+A5IDlIHzF/+YiDgS38S9dL17owIDAQAB
+AoGAG3w/DatfMCu/nS5OdQx9BSqPgNbnUSqux9xA0fhgPTlN0T3oRtPcqa7JUDUW
+PryI/a62ry+zGkw98N2AxolCZg3N7Z3vuRx2FMcKKNwpTzDmcZW7TmMk5FPof6gE
+PnYl/ff0w+kxqA+L2EexH3Xi6ApLSZcjyzKWj+dL2AuT9gkCQQD3dPitwITxgCAD
+IaHw23e3FRkM/hw1Gp8bt6nbuxitVxxpO96q1EQ+fCy/mf0bMEJDp3xzMEIfP3r4
+GmNbaxa1AkEA9b8LeBLbQ2cm2+UMeUgygBsRirdUQ786auqH38Jbvi/j6S9sDl2x
+q1vRtikEBZJWfkhsOzrzwFDKe1bI/EEn9wJAAzOwRA9JqRZPU7sLrWIpmmTbfh+L
+neRKSsGFoSI6n4ORCouLxgoZF/XjXldPvxpQwS9ZnOPy9xSLMsqknno0QQJAeDtA
+IT8Yh6GwIWWu9KeeDY8wxe1sDLlCm4yjbZZpzGMh3rSU6XJtuqjxsW3fydoO9zn3
+ugLdvvnIFxAexUwbgQJBANyM13xcObfUJOj9rjlGCh0CDh/04ONl8SH8HBnM8guA
+RJI5S6vBHweVRopEZcF1sQm6wMf3ej/sGkyyNvJxRkY=
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/ctrl_pipe.tdir/bad_control.pem b/testdata/ctrl_pipe.tdir/bad_control.pem
new file mode 100644
index 000000000000..e06b847208e3
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/bad_control.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBozCCAQwCCQDd5/rocjG5vDANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkyNjEyMjQ0NFoXDTI4MDYxMzEyMjQ0NFowGjEYMBYGA1UE
+AxMPdW5ib3VuZC1jb250cm9sMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDt
+i51Z6qASvAjPFFhLLlq8BwtsnmfqMPMn57dKAghb4OifeL4GSLOE02/hKDkdkOva
+UG2UqDNh2OoPTuJk4A+mG2LJoziFhHKlIebo9v2YiFWOBVtODWc3tXPT1IlSEN0x
+nAGelMmeLcPeCPe+A5IDlIHzF/+YiDgS38S9dL17owIDAQABMA0GCSqGSIb3DQEB
+BQUAA4GBAHpvcKqY48X9WsqogV16L+zT7iXhZ4tySA9EBk1a+0gud/iDPKSBi7mK
+4rzphVfb4S207dVmTG+1WNpa6l3pTGML6XLElxqIu/kr7w4cF0rKvZxWPsBRqYjH
+5HrK8CrQ0+YvUHXiu7IaACLGvKXY4Tqa3HQyvEtzLWJ4HhOrGx8F
+-----END CERTIFICATE-----
diff --git a/testdata/ctrl_pipe.tdir/bad_server.key b/testdata/ctrl_pipe.tdir/bad_server.key
new file mode 100644
index 000000000000..0dbb134b5be7
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/bad_server.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQC9hurNHBtB7QFEuPJOnCylUWUF2/US3v9yQQQXnstuXMQXRaq1
+1uviLmwaGurV9tngX59HITsBT74NQrtFKfEDLViLrm2arAM9Ozsn4tnv30HXPRDj
+UOc1M05Q7UzjaSrOv+TkPEqyhtUyaP1DYo0bcmbxtSkYc2ZEWCwhPklUwQIDAQAB
+AoGATjzZxN4ramWaNnJapJTX4U7eczK/0pB3xwSL2exVcjOdRzYdKH+WVIJxYb1m
+3/jNLFCNAeH356yxeevoPr73nG75YJ9I1ZWQWTnS3SDK6JD1+3pmAD0bQWFoitpf
+FoSH9H4X5gFB5vCZ99YVoYH1UXWPcgvUHwxz0voImt6lCKECQQD4YQ4A3M0+Ki8v
+Hl+5FKULnS0UtBkweCvkF/X1zZRjjYr6hLnqldFkkgTBKWe17pUXX0nwRMbP1YZX
+i+vDq5JNAkEAw1eYsmC0nVAMawo57N6LYavGv/n5u1cvpTpKDtn4cXH0Uqq13Kyu
+2FUTzan2NhCEK78UzbWaeewBJmxYda1+RQJAdShKk6uTAEyjnwUjv8h2JWlJN2fQ
+LeWxRlDrCruiz+aW9J4gl/99GoQpy/c83TshhjnDRZsbcDNWv/rXBZ/rTQJAFQva
+CtX6f7yBKgM3DHtJvyM3zbVMH9Ab9QxbsE/xwZ9KeKGl6Hm+eNZpxM3cFiUfaGs0
+/ZjkZOB1m0MvILaplQJAXC3PJ/E+87banGZRJl5qtS6/HoX5lH9TPkL8Essy7ANO
+2BT2OTQawD1A+VKIrQHXs085Of8tQUfrfHHt7s3Kqg==
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/ctrl_pipe.tdir/bad_server.pem b/testdata/ctrl_pipe.tdir/bad_server.pem
new file mode 100644
index 000000000000..983247ac73bd
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/bad_server.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmzCCAQQCCQCDugnhq8B6LzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkyNjEyMjQ0M1oXDTI4MDYxMzEyMjQ0M1owEjEQMA4GA1UE
+AxMHdW5ib3VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvYbqzRwbQe0B
+RLjyTpwspVFlBdv1Et7/ckEEF57LblzEF0Wqtdbr4i5sGhrq1fbZ4F+fRyE7AU++
+DUK7RSnxAy1Yi65tmqwDPTs7J+LZ799B1z0Q41DnNTNOUO1M42kqzr/k5DxKsobV
+Mmj9Q2KNG3Jm8bUpGHNmRFgsIT5JVMECAwEAATANBgkqhkiG9w0BAQUFAAOBgQCy
+zGMW35/9xXoEWsuLFWUOaEKVq5DXuXtXbcMpDW6k2ELoraa305vh7Zwhj5JSqfcm
+O0xyqIzXvz/cYdyOTgEkdMDZ/EvQsxKTwvj6eA4614yB1r3Ju5eZd4Gpo6BHhSpu
+oqsrr0duJ+JOANTyaBplIxM1sjHbR4FGtmrFknBYBQ==
+-----END CERTIFICATE-----
diff --git a/testdata/ctrl_pipe.tdir/ctrl_pipe.conf b/testdata/ctrl_pipe.tdir/ctrl_pipe.conf
new file mode 100644
index 000000000000..d7c68197ce53
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/ctrl_pipe.conf
@@ -0,0 +1,23 @@
+server:
+	verbosity: 4
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+remote-control:
+	control-enable: yes
+	control-interface: @PATH@/controlpipe.@PID@
+	control-use-cert: no
+	#server-key-file: "unbound_server.key"
+	#server-cert-file: "unbound_server.pem"
+	#control-key-file: "unbound_control.key"
+	#control-cert-file: "unbound_control.pem"
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
diff --git a/testdata/ctrl_pipe.tdir/ctrl_pipe.dsc b/testdata/ctrl_pipe.tdir/ctrl_pipe.dsc
new file mode 100644
index 000000000000..c618f1d67313
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/ctrl_pipe.dsc
@@ -0,0 +1,16 @@
+BaseName: ctrl_pipe
+Version: 1.0
+Description: unix pipe test unbound-control
+CreationDate: Fri 16 Jan 13:25:48 CET 2015
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: ctrl_pipe.pre
+Post: ctrl_pipe.post
+Test: ctrl_pipe.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/ctrl_pipe.tdir/ctrl_pipe.post b/testdata/ctrl_pipe.tdir/ctrl_pipe.post
new file mode 100644
index 000000000000..5e3cc6dacc52
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/ctrl_pipe.post
@@ -0,0 +1,15 @@
+# #-- ctrl_pipe.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+# it was stopped with unbound-control (if the test succeeded)
+kill $UNBOUND_PID >/dev/null 2>&1
+kill $UNBOUND_PID >/dev/null 2>&1
+
+rm -f $CONTROL_PATH/controlpipe.$CONTROL_PID
+exit 0
diff --git a/testdata/ctrl_pipe.tdir/ctrl_pipe.pre b/testdata/ctrl_pipe.tdir/ctrl_pipe.pre
new file mode 100644
index 000000000000..e9f2124b1880
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/ctrl_pipe.pre
@@ -0,0 +1,35 @@
+# #-- ctrl_pipe.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT ctrl_pipe.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+CONTROL_PATH=/tmp
+CONTROL_PID=$$
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's?@PATH\@?'$CONTROL_PATH'?' -e 's/@PID@/'$CONTROL_PID'/' < ctrl_pipe.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+echo "CONTROL_PATH=$CONTROL_PATH" >> .tpkg.var.test
+echo "CONTROL_PID=$CONTROL_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/ctrl_pipe.tdir/ctrl_pipe.test b/testdata/ctrl_pipe.tdir/ctrl_pipe.test
new file mode 100644
index 000000000000..70dfdcac47f0
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/ctrl_pipe.test
@@ -0,0 +1,61 @@
+# #-- ctrl_pipe.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+
+# exit value is 1 on usage
+$PRE/unbound-control -c ub.conf status
+if test $? -ne 0; then
+	echo "wrong exit value."
+	cat fwd.log 
+	cat unbound.log
+	exit 1
+else
+	echo "exit value: OK"
+fi
+$PRE/unbound-control -c ub.conf local_data froob.example.net A 192.0.2.1
+if test $? -ne 0; then
+	echo "wrong exit value."
+	cat fwd.log 
+	cat unbound.log
+	exit 1
+else
+	echo "exit value: OK"
+fi
+
+
+# test if the server is up.
+echo "> dig www.example.com."
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+echo "> dig froob.example.net."
+dig @127.0.0.1 -p $UNBOUND_PORT froob.example.net. | tee outfile
+echo "> check answer"
+if grep "192.0.2.1" outfile; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> OK"
+exit 0
diff --git a/testdata/ctrl_pipe.tdir/ctrl_pipe.testns b/testdata/ctrl_pipe.tdir/ctrl_pipe.testns
new file mode 100644
index 000000000000..0c911ca5b30e
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/ctrl_pipe.testns
@@ -0,0 +1,22 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA SERVFAIL
+ADJUST copy_id
+SECTION QUESTION
+www.example.net.	IN	A
+ENTRY_END
+
diff --git a/testdata/ctrl_pipe.tdir/unbound_control.key b/testdata/ctrl_pipe.tdir/unbound_control.key
new file mode 100644
index 000000000000..d7c43a06bb58
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/unbound_control.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDD6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBa
+rzPA0vlyuNtUsEN3qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvH
+ST6JwUdIg0Lzg/USJ81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQAB
+AoGAFT3e35MIgI4uDJJ8X0RfHp2NCO2LUg4TKbWical/C0W9vlR1/x80G1pE1d2Z
+WotqJVWTrOq6eBox19RCgtLg2wPGk9uD62+9SDT37heWFlUCElWq50pQG6k9ThiG
+DDypkZyZ/52+DdWybiaQJkuK6O5qQXuNAtVJMpghu4GnHAECQQDsupnZUQDpapzr
+4FC4MSkL2+A1PRt6g4VhwoqOpJXaHfVnH6F7AwUuOLNwGdR5Cvv70pfJ7Jqg8L2m
+Kxyl5bORAkEA09rn34YQ0pHJdHidbl2kInIuYTz09+TO3LWwan17nISH9aaYvVDr
+p9x1B4Qzw9qyxT9oll7ze/5Rw/7C3AQj4QJAT2B2a+b8bkgAXBs4FbruL3rHoDJg
+P2FQXSpVOWU4lg2LlsuFYvDtUMVUbZdLplanjZXcral3Y9W1Ub2M+ped8QJAYQN+
+aRpge7ys7vwIw7B36Bo3aOncF+ScYe+FkM5Tm7II/JHEofT7ZQwMP1vnxIlSkgbe
+YvWqNB6a3NC99LikoQJBAM4UhDdRg63Tr6Idky6CQaH///zAN7nArJfffKGWFdw9
+DKrWpNqvYZtX/cfEJucKcRCm5YL8CKFYbQy4VoCxUcE=
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/ctrl_pipe.tdir/unbound_control.pem b/testdata/ctrl_pipe.tdir/unbound_control.pem
new file mode 100644
index 000000000000..8f1ba87f1cdd
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/unbound_control.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBozCCAQwCCQD6XaN6FzW/4DANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowGjEYMBYGA1UE
+AxMPdW5ib3VuZC1jb250cm9sMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD
+6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBarzPA0vlyuNtUsEN3
+qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvHST6JwUdIg0Lzg/US
+J81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQABMA0GCSqGSIb3DQEB
+BQUAA4GBAGFAXmaQHuFgAuc6HVhYZJdToxLBhfxGpot4oZNjcb1Cdoz3OL34MU1B
+9E5psj2PpGPIi8/RwoqBtAJHJ+J5cWngo03o4ZmdwKNSzaxlp141z/3rUtFqEHEC
+iO6gPCT3U7dt6MyC7r6vdMqyW6aldP3CtwD0gQziKAMoj+TAfAcq
+-----END CERTIFICATE-----
diff --git a/testdata/ctrl_pipe.tdir/unbound_server.key b/testdata/ctrl_pipe.tdir/unbound_server.key
new file mode 100644
index 000000000000..4256c421dd0d
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/unbound_server.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQC3F7Jsv2u01pLL9rFnjsMU/IaCFUIz/624DcaE84Z4gjMl5kWA
+3axQcqul1wlwSrbKwrony+d9hH/+MX0tZwvl8w3OmhmOAiaQ+SHCsIuOjVwQjX0s
+RLB61Pz5+PAiVvnPa9JIYB5QrK6DVEsxIHj8MOc5JKORrnESsFDh6yeMeQIDAQAB
+AoGAAuWoGBprTOA8UGfl5LqYkaNxSWumsYXxLMFjC8WCsjN1NbtQDDr1uAwodSZS
+6ujzvX+ZTHnofs7y64XC8k34HTOCD2zlW7kijWbT8YjRYFU6o9F5zUGD9RCan0ds
+sVscT2psLSzfdsmFAcbmnGdxYkXk2PC1FHtaqExxehralGUCQQDcqrg9uQKXlhQi
+XAaPr8SiWvtRm2a9IMMZkRfUWZclPHq6fCWNuUaCD+cTat4wAuqeknAz33VEosw3
+fXGsok//AkEA1GjIHXrOcSlpfVJb6NeOBugjRtZ7ZDT5gbtnMS9ob0qntKV6saaL
+CNmJwuD9Q3XkU5j1+uHvYGP2NzcJd2CjhwJACV0hNlVMe9w9fHvFN4Gw6WbM9ViP
+0oS6YrJafYNTu5vGZXVxLoNnL4u3NYa6aPUmuZXjNwBLfJ8f5VboZPf6RwJAINd2
+oYA8bSi/A755MX4qmozH74r4Fx1Nuq5UHTm8RwDe/0Javx8F/j9MWpJY9lZDEF3l
+In5OebPa/NyInSmW/wJAZuP9aRn0nDBkHYri++1A7NykMiJ/nH0mDECbnk+wxx0S
+LwqIetBhxb8eQwMg45+iAH7CHAMQ8BQuF/nFE6eotg==
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/ctrl_pipe.tdir/unbound_server.pem b/testdata/ctrl_pipe.tdir/unbound_server.pem
new file mode 100644
index 000000000000..aeda3ff11882
--- /dev/null
+++ b/testdata/ctrl_pipe.tdir/unbound_server.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmzCCAQQCCQDsNJ1UmphEFzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowEjEQMA4GA1UE
+AxMHdW5ib3VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtxeybL9rtNaS
+y/axZ47DFPyGghVCM/+tuA3GhPOGeIIzJeZFgN2sUHKrpdcJcEq2ysK6J8vnfYR/
+/jF9LWcL5fMNzpoZjgImkPkhwrCLjo1cEI19LESwetT8+fjwIlb5z2vSSGAeUKyu
+g1RLMSB4/DDnOSSjka5xErBQ4esnjHkCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAZ
+9N0lnLENs4JMvPS+mn8C5m9bkkFITd32IiLjf0zgYpIUbFXH6XaEr9GNZBUG8feG
+l/6WRXnbnVSblI5odQ4XxGZ9inYY6qtW30uv76HvoKp+QZ1c3460ddR8NauhcCHH
+Z7S+QbLXi+r2JAhpPozZCjBHlRD0ixzA1mKQTJhJZg==
+-----END CERTIFICATE-----
diff --git a/testdata/ctrl_pipe.tpkg b/testdata/ctrl_pipe.tpkg
deleted file mode 100644
index 877fcf9010d9..000000000000
--- a/testdata/ctrl_pipe.tpkg
+++ /dev/null
diff --git a/testdata/dnscrypt_cert.tdir/1.cert b/testdata/dnscrypt_cert.tdir/1.cert
new file mode 100644
index 000000000000..fbc529bfa3ab
--- /dev/null
+++ b/testdata/dnscrypt_cert.tdir/1.cert
diff --git a/testdata/dnscrypt_cert.tdir/1.key b/testdata/dnscrypt_cert.tdir/1.key
new file mode 100644
index 000000000000..165262c86e53
--- /dev/null
+++ b/testdata/dnscrypt_cert.tdir/1.key
@@ -0,0 +1 @@
+®öÝìK¬‡#‘€4ùsŽ	pèÖôÁæÀx!¹»AŠ"mM
\ No newline at end of file
diff --git a/testdata/dnscrypt_cert.tdir/1_chacha.cert b/testdata/dnscrypt_cert.tdir/1_chacha.cert
new file mode 100644
index 000000000000..3da5c612d060
--- /dev/null
+++ b/testdata/dnscrypt_cert.tdir/1_chacha.cert
diff --git a/testdata/dnscrypt_cert.tdir/1_salsa.cert b/testdata/dnscrypt_cert.tdir/1_salsa.cert
new file mode 100644
index 000000000000..17e447fc339b
--- /dev/null
+++ b/testdata/dnscrypt_cert.tdir/1_salsa.cert
diff --git a/testdata/dnscrypt_cert.tdir/2.cert b/testdata/dnscrypt_cert.tdir/2.cert
new file mode 100644
index 000000000000..ebf8ac108d14
--- /dev/null
+++ b/testdata/dnscrypt_cert.tdir/2.cert
diff --git a/testdata/dnscrypt_cert.tdir/2.key b/testdata/dnscrypt_cert.tdir/2.key
new file mode 100644
index 000000000000..c299f550ae95
--- /dev/null
+++ b/testdata/dnscrypt_cert.tdir/2.key
@@ -0,0 +1 @@
+m7Ÿñâƒx;‘%׸õ�é*•ÜR¯äÓ¯¹mDªñ
\ No newline at end of file
diff --git a/testdata/dnscrypt_cert.tdir/2_chacha.cert b/testdata/dnscrypt_cert.tdir/2_chacha.cert
new file mode 100644
index 000000000000..ed4ec26065a6
--- /dev/null
+++ b/testdata/dnscrypt_cert.tdir/2_chacha.cert
diff --git a/testdata/dnscrypt_cert.tdir/2_salsa.cert b/testdata/dnscrypt_cert.tdir/2_salsa.cert
new file mode 100644
index 000000000000..6e71fe97864d
--- /dev/null
+++ b/testdata/dnscrypt_cert.tdir/2_salsa.cert
diff --git a/testdata/dnscrypt_cert.tdir/dnscrypt_cert.conf b/testdata/dnscrypt_cert.tdir/dnscrypt_cert.conf
new file mode 100644
index 000000000000..355d4ff13595
--- /dev/null
+++ b/testdata/dnscrypt_cert.tdir/dnscrypt_cert.conf
@@ -0,0 +1,26 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	port: @PORT@
+    interface: 0.0.0.0
+    interface: 0.0.0.0@@DNSCRYPT_PORT@
+	use-syslog: no
+	directory: .
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
+dnscrypt:
+    dnscrypt-enable: yes
+    dnscrypt-port: @DNSCRYPT_PORT@
+    dnscrypt-provider: 2.dnscrypt-cert.example.com.
+    dnscrypt-secret-key: 1.key
+    dnscrypt-secret-key: 2.key
+    dnscrypt-provider-cert: 1_salsa.cert
+    dnscrypt-provider-cert: 2_salsa.cert
+
diff --git a/testdata/dnscrypt_cert.tdir/dnscrypt_cert.dsc b/testdata/dnscrypt_cert.tdir/dnscrypt_cert.dsc
new file mode 100644
index 000000000000..f0ec882f2b84
--- /dev/null
+++ b/testdata/dnscrypt_cert.tdir/dnscrypt_cert.dsc
@@ -0,0 +1,16 @@
+BaseName: dnscrypt_cert
+Version: 1.0
+Description: dnscrypt cert retrieval.
+CreationDate: Fri Mar 03 10:08:08 CEST 2017
+Maintainer: Emmanuel Bretelle
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: dnscrypt_cert.pre
+Post: dnscrypt_cert.post
+Test: dnscrypt_cert.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/dnscrypt_cert.tdir/dnscrypt_cert.post b/testdata/dnscrypt_cert.tdir/dnscrypt_cert.post
new file mode 100644
index 000000000000..0346d3f84a61
--- /dev/null
+++ b/testdata/dnscrypt_cert.tdir/dnscrypt_cert.post
@@ -0,0 +1,16 @@
+# #-- dnscrypt_cert.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+PRE="../.."
+. ../common.sh
+
+# Check if we can run the test.
+. ./precheck.sh
+
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
+
diff --git a/testdata/dnscrypt_cert.tdir/dnscrypt_cert.pre b/testdata/dnscrypt_cert.tdir/dnscrypt_cert.pre
new file mode 100644
index 000000000000..bee9e8ac63ca
--- /dev/null
+++ b/testdata/dnscrypt_cert.tdir/dnscrypt_cert.pre
@@ -0,0 +1,38 @@
+# #-- dnscrypt_cert.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+
+# Check if we can run the test.
+. ./precheck.sh
+
+get_random_port 3
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+DNSCRYPT_PORT=$(($RND_PORT + 2))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+echo "DNSCRYPT_PORT=$DNSCRYPT_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT dnscrypt_cert.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' \
+    -e 's/@DNSCRYPT_PORT\@/'$DNSCRYPT_PORT'/' < dnscrypt_cert.conf > ub.conf
+# start unbound in the background
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/dnscrypt_cert.tdir/dnscrypt_cert.test b/testdata/dnscrypt_cert.tdir/dnscrypt_cert.test
new file mode 100644
index 000000000000..f09753792696
--- /dev/null
+++ b/testdata/dnscrypt_cert.tdir/dnscrypt_cert.test
@@ -0,0 +1,108 @@
+# #-- dnscrypt_cert.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+
+# Check if we can run the test.
+. ./precheck.sh
+
+# do the test
+
+# Query plain request over DNSCrypt channel get closed
+# We use TCP to avoid hanging on waiting for UDP.
+# We expect `outfile` to contain no DNS payload
+echo "> dig TCP www.example.com. DNSCrypt port"
+dig +tcp @127.0.0.1 -p $DNSCRYPT_PORT www.example.com. A | tee outfile
+echo "> cat logfiles"
+cat fwd.log
+cat unbound.log
+echo "> check answer"
+if grep "QUESTION SECTION" outfile; then
+	echo "NOK"
+	exit 1
+else
+	echo "OK"
+fi
+
+
+# Plaintext query on unbound port works correctly.
+echo "> dig www.example.com."
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. A | tee outfile
+echo "> cat logfiles"
+cat fwd.log
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.42" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+# Plaintext query on unbound port works correctly with TCP.
+echo "> dig TCP www.example.com."
+dig +tcp @127.0.0.1 -p $UNBOUND_PORT www.example.com. A | tee outfile
+echo "> cat logfiles"
+cat fwd.log
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.42" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+for opt in '' '+tcp'
+do
+    # Plaintext query on dnscrypt port returns cert when asking for providername/TXT.
+    # Check that it returns 1.cert.
+    echo "> dig TXT 2.dnscrypt-cert.example.com. 1_salsa.CERT. DNSCrypt plaintext ${opt}"
+    dig ${opt} @127.0.0.1 -p $DNSCRYPT_PORT 2.dnscrypt-cert.example.com. TXT | tee outfile
+    echo "> cat logfiles"
+    cat fwd.log
+    cat unbound.log
+    echo "> check answer"
+    if grep -F 'DNSC\000\001\000\000i\230\177hg\210 \172>\1438\247\174\154U\216\188\152\145y\000U\254\208\183qBQ\158\019S\189\180\150\013K\160\220\248\236\028`\131\174\214!\017Xk\202\152\189\026T\224\180)'"'"'9u\026\143\004\002\195\027\1912\203\176D\016\180e\198h\136{\216s;Sd2^\154\225\005<\016C\205+S\219A\195\027\1912\203\176D\016Y\160\203\009Y\160\203\009u\210\207\137' outfile; then
+        echo "OK"
+    else
+        echo "Not OK"
+        exit 1
+    fi
+
+    # Plaintext query on dnscrypt port returns cert when asking for providername/TXT.
+    # Check that it returns 2.cert.
+    echo "> dig TXT 2.dnscrypt-cert.example.com. 2_salsa.CERT. DNSCrypt plaintext ${opt}"
+    dig ${opt} @127.0.0.1 -p $DNSCRYPT_PORT 2.dnscrypt-cert.example.com. TXT | tee outfile
+    echo "> cat logfiles"
+    cat fwd.log
+    cat unbound.log
+    echo "> check answer"
+    if grep -F 'DNSC\000\001\000\000AX\031\201\243\201LI<-\146]LU\247LY\2376\014K\194$D\151&\008\236\008\220\143We\029\227\030\233\015[4\\\146\174\166`{}\161W\209\228\215\002\205|\207*\011\162$\175\210[\006\245\243W\191\189Z\216\210x\025\204\247\173\227t\138\018\162~\152\253\211\031z\\\002m5\008\254\2244\245\243W\191\189Z\216\210Y\160\203\009Y\160\203\009u\210\207\137' outfile; then
+        echo "OK"
+    else
+        echo "NOK"
+        exit 1
+    fi
+
+    # Certificates are local-data for unbound. We can also retrieve them from unbound
+    # port.
+    echo "> dig TXT 2.dnscrypt-cert.example.com. 1_salsa.CERT. Unbound ${opt}"
+    dig ${opt} @127.0.0.1 -p $UNBOUND_PORT 2.dnscrypt-cert.example.com. TXT | tee outfile
+    echo "> cat logfiles"
+    cat fwd.log
+    cat unbound.log
+    echo "> check answer"
+    if grep -F 'DNSC\000\001\000\000i\230\177hg\210 \172>\1438\247\174\154U\216\188\152\145y\000U\254\208\183qBQ\158\019S\189\180\150\013K\160\220\248\236\028`\131\174\214!\017Xk\202\152\189\026T\224\180)'"'"'9u\026\143\004\002\195\027\1912\203\176D\016\180e\198h\136{\216s;Sd2^\154\225\005<\016C\205+S\219A\195\027\1912\203\176D\016Y\160\203\009Y\160\203\009u\210\207\137' outfile; then
+        echo "OK"
+    else
+        echo "Not OK"
+        exit 1
+    fi
+done
+
+exit 0
diff --git a/testdata/dnscrypt_cert.tdir/dnscrypt_cert.testns b/testdata/dnscrypt_cert.tdir/dnscrypt_cert.testns
new file mode 100644
index 000000000000..0af820e01deb
--- /dev/null
+++ b/testdata/dnscrypt_cert.tdir/dnscrypt_cert.testns
@@ -0,0 +1,26 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname UDP
+REPLY QR AA TC NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname TCP
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+www	IN	A	10.20.30.41
+www	IN	A	10.20.30.42
+ENTRY_END
+
diff --git a/testdata/dnscrypt_cert.tdir/precheck.sh b/testdata/dnscrypt_cert.tdir/precheck.sh
new file mode 100644
index 000000000000..00fa4bc76067
--- /dev/null
+++ b/testdata/dnscrypt_cert.tdir/precheck.sh
@@ -0,0 +1,16 @@
+# dnscrypt precheck.sh
+
+# if no dnscrypt; exit
+if grep "define USE_DNSCRYPT 1" $PRE/config.h; then
+        echo "have dnscrypt"
+else
+        echo "no dnscrypt"
+        exit 0
+fi
+
+# if no xchacha20 support in unbound; exit
+if grep "define USE_DNSCRYPT_XCHACHA20 1" $PRE/config.h; then
+        xchacha20=1
+else
+        xchacha20=0
+fi
diff --git a/testdata/dnscrypt_cert.tpkg b/testdata/dnscrypt_cert.tpkg
deleted file mode 100644
index 4263b9347e08..000000000000
--- a/testdata/dnscrypt_cert.tpkg
+++ /dev/null
diff --git a/testdata/dnscrypt_cert_chacha.tdir/1.cert b/testdata/dnscrypt_cert_chacha.tdir/1.cert
new file mode 100644
index 000000000000..fbc529bfa3ab
--- /dev/null
+++ b/testdata/dnscrypt_cert_chacha.tdir/1.cert
diff --git a/testdata/dnscrypt_cert_chacha.tdir/1.key b/testdata/dnscrypt_cert_chacha.tdir/1.key
new file mode 100644
index 000000000000..165262c86e53
--- /dev/null
+++ b/testdata/dnscrypt_cert_chacha.tdir/1.key
@@ -0,0 +1 @@
+®öÝìK¬‡#‘€4ùsŽ	pèÖôÁæÀx!¹»AŠ"mM
\ No newline at end of file
diff --git a/testdata/dnscrypt_cert_chacha.tdir/1_chacha.cert b/testdata/dnscrypt_cert_chacha.tdir/1_chacha.cert
new file mode 100644
index 000000000000..3da5c612d060
--- /dev/null
+++ b/testdata/dnscrypt_cert_chacha.tdir/1_chacha.cert
diff --git a/testdata/dnscrypt_cert_chacha.tdir/1_salsa.cert b/testdata/dnscrypt_cert_chacha.tdir/1_salsa.cert
new file mode 100644
index 000000000000..17e447fc339b
--- /dev/null
+++ b/testdata/dnscrypt_cert_chacha.tdir/1_salsa.cert
diff --git a/testdata/dnscrypt_cert_chacha.tdir/2.cert b/testdata/dnscrypt_cert_chacha.tdir/2.cert
new file mode 100644
index 000000000000..ebf8ac108d14
--- /dev/null
+++ b/testdata/dnscrypt_cert_chacha.tdir/2.cert
diff --git a/testdata/dnscrypt_cert_chacha.tdir/2.key b/testdata/dnscrypt_cert_chacha.tdir/2.key
new file mode 100644
index 000000000000..c299f550ae95
--- /dev/null
+++ b/testdata/dnscrypt_cert_chacha.tdir/2.key
@@ -0,0 +1 @@
+m7Ÿñâƒx;‘%׸õ�é*•ÜR¯äÓ¯¹mDªñ
\ No newline at end of file
diff --git a/testdata/dnscrypt_cert_chacha.tdir/2_chacha.cert b/testdata/dnscrypt_cert_chacha.tdir/2_chacha.cert
new file mode 100644
index 000000000000..ed4ec26065a6
--- /dev/null
+++ b/testdata/dnscrypt_cert_chacha.tdir/2_chacha.cert
diff --git a/testdata/dnscrypt_cert_chacha.tdir/2_salsa.cert b/testdata/dnscrypt_cert_chacha.tdir/2_salsa.cert
new file mode 100644
index 000000000000..6e71fe97864d
--- /dev/null
+++ b/testdata/dnscrypt_cert_chacha.tdir/2_salsa.cert
diff --git a/testdata/dnscrypt_cert_chacha.tdir/dnscrypt_cert_chacha.conf b/testdata/dnscrypt_cert_chacha.tdir/dnscrypt_cert_chacha.conf
new file mode 100644
index 000000000000..44b0ca880c6b
--- /dev/null
+++ b/testdata/dnscrypt_cert_chacha.tdir/dnscrypt_cert_chacha.conf
@@ -0,0 +1,27 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	port: @PORT@
+    interface: 0.0.0.0
+    interface: 0.0.0.0@@DNSCRYPT_PORT@
+	use-syslog: no
+	directory: .
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
+dnscrypt:
+    dnscrypt-enable: yes
+    dnscrypt-port: @DNSCRYPT_PORT@
+    dnscrypt-provider: 2.dnscrypt-cert.example.com.
+    dnscrypt-secret-key: 1.key
+    dnscrypt-secret-key: 2.key
+    dnscrypt-provider-cert: 1_salsa.cert
+    dnscrypt-provider-cert: 2_chacha.cert
+    dnscrypt-provider-cert: 2_salsa.cert
+
diff --git a/testdata/dnscrypt_cert_chacha.tdir/dnscrypt_cert_chacha.dsc b/testdata/dnscrypt_cert_chacha.tdir/dnscrypt_cert_chacha.dsc
new file mode 100644
index 000000000000..a5ed1da0da2d
--- /dev/null
+++ b/testdata/dnscrypt_cert_chacha.tdir/dnscrypt_cert_chacha.dsc
@@ -0,0 +1,16 @@
+BaseName: dnscrypt_cert_chacha
+Version: 1.0
+Description: dnscrypt cert retrieval.
+CreationDate: Fri Mar 03 10:08:08 CEST 2017
+Maintainer: Emmanuel Bretelle
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: dnscrypt_cert_chacha.pre
+Post: dnscrypt_cert_chacha.post
+Test: dnscrypt_cert_chacha.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/dnscrypt_cert_chacha.tdir/dnscrypt_cert_chacha.post b/testdata/dnscrypt_cert_chacha.tdir/dnscrypt_cert_chacha.post
new file mode 100644
index 000000000000..54337df67d55
--- /dev/null
+++ b/testdata/dnscrypt_cert_chacha.tdir/dnscrypt_cert_chacha.post
@@ -0,0 +1,17 @@
+# #-- dnscrypt_cert_chacha.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+PRE="../.."
+. ../common.sh
+
+# Check if we can run the test.
+. ./precheck.sh
+
+kill_pid $FWD_PID
+if [ $xchacha20 -ne 0 ]; then
+    kill_pid $UNBOUND_PID
+fi
diff --git a/testdata/dnscrypt_cert_chacha.tdir/dnscrypt_cert_chacha.pre b/testdata/dnscrypt_cert_chacha.tdir/dnscrypt_cert_chacha.pre
new file mode 100644
index 000000000000..c77290a8ab7d
--- /dev/null
+++ b/testdata/dnscrypt_cert_chacha.tdir/dnscrypt_cert_chacha.pre
@@ -0,0 +1,43 @@
+# #-- dnscrypt_cert_chacha.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+
+# Check if we can run the test.
+. ./precheck.sh
+
+get_random_port 3
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+DNSCRYPT_PORT=$(($RND_PORT + 2))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+echo "DNSCRYPT_PORT=$DNSCRYPT_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT dnscrypt_cert_chacha.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' \
+    -e 's/@DNSCRYPT_PORT\@/'$DNSCRYPT_PORT'/' < dnscrypt_cert_chacha.conf > ub.conf
+# start unbound in the background
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+if [ $xchacha20 -eq 0 ]; then
+    # no xchacha20 support, we expect unbound to exit with an error message.
+    wait_server_up unbound.log "Certificate for XChacha20 but libsodium does not support it"
+else
+    wait_unbound_up unbound.log
+fi
+
diff --git a/testdata/dnscrypt_cert_chacha.tdir/dnscrypt_cert_chacha.test b/testdata/dnscrypt_cert_chacha.tdir/dnscrypt_cert_chacha.test
new file mode 100644
index 000000000000..4ef6942be6fb
--- /dev/null
+++ b/testdata/dnscrypt_cert_chacha.tdir/dnscrypt_cert_chacha.test
@@ -0,0 +1,130 @@
+# #-- dnscrypt_cert_chacha.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+# Check if we can run the test.
+. ./precheck.sh
+
+# do the test
+
+if [ $xchacha20 -eq 0 ]; then
+    # Unbound would exit before we can attempt any tests.
+    echo "OK"
+    exit 0
+fi
+
+# Query plain request over DNSCrypt channel get closed
+# We use TCP to avoid hanging on waiting for UDP.
+# We expect `outfile` to contain no DNS payload
+echo "> dig TCP www.example.com. DNSCrypt port"
+dig +tcp @127.0.0.1 -p $DNSCRYPT_PORT www.example.com. A | tee outfile
+echo "> cat logfiles"
+cat fwd.log
+cat unbound.log
+echo "> check answer"
+if grep "QUESTION SECTION" outfile; then
+	echo "NOK"
+	exit 1
+else
+	echo "OK"
+fi
+
+
+# Plaintext query on unbound port works correctly.
+echo "> dig www.example.com."
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. A | tee outfile
+echo "> cat logfiles"
+cat fwd.log
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.42" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+# Plaintext query on unbound port works correctly with TCP.
+echo "> dig TCP www.example.com."
+dig +tcp @127.0.0.1 -p $UNBOUND_PORT www.example.com. A | tee outfile
+echo "> cat logfiles"
+cat fwd.log
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.42" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+for opt in '' '+tcp'
+do
+    # Plaintext query on dnscrypt port returns cert when asking for providername/TXT.
+    # Check that it returns 1.cert.
+    echo "> dig TXT 2.dnscrypt-cert.example.com. 1_salsa.CERT. DNSCrypt plaintext ${opt}"
+    dig ${opt} @127.0.0.1 -p $DNSCRYPT_PORT 2.dnscrypt-cert.example.com. TXT | tee outfile
+    echo "> cat logfiles"
+    cat fwd.log
+    cat unbound.log
+    echo "> check answer"
+    if grep -F 'DNSC\000\001\000\000i\230\177hg\210 \172>\1438\247\174\154U\216\188\152\145y\000U\254\208\183qBQ\158\019S\189\180\150\013K\160\220\248\236\028`\131\174\214!\017Xk\202\152\189\026T\224\180)'"'"'9u\026\143\004\002\195\027\1912\203\176D\016\180e\198h\136{\216s;Sd2^\154\225\005<\016C\205+S\219A\195\027\1912\203\176D\016Y\160\203\009Y\160\203\009u\210\207\137' outfile; then
+        echo "OK"
+    else
+        echo "Not OK"
+        exit 1
+    fi
+
+    # Plaintext query on dnscrypt port returns cert when asking for providername/TXT.
+    # Check that it returns 2.cert.
+    echo "> dig TXT 2.dnscrypt-cert.example.com. 2_salsa.CERT. DNSCrypt plaintext ${opt}"
+    dig ${opt} @127.0.0.1 -p $DNSCRYPT_PORT 2.dnscrypt-cert.example.com. TXT | tee outfile
+    echo "> cat logfiles"
+    cat fwd.log
+    cat unbound.log
+    echo "> check answer"
+    if grep -F 'DNSC\000\001\000\000AX\031\201\243\201LI<-\146]LU\247LY\2376\014K\194$D\151&\008\236\008\220\143We\029\227\030\233\015[4\\\146\174\166`{}\161W\209\228\215\002\205|\207*\011\162$\175\210[\006\245\243W\191\189Z\216\210x\025\204\247\173\227t\138\018\162~\152\253\211\031z\\\002m5\008\254\2244\245\243W\191\189Z\216\210Y\160\203\009Y\160\203\009u\210\207\137' outfile; then
+        echo "OK"
+    else
+        echo "NOK"
+        exit 1
+    fi
+
+    # Plaintext query on dnscrypt port returns cert when asking for providername/TXT.
+    # Check that it returns 2_chacha.cert
+    echo "> dig TXT 2.dnscrypt-cert.example.com. 2_CHACHA.CERT. DNSCrypt plaintext ${opt}"
+    dig ${opt} @127.0.0.1 -p $DNSCRYPT_PORT 2.dnscrypt-cert.example.com. TXT | tee outfile
+    echo "> cat logfiles"
+    cat fwd.log
+    cat unbound.log
+    echo "> check answer"
+    grep -F 'DNSC\000\002\000\000\1716\226\255*\244\002L\177g\025_\127tR\151\246R\203\178\153\248\006\137\"\138\173|G/,\160\152\015\010\172\184\220`\175\217\255,\162\018\178-d\007\246k0\003I[\205w\026)\204B\002\161\010\245\243W\191\189Z\216\210x\025\204\247\173\227t\138\018\162~\152\253\211\031z\\\002m5\008\254\2244\246\243W\191\189Z\216\210Y\160\2158Y\160\2158u\210\219\184' outfile
+    cert_found=$?
+    if [ \( $cert_found -eq 0 -a $xchacha20 -eq 1 \)  -o \( $cert_found -ne 0 -a $xchacha20 -eq 0 \) ]; then
+        echo "OK"
+    else
+        echo "Not OK"
+        exit 1
+    fi
+
+    # Certificates are local-data for unbound. We can also retrieve them from unbound
+    # port.
+    echo "> dig TXT 2.dnscrypt-cert.example.com. 1_salsa.CERT. Unbound ${opt}"
+    dig ${opt} @127.0.0.1 -p $UNBOUND_PORT 2.dnscrypt-cert.example.com. TXT | tee outfile
+    echo "> cat logfiles"
+    cat fwd.log
+    cat unbound.log
+    echo "> check answer"
+    if grep -F 'DNSC\000\001\000\000i\230\177hg\210 \172>\1438\247\174\154U\216\188\152\145y\000U\254\208\183qBQ\158\019S\189\180\150\013K\160\220\248\236\028`\131\174\214!\017Xk\202\152\189\026T\224\180)'"'"'9u\026\143\004\002\195\027\1912\203\176D\016\180e\198h\136{\216s;Sd2^\154\225\005<\016C\205+S\219A\195\027\1912\203\176D\016Y\160\203\009Y\160\203\009u\210\207\137' outfile; then
+        echo "OK"
+    else
+        echo "Not OK"
+        exit 1
+    fi
+done
+
+exit 0
diff --git a/testdata/dnscrypt_cert_chacha.tdir/dnscrypt_cert_chacha.testns b/testdata/dnscrypt_cert_chacha.tdir/dnscrypt_cert_chacha.testns
new file mode 100644
index 000000000000..0af820e01deb
--- /dev/null
+++ b/testdata/dnscrypt_cert_chacha.tdir/dnscrypt_cert_chacha.testns
@@ -0,0 +1,26 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname UDP
+REPLY QR AA TC NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname TCP
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+www	IN	A	10.20.30.41
+www	IN	A	10.20.30.42
+ENTRY_END
+
diff --git a/testdata/dnscrypt_cert_chacha.tdir/precheck.sh b/testdata/dnscrypt_cert_chacha.tdir/precheck.sh
new file mode 100644
index 000000000000..00fa4bc76067
--- /dev/null
+++ b/testdata/dnscrypt_cert_chacha.tdir/precheck.sh
@@ -0,0 +1,16 @@
+# dnscrypt precheck.sh
+
+# if no dnscrypt; exit
+if grep "define USE_DNSCRYPT 1" $PRE/config.h; then
+        echo "have dnscrypt"
+else
+        echo "no dnscrypt"
+        exit 0
+fi
+
+# if no xchacha20 support in unbound; exit
+if grep "define USE_DNSCRYPT_XCHACHA20 1" $PRE/config.h; then
+        xchacha20=1
+else
+        xchacha20=0
+fi
diff --git a/testdata/dnscrypt_cert_chacha.tpkg b/testdata/dnscrypt_cert_chacha.tpkg
deleted file mode 100644
index 4df461f03eac..000000000000
--- a/testdata/dnscrypt_cert_chacha.tpkg
+++ /dev/null
diff --git a/testdata/dnscrypt_queries.tdir/1.cert b/testdata/dnscrypt_queries.tdir/1.cert
new file mode 100644
index 000000000000..fbc529bfa3ab
--- /dev/null
+++ b/testdata/dnscrypt_queries.tdir/1.cert
diff --git a/testdata/dnscrypt_queries.tdir/1.key b/testdata/dnscrypt_queries.tdir/1.key
new file mode 100644
index 000000000000..165262c86e53
--- /dev/null
+++ b/testdata/dnscrypt_queries.tdir/1.key
@@ -0,0 +1 @@
+®öÝìK¬‡#‘€4ùsŽ	pèÖôÁæÀx!¹»AŠ"mM
\ No newline at end of file
diff --git a/testdata/dnscrypt_queries.tdir/1_chacha.cert b/testdata/dnscrypt_queries.tdir/1_chacha.cert
new file mode 100644
index 000000000000..3da5c612d060
--- /dev/null
+++ b/testdata/dnscrypt_queries.tdir/1_chacha.cert
diff --git a/testdata/dnscrypt_queries.tdir/1_salsa.cert b/testdata/dnscrypt_queries.tdir/1_salsa.cert
new file mode 100644
index 000000000000..17e447fc339b
--- /dev/null
+++ b/testdata/dnscrypt_queries.tdir/1_salsa.cert
diff --git a/testdata/dnscrypt_queries.tdir/2.cert b/testdata/dnscrypt_queries.tdir/2.cert
new file mode 100644
index 000000000000..ebf8ac108d14
--- /dev/null
+++ b/testdata/dnscrypt_queries.tdir/2.cert
diff --git a/testdata/dnscrypt_queries.tdir/2.key b/testdata/dnscrypt_queries.tdir/2.key
new file mode 100644
index 000000000000..c299f550ae95
--- /dev/null
+++ b/testdata/dnscrypt_queries.tdir/2.key
@@ -0,0 +1 @@
+m7Ÿñâƒx;‘%׸õ�é*•ÜR¯äÓ¯¹mDªñ
\ No newline at end of file
diff --git a/testdata/dnscrypt_queries.tdir/2_chacha.cert b/testdata/dnscrypt_queries.tdir/2_chacha.cert
new file mode 100644
index 000000000000..ed4ec26065a6
--- /dev/null
+++ b/testdata/dnscrypt_queries.tdir/2_chacha.cert
diff --git a/testdata/dnscrypt_queries.tdir/2_salsa.cert b/testdata/dnscrypt_queries.tdir/2_salsa.cert
new file mode 100644
index 000000000000..6e71fe97864d
--- /dev/null
+++ b/testdata/dnscrypt_queries.tdir/2_salsa.cert
diff --git a/testdata/dnscrypt_queries.tdir/dnscrypt_queries.conf b/testdata/dnscrypt_queries.tdir/dnscrypt_queries.conf
new file mode 100644
index 000000000000..355d4ff13595
--- /dev/null
+++ b/testdata/dnscrypt_queries.tdir/dnscrypt_queries.conf
@@ -0,0 +1,26 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	port: @PORT@
+    interface: 0.0.0.0
+    interface: 0.0.0.0@@DNSCRYPT_PORT@
+	use-syslog: no
+	directory: .
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
+dnscrypt:
+    dnscrypt-enable: yes
+    dnscrypt-port: @DNSCRYPT_PORT@
+    dnscrypt-provider: 2.dnscrypt-cert.example.com.
+    dnscrypt-secret-key: 1.key
+    dnscrypt-secret-key: 2.key
+    dnscrypt-provider-cert: 1_salsa.cert
+    dnscrypt-provider-cert: 2_salsa.cert
+
diff --git a/testdata/dnscrypt_queries.tdir/dnscrypt_queries.dsc b/testdata/dnscrypt_queries.tdir/dnscrypt_queries.dsc
new file mode 100644
index 000000000000..e1e653e57117
--- /dev/null
+++ b/testdata/dnscrypt_queries.tdir/dnscrypt_queries.dsc
@@ -0,0 +1,16 @@
+BaseName: dnscrypt_queries
+Version: 1.0
+Description: dnscrypt queries.
+CreationDate: Fri Mar 03 10:08:08 CEST 2017
+Maintainer: Emmanuel Bretelle
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: dnscrypt_queries.pre
+Post: dnscrypt_queries.post
+Test: dnscrypt_queries.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/dnscrypt_queries.tdir/dnscrypt_queries.post b/testdata/dnscrypt_queries.tdir/dnscrypt_queries.post
new file mode 100644
index 000000000000..b61480616892
--- /dev/null
+++ b/testdata/dnscrypt_queries.tdir/dnscrypt_queries.post
@@ -0,0 +1,20 @@
+# #-- dnscrypt_queries.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+PRE="../.."
+. ../common.sh
+# if no dnscrypt; exit
+if grep "define USE_DNSCRYPT 1" $PRE/config.h; then
+        echo "have dnscrypt"
+else
+        echo "no dnscrypt"
+        exit 0
+fi
+
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
+kill_pid $PROXY_PID
diff --git a/testdata/dnscrypt_queries.tdir/dnscrypt_queries.pre b/testdata/dnscrypt_queries.tdir/dnscrypt_queries.pre
new file mode 100644
index 000000000000..288a66541a34
--- /dev/null
+++ b/testdata/dnscrypt_queries.tdir/dnscrypt_queries.pre
@@ -0,0 +1,53 @@
+# #-- dnscrypt_queries.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+# if no dnscrypt; exit
+if grep "define USE_DNSCRYPT 1" $PRE/config.h; then
+        echo "have dnscrypt"
+else
+        echo "no dnscrypt"
+        exit 0
+fi
+
+get_random_port 4
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+DNSCRYPT_PORT=$(($RND_PORT + 2))
+PROXY_PORT=$(($RND_PORT + 3))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+echo "DNSCRYPT_PORT=$DNSCRYPT_PORT" >> .tpkg.var.test
+echo "PROXY_PORT=$PROXY_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT dnscrypt_queries.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+dnscrypt-proxy --local-address=127.0.0.1:${PROXY_PORT} \
+    --resolver-address=127.0.0.1:${DNSCRYPT_PORT} \
+    --provider-name=2.dnscrypt-cert.example.com \
+    --provider-key=B85F:41A1:4F23:F7DB:C866:F397:CC6F:44B6:5F9D:65C5:B629:7C27:5403:A6E9:DCF2:4F9D \
+    -m 32 \
+    >dnscryptproxy.log 2>&1 &
+PROXY_PID=$!
+echo "PROXY_PID=$PROXY_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' \
+    -e 's/@DNSCRYPT_PORT\@/'$DNSCRYPT_PORT'/' < dnscrypt_queries.conf > ub.conf
+# start unbound in the background
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+wait_server_up dnscryptproxy.log "Proxying from"
diff --git a/testdata/dnscrypt_queries.tdir/dnscrypt_queries.test b/testdata/dnscrypt_queries.tdir/dnscrypt_queries.test
new file mode 100644
index 000000000000..5614a444da05
--- /dev/null
+++ b/testdata/dnscrypt_queries.tdir/dnscrypt_queries.test
@@ -0,0 +1,107 @@
+# #-- dnscrypt_queries.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+# if no dnscrypt; exit
+if grep "define USE_DNSCRYPT 1" $PRE/config.h; then
+        echo "have dnscrypt"
+else
+        echo "no dnscrypt"
+        exit 0
+fi
+
+
+# do the test
+for opt in '' '+tcp'
+do
+    echo "> do queries ${opt}"
+    dig @127.0.0.1 ${opt} -p $PROXY_PORT www1.example.com. >outfile1 &
+    digpid1=$!
+    dig @127.0.0.1 ${opt} -p $PROXY_PORT www2.example.com. >outfile2 &
+    digpid2=$!
+    dig @127.0.0.1 ${opt} -p $PROXY_PORT www3.example.com. >outfile3 &
+    digpid3=$!
+    dig @127.0.0.1 ${opt} -p $PROXY_PORT www4.example.com. >outfile4 &
+    digpid4=$!
+    dig @127.0.0.1 ${opt} -p $PROXY_PORT www5.example.com. >outfile5 &
+    digpid5=$!
+    dig @127.0.0.1 ${opt} -p $PROXY_PORT www6.example.com. >outfile6 &
+    digpid6=$!
+    sleep 1
+    kill -9 $digpid1
+    kill -9 $digpid2
+    kill -9 $digpid3
+    kill -9 $digpid4
+    kill -9 $digpid5
+    kill -9 $digpid6
+
+    echo "> cat outfile1"
+    cat outfile1 
+    echo "> cat outfile2"
+    cat outfile2 
+    echo "> cat outfile3"
+    cat outfile3
+    echo "> cat outfile4"
+    cat outfile4
+    echo "> cat outfile5"
+    cat outfile5
+    echo "> cat outfile6"
+    cat outfile6
+    echo "> cat logfiles"
+    cat fwd.log 
+    cat unbound.log
+
+    echo "> check for ID bit collisions"
+    grep "pending reply" unbound.log > ids
+    numsend=`cat ids | wc -l`
+    cat ids | awk '{print $8};' | sort -u > ids2
+    numuniq=`cat ids2 | wc -l`
+    if test $numuniq -ne $numsend; then
+        echo "got a ID number clash. could not do test, sorry"
+        exit 0
+    fi
+
+    echo "> check answers for queries"
+    if grep "10.20.30.40" outfile1; then
+        echo "1 is OK"
+    else
+        echo "1 is not OK"
+        exit 1
+    fi
+    if grep "10.20.30.50" outfile2; then
+        echo "2 is OK"
+    else
+        echo "2 is not OK"
+        exit 1
+    fi
+    if grep "10.20.30.60" outfile3; then
+        echo "3 is OK"
+    else
+        echo "3 is not OK"
+        exit 1
+    fi
+    if grep "10.20.30.70" outfile4; then
+        echo "4 is OK"
+    else
+        echo "4 is not OK"
+        exit 1
+    fi
+    if grep "10.20.30.80" outfile5; then
+        echo "5 is OK"
+    else
+        echo "5 is not OK"
+        exit 1
+    fi
+    if grep "10.20.30.90" outfile6; then
+        echo "6 is OK"
+    else
+        echo "6 is not OK"
+        exit 1
+    fi
+done
+
+exit 0
diff --git a/testdata/dnscrypt_queries.tdir/dnscrypt_queries.testns b/testdata/dnscrypt_queries.tdir/dnscrypt_queries.testns
new file mode 100644
index 000000000000..f03c15f764ca
--- /dev/null
+++ b/testdata/dnscrypt_queries.tdir/dnscrypt_queries.testns
@@ -0,0 +1,63 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www1	IN	A
+SECTION ANSWER
+www1	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www2	IN	A
+SECTION ANSWER
+www2	IN	A	10.20.30.50
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www3	IN	A
+SECTION ANSWER
+www3	IN	A	10.20.30.60
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www4	IN	A
+SECTION ANSWER
+www4	IN	A	10.20.30.70
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www5	IN	A
+SECTION ANSWER
+www5	IN	A	10.20.30.80
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www6	IN	A
+SECTION ANSWER
+www6	IN	A	10.20.30.90
+ENTRY_END
diff --git a/testdata/dnscrypt_queries.tpkg b/testdata/dnscrypt_queries.tpkg
deleted file mode 100644
index c856303cd284..000000000000
--- a/testdata/dnscrypt_queries.tpkg
+++ /dev/null
diff --git a/testdata/dnscrypt_queries_chacha.tdir/1.key b/testdata/dnscrypt_queries_chacha.tdir/1.key
new file mode 100644
index 000000000000..165262c86e53
--- /dev/null
+++ b/testdata/dnscrypt_queries_chacha.tdir/1.key
@@ -0,0 +1 @@
+®öÝìK¬‡#‘€4ùsŽ	pèÖôÁæÀx!¹»AŠ"mM
\ No newline at end of file
diff --git a/testdata/dnscrypt_queries_chacha.tdir/1_chacha.cert b/testdata/dnscrypt_queries_chacha.tdir/1_chacha.cert
new file mode 100644
index 000000000000..3da5c612d060
--- /dev/null
+++ b/testdata/dnscrypt_queries_chacha.tdir/1_chacha.cert
diff --git a/testdata/dnscrypt_queries_chacha.tdir/1_salsa.cert b/testdata/dnscrypt_queries_chacha.tdir/1_salsa.cert
new file mode 100644
index 000000000000..17e447fc339b
--- /dev/null
+++ b/testdata/dnscrypt_queries_chacha.tdir/1_salsa.cert
diff --git a/testdata/dnscrypt_queries_chacha.tdir/2.key b/testdata/dnscrypt_queries_chacha.tdir/2.key
new file mode 100644
index 000000000000..c299f550ae95
--- /dev/null
+++ b/testdata/dnscrypt_queries_chacha.tdir/2.key
@@ -0,0 +1 @@
+m7Ÿñâƒx;‘%׸õ�é*•ÜR¯äÓ¯¹mDªñ
\ No newline at end of file
diff --git a/testdata/dnscrypt_queries_chacha.tdir/2_chacha.cert b/testdata/dnscrypt_queries_chacha.tdir/2_chacha.cert
new file mode 100644
index 000000000000..ed4ec26065a6
--- /dev/null
+++ b/testdata/dnscrypt_queries_chacha.tdir/2_chacha.cert
diff --git a/testdata/dnscrypt_queries_chacha.tdir/2_salsa.cert b/testdata/dnscrypt_queries_chacha.tdir/2_salsa.cert
new file mode 100644
index 000000000000..6e71fe97864d
--- /dev/null
+++ b/testdata/dnscrypt_queries_chacha.tdir/2_salsa.cert
diff --git a/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.conf b/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.conf
new file mode 100644
index 000000000000..9e269ba60ce3
--- /dev/null
+++ b/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.conf
@@ -0,0 +1,24 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	port: @PORT@
+    interface: 0.0.0.0
+    interface: 0.0.0.0@@DNSCRYPT_PORT@
+	use-syslog: no
+	directory: .
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
+dnscrypt:
+    dnscrypt-enable: yes
+    dnscrypt-port: @DNSCRYPT_PORT@
+    dnscrypt-provider: 2.dnscrypt-cert.example.com.
+    dnscrypt-secret-key: 2.key
+    dnscrypt-provider-cert: 2_salsa.cert
+    dnscrypt-provider-cert: 2_chacha.cert
diff --git a/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.dsc b/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.dsc
new file mode 100644
index 000000000000..372126bc3e41
--- /dev/null
+++ b/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.dsc
@@ -0,0 +1,16 @@
+BaseName: dnscrypt_queries_chacha
+Version: 1.0
+Description: dnscrypt queries using xchacha
+CreationDate: Thu Jun 01 10:08:08 CEST 2017
+Maintainer: Emmanuel Bretelle
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: dnscrypt_queries_chacha.pre
+Post: dnscrypt_queries_chacha.post
+Test: dnscrypt_queries_chacha.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.post b/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.post
new file mode 100644
index 000000000000..1ca6a7e3f1de
--- /dev/null
+++ b/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.post
@@ -0,0 +1,17 @@
+# #-- dnscrypt_queries_chacha.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+PRE="../.."
+. ../common.sh
+
+# Check if we can run the test.
+. ./precheck.sh
+
+
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
+kill_pid $PROXY_PID
diff --git a/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.pre b/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.pre
new file mode 100644
index 000000000000..6474c540dd6e
--- /dev/null
+++ b/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.pre
@@ -0,0 +1,52 @@
+# #-- dnscrypt_queries_chacha.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+# Check if we can run the test.
+. ./precheck.sh
+
+get_random_port 4
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+DNSCRYPT_PORT=$(($RND_PORT + 2))
+PROXY_PORT=$(($RND_PORT + 3))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+echo "DNSCRYPT_PORT=$DNSCRYPT_PORT" >> .tpkg.var.test
+echo "PROXY_PORT=$PROXY_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT dnscrypt_queries_chacha.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+dnscrypt-proxy --local-address=127.0.0.1:${PROXY_PORT} \
+    --resolver-address=127.0.0.1:${DNSCRYPT_PORT} \
+    --provider-name=2.dnscrypt-cert.example.com \
+    --provider-key=C352:1F20:F2D2:FD65:B5F4:7BF6:6C1A:88C1:4BCB:80CE:1E3A:3572:5CB1:7D4B:12D3:E783 \
+    -m 32 \
+    >dnscryptproxy.log 2>&1 &
+PROXY_PID=$!
+echo "PROXY_PID=$PROXY_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' \
+    -e 's/@DNSCRYPT_PORT\@/'$DNSCRYPT_PORT'/' < dnscrypt_queries_chacha.conf > ub.conf
+# start unbound in the background
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+wait_server_up dnscryptproxy.log "Proxying from"
+if ! grep 'Using version 2.0 of the DNSCrypt protocol' dnscryptproxy.log; then
+    echo "Failed to select xchacha cert"
+    exit 1
+fi
diff --git a/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.test b/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.test
new file mode 100644
index 000000000000..455c506a0d49
--- /dev/null
+++ b/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.test
@@ -0,0 +1,101 @@
+# #-- dnscrypt_queries_chacha.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+# Check if we can run the test.
+. ./precheck.sh
+
+# do the test
+for opt in '' '+tcp'
+do
+    echo "> do queries ${opt}"
+    dig @127.0.0.1 ${opt} -p $PROXY_PORT www1.example.com. >outfile1 &
+    digpid1=$!
+    dig @127.0.0.1 ${opt} -p $PROXY_PORT www2.example.com. >outfile2 &
+    digpid2=$!
+    dig @127.0.0.1 ${opt} -p $PROXY_PORT www3.example.com. >outfile3 &
+    digpid3=$!
+    dig @127.0.0.1 ${opt} -p $PROXY_PORT www4.example.com. >outfile4 &
+    digpid4=$!
+    dig @127.0.0.1 ${opt} -p $PROXY_PORT www5.example.com. >outfile5 &
+    digpid5=$!
+    dig @127.0.0.1 ${opt} -p $PROXY_PORT www6.example.com. >outfile6 &
+    digpid6=$!
+    sleep 1
+    kill -9 $digpid1
+    kill -9 $digpid2
+    kill -9 $digpid3
+    kill -9 $digpid4
+    kill -9 $digpid5
+    kill -9 $digpid6
+
+    echo "> cat outfile1"
+    cat outfile1 
+    echo "> cat outfile2"
+    cat outfile2 
+    echo "> cat outfile3"
+    cat outfile3
+    echo "> cat outfile4"
+    cat outfile4
+    echo "> cat outfile5"
+    cat outfile5
+    echo "> cat outfile6"
+    cat outfile6
+    echo "> cat logfiles"
+    cat fwd.log 
+    cat unbound.log
+
+    echo "> check for ID bit collisions"
+    grep "pending reply" unbound.log > ids
+    numsend=`cat ids | wc -l`
+    cat ids | awk '{print $8};' | sort -u > ids2
+    numuniq=`cat ids2 | wc -l`
+    if test $numuniq -ne $numsend; then
+        echo "got a ID number clash. could not do test, sorry"
+        exit 0
+    fi
+
+    echo "> check answers for queries"
+    if grep "10.20.30.40" outfile1; then
+        echo "1 is OK"
+    else
+        echo "1 is not OK"
+        exit 1
+    fi
+    if grep "10.20.30.50" outfile2; then
+        echo "2 is OK"
+    else
+        echo "2 is not OK"
+        exit 1
+    fi
+    if grep "10.20.30.60" outfile3; then
+        echo "3 is OK"
+    else
+        echo "3 is not OK"
+        exit 1
+    fi
+    if grep "10.20.30.70" outfile4; then
+        echo "4 is OK"
+    else
+        echo "4 is not OK"
+        exit 1
+    fi
+    if grep "10.20.30.80" outfile5; then
+        echo "5 is OK"
+    else
+        echo "5 is not OK"
+        exit 1
+    fi
+    if grep "10.20.30.90" outfile6; then
+        echo "6 is OK"
+    else
+        echo "6 is not OK"
+        exit 1
+    fi
+done
+
+exit 0
diff --git a/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.testns b/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.testns
new file mode 100644
index 000000000000..f03c15f764ca
--- /dev/null
+++ b/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.testns
@@ -0,0 +1,63 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www1	IN	A
+SECTION ANSWER
+www1	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www2	IN	A
+SECTION ANSWER
+www2	IN	A	10.20.30.50
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www3	IN	A
+SECTION ANSWER
+www3	IN	A	10.20.30.60
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www4	IN	A
+SECTION ANSWER
+www4	IN	A	10.20.30.70
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www5	IN	A
+SECTION ANSWER
+www5	IN	A	10.20.30.80
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www6	IN	A
+SECTION ANSWER
+www6	IN	A	10.20.30.90
+ENTRY_END
diff --git a/testdata/dnscrypt_queries_chacha.tdir/precheck.sh b/testdata/dnscrypt_queries_chacha.tdir/precheck.sh
new file mode 100644
index 000000000000..8288d9516eb1
--- /dev/null
+++ b/testdata/dnscrypt_queries_chacha.tdir/precheck.sh
@@ -0,0 +1,27 @@
+# dnscrypt precheck.sh
+
+# if no dnscrypt; exit
+if grep "define USE_DNSCRYPT 1" $PRE/config.h; then
+        echo "have dnscrypt"
+else
+        echo "no dnscrypt"
+        exit 0
+fi
+
+# if no xchacha20 support in unbound; exit
+if grep "define USE_DNSCRYPT_XCHACHA20 1" $PRE/config.h; then
+        echo "have xchacha20"
+        xchacha20=1
+else
+        echo "no xchacha20"
+        xchacha20=0
+        exit 0
+fi
+
+# if dnscrypt-proxy does not support xchacha20; exit
+if (dnscrypt-proxy -h 2>&1 | grep -q 'XChaCha20-Poly1305 cipher: present'); then
+		echo "dnscrypt-proxy has xchacha20"
+else
+		echo "dnscrypt-proxy does not have xchacha20"
+		exit 0
+fi
diff --git a/testdata/dnscrypt_queries_chacha.tpkg b/testdata/dnscrypt_queries_chacha.tpkg
deleted file mode 100644
index 8cb39dc2c2f5..000000000000
--- a/testdata/dnscrypt_queries_chacha.tpkg
+++ /dev/null
diff --git a/testdata/edns_cache.tdir/edns_cache.conf b/testdata/edns_cache.tdir/edns_cache.conf
new file mode 100644
index 000000000000..101b9751ffc6
--- /dev/null
+++ b/testdata/edns_cache.tdir/edns_cache.conf
@@ -0,0 +1,21 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: ::1
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+stub-zone:
+	name: "example.net"
+	stub-addr: "127.0.0.1@@STUB2_PORT@"
+stub-zone:
+	name: "example.com"
+	stub-addr: "127.0.0.1@@STUB2_PORT@"
+# a k a root hints
+stub-zone:
+	name: "."
+	stub-addr: "::1@@STUB1_PORT@"
diff --git a/testdata/edns_cache.tdir/edns_cache.dsc b/testdata/edns_cache.tdir/edns_cache.dsc
new file mode 100644
index 000000000000..57f47dc0dc3d
--- /dev/null
+++ b/testdata/edns_cache.tdir/edns_cache.dsc
@@ -0,0 +1,16 @@
+BaseName: edns_cache
+Version: 1.0
+Description: Server does not support EDNS and cache this.
+CreationDate: Tue Nov 30 12:34:37 CET 2010
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: edns_cache.pre
+Post: edns_cache.post
+Test: edns_cache.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/edns_cache.tdir/edns_cache.post b/testdata/edns_cache.tdir/edns_cache.post
new file mode 100644
index 000000000000..0c3ed4ca7895
--- /dev/null
+++ b/testdata/edns_cache.tdir/edns_cache.post
@@ -0,0 +1,11 @@
+# #-- edns_cache.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $STUB1_PID
+kill_pid $STUB2_PID
+kill_pid $UNBOUND_PID
diff --git a/testdata/edns_cache.tdir/edns_cache.pre b/testdata/edns_cache.tdir/edns_cache.pre
new file mode 100644
index 000000000000..93d521362209
--- /dev/null
+++ b/testdata/edns_cache.tdir/edns_cache.pre
@@ -0,0 +1,43 @@
+# #-- edns_cache.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 3
+UNBOUND_PORT=$RND_PORT
+STUB1_PORT=$(($RND_PORT + 1))
+STUB2_PORT=$(($RND_PORT + 2))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "STUB1_PORT=$STUB1_PORT" >> .tpkg.var.test
+echo "STUB2_PORT=$STUB2_PORT" >> .tpkg.var.test
+
+# start stub1
+get_ldns_testns
+$LDNS_TESTNS -6 -p $STUB1_PORT edns_cache.stub1 >stub1.log 2>&1 &
+STUB1_PID=$!
+echo "STUB1_PID=$STUB1_PID" >> .tpkg.var.test
+
+# start stub2
+$LDNS_TESTNS -p $STUB2_PORT edns_cache.stub2 >stub2.log 2>&1 &
+STUB2_PID=$!
+echo "STUB2_PID=$STUB2_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@STUB1_PORT\@/'$STUB1_PORT'/' -e 's/@STUB2_PORT\@/'$STUB2_PORT'/' < edns_cache.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+
+# wait for stubs to come up
+wait_ldns_testns_up stub1.log
+wait_ldns_testns_up stub2.log
+
+# wait for unbound to come up
+wait_unbound_up unbound.log
+
diff --git a/testdata/edns_cache.tdir/edns_cache.stub1 b/testdata/edns_cache.tdir/edns_cache.stub1
new file mode 100644
index 000000000000..23653c3b3d53
--- /dev/null
+++ b/testdata/edns_cache.tdir/edns_cache.stub1
@@ -0,0 +1,43 @@
+; nameserver test file
+; this is ::1 and the EDNS working server.
+$ORIGIN .
+$TTL 3600
+
+; root prime
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+.	IN	NS
+SECTION ANSWER
+. 	IN 	NS 	root.server.
+SECTION AUTHORITY
+SECTION ADDITIONAL
+root.server.	IN	A	127.0.0.1
+ENTRY_END
+
+; referral to example.com
+ENTRY_BEGIN
+MATCH opcode subdomain
+REPLY QR NOERROR
+ADJUST copy_id copy_query
+SECTION QUESTION
+example.com.	IN	A
+SECTION AUTHORITY
+example.com.	IN 	NS	netdns.example.net.
+ENTRY_END
+
+; referral to example.net
+ENTRY_BEGIN
+MATCH opcode subdomain
+REPLY QR NOERROR
+ADJUST copy_id copy_query
+SECTION QUESTION
+example.net.	IN	A
+SECTION AUTHORITY
+example.net.	IN 	NS	netdns.example.net.
+SECTION ADDITIONAL
+netdns.example.net. IN A 127.0.0.1
+ENTRY_END
+
diff --git a/testdata/edns_cache.tdir/edns_cache.stub2 b/testdata/edns_cache.tdir/edns_cache.stub2
new file mode 100644
index 000000000000..f70eb98e7456
--- /dev/null
+++ b/testdata/edns_cache.tdir/edns_cache.stub2
@@ -0,0 +1,33 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname noedns
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www.example.com.	IN	A
+SECTION ANSWER
+www.example.com.	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname noedns
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+netdns.example.net.	IN	A
+SECTION ANSWER
+netdns.example.net.	IN	A	127.0.0.1
+ENTRY_END
+
+; fail EDNS queries for netdns.
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA FORMERR
+ADJUST copy_id
+SECTION QUESTION
+netdns.example.net.	IN	A
+ENTRY_END
+
diff --git a/testdata/edns_cache.tdir/edns_cache.test b/testdata/edns_cache.tdir/edns_cache.test
new file mode 100644
index 000000000000..53931ded2eb7
--- /dev/null
+++ b/testdata/edns_cache.tdir/edns_cache.test
@@ -0,0 +1,30 @@
+# #-- edns_cache.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+# notice that we use one stub server on IPv6 ::1 that supports EDNS that
+# gives referrals to the other server on IPv4 127.0.0.1 that is nonEDNS.
+
+PRE="../.."
+# do the test
+echo "> dig netdns.example.net."
+dig @::1 -p $UNBOUND_PORT netdns.example.net. | tee outfile
+echo "> dig www.example.com."
+dig @::1 -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> cat stub1.log"
+cat stub1.log 
+echo "> cat stub2.log"
+cat stub2.log 
+echo "> cat unbound.log"
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/edns_cache.tpkg b/testdata/edns_cache.tpkg
deleted file mode 100644
index 63756410856c..000000000000
--- a/testdata/edns_cache.tpkg
+++ /dev/null
diff --git a/testdata/edns_lame.tdir/edns_lame.conf b/testdata/edns_lame.tdir/edns_lame.conf
new file mode 100644
index 000000000000..9cd19c0d9d1c
--- /dev/null
+++ b/testdata/edns_lame.tdir/edns_lame.conf
@@ -0,0 +1,15 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
diff --git a/testdata/edns_lame.tdir/edns_lame.dsc b/testdata/edns_lame.tdir/edns_lame.dsc
new file mode 100644
index 000000000000..83f972562b6b
--- /dev/null
+++ b/testdata/edns_lame.tdir/edns_lame.dsc
@@ -0,0 +1,16 @@
+BaseName: edns_lame
+Version: 1.0
+Description: Forward UDP but EDNS packets time out
+CreationDate: Mon Sep 29 16:39:15 CEST 2008
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: edns_lame.pre
+Post: edns_lame.post
+Test: edns_lame.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/edns_lame.tdir/edns_lame.post b/testdata/edns_lame.tdir/edns_lame.post
new file mode 100644
index 000000000000..f71e3c4246e6
--- /dev/null
+++ b/testdata/edns_lame.tdir/edns_lame.post
@@ -0,0 +1,10 @@
+# #-- edns_lame.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
diff --git a/testdata/edns_lame.tdir/edns_lame.pre b/testdata/edns_lame.tdir/edns_lame.pre
new file mode 100644
index 000000000000..d8c2c076f470
--- /dev/null
+++ b/testdata/edns_lame.tdir/edns_lame.pre
@@ -0,0 +1,30 @@
+# #-- edns_lame.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT -v edns_lame.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < edns_lame.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -vvvv -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
diff --git a/testdata/edns_lame.tdir/edns_lame.test b/testdata/edns_lame.tdir/edns_lame.test
new file mode 100644
index 000000000000..92d669267402
--- /dev/null
+++ b/testdata/edns_lame.tdir/edns_lame.test
@@ -0,0 +1,24 @@
+# #-- edns_lame.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+echo "> dig www.example.com."
+dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> dig www.example.com."
+dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/edns_lame.tdir/edns_lame.testns b/testdata/edns_lame.tdir/edns_lame.testns
new file mode 100644
index 000000000000..cd248c3b37eb
--- /dev/null
+++ b/testdata/edns_lame.tdir/edns_lame.testns
@@ -0,0 +1,14 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname noedns
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
diff --git a/testdata/edns_lame.tpkg b/testdata/edns_lame.tpkg
deleted file mode 100644
index 643fe0c61298..000000000000
--- a/testdata/edns_lame.tpkg
+++ /dev/null
diff --git a/testdata/fwd_ancil.tdir/fwd_ancil.conf b/testdata/fwd_ancil.tdir/fwd_ancil.conf
new file mode 100644
index 000000000000..022e10f717c4
--- /dev/null
+++ b/testdata/fwd_ancil.tdir/fwd_ancil.conf
@@ -0,0 +1,17 @@
+server:
+	verbosity: 1
+	# num-threads: 1
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+	interface-automatic: yes
+	access-control: 0.0.0.0/0 allow
+	access-control: ::0/0 allow
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
diff --git a/testdata/fwd_ancil.tdir/fwd_ancil.dsc b/testdata/fwd_ancil.tdir/fwd_ancil.dsc
new file mode 100644
index 000000000000..eac1c8f12b08
--- /dev/null
+++ b/testdata/fwd_ancil.tdir/fwd_ancil.dsc
@@ -0,0 +1,16 @@
+BaseName: fwd_ancil
+Version: 1.0
+Description: Test if ip6 ancillary recvmsg and sendmsg work.
+CreationDate: Tue Jan 15 10:47:37 CET 2008
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: fwd_ancil.pre
+Post: fwd_ancil.post
+Test: fwd_ancil.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/fwd_ancil.tdir/fwd_ancil.post b/testdata/fwd_ancil.tdir/fwd_ancil.post
new file mode 100644
index 000000000000..a74ba856e3b6
--- /dev/null
+++ b/testdata/fwd_ancil.tdir/fwd_ancil.post
@@ -0,0 +1,18 @@
+# #-- fwd_ancil.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+if test `hostname`"" = "dicht.nlnetlabs.nl"; then
+	echo "In jail, no ::1, skip test"
+	exit 0
+fi
+
+kill_pid $FWD_PID
+if fgrep "service stopped" unbound.log; then
+	exit 0
+fi      
+kill_pid $UNBOUND_PID
diff --git a/testdata/fwd_ancil.tdir/fwd_ancil.pre b/testdata/fwd_ancil.tdir/fwd_ancil.pre
new file mode 100644
index 000000000000..e1ce37a7fcca
--- /dev/null
+++ b/testdata/fwd_ancil.tdir/fwd_ancil.pre
@@ -0,0 +1,44 @@
+# #-- fwd_ancil.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+. ../common.sh
+
+if test `hostname`"" = "dicht.nlnetlabs.nl"; then
+	echo "In jail, no ::1, skip test"
+	exit 0
+fi
+
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT fwd_ancil.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < fwd_ancil.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+
+wait_ldns_testns_up fwd.log
+
+# wait for unbound to come up
+# string 'Start of service' in log.
+wait_server_up_or_fail unbound.log "start of service" "disable interface-automatic"
+if fgrep "disable interface-automatic" unbound.log; then
+	echo "skip test"
+	exit 1
+fi
+
diff --git a/testdata/fwd_ancil.tdir/fwd_ancil.test b/testdata/fwd_ancil.tdir/fwd_ancil.test
new file mode 100644
index 000000000000..b90360fb8b4d
--- /dev/null
+++ b/testdata/fwd_ancil.tdir/fwd_ancil.test
@@ -0,0 +1,101 @@
+# #-- fwd_ancil.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+
+if test `hostname`"" = "dicht.nlnetlabs.nl"; then
+	echo "In jail, no ::1, skip test"
+	exit 0
+fi
+
+if fgrep "disable interface-automatic" unbound.log; then
+	echo "skip test"
+	exit 0
+fi
+
+get_make
+(cd $PRE; $MAKE streamtcp)
+
+# detect platform support first
+echo "> streamtcp -n -u -f 127.0.0.1 www.example.com. A IN"
+$PRE/streamtcp -n -u -f 127.0.0.1@$UNBOUND_PORT www.example.com. A IN | tee outfile
+sleep 2
+echo "> check answer"
+if ! grep "Please disable interface-automatic" unbound.log; then
+	echo "OK"
+else
+	echo "No platform support for ancillary data"
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK - but ignore test"
+	exit 0
+fi
+rm outfile
+
+
+# do the test
+echo "> streamtcp -f 127.0.0.1 www.example.com. A IN"
+$PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT www.example.com. A IN | tee outfile
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+rm outfile
+
+echo "> streamtcp -f ::1 www.example.com. A IN"
+$PRE/streamtcp -f ::1@$UNBOUND_PORT www.example.com. A IN | tee outfile
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+rm outfile
+
+echo "> streamtcp -u -f ::1 www.example.com. A IN"
+$PRE/streamtcp -u -f ::1@$UNBOUND_PORT www.example.com. A IN | tee outfile
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+rm outfile
+
+echo "> streamtcp -u -f 127.0.0.1 www.example.com. A IN"
+$PRE/streamtcp -u -f 127.0.0.1@$UNBOUND_PORT www.example.com. A IN | tee outfile
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+rm outfile
+
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+exit 0
diff --git a/testdata/fwd_ancil.tdir/fwd_ancil.testns b/testdata/fwd_ancil.tdir/fwd_ancil.testns
new file mode 100644
index 000000000000..f2a700cc7daf
--- /dev/null
+++ b/testdata/fwd_ancil.tdir/fwd_ancil.testns
@@ -0,0 +1,14 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
diff --git a/testdata/fwd_ancil.tpkg b/testdata/fwd_ancil.tpkg
deleted file mode 100644
index 34021180e7a9..000000000000
--- a/testdata/fwd_ancil.tpkg
+++ /dev/null
diff --git a/testdata/fwd_bogus.tdir/fwd_bogus.conf b/testdata/fwd_bogus.tdir/fwd_bogus.conf
new file mode 100644
index 000000000000..04ec5aacd559
--- /dev/null
+++ b/testdata/fwd_bogus.tdir/fwd_bogus.conf
@@ -0,0 +1,26 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+	trust-anchor: "example.com.	3600	IN	DS	30899 5 1 d4bf9d2e10f6d76840d42ef5913022abcd0bf512"
+	fake-sha1: yes
+remote-control:
+        control-enable: yes
+	control-interface: 127.0.0.1
+	# control-interface: ::1
+	control-port: @CONTROL_PORT@
+	server-key-file: "unbound_server.key"
+	server-cert-file: "unbound_server.pem"
+	control-key-file: "unbound_control.key"
+	control-cert-file: "unbound_control.pem"
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
diff --git a/testdata/fwd_bogus.tdir/fwd_bogus.dsc b/testdata/fwd_bogus.tdir/fwd_bogus.dsc
new file mode 100644
index 000000000000..a578d22af2bd
--- /dev/null
+++ b/testdata/fwd_bogus.tdir/fwd_bogus.dsc
@@ -0,0 +1,16 @@
+BaseName: fwd_bogus
+Version: 1.0
+Description: Forward and check bogus TTL in the cache.
+CreationDate: Thu Sep 10 10:14:57 CEST 2009
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: fwd_bogus.pre
+Post: fwd_bogus.post
+Test: fwd_bogus.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/fwd_bogus.tdir/fwd_bogus.post b/testdata/fwd_bogus.tdir/fwd_bogus.post
new file mode 100644
index 000000000000..ec91bc7cad11
--- /dev/null
+++ b/testdata/fwd_bogus.tdir/fwd_bogus.post
@@ -0,0 +1,10 @@
+# #-- fwd_bogus.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
diff --git a/testdata/fwd_bogus.tdir/fwd_bogus.pre b/testdata/fwd_bogus.tdir/fwd_bogus.pre
new file mode 100644
index 000000000000..b4cf2a0fd1b0
--- /dev/null
+++ b/testdata/fwd_bogus.tdir/fwd_bogus.pre
@@ -0,0 +1,32 @@
+# #-- fwd_bogus.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 3
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+CONTROL_PORT=$(($RND_PORT + 2))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT fwd_bogus.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < fwd_bogus.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
diff --git a/testdata/fwd_bogus.tdir/fwd_bogus.test b/testdata/fwd_bogus.tdir/fwd_bogus.test
new file mode 100644
index 000000000000..743b4e66a694
--- /dev/null
+++ b/testdata/fwd_bogus.tdir/fwd_bogus.test
@@ -0,0 +1,48 @@
+# #-- fwd_bogus.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+
+# do the test
+echo "> dig www.example.com."
+dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+# servfail.
+if grep "SERVFAIL" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+# now check the cache.
+$PRE/unbound-control -c ub.conf dump_cache > cachedump
+if test $? -ne 0; then
+	echo "unbound-control failed"
+	cat cachedump
+	exit 1
+else
+	echo "unbound-control ok"
+fi
+
+# bad cache entry looks like this
+# msg www.example.com. IN A 32896 1 1252576696 1 1 0 0
+cat cachedump
+
+ttl=`grep "msg www.example.com" cachedump | awk '{print $7}'`
+echo TTL $ttl
+# must be smaller than bogus ttl of 60.
+if test $ttl -gt 61; then
+	echo "failed: TTL too big!"
+	exit 1
+else
+	echo "TTL OK"
+fi
+
+exit 0
diff --git a/testdata/fwd_bogus.tdir/fwd_bogus.testns b/testdata/fwd_bogus.tdir/fwd_bogus.testns
new file mode 100644
index 000000000000..258c0e938f20
--- /dev/null
+++ b/testdata/fwd_bogus.tdir/fwd_bogus.testns
@@ -0,0 +1,25 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+; give unsigned answers!
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+@	IN	DNSKEY
+SECTION ANSWER
+example.com.	3600	IN	DNSKEY	256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
diff --git a/testdata/fwd_bogus.tdir/unbound_control.key b/testdata/fwd_bogus.tdir/unbound_control.key
new file mode 100644
index 000000000000..d7c43a06bb58
--- /dev/null
+++ b/testdata/fwd_bogus.tdir/unbound_control.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDD6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBa
+rzPA0vlyuNtUsEN3qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvH
+ST6JwUdIg0Lzg/USJ81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQAB
+AoGAFT3e35MIgI4uDJJ8X0RfHp2NCO2LUg4TKbWical/C0W9vlR1/x80G1pE1d2Z
+WotqJVWTrOq6eBox19RCgtLg2wPGk9uD62+9SDT37heWFlUCElWq50pQG6k9ThiG
+DDypkZyZ/52+DdWybiaQJkuK6O5qQXuNAtVJMpghu4GnHAECQQDsupnZUQDpapzr
+4FC4MSkL2+A1PRt6g4VhwoqOpJXaHfVnH6F7AwUuOLNwGdR5Cvv70pfJ7Jqg8L2m
+Kxyl5bORAkEA09rn34YQ0pHJdHidbl2kInIuYTz09+TO3LWwan17nISH9aaYvVDr
+p9x1B4Qzw9qyxT9oll7ze/5Rw/7C3AQj4QJAT2B2a+b8bkgAXBs4FbruL3rHoDJg
+P2FQXSpVOWU4lg2LlsuFYvDtUMVUbZdLplanjZXcral3Y9W1Ub2M+ped8QJAYQN+
+aRpge7ys7vwIw7B36Bo3aOncF+ScYe+FkM5Tm7II/JHEofT7ZQwMP1vnxIlSkgbe
+YvWqNB6a3NC99LikoQJBAM4UhDdRg63Tr6Idky6CQaH///zAN7nArJfffKGWFdw9
+DKrWpNqvYZtX/cfEJucKcRCm5YL8CKFYbQy4VoCxUcE=
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/fwd_bogus.tdir/unbound_control.pem b/testdata/fwd_bogus.tdir/unbound_control.pem
new file mode 100644
index 000000000000..8f1ba87f1cdd
--- /dev/null
+++ b/testdata/fwd_bogus.tdir/unbound_control.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBozCCAQwCCQD6XaN6FzW/4DANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowGjEYMBYGA1UE
+AxMPdW5ib3VuZC1jb250cm9sMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD
+6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBarzPA0vlyuNtUsEN3
+qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvHST6JwUdIg0Lzg/US
+J81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQABMA0GCSqGSIb3DQEB
+BQUAA4GBAGFAXmaQHuFgAuc6HVhYZJdToxLBhfxGpot4oZNjcb1Cdoz3OL34MU1B
+9E5psj2PpGPIi8/RwoqBtAJHJ+J5cWngo03o4ZmdwKNSzaxlp141z/3rUtFqEHEC
+iO6gPCT3U7dt6MyC7r6vdMqyW6aldP3CtwD0gQziKAMoj+TAfAcq
+-----END CERTIFICATE-----
diff --git a/testdata/fwd_bogus.tdir/unbound_server.key b/testdata/fwd_bogus.tdir/unbound_server.key
new file mode 100644
index 000000000000..4256c421dd0d
--- /dev/null
+++ b/testdata/fwd_bogus.tdir/unbound_server.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQC3F7Jsv2u01pLL9rFnjsMU/IaCFUIz/624DcaE84Z4gjMl5kWA
+3axQcqul1wlwSrbKwrony+d9hH/+MX0tZwvl8w3OmhmOAiaQ+SHCsIuOjVwQjX0s
+RLB61Pz5+PAiVvnPa9JIYB5QrK6DVEsxIHj8MOc5JKORrnESsFDh6yeMeQIDAQAB
+AoGAAuWoGBprTOA8UGfl5LqYkaNxSWumsYXxLMFjC8WCsjN1NbtQDDr1uAwodSZS
+6ujzvX+ZTHnofs7y64XC8k34HTOCD2zlW7kijWbT8YjRYFU6o9F5zUGD9RCan0ds
+sVscT2psLSzfdsmFAcbmnGdxYkXk2PC1FHtaqExxehralGUCQQDcqrg9uQKXlhQi
+XAaPr8SiWvtRm2a9IMMZkRfUWZclPHq6fCWNuUaCD+cTat4wAuqeknAz33VEosw3
+fXGsok//AkEA1GjIHXrOcSlpfVJb6NeOBugjRtZ7ZDT5gbtnMS9ob0qntKV6saaL
+CNmJwuD9Q3XkU5j1+uHvYGP2NzcJd2CjhwJACV0hNlVMe9w9fHvFN4Gw6WbM9ViP
+0oS6YrJafYNTu5vGZXVxLoNnL4u3NYa6aPUmuZXjNwBLfJ8f5VboZPf6RwJAINd2
+oYA8bSi/A755MX4qmozH74r4Fx1Nuq5UHTm8RwDe/0Javx8F/j9MWpJY9lZDEF3l
+In5OebPa/NyInSmW/wJAZuP9aRn0nDBkHYri++1A7NykMiJ/nH0mDECbnk+wxx0S
+LwqIetBhxb8eQwMg45+iAH7CHAMQ8BQuF/nFE6eotg==
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/fwd_bogus.tdir/unbound_server.pem b/testdata/fwd_bogus.tdir/unbound_server.pem
new file mode 100644
index 000000000000..aeda3ff11882
--- /dev/null
+++ b/testdata/fwd_bogus.tdir/unbound_server.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmzCCAQQCCQDsNJ1UmphEFzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowEjEQMA4GA1UE
+AxMHdW5ib3VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtxeybL9rtNaS
+y/axZ47DFPyGghVCM/+tuA3GhPOGeIIzJeZFgN2sUHKrpdcJcEq2ysK6J8vnfYR/
+/jF9LWcL5fMNzpoZjgImkPkhwrCLjo1cEI19LESwetT8+fjwIlb5z2vSSGAeUKyu
+g1RLMSB4/DDnOSSjka5xErBQ4esnjHkCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAZ
+9N0lnLENs4JMvPS+mn8C5m9bkkFITd32IiLjf0zgYpIUbFXH6XaEr9GNZBUG8feG
+l/6WRXnbnVSblI5odQ4XxGZ9inYY6qtW30uv76HvoKp+QZ1c3460ddR8NauhcCHH
+Z7S+QbLXi+r2JAhpPozZCjBHlRD0ixzA1mKQTJhJZg==
+-----END CERTIFICATE-----
diff --git a/testdata/fwd_bogus.tpkg b/testdata/fwd_bogus.tpkg
deleted file mode 100644
index 3a49d1f7558d..000000000000
--- a/testdata/fwd_bogus.tpkg
+++ /dev/null
diff --git a/testdata/fwd_capsid.tdir/fwd_capsid.conf b/testdata/fwd_capsid.tdir/fwd_capsid.conf
new file mode 100644
index 000000000000..dbb2eb8887fc
--- /dev/null
+++ b/testdata/fwd_capsid.tdir/fwd_capsid.conf
@@ -0,0 +1,16 @@
+server:
+	verbosity: 4
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+	use-caps-for-id: yes
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
diff --git a/testdata/fwd_capsid.tdir/fwd_capsid.dsc b/testdata/fwd_capsid.tdir/fwd_capsid.dsc
new file mode 100644
index 000000000000..0899dc5e2d53
--- /dev/null
+++ b/testdata/fwd_capsid.tdir/fwd_capsid.dsc
@@ -0,0 +1,16 @@
+BaseName: fwd_capsid
+Version: 1.0
+Description: Forward and check 0x20 bits.
+CreationDate: Mon Oct  6 16:25:09 CEST 2008
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: fwd_capsid.pre
+Post: fwd_capsid.post
+Test: fwd_capsid.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/fwd_capsid.tdir/fwd_capsid.post b/testdata/fwd_capsid.tdir/fwd_capsid.post
new file mode 100644
index 000000000000..6ecf9125547d
--- /dev/null
+++ b/testdata/fwd_capsid.tdir/fwd_capsid.post
@@ -0,0 +1,10 @@
+# #-- fwd_capsid.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
diff --git a/testdata/fwd_capsid.tdir/fwd_capsid.pre b/testdata/fwd_capsid.tdir/fwd_capsid.pre
new file mode 100644
index 000000000000..16365a46e872
--- /dev/null
+++ b/testdata/fwd_capsid.tdir/fwd_capsid.pre
@@ -0,0 +1,31 @@
+# #-- fwd_capsid.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT fwd_capsid.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < fwd_capsid.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/fwd_capsid.tdir/fwd_capsid.test b/testdata/fwd_capsid.tdir/fwd_capsid.test
new file mode 100644
index 000000000000..8b49691e5fd5
--- /dev/null
+++ b/testdata/fwd_capsid.tdir/fwd_capsid.test
@@ -0,0 +1,22 @@
+# #-- fwd_capsid.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+echo "> dig www.example.com."
+dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/fwd_capsid.tdir/fwd_capsid.testns b/testdata/fwd_capsid.tdir/fwd_capsid.testns
new file mode 100644
index 000000000000..8bb1b9deb22b
--- /dev/null
+++ b/testdata/fwd_capsid.tdir/fwd_capsid.testns
@@ -0,0 +1,14 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id copy_query
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
diff --git a/testdata/fwd_capsid.tpkg b/testdata/fwd_capsid.tpkg
deleted file mode 100644
index 3f50639cb215..000000000000
--- a/testdata/fwd_capsid.tpkg
+++ /dev/null
diff --git a/testdata/fwd_capsid_fallback.tdir/fwd_capsid_fallback.conf b/testdata/fwd_capsid_fallback.tdir/fwd_capsid_fallback.conf
new file mode 100644
index 000000000000..dbb2eb8887fc
--- /dev/null
+++ b/testdata/fwd_capsid_fallback.tdir/fwd_capsid_fallback.conf
@@ -0,0 +1,16 @@
+server:
+	verbosity: 4
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+	use-caps-for-id: yes
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
diff --git a/testdata/fwd_capsid_fallback.tdir/fwd_capsid_fallback.dsc b/testdata/fwd_capsid_fallback.tdir/fwd_capsid_fallback.dsc
new file mode 100644
index 000000000000..3b873458210b
--- /dev/null
+++ b/testdata/fwd_capsid_fallback.tdir/fwd_capsid_fallback.dsc
@@ -0,0 +1,16 @@
+BaseName: fwd_capsid_fallback
+Version: 1.0
+Description: Forward and do 0x20 fallback.
+CreationDate: Mon Oct  6 16:30:15 CEST 2008
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: fwd_capsid_fallback.pre
+Post: fwd_capsid_fallback.post
+Test: fwd_capsid_fallback.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/fwd_capsid_fallback.tdir/fwd_capsid_fallback.post b/testdata/fwd_capsid_fallback.tdir/fwd_capsid_fallback.post
new file mode 100644
index 000000000000..81c334a74cc2
--- /dev/null
+++ b/testdata/fwd_capsid_fallback.tdir/fwd_capsid_fallback.post
@@ -0,0 +1,10 @@
+# #-- fwd_capsid_fallback.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
diff --git a/testdata/fwd_capsid_fallback.tdir/fwd_capsid_fallback.pre b/testdata/fwd_capsid_fallback.tdir/fwd_capsid_fallback.pre
new file mode 100644
index 000000000000..0558bea5e05e
--- /dev/null
+++ b/testdata/fwd_capsid_fallback.tdir/fwd_capsid_fallback.pre
@@ -0,0 +1,30 @@
+# #-- fwd_capsid_fallback.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT fwd_capsid_fallback.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < fwd_capsid_fallback.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
diff --git a/testdata/fwd_capsid_fallback.tdir/fwd_capsid_fallback.test b/testdata/fwd_capsid_fallback.tdir/fwd_capsid_fallback.test
new file mode 100644
index 000000000000..eba834f14dfd
--- /dev/null
+++ b/testdata/fwd_capsid_fallback.tdir/fwd_capsid_fallback.test
@@ -0,0 +1,22 @@
+# #-- fwd_capsid_fallback.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+echo "> dig www.example.com."
+dig @localhost -p $UNBOUND_PORT wwwabcdefghijklmnopqrstuvwxyzwww.example.com | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/fwd_capsid_fallback.tdir/fwd_capsid_fallback.testns b/testdata/fwd_capsid_fallback.tdir/fwd_capsid_fallback.testns
new file mode 100644
index 000000000000..f0d809e06ca5
--- /dev/null
+++ b/testdata/fwd_capsid_fallback.tdir/fwd_capsid_fallback.testns
@@ -0,0 +1,15 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+; WEIRD CAPS! ; probably not the query!
+WwWabcdefghijklmnopqrstuvwxyzWwW.ExAMPLE.CoM. 	IN	A
+SECTION ANSWER
+wWwABCDEFGHIJKLMNopqrstuvwxyzWwW.ExAMPLE.CoM.	IN	A	10.20.30.40
+ENTRY_END
+
diff --git a/testdata/fwd_capsid_fallback.tpkg b/testdata/fwd_capsid_fallback.tpkg
deleted file mode 100644
index fed74134cfb4..000000000000
--- a/testdata/fwd_capsid_fallback.tpkg
+++ /dev/null
diff --git a/testdata/fwd_capsid_strip.tdir/fwd_capsid_strip.conf b/testdata/fwd_capsid_strip.tdir/fwd_capsid_strip.conf
new file mode 100644
index 000000000000..8d077d13629c
--- /dev/null
+++ b/testdata/fwd_capsid_strip.tdir/fwd_capsid_strip.conf
@@ -0,0 +1,17 @@
+server:
+	verbosity: 4
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+	use-caps-for-id: yes
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+	forward-addr: "127.0.0.1@@TOPORT2@"
+
diff --git a/testdata/fwd_capsid_strip.tdir/fwd_capsid_strip.dsc b/testdata/fwd_capsid_strip.tdir/fwd_capsid_strip.dsc
new file mode 100644
index 000000000000..b40a5403f36d
--- /dev/null
+++ b/testdata/fwd_capsid_strip.tdir/fwd_capsid_strip.dsc
@@ -0,0 +1,16 @@
+BaseName: fwd_capsid_strip
+Version: 1.0
+Description: Forward and do 0x20 fallback that needs stripping.
+CreationDate: Fri 30 Jan 10:41:33 CET 2015
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: fwd_capsid_strip.pre
+Post: fwd_capsid_strip.post
+Test: fwd_capsid_strip.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/fwd_capsid_strip.tdir/fwd_capsid_strip.post b/testdata/fwd_capsid_strip.tdir/fwd_capsid_strip.post
new file mode 100644
index 000000000000..7ca39f5547a6
--- /dev/null
+++ b/testdata/fwd_capsid_strip.tdir/fwd_capsid_strip.post
@@ -0,0 +1,11 @@
+# #-- fwd_capsid_strip.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $FWD_PID2
+kill_pid $UNBOUND_PID
diff --git a/testdata/fwd_capsid_strip.tdir/fwd_capsid_strip.pre b/testdata/fwd_capsid_strip.tdir/fwd_capsid_strip.pre
new file mode 100644
index 000000000000..e761d11b51c0
--- /dev/null
+++ b/testdata/fwd_capsid_strip.tdir/fwd_capsid_strip.pre
@@ -0,0 +1,38 @@
+# #-- fwd_capsid_strip.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 3
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+FWD2_PORT=$(($FWD_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+echo "FWD2_PORT=$FWD2_PORT" >> .tpkg.var.test
+
+# start forwarder 1
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT fwd_capsid_strip.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# start forwarder 2
+$LDNS_TESTNS -p $FWD2_PORT fwd_capsid_strip.testns2 >fwd2.log 2>&1 &
+FWD_PID2=$!
+echo "FWD_PID2=$FWD_PID2" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@TOPORT2\@/'$FWD2_PORT'/' < fwd_capsid_strip.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_ldns_testns_up fwd2.log
+wait_unbound_up unbound.log
diff --git a/testdata/fwd_capsid_strip.tdir/fwd_capsid_strip.test b/testdata/fwd_capsid_strip.tdir/fwd_capsid_strip.test
new file mode 100644
index 000000000000..a74f89f79af2
--- /dev/null
+++ b/testdata/fwd_capsid_strip.tdir/fwd_capsid_strip.test
@@ -0,0 +1,23 @@
+# #-- fwd_capsid_strip.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+echo "> dig www.example.com."
+dig @localhost -p $UNBOUND_PORT wwwabcdefghijklmnopqrstuvwxyzwww.example.com | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat fwd2.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/fwd_capsid_strip.tdir/fwd_capsid_strip.testns b/testdata/fwd_capsid_strip.tdir/fwd_capsid_strip.testns
new file mode 100644
index 000000000000..e1d82a038f9b
--- /dev/null
+++ b/testdata/fwd_capsid_strip.tdir/fwd_capsid_strip.testns
@@ -0,0 +1,20 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+; WEIRD CAPS! ; probably not the query!
+WwWabcdefghijklmnopqrstuvwxyzWwW.ExAMPLE.CoM. 	IN	A
+SECTION ANSWER
+wWwABCDEFGHIJKLMNopqrstuvwxyzWwW.ExAMPLE.CoM.	IN	A	10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns1.example.com.
+example.com. IN NS ns2.example.com.
+SECTION ADDITIONAL
+ns1.example.com. IN A 1.2.3.4
+ENTRY_END
+
diff --git a/testdata/fwd_capsid_strip.tdir/fwd_capsid_strip.testns2 b/testdata/fwd_capsid_strip.tdir/fwd_capsid_strip.testns2
new file mode 100644
index 000000000000..77213abc22fd
--- /dev/null
+++ b/testdata/fwd_capsid_strip.tdir/fwd_capsid_strip.testns2
@@ -0,0 +1,18 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+; WEIRD CAPS! ; probably not the query!
+WwWabcdefghijklmnopqrstuvwxyzWwW.ExAMPLE.CoM. 	IN	A
+SECTION ANSWER
+wWwABCDEFGHIJKLMNopqrstuvwxyzWwW.ExAMPLE.CoM.	IN	A	10.20.30.40
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ns2.example.com. IN A 1.2.3.5
+ENTRY_END
+
diff --git a/testdata/fwd_capsid_strip.tpkg b/testdata/fwd_capsid_strip.tpkg
deleted file mode 100644
index c0be8a3c5dd6..000000000000
--- a/testdata/fwd_capsid_strip.tpkg
+++ /dev/null
diff --git a/testdata/fwd_capsid_white.tdir/fwd_capsid_white.conf b/testdata/fwd_capsid_white.tdir/fwd_capsid_white.conf
new file mode 100644
index 000000000000..65552c85bd68
--- /dev/null
+++ b/testdata/fwd_capsid_white.tdir/fwd_capsid_white.conf
@@ -0,0 +1,18 @@
+server:
+	verbosity: 4
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+	use-caps-for-id: yes
+	caps-whitelist: "example.com"
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+	forward-addr: "127.0.0.1@@TOPORT2@"
+
diff --git a/testdata/fwd_capsid_white.tdir/fwd_capsid_white.dsc b/testdata/fwd_capsid_white.tdir/fwd_capsid_white.dsc
new file mode 100644
index 000000000000..3c9f042e8f47
--- /dev/null
+++ b/testdata/fwd_capsid_white.tdir/fwd_capsid_white.dsc
@@ -0,0 +1,16 @@
+BaseName: fwd_capsid_white
+Version: 1.0
+Description: Forward and and test 0x20 whitelist.
+CreationDate: Fri  1 May 14:25:04 CEST 2015
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: fwd_capsid_white.pre
+Post: fwd_capsid_white.post
+Test: fwd_capsid_white.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/fwd_capsid_white.tdir/fwd_capsid_white.post b/testdata/fwd_capsid_white.tdir/fwd_capsid_white.post
new file mode 100644
index 000000000000..c68987276e47
--- /dev/null
+++ b/testdata/fwd_capsid_white.tdir/fwd_capsid_white.post
@@ -0,0 +1,11 @@
+# #-- fwd_capsid_white.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $FWD_PID2
+kill_pid $UNBOUND_PID
diff --git a/testdata/fwd_capsid_white.tdir/fwd_capsid_white.pre b/testdata/fwd_capsid_white.tdir/fwd_capsid_white.pre
new file mode 100644
index 000000000000..18e801c18207
--- /dev/null
+++ b/testdata/fwd_capsid_white.tdir/fwd_capsid_white.pre
@@ -0,0 +1,38 @@
+# #-- fwd_capsid_white.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 3
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+FWD2_PORT=$(($FWD_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+echo "FWD2_PORT=$FWD2_PORT" >> .tpkg.var.test
+
+# start forwarder 1
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT fwd_capsid_white.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# start forwarder 2
+$LDNS_TESTNS -p $FWD2_PORT fwd_capsid_white.testns2 >fwd2.log 2>&1 &
+FWD_PID2=$!
+echo "FWD_PID2=$FWD_PID2" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@TOPORT2\@/'$FWD2_PORT'/' < fwd_capsid_white.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_ldns_testns_up fwd2.log
+wait_unbound_up unbound.log
diff --git a/testdata/fwd_capsid_white.tdir/fwd_capsid_white.test b/testdata/fwd_capsid_white.tdir/fwd_capsid_white.test
new file mode 100644
index 000000000000..d287259e045b
--- /dev/null
+++ b/testdata/fwd_capsid_white.tdir/fwd_capsid_white.test
@@ -0,0 +1,23 @@
+# #-- fwd_capsid_white.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+echo "> dig www.example.com."
+dig @localhost -p $UNBOUND_PORT wwwabcdefghijklmnopqrstuvwxyzwww.example.com | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat fwd2.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/fwd_capsid_white.tdir/fwd_capsid_white.testns b/testdata/fwd_capsid_white.tdir/fwd_capsid_white.testns
new file mode 100644
index 000000000000..f0d809e06ca5
--- /dev/null
+++ b/testdata/fwd_capsid_white.tdir/fwd_capsid_white.testns
@@ -0,0 +1,15 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+; WEIRD CAPS! ; probably not the query!
+WwWabcdefghijklmnopqrstuvwxyzWwW.ExAMPLE.CoM. 	IN	A
+SECTION ANSWER
+wWwABCDEFGHIJKLMNopqrstuvwxyzWwW.ExAMPLE.CoM.	IN	A	10.20.30.40
+ENTRY_END
+
diff --git a/testdata/fwd_capsid_white.tdir/fwd_capsid_white.testns2 b/testdata/fwd_capsid_white.tdir/fwd_capsid_white.testns2
new file mode 100644
index 000000000000..766043596241
--- /dev/null
+++ b/testdata/fwd_capsid_white.tdir/fwd_capsid_white.testns2
@@ -0,0 +1,17 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+; WEIRD CAPS! ; probably not the query!
+WwWabcdefghijklmnopqrstuvwxyzWwW.ExAMPLE.CoM. 	IN	A
+SECTION ANSWER
+wWwABCDEFGHIJKLMNopqrstuvwxyzWwW.ExAMPLE.CoM.	IN	A	10.20.30.44
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
diff --git a/testdata/fwd_capsid_white.tpkg b/testdata/fwd_capsid_white.tpkg
deleted file mode 100644
index 199befb56871..000000000000
--- a/testdata/fwd_capsid_white.tpkg
+++ /dev/null
diff --git a/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf
new file mode 100644
index 000000000000..39bd9f5cb23d
--- /dev/null
+++ b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf
@@ -0,0 +1,15 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: .
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
diff --git a/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.dsc b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.dsc
new file mode 100644
index 000000000000..6446e612f807
--- /dev/null
+++ b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.dsc
@@ -0,0 +1,16 @@
+BaseName: fwd_compress_c00c
+Version: 1.0
+Description: Forward and check compression of answer to query name.
+CreationDate: Mon Oct 15 15:57:03 CEST 2007
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: fwd_compress_c00c.pre
+Post: fwd_compress_c00c.post
+Test: fwd_compress_c00c.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.good b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.good
new file mode 100644
index 000000000000..527895a560d8
--- /dev/null
+++ b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.good
@@ -0,0 +1,7 @@
+0000000: 006c eb41 8180 0001 0001 0003 0000 0a6f  .l.A...........o
+0000010: 7665 7265 696e 6465 7203 6e65 7400 0001  vereinder.net...
+0000020: 0001 c00c 0001 0001 0000 0384 0004 5038  ..............P8
+0000030: dfcd c00c 0002 0001 0001 5180 0010 0161  ..........Q....a
+0000040: 026e 7305 6a6f 6b65 7203 636f 6d00 c00c  .ns.joker.com...
+0000050: 0002 0001 0001 5180 0004 0162 c03e c00c  ......Q....b.>..
+0000060: 0002 0001 0001 5180 0004 0163 c03e       ......Q....c.>
diff --git a/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.post b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.post
new file mode 100644
index 000000000000..e6dda048d77d
--- /dev/null
+++ b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.post
@@ -0,0 +1,10 @@
+# #-- fwd_compress_c00c.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
diff --git a/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.pre b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.pre
new file mode 100644
index 000000000000..48dc75794192
--- /dev/null
+++ b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.pre
@@ -0,0 +1,31 @@
+# #-- fwd_compress_c00c.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT fwd_compress_c00c.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < fwd_compress_c00c.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.test b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.test
new file mode 100644
index 000000000000..67354d014fff
--- /dev/null
+++ b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.test
@@ -0,0 +1,49 @@
+# #-- fwd_compress_c00c.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+# check what sort of netcat we have
+if nc -h 2>&1 | grep "q secs"; then
+	ncopt="-q 3 -w 2"
+else
+	ncopt="-w 2"
+fi
+
+PRE="../.."
+# do the test
+echo "> query overeinder.net | nc $ncopt tcp | xxd."
+echo "0020eb41010000010000000000000a6f76657265696e646572036e65740000010001" | xxd -r -p | nc $ncopt 127.0.0.1 $UNBOUND_PORT | xxd | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> cat outfile"
+cat outfile
+echo "> check answer"
+if grep "0000000: 007a" outfile; then
+	echo "too big!"
+	exit 1
+fi
+if grep "0000000: 006c" outfile; then
+	echo "OK"
+else	
+	echo "bad size, not OK"
+	exit 1
+fi
+
+if grep "^00000000: 006c" outfile; then
+	echo "fixup xxd with long file positions"
+	sed -e 's/^0//' < outfile > outfile2
+	mv outfile2 outfile
+	cat outfile
+fi
+
+if diff fwd_compress_c00c.good outfile; then
+	echo "Diff OK"
+else
+	echo "Diff in output"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.testns b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.testns
new file mode 100644
index 000000000000..e9574a6ee87e
--- /dev/null
+++ b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.testns
@@ -0,0 +1,18 @@
+; nameserver test file
+$ORIGIN overeinder.net.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+overeinder.net.      IN      A
+SECTION ANSWER
+overeinder.net. 900     IN      A       80.56.223.205
+SECTION AUTHORITY
+overeinder.net. 86400   IN      NS      a.ns.joker.com.
+overeinder.net. 86400   IN      NS      b.ns.joker.com.
+overeinder.net. 86400   IN      NS      c.ns.joker.com.
+ENTRY_END
+
diff --git a/testdata/fwd_compress_c00c.tpkg b/testdata/fwd_compress_c00c.tpkg
deleted file mode 100644
index a75a56a7d6e6..000000000000
--- a/testdata/fwd_compress_c00c.tpkg
+++ /dev/null
diff --git a/testdata/fwd_edns_bksec.tdir/fwd_edns_bksec.conf b/testdata/fwd_edns_bksec.tdir/fwd_edns_bksec.conf
new file mode 100644
index 000000000000..b4d62a2f6e91
--- /dev/null
+++ b/testdata/fwd_edns_bksec.tdir/fwd_edns_bksec.conf
@@ -0,0 +1,23 @@
+server:
+	verbosity: 5
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: UPORT
+	use-syslog: no
+	directory: .
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+	# key +005+30899
+	trust-anchor: "example.com.	3600	IN	DS	30899 5 1 d4bf9d2e10f6d76840d42ef5913022abcd0bf512"
+	# validation time
+	val-override-date: "20100406005004"
+	fake-sha1: yes
+
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@TOPORT"
+stub-zone:
+	name: "example.com"
+	stub-addr: "127.0.0.1@TOPORT"
diff --git a/testdata/fwd_edns_bksec.tdir/fwd_edns_bksec.dsc b/testdata/fwd_edns_bksec.tdir/fwd_edns_bksec.dsc
new file mode 100644
index 000000000000..7a2727588cec
--- /dev/null
+++ b/testdata/fwd_edns_bksec.tdir/fwd_edns_bksec.dsc
@@ -0,0 +1,16 @@
+BaseName: fwd_edns_bksec
+Version: 1.0
+Description: Forward EDNS backoff for DNSSEC domain
+CreationDate: Tue Apr  6 08:45:57 CEST 2010
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: fwd_edns_bksec.pre
+Post: fwd_edns_bksec.post
+Test: fwd_edns_bksec.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/fwd_edns_bksec.tdir/fwd_edns_bksec.post b/testdata/fwd_edns_bksec.tdir/fwd_edns_bksec.post
new file mode 100644
index 000000000000..c43b038679be
--- /dev/null
+++ b/testdata/fwd_edns_bksec.tdir/fwd_edns_bksec.post
@@ -0,0 +1,10 @@
+# #-- fwd_edns_bksec.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
diff --git a/testdata/fwd_edns_bksec.tdir/fwd_edns_bksec.pre b/testdata/fwd_edns_bksec.tdir/fwd_edns_bksec.pre
new file mode 100644
index 000000000000..d24f92d73a10
--- /dev/null
+++ b/testdata/fwd_edns_bksec.tdir/fwd_edns_bksec.pre
@@ -0,0 +1,31 @@
+# #-- fwd_edns_bksec.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -v -p $FWD_PORT fwd_edns_bksec.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/UPORT/'$UNBOUND_PORT'/' -e 's/TOPORT/'$FWD_PORT'/' < fwd_edns_bksec.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/fwd_edns_bksec.tdir/fwd_edns_bksec.test b/testdata/fwd_edns_bksec.tdir/fwd_edns_bksec.test
new file mode 100644
index 000000000000..4acd01e88dd1
--- /dev/null
+++ b/testdata/fwd_edns_bksec.tdir/fwd_edns_bksec.test
@@ -0,0 +1,42 @@
+# #-- fwd_edns_bksec.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+#
+# First the nasty name.
+# The server should not have performed EDNS fallback and cached it.
+echo "> dig nasty.example.com."
+dig @localhost -p $UNBOUND_PORT nasty.example.com. | tee outfile
+
+# no answer possible for it.
+echo "> check backed-off"
+if grep "10.20.30.77" outfile; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+# Then the www name.
+# See if we can still get the EDNS data.
+echo "> dig www.example.com."
+dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.42" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/fwd_edns_bksec.tdir/fwd_edns_bksec.testns b/testdata/fwd_edns_bksec.tdir/fwd_edns_bksec.testns
new file mode 100644
index 000000000000..d54f2b0bec0b
--- /dev/null
+++ b/testdata/fwd_edns_bksec.tdir/fwd_edns_bksec.testns
@@ -0,0 +1,73 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+; DNSKEY lookup works.
+ENTRY_BEGIN
+MATCH opcode qtype qname UDP DO
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+example.com.	IN	DNSKEY
+SECTION ANSWER
+example.com.	3600	IN	DNSKEY	256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
+example.com.	3600	IN	RRSIG	DNSKEY 5 2 3600 20100429005004 20100401005004 30899 example.com. CcIIAhvwMsSnPzJdT1onlMK8jgQnKzYoklOsm8ab644jhQfWo/BIXyJ1l9ImK4J2+quIHdrXESTMHJ5KNRs2Sw== ;{id = 30899}
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname UDP
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+example.com.	IN	DNSKEY
+SECTION ANSWER
+example.com.	3600	IN	DNSKEY	256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
+;example.com.	3600	IN	RRSIG	DNSKEY 5 2 3600 20100429005004 20100401005004 30899 example.com. CcIIAhvwMsSnPzJdT1onlMK8jgQnKzYoklOsm8ab644jhQfWo/BIXyJ1l9ImK4J2+quIHdrXESTMHJ5KNRs2Sw== ;{id = 30899}
+ENTRY_END
+
+; the first part has nasty having a 'timeout'.
+ENTRY_BEGIN
+MATCH opcode qtype qname UDP DO
+REPLY QR FORMERR
+ADJUST copy_id
+SECTION QUESTION
+nasty	IN	A
+ENTRY_END
+
+; the next part has nasty recover (with timing to be exactly during noEDNS).
+; therefore we return the signature to make our test run fast.
+ENTRY_BEGIN
+MATCH opcode qtype qname UDP
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+nasty	IN	A
+SECTION ANSWER
+nasty	IN	A	10.20.30.77
+nasty.example.com.	3600	IN	RRSIG	A 5 3 3600 20100429005004 20100401005004 30899 example.com. nV1rzF6ow8sp5k315hczuO1xRQT5MrS14BEZ0Md71/EoCfVtjD+WK63w2MnPzqLIw3YRyfC1S/bMc3B7cVZv5A== ;{id = 30899}
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname UDP DO
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+www	IN	A	10.20.30.41
+www	IN	A	10.20.30.42
+www.example.com.	3600	IN	RRSIG	A 5 3 3600 20100429005004 20100401005004 30899 example.com. gM9dI2Ew/zsRMD8ZrqetGo4xYts51quV4/CaOemUPAx8LOvGNJMGrHpJ1Q+CW7CWTauqNscFLlgUcmUQ2+RIlA== ;{id = 30899}
+ENTRY_END
+
+; fake answer so we can distinguish it
+ENTRY_BEGIN
+MATCH opcode qtype qname UDP
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
diff --git a/testdata/fwd_edns_bksec.tpkg b/testdata/fwd_edns_bksec.tpkg
deleted file mode 100644
index dc8ac739d626..000000000000
--- a/testdata/fwd_edns_bksec.tpkg
+++ /dev/null
diff --git a/testdata/fwd_edns_probe.tdir/fwd_edns_probe.conf b/testdata/fwd_edns_probe.tdir/fwd_edns_probe.conf
new file mode 100644
index 000000000000..4756b4bbb3bd
--- /dev/null
+++ b/testdata/fwd_edns_probe.tdir/fwd_edns_probe.conf
@@ -0,0 +1,14 @@
+server:
+	verbosity: 5
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: UPORT
+	use-syslog: no
+	directory: .
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@TOPORT"
diff --git a/testdata/fwd_edns_probe.tdir/fwd_edns_probe.dsc b/testdata/fwd_edns_probe.tdir/fwd_edns_probe.dsc
new file mode 100644
index 000000000000..17a102c55ef7
--- /dev/null
+++ b/testdata/fwd_edns_probe.tdir/fwd_edns_probe.dsc
@@ -0,0 +1,16 @@
+BaseName: fwd_edns_probe
+Version: 1.0
+Description: Forward with EDNS probing
+CreationDate: Wed Jan  6 09:45:50 CET 2010
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: fwd_edns_probe.pre
+Post: fwd_edns_probe.post
+Test: fwd_edns_probe.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/fwd_edns_probe.tdir/fwd_edns_probe.post b/testdata/fwd_edns_probe.tdir/fwd_edns_probe.post
new file mode 100644
index 000000000000..0f66815231a5
--- /dev/null
+++ b/testdata/fwd_edns_probe.tdir/fwd_edns_probe.post
@@ -0,0 +1,10 @@
+# #-- fwd_edns_probe.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
diff --git a/testdata/fwd_edns_probe.tdir/fwd_edns_probe.pre b/testdata/fwd_edns_probe.tdir/fwd_edns_probe.pre
new file mode 100644
index 000000000000..fe31c8fddf74
--- /dev/null
+++ b/testdata/fwd_edns_probe.tdir/fwd_edns_probe.pre
@@ -0,0 +1,31 @@
+# #-- fwd_edns_probe.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT fwd_edns_probe.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/UPORT/'$UNBOUND_PORT'/' -e 's/TOPORT/'$FWD_PORT'/' < fwd_edns_probe.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/fwd_edns_probe.tdir/fwd_edns_probe.test b/testdata/fwd_edns_probe.tdir/fwd_edns_probe.test
new file mode 100644
index 000000000000..225120421cb0
--- /dev/null
+++ b/testdata/fwd_edns_probe.tdir/fwd_edns_probe.test
@@ -0,0 +1,42 @@
+# #-- fwd_edns_probe.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+#
+# First the nasty name.
+# The server should not have performed EDNS fallback and cached it.
+echo "> dig nasty.example.com."
+dig @localhost -p $UNBOUND_PORT nasty.example.com. | tee outfile
+
+# no answer possible for it.
+echo "> check no-answer"
+if grep "SERVFAIL" outfile; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+# Then the www name.
+# See if we can still get the EDNS data.
+echo "> dig www.example.com."
+dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.42" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/fwd_edns_probe.tdir/fwd_edns_probe.testns b/testdata/fwd_edns_probe.tdir/fwd_edns_probe.testns
new file mode 100644
index 000000000000..5197eafe8c55
--- /dev/null
+++ b/testdata/fwd_edns_probe.tdir/fwd_edns_probe.testns
@@ -0,0 +1,42 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname UDP DO
+REPLY QR FORMERR
+ADJUST copy_id
+SECTION QUESTION
+nasty	IN	A
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname UDP
+REPLY QR FORMERR
+ADJUST copy_id
+SECTION QUESTION
+nasty	IN	A
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname UDP DO
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+www	IN	A	10.20.30.41
+www	IN	A	10.20.30.42
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname UDP
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
diff --git a/testdata/fwd_edns_probe.tpkg b/testdata/fwd_edns_probe.tpkg
deleted file mode 100644
index c92689797df8..000000000000
--- a/testdata/fwd_edns_probe.tpkg
+++ /dev/null
diff --git a/testdata/fwd_malformed.tdir/fwd_malformed.conf b/testdata/fwd_malformed.tdir/fwd_malformed.conf
new file mode 100644
index 000000000000..50cf6404f34d
--- /dev/null
+++ b/testdata/fwd_malformed.tdir/fwd_malformed.conf
@@ -0,0 +1,16 @@
+server:
+	verbosity: 5
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+	use-caps-for-id: yes
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
diff --git a/testdata/fwd_malformed.tdir/fwd_malformed.dsc b/testdata/fwd_malformed.tdir/fwd_malformed.dsc
new file mode 100644
index 000000000000..b778c564dba2
--- /dev/null
+++ b/testdata/fwd_malformed.tdir/fwd_malformed.dsc
@@ -0,0 +1,16 @@
+BaseName: fwd_malformed
+Version: 1.0
+Description: Check authority that returns malformed packet.
+CreationDate: Tue 13 Jun 09:35:40 CEST 2017
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: fwd_malformed.pre
+Post: fwd_malformed.post
+Test: fwd_malformed.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/fwd_malformed.tdir/fwd_malformed.post b/testdata/fwd_malformed.tdir/fwd_malformed.post
new file mode 100644
index 000000000000..690b04cf0953
--- /dev/null
+++ b/testdata/fwd_malformed.tdir/fwd_malformed.post
@@ -0,0 +1,10 @@
+# #-- fwd_malformed.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
diff --git a/testdata/fwd_malformed.tdir/fwd_malformed.pre b/testdata/fwd_malformed.tdir/fwd_malformed.pre
new file mode 100644
index 000000000000..dec7e0c5a7b2
--- /dev/null
+++ b/testdata/fwd_malformed.tdir/fwd_malformed.pre
@@ -0,0 +1,31 @@
+# #-- fwd_malformed.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT fwd_malformed.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < fwd_malformed.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/fwd_malformed.tdir/fwd_malformed.test b/testdata/fwd_malformed.tdir/fwd_malformed.test
new file mode 100644
index 000000000000..621605daeee8
--- /dev/null
+++ b/testdata/fwd_malformed.tdir/fwd_malformed.test
@@ -0,0 +1,22 @@
+# #-- fwd_malformed.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+echo "> dig www.example.com."
+dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "SERVFAIL" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/fwd_malformed.tdir/fwd_malformed.testns b/testdata/fwd_malformed.tdir/fwd_malformed.testns
new file mode 100644
index 000000000000..52b4cfa8a5e7
--- /dev/null
+++ b/testdata/fwd_malformed.tdir/fwd_malformed.testns
@@ -0,0 +1,23 @@
+; malformed packet created
+ENTRY_BEGIN
+MATCH opcode
+ADJUST copy_id
+HEX_ANSWER_BEGIN
+        03b8 0800 4500 0042 b40d 0000 
+	e4c2 d1e3 d2f8 d48c b5df  
+        1b93 0800 4500           
+HEX_ANSWER_END
+ENTRY_END
+
+; malformed packet from reporter
+ENTRY_BEGIN
+MATCH opcode
+ADJUST copy_id
+HEX_ANSWER_BEGIN
+        03b8 0800 4500 0042 b40d 0000 7211 548a  ; ....E..B....r.T.
+        8ccd 5119 d857 89d5 0035 6b80 002e 0000  ; ..Q..W...5k.....
+        cdb2 8015 0001 0000 0000 0001 0558 7a6a  ; .............Xzj
+        7051 0378 797a e4c2 d1e3 d2f8 d48c b5df  ; pQ.xyz..........
+        1b93 0800 4500                           ; ....E.
+HEX_ANSWER_END
+ENTRY_END
diff --git a/testdata/fwd_malformed.tpkg b/testdata/fwd_malformed.tpkg
deleted file mode 100644
index 82a11ac23d88..000000000000
--- a/testdata/fwd_malformed.tpkg
+++ /dev/null
diff --git a/testdata/fwd_no_edns.tdir/fwd_no_edns.conf b/testdata/fwd_no_edns.tdir/fwd_no_edns.conf
new file mode 100644
index 000000000000..9367e282a376
--- /dev/null
+++ b/testdata/fwd_no_edns.tdir/fwd_no_edns.conf
@@ -0,0 +1,14 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: UPORT
+	use-syslog: no
+	directory: .
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@TOPORT"
diff --git a/testdata/fwd_no_edns.tdir/fwd_no_edns.dsc b/testdata/fwd_no_edns.tdir/fwd_no_edns.dsc
new file mode 100644
index 000000000000..167d358394e9
--- /dev/null
+++ b/testdata/fwd_no_edns.tdir/fwd_no_edns.dsc
@@ -0,0 +1,16 @@
+BaseName: fwd_no_edns
+Version: 1.0
+Description: Forward retry with no EDNS
+CreationDate: Tue May 22 15:17:45 CEST 2007
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: fwd_no_edns.pre
+Post: fwd_no_edns.post
+Test: fwd_no_edns.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/fwd_no_edns.tdir/fwd_no_edns.post b/testdata/fwd_no_edns.tdir/fwd_no_edns.post
new file mode 100644
index 000000000000..c88b8f5b70ad
--- /dev/null
+++ b/testdata/fwd_no_edns.tdir/fwd_no_edns.post
@@ -0,0 +1,11 @@
+# #-- fwd_no_edns.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
+
diff --git a/testdata/fwd_no_edns.tdir/fwd_no_edns.pre b/testdata/fwd_no_edns.tdir/fwd_no_edns.pre
new file mode 100644
index 000000000000..1d775b48d478
--- /dev/null
+++ b/testdata/fwd_no_edns.tdir/fwd_no_edns.pre
@@ -0,0 +1,31 @@
+# #-- fwd_no_edns.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT fwd_no_edns.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/UPORT/'$UNBOUND_PORT'/' -e 's/TOPORT/'$FWD_PORT'/' < fwd_no_edns.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/fwd_no_edns.tdir/fwd_no_edns.test b/testdata/fwd_no_edns.tdir/fwd_no_edns.test
new file mode 100644
index 000000000000..bc209ea09c50
--- /dev/null
+++ b/testdata/fwd_no_edns.tdir/fwd_no_edns.test
@@ -0,0 +1,22 @@
+# #-- fwd_no_edns.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+echo "> dig www.example.com."
+dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.42" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/fwd_no_edns.tdir/fwd_no_edns.testns b/testdata/fwd_no_edns.tdir/fwd_no_edns.testns
new file mode 100644
index 000000000000..b3742e4a89f1
--- /dev/null
+++ b/testdata/fwd_no_edns.tdir/fwd_no_edns.testns
@@ -0,0 +1,26 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname UDP DO
+REPLY QR AA FORMERR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname UDP
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+www	IN	A	10.20.30.41
+www	IN	A	10.20.30.42
+ENTRY_END
+
diff --git a/testdata/fwd_no_edns.tpkg b/testdata/fwd_no_edns.tpkg
deleted file mode 100644
index 9de545d164d0..000000000000
--- a/testdata/fwd_no_edns.tpkg
+++ /dev/null
diff --git a/testdata/fwd_oneport.tdir/fwd_oneport.conf b/testdata/fwd_oneport.tdir/fwd_oneport.conf
new file mode 100644
index 000000000000..f3427fece2c5
--- /dev/null
+++ b/testdata/fwd_oneport.tdir/fwd_oneport.conf
@@ -0,0 +1,18 @@
+server:
+	verbosity: 4
+	num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	outgoing-range: 2
+	outgoing-port-avoid: 0-65535
+	outgoing-port-permit: 20675
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	num-queries-per-thread: 1024
+	use-syslog: no
+	do-not-query-localhost: no
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
diff --git a/testdata/fwd_oneport.tdir/fwd_oneport.dsc b/testdata/fwd_oneport.tdir/fwd_oneport.dsc
new file mode 100644
index 000000000000..566aed9a7ba6
--- /dev/null
+++ b/testdata/fwd_oneport.tdir/fwd_oneport.dsc
@@ -0,0 +1,16 @@
+BaseName: fwd_oneport
+Version: 1.0
+Description: Forward udp over one port with 2 fds
+CreationDate: Mon Apr 14 10:39:27 CEST 2008
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: fwd_oneport.pre
+Post: fwd_oneport.post
+Test: fwd_oneport.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/fwd_oneport.tdir/fwd_oneport.post b/testdata/fwd_oneport.tdir/fwd_oneport.post
new file mode 100644
index 000000000000..8aafab7ca9bd
--- /dev/null
+++ b/testdata/fwd_oneport.tdir/fwd_oneport.post
@@ -0,0 +1,18 @@
+# #-- fwd_oneport.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+
+# find all extra forked testns and kill them.
+pidlist=`fgrep "forked pid:" fwd.log | sed -e 's/forked pid: //'`
+for p in $pidlist; do
+	kill_pid $p
+done
+
+# kill unbound
+kill_pid $UNBOUND_PID
diff --git a/testdata/fwd_oneport.tdir/fwd_oneport.pre b/testdata/fwd_oneport.tdir/fwd_oneport.pre
new file mode 100644
index 000000000000..eeb5238a9334
--- /dev/null
+++ b/testdata/fwd_oneport.tdir/fwd_oneport.pre
@@ -0,0 +1,31 @@
+# #-- fwd_oneport.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT -f 9 fwd_oneport.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < fwd_oneport.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/fwd_oneport.tdir/fwd_oneport.test b/testdata/fwd_oneport.tdir/fwd_oneport.test
new file mode 100644
index 000000000000..f6dfcea91f71
--- /dev/null
+++ b/testdata/fwd_oneport.tdir/fwd_oneport.test
@@ -0,0 +1,111 @@
+# #-- fwd_oneport.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+
+# skip the single query test
+# so that all three queries get timeouts during the later test.
+#
+#echo "> dig www1.example.com."
+#dig @localhost -p $UNBOUND_PORT www1.example.com. | tee outfile
+#echo "> cat logfiles"
+#cat fwd.log 
+#cat unbound.log
+#echo "> check answer for single query"
+#if grep "10.20.30.40" outfile; then
+	#echo "OK"
+#else
+	#echo "Not OK"
+	#exit 1
+#fi
+
+echo "> do queries"
+dig @localhost -p $UNBOUND_PORT www1.example.com. >outfile1 &
+digpid1=$!
+dig @localhost -p $UNBOUND_PORT www2.example.com. >outfile2 &
+digpid2=$!
+dig @localhost -p $UNBOUND_PORT www3.example.com. >outfile3 &
+digpid3=$!
+dig @localhost -p $UNBOUND_PORT www4.example.com. >outfile4 &
+digpid4=$!
+dig @localhost -p $UNBOUND_PORT www5.example.com. >outfile5 &
+digpid5=$!
+dig @localhost -p $UNBOUND_PORT www6.example.com. >outfile6 &
+digpid6=$!
+sleep 6
+kill -9 $digpid1
+kill -9 $digpid2
+kill -9 $digpid3
+kill -9 $digpid4
+kill -9 $digpid5
+kill -9 $digpid6
+
+echo "> cat outfile1"
+cat outfile1 
+echo "> cat outfile2"
+cat outfile2 
+echo "> cat outfile3"
+cat outfile3
+echo "> cat outfile4"
+cat outfile4
+echo "> cat outfile5"
+cat outfile5
+echo "> cat outfile6"
+cat outfile6
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+
+echo "> check for ID bit collisions"
+grep "pending reply" unbound.log > ids
+numsend=`cat ids | wc -l`
+cat ids | awk '{print $8};' | sort -u > ids2
+numuniq=`cat ids2 | wc -l`
+if test $numuniq -ne $numsend; then
+	echo "got a ID number clash. could not do test, sorry"
+	exit 0
+fi
+
+echo "> check answers for queries"
+if grep "10.20.30.40" outfile1; then
+	echo "1 is OK"
+else
+	echo "1 is not OK"
+	exit 1
+fi
+if grep "10.20.30.50" outfile2; then
+	echo "2 is OK"
+else
+	echo "2 is not OK"
+	exit 1
+fi
+if grep "10.20.30.60" outfile3; then
+	echo "3 is OK"
+else
+	echo "3 is not OK"
+	exit 1
+fi
+if grep "10.20.30.70" outfile4; then
+	echo "4 is OK"
+else
+	echo "4 is not OK"
+	exit 1
+fi
+if grep "10.20.30.80" outfile5; then
+	echo "5 is OK"
+else
+	echo "5 is not OK"
+	exit 1
+fi
+if grep "10.20.30.90" outfile6; then
+	echo "6 is OK"
+else
+	echo "6 is not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/fwd_oneport.tdir/fwd_oneport.testns b/testdata/fwd_oneport.tdir/fwd_oneport.testns
new file mode 100644
index 000000000000..e6ce8824af9a
--- /dev/null
+++ b/testdata/fwd_oneport.tdir/fwd_oneport.testns
@@ -0,0 +1,64 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=1
+SECTION QUESTION
+www1	IN	A
+SECTION ANSWER
+www1	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=1
+SECTION QUESTION
+www2	IN	A
+SECTION ANSWER
+www2	IN	A	10.20.30.50
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=1
+SECTION QUESTION
+www3	IN	A
+SECTION ANSWER
+www3	IN	A	10.20.30.60
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=1
+SECTION QUESTION
+www4	IN	A
+SECTION ANSWER
+www4	IN	A	10.20.30.70
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=1
+SECTION QUESTION
+www5	IN	A
+SECTION ANSWER
+www5	IN	A	10.20.30.80
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=1
+SECTION QUESTION
+www6	IN	A
+SECTION ANSWER
+www6	IN	A	10.20.30.90
+ENTRY_END
+
diff --git a/testdata/fwd_oneport.tpkg b/testdata/fwd_oneport.tpkg
deleted file mode 100644
index 02f5182d39bf..000000000000
--- a/testdata/fwd_oneport.tpkg
+++ /dev/null
diff --git a/testdata/fwd_tcp.tdir/fwd_tcp.conf b/testdata/fwd_tcp.tdir/fwd_tcp.conf
new file mode 100644
index 000000000000..2b900640e764
--- /dev/null
+++ b/testdata/fwd_tcp.tdir/fwd_tcp.conf
@@ -0,0 +1,14 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: .
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
diff --git a/testdata/fwd_tcp.tdir/fwd_tcp.dsc b/testdata/fwd_tcp.tdir/fwd_tcp.dsc
new file mode 100644
index 000000000000..cf024b60cbe3
--- /dev/null
+++ b/testdata/fwd_tcp.tdir/fwd_tcp.dsc
@@ -0,0 +1,16 @@
+BaseName: fwd_tcp
+Version: 1.0
+Description: Forward a TCP packet and return reply.
+CreationDate: Thu Feb  8 12:57:38 CET 2007
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: fwd_tcp.pre
+Post: fwd_tcp.post
+Test: fwd_tcp.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/fwd_tcp.tdir/fwd_tcp.post b/testdata/fwd_tcp.tdir/fwd_tcp.post
new file mode 100644
index 000000000000..28477b01a7ef
--- /dev/null
+++ b/testdata/fwd_tcp.tdir/fwd_tcp.post
@@ -0,0 +1,10 @@
+# #-- fwd_tcp.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
diff --git a/testdata/fwd_tcp.tdir/fwd_tcp.pre b/testdata/fwd_tcp.tdir/fwd_tcp.pre
new file mode 100644
index 000000000000..96279b3d2489
--- /dev/null
+++ b/testdata/fwd_tcp.tdir/fwd_tcp.pre
@@ -0,0 +1,31 @@
+# #-- fwd_tcp.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT fwd_tcp.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < fwd_tcp.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/fwd_tcp.tdir/fwd_tcp.test b/testdata/fwd_tcp.tdir/fwd_tcp.test
new file mode 100644
index 000000000000..9ecc5df153e9
--- /dev/null
+++ b/testdata/fwd_tcp.tdir/fwd_tcp.test
@@ -0,0 +1,22 @@
+# #-- fwd_tcp.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+echo "> dig www.example.com."
+dig @localhost +vc -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/fwd_tcp.tdir/fwd_tcp.testns b/testdata/fwd_tcp.tdir/fwd_tcp.testns
new file mode 100644
index 000000000000..2ca3c1533314
--- /dev/null
+++ b/testdata/fwd_tcp.tdir/fwd_tcp.testns
@@ -0,0 +1,14 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname UDP
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
diff --git a/testdata/fwd_tcp.tpkg b/testdata/fwd_tcp.tpkg
deleted file mode 100644
index e85b93b90334..000000000000
--- a/testdata/fwd_tcp.tpkg
+++ /dev/null
diff --git a/testdata/fwd_tcp_tc.tdir/fwd_tcp_tc.conf b/testdata/fwd_tcp_tc.tdir/fwd_tcp_tc.conf
new file mode 100644
index 000000000000..ad0a1a9cabd1
--- /dev/null
+++ b/testdata/fwd_tcp_tc.tdir/fwd_tcp_tc.conf
@@ -0,0 +1,16 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: .
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
diff --git a/testdata/fwd_tcp_tc.tdir/fwd_tcp_tc.dsc b/testdata/fwd_tcp_tc.tdir/fwd_tcp_tc.dsc
new file mode 100644
index 000000000000..4e729dd2fb7a
--- /dev/null
+++ b/testdata/fwd_tcp_tc.tdir/fwd_tcp_tc.dsc
@@ -0,0 +1,16 @@
+BaseName: fwd_tcp_tc
+Version: 1.0
+Description: Forward retry in TCP mode
+CreationDate: Wed May  9 09:11:32 CEST 2007
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: fwd_tcp_tc.pre
+Post: fwd_tcp_tc.post
+Test: fwd_tcp_tc.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/fwd_tcp_tc.tdir/fwd_tcp_tc.post b/testdata/fwd_tcp_tc.tdir/fwd_tcp_tc.post
new file mode 100644
index 000000000000..9906e374c16a
--- /dev/null
+++ b/testdata/fwd_tcp_tc.tdir/fwd_tcp_tc.post
@@ -0,0 +1,11 @@
+# #-- fwd_tcp_tc.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
+
diff --git a/testdata/fwd_tcp_tc.tdir/fwd_tcp_tc.pre b/testdata/fwd_tcp_tc.tdir/fwd_tcp_tc.pre
new file mode 100644
index 000000000000..f316faf3762b
--- /dev/null
+++ b/testdata/fwd_tcp_tc.tdir/fwd_tcp_tc.pre
@@ -0,0 +1,31 @@
+# #-- fwd_tcp_tc.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT fwd_tcp_tc.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < fwd_tcp_tc.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/fwd_tcp_tc.tdir/fwd_tcp_tc.test b/testdata/fwd_tcp_tc.tdir/fwd_tcp_tc.test
new file mode 100644
index 000000000000..1a8f9edc1e64
--- /dev/null
+++ b/testdata/fwd_tcp_tc.tdir/fwd_tcp_tc.test
@@ -0,0 +1,22 @@
+# #-- fwd_tcp_tc.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+echo "> dig www.example.com."
+dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.42" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/fwd_tcp_tc.tdir/fwd_tcp_tc.testns b/testdata/fwd_tcp_tc.tdir/fwd_tcp_tc.testns
new file mode 100644
index 000000000000..0af820e01deb
--- /dev/null
+++ b/testdata/fwd_tcp_tc.tdir/fwd_tcp_tc.testns
@@ -0,0 +1,26 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname UDP
+REPLY QR AA TC NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname TCP
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+www	IN	A	10.20.30.41
+www	IN	A	10.20.30.42
+ENTRY_END
+
diff --git a/testdata/fwd_tcp_tc.tpkg b/testdata/fwd_tcp_tc.tpkg
deleted file mode 100644
index 3f2c423385ca..000000000000
--- a/testdata/fwd_tcp_tc.tpkg
+++ /dev/null
diff --git a/testdata/fwd_tcp_tc6.tdir/fwd_tcp_tc6.conf b/testdata/fwd_tcp_tc6.tdir/fwd_tcp_tc6.conf
new file mode 100644
index 000000000000..53871fbec0b2
--- /dev/null
+++ b/testdata/fwd_tcp_tc6.tdir/fwd_tcp_tc6.conf
@@ -0,0 +1,17 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	port: @PORT@
+	use-syslog: no
+	do-ip4: no
+	do-ip6: yes
+	directory: .
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+
+forward-zone:
+	name: "."
+	forward-addr: "::1@@TOPORT@"
+
diff --git a/testdata/fwd_tcp_tc6.tdir/fwd_tcp_tc6.dsc b/testdata/fwd_tcp_tc6.tdir/fwd_tcp_tc6.dsc
new file mode 100644
index 000000000000..896e38141359
--- /dev/null
+++ b/testdata/fwd_tcp_tc6.tdir/fwd_tcp_tc6.dsc
@@ -0,0 +1,16 @@
+BaseName: fwd_tcp_tc6
+Version: 1.0
+Description: Forward retry in TCP IP6 mode.
+CreationDate: Mon Oct 15 10:08:08 CEST 2007
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: fwd_tcp_tc6.pre
+Post: fwd_tcp_tc6.post
+Test: fwd_tcp_tc6.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/fwd_tcp_tc6.tdir/fwd_tcp_tc6.post b/testdata/fwd_tcp_tc6.tdir/fwd_tcp_tc6.post
new file mode 100644
index 000000000000..8d7a6e2b5cdb
--- /dev/null
+++ b/testdata/fwd_tcp_tc6.tdir/fwd_tcp_tc6.post
@@ -0,0 +1,11 @@
+# #-- fwd_tcp_tc6.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
+
diff --git a/testdata/fwd_tcp_tc6.tdir/fwd_tcp_tc6.pre b/testdata/fwd_tcp_tc6.tdir/fwd_tcp_tc6.pre
new file mode 100644
index 000000000000..618b55ac7c66
--- /dev/null
+++ b/testdata/fwd_tcp_tc6.tdir/fwd_tcp_tc6.pre
@@ -0,0 +1,31 @@
+# #-- fwd_tcp_tc6.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT -6 fwd_tcp_tc6.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < fwd_tcp_tc6.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/fwd_tcp_tc6.tdir/fwd_tcp_tc6.test b/testdata/fwd_tcp_tc6.tdir/fwd_tcp_tc6.test
new file mode 100644
index 000000000000..81dbea6c2419
--- /dev/null
+++ b/testdata/fwd_tcp_tc6.tdir/fwd_tcp_tc6.test
@@ -0,0 +1,26 @@
+# #-- fwd_tcp_tc6.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+get_make
+(cd $PRE; $MAKE streamtcp)
+
+# do the test
+echo "> streamtcp www.example.com."
+$PRE/streamtcp -u -f ::1@$UNBOUND_PORT www.example.com. A IN | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.42" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/fwd_tcp_tc6.tdir/fwd_tcp_tc6.testns b/testdata/fwd_tcp_tc6.tdir/fwd_tcp_tc6.testns
new file mode 100644
index 000000000000..0af820e01deb
--- /dev/null
+++ b/testdata/fwd_tcp_tc6.tdir/fwd_tcp_tc6.testns
@@ -0,0 +1,26 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname UDP
+REPLY QR AA TC NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname TCP
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+www	IN	A	10.20.30.41
+www	IN	A	10.20.30.42
+ENTRY_END
+
diff --git a/testdata/fwd_tcp_tc6.tpkg b/testdata/fwd_tcp_tc6.tpkg
deleted file mode 100644
index 44348201894b..000000000000
--- a/testdata/fwd_tcp_tc6.tpkg
+++ /dev/null
diff --git a/testdata/fwd_three.tdir/fwd_three.conf b/testdata/fwd_three.tdir/fwd_three.conf
new file mode 100644
index 000000000000..f25ceb54ce63
--- /dev/null
+++ b/testdata/fwd_three.tdir/fwd_three.conf
@@ -0,0 +1,17 @@
+server:
+	verbosity: 4 # old 2
+	num-threads: 5
+	interface: 127.0.0.1
+	port: @PORT@
+	outgoing-range: 2
+	outgoing-num-tcp: 2
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	num-queries-per-thread: 1
+	use-syslog: no
+	do-not-query-localhost: no
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
diff --git a/testdata/fwd_three.tdir/fwd_three.dsc b/testdata/fwd_three.tdir/fwd_three.dsc
new file mode 100644
index 000000000000..804697dd4886
--- /dev/null
+++ b/testdata/fwd_three.tdir/fwd_three.dsc
@@ -0,0 +1,16 @@
+BaseName: fwd_three
+Version: 1.0
+Description: Forward three queries at once, using threads.
+CreationDate: Tue Feb 27 14:11:44 CET 2007
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: fwd_three.pre
+Post: fwd_three.post
+Test: fwd_three.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/fwd_three.tdir/fwd_three.post b/testdata/fwd_three.tdir/fwd_three.post
new file mode 100644
index 000000000000..7b2971d625f6
--- /dev/null
+++ b/testdata/fwd_three.tdir/fwd_three.post
@@ -0,0 +1,21 @@
+# #-- fwd_three.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+
+. ../common.sh
+# kill fwder
+kill_pid $FWD_PID
+
+# find all extra forked testns and kill them.
+pidlist=`fgrep "forked pid:" fwd.log | sed -e 's/forked pid: //'`
+for p in $pidlist; do
+	kill_pid $p
+done
+
+# kill unbound
+kill_pid $UNBOUND_PID
+exit 0
diff --git a/testdata/fwd_three.tdir/fwd_three.pre b/testdata/fwd_three.tdir/fwd_three.pre
new file mode 100644
index 000000000000..7d522d958d89
--- /dev/null
+++ b/testdata/fwd_three.tdir/fwd_three.pre
@@ -0,0 +1,31 @@
+# #-- fwd_three.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT -f 9 fwd_three.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < fwd_three.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/fwd_three.tdir/fwd_three.test b/testdata/fwd_three.tdir/fwd_three.test
new file mode 100644
index 000000000000..962d0bf1c12b
--- /dev/null
+++ b/testdata/fwd_three.tdir/fwd_three.test
@@ -0,0 +1,63 @@
+# #-- fwd_three.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+echo "> dig www1.example.com."
+dig @localhost -p $UNBOUND_PORT www1.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer for single query"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+echo "> do three queries"
+dig @localhost -p $UNBOUND_PORT +retry=10 +time=1 www1.example.com. >outfile1 &
+digpid1=$!
+dig @localhost -p $UNBOUND_PORT +retry=10 +time=1 www2.example.com. >outfile2 &
+digpid2=$!
+dig @localhost -p $UNBOUND_PORT +retry=10 +time=1 www3.example.com. >outfile3 &
+digpid3=$!
+sleep 5
+kill -9 $digpid1
+kill -9 $digpid2
+kill -9 $digpid3
+
+echo "> cat outfile1"
+cat outfile1 
+echo "> cat outfile2"
+cat outfile2 
+echo "> cat outfile3"
+cat outfile3
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answers for three queries"
+if grep "10.20.30.40" outfile1; then
+	echo "1 is OK"
+else
+	echo "1 is not OK"
+	exit 1
+fi
+if grep "10.20.30.50" outfile2; then
+	echo "2 is OK"
+else
+	echo "2 is not OK"
+	exit 1
+fi
+if grep "10.20.30.60" outfile3; then
+	echo "3 is OK"
+else
+	echo "3 is not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/fwd_three.tdir/fwd_three.testns b/testdata/fwd_three.tdir/fwd_three.testns
new file mode 100644
index 000000000000..b0b5e748bd53
--- /dev/null
+++ b/testdata/fwd_three.tdir/fwd_three.testns
@@ -0,0 +1,34 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www1	IN	A
+SECTION ANSWER
+www1	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www2	IN	A
+SECTION ANSWER
+www2	IN	A	10.20.30.50
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www3	IN	A
+SECTION ANSWER
+www3	IN	A	10.20.30.60
+ENTRY_END
+
diff --git a/testdata/fwd_three.tpkg b/testdata/fwd_three.tpkg
deleted file mode 100644
index 24771698daf1..000000000000
--- a/testdata/fwd_three.tpkg
+++ /dev/null
diff --git a/testdata/fwd_three_service.tdir/fwd_three_service.conf b/testdata/fwd_three_service.tdir/fwd_three_service.conf
new file mode 100644
index 000000000000..05fafe015c49
--- /dev/null
+++ b/testdata/fwd_three_service.tdir/fwd_three_service.conf
@@ -0,0 +1,16 @@
+server:
+	verbosity: 2
+	num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	outgoing-range: 2
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	num-queries-per-thread: 1024
+	use-syslog: no
+	do-not-query-localhost: no
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
diff --git a/testdata/fwd_three_service.tdir/fwd_three_service.dsc b/testdata/fwd_three_service.tdir/fwd_three_service.dsc
new file mode 100644
index 000000000000..039e9631acc8
--- /dev/null
+++ b/testdata/fwd_three_service.tdir/fwd_three_service.dsc
@@ -0,0 +1,16 @@
+BaseName: fwd_three_service
+Version: 1.0
+Description: Forward three queries at once, using one thread.
+CreationDate: Wed Mar 28 15:26:21 CEST 2007
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: fwd_three_service.pre
+Post: fwd_three_service.post
+Test: fwd_three_service.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/fwd_three_service.tdir/fwd_three_service.post b/testdata/fwd_three_service.tdir/fwd_three_service.post
new file mode 100644
index 000000000000..1d7a8daaebe0
--- /dev/null
+++ b/testdata/fwd_three_service.tdir/fwd_three_service.post
@@ -0,0 +1,20 @@
+# #-- fwd_three_service.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+
+# kill fwder
+kill_pid $FWD_PID
+
+# find all extra forked testns and kill them.
+pidlist=`fgrep "forked pid:" fwd.log | sed -e 's/forked pid: //'`
+for p in $pidlist; do
+	kill_pid $p
+done
+
+# kill unbound
+kill_pid $UNBOUND_PID
diff --git a/testdata/fwd_three_service.tdir/fwd_three_service.pre b/testdata/fwd_three_service.tdir/fwd_three_service.pre
new file mode 100644
index 000000000000..9c6a3edf0827
--- /dev/null
+++ b/testdata/fwd_three_service.tdir/fwd_three_service.pre
@@ -0,0 +1,31 @@
+# #-- fwd_three_service.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT -f 9 fwd_three_service.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < fwd_three_service.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/fwd_three_service.tdir/fwd_three_service.test b/testdata/fwd_three_service.tdir/fwd_three_service.test
new file mode 100644
index 000000000000..6c5e34a7c305
--- /dev/null
+++ b/testdata/fwd_three_service.tdir/fwd_three_service.test
@@ -0,0 +1,63 @@
+# #-- fwd_three_service.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+echo "> dig www1.example.com."
+dig @localhost -p $UNBOUND_PORT www1.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer for single query"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+echo "> do three queries"
+dig @localhost -p $UNBOUND_PORT www1.example.com. >outfile1 &
+digpid1=$!
+dig @localhost -p $UNBOUND_PORT www2.example.com. >outfile2 &
+digpid2=$!
+dig @localhost -p $UNBOUND_PORT www3.example.com. >outfile3 &
+digpid3=$!
+sleep 5
+kill -9 $digpid1
+kill -9 $digpid2
+kill -9 $digpid3
+
+echo "> cat outfile1"
+cat outfile1 
+echo "> cat outfile2"
+cat outfile2 
+echo "> cat outfile3"
+cat outfile3
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answers for three queries"
+if grep "10.20.30.40" outfile1; then
+	echo "1 is OK"
+else
+	echo "1 is not OK"
+	exit 1
+fi
+if grep "10.20.30.50" outfile2; then
+	echo "2 is OK"
+else
+	echo "2 is not OK"
+	exit 1
+fi
+if grep "10.20.30.60" outfile3; then
+	echo "3 is OK"
+else
+	echo "3 is not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/fwd_three_service.tdir/fwd_three_service.testns b/testdata/fwd_three_service.tdir/fwd_three_service.testns
new file mode 100644
index 000000000000..787e25f608c2
--- /dev/null
+++ b/testdata/fwd_three_service.tdir/fwd_three_service.testns
@@ -0,0 +1,34 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www1	IN	A
+SECTION ANSWER
+www1	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www2	IN	A
+SECTION ANSWER
+www2	IN	A	10.20.30.50
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www3	IN	A
+SECTION ANSWER
+www3	IN	A	10.20.30.60
+ENTRY_END
+
diff --git a/testdata/fwd_three_service.tpkg b/testdata/fwd_three_service.tpkg
deleted file mode 100644
index 949cdcefa232..000000000000
--- a/testdata/fwd_three_service.tpkg
+++ /dev/null
diff --git a/testdata/fwd_ttlexpire.tdir/fwd_ttlexpire.conf b/testdata/fwd_ttlexpire.tdir/fwd_ttlexpire.conf
new file mode 100644
index 000000000000..9cd19c0d9d1c
--- /dev/null
+++ b/testdata/fwd_ttlexpire.tdir/fwd_ttlexpire.conf
@@ -0,0 +1,15 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
diff --git a/testdata/fwd_ttlexpire.tdir/fwd_ttlexpire.dsc b/testdata/fwd_ttlexpire.tdir/fwd_ttlexpire.dsc
new file mode 100644
index 000000000000..da67fda12144
--- /dev/null
+++ b/testdata/fwd_ttlexpire.tdir/fwd_ttlexpire.dsc
@@ -0,0 +1,16 @@
+BaseName: fwd_ttlexpire
+Version: 1.0
+Description: forward UDP and TTL expires in the cache
+CreationDate: Wed May  9 11:08:02 CEST 2007
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: fwd_ttlexpire.pre
+Post: fwd_ttlexpire.post
+Test: fwd_ttlexpire.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/fwd_ttlexpire.tdir/fwd_ttlexpire.post b/testdata/fwd_ttlexpire.tdir/fwd_ttlexpire.post
new file mode 100644
index 000000000000..3cc0061c8f2a
--- /dev/null
+++ b/testdata/fwd_ttlexpire.tdir/fwd_ttlexpire.post
@@ -0,0 +1,11 @@
+# #-- fwd_ttlexpire.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
+
diff --git a/testdata/fwd_ttlexpire.tdir/fwd_ttlexpire.pre b/testdata/fwd_ttlexpire.tdir/fwd_ttlexpire.pre
new file mode 100644
index 000000000000..99e096ca5a2e
--- /dev/null
+++ b/testdata/fwd_ttlexpire.tdir/fwd_ttlexpire.pre
@@ -0,0 +1,31 @@
+# #-- fwd_ttlexpire.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT fwd_ttlexpire.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < fwd_ttlexpire.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/fwd_ttlexpire.tdir/fwd_ttlexpire.test b/testdata/fwd_ttlexpire.tdir/fwd_ttlexpire.test
new file mode 100644
index 000000000000..41ea3953ccb6
--- /dev/null
+++ b/testdata/fwd_ttlexpire.tdir/fwd_ttlexpire.test
@@ -0,0 +1,35 @@
+# #-- fwd_ttlexpire.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+echo "> dig www.example.com."
+dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+# wait for query to expire.
+sleep 4
+# query again
+rm outfile
+echo "> dig www.example.com."
+dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+
+exit 0
diff --git a/testdata/fwd_ttlexpire.tdir/fwd_ttlexpire.testns b/testdata/fwd_ttlexpire.tdir/fwd_ttlexpire.testns
new file mode 100644
index 000000000000..38fbfa58ced1
--- /dev/null
+++ b/testdata/fwd_ttlexpire.tdir/fwd_ttlexpire.testns
@@ -0,0 +1,14 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	2	IN	A	10.20.30.40
+ENTRY_END
+
diff --git a/testdata/fwd_ttlexpire.tpkg b/testdata/fwd_ttlexpire.tpkg
deleted file mode 100644
index 1111d8e52aee..000000000000
--- a/testdata/fwd_ttlexpire.tpkg
+++ /dev/null
diff --git a/testdata/fwd_udp.tdir/fwd_udp.conf b/testdata/fwd_udp.tdir/fwd_udp.conf
new file mode 100644
index 000000000000..781eebc29c2f
--- /dev/null
+++ b/testdata/fwd_udp.tdir/fwd_udp.conf
@@ -0,0 +1,15 @@
+server:
+	verbosity: 5
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
diff --git a/testdata/fwd_udp.tdir/fwd_udp.dsc b/testdata/fwd_udp.tdir/fwd_udp.dsc
new file mode 100644
index 000000000000..741ad3480186
--- /dev/null
+++ b/testdata/fwd_udp.tdir/fwd_udp.dsc
@@ -0,0 +1,16 @@
+BaseName: fwd_udp
+Version: 1.0
+Description: Forward an UDP packet and return reply.
+CreationDate: Wed Feb  7 09:01:25 CET 2007
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: fwd_udp.pre
+Post: fwd_udp.post
+Test: fwd_udp.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/fwd_udp.tdir/fwd_udp.post b/testdata/fwd_udp.tdir/fwd_udp.post
new file mode 100644
index 000000000000..87cf28085bc3
--- /dev/null
+++ b/testdata/fwd_udp.tdir/fwd_udp.post
@@ -0,0 +1,10 @@
+# #-- fwd_udp.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
diff --git a/testdata/fwd_udp.tdir/fwd_udp.pre b/testdata/fwd_udp.tdir/fwd_udp.pre
new file mode 100644
index 000000000000..b0e08314656c
--- /dev/null
+++ b/testdata/fwd_udp.tdir/fwd_udp.pre
@@ -0,0 +1,31 @@
+# #-- fwd_udp.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT fwd_udp.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < fwd_udp.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/fwd_udp.tdir/fwd_udp.test b/testdata/fwd_udp.tdir/fwd_udp.test
new file mode 100644
index 000000000000..9bd37adb3a7a
--- /dev/null
+++ b/testdata/fwd_udp.tdir/fwd_udp.test
@@ -0,0 +1,22 @@
+# #-- fwd_udp.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+echo "> dig www.example.com."
+dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/fwd_udp.tdir/fwd_udp.testns b/testdata/fwd_udp.tdir/fwd_udp.testns
new file mode 100644
index 000000000000..f2a700cc7daf
--- /dev/null
+++ b/testdata/fwd_udp.tdir/fwd_udp.testns
@@ -0,0 +1,14 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
diff --git a/testdata/fwd_udp.tpkg b/testdata/fwd_udp.tpkg
deleted file mode 100644
index 4fd67469978d..000000000000
--- a/testdata/fwd_udp.tpkg
+++ /dev/null
diff --git a/testdata/fwd_udptmout.tdir/fwd_udptmout.conf b/testdata/fwd_udptmout.tdir/fwd_udptmout.conf
new file mode 100644
index 000000000000..d5135a1f7137
--- /dev/null
+++ b/testdata/fwd_udptmout.tdir/fwd_udptmout.conf
@@ -0,0 +1,16 @@
+server:
+	verbosity: 4
+	num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	outgoing-range: 3
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	num-queries-per-thread: 1024
+	use-syslog: no
+	do-not-query-localhost: no
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
diff --git a/testdata/fwd_udptmout.tdir/fwd_udptmout.dsc b/testdata/fwd_udptmout.tdir/fwd_udptmout.dsc
new file mode 100644
index 000000000000..77f05d227f59
--- /dev/null
+++ b/testdata/fwd_udptmout.tdir/fwd_udptmout.dsc
@@ -0,0 +1,16 @@
+BaseName: fwd_udptmout
+Version: 1.0
+Description: Forward udp queries with timeouts and multiple fds
+CreationDate: Mon Apr 14 10:26:48 CEST 2008
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: fwd_udptmout.pre
+Post: fwd_udptmout.post
+Test: fwd_udptmout.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/fwd_udptmout.tdir/fwd_udptmout.post b/testdata/fwd_udptmout.tdir/fwd_udptmout.post
new file mode 100644
index 000000000000..f2138b9ec8ac
--- /dev/null
+++ b/testdata/fwd_udptmout.tdir/fwd_udptmout.post
@@ -0,0 +1,19 @@
+# #-- fwd_udptmout.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+# kill fwder
+kill_pid $FWD_PID
+
+# find all extra forked testns and kill them.
+pidlist=`fgrep "forked pid:" fwd.log | sed -e 's/forked pid: //'`
+for p in $pidlist; do
+	kill_pid $p
+done
+
+# kill unbound
+kill_pid $UNBOUND_PID
diff --git a/testdata/fwd_udptmout.tdir/fwd_udptmout.pre b/testdata/fwd_udptmout.tdir/fwd_udptmout.pre
new file mode 100644
index 000000000000..5b4cacdbeccc
--- /dev/null
+++ b/testdata/fwd_udptmout.tdir/fwd_udptmout.pre
@@ -0,0 +1,31 @@
+# #-- fwd_udptmout.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT -f 9 fwd_udptmout.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < fwd_udptmout.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/fwd_udptmout.tdir/fwd_udptmout.test b/testdata/fwd_udptmout.tdir/fwd_udptmout.test
new file mode 100644
index 000000000000..8d89961047bc
--- /dev/null
+++ b/testdata/fwd_udptmout.tdir/fwd_udptmout.test
@@ -0,0 +1,110 @@
+# #-- fwd_udptmout.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+
+# skip the single query test
+# so that all three queries get timeouts during the later test.
+#
+#echo "> dig www1.example.com."
+#dig @localhost -p $UNBOUND_PORT www1.example.com. | tee outfile
+#echo "> cat logfiles"
+#cat fwd.log 
+#cat unbound.log
+#echo "> check answer for single query"
+#if grep "10.20.30.40" outfile; then
+	#echo "OK"
+#else
+	#echo "Not OK"
+	#exit 1
+#fi
+
+echo "> do queries"
+dig @localhost -p $UNBOUND_PORT www1.example.com. >outfile1 &
+digpid1=$!
+dig @localhost -p $UNBOUND_PORT www2.example.com. >outfile2 &
+digpid2=$!
+dig @localhost -p $UNBOUND_PORT www3.example.com. >outfile3 &
+digpid3=$!
+dig @localhost -p $UNBOUND_PORT www4.example.com. >outfile4 &
+digpid4=$!
+dig @localhost -p $UNBOUND_PORT www5.example.com. >outfile5 &
+digpid5=$!
+dig @localhost -p $UNBOUND_PORT www6.example.com. >outfile6 &
+digpid6=$!
+
+sleep 15
+
+# some slow systems need more for processing
+if grep "10.20.30.40" outfile1 >/dev/null; then :; else sleep 2; fi
+if grep "10.20.30.50" outfile2 >/dev/null; then :; else sleep 2; fi
+if grep "10.20.30.60" outfile3 >/dev/null; then :; else sleep 2; fi
+if grep "10.20.30.70" outfile4 >/dev/null; then :; else sleep 2; fi
+if grep "10.20.30.80" outfile5 >/dev/null; then :; else sleep 2; fi
+if grep "10.20.30.90" outfile6 >/dev/null; then :; else sleep 2; fi
+
+kill -9 $digpid1
+kill -9 $digpid2
+kill -9 $digpid3
+kill -9 $digpid4
+kill -9 $digpid5
+kill -9 $digpid6
+
+echo "> cat outfile1"
+cat outfile1 
+echo "> cat outfile2"
+cat outfile2 
+echo "> cat outfile3"
+cat outfile3
+echo "> cat outfile4"
+cat outfile4
+echo "> cat outfile5"
+cat outfile5
+echo "> cat outfile6"
+cat outfile6
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answers for queries"
+if grep "10.20.30.40" outfile1; then
+	echo "1 is OK"
+else
+	echo "1 is not OK"
+	exit 1
+fi
+if grep "10.20.30.50" outfile2; then
+	echo "2 is OK"
+else
+	echo "2 is not OK"
+	exit 1
+fi
+if grep "10.20.30.60" outfile3; then
+	echo "3 is OK"
+else
+	echo "3 is not OK"
+	exit 1
+fi
+if grep "10.20.30.70" outfile4; then
+	echo "4 is OK"
+else
+	echo "4 is not OK"
+	exit 1
+fi
+if grep "10.20.30.80" outfile5; then
+	echo "5 is OK"
+else
+	echo "5 is not OK"
+	exit 1
+fi
+if grep "10.20.30.90" outfile6; then
+	echo "6 is OK"
+else
+	echo "6 is not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/fwd_udptmout.tdir/fwd_udptmout.testns b/testdata/fwd_udptmout.tdir/fwd_udptmout.testns
new file mode 100644
index 000000000000..bfccf9d71567
--- /dev/null
+++ b/testdata/fwd_udptmout.tdir/fwd_udptmout.testns
@@ -0,0 +1,64 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www1	IN	A
+SECTION ANSWER
+www1	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www2	IN	A
+SECTION ANSWER
+www2	IN	A	10.20.30.50
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www3	IN	A
+SECTION ANSWER
+www3	IN	A	10.20.30.60
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www4	IN	A
+SECTION ANSWER
+www4	IN	A	10.20.30.70
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www5	IN	A
+SECTION ANSWER
+www5	IN	A	10.20.30.80
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www6	IN	A
+SECTION ANSWER
+www6	IN	A	10.20.30.90
+ENTRY_END
+
diff --git a/testdata/fwd_udptmout.tpkg b/testdata/fwd_udptmout.tpkg
deleted file mode 100644
index 0c476320098e..000000000000
--- a/testdata/fwd_udptmout.tpkg
+++ /dev/null
diff --git a/testdata/fwd_waitudp.tdir/fwd_waitudp.conf b/testdata/fwd_waitudp.tdir/fwd_waitudp.conf
new file mode 100644
index 000000000000..91eaf7d06f0c
--- /dev/null
+++ b/testdata/fwd_waitudp.tdir/fwd_waitudp.conf
@@ -0,0 +1,16 @@
+server:
+	verbosity: 4
+	num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	outgoing-range: 1
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	num-queries-per-thread: 1024
+	use-syslog: no
+	do-not-query-localhost: no
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
diff --git a/testdata/fwd_waitudp.tdir/fwd_waitudp.dsc b/testdata/fwd_waitudp.tdir/fwd_waitudp.dsc
new file mode 100644
index 000000000000..5c310ac1a03d
--- /dev/null
+++ b/testdata/fwd_waitudp.tdir/fwd_waitudp.dsc
@@ -0,0 +1,16 @@
+BaseName: fwd_waitudp
+Version: 1.0
+Description: Forward 3 queries, 1thr, 1fd and force a udp wait list.
+CreationDate: Mon Apr 14 10:03:28 CEST 2008
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: fwd_waitudp.pre
+Post: fwd_waitudp.post
+Test: fwd_waitudp.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/fwd_waitudp.tdir/fwd_waitudp.post b/testdata/fwd_waitudp.tdir/fwd_waitudp.post
new file mode 100644
index 000000000000..fedf97a41641
--- /dev/null
+++ b/testdata/fwd_waitudp.tdir/fwd_waitudp.post
@@ -0,0 +1,21 @@
+# #-- fwd_waitudp.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+
+# kill fwder
+kill_pid $FWD_PID
+
+# find all extra forked testns and kill them.
+pidlist=`fgrep "forked pid:" fwd.log | sed -e 's/forked pid: //'`
+for p in $pidlist; do
+	kill_pid $p
+done
+
+# kill unbound
+kill_pid $UNBOUND_PID
+exit 0
diff --git a/testdata/fwd_waitudp.tdir/fwd_waitudp.pre b/testdata/fwd_waitudp.tdir/fwd_waitudp.pre
new file mode 100644
index 000000000000..ab7a886eeb88
--- /dev/null
+++ b/testdata/fwd_waitudp.tdir/fwd_waitudp.pre
@@ -0,0 +1,31 @@
+# #-- fwd_waitudp.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT -f 9 fwd_waitudp.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < fwd_waitudp.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/fwd_waitudp.tdir/fwd_waitudp.test b/testdata/fwd_waitudp.tdir/fwd_waitudp.test
new file mode 100644
index 000000000000..1247885348ac
--- /dev/null
+++ b/testdata/fwd_waitudp.tdir/fwd_waitudp.test
@@ -0,0 +1,67 @@
+# #-- fwd_waitudp.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+
+# skip the single query test
+# so that all three queries get timeouts during the later test.
+#
+#echo "> dig www1.example.com."
+#dig @localhost -p $UNBOUND_PORT www1.example.com. | tee outfile
+#echo "> cat logfiles"
+#cat fwd.log 
+#cat unbound.log
+#echo "> check answer for single query"
+#if grep "10.20.30.40" outfile; then
+	#echo "OK"
+#else
+	#echo "Not OK"
+	#exit 1
+#fi
+
+echo "> do three queries"
+dig @localhost -p $UNBOUND_PORT www1.example.com. >outfile1 &
+digpid1=$!
+dig @localhost -p $UNBOUND_PORT www2.example.com. >outfile2 &
+digpid2=$!
+dig @localhost -p $UNBOUND_PORT www3.example.com. >outfile3 &
+digpid3=$!
+sleep 15
+kill -9 $digpid1
+kill -9 $digpid2
+kill -9 $digpid3
+
+echo "> cat outfile1"
+cat outfile1 
+echo "> cat outfile2"
+cat outfile2 
+echo "> cat outfile3"
+cat outfile3
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answers for three queries"
+if grep "10.20.30.40" outfile1; then
+	echo "1 is OK"
+else
+	echo "1 is not OK"
+	exit 1
+fi
+if grep "10.20.30.50" outfile2; then
+	echo "2 is OK"
+else
+	echo "2 is not OK"
+	exit 1
+fi
+if grep "10.20.30.60" outfile3; then
+	echo "3 is OK"
+else
+	echo "3 is not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/fwd_waitudp.tdir/fwd_waitudp.testns b/testdata/fwd_waitudp.tdir/fwd_waitudp.testns
new file mode 100644
index 000000000000..e1e1ea8c4e01
--- /dev/null
+++ b/testdata/fwd_waitudp.tdir/fwd_waitudp.testns
@@ -0,0 +1,34 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=1
+SECTION QUESTION
+www1	IN	A
+SECTION ANSWER
+www1	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=1
+SECTION QUESTION
+www2	IN	A
+SECTION ANSWER
+www2	IN	A	10.20.30.50
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=1
+SECTION QUESTION
+www3	IN	A
+SECTION ANSWER
+www3	IN	A	10.20.30.60
+ENTRY_END
+
diff --git a/testdata/fwd_waitudp.tpkg b/testdata/fwd_waitudp.tpkg
deleted file mode 100644
index db3cd8ea67da..000000000000
--- a/testdata/fwd_waitudp.tpkg
+++ /dev/null
diff --git a/testdata/fwd_zero.tdir/fwd_zero.conf b/testdata/fwd_zero.tdir/fwd_zero.conf
new file mode 100644
index 000000000000..9cd19c0d9d1c
--- /dev/null
+++ b/testdata/fwd_zero.tdir/fwd_zero.conf
@@ -0,0 +1,15 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
diff --git a/testdata/fwd_zero.tdir/fwd_zero.dsc b/testdata/fwd_zero.tdir/fwd_zero.dsc
new file mode 100644
index 000000000000..acacf3809e68
--- /dev/null
+++ b/testdata/fwd_zero.tdir/fwd_zero.dsc
@@ -0,0 +1,16 @@
+BaseName: fwd_zero
+Version: 1.0
+Description: Test for zero byte UDP reply assertion fail
+CreationDate: Tue Jan  6 10:39:28 CET 2009
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: fwd_zero.pre
+Post: fwd_zero.post
+Test: fwd_zero.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/fwd_zero.tdir/fwd_zero.post b/testdata/fwd_zero.tdir/fwd_zero.post
new file mode 100644
index 000000000000..b22a0b7af1b4
--- /dev/null
+++ b/testdata/fwd_zero.tdir/fwd_zero.post
@@ -0,0 +1,10 @@
+# #-- fwd_zero.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
diff --git a/testdata/fwd_zero.tdir/fwd_zero.pre b/testdata/fwd_zero.tdir/fwd_zero.pre
new file mode 100644
index 000000000000..eaa7262e47dd
--- /dev/null
+++ b/testdata/fwd_zero.tdir/fwd_zero.pre
@@ -0,0 +1,31 @@
+# #-- fwd_zero.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT fwd_zero.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < fwd_zero.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/fwd_zero.tdir/fwd_zero.test b/testdata/fwd_zero.tdir/fwd_zero.test
new file mode 100644
index 000000000000..87a2dec9c323
--- /dev/null
+++ b/testdata/fwd_zero.tdir/fwd_zero.test
@@ -0,0 +1,32 @@
+# #-- fwd_zero.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+
+OPT="-i"
+if nc -h 2>&1 | grep -- "-w secs" >/dev/null; then
+        OPT="-w"
+fi
+
+# send query with qname but not qtype , qclass (malformed query)
+echo "> nc www.example.com. (malformed)"
+echo "b4380100000100000000000003777777076578616d706c6503636f6d00" | xxd -r -p | nc -un $OPT 2 127.0.0.1 $UNBOUND_PORT 2>/dev/null | xxd | tee outfile
+
+# now test that server is still up
+echo "> dig www.example.com."
+dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/fwd_zero.tdir/fwd_zero.testns b/testdata/fwd_zero.tdir/fwd_zero.testns
new file mode 100644
index 000000000000..f2a700cc7daf
--- /dev/null
+++ b/testdata/fwd_zero.tdir/fwd_zero.testns
@@ -0,0 +1,14 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
diff --git a/testdata/fwd_zero.tpkg b/testdata/fwd_zero.tpkg
deleted file mode 100644
index bff17baa99d3..000000000000
--- a/testdata/fwd_zero.tpkg
+++ /dev/null
diff --git a/testdata/hostsfileosx.tdir/hostsfileosx.dsc b/testdata/hostsfileosx.tdir/hostsfileosx.dsc
new file mode 100644
index 000000000000..78ba2de0b16c
--- /dev/null
+++ b/testdata/hostsfileosx.tdir/hostsfileosx.dsc
@@ -0,0 +1,16 @@
+BaseName: hostsfileosx
+Version: 1.0
+Description: Test lookup using libunbound with osx hosts file
+CreationDate: Fri May 16 13:29:39 CEST 2008
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: hostsfileosx.pre
+Post: hostsfileosx.post
+Test: hostsfileosx.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/hostsfileosx.tdir/hostsfileosx.hosts b/testdata/hostsfileosx.tdir/hostsfileosx.hosts
new file mode 100644
index 000000000000..2bf277584abf
--- /dev/null
+++ b/testdata/hostsfileosx.tdir/hostsfileosx.hosts
@@ -0,0 +1,15 @@
+# Host Database
+#
+# This file should contain the addresses and aliases for local hosts that
+# share this file.  Replace 'my.domain' below with the domainname of your
+# machine.
+#
+::1                     localhost localhost.my.domain
+127.0.0.1               localhost localhost.my.domain
+# from MacOSX.
+fe80::1%lo0 localhost
+255.255.255.255 broadcasthost
+# Imaginary network.
+10.0.0.2               myname.my.domain myname
+10.0.0.3               myfriend.my.domain myfriend
+10.20.30.40		virtual.virtual.virtual.local
diff --git a/testdata/hostsfileosx.tdir/hostsfileosx.post b/testdata/hostsfileosx.tdir/hostsfileosx.post
new file mode 100644
index 000000000000..50e72ebd88cd
--- /dev/null
+++ b/testdata/hostsfileosx.tdir/hostsfileosx.post
@@ -0,0 +1,9 @@
+# #-- hostsfileosx.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
diff --git a/testdata/hostsfileosx.tdir/hostsfileosx.pre b/testdata/hostsfileosx.tdir/hostsfileosx.pre
new file mode 100644
index 000000000000..94432206afa4
--- /dev/null
+++ b/testdata/hostsfileosx.tdir/hostsfileosx.pre
@@ -0,0 +1,20 @@
+# #-- hostsfileosx.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+FWD_PORT=$(($RND_PORT + 1))
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT hostsfileosx.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+
diff --git a/testdata/hostsfileosx.tdir/hostsfileosx.test b/testdata/hostsfileosx.tdir/hostsfileosx.test
new file mode 100644
index 000000000000..96606094ab43
--- /dev/null
+++ b/testdata/hostsfileosx.tdir/hostsfileosx.test
@@ -0,0 +1,63 @@
+# #-- hostsfileosx.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+
+# test if fwder is up
+echo "> dig @127.0.0.1 -p $FWD_PORT www.example.com | tee outfile"
+dig @127.0.0.1 -p $FWD_PORT www.example.com | tee outfile
+if grep "10.20.30.40" outfile; then
+	echo "fwder is up"
+else
+	cat fwd.log
+	echo "fwder not up"
+	exit 1
+fi
+rm outfile
+
+# create asynclook
+get_make
+echo "> (cd $PRE ; $MAKE asynclook)"
+(cd $PRE ; $MAKE asynclook)
+if test ! -x $PRE/asynclook; then
+	echo "cannot build asynclook test program"
+	exit 1
+fi
+(cd $PRE ; $MAKE lock-verify)
+
+# check the locks.
+function locktest() {
+	if test -x $PRE/lock-verify -a -f ublocktrace.0; then
+		$PRE/lock-verify ublocktrace.*
+		if test $? -ne 0; then
+			echo "lock-verify error"
+			exit 1
+		fi
+	fi
+}
+
+
+THR=""
+if grep "undef HAVE_FORK" $PRE/config.h; then
+	THR="-t"
+fi
+
+# test hosts reading (directed at local auth info)
+echo '> $PRE/asynclook $THR -H hostsfileosx.hosts virtual.virtual.virtual.local 2>&1 | tee outfile'
+$PRE/asynclook $THR -H hostsfileosx.hosts virtual.virtual.virtual.local 2>&1 | tee outfile
+if grep "virtual.virtual.virtual.local: 10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+locktest
+rm outfile
+
+echo "> cat logfiles"
+cat fwd.log 
+exit 0
diff --git a/testdata/hostsfileosx.tdir/hostsfileosx.testns b/testdata/hostsfileosx.tdir/hostsfileosx.testns
new file mode 100644
index 000000000000..6245ae164172
--- /dev/null
+++ b/testdata/hostsfileosx.tdir/hostsfileosx.testns
@@ -0,0 +1,35 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+; for priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+@	IN	NS
+SECTION ANSWER
+@	IN	NS	127.0.0.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www2	IN	A
+SECTION ANSWER
+www2	IN	A	10.20.30.42
+ENTRY_END
+
diff --git a/testdata/hostsfileosx.tpkg b/testdata/hostsfileosx.tpkg
deleted file mode 100644
index 05ab7c233985..000000000000
--- a/testdata/hostsfileosx.tpkg
+++ /dev/null
diff --git a/testdata/local_ds.rpl b/testdata/local_ds.rpl
new file mode 100644
index 000000000000..58b3e2236d1b
--- /dev/null
+++ b/testdata/local_ds.rpl
@@ -0,0 +1,103 @@
+; config options
+; The island of trust is at example.com
+server:
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test local data for as112 zone with DS lookup.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS	K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+arpa. IN NS
+SECTION ANSWER
+SECTION AUTHORITY
+. IN NS	K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+in-addr.arpa. IN NS
+SECTION ANSWER
+SECTION AUTHORITY
+. IN NS	K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+10.in-addr.arpa. IN DS
+SECTION ANSWER
+SECTION AUTHORITY
+10.in-addr.arpa. IN NSEC 11.in-addr.arpa NSEC RRSIG
+. IN SOA invalid. invalid. 1 2 3 4 5
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+40.30.20.10.in-addr.arpa. IN PTR
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA DO NXDOMAIN
+SECTION QUESTION
+40.30.20.10.in-addr.arpa. IN PTR
+SECTION ANSWER
+SECTION AUTHORITY
+10.in-addr.arpa.	10800	IN	SOA	localhost. nobody.invalid. 1 3600 1200 604800 10800
+ENTRY_END
+
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+10.in-addr.arpa. IN DS
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA DO NOERROR
+SECTION QUESTION
+10.in-addr.arpa. IN DS
+SECTION ANSWER
+SECTION AUTHORITY
+10.in-addr.arpa. IN NSEC 11.in-addr.arpa NSEC RRSIG
+. IN SOA invalid. invalid. 1 2 3 4 5
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/local_nodefault.rpl b/testdata/local_nodefault.rpl
index 91243d19fb6d..794196244829 100644
--- a/testdata/local_nodefault.rpl
+++ b/testdata/local_nodefault.rpl
@@ -30,7 +30,7 @@ MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA NXDOMAIN
 SECTION QUESTION
-40.30.20.10.in-addr-arpa. IN PTR
+40.30.20.10.in-addr.arpa. IN PTR
 SECTION ANSWER
 SECTION AUTHORITY
 . IN SOA invalid. invalid. 1 2 3 4 5
@@ -41,7 +41,7 @@ STEP 1 QUERY
 ENTRY_BEGIN
 REPLY RD DO
 SECTION QUESTION
-40.30.20.10.in-addr-arpa. IN PTR
+40.30.20.10.in-addr.arpa. IN PTR
 ENTRY_END
 ; not blocked!
 
@@ -51,7 +51,7 @@ ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA DO NXDOMAIN
 SECTION QUESTION
-40.30.20.10.in-addr-arpa. IN PTR
+40.30.20.10.in-addr.arpa. IN PTR
 SECTION ANSWER
 SECTION AUTHORITY
 . IN SOA invalid. invalid. 1 2 3 4 5
diff --git a/testdata/local_nodefault.tdir/local_nodefault.conf b/testdata/local_nodefault.tdir/local_nodefault.conf
new file mode 100644
index 000000000000..b245c0373469
--- /dev/null
+++ b/testdata/local_nodefault.tdir/local_nodefault.conf
@@ -0,0 +1,27 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+	# trailing .
+	local-zone: "30.172.in-addr.arpa." nodefault
+	# no trailing .
+	local-zone: "29.172.in-addr.arpa" nodefault
+
+forward-zone:
+	name: "."
+	# invalid address to be sure it fails.
+	forward-addr: "127.0.0.5@@TOPORT@"
+forward-zone:
+	name: "30.172.in-addr.arpa"
+	forward-addr: "127.0.0.1@@TOPORT@"
+forward-zone:
+	name: "29.172.in-addr.arpa"
+	forward-addr: "127.0.0.1@@TOPORT@"
+
diff --git a/testdata/local_nodefault.tdir/local_nodefault.dsc b/testdata/local_nodefault.tdir/local_nodefault.dsc
new file mode 100644
index 000000000000..43133eec9425
--- /dev/null
+++ b/testdata/local_nodefault.tdir/local_nodefault.dsc
@@ -0,0 +1,16 @@
+BaseName: local_nodefault
+Version: 1.0
+Description: Create a stub zone to replace a default local zone
+CreationDate: Tue Jun  3 14:08:00 CEST 2008
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: local_nodefault.pre
+Post: local_nodefault.post
+Test: local_nodefault.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/local_nodefault.tdir/local_nodefault.post b/testdata/local_nodefault.tdir/local_nodefault.post
new file mode 100644
index 000000000000..af955a1e546c
--- /dev/null
+++ b/testdata/local_nodefault.tdir/local_nodefault.post
@@ -0,0 +1,11 @@
+# #-- local_nodefault.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
+
diff --git a/testdata/local_nodefault.tdir/local_nodefault.pre b/testdata/local_nodefault.tdir/local_nodefault.pre
new file mode 100644
index 000000000000..48e8d25a4456
--- /dev/null
+++ b/testdata/local_nodefault.tdir/local_nodefault.pre
@@ -0,0 +1,31 @@
+# #-- local_nodefault.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT local_nodefault.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < local_nodefault.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/local_nodefault.tdir/local_nodefault.test b/testdata/local_nodefault.tdir/local_nodefault.test
new file mode 100644
index 000000000000..01e0ac042717
--- /dev/null
+++ b/testdata/local_nodefault.tdir/local_nodefault.test
@@ -0,0 +1,53 @@
+# #-- local_nodefault.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+
+# this one should have NXDOMAIN builtin
+#
+echo "> dig 1.0.31.172.in-addr.arpa."
+dig @localhost -p $UNBOUND_PORT 1.0.31.172.in-addr.arpa. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "NXDOMAIN" outfile; then
+	echo "OK for a blocked by default zone"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+# this one should give our own data as the reply
+echo "> dig 1.0.30.172.in-addr.arpa."
+dig @localhost -p $UNBOUND_PORT 1.0.30.172.in-addr.arpa. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK for nodefault zone"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+# this one should give our own data as the reply
+# but different trailing dot in unbound.conf file
+echo "> dig 1.0.29.172.in-addr.arpa."
+dig @localhost -p $UNBOUND_PORT 1.0.29.172.in-addr.arpa. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.42" outfile; then
+	echo "OK for nodefault zone"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/local_nodefault.tdir/local_nodefault.testns b/testdata/local_nodefault.tdir/local_nodefault.testns
new file mode 100644
index 000000000000..041888ea6237
--- /dev/null
+++ b/testdata/local_nodefault.tdir/local_nodefault.testns
@@ -0,0 +1,24 @@
+; nameserver test file
+$ORIGIN 30.172.in-addr.arpa.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+1.0	IN 	A
+SECTION ANSWER
+1.0	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+1.0.29.172.in-addr.arpa.	IN 	A
+SECTION ANSWER
+1.0.29.172.in-addr.arpa.	IN	A	10.20.30.42
+ENTRY_END
+
diff --git a/testdata/local_nodefault.tpkg b/testdata/local_nodefault.tpkg
deleted file mode 100644
index 5f9dc441a338..000000000000
--- a/testdata/local_nodefault.tpkg
+++ /dev/null
diff --git a/testdata/local_norec.tdir/local_norec.conf b/testdata/local_norec.tdir/local_norec.conf
new file mode 100644
index 000000000000..86cddbddfb53
--- /dev/null
+++ b/testdata/local_norec.tdir/local_norec.conf
@@ -0,0 +1,24 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+	
+	local-data: "foo.example.com. A 1.1.1.1"
+
+	access-control: 0.0.0.0/0 allow_snoop
+	access-control: 127.0.0.0/8 allow_snoop
+	access-control: ::0/0 allow_snoop
+	access-control: ::1 allow_snoop
+	access-control: ::ffff:127.0.0.1 allow_snoop
+
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
diff --git a/testdata/local_norec.tdir/local_norec.dsc b/testdata/local_norec.tdir/local_norec.dsc
new file mode 100644
index 000000000000..fb1c77811f55
--- /dev/null
+++ b/testdata/local_norec.tdir/local_norec.dsc
@@ -0,0 +1,16 @@
+BaseName: local_norec
+Version: 1.0
+Description: Local-data and access control allow_snoop test.
+CreationDate: Mon Sep  1 14:26:00 CEST 2008
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: local_norec.pre
+Post: local_norec.post
+Test: local_norec.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/local_norec.tdir/local_norec.post b/testdata/local_norec.tdir/local_norec.post
new file mode 100644
index 000000000000..bf65aa84ac48
--- /dev/null
+++ b/testdata/local_norec.tdir/local_norec.post
@@ -0,0 +1,10 @@
+# #-- local_norec.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
diff --git a/testdata/local_norec.tdir/local_norec.pre b/testdata/local_norec.tdir/local_norec.pre
new file mode 100644
index 000000000000..8ab4f6200463
--- /dev/null
+++ b/testdata/local_norec.tdir/local_norec.pre
@@ -0,0 +1,31 @@
+# #-- local_norec.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT local_norec.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < local_norec.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/local_norec.tdir/local_norec.test b/testdata/local_norec.tdir/local_norec.test
new file mode 100644
index 000000000000..b32f0aed1a8c
--- /dev/null
+++ b/testdata/local_norec.tdir/local_norec.test
@@ -0,0 +1,65 @@
+# #-- local_norec.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+#
+# www.example.com is available through recursion.
+# foo.example.com is available through local-data (and recursion...).
+#
+echo "> dig www.example.com. +RD"
+dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+echo "> dig www.example.com. +norec"
+dig @localhost +norec -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+echo "> dig foo.example.com. +RD"
+dig @localhost -p $UNBOUND_PORT foo.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "1.1.1.1" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+echo "> dig foo.example.com. +norec"
+dig @localhost +norec -p $UNBOUND_PORT foo.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "1.1.1.1" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/local_norec.tdir/local_norec.testns b/testdata/local_norec.tdir/local_norec.testns
new file mode 100644
index 000000000000..58dce45bc5bf
--- /dev/null
+++ b/testdata/local_norec.tdir/local_norec.testns
@@ -0,0 +1,24 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+foo	IN	A
+SECTION ANSWER
+foo	IN	A	10.20.30.50
+ENTRY_END
+
diff --git a/testdata/local_norec.tpkg b/testdata/local_norec.tpkg
deleted file mode 100644
index 2258695d8c50..000000000000
--- a/testdata/local_norec.tpkg
+++ /dev/null
diff --git a/testdata/local_nosnoop.tdir/local_nosnoop.conf b/testdata/local_nosnoop.tdir/local_nosnoop.conf
new file mode 100644
index 000000000000..f3dd8e72c17e
--- /dev/null
+++ b/testdata/local_nosnoop.tdir/local_nosnoop.conf
@@ -0,0 +1,24 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+	
+	local-data: "foo.example.com. A 1.1.1.1"
+
+	access-control: 0.0.0.0/0 allow
+	access-control: 127.0.0.0/8 allow
+	access-control: ::0/0 allow
+	access-control: ::1 allow
+	access-control: ::ffff:127.0.0.1 allow
+
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
diff --git a/testdata/local_nosnoop.tdir/local_nosnoop.dsc b/testdata/local_nosnoop.tdir/local_nosnoop.dsc
new file mode 100644
index 000000000000..1e009f9e2fc9
--- /dev/null
+++ b/testdata/local_nosnoop.tdir/local_nosnoop.dsc
@@ -0,0 +1,16 @@
+BaseName: local_nosnoop
+Version: 1.0
+Description: Local-data and access control allow no snoop test.
+CreationDate: Mon Sep  1 14:36:53 CEST 2008
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: local_nosnoop.pre
+Post: local_nosnoop.post
+Test: local_nosnoop.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/local_nosnoop.tdir/local_nosnoop.post b/testdata/local_nosnoop.tdir/local_nosnoop.post
new file mode 100644
index 000000000000..63d492d25470
--- /dev/null
+++ b/testdata/local_nosnoop.tdir/local_nosnoop.post
@@ -0,0 +1,10 @@
+# #-- local_nosnoop.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
diff --git a/testdata/local_nosnoop.tdir/local_nosnoop.pre b/testdata/local_nosnoop.tdir/local_nosnoop.pre
new file mode 100644
index 000000000000..e304f496e6e6
--- /dev/null
+++ b/testdata/local_nosnoop.tdir/local_nosnoop.pre
@@ -0,0 +1,31 @@
+# #-- local_nosnoop.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT local_nosnoop.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < local_nosnoop.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/local_nosnoop.tdir/local_nosnoop.test b/testdata/local_nosnoop.tdir/local_nosnoop.test
new file mode 100644
index 000000000000..1e762d5dc921
--- /dev/null
+++ b/testdata/local_nosnoop.tdir/local_nosnoop.test
@@ -0,0 +1,75 @@
+# #-- local_nosnoop.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+#
+# www.example.com is available through recursion.
+# foo.example.com is available through local-data (and recursion...).
+#
+# so, with 'allow' the cache snoop stops working:
+# 	dig +norec for www does not work any more.
+#
+echo "> dig www.example.com. +RD"
+dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+echo "> dig www.example.com. +norec"
+dig @localhost +norec -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "REFUSED" outfile; then
+	echo "OK rcode"
+else
+	echo "Not OK rcode"
+	exit 1
+fi
+
+if grep "10.20.30.40" outfile; then
+	echo "Not OK"
+	exit 1
+else
+	echo "OK"
+fi
+
+echo "> dig foo.example.com. +RD"
+dig @localhost -p $UNBOUND_PORT foo.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "1.1.1.1" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+echo "> dig foo.example.com. +norec"
+dig @localhost +norec -p $UNBOUND_PORT foo.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "1.1.1.1" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/local_nosnoop.tdir/local_nosnoop.testns b/testdata/local_nosnoop.tdir/local_nosnoop.testns
new file mode 100644
index 000000000000..58dce45bc5bf
--- /dev/null
+++ b/testdata/local_nosnoop.tdir/local_nosnoop.testns
@@ -0,0 +1,24 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+foo	IN	A
+SECTION ANSWER
+foo	IN	A	10.20.30.50
+ENTRY_END
+
diff --git a/testdata/local_nosnoop.tpkg b/testdata/local_nosnoop.tpkg
deleted file mode 100644
index 23765b29836a..000000000000
--- a/testdata/local_nosnoop.tpkg
+++ /dev/null
diff --git a/testdata/nss_compile.tdir/nss_compile.dsc b/testdata/nss_compile.tdir/nss_compile.dsc
new file mode 100644
index 000000000000..6c59d245fa41
--- /dev/null
+++ b/testdata/nss_compile.tdir/nss_compile.dsc
@@ -0,0 +1,16 @@
+BaseName: nss_compile
+Version: 1.0
+Description: Compile with NSS
+CreationDate: Fri Feb  8 14:40:28 CET 2013
+Maintainer: Wouter Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre:
+Post:
+Test: nss_compile.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/nss_compile.tdir/nss_compile.test b/testdata/nss_compile.tdir/nss_compile.test
new file mode 100644
index 000000000000..82b194668fd9
--- /dev/null
+++ b/testdata/nss_compile.tdir/nss_compile.test
@@ -0,0 +1,38 @@
+# #-- nss_compile.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+if test "`hostname`" = "open.nlnetlabs.nl"; then
+	echo "on open, continue test"
+else
+	echo "not on open, no test, do this explicitly"
+	exit 0
+fi
+
+. ../common.sh
+get_make
+PRE="../.."
+
+opts=`$PRE/unbound -h | grep configured | sed -e 's/^.*options: //' | sed -e "s/'//g" `
+
+function error_exit ()
+{
+	cat config.log
+	echo "$1"
+	exit 1
+}
+
+mkdir testdata
+cp $PRE/testdata/*.rpl testdata/.
+cp $PRE/testdata/test* testdata/.
+
+echo ">>> $PRE/configure $opts --without-ssl --with-nss --with-libunbound-only LDFLAGS=-L/usr/local/lib/nss" 'CPPFLAGS="-I/usr/local/include/nss/nss -I/usr/local/include/nspr"'
+$PRE/configure $opts --without-ssl --with-nss --with-libunbound-only LDFLAGS=-L/usr/local/lib/nss CPPFLAGS="-I/usr/local/include/nss/nss -I/usr/local/include/nspr" || error_exit "could not configure"
+echo ">>> $MAKE"
+$MAKE || error_exit "could not make"
+echo ">>> $MAKE test"
+$MAKE test || error_exit "could not make test"
+
+exit 0
diff --git a/testdata/nss_compile.tpkg b/testdata/nss_compile.tpkg
deleted file mode 100644
index d6412017c532..000000000000
--- a/testdata/nss_compile.tpkg
+++ /dev/null
diff --git a/testdata/pylib.tdir/pylib.conf b/testdata/pylib.tdir/pylib.conf
new file mode 100644
index 000000000000..82fa27a68196
--- /dev/null
+++ b/testdata/pylib.tdir/pylib.conf
@@ -0,0 +1,19 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	#port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+	module-config: "validator iterator"
+
+#python:
+	#python-script: "pylib.py"
+
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
diff --git a/testdata/pylib.tdir/pylib.dsc b/testdata/pylib.tdir/pylib.dsc
new file mode 100644
index 000000000000..fcea32b9e160
--- /dev/null
+++ b/testdata/pylib.tdir/pylib.dsc
@@ -0,0 +1,16 @@
+BaseName: pylib
+Version: 1.0
+Description: Test python wrapper for libunbound
+CreationDate: Mon Apr  6 12:33:31 CEST 2009
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: pylib.pre
+Post: pylib.post
+Test: pylib.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/pylib.tdir/pylib.lookup.py b/testdata/pylib.tdir/pylib.lookup.py
new file mode 100755
index 000000000000..1c829bc7054d
--- /dev/null
+++ b/testdata/pylib.tdir/pylib.lookup.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python
+'''
+Test for unbound lookup.
+BSD licensed.
+'''
+import unbound
+
+ctx = unbound.ub_ctx()
+status = ctx.config("ub.conf")
+if status != 0:
+	print "read config failed ", status
+	exit(1)
+
+print "config created"
+
+status, result = ctx.resolve("www.example.com", unbound.RR_TYPE_A, unbound.RR_CLASS_IN);
+if status == 0 and result.havedata:
+	print "Result: ", result.data.address_list
+else:
+	print "Failed ", status, " and data ", result
+
+ctx = None
+
+exit(0)
diff --git a/testdata/pylib.tdir/pylib.post b/testdata/pylib.tdir/pylib.post
new file mode 100644
index 000000000000..26db7e80eee9
--- /dev/null
+++ b/testdata/pylib.tdir/pylib.post
@@ -0,0 +1,20 @@
+# #-- pylib.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+
+PRE="../.."
+. ../common.sh
+# if no python; exit
+if grep "define WITH_PYUNBOUND 1" $PRE/config.h; then
+	echo "have python module"
+else
+	echo "no python module"
+	exit 0
+fi
+
+# kill fwder
+kill_pid $FWD_PID
diff --git a/testdata/pylib.tdir/pylib.pre b/testdata/pylib.tdir/pylib.pre
new file mode 100644
index 000000000000..01ca2b896280
--- /dev/null
+++ b/testdata/pylib.tdir/pylib.pre
@@ -0,0 +1,36 @@
+# #-- pylib.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+# if no python; exit
+if grep "define WITH_PYUNBOUND 1" $PRE/config.h; then
+	echo "have python module"
+else
+	echo "no python module"
+	exit 0
+fi
+# get module python local
+cp $PRE/pythonmod/unboundmodule.py .
+
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT pylib.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# modify config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < pylib.conf > ub.conf
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+
diff --git a/testdata/pylib.tdir/pylib.py b/testdata/pylib.tdir/pylib.py
new file mode 100644
index 000000000000..3f6fed1c696b
--- /dev/null
+++ b/testdata/pylib.tdir/pylib.py
@@ -0,0 +1,159 @@
+# -*- coding: utf-8 -*-
+'''
+ ubmodule-msg.py: simple response packet logger
+
+ Authors: Zdenek Vasicek (vasicek AT fit.vutbr.cz)
+          Marek Vavrusa  (xvavru00 AT stud.fit.vutbr.cz)
+
+ Copyright (c) 2008. All rights reserved.
+
+ This software is open source.
+ 
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 
+ Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+ 
+ Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+ 
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+ LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+ Modified for unit test by Wouter Wijngaards, NLnet Labs, 2009.
+'''
+import os
+
+def init(id, cfg):
+    log_info("pythonmod: init called, module id is %d port: %d script: %s" % (id, cfg.port, cfg.python_script))
+    return True
+
+def deinit(id):
+    log_info("pythonmod: deinit called, module id is %d" % id)
+    return True
+
+def inform_super(id, qstate, superqstate, qdata):
+    return True
+
+def setTTL(qstate, ttl):
+    """Sets return_msg TTL and all the RRs TTL"""
+    if qstate.return_msg:
+        qstate.return_msg.rep.ttl = ttl
+        if (qstate.return_msg.rep):
+            for i in range(0,qstate.return_msg.rep.rrset_count):
+                d = qstate.return_msg.rep.rrsets[i].entry.data
+                for j in range(0,d.count+d.rrsig_count):
+                    d.rr_ttl[j] = ttl
+
+def dataHex(data, prefix=""):
+    res = ""
+    for i in range(0, (len(data)+15)/16):
+        res += "%s0x%02X | " % (prefix, i*16)
+        d = map(lambda x:ord(x), data[i*16:i*16+17])
+        for ch in d:
+            res += "%02X " % ch
+        for i in range(0,17-len(d)):
+            res += "   "
+        res += "| "
+        for ch in d:
+            if (ch < 32) or (ch > 127):
+                res += ". "
+            else:
+                res += "%c " % ch
+        res += "\n"
+    return res
+
+def printReturnMsg(qstate):
+    print "Return MSG rep   :: flags: %04X, QDcount: %d, Security:%d, TTL=%d" % (qstate.return_msg.rep.flags, qstate.return_msg.rep.qdcount,qstate.return_msg.rep.security, qstate.return_msg.rep.ttl)
+    print "           qinfo :: qname:",qstate.return_msg.qinfo.qname_list, qstate.return_msg.qinfo.qname_str, "type:",qstate.return_msg.qinfo.qtype_str, "class:",qstate.return_msg.qinfo.qclass_str
+    if (qstate.return_msg.rep):
+        print "RRSets:",qstate.return_msg.rep.rrset_count
+        prevkey = None
+        for i in range(0,qstate.return_msg.rep.rrset_count):
+            r = qstate.return_msg.rep.rrsets[i]
+            rk = r.rk
+            print i,":",rk.dname_list, rk.dname_str, "flags: %04X" % rk.flags,
+            print "type:",rk.type_str,"(%d)" % ntohs(rk.type), "class:",rk.rrset_class_str,"(%d)" % ntohs(rk.rrset_class)
+
+            d = r.entry.data
+            print "    RRDatas:",d.count+d.rrsig_count
+            for j in range(0,d.count+d.rrsig_count):
+                print "    ",j,":","TTL=",d.rr_ttl[j],"RR data:"
+                print dataHex(d.rr_data[j],"         ")
+
+
+def operate(id, event, qstate, qdata):
+    log_info("pythonmod: operate called, id: %d, event:%s" % (id, strmodulevent(event)))
+    #print "pythonmod: per query data", qdata
+
+    print "Query:", ''.join(map(lambda x:chr(max(32,ord(x))),qstate.qinfo.qname)), qstate.qinfo.qname_list, qstate.qinfo.qname_str,
+    print "Type:",qstate.qinfo.qtype_str,"(%d)" % qstate.qinfo.qtype,
+    print "Class:",qstate.qinfo.qclass_str,"(%d)" % qstate.qinfo.qclass
+    print
+
+    if (event == MODULE_EVENT_NEW or event == MODULE_EVENT_PASS) and (qstate.qinfo.qname_str.endswith("www2.example.com.")):
+        print qstate.qinfo.qname_str
+
+        qstate.ext_state[id] = MODULE_FINISHED 
+
+        msg = DNSMessage(qstate.qinfo.qname_str, RR_TYPE_A, RR_CLASS_IN, PKT_QR | PKT_RA | PKT_AA) #, 300)
+        #msg.authority.append("xxx.seznam.cz. 10 IN A 192.168.1.1")
+        #msg.additional.append("yyy.seznam.cz. 10 IN A 1.1.1.2.")
+
+	# answer can be returned to the client without further checking.
+
+        if qstate.qinfo.qtype == RR_TYPE_A:
+            msg.answer.append("%s 10 IN A 192.168.1.1" % qstate.qinfo.qname_str)
+        if (qstate.qinfo.qtype == RR_TYPE_SRV) or (qstate.qinfo.qtype == RR_TYPE_ANY):
+            msg.answer.append("%s 10 IN SRV 0 0 80 neinfo.example.com." % qstate.qinfo.qname_str)
+        if (qstate.qinfo.qtype == RR_TYPE_TXT) or (qstate.qinfo.qtype == RR_TYPE_ANY):
+            msg.answer.append("%s 10 IN TXT path=/" % qstate.qinfo.qname_str)
+
+        if not msg.set_return_msg(qstate):
+            qstate.ext_state[id] = MODULE_ERROR 
+            return True
+
+        #qstate.return_msg.rep.security = 2 #pokud nebude nasledovat validator, je zapotrebi nastavit security, aby nebyl paket zahozen v mesh_send_reply
+        printReturnMsg(qstate)
+
+        #Authoritative result can't be stored in cache
+        #if (not storeQueryInCache(qstate, qstate.return_msg.qinfo, qstate.return_msg.rep, 0)):
+        #    print "Can't store in cache"
+        #    qstate.ext_state[id] = MODULE_ERROR
+        #    return False
+        #print "Store OK"
+
+        qstate.return_rcode = RCODE_NOERROR
+        return True
+
+    if event == MODULE_EVENT_NEW:
+        qstate.ext_state[id] = MODULE_WAIT_MODULE 
+        return True
+
+    if event == MODULE_EVENT_MODDONE:
+        log_info("pythonmod: previous module done")
+        qstate.ext_state[id] = MODULE_FINISHED 
+        return True
+      
+    if event == MODULE_EVENT_PASS:
+        log_info("pythonmod: event_pass")
+        qstate.ext_state[id] = MODULE_WAIT_MODULE 
+        return True
+
+    log_err("pythonmod: BAD event")
+    qstate.ext_state[id] = MODULE_ERROR
+    return True
+
+log_info("pythonmod: script loaded.")
diff --git a/testdata/pylib.tdir/pylib.test b/testdata/pylib.tdir/pylib.test
new file mode 100644
index 000000000000..96a846403c15
--- /dev/null
+++ b/testdata/pylib.tdir/pylib.test
@@ -0,0 +1,40 @@
+# #-- pylib.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+if grep "define WITH_PYUNBOUND 1" $PRE/config.h; then
+	echo "have python module"
+else
+	echo "no python module"
+	exit 0
+fi
+
+if test "`uname 2>&1`" = "Darwin"; then
+	echo export DYLD_LIBRARY_PATH="$DYLD_LIBRARY_PATH:../../.libs"
+	export DYLD_LIBRARY_PATH="$DYLD_LIBRARY_PATH:../../.libs"
+fi
+#echo export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:../../.libs:."
+#export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:../../.libs:."
+
+cp $PRE/libunbound/python/unbound.py .
+cp $PRE/.libs/_unbound* .
+cp $PRE/.libs/libunbound* .
+
+# do the test
+echo "> pylib.lookup.py www.example.com."
+./pylib.lookup.py www.example.com. | tee outfile
+
+echo "> cat logfiles"
+cat fwd.log 
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/pylib.tdir/pylib.testns b/testdata/pylib.tdir/pylib.testns
new file mode 100644
index 000000000000..f2a700cc7daf
--- /dev/null
+++ b/testdata/pylib.tdir/pylib.testns
@@ -0,0 +1,14 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
diff --git a/testdata/pylib.tpkg b/testdata/pylib.tpkg
deleted file mode 100644
index 202595c151e2..000000000000
--- a/testdata/pylib.tpkg
+++ /dev/null
diff --git a/testdata/pymod.tdir/pymod.conf b/testdata/pymod.tdir/pymod.conf
new file mode 100644
index 000000000000..b419c715bc68
--- /dev/null
+++ b/testdata/pymod.tdir/pymod.conf
@@ -0,0 +1,19 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+	module-config: "validator python iterator"
+
+python:
+	python-script: "pymod.py"
+
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
diff --git a/testdata/pymod.tdir/pymod.dsc b/testdata/pymod.tdir/pymod.dsc
new file mode 100644
index 000000000000..386e058e16b0
--- /dev/null
+++ b/testdata/pymod.tdir/pymod.dsc
@@ -0,0 +1,16 @@
+BaseName: pymod
+Version: 1.0
+Description: Test python module
+CreationDate: Thu Apr  2 12:50:50 CEST 2009
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: pymod.pre
+Post: pymod.post
+Test: pymod.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/pymod.tdir/pymod.post b/testdata/pymod.tdir/pymod.post
new file mode 100644
index 000000000000..368d285edab2
--- /dev/null
+++ b/testdata/pymod.tdir/pymod.post
@@ -0,0 +1,20 @@
+# #-- pymod.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+
+PRE="../.."
+. ../common.sh
+# if no python; exit
+if grep "define WITH_PYTHONMODULE 1" $PRE/config.h; then
+	echo "have python module"
+else
+	echo "no python module"
+	exit 0
+fi
+
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
diff --git a/testdata/pymod.tdir/pymod.pre b/testdata/pymod.tdir/pymod.pre
new file mode 100644
index 000000000000..9029a8742337
--- /dev/null
+++ b/testdata/pymod.tdir/pymod.pre
@@ -0,0 +1,56 @@
+# #-- pymod.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+# if no python; exit
+if grep "define WITH_PYTHONMODULE 1" $PRE/config.h; then
+	echo "have python module"
+else
+	echo "no python module"
+	exit 0
+fi
+# get module python local
+cp $PRE/pythonmod/unboundmodule.py .
+
+if test "`uname 2>&1`" = "Darwin"; then
+        ldnsdir=`grep ldnsdir= ../../Makefile | sed -e 's/ldnsdir=//'`
+        echo export DYLD_LIBRARY_PATH="$DYLD_LIBRARY_PATH:$ldnsdir/lib:../../.libs"
+        export DYLD_LIBRARY_PATH="$DYLD_LIBRARY_PATH:$ldnsdir/lib:../../.libs"
+fi
+
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < pymod.conf > ub.conf
+
+# see if config file verifies
+if $PRE/unbound-checkconf ub.conf 2>&1; then
+	echo "checkconf OK"
+else
+	echo "checkconf failed"
+	exit 1
+fi
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT pymod.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# start unbound in the background
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/pymod.tdir/pymod.py b/testdata/pymod.tdir/pymod.py
new file mode 100644
index 000000000000..3f6fed1c696b
--- /dev/null
+++ b/testdata/pymod.tdir/pymod.py
@@ -0,0 +1,159 @@
+# -*- coding: utf-8 -*-
+'''
+ ubmodule-msg.py: simple response packet logger
+
+ Authors: Zdenek Vasicek (vasicek AT fit.vutbr.cz)
+          Marek Vavrusa  (xvavru00 AT stud.fit.vutbr.cz)
+
+ Copyright (c) 2008. All rights reserved.
+
+ This software is open source.
+ 
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 
+ Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+ 
+ Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+ 
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+ LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+ Modified for unit test by Wouter Wijngaards, NLnet Labs, 2009.
+'''
+import os
+
+def init(id, cfg):
+    log_info("pythonmod: init called, module id is %d port: %d script: %s" % (id, cfg.port, cfg.python_script))
+    return True
+
+def deinit(id):
+    log_info("pythonmod: deinit called, module id is %d" % id)
+    return True
+
+def inform_super(id, qstate, superqstate, qdata):
+    return True
+
+def setTTL(qstate, ttl):
+    """Sets return_msg TTL and all the RRs TTL"""
+    if qstate.return_msg:
+        qstate.return_msg.rep.ttl = ttl
+        if (qstate.return_msg.rep):
+            for i in range(0,qstate.return_msg.rep.rrset_count):
+                d = qstate.return_msg.rep.rrsets[i].entry.data
+                for j in range(0,d.count+d.rrsig_count):
+                    d.rr_ttl[j] = ttl
+
+def dataHex(data, prefix=""):
+    res = ""
+    for i in range(0, (len(data)+15)/16):
+        res += "%s0x%02X | " % (prefix, i*16)
+        d = map(lambda x:ord(x), data[i*16:i*16+17])
+        for ch in d:
+            res += "%02X " % ch
+        for i in range(0,17-len(d)):
+            res += "   "
+        res += "| "
+        for ch in d:
+            if (ch < 32) or (ch > 127):
+                res += ". "
+            else:
+                res += "%c " % ch
+        res += "\n"
+    return res
+
+def printReturnMsg(qstate):
+    print "Return MSG rep   :: flags: %04X, QDcount: %d, Security:%d, TTL=%d" % (qstate.return_msg.rep.flags, qstate.return_msg.rep.qdcount,qstate.return_msg.rep.security, qstate.return_msg.rep.ttl)
+    print "           qinfo :: qname:",qstate.return_msg.qinfo.qname_list, qstate.return_msg.qinfo.qname_str, "type:",qstate.return_msg.qinfo.qtype_str, "class:",qstate.return_msg.qinfo.qclass_str
+    if (qstate.return_msg.rep):
+        print "RRSets:",qstate.return_msg.rep.rrset_count
+        prevkey = None
+        for i in range(0,qstate.return_msg.rep.rrset_count):
+            r = qstate.return_msg.rep.rrsets[i]
+            rk = r.rk
+            print i,":",rk.dname_list, rk.dname_str, "flags: %04X" % rk.flags,
+            print "type:",rk.type_str,"(%d)" % ntohs(rk.type), "class:",rk.rrset_class_str,"(%d)" % ntohs(rk.rrset_class)
+
+            d = r.entry.data
+            print "    RRDatas:",d.count+d.rrsig_count
+            for j in range(0,d.count+d.rrsig_count):
+                print "    ",j,":","TTL=",d.rr_ttl[j],"RR data:"
+                print dataHex(d.rr_data[j],"         ")
+
+
+def operate(id, event, qstate, qdata):
+    log_info("pythonmod: operate called, id: %d, event:%s" % (id, strmodulevent(event)))
+    #print "pythonmod: per query data", qdata
+
+    print "Query:", ''.join(map(lambda x:chr(max(32,ord(x))),qstate.qinfo.qname)), qstate.qinfo.qname_list, qstate.qinfo.qname_str,
+    print "Type:",qstate.qinfo.qtype_str,"(%d)" % qstate.qinfo.qtype,
+    print "Class:",qstate.qinfo.qclass_str,"(%d)" % qstate.qinfo.qclass
+    print
+
+    if (event == MODULE_EVENT_NEW or event == MODULE_EVENT_PASS) and (qstate.qinfo.qname_str.endswith("www2.example.com.")):
+        print qstate.qinfo.qname_str
+
+        qstate.ext_state[id] = MODULE_FINISHED 
+
+        msg = DNSMessage(qstate.qinfo.qname_str, RR_TYPE_A, RR_CLASS_IN, PKT_QR | PKT_RA | PKT_AA) #, 300)
+        #msg.authority.append("xxx.seznam.cz. 10 IN A 192.168.1.1")
+        #msg.additional.append("yyy.seznam.cz. 10 IN A 1.1.1.2.")
+
+	# answer can be returned to the client without further checking.
+
+        if qstate.qinfo.qtype == RR_TYPE_A:
+            msg.answer.append("%s 10 IN A 192.168.1.1" % qstate.qinfo.qname_str)
+        if (qstate.qinfo.qtype == RR_TYPE_SRV) or (qstate.qinfo.qtype == RR_TYPE_ANY):
+            msg.answer.append("%s 10 IN SRV 0 0 80 neinfo.example.com." % qstate.qinfo.qname_str)
+        if (qstate.qinfo.qtype == RR_TYPE_TXT) or (qstate.qinfo.qtype == RR_TYPE_ANY):
+            msg.answer.append("%s 10 IN TXT path=/" % qstate.qinfo.qname_str)
+
+        if not msg.set_return_msg(qstate):
+            qstate.ext_state[id] = MODULE_ERROR 
+            return True
+
+        #qstate.return_msg.rep.security = 2 #pokud nebude nasledovat validator, je zapotrebi nastavit security, aby nebyl paket zahozen v mesh_send_reply
+        printReturnMsg(qstate)
+
+        #Authoritative result can't be stored in cache
+        #if (not storeQueryInCache(qstate, qstate.return_msg.qinfo, qstate.return_msg.rep, 0)):
+        #    print "Can't store in cache"
+        #    qstate.ext_state[id] = MODULE_ERROR
+        #    return False
+        #print "Store OK"
+
+        qstate.return_rcode = RCODE_NOERROR
+        return True
+
+    if event == MODULE_EVENT_NEW:
+        qstate.ext_state[id] = MODULE_WAIT_MODULE 
+        return True
+
+    if event == MODULE_EVENT_MODDONE:
+        log_info("pythonmod: previous module done")
+        qstate.ext_state[id] = MODULE_FINISHED 
+        return True
+      
+    if event == MODULE_EVENT_PASS:
+        log_info("pythonmod: event_pass")
+        qstate.ext_state[id] = MODULE_WAIT_MODULE 
+        return True
+
+    log_err("pythonmod: BAD event")
+    qstate.ext_state[id] = MODULE_ERROR
+    return True
+
+log_info("pythonmod: script loaded.")
diff --git a/testdata/pymod.tdir/pymod.test b/testdata/pymod.tdir/pymod.test
new file mode 100644
index 000000000000..43bf6e65f87f
--- /dev/null
+++ b/testdata/pymod.tdir/pymod.test
@@ -0,0 +1,56 @@
+# #-- pymod.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+if grep "define WITH_PYTHONMODULE 1" $PRE/config.h; then
+	echo "have python module"
+else
+	echo "no python module"
+	exit 0
+fi
+
+if test "`uname 2>&1`" = "Darwin"; then
+        ldnsdir=`grep ldnsdir= ../../Makefile | sed -e 's/ldnsdir=//'`
+        echo export DYLD_LIBRARY_PATH="$DYLD_LIBRARY_PATH:$ldnsdir/lib:../../.libs"
+        export DYLD_LIBRARY_PATH="$DYLD_LIBRARY_PATH:$ldnsdir/lib:../../.libs"
+fi
+
+# see if config file verifies
+if $PRE/unbound-checkconf ub.conf; then
+	echo "checkconf OK"
+else
+	echo "checkconf failed"
+	exit 1
+fi
+
+# do the test
+echo "> dig www.example.com."
+dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+echo "> dig www2.example.com."
+dig @localhost -p $UNBOUND_PORT www2.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "192.168.1.1" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/pymod.tdir/pymod.testns b/testdata/pymod.tdir/pymod.testns
new file mode 100644
index 000000000000..55926bb50c9f
--- /dev/null
+++ b/testdata/pymod.tdir/pymod.testns
@@ -0,0 +1,24 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www2	IN	A
+SECTION ANSWER
+www2	IN	A	10.20.30.40
+ENTRY_END
+
diff --git a/testdata/pymod.tpkg b/testdata/pymod.tpkg
deleted file mode 100644
index 164a82a00424..000000000000
--- a/testdata/pymod.tpkg
+++ /dev/null
diff --git a/testdata/pymod_thread.tdir/pymod_thread.conf b/testdata/pymod_thread.tdir/pymod_thread.conf
new file mode 100644
index 000000000000..3bf8df475d36
--- /dev/null
+++ b/testdata/pymod_thread.tdir/pymod_thread.conf
@@ -0,0 +1,19 @@
+server:
+	verbosity: 2
+	num-threads: 3
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+	module-config: "validator python iterator"
+
+python:
+	python-script: "pymod_thread.py"
+
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
diff --git a/testdata/pymod_thread.tdir/pymod_thread.dsc b/testdata/pymod_thread.tdir/pymod_thread.dsc
new file mode 100644
index 000000000000..d2cc7f5c5fb9
--- /dev/null
+++ b/testdata/pymod_thread.tdir/pymod_thread.dsc
@@ -0,0 +1,16 @@
+BaseName: pymod_thread
+Version: 1.0
+Description: Test python module threaded
+CreationDate: Fri Mar 12 11:41:03 CET 2010
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: pymod_thread.pre
+Post: pymod_thread.post
+Test: pymod_thread.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/pymod_thread.tdir/pymod_thread.post b/testdata/pymod_thread.tdir/pymod_thread.post
new file mode 100644
index 000000000000..e9b307548ba7
--- /dev/null
+++ b/testdata/pymod_thread.tdir/pymod_thread.post
@@ -0,0 +1,21 @@
+# #-- pymod_thread.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+
+PRE="../.."
+. ../common.sh
+# if no python; exit
+if grep "define WITH_PYTHONMODULE 1" $PRE/config.h; then
+	echo "have python module"
+else
+	echo "no python module"
+	exit 0
+fi
+
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
+exit 0
diff --git a/testdata/pymod_thread.tdir/pymod_thread.pre b/testdata/pymod_thread.tdir/pymod_thread.pre
new file mode 100644
index 000000000000..c16362a0b3fb
--- /dev/null
+++ b/testdata/pymod_thread.tdir/pymod_thread.pre
@@ -0,0 +1,56 @@
+# #-- pymod_thread.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+# if no python; exit
+if grep "define WITH_PYTHONMODULE 1" $PRE/config.h; then
+	echo "have python module"
+else
+	echo "no python module"
+	exit 0
+fi
+# get module python local
+cp $PRE/pythonmod/unboundmodule.py .
+
+if test "`uname 2>&1`" = "Darwin"; then
+        ldnsdir=`grep ldnsdir= ../../Makefile | sed -e 's/ldnsdir=//'`
+        echo export DYLD_LIBRARY_PATH="$DYLD_LIBRARY_PATH:$ldnsdir/lib:../../.libs"
+        export DYLD_LIBRARY_PATH="$DYLD_LIBRARY_PATH:$ldnsdir/lib:../../.libs"
+fi
+
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < pymod_thread.conf > ub.conf
+
+# see if config file verifies
+if $PRE/unbound-checkconf ub.conf 2>&1; then
+	echo "checkconf OK"
+else
+	echo "checkconf failed"
+	exit 1
+fi
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT pymod_thread.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# start unbound in the background
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/pymod_thread.tdir/pymod_thread.py b/testdata/pymod_thread.tdir/pymod_thread.py
new file mode 100644
index 000000000000..31e1d43f64ae
--- /dev/null
+++ b/testdata/pymod_thread.tdir/pymod_thread.py
@@ -0,0 +1,165 @@
+# -*- coding: utf-8 -*-
+'''
+ ubmodule-msg.py: simple response packet logger
+
+ Authors: Zdenek Vasicek (vasicek AT fit.vutbr.cz)
+          Marek Vavrusa  (xvavru00 AT stud.fit.vutbr.cz)
+
+ Copyright (c) 2008. All rights reserved.
+
+ This software is open source.
+ 
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 
+ Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+ 
+ Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+ 
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+ LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+ Modified for unit test by Wouter Wijngaards, NLnet Labs, 2009.
+'''
+import os
+
+def init(id, cfg):
+    log_info("pythonmod: init called, module id is %d port: %d script: %s" % (id, cfg.port, cfg.python_script))
+    return True
+
+def deinit(id):
+    log_info("pythonmod: deinit called, module id is %d" % id)
+    return True
+
+def inform_super(id, qstate, superqstate, qdata):
+    return True
+
+def setTTL(qstate, ttl):
+    """Sets return_msg TTL and all the RRs TTL"""
+    if qstate.return_msg:
+        qstate.return_msg.rep.ttl = ttl
+        if (qstate.return_msg.rep):
+            for i in range(0,qstate.return_msg.rep.rrset_count):
+                d = qstate.return_msg.rep.rrsets[i].entry.data
+                for j in range(0,d.count+d.rrsig_count):
+                    d.rr_ttl[j] = ttl
+
+def dataHex(data, prefix=""):
+    res = ""
+    for i in range(0, (len(data)+15)/16):
+        res += "%s0x%02X | " % (prefix, i*16)
+        d = map(lambda x:ord(x), data[i*16:i*16+17])
+        for ch in d:
+            res += "%02X " % ch
+        for i in range(0,17-len(d)):
+            res += "   "
+        res += "| "
+        for ch in d:
+            if (ch < 32) or (ch > 127):
+                res += ". "
+            else:
+                res += "%c " % ch
+        res += "\n"
+    return res
+
+def printReturnMsg(qstate):
+    print "Return MSG rep   :: flags: %04X, QDcount: %d, Security:%d, TTL=%d" % (qstate.return_msg.rep.flags, qstate.return_msg.rep.qdcount,qstate.return_msg.rep.security, qstate.return_msg.rep.ttl)
+    print "           qinfo :: qname:",qstate.return_msg.qinfo.qname_list, qstate.return_msg.qinfo.qname_str, "type:",qstate.return_msg.qinfo.qtype_str, "class:",qstate.return_msg.qinfo.qclass_str
+    if (qstate.return_msg.rep):
+        print "RRSets:",qstate.return_msg.rep.rrset_count
+        prevkey = None
+        for i in range(0,qstate.return_msg.rep.rrset_count):
+            r = qstate.return_msg.rep.rrsets[i]
+            rk = r.rk
+            print i,":",rk.dname_list, rk.dname_str, "flags: %04X" % rk.flags,
+            print "type:",rk.type_str,"(%d)" % ntohs(rk.type), "class:",rk.rrset_class_str,"(%d)" % ntohs(rk.rrset_class)
+
+            d = r.entry.data
+            print "    RRDatas:",d.count+d.rrsig_count
+            for j in range(0,d.count+d.rrsig_count):
+                print "    ",j,":","TTL=",d.rr_ttl[j],"RR data:"
+                print dataHex(d.rr_data[j],"         ")
+
+
+def operate(id, event, qstate, qdata):
+    log_info("pythonmod: operate called, id: %d, event:%s" % (id, strmodulevent(event)))
+    #print "pythonmod: per query data", qdata
+
+    print "Query:", ''.join(map(lambda x:chr(max(32,ord(x))),qstate.qinfo.qname)), qstate.qinfo.qname_list, qstate.qinfo.qname_str,
+    print "Type:",qstate.qinfo.qtype_str,"(%d)" % qstate.qinfo.qtype,
+    print "Class:",qstate.qinfo.qclass_str,"(%d)" % qstate.qinfo.qclass
+    print
+
+    if (event == MODULE_EVENT_NEW or event == MODULE_EVENT_PASS) and (qstate.qinfo.qname_str.endswith("example.com.")):
+        print qstate.qinfo.qname_str
+
+        qstate.ext_state[id] = MODULE_FINISHED 
+
+	# eat time
+	y = 20
+	for z in range(2, 10000):
+		y = y*2 - z/2
+		y = y/2 + z
+
+        msg = DNSMessage(qstate.qinfo.qname_str, RR_TYPE_A, RR_CLASS_IN, PKT_QR | PKT_RA | PKT_AA) #, 300)
+        #msg.authority.append("xxx.seznam.cz. 10 IN A 192.168.1.1")
+        #msg.additional.append("yyy.seznam.cz. 10 IN A 1.1.1.2.")
+
+	# answer can be returned to the client without further checking.
+
+        if qstate.qinfo.qtype == RR_TYPE_A:
+            msg.answer.append("%s 10 IN A 192.168.1.1" % qstate.qinfo.qname_str)
+        if (qstate.qinfo.qtype == RR_TYPE_SRV) or (qstate.qinfo.qtype == RR_TYPE_ANY):
+            msg.answer.append("%s 10 IN SRV 0 0 80 neinfo.example.com." % qstate.qinfo.qname_str)
+        if (qstate.qinfo.qtype == RR_TYPE_TXT) or (qstate.qinfo.qtype == RR_TYPE_ANY):
+            msg.answer.append("%s 10 IN TXT path=/" % qstate.qinfo.qname_str)
+
+        if not msg.set_return_msg(qstate):
+            qstate.ext_state[id] = MODULE_ERROR 
+            return True
+
+        #qstate.return_msg.rep.security = 2 #pokud nebude nasledovat validator, je zapotrebi nastavit security, aby nebyl paket zahozen v mesh_send_reply
+        printReturnMsg(qstate)
+
+        #Authoritative result can't be stored in cache
+        #if (not storeQueryInCache(qstate, qstate.return_msg.qinfo, qstate.return_msg.rep, 0)):
+        #    print "Can't store in cache"
+        #    qstate.ext_state[id] = MODULE_ERROR
+        #    return False
+        #print "Store OK"
+
+        qstate.return_rcode = RCODE_NOERROR
+        return True
+
+    if event == MODULE_EVENT_NEW:
+        qstate.ext_state[id] = MODULE_WAIT_MODULE 
+        return True
+
+    if event == MODULE_EVENT_MODDONE:
+        log_info("pythonmod: previous module done")
+        qstate.ext_state[id] = MODULE_FINISHED 
+        return True
+      
+    if event == MODULE_EVENT_PASS:
+        log_info("pythonmod: event_pass")
+        qstate.ext_state[id] = MODULE_WAIT_MODULE 
+        return True
+
+    log_err("pythonmod: BAD event")
+    qstate.ext_state[id] = MODULE_ERROR
+    return True
+
+log_info("pythonmod: script loaded.")
diff --git a/testdata/pymod_thread.tdir/pymod_thread.test b/testdata/pymod_thread.tdir/pymod_thread.test
new file mode 100644
index 000000000000..c6baa01be842
--- /dev/null
+++ b/testdata/pymod_thread.tdir/pymod_thread.test
@@ -0,0 +1,67 @@
+# #-- pymod_thread.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+if grep "define WITH_PYTHONMODULE 1" $PRE/config.h; then
+	echo "have python module"
+else
+	echo "no python module"
+	exit 0
+fi
+
+if test "`uname 2>&1`" = "Darwin"; then
+        ldnsdir=`grep ldnsdir= ../../Makefile | sed -e 's/ldnsdir=//'`
+        echo export DYLD_LIBRARY_PATH="$DYLD_LIBRARY_PATH:$ldnsdir/lib:../../.libs"
+        export DYLD_LIBRARY_PATH="$DYLD_LIBRARY_PATH:$ldnsdir/lib:../../.libs"
+fi
+
+# see if config file verifies
+if $PRE/unbound-checkconf ub.conf; then
+	echo "checkconf OK"
+else
+	echo "checkconf failed"
+	exit 1
+fi
+
+# do the test
+# generate some load.
+echo "> dig www[1-10].example.com."
+dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile1 &
+dig @localhost -p $UNBOUND_PORT www2.example.com. | tee outfile3 &
+dig @localhost -p $UNBOUND_PORT www3.example.com. | tee outfile2 &
+dig @localhost -p $UNBOUND_PORT www4.example.com. | tee outfile4 &
+dig @localhost -p $UNBOUND_PORT www5.example.com. | tee outfile5 &
+dig @localhost -p $UNBOUND_PORT www6.example.com. | tee outfile6 &
+dig @localhost -p $UNBOUND_PORT www7.example.com. | tee outfile7 &
+dig @localhost -p $UNBOUND_PORT www8.example.com. | tee outfile8 &
+dig @localhost -p $UNBOUND_PORT www9.example.com. | tee outfile9 &
+dig @localhost -p $UNBOUND_PORT www10.example.com. | tee outfile10 &
+
+wait  # wait for all jobs to complete.
+
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+for x in outfile1 outfile2 outfile3 outfile4 outfile5; do
+if grep "192.168.1.1" $x; then
+	echo "$x OK"
+else
+	echo "$x Not OK"
+	exit 1
+fi
+done
+
+for x in outfile6 outfile7 outfile8 outfile9 outfile10; do
+if grep "192.168.1.1" $x; then
+	echo "$x OK"
+else
+	echo "$x Not OK"
+	exit 1
+fi
+done
+
+exit 0
diff --git a/testdata/pymod_thread.tdir/pymod_thread.testns b/testdata/pymod_thread.tdir/pymod_thread.testns
new file mode 100644
index 000000000000..55926bb50c9f
--- /dev/null
+++ b/testdata/pymod_thread.tdir/pymod_thread.testns
@@ -0,0 +1,24 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www2	IN	A
+SECTION ANSWER
+www2	IN	A	10.20.30.40
+ENTRY_END
+
diff --git a/testdata/pymod_thread.tpkg b/testdata/pymod_thread.tpkg
deleted file mode 100644
index 96d5d9b3936d..000000000000
--- a/testdata/pymod_thread.tpkg
+++ /dev/null
diff --git a/testdata/remote-threaded.tdir/bad_control.key b/testdata/remote-threaded.tdir/bad_control.key
new file mode 100644
index 000000000000..d29cdbc91b37
--- /dev/null
+++ b/testdata/remote-threaded.tdir/bad_control.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDti51Z6qASvAjPFFhLLlq8BwtsnmfqMPMn57dKAghb4OifeL4G
+SLOE02/hKDkdkOvaUG2UqDNh2OoPTuJk4A+mG2LJoziFhHKlIebo9v2YiFWOBVtO
+DWc3tXPT1IlSEN0xnAGelMmeLcPeCPe+A5IDlIHzF/+YiDgS38S9dL17owIDAQAB
+AoGAG3w/DatfMCu/nS5OdQx9BSqPgNbnUSqux9xA0fhgPTlN0T3oRtPcqa7JUDUW
+PryI/a62ry+zGkw98N2AxolCZg3N7Z3vuRx2FMcKKNwpTzDmcZW7TmMk5FPof6gE
+PnYl/ff0w+kxqA+L2EexH3Xi6ApLSZcjyzKWj+dL2AuT9gkCQQD3dPitwITxgCAD
+IaHw23e3FRkM/hw1Gp8bt6nbuxitVxxpO96q1EQ+fCy/mf0bMEJDp3xzMEIfP3r4
+GmNbaxa1AkEA9b8LeBLbQ2cm2+UMeUgygBsRirdUQ786auqH38Jbvi/j6S9sDl2x
+q1vRtikEBZJWfkhsOzrzwFDKe1bI/EEn9wJAAzOwRA9JqRZPU7sLrWIpmmTbfh+L
+neRKSsGFoSI6n4ORCouLxgoZF/XjXldPvxpQwS9ZnOPy9xSLMsqknno0QQJAeDtA
+IT8Yh6GwIWWu9KeeDY8wxe1sDLlCm4yjbZZpzGMh3rSU6XJtuqjxsW3fydoO9zn3
+ugLdvvnIFxAexUwbgQJBANyM13xcObfUJOj9rjlGCh0CDh/04ONl8SH8HBnM8guA
+RJI5S6vBHweVRopEZcF1sQm6wMf3ej/sGkyyNvJxRkY=
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/remote-threaded.tdir/bad_control.pem b/testdata/remote-threaded.tdir/bad_control.pem
new file mode 100644
index 000000000000..e06b847208e3
--- /dev/null
+++ b/testdata/remote-threaded.tdir/bad_control.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBozCCAQwCCQDd5/rocjG5vDANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkyNjEyMjQ0NFoXDTI4MDYxMzEyMjQ0NFowGjEYMBYGA1UE
+AxMPdW5ib3VuZC1jb250cm9sMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDt
+i51Z6qASvAjPFFhLLlq8BwtsnmfqMPMn57dKAghb4OifeL4GSLOE02/hKDkdkOva
+UG2UqDNh2OoPTuJk4A+mG2LJoziFhHKlIebo9v2YiFWOBVtODWc3tXPT1IlSEN0x
+nAGelMmeLcPeCPe+A5IDlIHzF/+YiDgS38S9dL17owIDAQABMA0GCSqGSIb3DQEB
+BQUAA4GBAHpvcKqY48X9WsqogV16L+zT7iXhZ4tySA9EBk1a+0gud/iDPKSBi7mK
+4rzphVfb4S207dVmTG+1WNpa6l3pTGML6XLElxqIu/kr7w4cF0rKvZxWPsBRqYjH
+5HrK8CrQ0+YvUHXiu7IaACLGvKXY4Tqa3HQyvEtzLWJ4HhOrGx8F
+-----END CERTIFICATE-----
diff --git a/testdata/remote-threaded.tdir/bad_server.key b/testdata/remote-threaded.tdir/bad_server.key
new file mode 100644
index 000000000000..0dbb134b5be7
--- /dev/null
+++ b/testdata/remote-threaded.tdir/bad_server.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQC9hurNHBtB7QFEuPJOnCylUWUF2/US3v9yQQQXnstuXMQXRaq1
+1uviLmwaGurV9tngX59HITsBT74NQrtFKfEDLViLrm2arAM9Ozsn4tnv30HXPRDj
+UOc1M05Q7UzjaSrOv+TkPEqyhtUyaP1DYo0bcmbxtSkYc2ZEWCwhPklUwQIDAQAB
+AoGATjzZxN4ramWaNnJapJTX4U7eczK/0pB3xwSL2exVcjOdRzYdKH+WVIJxYb1m
+3/jNLFCNAeH356yxeevoPr73nG75YJ9I1ZWQWTnS3SDK6JD1+3pmAD0bQWFoitpf
+FoSH9H4X5gFB5vCZ99YVoYH1UXWPcgvUHwxz0voImt6lCKECQQD4YQ4A3M0+Ki8v
+Hl+5FKULnS0UtBkweCvkF/X1zZRjjYr6hLnqldFkkgTBKWe17pUXX0nwRMbP1YZX
+i+vDq5JNAkEAw1eYsmC0nVAMawo57N6LYavGv/n5u1cvpTpKDtn4cXH0Uqq13Kyu
+2FUTzan2NhCEK78UzbWaeewBJmxYda1+RQJAdShKk6uTAEyjnwUjv8h2JWlJN2fQ
+LeWxRlDrCruiz+aW9J4gl/99GoQpy/c83TshhjnDRZsbcDNWv/rXBZ/rTQJAFQva
+CtX6f7yBKgM3DHtJvyM3zbVMH9Ab9QxbsE/xwZ9KeKGl6Hm+eNZpxM3cFiUfaGs0
+/ZjkZOB1m0MvILaplQJAXC3PJ/E+87banGZRJl5qtS6/HoX5lH9TPkL8Essy7ANO
+2BT2OTQawD1A+VKIrQHXs085Of8tQUfrfHHt7s3Kqg==
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/remote-threaded.tdir/bad_server.pem b/testdata/remote-threaded.tdir/bad_server.pem
new file mode 100644
index 000000000000..983247ac73bd
--- /dev/null
+++ b/testdata/remote-threaded.tdir/bad_server.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmzCCAQQCCQCDugnhq8B6LzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkyNjEyMjQ0M1oXDTI4MDYxMzEyMjQ0M1owEjEQMA4GA1UE
+AxMHdW5ib3VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvYbqzRwbQe0B
+RLjyTpwspVFlBdv1Et7/ckEEF57LblzEF0Wqtdbr4i5sGhrq1fbZ4F+fRyE7AU++
+DUK7RSnxAy1Yi65tmqwDPTs7J+LZ799B1z0Q41DnNTNOUO1M42kqzr/k5DxKsobV
+Mmj9Q2KNG3Jm8bUpGHNmRFgsIT5JVMECAwEAATANBgkqhkiG9w0BAQUFAAOBgQCy
+zGMW35/9xXoEWsuLFWUOaEKVq5DXuXtXbcMpDW6k2ELoraa305vh7Zwhj5JSqfcm
+O0xyqIzXvz/cYdyOTgEkdMDZ/EvQsxKTwvj6eA4614yB1r3Ju5eZd4Gpo6BHhSpu
+oqsrr0duJ+JOANTyaBplIxM1sjHbR4FGtmrFknBYBQ==
+-----END CERTIFICATE-----
diff --git a/testdata/remote-threaded.tdir/remote-threaded.conf b/testdata/remote-threaded.tdir/remote-threaded.conf
new file mode 100644
index 000000000000..da9fee1de1ba
--- /dev/null
+++ b/testdata/remote-threaded.tdir/remote-threaded.conf
@@ -0,0 +1,25 @@
+server:
+	verbosity: 2
+	num-threads: 4
+	outgoing-range: 16
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+remote-control:
+	control-enable: yes
+	control-interface: 127.0.0.1
+	# control-interface: ::1
+	control-port: @CONTROL_PORT@
+	server-key-file: "unbound_server.key"
+	server-cert-file: "unbound_server.pem"
+	control-key-file: "unbound_control.key"
+	control-cert-file: "unbound_control.pem"
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
diff --git a/testdata/remote-threaded.tdir/remote-threaded.dsc b/testdata/remote-threaded.tdir/remote-threaded.dsc
new file mode 100644
index 000000000000..b3aeebac141a
--- /dev/null
+++ b/testdata/remote-threaded.tdir/remote-threaded.dsc
@@ -0,0 +1,16 @@
+BaseName: remote-threaded
+Version: 1.0
+Description: remote control test with thread communication
+CreationDate: Wed Dec  3 15:00:38 CET 2008
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: remote-threaded.pre
+Post: remote-threaded.post
+Test: remote-threaded.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/remote-threaded.tdir/remote-threaded.post b/testdata/remote-threaded.tdir/remote-threaded.post
new file mode 100644
index 000000000000..4cccd9a8b6ba
--- /dev/null
+++ b/testdata/remote-threaded.tdir/remote-threaded.post
@@ -0,0 +1,13 @@
+# #-- remote-threaded.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+# unbound stopped by test (if successful)
+kill $UNBOUND_PID >/dev/null 2>&1
+kill $UNBOUND_PID >/dev/null 2>&1
+exit 0
diff --git a/testdata/remote-threaded.tdir/remote-threaded.pre b/testdata/remote-threaded.tdir/remote-threaded.pre
new file mode 100644
index 000000000000..76dc6b2492ae
--- /dev/null
+++ b/testdata/remote-threaded.tdir/remote-threaded.pre
@@ -0,0 +1,33 @@
+# #-- remote-threaded.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 3
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+CONTROL_PORT=$(($RND_PORT + 2))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT remote-threaded.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < remote-threaded.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/remote-threaded.tdir/remote-threaded.test b/testdata/remote-threaded.tdir/remote-threaded.test
new file mode 100644
index 000000000000..7392fa9097ca
--- /dev/null
+++ b/testdata/remote-threaded.tdir/remote-threaded.test
@@ -0,0 +1,308 @@
+# #-- remote-threaded.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+
+# exit value is 1 on usage
+$PRE/unbound-control -h
+if test $? -ne 1; then
+	echo "wrong exit value for usage."
+	exit 1
+else
+	echo "exit value for usage: OK"
+fi
+
+# use lock-verify if possible
+
+# test if the server is up.
+echo "> dig www.example.com."
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+# exit value is 1 when a bad command is given.
+echo "$PRE/unbound-control -c ub.conf blablargh"
+$PRE/unbound-control -c ub.conf blablargh
+if test $? -ne 1; then
+	echo "wrong exit value on error."
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	exit 1
+else
+	echo "correct exit value on error"
+fi
+
+# reload the server. test if the server came up by putting a new
+# local-data element in the server.
+echo "server: local-data: 'afterreload. IN A 5.6.7.8'" >> ub.conf
+echo "$PRE/unbound-control -c ub.conf reload"
+$PRE/unbound-control -c ub.conf reload
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+
+echo "> dig afterreload."
+dig @127.0.0.1 -p $UNBOUND_PORT afterreload. | tee outfile
+echo "> check answer"
+if grep "5.6.7.8" outfile; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+# must have had queries now.  1 since reload.
+echo "$PRE/unbound-control -c ub.conf stats"
+$PRE/unbound-control -c ub.conf stats > tmp.$$
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+if grep "^total.num.queries=[1-9][0-9]*$" tmp.$$; then
+	echo "OK"
+else
+	echo "bad stats"
+	cat tmp.$$
+	exit 1
+fi
+
+# verbosity
+echo "$PRE/unbound-control -c ub.conf verbosity 4"
+$PRE/unbound-control -c ub.conf verbosity 4
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+
+# check syntax error in parse 
+echo "$PRE/unbound-control -c ub.conf verbosity jkdf"
+$PRE/unbound-control -c ub.conf verbosity jkdf
+if test $? -ne 1; then
+	echo "wrong exit value after failure"
+	exit 1
+fi
+
+# check bad credentials
+cp ub.conf bad.conf
+echo "remote-control:" >> bad.conf
+echo "	server-key-file: bad_server.key" >> bad.conf
+echo "	server-cert-file: bad_server.pem" >> bad.conf
+echo "	control-key-file: bad_control.key" >> bad.conf
+echo "	control-cert-file: bad_control.pem" >> bad.conf
+echo "$PRE/unbound-control -c bad.conf verbosity 2"
+$PRE/unbound-control -c bad.conf verbosity 2
+if test $? -ne 1; then
+	echo "wrong exit value after failure"
+	exit 1
+fi
+
+# create a new local zone
+echo "> test of local zone"
+echo "$PRE/unbound-control -c ub.conf local_zone example.net static"
+$PRE/unbound-control -c ub.conf local_zone example.net static
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+echo "$PRE/unbound-control -c ub.conf local_data www.example.net A 192.0.2.1"
+$PRE/unbound-control -c ub.conf local_data www.example.net A 192.0.2.1
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+
+# check that www.example.net exists
+echo "> dig www.example.net."
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.net. | tee outfile
+echo "> check answer"
+if grep "192.0.2.1" outfile; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+# check that mail.example.net has nxdomain
+echo "> dig mail.example.net."
+dig @127.0.0.1 -p $UNBOUND_PORT mail.example.net. | tee outfile
+echo "> check answer"
+if grep "NXDOMAIN" outfile; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+# remove www.example.net - check it gets nxdomain
+echo "$PRE/unbound-control -c ub.conf local_data_remove www.example.net"
+$PRE/unbound-control -c ub.conf local_data_remove www.example.net
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+echo "> dig www.example.net."
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.net. | tee outfile
+echo "> check answer"
+if grep "NXDOMAIN" outfile; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+# remove example.net - check its gone.
+echo "$PRE/unbound-control -c ub.conf local_zone_remove example.net"
+$PRE/unbound-control -c ub.conf local_zone_remove example.net
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+echo "> dig www.example.net."
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.net. | tee outfile
+echo "> check answer"
+if grep "SERVFAIL" outfile; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+# dump the cache
+echo "> test cache dump"
+# fillup cache
+echo "dig www.example.com"
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com.
+echo "$PRE/unbound-control -c ub.conf dump_cache"
+$PRE/unbound-control -c ub.conf dump_cache > tmp.$$
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+cat tmp.$$
+# we do not look at content. Only thread 0 content.
+# because it may not be there when it is compiled with processes only.
+if grep MSG_CACHE tmp.$$; then
+	echo "OK this is a cache dump"
+else
+	echo "Not OK cache dump"
+	exit 1
+fi
+
+# test lookup 
+echo "$PRE/unbound-control -c ub.conf lookup www.example.com"
+$PRE/unbound-control -c ub.conf lookup www.example.com
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+# answer to lookup is meaningless because of use a forwarder, oh well.
+
+# load the cache dump.
+echo "$PRE/unbound-control -c ub.conf load_cache < tmp.$$"
+$PRE/unbound-control -c ub.conf load_cache < tmp.$$
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+# do not check if cache dump contents are present ; other threads
+# may not have gotten it when it is compiled with processes only.
+
+# flushing
+echo "$PRE/unbound-control -c ub.conf flush www.example.net"
+$PRE/unbound-control -c ub.conf flush www.example.net
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+
+echo "$PRE/unbound-control -c ub.conf flush_type www.example.net TXT"
+$PRE/unbound-control -c ub.conf flush_type www.example.net TXT
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+
+echo "$PRE/unbound-control -c ub.conf flush_zone example.net"
+$PRE/unbound-control -c ub.conf flush_zone example.net
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+
+# now stop the server
+echo "$PRE/unbound-control -c ub.conf stop"
+$PRE/unbound-control -c ub.conf stop
+if test $? -ne 0; then
+	echo "wrong exit value after success"
+	exit 1
+fi
+# see if the server has really exited.
+TRY_MAX=20
+for (( try=0 ; try <= $TRY_MAX ; try++ )) ; do
+	if kill -0 $UNBOUND_PID 2>&1 | tee tmp.$$; then
+		echo "not stopped yet, waiting"
+		sleep 1
+	else
+		echo "stopped OK; break"
+		break;
+	fi
+	if grep "No such process" tmp.$$; then
+		echo "stopped OK; break"
+		break;
+	fi
+done
+if kill -0 $UNBOUND_PID; then
+	echo "still up!"
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "not stopped, failure"
+	exit 1
+else
+	echo "stopped OK"
+
+        if test -f ublocktrace.0; then
+		if $PRE/lock-verify ublocktrace.*; then
+			echo "lock-verify test worked."
+		else
+			echo "lock-verify test failed."
+			cat fwd.log 
+			cat unbound.log
+			exit 1
+		fi
+	fi
+fi
+
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> OK"
+exit 0
diff --git a/testdata/remote-threaded.tdir/remote-threaded.testns b/testdata/remote-threaded.tdir/remote-threaded.testns
new file mode 100644
index 000000000000..0c911ca5b30e
--- /dev/null
+++ b/testdata/remote-threaded.tdir/remote-threaded.testns
@@ -0,0 +1,22 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA SERVFAIL
+ADJUST copy_id
+SECTION QUESTION
+www.example.net.	IN	A
+ENTRY_END
+
diff --git a/testdata/remote-threaded.tdir/unbound_control.key b/testdata/remote-threaded.tdir/unbound_control.key
new file mode 100644
index 000000000000..d7c43a06bb58
--- /dev/null
+++ b/testdata/remote-threaded.tdir/unbound_control.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDD6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBa
+rzPA0vlyuNtUsEN3qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvH
+ST6JwUdIg0Lzg/USJ81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQAB
+AoGAFT3e35MIgI4uDJJ8X0RfHp2NCO2LUg4TKbWical/C0W9vlR1/x80G1pE1d2Z
+WotqJVWTrOq6eBox19RCgtLg2wPGk9uD62+9SDT37heWFlUCElWq50pQG6k9ThiG
+DDypkZyZ/52+DdWybiaQJkuK6O5qQXuNAtVJMpghu4GnHAECQQDsupnZUQDpapzr
+4FC4MSkL2+A1PRt6g4VhwoqOpJXaHfVnH6F7AwUuOLNwGdR5Cvv70pfJ7Jqg8L2m
+Kxyl5bORAkEA09rn34YQ0pHJdHidbl2kInIuYTz09+TO3LWwan17nISH9aaYvVDr
+p9x1B4Qzw9qyxT9oll7ze/5Rw/7C3AQj4QJAT2B2a+b8bkgAXBs4FbruL3rHoDJg
+P2FQXSpVOWU4lg2LlsuFYvDtUMVUbZdLplanjZXcral3Y9W1Ub2M+ped8QJAYQN+
+aRpge7ys7vwIw7B36Bo3aOncF+ScYe+FkM5Tm7II/JHEofT7ZQwMP1vnxIlSkgbe
+YvWqNB6a3NC99LikoQJBAM4UhDdRg63Tr6Idky6CQaH///zAN7nArJfffKGWFdw9
+DKrWpNqvYZtX/cfEJucKcRCm5YL8CKFYbQy4VoCxUcE=
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/remote-threaded.tdir/unbound_control.pem b/testdata/remote-threaded.tdir/unbound_control.pem
new file mode 100644
index 000000000000..8f1ba87f1cdd
--- /dev/null
+++ b/testdata/remote-threaded.tdir/unbound_control.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBozCCAQwCCQD6XaN6FzW/4DANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowGjEYMBYGA1UE
+AxMPdW5ib3VuZC1jb250cm9sMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD
+6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBarzPA0vlyuNtUsEN3
+qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvHST6JwUdIg0Lzg/US
+J81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQABMA0GCSqGSIb3DQEB
+BQUAA4GBAGFAXmaQHuFgAuc6HVhYZJdToxLBhfxGpot4oZNjcb1Cdoz3OL34MU1B
+9E5psj2PpGPIi8/RwoqBtAJHJ+J5cWngo03o4ZmdwKNSzaxlp141z/3rUtFqEHEC
+iO6gPCT3U7dt6MyC7r6vdMqyW6aldP3CtwD0gQziKAMoj+TAfAcq
+-----END CERTIFICATE-----
diff --git a/testdata/remote-threaded.tdir/unbound_server.key b/testdata/remote-threaded.tdir/unbound_server.key
new file mode 100644
index 000000000000..4256c421dd0d
--- /dev/null
+++ b/testdata/remote-threaded.tdir/unbound_server.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQC3F7Jsv2u01pLL9rFnjsMU/IaCFUIz/624DcaE84Z4gjMl5kWA
+3axQcqul1wlwSrbKwrony+d9hH/+MX0tZwvl8w3OmhmOAiaQ+SHCsIuOjVwQjX0s
+RLB61Pz5+PAiVvnPa9JIYB5QrK6DVEsxIHj8MOc5JKORrnESsFDh6yeMeQIDAQAB
+AoGAAuWoGBprTOA8UGfl5LqYkaNxSWumsYXxLMFjC8WCsjN1NbtQDDr1uAwodSZS
+6ujzvX+ZTHnofs7y64XC8k34HTOCD2zlW7kijWbT8YjRYFU6o9F5zUGD9RCan0ds
+sVscT2psLSzfdsmFAcbmnGdxYkXk2PC1FHtaqExxehralGUCQQDcqrg9uQKXlhQi
+XAaPr8SiWvtRm2a9IMMZkRfUWZclPHq6fCWNuUaCD+cTat4wAuqeknAz33VEosw3
+fXGsok//AkEA1GjIHXrOcSlpfVJb6NeOBugjRtZ7ZDT5gbtnMS9ob0qntKV6saaL
+CNmJwuD9Q3XkU5j1+uHvYGP2NzcJd2CjhwJACV0hNlVMe9w9fHvFN4Gw6WbM9ViP
+0oS6YrJafYNTu5vGZXVxLoNnL4u3NYa6aPUmuZXjNwBLfJ8f5VboZPf6RwJAINd2
+oYA8bSi/A755MX4qmozH74r4Fx1Nuq5UHTm8RwDe/0Javx8F/j9MWpJY9lZDEF3l
+In5OebPa/NyInSmW/wJAZuP9aRn0nDBkHYri++1A7NykMiJ/nH0mDECbnk+wxx0S
+LwqIetBhxb8eQwMg45+iAH7CHAMQ8BQuF/nFE6eotg==
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/remote-threaded.tdir/unbound_server.pem b/testdata/remote-threaded.tdir/unbound_server.pem
new file mode 100644
index 000000000000..aeda3ff11882
--- /dev/null
+++ b/testdata/remote-threaded.tdir/unbound_server.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmzCCAQQCCQDsNJ1UmphEFzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowEjEQMA4GA1UE
+AxMHdW5ib3VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtxeybL9rtNaS
+y/axZ47DFPyGghVCM/+tuA3GhPOGeIIzJeZFgN2sUHKrpdcJcEq2ysK6J8vnfYR/
+/jF9LWcL5fMNzpoZjgImkPkhwrCLjo1cEI19LESwetT8+fjwIlb5z2vSSGAeUKyu
+g1RLMSB4/DDnOSSjka5xErBQ4esnjHkCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAZ
+9N0lnLENs4JMvPS+mn8C5m9bkkFITd32IiLjf0zgYpIUbFXH6XaEr9GNZBUG8feG
+l/6WRXnbnVSblI5odQ4XxGZ9inYY6qtW30uv76HvoKp+QZ1c3460ddR8NauhcCHH
+Z7S+QbLXi+r2JAhpPozZCjBHlRD0ixzA1mKQTJhJZg==
+-----END CERTIFICATE-----
diff --git a/testdata/remote-threaded.tpkg b/testdata/remote-threaded.tpkg
deleted file mode 100644
index 0e614d87a9b6..000000000000
--- a/testdata/remote-threaded.tpkg
+++ /dev/null
diff --git a/testdata/root_anchor.tdir/root_anchor.dsc b/testdata/root_anchor.tdir/root_anchor.dsc
new file mode 100644
index 000000000000..daf231da58de
--- /dev/null
+++ b/testdata/root_anchor.tdir/root_anchor.dsc
@@ -0,0 +1,16 @@
+BaseName: root_anchor
+Version: 1.0
+Description: check if root anchor has changed.
+CreationDate: Tue Sep 28 12:43:09 CEST 2010
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre:
+Post:
+Test: root_anchor.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/root_anchor.tdir/root_anchor.test b/testdata/root_anchor.tdir/root_anchor.test
new file mode 100644
index 000000000000..8be248ab9e12
--- /dev/null
+++ b/testdata/root_anchor.tdir/root_anchor.test
@@ -0,0 +1,51 @@
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+
+# only do this test if the network is up.
+echo "is the net up?"
+if dig @k.root-servers.net . SOA 2>&1 | grep NOERROR ; then
+	echo yes
+else
+	echo no
+	exit 0
+fi
+
+# test that unbound-anchor, its builtin DNSKEY, works.
+# so the https is disabled (go to 127.0.0.1@10099).
+$PRE/unbound-anchor -u "127.0.0.1" -P 10099 -a test.ds -v
+# check that the test.ds file is OK.
+if $PRE/unbound-host -f test.ds -t SOA -v . 2>&1 | grep "(secure)"; then
+	echo "The builtin DS root anchors work"
+else
+	echo "The builtin DS root anchors do not work"
+	exit 1
+fi
+
+echo ""
+# test that unbound-anchor, the builtin certificate, works
+# so, force https with -F and the -c is a nonexistant file
+$PRE/unbound-anchor -a test.cert -c test.pem -v -F
+# check that the test.cert file is OK.
+if $PRE/unbound-host -f test.cert -t SOA -v . 2>&1 | grep "(secure)"; then
+	echo "The builtin root update certificate works"
+else
+	echo "The builtin root update certificate does not work"
+	exit 1
+fi
+
+# use curl to see if the PGP certificate has been updated.
+curl --time-cond "20170203 10:00:00" https://data.iana.org/root-anchors/icannbundle.pem > newcert
+if test -n "`cat newcert`"; then
+	echo "icannbundle.pem has been updated"
+	cat newcert
+	echo "icannbundle.pem has been updated"
+	exit 1
+else
+	echo "icannbundle.pem has not been updated"
+fi
+
+exit 0
diff --git a/testdata/root_anchor.tpkg b/testdata/root_anchor.tpkg
deleted file mode 100644
index 98aa57e5257e..000000000000
--- a/testdata/root_anchor.tpkg
+++ /dev/null
diff --git a/testdata/root_hints.tdir/root_hints.dsc b/testdata/root_hints.tdir/root_hints.dsc
new file mode 100644
index 000000000000..5576fbaf942a
--- /dev/null
+++ b/testdata/root_hints.tdir/root_hints.dsc
@@ -0,0 +1,16 @@
+BaseName: root_hints
+Version: 1.0
+Description: check if root hints have changed.
+CreationDate: Thu Oct 22 12:42:40 CEST 2008
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre:
+Post:
+Test: root_hints.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/root_hints.tdir/root_hints.test b/testdata/root_hints.tdir/root_hints.test
new file mode 100644
index 000000000000..6ae4ec7f4677
--- /dev/null
+++ b/testdata/root_hints.tdir/root_hints.test
@@ -0,0 +1,62 @@
+# #-- 06-ianaports.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+
+# dig 9 ?
+digv=`dig -v 2>&1 | wc -l`
+if test $digv -ne 1; then
+	echo "Dig too old. skip test"
+	exit 0
+fi
+
+eval `grep ^srcdir= $PRE/Makefile`
+echo "srcdir="$srcdir
+
+# obtain list from compiled in settings:
+grep "ROOT-SERVERS.NET." $PRE/$srcdir/iterator/iter_hints.c > curlist
+echo "Current list:"
+cat curlist
+
+result="0"
+
+# dig all servers and check if same
+for rs in A.ROOT-SERVERS.NET. B.ROOT-SERVERS.NET. C.ROOT-SERVERS.NET. D.ROOT-SERVERS.NET. E.ROOT-SERVERS.NET. F.ROOT-SERVERS.NET. G.ROOT-SERVERS.NET. H.ROOT-SERVERS.NET. I.ROOT-SERVERS.NET. J.ROOT-SERVERS.NET. K.ROOT-SERVERS.NET. L.ROOT-SERVERS.NET. M.ROOT-SERVERS.NET.; do
+
+	addr4=`dig +short $rs A`
+	addr6=`dig +short $rs AAAA`
+
+	# all IP4 must be present as listed.
+	if test -z "$addr4" ; then
+		echo "$rs A is removed! It has changed!"
+		result="1"
+	fi
+	if grep $rs curlist | grep "$addr4" >/dev/null; then
+		echo "$rs is OK: A $addr4"
+	else
+		echo "$rs A now $addr4, it has changed!"
+		result="1"
+	fi
+	# if IP6 is "" then it must be "" as well in the compiled hints
+	if test -z "$addr6" ; then
+		if grep $rs curlist | grep ":" >/dev/null; then
+			echo "$rs AAAA now removed, it has changed!"
+			result="1"
+		else
+			echo $rs' is OK: AAAA ""'
+		fi
+	else
+		# root server has an IP6.
+		if grep $rs curlist | grep "$addr6" >/dev/null; then
+			echo "$rs is OK: AAAA $addr6"
+		else
+			echo "$rs AAAA now $addr6, it has changed!"
+			result="1"
+		fi
+	fi
+done
+
+exit $result
diff --git a/testdata/root_hints.tpkg b/testdata/root_hints.tpkg
deleted file mode 100644
index 9c83fc32d360..000000000000
--- a/testdata/root_hints.tpkg
+++ /dev/null
diff --git a/testdata/speed_cache.tdir/makeqs.c b/testdata/speed_cache.tdir/makeqs.c
new file mode 100644
index 000000000000..8e6179f66b21
--- /dev/null
+++ b/testdata/speed_cache.tdir/makeqs.c
@@ -0,0 +1,14 @@
+/**
+ * \file
+ * This file creates queries for the speed test
+ */
+#include <stdio.h>
+#include <stdlib.h>
+/** main program to create queries, pass the number of them. */
+int main(int argc, char** argv) {
+        int i;
+        int max = atoi(argv[1]);
+        for(i=0; i<max; i++)
+                printf("a%8.8d.example.com IN A\n", i);
+        return 0;
+}
diff --git a/testdata/speed_cache.tdir/makeqs.sh b/testdata/speed_cache.tdir/makeqs.sh
new file mode 100644
index 000000000000..aebabfcafa25
--- /dev/null
+++ b/testdata/speed_cache.tdir/makeqs.sh
@@ -0,0 +1,33 @@
+# generate query file, $1=number $2=filename.
+
+cat >makeqs.c <<EOF
+#include <stdio.h>
+#include <stdlib.h>
+int main(int argc, char** argv) {
+	int i;
+	int max = atoi(argv[1]);
+	for(i=0; i<max; i++)
+		printf("a%8.8d.example.com IN A\n", i);
+	return 0;
+}
+EOF
+
+gcc -o makeqs makeqs.c
+
+#function makeqs() {
+	#i=0
+	#echo "; generated by makeqs" > $2
+	#while test $i -lt $1; do
+		#echo "a$i.example.com IN A" >> $2
+		#i=`expr $i + 1`
+	#done
+#}
+
+./makeqs 10 > q10.txt
+cat q10.txt
+./makeqs 100 > q100.txt
+./makeqs 1000 > q1000.txt
+./makeqs 10000 > q10000.txt
+./makeqs 100000 > q100000.txt
+#./makeqs 1000000 > q1000000.txt
+#./makeqs 10000000 > q10000000.txt
diff --git a/testdata/speed_cache.tdir/speed_cache.conf b/testdata/speed_cache.tdir/speed_cache.conf
new file mode 100644
index 000000000000..64cf30b796d8
--- /dev/null
+++ b/testdata/speed_cache.tdir/speed_cache.conf
@@ -0,0 +1,17 @@
+server:
+	verbosity: 0
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+	rrset-cache-size: 100k
+	msg-cache-size: 100k
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
diff --git a/testdata/speed_cache.tdir/speed_cache.dsc b/testdata/speed_cache.tdir/speed_cache.dsc
new file mode 100644
index 000000000000..9171dd2a6115
--- /dev/null
+++ b/testdata/speed_cache.tdir/speed_cache.dsc
@@ -0,0 +1,16 @@
+BaseName: speed_cache
+Version: 1.0
+Description: Speed test with cache sizes
+CreationDate: Fri Feb 15 15:46:25 CET 2008
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: speed_cache.pre
+Post: speed_cache.post
+Test: speed_cache.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/speed_cache.tdir/speed_cache.post b/testdata/speed_cache.tdir/speed_cache.post
new file mode 100644
index 000000000000..3ca4a4b403d7
--- /dev/null
+++ b/testdata/speed_cache.tdir/speed_cache.post
@@ -0,0 +1,10 @@
+# #-- speed_cache.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
diff --git a/testdata/speed_cache.tdir/speed_cache.pre b/testdata/speed_cache.tdir/speed_cache.pre
new file mode 100644
index 000000000000..fc7906e33f40
--- /dev/null
+++ b/testdata/speed_cache.tdir/speed_cache.pre
@@ -0,0 +1,31 @@
+# #-- speed_cache.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT speed_cache.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < speed_cache.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/speed_cache.tdir/speed_cache.test b/testdata/speed_cache.tdir/speed_cache.test
new file mode 100644
index 000000000000..a45d4436c3b3
--- /dev/null
+++ b/testdata/speed_cache.tdir/speed_cache.test
@@ -0,0 +1,79 @@
+# #-- speed_cache.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+
+# make tool
+get_make
+(cd $PRE; $MAKE perf)
+
+get_gcc
+$CC -o makeqs makeqs.c
+if test $? -ne 0; then
+	echo "could not compile makeqs"
+	exit 1
+fi
+
+./makeqs 10 > q10.txt
+cat q10.txt
+./makeqs 100 > q100.txt
+./makeqs 1000 > q1000.txt
+./makeqs 10000 > q10000.txt
+#./makeqs 100000 > q100000.txt
+#./makeqs 1000000 > q1000000.txt
+#./makeqs 10000000 > q10000000.txt
+
+# seconds per test
+dur=1
+
+# do the test
+echo "> perf test ldns-testns"
+$PRE/perf -d $dur -a "www.example.com IN A" 127.0.0.1@$FWD_PORT 2>&1 | tee outfile
+
+echo "> perf test cache-1"
+$PRE/perf -d $dur -a "www.example.com IN A" 127.0.0.1@$UNBOUND_PORT 2>&1 | tee outfile
+echo -n "cache-size-1  	" >> ../.perfstats.txt
+grep "average qps" outfile >> ../.perfstats.txt
+
+# with $1=number $2=pretty-str $3=queryfile
+function perfnum() {
+	echo ""
+	echo "> perf test $1 $2"
+	$PRE/perf -d $dur -f $3 127.0.0.1@$UNBOUND_PORT 2>&1 | tee outfile
+	if test -n "$2"; then
+		echo -n "$2	" >> ../.perfstats.txt
+		grep "average qps" outfile >> ../.perfstats.txt
+	fi
+}
+
+function perftns() {
+	echo ""
+	echo "> perf testns $1 $2"
+	$PRE/perf -d $dur -f $3 127.0.0.1@$FWD_PORT 2>&1 | tee outfile
+}
+
+#perfnum 10 "" q10.txt
+perfnum 100 "cache-suffices" q100.txt
+#perfnum 1000 "" q1000.txt
+perfnum 10000 "cache-toosmall" q10000.txt
+#perfnum 100000 "100k" q100000.txt
+#perfnum 1000000 "1m" q1000000.txt
+#perfnum 1000000 "10m" q10000000.txt
+
+#perftns 10 "10" q10.txt
+#perftns 100 "100" q100.txt
+perftns 1000 "1k" q1000.txt
+#perftns 10000 "10k" q10000.txt
+#perftns 100000 "100k" q100000.txt
+#perftns 1000000 "1m" q1000000.txt
+#perftns 1000000 "10m" q10000000.txt
+
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+rm -f q*.txt
+exit 0
diff --git a/testdata/speed_cache.tdir/speed_cache.testns b/testdata/speed_cache.tdir/speed_cache.testns
new file mode 100644
index 000000000000..1293c24b0150
--- /dev/null
+++ b/testdata/speed_cache.tdir/speed_cache.testns
@@ -0,0 +1,14 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype
+REPLY QR AA NOERROR
+ADJUST copy_id copy_query
+SECTION QUESTION
+www	IN	A
+SECTION AUTHORITY
+@	IN	SOA	ns hostmaster 2008021401 1800 900 604800 86400
+ENTRY_END
+
diff --git a/testdata/speed_cache.tpkg b/testdata/speed_cache.tpkg
deleted file mode 100644
index bade5288b3a4..000000000000
--- a/testdata/speed_cache.tpkg
+++ /dev/null
diff --git a/testdata/speed_local.tdir/speed_local.conf b/testdata/speed_local.tdir/speed_local.conf
new file mode 100644
index 000000000000..bfc10071272f
--- /dev/null
+++ b/testdata/speed_local.tdir/speed_local.conf
@@ -0,0 +1,15 @@
+server:
+	verbosity: 1
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
diff --git a/testdata/speed_local.tdir/speed_local.dsc b/testdata/speed_local.tdir/speed_local.dsc
new file mode 100644
index 000000000000..7b4076fb73ea
--- /dev/null
+++ b/testdata/speed_local.tdir/speed_local.dsc
@@ -0,0 +1,16 @@
+BaseName: speed_local
+Version: 1.0
+Description: Speed test with localhost query.
+CreationDate: Thu Feb 14 16:51:55 CET 2008
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: speed_local.pre
+Post: speed_local.post
+Test: speed_local.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/speed_local.tdir/speed_local.post b/testdata/speed_local.tdir/speed_local.post
new file mode 100644
index 000000000000..dc88245eb7fd
--- /dev/null
+++ b/testdata/speed_local.tdir/speed_local.post
@@ -0,0 +1,9 @@
+# #-- speed_local.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $UNBOUND_PID
diff --git a/testdata/speed_local.tdir/speed_local.pre b/testdata/speed_local.tdir/speed_local.pre
new file mode 100644
index 000000000000..712fde6ae4bb
--- /dev/null
+++ b/testdata/speed_local.tdir/speed_local.pre
@@ -0,0 +1,23 @@
+# #-- speed_local.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < speed_local.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_unbound_up unbound.log
+
diff --git a/testdata/speed_local.tdir/speed_local.test b/testdata/speed_local.tdir/speed_local.test
new file mode 100644
index 000000000000..684b3c52251b
--- /dev/null
+++ b/testdata/speed_local.tdir/speed_local.test
@@ -0,0 +1,43 @@
+# #-- speed_local.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+get_make
+(cd $PRE; $MAKE perf)
+
+echo "> perf version.server"
+$PRE/perf -d 1 -a "version.server CH TXT -" 127.0.0.1@$UNBOUND_PORT 2>&1 | 
+tee outfile
+
+echo -n "version-server	" > line.txt
+if grep "average qps" outfile >> line.txt 2>&1; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+
+echo "> perf localhost"
+$PRE/perf -d 1 -a "localhost IN A -" 127.0.0.1@$UNBOUND_PORT 2>&1 | 
+tee outfile
+
+echo -n "localhost-addr	" >> line.txt
+if grep "average qps" outfile >> line.txt 2>&1; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+cat line.txt >> ../.perfstats.txt
+
+exit 0
diff --git a/testdata/speed_local.tdir/speed_local.testns b/testdata/speed_local.tdir/speed_local.testns
new file mode 100644
index 000000000000..f2a700cc7daf
--- /dev/null
+++ b/testdata/speed_local.tdir/speed_local.testns
@@ -0,0 +1,14 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
diff --git a/testdata/speed_local.tpkg b/testdata/speed_local.tpkg
deleted file mode 100644
index 572f60cf14ca..000000000000
--- a/testdata/speed_local.tpkg
+++ /dev/null
diff --git a/testdata/stat_timer.tdir/stat_timer.conf b/testdata/stat_timer.tdir/stat_timer.conf
new file mode 100644
index 000000000000..8245647294b1
--- /dev/null
+++ b/testdata/stat_timer.tdir/stat_timer.conf
@@ -0,0 +1,16 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+	statistics-interval: 1
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
+
diff --git a/testdata/stat_timer.tdir/stat_timer.dsc b/testdata/stat_timer.tdir/stat_timer.dsc
new file mode 100644
index 000000000000..3d6f23e71e32
--- /dev/null
+++ b/testdata/stat_timer.tdir/stat_timer.dsc
@@ -0,0 +1,16 @@
+BaseName: stat_timer
+Version: 1.0
+Description: Test statistics-interval timer.
+CreationDate: Tue Feb  5 14:41:10 CET 2008
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: stat_timer.pre
+Post: stat_timer.post
+Test: stat_timer.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/stat_timer.tdir/stat_timer.post b/testdata/stat_timer.tdir/stat_timer.post
new file mode 100644
index 000000000000..0a9d9ac5bd17
--- /dev/null
+++ b/testdata/stat_timer.tdir/stat_timer.post
@@ -0,0 +1,11 @@
+# #-- stat_timer.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
+
diff --git a/testdata/stat_timer.tdir/stat_timer.pre b/testdata/stat_timer.tdir/stat_timer.pre
new file mode 100644
index 000000000000..284e1106d58a
--- /dev/null
+++ b/testdata/stat_timer.tdir/stat_timer.pre
@@ -0,0 +1,31 @@
+# #-- stat_timer.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT stat_timer.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < stat_timer.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/stat_timer.tdir/stat_timer.test b/testdata/stat_timer.tdir/stat_timer.test
new file mode 100644
index 000000000000..8a84c3f41d17
--- /dev/null
+++ b/testdata/stat_timer.tdir/stat_timer.test
@@ -0,0 +1,40 @@
+# #-- stat_timer.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# test if unbound is up 
+echo "> dig www.example.com."
+dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+# wait for statistics timer to go off a couple times.
+sleep 5
+
+n=`grep "server stats" unbound.log | wc | awk '{print $1}'`
+echo "counted $n stat lines"
+if test $n -gt 6; then
+	echo "OK"
+else
+	echo "> cat logfiles"
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+exit 0
diff --git a/testdata/stat_timer.tdir/stat_timer.testns b/testdata/stat_timer.tdir/stat_timer.testns
new file mode 100644
index 000000000000..f2a700cc7daf
--- /dev/null
+++ b/testdata/stat_timer.tdir/stat_timer.testns
@@ -0,0 +1,14 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
diff --git a/testdata/stat_timer.tpkg b/testdata/stat_timer.tpkg
deleted file mode 100644
index 982e698829ab..000000000000
--- a/testdata/stat_timer.tpkg
+++ /dev/null
diff --git a/testdata/stream_ssl.tdir/stream_ssl.clie.conf b/testdata/stream_ssl.tdir/stream_ssl.clie.conf
new file mode 100644
index 000000000000..f62af1a86f45
--- /dev/null
+++ b/testdata/stream_ssl.tdir/stream_ssl.clie.conf
@@ -0,0 +1,17 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @CLIEPORT@
+	use-syslog: no
+	directory: .
+	pidfile: "unbound-clie.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+
+	ssl-upstream: yes
+
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@SERVPORT@"
diff --git a/testdata/stream_ssl.tdir/stream_ssl.dsc b/testdata/stream_ssl.tdir/stream_ssl.dsc
new file mode 100644
index 000000000000..ee79484ece6c
--- /dev/null
+++ b/testdata/stream_ssl.tdir/stream_ssl.dsc
@@ -0,0 +1,16 @@
+BaseName: stream_ssl
+Version: 1.0
+Description: Stream queries over SSL channel.
+CreationDate: Wed Nov  9 14:02:31 CET 2011
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: stream_ssl.pre
+Post: stream_ssl.post
+Test: stream_ssl.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/stream_ssl.tdir/stream_ssl.post b/testdata/stream_ssl.tdir/stream_ssl.post
new file mode 100644
index 000000000000..4cdbe726710f
--- /dev/null
+++ b/testdata/stream_ssl.tdir/stream_ssl.post
@@ -0,0 +1,10 @@
+# #-- stream_ssl.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $UNBOUNDSERV_PID
+kill_pid $UNBOUNDCLIE_PID
diff --git a/testdata/stream_ssl.tdir/stream_ssl.pre b/testdata/stream_ssl.tdir/stream_ssl.pre
new file mode 100644
index 000000000000..200d27cf61a2
--- /dev/null
+++ b/testdata/stream_ssl.tdir/stream_ssl.pre
@@ -0,0 +1,29 @@
+# #-- stream_ssl.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+SERV_PORT=$RND_PORT
+CLIE_PORT=$(($RND_PORT + 1))
+echo "SERV_PORT=$SERV_PORT" >> .tpkg.var.test
+echo "CLIE_PORT=$CLIE_PORT" >> .tpkg.var.test
+
+# make config files
+sed -e 's/@SERVPORT\@/'$SERV_PORT'/' -e 's/@CLIEPORT\@/'$CLIE_PORT'/' < stream_ssl.serv.conf > ubserv.conf
+sed -e 's/@SERVPORT\@/'$SERV_PORT'/' -e 's/@CLIEPORT\@/'$CLIE_PORT'/' < stream_ssl.clie.conf > ubclie.conf
+
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -v -v -v -v -c ubserv.conf >unboundserv.log 2>&1 &
+UNBOUNDSERV_PID=$!
+echo "UNBOUNDSERV_PID=$UNBOUNDSERV_PID" >> .tpkg.var.test
+$PRE/unbound -d -v -v -v -v -c ubclie.conf >unboundclie.log 2>&1 &
+UNBOUNDCLIE_PID=$!
+echo "UNBOUNDCLIE_PID=$UNBOUNDCLIE_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_unbound_up unboundserv.log
+wait_unbound_up unboundclie.log
diff --git a/testdata/stream_ssl.tdir/stream_ssl.serv.conf b/testdata/stream_ssl.tdir/stream_ssl.serv.conf
new file mode 100644
index 000000000000..9dd169ff78bf
--- /dev/null
+++ b/testdata/stream_ssl.tdir/stream_ssl.serv.conf
@@ -0,0 +1,20 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @SERVPORT@
+	use-syslog: no
+	directory: .
+	pidfile: "unbound-serv.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: yes
+	local-data: "www.example.com. IN A 10.20.30.40"
+	ssl-port: @SERVPORT@
+	ssl-service-key: "unbound_server.key"
+	ssl-service-pem: "unbound_server.pem"
+
+# no other queries should reach here.
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1"
diff --git a/testdata/stream_ssl.tdir/stream_ssl.test b/testdata/stream_ssl.tdir/stream_ssl.test
new file mode 100644
index 000000000000..08bbcdee9205
--- /dev/null
+++ b/testdata/stream_ssl.tdir/stream_ssl.test
@@ -0,0 +1,74 @@
+# #-- stream_ssl.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+get_make
+(cd $PRE; $MAKE streamtcp)
+
+# first test streamtcp against the server unbound.
+echo "> streamtcp -s www.example.com A IN"
+$PRE/streamtcp -s -f 127.0.0.1@$SERV_PORT www.example.com. A IN >outfile 2>&1
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	echo "SSLSERVICE"
+	cat unboundserv.log
+	echo "SSLCLIENT"
+	cat unboundclie.log
+	echo "Not OK"
+	exit 1
+else
+	echo "exit status OK"
+fi
+echo "> cat logfiles"
+cat outfile
+echo "SSLSERVICE"
+cat unboundserv.log
+echo "SSLCLIENT"
+cat unboundclie.log
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+rm -f outfile
+
+# test client unbound (no SSL towards it, but it does SSL to the SSL service)
+echo "> dig www.example.com A IN"
+dig @127.0.0.1 -p $CLIE_PORT www.example.com. >outfile 2>&1
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	echo "SSLSERVICE"
+	cat unboundserv.log
+	echo "SSLCLIENT"
+	cat unboundclie.log
+	echo "Not OK"
+	exit 1
+else
+	echo "exit status OK"
+fi
+echo "> cat logfiles"
+cat outfile
+echo "SSLSERVICE"
+cat unboundserv.log
+echo "SSLCLIENT"
+cat unboundclie.log
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/stream_ssl.tdir/unbound_control.key b/testdata/stream_ssl.tdir/unbound_control.key
new file mode 100644
index 000000000000..d7c43a06bb58
--- /dev/null
+++ b/testdata/stream_ssl.tdir/unbound_control.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDD6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBa
+rzPA0vlyuNtUsEN3qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvH
+ST6JwUdIg0Lzg/USJ81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQAB
+AoGAFT3e35MIgI4uDJJ8X0RfHp2NCO2LUg4TKbWical/C0W9vlR1/x80G1pE1d2Z
+WotqJVWTrOq6eBox19RCgtLg2wPGk9uD62+9SDT37heWFlUCElWq50pQG6k9ThiG
+DDypkZyZ/52+DdWybiaQJkuK6O5qQXuNAtVJMpghu4GnHAECQQDsupnZUQDpapzr
+4FC4MSkL2+A1PRt6g4VhwoqOpJXaHfVnH6F7AwUuOLNwGdR5Cvv70pfJ7Jqg8L2m
+Kxyl5bORAkEA09rn34YQ0pHJdHidbl2kInIuYTz09+TO3LWwan17nISH9aaYvVDr
+p9x1B4Qzw9qyxT9oll7ze/5Rw/7C3AQj4QJAT2B2a+b8bkgAXBs4FbruL3rHoDJg
+P2FQXSpVOWU4lg2LlsuFYvDtUMVUbZdLplanjZXcral3Y9W1Ub2M+ped8QJAYQN+
+aRpge7ys7vwIw7B36Bo3aOncF+ScYe+FkM5Tm7II/JHEofT7ZQwMP1vnxIlSkgbe
+YvWqNB6a3NC99LikoQJBAM4UhDdRg63Tr6Idky6CQaH///zAN7nArJfffKGWFdw9
+DKrWpNqvYZtX/cfEJucKcRCm5YL8CKFYbQy4VoCxUcE=
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/stream_ssl.tdir/unbound_control.pem b/testdata/stream_ssl.tdir/unbound_control.pem
new file mode 100644
index 000000000000..8f1ba87f1cdd
--- /dev/null
+++ b/testdata/stream_ssl.tdir/unbound_control.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBozCCAQwCCQD6XaN6FzW/4DANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowGjEYMBYGA1UE
+AxMPdW5ib3VuZC1jb250cm9sMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD
+6DogNCsSeEa1u99+6PUVbGzjMzzei9MIK6s94+zcpp7OAOBarzPA0vlyuNtUsEN3
+qwPomQQQmIgbT7OXkzC1wqioxwa609xoL8oW/I7e336rEyvHST6JwUdIg0Lzg/US
+J81eTwMnzYSd4Bpsqr9eP33ubaR7Gh/6o76loLOlcQIDAQABMA0GCSqGSIb3DQEB
+BQUAA4GBAGFAXmaQHuFgAuc6HVhYZJdToxLBhfxGpot4oZNjcb1Cdoz3OL34MU1B
+9E5psj2PpGPIi8/RwoqBtAJHJ+J5cWngo03o4ZmdwKNSzaxlp141z/3rUtFqEHEC
+iO6gPCT3U7dt6MyC7r6vdMqyW6aldP3CtwD0gQziKAMoj+TAfAcq
+-----END CERTIFICATE-----
diff --git a/testdata/stream_ssl.tdir/unbound_server.key b/testdata/stream_ssl.tdir/unbound_server.key
new file mode 100644
index 000000000000..4256c421dd0d
--- /dev/null
+++ b/testdata/stream_ssl.tdir/unbound_server.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQC3F7Jsv2u01pLL9rFnjsMU/IaCFUIz/624DcaE84Z4gjMl5kWA
+3axQcqul1wlwSrbKwrony+d9hH/+MX0tZwvl8w3OmhmOAiaQ+SHCsIuOjVwQjX0s
+RLB61Pz5+PAiVvnPa9JIYB5QrK6DVEsxIHj8MOc5JKORrnESsFDh6yeMeQIDAQAB
+AoGAAuWoGBprTOA8UGfl5LqYkaNxSWumsYXxLMFjC8WCsjN1NbtQDDr1uAwodSZS
+6ujzvX+ZTHnofs7y64XC8k34HTOCD2zlW7kijWbT8YjRYFU6o9F5zUGD9RCan0ds
+sVscT2psLSzfdsmFAcbmnGdxYkXk2PC1FHtaqExxehralGUCQQDcqrg9uQKXlhQi
+XAaPr8SiWvtRm2a9IMMZkRfUWZclPHq6fCWNuUaCD+cTat4wAuqeknAz33VEosw3
+fXGsok//AkEA1GjIHXrOcSlpfVJb6NeOBugjRtZ7ZDT5gbtnMS9ob0qntKV6saaL
+CNmJwuD9Q3XkU5j1+uHvYGP2NzcJd2CjhwJACV0hNlVMe9w9fHvFN4Gw6WbM9ViP
+0oS6YrJafYNTu5vGZXVxLoNnL4u3NYa6aPUmuZXjNwBLfJ8f5VboZPf6RwJAINd2
+oYA8bSi/A755MX4qmozH74r4Fx1Nuq5UHTm8RwDe/0Javx8F/j9MWpJY9lZDEF3l
+In5OebPa/NyInSmW/wJAZuP9aRn0nDBkHYri++1A7NykMiJ/nH0mDECbnk+wxx0S
+LwqIetBhxb8eQwMg45+iAH7CHAMQ8BQuF/nFE6eotg==
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/stream_ssl.tdir/unbound_server.pem b/testdata/stream_ssl.tdir/unbound_server.pem
new file mode 100644
index 000000000000..aeda3ff11882
--- /dev/null
+++ b/testdata/stream_ssl.tdir/unbound_server.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmzCCAQQCCQDsNJ1UmphEFzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowEjEQMA4GA1UE
+AxMHdW5ib3VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtxeybL9rtNaS
+y/axZ47DFPyGghVCM/+tuA3GhPOGeIIzJeZFgN2sUHKrpdcJcEq2ysK6J8vnfYR/
+/jF9LWcL5fMNzpoZjgImkPkhwrCLjo1cEI19LESwetT8+fjwIlb5z2vSSGAeUKyu
+g1RLMSB4/DDnOSSjka5xErBQ4esnjHkCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAZ
+9N0lnLENs4JMvPS+mn8C5m9bkkFITd32IiLjf0zgYpIUbFXH6XaEr9GNZBUG8feG
+l/6WRXnbnVSblI5odQ4XxGZ9inYY6qtW30uv76HvoKp+QZ1c3460ddR8NauhcCHH
+Z7S+QbLXi+r2JAhpPozZCjBHlRD0ixzA1mKQTJhJZg==
+-----END CERTIFICATE-----
diff --git a/testdata/stream_ssl.tpkg b/testdata/stream_ssl.tpkg
deleted file mode 100644
index cf734d4d70b1..000000000000
--- a/testdata/stream_ssl.tpkg
+++ /dev/null
diff --git a/testdata/stream_tcp.tdir/stream_tcp.conf b/testdata/stream_tcp.tdir/stream_tcp.conf
new file mode 100644
index 000000000000..2b900640e764
--- /dev/null
+++ b/testdata/stream_tcp.tdir/stream_tcp.conf
@@ -0,0 +1,14 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: .
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
diff --git a/testdata/stream_tcp.tdir/stream_tcp.dsc b/testdata/stream_tcp.tdir/stream_tcp.dsc
new file mode 100644
index 000000000000..3fce8b58559c
--- /dev/null
+++ b/testdata/stream_tcp.tdir/stream_tcp.dsc
@@ -0,0 +1,16 @@
+BaseName: stream_tcp
+Version: 1.0
+Description: Stream several queries over a TCP channel.
+CreationDate: Fri Feb  8 11:09:09 CET 2008
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: stream_tcp.pre
+Post: stream_tcp.post
+Test: stream_tcp.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/stream_tcp.tdir/stream_tcp.post b/testdata/stream_tcp.tdir/stream_tcp.post
new file mode 100644
index 000000000000..17f1e7089f72
--- /dev/null
+++ b/testdata/stream_tcp.tdir/stream_tcp.post
@@ -0,0 +1,10 @@
+# #-- stream_tcp.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
diff --git a/testdata/stream_tcp.tdir/stream_tcp.pre b/testdata/stream_tcp.tdir/stream_tcp.pre
new file mode 100644
index 000000000000..4c2156c80e92
--- /dev/null
+++ b/testdata/stream_tcp.tdir/stream_tcp.pre
@@ -0,0 +1,30 @@
+# #-- stream_tcp.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT stream_tcp.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < stream_tcp.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -v -v -v -v -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
diff --git a/testdata/stream_tcp.tdir/stream_tcp.test b/testdata/stream_tcp.tdir/stream_tcp.test
new file mode 100644
index 000000000000..695cb0c72f3a
--- /dev/null
+++ b/testdata/stream_tcp.tdir/stream_tcp.test
@@ -0,0 +1,79 @@
+# #-- stream_tcp.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+get_make
+(cd $PRE; $MAKE streamtcp)
+
+# first test a single TCP query.
+echo "> query www.example.com."
+$PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT www.example.com. A IN >outfile 2>&1
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+else
+	echo "exit status OK"
+fi
+echo "> cat logfiles"
+cat outfile
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+# test more 
+echo ""
+echo ""
+echo "> query www.example.com www2.example.com www3.example.com"
+$PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT www.example.com. A IN www2.example.com. A IN www3.example.com A IN >outfile 2>&1
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+else
+	echo "exit status OK"
+fi
+echo "> cat logfiles"
+cat outfile
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+if grep "10.20.30.42" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+if grep "10.20.30.43" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/stream_tcp.tdir/stream_tcp.testns b/testdata/stream_tcp.tdir/stream_tcp.testns
new file mode 100644
index 000000000000..fefbcc767a09
--- /dev/null
+++ b/testdata/stream_tcp.tdir/stream_tcp.testns
@@ -0,0 +1,34 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www2	IN	A
+SECTION ANSWER
+www2	IN	A	10.20.30.42
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www3	IN	A
+SECTION ANSWER
+www3	IN	A	10.20.30.43
+ENTRY_END
+
diff --git a/testdata/stream_tcp.tpkg b/testdata/stream_tcp.tpkg
deleted file mode 100644
index 9cc58912e4df..000000000000
--- a/testdata/stream_tcp.tpkg
+++ /dev/null
diff --git a/testdata/stub_udp.tdir/stub_udp.conf b/testdata/stub_udp.tdir/stub_udp.conf
new file mode 100644
index 000000000000..c8e2ae26ef94
--- /dev/null
+++ b/testdata/stub_udp.tdir/stub_udp.conf
@@ -0,0 +1,18 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+stub-zone:
+	name: "example.com"
+	stub-addr: "127.0.0.1@@TOPORT@"
+# a k a root hints
+stub-zone:
+	name: "."
+	stub-addr: "127.0.0.1@@TOPORT@"
diff --git a/testdata/stub_udp.tdir/stub_udp.dsc b/testdata/stub_udp.tdir/stub_udp.dsc
new file mode 100644
index 000000000000..c76c8995ed4f
--- /dev/null
+++ b/testdata/stub_udp.tdir/stub_udp.dsc
@@ -0,0 +1,16 @@
+BaseName: stub_udp
+Version: 1.0
+Description: Stub server contacted via UDP.
+CreationDate: Tue Sep 30 15:10:00 CEST 2008
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: stub_udp.pre
+Post: stub_udp.post
+Test: stub_udp.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/stub_udp.tdir/stub_udp.post b/testdata/stub_udp.tdir/stub_udp.post
new file mode 100644
index 000000000000..c9216ed749c1
--- /dev/null
+++ b/testdata/stub_udp.tdir/stub_udp.post
@@ -0,0 +1,10 @@
+# #-- stub_udp.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
diff --git a/testdata/stub_udp.tdir/stub_udp.pre b/testdata/stub_udp.tdir/stub_udp.pre
new file mode 100644
index 000000000000..d9dcaadedc85
--- /dev/null
+++ b/testdata/stub_udp.tdir/stub_udp.pre
@@ -0,0 +1,35 @@
+# #-- stub_udp.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+. ../common.sh
+
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT stub_udp.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < stub_udp.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+
+# wait for forwarder to come up
+wait_ldns_testns_up fwd.log
+
+# wait for unbound to come up
+wait_unbound_up unbound.log
+
diff --git a/testdata/stub_udp.tdir/stub_udp.test b/testdata/stub_udp.tdir/stub_udp.test
new file mode 100644
index 000000000000..c417d2a04b2e
--- /dev/null
+++ b/testdata/stub_udp.tdir/stub_udp.test
@@ -0,0 +1,37 @@
+# #-- stub_udp.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+echo "> dig www.example.com."
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+
+# check delegations from cache by doing second test
+echo "> dig mail.example.com."
+dig @127.0.0.1 -p $UNBOUND_PORT mail.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.66" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/stub_udp.tdir/stub_udp.testns b/testdata/stub_udp.tdir/stub_udp.testns
new file mode 100644
index 000000000000..5d581b00a665
--- /dev/null
+++ b/testdata/stub_udp.tdir/stub_udp.testns
@@ -0,0 +1,46 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+SECTION AUTHORITY
+@	IN 	NS	ns.example.com.
+SECTION ADDITIONAL
+ns	IN	A	127.0.0.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+mail	IN	A
+SECTION ANSWER
+mail	IN	A	10.20.30.66
+SECTION AUTHORITY
+@	IN 	NS	ns.example.com.
+SECTION ADDITIONAL
+ns	IN	A	127.0.0.1
+ENTRY_END
+
+; root prime
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+.	IN	NS
+SECTION ANSWER
+. 	IN 	NS 	root.server.
+SECTION AUTHORITY
+SECTION ADDITIONAL
+root.server.	IN	A	127.0.0.1
+ENTRY_END
+
diff --git a/testdata/stub_udp.tpkg b/testdata/stub_udp.tpkg
deleted file mode 100644
index 9a4757d60daa..000000000000
--- a/testdata/stub_udp.tpkg
+++ /dev/null
diff --git a/testdata/stub_udp6.tdir/stub_udp6.conf b/testdata/stub_udp6.tdir/stub_udp6.conf
new file mode 100644
index 000000000000..a037908b3166
--- /dev/null
+++ b/testdata/stub_udp6.tdir/stub_udp6.conf
@@ -0,0 +1,19 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: ::1
+	outgoing-interface: ::1
+	port: @PORT@
+	use-syslog: no
+	directory: ""
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+stub-zone:
+	name: "example.com"
+	stub-addr: "::1@@TOPORT@"
+# a k a root hints
+stub-zone:
+	name: "."
+	stub-addr: "::1@@TOPORT@"
diff --git a/testdata/stub_udp6.tdir/stub_udp6.dsc b/testdata/stub_udp6.tdir/stub_udp6.dsc
new file mode 100644
index 000000000000..7f73c58218de
--- /dev/null
+++ b/testdata/stub_udp6.tdir/stub_udp6.dsc
@@ -0,0 +1,16 @@
+BaseName: stub_udp6
+Version: 1.0
+Description: Stub server contacted via UDP over IPv6.
+CreationDate: Wed Mar 10 13:33:06 CET 2010
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: stub_udp6.pre
+Post: stub_udp6.post
+Test: stub_udp6.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/stub_udp6.tdir/stub_udp6.post b/testdata/stub_udp6.tdir/stub_udp6.post
new file mode 100644
index 000000000000..e25670bbac60
--- /dev/null
+++ b/testdata/stub_udp6.tdir/stub_udp6.post
@@ -0,0 +1,10 @@
+# #-- stub_udp6.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
diff --git a/testdata/stub_udp6.tdir/stub_udp6.pre b/testdata/stub_udp6.tdir/stub_udp6.pre
new file mode 100644
index 000000000000..209ab242f32f
--- /dev/null
+++ b/testdata/stub_udp6.tdir/stub_udp6.pre
@@ -0,0 +1,31 @@
+# #-- stub_udp6.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -6 -p $FWD_PORT stub_udp6.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < stub_udp6.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/stub_udp6.tdir/stub_udp6.test b/testdata/stub_udp6.tdir/stub_udp6.test
new file mode 100644
index 000000000000..5336c8e3d67d
--- /dev/null
+++ b/testdata/stub_udp6.tdir/stub_udp6.test
@@ -0,0 +1,37 @@
+# #-- stub_udp6.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+echo "> dig www.example.com."
+dig @::1 -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+
+# check delegations from cache by doing second test
+echo "> dig mail.example.com."
+dig @::1 -p $UNBOUND_PORT mail.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.66" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/stub_udp6.tdir/stub_udp6.testns b/testdata/stub_udp6.tdir/stub_udp6.testns
new file mode 100644
index 000000000000..5d581b00a665
--- /dev/null
+++ b/testdata/stub_udp6.tdir/stub_udp6.testns
@@ -0,0 +1,46 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+SECTION AUTHORITY
+@	IN 	NS	ns.example.com.
+SECTION ADDITIONAL
+ns	IN	A	127.0.0.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+mail	IN	A
+SECTION ANSWER
+mail	IN	A	10.20.30.66
+SECTION AUTHORITY
+@	IN 	NS	ns.example.com.
+SECTION ADDITIONAL
+ns	IN	A	127.0.0.1
+ENTRY_END
+
+; root prime
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+.	IN	NS
+SECTION ANSWER
+. 	IN 	NS 	root.server.
+SECTION AUTHORITY
+SECTION ADDITIONAL
+root.server.	IN	A	127.0.0.1
+ENTRY_END
+
diff --git a/testdata/stub_udp6.tpkg b/testdata/stub_udp6.tpkg
deleted file mode 100644
index c5e7ffe9dcf4..000000000000
--- a/testdata/stub_udp6.tpkg
+++ /dev/null
diff --git a/testdata/tcp_sigpipe.tdir/tcp_sigpipe.conf b/testdata/tcp_sigpipe.tdir/tcp_sigpipe.conf
new file mode 100644
index 000000000000..384f16b0738a
--- /dev/null
+++ b/testdata/tcp_sigpipe.tdir/tcp_sigpipe.conf
@@ -0,0 +1,15 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: .
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
diff --git a/testdata/tcp_sigpipe.tdir/tcp_sigpipe.dsc b/testdata/tcp_sigpipe.tdir/tcp_sigpipe.dsc
new file mode 100644
index 000000000000..d775ec8e9df5
--- /dev/null
+++ b/testdata/tcp_sigpipe.tdir/tcp_sigpipe.dsc
@@ -0,0 +1,16 @@
+BaseName: tcp_sigpipe
+Version: 1.0
+Description: Generate SIGPIPE over a TCP channel.
+CreationDate: Tue Apr 22 13:45:04 CEST 2008
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: tcp_sigpipe.pre
+Post: tcp_sigpipe.post
+Test: tcp_sigpipe.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/tcp_sigpipe.tdir/tcp_sigpipe.post b/testdata/tcp_sigpipe.tdir/tcp_sigpipe.post
new file mode 100644
index 000000000000..4df9fe12588d
--- /dev/null
+++ b/testdata/tcp_sigpipe.tdir/tcp_sigpipe.post
@@ -0,0 +1,10 @@
+# #-- tcp_sigpipe.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
diff --git a/testdata/tcp_sigpipe.tdir/tcp_sigpipe.pre b/testdata/tcp_sigpipe.tdir/tcp_sigpipe.pre
new file mode 100644
index 000000000000..274dc1198d9a
--- /dev/null
+++ b/testdata/tcp_sigpipe.tdir/tcp_sigpipe.pre
@@ -0,0 +1,31 @@
+# #-- tcp_sigpipe.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT tcp_sigpipe.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < tcp_sigpipe.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/tcp_sigpipe.tdir/tcp_sigpipe.test b/testdata/tcp_sigpipe.tdir/tcp_sigpipe.test
new file mode 100644
index 000000000000..6263dca5e625
--- /dev/null
+++ b/testdata/tcp_sigpipe.tdir/tcp_sigpipe.test
@@ -0,0 +1,45 @@
+# #-- tcp_sigpipe.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+if uname | grep MINGW >/dev/null; then
+	echo "no job control in shell on windows. end test"
+	exit 0
+fi
+
+PRE="../.."
+. ../common.sh
+get_make
+(cd $PRE; $MAKE streamtcp)
+
+# first test a single TCP query.
+echo "> query www.example.com."
+$PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT www.example.com. A IN >outfile 2>&1 &
+kill -PIPE $UNBOUND_PID
+wait
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+else
+	echo "exit status OK"
+fi
+echo "> cat logfiles"
+cat outfile
+cat fwd.log 
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+	echo "OK"
+else
+	echo "Not OK"
+	exit 1
+fi
+
+exit 0
diff --git a/testdata/tcp_sigpipe.tdir/tcp_sigpipe.testns b/testdata/tcp_sigpipe.tdir/tcp_sigpipe.testns
new file mode 100644
index 000000000000..7b773d3b2e73
--- /dev/null
+++ b/testdata/tcp_sigpipe.tdir/tcp_sigpipe.testns
@@ -0,0 +1,42 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH UDP opcode qtype qname
+REPLY QR AA NOERROR TC
+ADJUST copy_id 
+SECTION QUESTION
+www	IN	A
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH TCP opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=3
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www2	IN	A
+SECTION ANSWER
+www2	IN	A	10.20.30.42
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www3	IN	A
+SECTION ANSWER
+www3	IN	A	10.20.30.43
+ENTRY_END
+
diff --git a/testdata/tcp_sigpipe.tpkg b/testdata/tcp_sigpipe.tpkg
deleted file mode 100644
index 4d6dee4d41b7..000000000000
--- a/testdata/tcp_sigpipe.tpkg
+++ /dev/null