Diffstat (limited to 'testdata')
46 files changed, 2856 insertions, 602 deletions
diff --git a/testdata/auth_zonefile_dnssec_fail.rpl b/testdata/auth_zonefile_dnssec_fail.rpl index 49da19993a63..7e4e51de5cd4 100644 --- a/testdata/auth_zonefile_dnssec_fail.rpl +++ b/testdata/auth_zonefile_dnssec_fail.rpl @@ -47,7 +47,9 @@ ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 ; this RR is edited to create the failure ;www.example.com. IN A 10.20.30.40 www.example.com. IN A 127.0.0.1 -www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854} +; also edits the signature to fail, without needing crypto checks. +;www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854} +www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 28540 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854} TEMPFILE_END diff --git a/testdata/dnscrypt_queries.tdir/1.cert b/testdata/dnscrypt_queries.tdir/1.cert Binary files differdeleted file mode 100644 index fbc529bfa3ab..000000000000 --- a/testdata/dnscrypt_queries.tdir/1.cert +++ /dev/null diff --git a/testdata/dnscrypt_queries.tdir/1.key b/testdata/dnscrypt_queries.tdir/1.key deleted file mode 100644 index 165262c86e53..000000000000 --- a/testdata/dnscrypt_queries.tdir/1.key +++ /dev/null @@ -1 +0,0 @@ -K#4s px!A"mM
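Review bot: The replacement RRSIG for www.example.com in auth_zonefile_dnssec_fail.rpl now carries key tag 28540, but its trailing annotation still reads `;{id = 2854}`, so the annotation no longer describes the record. If the zone's DNSKEY has tag 2854, as that annotation suggests, validation presumably fails at key lookup, and the case of an edited A record under a signature whose key tag does match is no longer exercised. The added comment should say this, for example `; key tag changed from 2854 to 28540 so no DNSKEY matches; fails without verifying the signature`. The DNSKEY and the rest of the zone file are outside the hunk, so this should be confirmed against the full file.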
\ No newline at end of file diff --git a/testdata/dnscrypt_queries.tdir/1_chacha.cert b/testdata/dnscrypt_queries.tdir/1_chacha.cert Binary files differdeleted file mode 100644 index 3da5c612d060..000000000000 --- a/testdata/dnscrypt_queries.tdir/1_chacha.cert +++ /dev/null diff --git a/testdata/dnscrypt_queries.tdir/1_salsa.cert b/testdata/dnscrypt_queries.tdir/1_salsa.cert Binary files differdeleted file mode 100644 index 17e447fc339b..000000000000 --- a/testdata/dnscrypt_queries.tdir/1_salsa.cert +++ /dev/null diff --git a/testdata/dnscrypt_queries.tdir/2.cert b/testdata/dnscrypt_queries.tdir/2.cert Binary files differdeleted file mode 100644 index ebf8ac108d14..000000000000 --- a/testdata/dnscrypt_queries.tdir/2.cert +++ /dev/null diff --git a/testdata/dnscrypt_queries.tdir/2.key b/testdata/dnscrypt_queries.tdir/2.key deleted file mode 100644 index c299f550ae95..000000000000 --- a/testdata/dnscrypt_queries.tdir/2.key +++ /dev/null @@ -1 +0,0 @@ -m7x;%*RӯmD
\ No newline at end of file diff --git a/testdata/dnscrypt_queries.tdir/2_chacha.cert b/testdata/dnscrypt_queries.tdir/2_chacha.cert Binary files differdeleted file mode 100644 index ed4ec26065a6..000000000000 --- a/testdata/dnscrypt_queries.tdir/2_chacha.cert +++ /dev/null diff --git a/testdata/dnscrypt_queries.tdir/2_salsa.cert b/testdata/dnscrypt_queries.tdir/2_salsa.cert Binary files differdeleted file mode 100644 index 6e71fe97864d..000000000000 --- a/testdata/dnscrypt_queries.tdir/2_salsa.cert +++ /dev/null diff --git a/testdata/dnscrypt_queries.tdir/dnscrypt_queries.conf b/testdata/dnscrypt_queries.tdir/dnscrypt_queries.conf deleted file mode 100644 index 355d4ff13595..000000000000 --- a/testdata/dnscrypt_queries.tdir/dnscrypt_queries.conf +++ /dev/null @@ -1,26 +0,0 @@ -server: - verbosity: 2 - # num-threads: 1 - port: @PORT@ - interface: 0.0.0.0 - interface: 0.0.0.0@@DNSCRYPT_PORT@ - use-syslog: no - directory: . - pidfile: "unbound.pid" - chroot: "" - username: "" - do-not-query-localhost: no - -forward-zone: - name: "." - forward-addr: "127.0.0.1@@TOPORT@" - -dnscrypt: - dnscrypt-enable: yes - dnscrypt-port: @DNSCRYPT_PORT@ - dnscrypt-provider: 2.dnscrypt-cert.example.com. - dnscrypt-secret-key: 1.key - dnscrypt-secret-key: 2.key - dnscrypt-provider-cert: 1_salsa.cert - dnscrypt-provider-cert: 2_salsa.cert - diff --git a/testdata/dnscrypt_queries.tdir/dnscrypt_queries.dsc b/testdata/dnscrypt_queries.tdir/dnscrypt_queries.dsc deleted file mode 100644 index e1e653e57117..000000000000 --- a/testdata/dnscrypt_queries.tdir/dnscrypt_queries.dsc +++ /dev/null @@ -1,16 +0,0 @@ -BaseName: dnscrypt_queries -Version: 1.0 -Description: dnscrypt queries. -CreationDate: Fri Mar 03 10:08:08 CEST 2017 -Maintainer: Emmanuel Bretelle -Category: -Component: -CmdDepends: -Depends: -Help: -Pre: dnscrypt_queries.pre -Post: dnscrypt_queries.post -Test: dnscrypt_queries.test -AuxFiles: -Passed: -Failure: 
diff --git a/testdata/dnscrypt_queries.tdir/dnscrypt_queries.post b/testdata/dnscrypt_queries.tdir/dnscrypt_queries.post
deleted file mode 100644
index b61480616892..000000000000
--- a/testdata/dnscrypt_queries.tdir/dnscrypt_queries.post
+++ /dev/null
@@ -1,20 +0,0 @@
-# #-- dnscrypt_queries.post --#
-# source the master var file when it's there
-[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
-# source the test var file when it's there
-[ -f .tpkg.var.test ] && source .tpkg.var.test
-#
-# do your teardown here
-PRE="../.."
-. ../common.sh
-# if no dnscrypt; exit
-if grep "define USE_DNSCRYPT 1" $PRE/config.h; then
- echo "have dnscrypt"
-else
- echo "no dnscrypt"
- exit 0
-fi
-
-kill_pid $FWD_PID
-kill_pid $UNBOUND_PID
-kill_pid $PROXY_PID
diff --git a/testdata/dnscrypt_queries.tdir/dnscrypt_queries.pre b/testdata/dnscrypt_queries.tdir/dnscrypt_queries.pre
deleted file mode 100644
index 288a66541a34..000000000000
--- a/testdata/dnscrypt_queries.tdir/dnscrypt_queries.pre
+++ /dev/null
@@ -1,53 +0,0 @@ -# #-- dnscrypt_queries.pre--# -# source the master var file when it's there -[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master -# use .tpkg.var.test for in test variable passing -[ -f .tpkg.var.test ] && source .tpkg.var.test - -PRE="../.." -. ../common.sh -# if no dnscrypt; exit -if grep "define USE_DNSCRYPT 1" $PRE/config.h; then - echo "have dnscrypt" -else - echo "no dnscrypt" - exit 0 -fi - -get_random_port 4 -UNBOUND_PORT=$RND_PORT -FWD_PORT=$(($RND_PORT + 1)) -DNSCRYPT_PORT=$(($RND_PORT + 2)) -PROXY_PORT=$(($RND_PORT + 3)) -echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test -echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test -echo "DNSCRYPT_PORT=$DNSCRYPT_PORT" >> .tpkg.var.test -echo "PROXY_PORT=$PROXY_PORT" >> .tpkg.var.test - -# start forwarder -get_ldns_testns -$LDNS_TESTNS -p $FWD_PORT dnscrypt_queries.testns >fwd.log 2>&1 & -FWD_PID=$! -echo "FWD_PID=$FWD_PID" >> .tpkg.var.test - -dnscrypt-proxy --local-address=127.0.0.1:${PROXY_PORT} \ - --resolver-address=127.0.0.1:${DNSCRYPT_PORT} \ - --provider-name=2.dnscrypt-cert.example.com \ - --provider-key=B85F:41A1:4F23:F7DB:C866:F397:CC6F:44B6:5F9D:65C5:B629:7C27:5403:A6E9:DCF2:4F9D \ - -m 32 \ - >dnscryptproxy.log 2>&1 & -PROXY_PID=$! -echo "PROXY_PID=$PROXY_PID" >> .tpkg.var.test - -# make config file -sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' \ - -e 's/@DNSCRYPT_PORT\@/'$DNSCRYPT_PORT'/' < dnscrypt_queries.conf > ub.conf -# start unbound in the background -$PRE/unbound -d -c ub.conf >unbound.log 2>&1 & -UNBOUND_PID=$! -echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test - -cat .tpkg.var.test -wait_ldns_testns_up fwd.log -wait_unbound_up unbound.log -wait_server_up dnscryptproxy.log "Proxying from" diff --git a/testdata/dnscrypt_queries.tdir/dnscrypt_queries.test b/testdata/dnscrypt_queries.tdir/dnscrypt_queries.test deleted file mode 100644 index 5614a444da05..000000000000 --- a/testdata/dnscrypt_queries.tdir/dnscrypt_queries.test +++ /dev/null 
@@ -1,107 +0,0 @@ -# #-- dnscrypt_queries.test --# -# source the master var file when it's there -[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master -# use .tpkg.var.test for in test variable passing -[ -f .tpkg.var.test ] && source .tpkg.var.test - -PRE="../.." -. ../common.sh -# if no dnscrypt; exit -if grep "define USE_DNSCRYPT 1" $PRE/config.h; then - echo "have dnscrypt" -else - echo "no dnscrypt" - exit 0 -fi - - -# do the test -for opt in '' '+tcp' -do - echo "> do queries ${opt}" - dig @127.0.0.1 ${opt} -p $PROXY_PORT www1.example.com. >outfile1 & - digpid1=$! - dig @127.0.0.1 ${opt} -p $PROXY_PORT www2.example.com. >outfile2 & - digpid2=$! - dig @127.0.0.1 ${opt} -p $PROXY_PORT www3.example.com. >outfile3 & - digpid3=$! - dig @127.0.0.1 ${opt} -p $PROXY_PORT www4.example.com. >outfile4 & - digpid4=$! - dig @127.0.0.1 ${opt} -p $PROXY_PORT www5.example.com. >outfile5 & - digpid5=$! - dig @127.0.0.1 ${opt} -p $PROXY_PORT www6.example.com. >outfile6 & - digpid6=$! - sleep 1 - kill -9 $digpid1 - kill -9 $digpid2 - kill -9 $digpid3 - kill -9 $digpid4 - kill -9 $digpid5 - kill -9 $digpid6 - - echo "> cat outfile1" - cat outfile1 - echo "> cat outfile2" - cat outfile2 - echo "> cat outfile3" - cat outfile3 - echo "> cat outfile4" - cat outfile4 - echo "> cat outfile5" - cat outfile5 - echo "> cat outfile6" - cat outfile6 - echo "> cat logfiles" - cat fwd.log - cat unbound.log - - echo "> check for ID bit collisions" - grep "pending reply" unbound.log > ids - numsend=`cat ids | wc -l` - cat ids | awk '{print $8};' | sort -u > ids2 - numuniq=`cat ids2 | wc -l` - if test $numuniq -ne $numsend; then - echo "got a ID number clash. 
could not do test, sorry" - exit 0 - fi - - echo "> check answers for queries" - if grep "10.20.30.40" outfile1; then - echo "1 is OK" - else - echo "1 is not OK" - exit 1 - fi - if grep "10.20.30.50" outfile2; then - echo "2 is OK" - else - echo "2 is not OK" - exit 1 - fi - if grep "10.20.30.60" outfile3; then - echo "3 is OK" - else - echo "3 is not OK" - exit 1 - fi - if grep "10.20.30.70" outfile4; then - echo "4 is OK" - else - echo "4 is not OK" - exit 1 - fi - if grep "10.20.30.80" outfile5; then - echo "5 is OK" - else - echo "5 is not OK" - exit 1 - fi - if grep "10.20.30.90" outfile6; then - echo "6 is OK" - else - echo "6 is not OK" - exit 1 - fi -done - -exit 0 diff --git a/testdata/dnscrypt_queries.tdir/dnscrypt_queries.testns b/testdata/dnscrypt_queries.tdir/dnscrypt_queries.testns deleted file mode 100644 index f03c15f764ca..000000000000 --- a/testdata/dnscrypt_queries.tdir/dnscrypt_queries.testns +++ /dev/null @@ -1,63 +0,0 @@ -; nameserver test file -$ORIGIN example.com. -$TTL 3600 - -ENTRY_BEGIN -MATCH opcode qtype qname -REPLY QR AA NOERROR -ADJUST copy_id -SECTION QUESTION -www1 IN A -SECTION ANSWER -www1 IN A 10.20.30.40 -ENTRY_END - -ENTRY_BEGIN -MATCH opcode qtype qname -REPLY QR AA NOERROR -ADJUST copy_id -SECTION QUESTION -www2 IN A -SECTION ANSWER -www2 IN A 10.20.30.50 -ENTRY_END - -ENTRY_BEGIN -MATCH opcode qtype qname -REPLY QR AA NOERROR -ADJUST copy_id -SECTION QUESTION -www3 IN A -SECTION ANSWER -www3 IN A 10.20.30.60 -ENTRY_END - -ENTRY_BEGIN -MATCH opcode qtype qname -REPLY QR AA NOERROR -ADJUST copy_id -SECTION QUESTION -www4 IN A -SECTION ANSWER -www4 IN A 10.20.30.70 -ENTRY_END - -ENTRY_BEGIN -MATCH opcode qtype qname -REPLY QR AA NOERROR -ADJUST copy_id -SECTION QUESTION -www5 IN A -SECTION ANSWER -www5 IN A 10.20.30.80 -ENTRY_END - -ENTRY_BEGIN -MATCH opcode qtype qname -REPLY QR AA NOERROR -ADJUST copy_id -SECTION QUESTION -www6 IN A -SECTION ANSWER -www6 IN A 10.20.30.90 -ENTRY_END 
diff --git a/testdata/dnscrypt_queries_chacha.tdir/1.key b/testdata/dnscrypt_queries_chacha.tdir/1.key deleted file mode 100644 index 165262c86e53..000000000000 --- a/testdata/dnscrypt_queries_chacha.tdir/1.key +++ /dev/null @@ -1 +0,0 @@ -K#4s px!A"mM
\ No newline at end of file diff --git a/testdata/dnscrypt_queries_chacha.tdir/1_chacha.cert b/testdata/dnscrypt_queries_chacha.tdir/1_chacha.cert Binary files differdeleted file mode 100644 index 3da5c612d060..000000000000 --- a/testdata/dnscrypt_queries_chacha.tdir/1_chacha.cert +++ /dev/null diff --git a/testdata/dnscrypt_queries_chacha.tdir/1_salsa.cert b/testdata/dnscrypt_queries_chacha.tdir/1_salsa.cert Binary files differdeleted file mode 100644 index 17e447fc339b..000000000000 --- a/testdata/dnscrypt_queries_chacha.tdir/1_salsa.cert +++ /dev/null diff --git a/testdata/dnscrypt_queries_chacha.tdir/2.key b/testdata/dnscrypt_queries_chacha.tdir/2.key deleted file mode 100644 index c299f550ae95..000000000000 --- a/testdata/dnscrypt_queries_chacha.tdir/2.key +++ /dev/null @@ -1 +0,0 @@ -m7x;%*RӯmD
\ No newline at end of file diff --git a/testdata/dnscrypt_queries_chacha.tdir/2_chacha.cert b/testdata/dnscrypt_queries_chacha.tdir/2_chacha.cert Binary files differdeleted file mode 100644 index ed4ec26065a6..000000000000 --- a/testdata/dnscrypt_queries_chacha.tdir/2_chacha.cert +++ /dev/null diff --git a/testdata/dnscrypt_queries_chacha.tdir/2_salsa.cert b/testdata/dnscrypt_queries_chacha.tdir/2_salsa.cert Binary files differdeleted file mode 100644 index 6e71fe97864d..000000000000 --- a/testdata/dnscrypt_queries_chacha.tdir/2_salsa.cert +++ /dev/null diff --git a/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.conf b/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.conf deleted file mode 100644 index 9e269ba60ce3..000000000000 --- a/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.conf +++ /dev/null @@ -1,24 +0,0 @@ -server: - verbosity: 2 - # num-threads: 1 - port: @PORT@ - interface: 0.0.0.0 - interface: 0.0.0.0@@DNSCRYPT_PORT@ - use-syslog: no - directory: . - pidfile: "unbound.pid" - chroot: "" - username: "" - do-not-query-localhost: no - -forward-zone: - name: "." - forward-addr: "127.0.0.1@@TOPORT@" - -dnscrypt: - dnscrypt-enable: yes - dnscrypt-port: @DNSCRYPT_PORT@ - dnscrypt-provider: 2.dnscrypt-cert.example.com. - dnscrypt-secret-key: 2.key - dnscrypt-provider-cert: 2_salsa.cert - dnscrypt-provider-cert: 2_chacha.cert diff --git a/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.dsc b/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.dsc deleted file mode 100644 index 372126bc3e41..000000000000 --- a/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.dsc +++ /dev/null 
@@ -1,16 +0,0 @@
-BaseName: dnscrypt_queries_chacha
-Version: 1.0
-Description: dnscrypt queries using xchacha
-CreationDate: Thu Jun 01 10:08:08 CEST 2017
-Maintainer: Emmanuel Bretelle
-Category:
-Component:
-CmdDepends:
-Depends:
-Help:
-Pre: dnscrypt_queries_chacha.pre
-Post: dnscrypt_queries_chacha.post
-Test: dnscrypt_queries_chacha.test
-AuxFiles:
-Passed:
-Failure:
diff --git a/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.post b/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.post
deleted file mode 100644
index 1ca6a7e3f1de..000000000000
--- a/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.post
+++ /dev/null
@@ -1,17 +0,0 @@
-# #-- dnscrypt_queries_chacha.post --#
-# source the master var file when it's there
-[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
-# source the test var file when it's there
-[ -f .tpkg.var.test ] && source .tpkg.var.test
-#
-# do your teardown here
-PRE="../.."
-. ../common.sh
-
-# Check if we can run the test.
-. ./precheck.sh
-
-
-kill_pid $FWD_PID
-kill_pid $UNBOUND_PID
-kill_pid $PROXY_PID
diff --git a/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.pre b/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.pre
deleted file mode 100644
index 6474c540dd6e..000000000000
--- a/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.pre
+++ /dev/null
@@ -1,52 +0,0 @@ -# #-- dnscrypt_queries_chacha.pre--# -# source the master var file when it's there -[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master -# use .tpkg.var.test for in test variable passing -[ -f .tpkg.var.test ] && source .tpkg.var.test - -PRE="../.." -. ../common.sh -# Check if we can run the test. -. ./precheck.sh - -get_random_port 4 -UNBOUND_PORT=$RND_PORT -FWD_PORT=$(($RND_PORT + 1)) -DNSCRYPT_PORT=$(($RND_PORT + 2)) -PROXY_PORT=$(($RND_PORT + 3)) -echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test -echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test -echo "DNSCRYPT_PORT=$DNSCRYPT_PORT" >> .tpkg.var.test -echo "PROXY_PORT=$PROXY_PORT" >> .tpkg.var.test - -# start forwarder -get_ldns_testns -$LDNS_TESTNS -p $FWD_PORT dnscrypt_queries_chacha.testns >fwd.log 2>&1 & -FWD_PID=$! -echo "FWD_PID=$FWD_PID" >> .tpkg.var.test - -dnscrypt-proxy --local-address=127.0.0.1:${PROXY_PORT} \ - --resolver-address=127.0.0.1:${DNSCRYPT_PORT} \ - --provider-name=2.dnscrypt-cert.example.com \ - --provider-key=C352:1F20:F2D2:FD65:B5F4:7BF6:6C1A:88C1:4BCB:80CE:1E3A:3572:5CB1:7D4B:12D3:E783 \ - -m 32 \ - >dnscryptproxy.log 2>&1 & -PROXY_PID=$! -echo "PROXY_PID=$PROXY_PID" >> .tpkg.var.test - -# make config file -sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' \ - -e 's/@DNSCRYPT_PORT\@/'$DNSCRYPT_PORT'/' < dnscrypt_queries_chacha.conf > ub.conf -# start unbound in the background -$PRE/unbound -d -c ub.conf >unbound.log 2>&1 & -UNBOUND_PID=$! -echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test - -cat .tpkg.var.test -wait_ldns_testns_up fwd.log -wait_unbound_up unbound.log -wait_server_up dnscryptproxy.log "Proxying from" -if ! grep 'Using version 2.0 of the DNSCrypt protocol' dnscryptproxy.log; then - echo "Failed to select xchacha cert" - exit 1 -fi diff --git a/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.test b/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.test deleted file mode 100644 index 455c506a0d49..000000000000 
--- a/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.test
+++ /dev/null
@@ -1,101 +0,0 @@ -# #-- dnscrypt_queries_chacha.test --# -# source the master var file when it's there -[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master -# use .tpkg.var.test for in test variable passing -[ -f .tpkg.var.test ] && source .tpkg.var.test - -PRE="../.." -. ../common.sh -# Check if we can run the test. -. ./precheck.sh - -# do the test -for opt in '' '+tcp' -do - echo "> do queries ${opt}" - dig @127.0.0.1 ${opt} -p $PROXY_PORT www1.example.com. >outfile1 & - digpid1=$! - dig @127.0.0.1 ${opt} -p $PROXY_PORT www2.example.com. >outfile2 & - digpid2=$! - dig @127.0.0.1 ${opt} -p $PROXY_PORT www3.example.com. >outfile3 & - digpid3=$! - dig @127.0.0.1 ${opt} -p $PROXY_PORT www4.example.com. >outfile4 & - digpid4=$! - dig @127.0.0.1 ${opt} -p $PROXY_PORT www5.example.com. >outfile5 & - digpid5=$! - dig @127.0.0.1 ${opt} -p $PROXY_PORT www6.example.com. >outfile6 & - digpid6=$! - sleep 1 - kill -9 $digpid1 - kill -9 $digpid2 - kill -9 $digpid3 - kill -9 $digpid4 - kill -9 $digpid5 - kill -9 $digpid6 - - echo "> cat outfile1" - cat outfile1 - echo "> cat outfile2" - cat outfile2 - echo "> cat outfile3" - cat outfile3 - echo "> cat outfile4" - cat outfile4 - echo "> cat outfile5" - cat outfile5 - echo "> cat outfile6" - cat outfile6 - echo "> cat logfiles" - cat fwd.log - cat unbound.log - - echo "> check for ID bit collisions" - grep "pending reply" unbound.log > ids - numsend=`cat ids | wc -l` - cat ids | awk '{print $8};' | sort -u > ids2 - numuniq=`cat ids2 | wc -l` - if test $numuniq -ne $numsend; then - echo "got a ID number clash. 
could not do test, sorry" - exit 0 - fi - - echo "> check answers for queries" - if grep "10.20.30.40" outfile1; then - echo "1 is OK" - else - echo "1 is not OK" - exit 1 - fi - if grep "10.20.30.50" outfile2; then - echo "2 is OK" - else - echo "2 is not OK" - exit 1 - fi - if grep "10.20.30.60" outfile3; then - echo "3 is OK" - else - echo "3 is not OK" - exit 1 - fi - if grep "10.20.30.70" outfile4; then - echo "4 is OK" - else - echo "4 is not OK" - exit 1 - fi - if grep "10.20.30.80" outfile5; then - echo "5 is OK" - else - echo "5 is not OK" - exit 1 - fi - if grep "10.20.30.90" outfile6; then - echo "6 is OK" - else - echo "6 is not OK" - exit 1 - fi -done - -exit 0 diff --git a/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.testns b/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.testns deleted file mode 100644 index f03c15f764ca..000000000000 --- a/testdata/dnscrypt_queries_chacha.tdir/dnscrypt_queries_chacha.testns +++ /dev/null @@ -1,63 +0,0 @@ -; nameserver test file -$ORIGIN example.com. -$TTL 3600 - -ENTRY_BEGIN -MATCH opcode qtype qname -REPLY QR AA NOERROR -ADJUST copy_id -SECTION QUESTION -www1 IN A -SECTION ANSWER -www1 IN A 10.20.30.40 -ENTRY_END - -ENTRY_BEGIN -MATCH opcode qtype qname -REPLY QR AA NOERROR -ADJUST copy_id -SECTION QUESTION -www2 IN A -SECTION ANSWER -www2 IN A 10.20.30.50 -ENTRY_END - -ENTRY_BEGIN -MATCH opcode qtype qname -REPLY QR AA NOERROR -ADJUST copy_id -SECTION QUESTION -www3 IN A -SECTION ANSWER -www3 IN A 10.20.30.60 -ENTRY_END - -ENTRY_BEGIN -MATCH opcode qtype qname -REPLY QR AA NOERROR -ADJUST copy_id -SECTION QUESTION -www4 IN A -SECTION ANSWER -www4 IN A 10.20.30.70 -ENTRY_END - -ENTRY_BEGIN -MATCH opcode qtype qname -REPLY QR AA NOERROR -ADJUST copy_id -SECTION QUESTION -www5 IN A -SECTION ANSWER -www5 IN A 10.20.30.80 -ENTRY_END - -ENTRY_BEGIN -MATCH opcode qtype qname -REPLY QR AA NOERROR -ADJUST copy_id -SECTION QUESTION -www6 IN A -SECTION ANSWER -www6 IN A 10.20.30.90 -ENTRY_END 
diff --git a/testdata/dnscrypt_queries_chacha.tdir/precheck.sh b/testdata/dnscrypt_queries_chacha.tdir/precheck.sh deleted file mode 100644 index 8288d9516eb1..000000000000 --- a/testdata/dnscrypt_queries_chacha.tdir/precheck.sh +++ /dev/null @@ -1,27 +0,0 @@ -# dnscrypt precheck.sh - -# if no dnscrypt; exit -if grep "define USE_DNSCRYPT 1" $PRE/config.h; then - echo "have dnscrypt" -else - echo "no dnscrypt" - exit 0 -fi - -# if no xchacha20 support in unbound; exit -if grep "define USE_DNSCRYPT_XCHACHA20 1" $PRE/config.h; then - echo "have xchacha20" - xchacha20=1 -else - echo "no xchacha20" - xchacha20=0 - exit 0 -fi - -# if dnscrypt-proxy does not support xchacha20; exit -if (dnscrypt-proxy -h 2>&1 | grep -q 'XChaCha20-Poly1305 cipher: present'); then - echo "dnscrypt-proxy has xchacha20" -else - echo "dnscrypt-proxy does not have xchacha20" - exit 0 -fi diff --git a/testdata/remote-threaded.tdir/remote-threaded.test b/testdata/remote-threaded.tdir/remote-threaded.test index 7392fa9097ca..e2f6b2783aaa 100644 --- a/testdata/remote-threaded.tdir/remote-threaded.test +++ b/testdata/remote-threaded.tdir/remote-threaded.test @@ -25,7 +25,7 @@ if grep "10.20.30.40" outfile; then echo "OK" else echo "> cat logfiles" - cat fwd.log + cat fwd.log cat unbound.log echo "Not OK" exit 1 @@ -37,7 +37,7 @@ $PRE/unbound-control -c ub.conf blablargh if test $? -ne 1; then echo "wrong exit value on error." echo "> cat logfiles" - cat fwd.log + cat fwd.log cat unbound.log exit 1 else @@ -61,7 +61,7 @@ if grep "5.6.7.8" outfile; then echo "OK" else echo "> cat logfiles" - cat fwd.log + cat fwd.log cat unbound.log echo "Not OK" exit 1 @@ -72,6 +72,8 @@ echo "$PRE/unbound-control -c ub.conf stats" $PRE/unbound-control -c ub.conf stats > tmp.$$ if test $? -ne 0; then echo "wrong exit value after success" + cat fwd.log + cat unbound.log exit 1 fi if grep "^total.num.queries=[1-9][0-9]*$" tmp.$$; then 
@@ -90,7 +92,7 @@ if test $? -ne 0; then exit 1 fi -# check syntax error in parse +# check syntax error in parse echo "$PRE/unbound-control -c ub.conf verbosity jkdf" $PRE/unbound-control -c ub.conf verbosity jkdf if test $? -ne 1; then @@ -135,7 +137,7 @@ if grep "192.0.2.1" outfile; then echo "OK" else echo "> cat logfiles" - cat fwd.log + cat fwd.log cat unbound.log echo "Not OK" exit 1 @@ -149,7 +151,7 @@ if grep "NXDOMAIN" outfile; then echo "OK" else echo "> cat logfiles" - cat fwd.log + cat fwd.log cat unbound.log echo "Not OK" exit 1 @@ -169,7 +171,7 @@ if grep "NXDOMAIN" outfile; then echo "OK" else echo "> cat logfiles" - cat fwd.log + cat fwd.log cat unbound.log echo "Not OK" exit 1 @@ -189,7 +191,7 @@ if grep "SERVFAIL" outfile; then echo "OK" else echo "> cat logfiles" - cat fwd.log + cat fwd.log cat unbound.log echo "Not OK" exit 1 @@ -216,7 +218,7 @@ else exit 1 fi -# test lookup +# test lookup echo "$PRE/unbound-control -c ub.conf lookup www.example.com" $PRE/unbound-control -c ub.conf lookup www.example.com if test $? -ne 0; then @@ -282,7 +284,7 @@ done if kill -0 $UNBOUND_PID; then echo "still up!" echo "> cat logfiles" - cat fwd.log + cat fwd.log cat unbound.log echo "not stopped, failure" exit 1 @@ -294,7 +296,7 @@ else echo "lock-verify test worked." else echo "lock-verify test failed." - cat fwd.log + cat fwd.log cat unbound.log exit 1 fi @@ -302,7 +304,7 @@ else fi echo "> cat logfiles" -cat fwd.log +cat fwd.log cat unbound.log echo "> OK" exit 0 diff --git a/testdata/rpz_axfr.rpl b/testdata/rpz_axfr.rpl new file mode 100644 index 000000000000..b5b84bfd3af9 --- /dev/null +++ b/testdata/rpz_axfr.rpl 
@@ -0,0 +1,362 @@ +; config options +server: + module-config: "respip validator iterator" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: no + +rpz: + name: "rpz.example.com." + master: 10.20.30.40 + zonefile: +TEMPFILE_NAME rpz.example.com +TEMPFILE_CONTENTS rpz.example.com +$ORIGIN rpz.example.com. +a IN CNAME *. +c IN TXT "hello from initial RPZ" +c IN TXT "another hello from initial RPZ" +d IN CNAME . +32.1.123.0.10.rpz-ip CNAME *. +32.3.123.0.10.rpz-ip A 10.66.0.3 +32.3.123.0.10.rpz-ip A 10.66.0.4 +32.4.123.0.10.rpz-ip CNAME . +TEMPFILE_END + +stub-zone: + name: "." + stub-addr: 10.20.30.40 + +CONFIG_END + +SCENARIO_BEGIN Test RPZ QNAME trigger, loaded using AXFR + +RANGE_BEGIN 0 100 + ADDRESS 10.20.30.40 + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR NOERROR AA +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS ns. +SECTION ADDITIONAL +ns. IN NS 10.20.30.40 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR NOERROR AA +SECTION QUESTION +b. IN TXT +SECTION ANSWER +b. TXT "hello from upstream" +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR NOERROR AA +SECTION QUESTION +d. IN TXT +SECTION ANSWER +d. TXT "hello from upstream" +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR NOERROR AA +SECTION QUESTION +a.rpz-ip. IN A +SECTION ANSWER +a.rpz-ip. IN A 10.0.123.1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR NOERROR AA +SECTION QUESTION +c.rpz-ip. IN A +SECTION ANSWER +c.rpz-ip. IN A 10.0.123.3 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR NOERROR AA +SECTION QUESTION +d.rpz-ip. IN A +SECTION ANSWER +d.rpz-ip. IN A 10.0.123.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +rpz.example.com. IN SOA +SECTION ANSWER +rpz.example.com. IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 
1 3600 900 86400 3600 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +rpz.example.com. IN AXFR +SECTION ANSWER +rpz.example.com. IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 1 3600 900 86400 3600 +b.rpz.example.com. TXT "hello from RPZ" +c.rpz.example.com. TXT "hello from RPZ" +a.rpz.example.com. CNAME . +32.1.123.0.10.rpz-ip.rpz.example.com. CNAME . +32.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.5 +32.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.6 +rpz.example.com. IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 1 3600 900 86400 3600 +ENTRY_END + +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +b. IN TXT +ENTRY_END + +STEP 2 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +b. IN TXT +SECTION ANSWER +b. IN TXT "hello from upstream" +ENTRY_END + +STEP 3 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a. IN TXT +ENTRY_END + +STEP 4 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +a. IN TXT +SECTION ANSWER +ENTRY_END + +STEP 5 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.rpz-ip. IN A +ENTRY_END + +STEP 6 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +a.rpz-ip. IN A +SECTION ANSWER +ENTRY_END + +STEP 7 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c. IN TXT +ENTRY_END + +STEP 8 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +c. IN TXT +SECTION ANSWER +c. IN TXT "another hello from initial RPZ" +c. IN TXT "hello from initial RPZ" +ENTRY_END + +STEP 9 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c.rpz-ip. IN A +ENTRY_END + +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +c.rpz-ip. IN A +SECTION ANSWER +c.rpz-ip. IN A 10.66.0.4 +c.rpz-ip. IN A 10.66.0.3 +ENTRY_END + +STEP 11 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +d. 
IN TXT +ENTRY_END + +STEP 12 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NXDOMAIN +SECTION QUESTION +d. IN TXT +ENTRY_END + +STEP 13 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +d.rpz-ip. IN A +ENTRY_END + +STEP 14 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +d.rpz-ip. IN A +ENTRY_END + +STEP 30 TIME_PASSES ELAPSE 10 +STEP 40 TRAFFIC + +STEP 50 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +b. IN TXT +ENTRY_END + +STEP 51 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +b. IN TXT +SECTION ANSWER +b. IN TXT "hello from RPZ" +ENTRY_END + +STEP 52 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a. IN TXT +ENTRY_END + +STEP 53 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NXDOMAIN +SECTION QUESTION +a. IN TXT +SECTION ANSWER +ENTRY_END + +STEP 54 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.rpz-ip. IN A +ENTRY_END + +STEP 55 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +a.rpz-ip. IN A +SECTION ANSWER +ENTRY_END + +STEP 56 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c. IN TXT +ENTRY_END + +STEP 57 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +c. IN TXT +SECTION ANSWER +c. IN TXT "hello from RPZ" +ENTRY_END + +STEP 58 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c.rpz-ip. IN A +ENTRY_END + +STEP 59 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +c.rpz-ip. IN A +SECTION ANSWER +c.rpz-ip. IN A 10.66.0.6 +c.rpz-ip. IN A 10.66.0.5 +ENTRY_END + +STEP 60 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +d. IN TXT +ENTRY_END + +STEP 61 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +d. IN TXT +SECTION ANSWER +d. IN TXT "hello from upstream" +ENTRY_END + +STEP 62 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +d.rpz-ip. IN A +ENTRY_END + +STEP 63 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +d.rpz-ip. 
IN A +SECTION ANSWER +d.rpz-ip. IN A 10.0.123.4 +ENTRY_END + +SCENARIO_END diff --git a/testdata/rpz_ixfr.rpl b/testdata/rpz_ixfr.rpl new file mode 100644 index 000000000000..3f7cb3d3561e --- /dev/null +++ b/testdata/rpz_ixfr.rpl 
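Review bot: In rpz_axfr.rpl the root referral's ADDITIONAL section has `ns. IN NS 10.20.30.40`, an NS record whose target is an IP-address-shaped name; glue for `ns.` would be `ns. IN A 10.20.30.40`. The scenario probably still passes because `stub-addr: 10.20.30.40` is configured directly, but the entry does not express what it is meant to. The same line appears in the rpz_ixfr.rpl scenario. Separately, the SCENARIO_BEGIN title says "QNAME trigger" although the steps also check the `rpz-ip` entries; a title such as `Test RPZ QNAME and response IP triggers, loaded using AXFR` would match what is tested.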
@@ -0,0 +1,378 @@ +; config options +server: + module-config: "respip validator iterator" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: no + +rpz: + name: "rpz.example.com." + master: 10.20.30.40 + zonefile: +TEMPFILE_NAME rpz.example.com +TEMPFILE_CONTENTS rpz.example.com +rpz.example.com. 3600 IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 1 3600 900 86400 3600 +rpz.example.com. 3600 IN NS ns.rpz.example.net. +a.rpz.example.com. IN CNAME *. +c.rpz.example.com. IN TXT "hello from initial RPZ" +c.rpz.example.com. IN TXT "another hello from initial RPZ" +c.rpz.example.com. IN TXT "yet another hello from initial RPZ" +d.rpz.example.com. IN CNAME . +32.1.123.0.10.rpz-ip.rpz.example.com. CNAME *. +32.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.3 +32.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.4 +32.4.123.0.10.rpz-ip.rpz.example.com. CNAME . +TEMPFILE_END + +stub-zone: + name: "." + stub-addr: 10.20.30.40 + +CONFIG_END + +SCENARIO_BEGIN Test RPZ QNAME trigger, loaded using IXFR + +RANGE_BEGIN 0 100 + ADDRESS 10.20.30.40 + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR NOERROR AA +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS ns. +SECTION ADDITIONAL +ns. IN NS 10.20.30.40 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR NOERROR AA +SECTION QUESTION +b. IN TXT +SECTION ANSWER +b. TXT "hello from upstream" +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR NOERROR AA +SECTION QUESTION +d. IN TXT +SECTION ANSWER +d. TXT "hello from upstream" +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR NOERROR AA +SECTION QUESTION +a.rpz-ip. IN A +SECTION ANSWER +a.rpz-ip. IN A 10.0.123.1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR NOERROR AA +SECTION QUESTION +c.rpz-ip. IN A +SECTION ANSWER +c.rpz-ip. 
IN A 10.0.123.3 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR NOERROR AA +SECTION QUESTION +d.rpz-ip. IN A +SECTION ANSWER +d.rpz-ip. IN A 10.0.123.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +rpz.example.com. IN SOA +SECTION ANSWER +rpz.example.com. IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 2 3600 900 86400 3600 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +rpz.example.com. IN IXFR +SECTION ANSWER +rpz.example.com. IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 2 3600 900 86400 3600 +rpz.example.com. IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 1 3600 900 86400 3600 +a.rpz.example.com. IN CNAME *. +c.rpz.example.com. IN TXT "hello from initial RPZ" +c.rpz.example.com. IN TXT "another hello from initial RPZ" +d.rpz.example.com. IN CNAME . +32.1.123.0.10.rpz-ip.rpz.example.com. CNAME *. +32.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.3 +32.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.4 +32.4.123.0.10.rpz-ip.rpz.example.com. CNAME . +rpz.example.com. IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 2 3600 900 86400 3600 +b.rpz.example.com. TXT "hello from RPZ" +c.rpz.example.com. TXT "hello from RPZ" +a.rpz.example.com. CNAME . +32.1.123.0.10.rpz-ip.rpz.example.com. CNAME . +32.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.5 +32.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.6 +rpz.example.com. IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 2 3600 900 86400 3600 +ENTRY_END + +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +b. IN TXT +ENTRY_END + +STEP 2 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +b. IN TXT +SECTION ANSWER +b. IN TXT "hello from upstream" +ENTRY_END + +STEP 3 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a. 
IN TXT +ENTRY_END + +STEP 4 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +a. IN TXT +SECTION ANSWER +ENTRY_END + +STEP 5 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.rpz-ip. IN A +ENTRY_END + +STEP 6 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +a.rpz-ip. IN A +SECTION ANSWER +ENTRY_END + +STEP 7 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c. IN TXT +ENTRY_END + +STEP 8 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +c. IN TXT +SECTION ANSWER +c. IN TXT "yet another hello from initial RPZ" +c. IN TXT "another hello from initial RPZ" +c. IN TXT "hello from initial RPZ" +ENTRY_END + +STEP 9 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c.rpz-ip. IN A +ENTRY_END + +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +c.rpz-ip. IN A +SECTION ANSWER +c.rpz-ip. IN A 10.66.0.4 +c.rpz-ip. IN A 10.66.0.3 +ENTRY_END + +STEP 11 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +d. IN TXT +ENTRY_END + +STEP 12 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NXDOMAIN +SECTION QUESTION +d. IN TXT +ENTRY_END + +STEP 13 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +d.rpz-ip. IN A +ENTRY_END + + +STEP 15 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +d.rpz-ip. IN A +ENTRY_END + +STEP 16 TIME_PASSES ELAPSE 1 +STEP 30 TIME_PASSES ELAPSE 3600 +STEP 40 TRAFFIC + +STEP 50 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +b. IN TXT +ENTRY_END + +STEP 51 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +b. IN TXT +SECTION ANSWER +b. IN TXT "hello from RPZ" +ENTRY_END + +STEP 52 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a. IN TXT +ENTRY_END + +STEP 53 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NXDOMAIN +SECTION QUESTION +a. IN TXT +SECTION ANSWER +ENTRY_END + +STEP 54 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.rpz-ip. 
IN A +ENTRY_END + +STEP 55 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +a.rpz-ip. IN A +SECTION ANSWER +ENTRY_END + +STEP 56 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c. IN TXT +ENTRY_END + +STEP 57 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +c. IN TXT +SECTION ANSWER +c. IN TXT "hello from RPZ" +c. IN TXT "yet another hello from initial RPZ" +ENTRY_END + +STEP 58 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c.rpz-ip. IN A +ENTRY_END + +STEP 59 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +c.rpz-ip. IN A +SECTION ANSWER +c.rpz-ip. IN A 10.66.0.6 +c.rpz-ip. IN A 10.66.0.5 +ENTRY_END + +STEP 60 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +d. IN TXT +ENTRY_END + +STEP 61 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +d. IN TXT +SECTION ANSWER +d. IN TXT "hello from upstream" +ENTRY_END + +STEP 62 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +d.rpz-ip. IN A +ENTRY_END + +STEP 63 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +d.rpz-ip. IN A +SECTION ANSWER +d.rpz-ip. IN A 10.0.123.4 +ENTRY_END + +SCENARIO_END diff --git a/testdata/rpz_qname.rpl b/testdata/rpz_qname.rpl new file mode 100644 index 000000000000..7940e93926a8 --- /dev/null +++ b/testdata/rpz_qname.rpl 
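Review bot: The root priming reply in the RANGE block has `ns. IN NS 10.20.30.40` in its ADDITIONAL section, which gives an NS record an address as its target; this looks like a typo for the glue record `ns. IN A 10.20.30.40`, the form rpz_respip.rpl uses for the same reply. The step numbering jumps from `STEP 13 QUERY` to `STEP 15 CHECK_ANSWER`, and `STEP 16 TIME_PASSES ELAPSE 1` precedes the 3600 second wait with no comment stating what the extra second is for. The IXFR answer would be easier to check with two comment lines marking the records after the serial 1 SOA as deletions and those after the second serial 2 SOA as additions. That matters because the third TXT record (`yet another hello from initial RPZ`) is deliberately left out of the deletions, and step 57 depends on it surviving.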
@@ -0,0 +1,304 @@ +; config options +server: + module-config: "respip validator iterator" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: no + +rpz: + name: "rpz.example.com." + zonefile: +TEMPFILE_NAME rpz.example.com +TEMPFILE_CONTENTS rpz.example.com +$ORIGIN example.com. +rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. ( + 1379078166 28800 7200 604800 7200 ) + 3600 IN NS ns1.rpz.example.com. + 3600 IN NS ns2.rpz.example.com. +$ORIGIN rpz.example.com. +a CNAME . +a CNAME *. ; duplicate CNAME here on purpose +*.a TXT "wildcard local data" +b.a CNAME *. +c.a CNAME rpz-passthru. +TEMPFILE_END + +rpz: + name: "rpz2.example.com." + zonefile: +TEMPFILE_NAME rpz2.example.com +TEMPFILE_CONTENTS rpz2.example.com +$ORIGIN example.com. +rpz2 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. ( + 1379078166 28800 7200 604800 7200 ) + 3600 IN NS ns1.rpz.example.com. + 3600 IN NS ns2.rpz.example.com. +$ORIGIN rpz2.example.com. +a TXT "local data 2nd zone" +d TXT "local data 2nd zone" +e CNAME *.a.example. +*.e CNAME *.b.example. +drop CNAME rpz-drop. +TEMPFILE_END + +stub-zone: + name: "a." + stub-addr: 10.20.30.40 +stub-zone: + name: "example." + stub-addr: 10.20.30.50 +CONFIG_END + +SCENARIO_BEGIN Test all support RPZ action for QNAME trigger + +; a. +RANGE_BEGIN 0 100 + ADDRESS 10.20.30.40 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a. IN NS +SECTION ANSWER +a. IN NS ns.a. +SECTION ADDITIONAL +ns.a IN A 10.20.30.40 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +c.a. IN TXT +SECTION ANSWER +c.a. IN TXT "answer from upstream ns" +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +x.b.a. IN TXT +SECTION ANSWER +x.b.a. IN TXT "answer from upstream ns" +ENTRY_END + +RANGE_END + +; example. 
+RANGE_BEGIN 0 100 + ADDRESS 10.20.30.50 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example. IN NS +SECTION ANSWER +example. IN NS ns.example. +SECTION ADDITIONAL +ns.example IN A 10.20.30.50 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +e.a.example. IN TXT +SECTION ANSWER +e.a.example. IN TXT "e.a.example. answer from upstream ns" +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +something.e.b.example. IN TXT +SECTION ANSWER +something.e.b.example. IN TXT "*.b.example. answer from upstream ns" +ENTRY_END + +RANGE_END + +STEP 10 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a. IN TXT +ENTRY_END + +STEP 11 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NXDOMAIN +SECTION QUESTION +a. IN TXT +SECTION ANSWER +ENTRY_END + +STEP 20 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.a. IN TXT +ENTRY_END + +STEP 21 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +a.a. IN TXT +SECTION ANSWER +a.a. IN TXT "wildcard local data" +ENTRY_END + +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +b.a. IN TXT +ENTRY_END + +STEP 31 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +b.a. IN TXT +SECTION ANSWER +ENTRY_END + +STEP 40 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +x.a. IN TXT +ENTRY_END + +STEP 41 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +x.a. IN TXT +SECTION ANSWER +x.a. IN TXT "wildcard local data" +ENTRY_END + +STEP 50 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +x.a.a. IN TXT +ENTRY_END + +STEP 51 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +x.a.a. IN TXT +SECTION ANSWER +x.a.a. IN TXT "wildcard local data" +ENTRY_END + +STEP 60 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c.a. 
IN TXT +ENTRY_END + +STEP 61 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +c.a. IN TXT +SECTION ANSWER +c.a. IN TXT "answer from upstream ns" +ENTRY_END + +STEP 70 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +x.b.a. IN TXT +ENTRY_END + +STEP 71 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +x.b.a. IN TXT +SECTION ANSWER +x.b.a. IN TXT "answer from upstream ns" +ENTRY_END + +STEP 80 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +d. IN TXT +ENTRY_END + +STEP 81 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +d. IN TXT +SECTION ANSWER +d. IN TXT "local data 2nd zone" +ENTRY_END + +STEP 82 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +e. IN TXT +ENTRY_END + +STEP 83 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +e. IN TXT +SECTION ANSWER +e. IN CNAME e.a.example. +e.a.example. IN TXT "e.a.example. answer from upstream ns" +ENTRY_END + +STEP 84 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +something.e. IN TXT +ENTRY_END + +STEP 85 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +something.e. IN TXT +SECTION ANSWER +something.e. IN CNAME something.e.b.example. +something.e.b.example. IN TXT "*.b.example. answer from upstream ns" +ENTRY_END + +; deny zone +STEP 90 QUERY +ENTRY_BEGIN +SECTION QUESTION +drop. IN TXT +ENTRY_END +; no answer is checked at exit of testbound. +SCENARIO_END diff --git a/testdata/rpz_qname_override.rpl b/testdata/rpz_qname_override.rpl new file mode 100644 index 000000000000..b2608e251002 --- /dev/null +++ b/testdata/rpz_qname_override.rpl 
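Review bot: The final `STEP 90 QUERY` for `drop.` omits the `REPLY RD` line that every other query in this scenario sets, and nothing in the file says the difference is intended; if the drop action is meant to be exercised on an ordinary recursive query, add `REPLY RD` as rpz_qname_override.rpl does at its step 60. The scenario title reads `Test all support RPZ action for QNAME trigger`, where `Test all supported RPZ actions for QNAME trigger` is presumably meant. The glue lines `ns.a IN A 10.20.30.40` and `ns.example IN A 10.20.30.50` lack the trailing dot used on every other owner name, so they appear to rely on the test parser's default origin. Writing them as `ns.a.` and `ns.example.` removes that dependency.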
@@ -0,0 +1,197 @@ +; config options +server: + module-config: "respip validator iterator" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: no + +rpz: + name: "rpz.example.com." + rpz-action-override: disabled + zonefile: +TEMPFILE_NAME rpz.example.com +TEMPFILE_CONTENTS rpz.example.com +$ORIGIN rpz.example.com. +a TXT "record zone rpz.example.com" +TEMPFILE_END + +rpz: + name: "rpz2.example.com." + zonefile: +TEMPFILE_NAME rpz2.example.com +TEMPFILE_CONTENTS rpz2.example.com +$ORIGIN rpz2.example.com. +a TXT "record zone rpz2.example.com" +TEMPFILE_END + +rpz: + name: "rpz3.example.com." + rpz-action-override: nodata + zonefile: +TEMPFILE_NAME rpz3.example.com +TEMPFILE_CONTENTS rpz3.example.com +$ORIGIN rpz3.example.com. +b CNAME . +TEMPFILE_END + +rpz: + name: "rpz4.example.com." + rpz-action-override: nxdomain + zonefile: +TEMPFILE_NAME rpz4.example.com +TEMPFILE_CONTENTS rpz4.example.com +$ORIGIN rpz4.example.com. +c CNAME *. +TEMPFILE_END + +rpz: + name: "rpz5.example.com." + rpz-action-override: passthru + zonefile: +TEMPFILE_NAME rpz5.example.com +TEMPFILE_CONTENTS rpz5.example.com +$ORIGIN rpz5.example.com. +d TXT "should be override by passthru" +TEMPFILE_END + +rpz: + name: "rpz6.example.com." + rpz-action-override: cname + rpz-cname-override: "d." + zonefile: +TEMPFILE_NAME rpz6.example.com +TEMPFILE_CONTENTS rpz6.example.com +$ORIGIN rpz6.example.com. +e TXT "should be override by cname" +TEMPFILE_END + +rpz: + name: "rpz7.example.com." + rpz-action-override: drop + zonefile: +TEMPFILE_NAME rpz7.example.com +TEMPFILE_CONTENTS rpz7.example.com +$ORIGIN rpz7.example.com. +f TXT "should be override by drop policy" +TEMPFILE_END + +stub-zone: + name: "d." + stub-addr: 10.20.30.40 +CONFIG_END + +SCENARIO_BEGIN Test RPZ action overrides for QNAME trigger + +; d. +RANGE_BEGIN 0 100 + ADDRESS 10.20.30.40 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +d. IN TXT +SECTION ANSWER +d. 
IN TXT "answer from upstream ns" +ENTRY_END + +RANGE_END + +; check disabled override, should be answered using next policy zone +STEP 10 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a. IN TXT +ENTRY_END + +STEP 11 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +a. IN TXT +SECTION ANSWER +a TXT "record zone rpz2.example.com" +ENTRY_END + +; check nodata override, would be NXDOMAIN without override +STEP 20 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +b. IN TXT +ENTRY_END + +STEP 21 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +b. IN TXT +SECTION ANSWER +ENTRY_END + +; check nxdomain override, would be NODATA without override +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c. IN TXT +ENTRY_END + +STEP 31 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NXDOMAIN +SECTION QUESTION +c. IN TXT +SECTION ANSWER +ENTRY_END + +; check passthru override, would be localdata without override +STEP 40 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +d. IN TXT +ENTRY_END + +STEP 41 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +d. IN TXT +SECTION ANSWER +d. IN TXT "answer from upstream ns" +ENTRY_END + +; check cname override, would be localdata without override +STEP 50 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +e. IN TXT +ENTRY_END + +STEP 51 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +e. IN TXT +SECTION ANSWER +e. IN CNAME d. +d. IN TXT "answer from upstream ns" +ENTRY_END + +; check drop override, would be localdata without override +STEP 60 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +f. IN TXT +ENTRY_END +; no answer is checked at exit of testbound. + +SCENARIO_END diff --git a/testdata/rpz_respip.rpl b/testdata/rpz_respip.rpl new file mode 100644 index 000000000000..94f998be66a4 --- /dev/null +++ b/testdata/rpz_respip.rpl 
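Review bot: The expected answer at step 11 is written `a TXT "record zone rpz2.example.com"`, without the trailing dot and class that every other CHECK_ANSWER entry in this file uses. `a. IN TXT "record zone rpz2.example.com"` matches the question line and does not depend on how the parser completes a relative owner name. The local-data strings `should be override by passthru`, `... by cname` and `... by drop policy` would read better as `should be overridden by ...`. They are never returned when the test passes, so the wording can change without touching any expectation.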
@@ -0,0 +1,449 @@ +; config options +server: + module-config: "respip validator iterator" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: no + + +rpz: + name: "rpz.example.com." + zonefile: +TEMPFILE_NAME rpz.example.com +TEMPFILE_CONTENTS rpz.example.com +$ORIGIN example.com. +rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. ( + 1379078166 28800 7200 604800 7200 ) + 3600 IN NS ns1.rpz.example.com. + 3600 IN NS ns2.rpz.example.com. +$ORIGIN rpz.example.com. +8.0.0.0.10.rpz-ip CNAME *. +16.0.0.10.10.rpz-ip CNAME . +24.0.10.10.10.rpz-ip CNAME rpz-drop. +32.10.10.10.10.rpz-ip CNAME rpz-passthru. +32.zz.db8.2001.rpz-ip CNAME *. +48.zz.aa.db8.2001.rpz-ip CNAME . +64.zz.bb.aa.db8.2001.rpz-ip CNAME rpz-drop. +128.1.zz.cc.bb.aa.db8.2001.rpz-ip CNAME rpz-passthru. +128.123.zz.cc.bb.aa.db8.2001.rpz-ip AAAA 2001:db8::123 +128.124.0.0.cc.bb.aa.db8.2001.rpz-ip AAAA 2001:db8::124 + +TEMPFILE_END + +rpz: + name: "rpz2.example.com." + zonefile: +TEMPFILE_NAME rpz2.example.com +TEMPFILE_CONTENTS rpz2.example.com +$ORIGIN example.com. +rpz2 3600 IN SOA ns1.rpz2.example.com. hostmaster.rpz2.example.com. ( + 1379078166 28800 7200 604800 7200 ) + 3600 IN NS ns1.rpz2.example.com. + 3600 IN NS ns2.rpz2.example.com. +$ORIGIN rpz2.example.com. +32.10.10.10.10.rpz-ip A 203.0.113.123 +32.123.2.0.192.rpz-ip A 203.0.113.123 +128.1.zz.cc.bb.aa.db8.2001.rpz-ip AAAA 2001:db1::123 +TEMPFILE_END + +stub-zone: + name: "." + stub-addr: 10.20.30.40 +CONFIG_END + +SCENARIO_BEGIN Test all supported RPZ action for response IP address trigger + +; c. +RANGE_BEGIN 0 100 + ADDRESS 10.20.30.40 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS ns. +SECTION ADDITIONAL +ns. IN A 10.20.30.40 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a. IN A +SECTION ANSWER +a. 
IN A 10.0.0.123 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a. IN AAAA +SECTION ANSWER +a. IN AAAA 2001:db8::123 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +b. IN A +SECTION ANSWER +b. IN A 10.1.0.123 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +b. IN AAAA +SECTION ANSWER +b. IN AAAA 2001:db8:1::123 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +c. IN A +SECTION ANSWER +c. IN A 10.11.0.123 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +c. IN AAAA +SECTION ANSWER +c. IN AAAA 2001:db8:ff::123 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +d. IN A +SECTION ANSWER +d. IN A 10.10.0.123 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +d. IN AAAA +SECTION ANSWER +d. IN AAAA 2001:db8:aa::123 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +e. IN A +SECTION ANSWER +e. IN A 10.10.10.123 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +e. IN AAAA +SECTION ANSWER +e. IN AAAA 2001:db8:aa:bb::123 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +f. IN A +SECTION ANSWER +f. IN A 10.10.10.10 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +f. IN AAAA +SECTION ANSWER +f. IN AAAA 2001:db8:aa:bb:cc::1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +g. IN A +SECTION ANSWER +g. IN A 192.0.2.123 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +g. 
IN AAAA +SECTION ANSWER +g. IN AAAA 2001:db8:aa:bb:cc::123 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +h. IN AAAA +SECTION ANSWER +h. IN AAAA 2001:db8:aa:bb:cc::124 +ENTRY_END + +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a. IN A +ENTRY_END + +STEP 2 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +a. IN A +SECTION ANSWER +ENTRY_END + +STEP 3 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a. IN AAAA +ENTRY_END + +STEP 4 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +a. IN AAAA +SECTION ANSWER +ENTRY_END + +STEP 5 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +b. IN A +ENTRY_END + +STEP 6 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +b. IN A +SECTION ANSWER +ENTRY_END + +STEP 7 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +b. IN AAAA +ENTRY_END + +STEP 8 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +b. IN AAAA +SECTION ANSWER +ENTRY_END + +STEP 9 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c. IN A +ENTRY_END + +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +c. IN A +SECTION ANSWER +ENTRY_END + +STEP 11 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c. IN AAAA +ENTRY_END + +STEP 12 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +c. IN AAAA +SECTION ANSWER +ENTRY_END + +STEP 13 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +d. IN A +ENTRY_END + +STEP 14 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +d. IN A +SECTION ANSWER +ENTRY_END + +STEP 15 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +d. IN AAAA +ENTRY_END + +STEP 16 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +d. IN AAAA +SECTION ANSWER +ENTRY_END + +STEP 17 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +f. 
IN A +ENTRY_END + +STEP 18 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +f. IN A +SECTION ANSWER +f. IN A 10.10.10.10 +ENTRY_END + +STEP 19 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +f. IN AAAA +ENTRY_END + +STEP 20 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +f. IN AAAA +SECTION ANSWER +f. IN AAAA 2001:db8:aa:bb:cc::1 +ENTRY_END + +STEP 21 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +g. IN A +ENTRY_END + +STEP 22 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +g. IN A +SECTION ANSWER +g. IN A 203.0.113.123 +ENTRY_END + +STEP 23 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +g. IN AAAA +ENTRY_END + +STEP 24 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +g. IN AAAA +SECTION ANSWER +g. IN AAAA 2001:db8::123 +ENTRY_END + +STEP 25 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +h. IN AAAA +ENTRY_END + +STEP 26 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +h. IN AAAA +SECTION ANSWER +h. IN AAAA 2001:db8::124 +ENTRY_END + +; should be dropped +STEP 27 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +e. IN A +ENTRY_END +STEP 28 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +e. IN AAAA +ENTRY_END +STEP 29 TIME_PASSES ELAPSE 12 +SCENARIO_END diff --git a/testdata/rpz_respip_override.rpl b/testdata/rpz_respip_override.rpl new file mode 100644 index 000000000000..16d91378a29a --- /dev/null +++ b/testdata/rpz_respip_override.rpl 
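Review bot: The comment `; c.` above the RANGE block is stale: the block answers for the root stub at 10.20.30.40 and for the names a. through h., so something like `; root stub, serves a. through h.` fits better (rpz_respip_override.rpl carries the same leftover comment). The drop cases at steps 27 and 28 have only `; should be dropped` and no CHECK_ANSWER, which leaves the pass condition implicit; the QNAME tests' sentence `; no answer is checked at exit of testbound.` should be repeated here. The policy zones also need a comment on the overlapping triggers. `32.10.10.10.10.rpz-ip CNAME rpz-passthru.` in the first zone has to win over the `A 203.0.113.123` rewrite for the same address in rpz2, and that zone ordering is what steps 17-20 actually verify.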
@@ -0,0 +1,265 @@ +; config options +server: + module-config: "respip validator iterator" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: no + +rpz: + name: "rpz.example.com." + rpz-action-override: disabled + zonefile: +TEMPFILE_NAME rpz.example.com +TEMPFILE_CONTENTS rpz.example.com +$ORIGIN rpz.example.com. +32.1.113.0.203.rpz-ip A 192.0.2.1 +TEMPFILE_END + +rpz: + name: "rpz2.example.com." + zonefile: +TEMPFILE_NAME rpz2.example.com +TEMPFILE_CONTENTS rpz2.example.com +$ORIGIN rpz2.example.com. +32.1.113.0.203.rpz-ip A 192.0.2.2 +TEMPFILE_END + +rpz: + name: "rpz3.example.com." + rpz-action-override: nodata + zonefile: +TEMPFILE_NAME rpz3.example.com +TEMPFILE_CONTENTS rpz3.example.com +$ORIGIN rpz3.example.com. +32.3.113.0.203.rpz-ip CNAME . +TEMPFILE_END + +rpz: + name: "rpz4.example.com." + rpz-action-override: nxdomain + zonefile: +TEMPFILE_NAME rpz4.example.com +TEMPFILE_CONTENTS rpz4.example.com +$ORIGIN rpz4.example.com. +32.4.113.0.203.rpz-ip CNAME *. +TEMPFILE_END + +rpz: + name: "rpz5.example.com." + rpz-action-override: passthru + zonefile: +TEMPFILE_NAME rpz5.example.com +TEMPFILE_CONTENTS rpz5.example.com +$ORIGIN rpz5.example.com. +32.5.113.0.203.rpz-ip A 192.0.2.5 +TEMPFILE_END + +rpz: + name: "rpz6.example.com." + rpz-action-override: cname + rpz-cname-override: ns. + zonefile: +TEMPFILE_NAME rpz6.example.com +TEMPFILE_CONTENTS rpz6.example.com +$ORIGIN rpz6.example.com. +32.6.113.0.203.rpz-ip A 192.0.2.6 +TEMPFILE_END + +rpz: + name: "rpz7.example.com." + rpz-action-override: drop + zonefile: +TEMPFILE_NAME rpz7.example.com +TEMPFILE_CONTENTS rpz7.example.com +$ORIGIN rpz7.example.com. +32.7.113.0.203.rpz-ip A 192.0.2.7 +TEMPFILE_END + +stub-zone: + name: "." + stub-addr: 10.20.30.40 +CONFIG_END + +SCENARIO_BEGIN Test all supported RPZ action for response IP address trigger + +; c. +RANGE_BEGIN 0 100 + ADDRESS 10.20.30.40 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. 
IN NS +SECTION ANSWER +. IN NS ns. +SECTION ADDITIONAL +ns. IN A 10.20.30.40 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ns. IN A +SECTION ANSWER +ns. IN A 10.20.30.40 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a. IN A +SECTION ANSWER +a. IN A 203.0.113.1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +b. IN A +SECTION ANSWER +b. IN A 203.0.113.3 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +c. IN A +SECTION ANSWER +c. IN A 203.0.113.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +d. IN A +SECTION ANSWER +d. IN A 203.0.113.5 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +e. IN A +SECTION ANSWER +e. IN A 203.0.113.6 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +f. IN A +SECTION ANSWER +f. IN A 203.0.113.7 +ENTRY_END + +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a. IN A +ENTRY_END + +STEP 2 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +a. IN A +SECTION ANSWER +a. IN A 192.0.2.2 +ENTRY_END + +STEP 3 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +b. IN A +ENTRY_END + +STEP 4 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +b. IN A +SECTION ANSWER +ENTRY_END + +STEP 5 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c. IN A +ENTRY_END + +STEP 6 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +c. IN A +SECTION ANSWER +ENTRY_END + +STEP 7 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +d. IN A +ENTRY_END + +STEP 8 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +d. IN A +SECTION ANSWER +d. 
IN A 203.0.113.5 +ENTRY_END + +STEP 9 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +e. IN A +ENTRY_END + +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +e. IN A +SECTION ANSWER +e. IN CNAME ns. +ns. IN A 10.20.30.40 +ENTRY_END + +STEP 11 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +f. IN A +ENTRY_END +; no answer is checked at exit of testbound. + +STEP 12 TIME_PASSES ELAPSE 10 + +SCENARIO_END diff --git a/testdata/serve_expired.rpl b/testdata/serve_expired.rpl new file mode 100644 index 000000000000..167470335212 --- /dev/null +++ b/testdata/serve_expired.rpl 
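Review bot: The `SCENARIO_BEGIN` title is copied unchanged from rpz_respip.rpl (`Test all supported RPZ action for response IP address trigger`), so the two scenarios cannot be told apart by name; `Test RPZ action overrides for response IP address trigger` would match the title of rpz_qname_override.rpl. Unlike that file, none of the steps here has a comment saying which override is checked and what the result would be without it. A line such as `; check nodata override, would be NXDOMAIN without override` before step 3, and its counterparts before the other steps, would carry that over. `rpz-cname-override: ns.` is unquoted here and written as `"d."` in the QNAME variant; one form should be used in both files.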
@@ -0,0 +1,122 @@ +; config options +server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no + serve-expired: yes + access-control: 127.0.0.1/32 allow_snoop + +stub-zone: + name: "example.com" + stub-addr: 1.2.3.4 +CONFIG_END + +SCENARIO_BEGIN Test serve-expired +; Scenario overview: +; - query for example.com. IN A +; - check that we get an answer for example.com. IN A with the correct TTL +; - query again (without the RD bit) right after the TTL expired +; - check that we get the expired cached answer (this should trigger prefetching) +; - query with RD bit and check that the cached record was updated + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN NS + SECTION ANSWER + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 10 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; Query with RD flag +STEP 1 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. IN A +ENTRY_END + +; Check that we got the correct answer (should be cached) +STEP 10 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 10 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 +ENTRY_END + +; Wait for the TTL to expire +STEP 11 TIME_PASSES ELAPSE 3601 + +; Query again without RD bit +STEP 30 QUERY +ENTRY_BEGIN + SECTION QUESTION + example.com. 
IN A +ENTRY_END + +; Check that we got a stale answer +STEP 40 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 30 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. 30 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 30 IN A 1.2.3.4 +ENTRY_END + +; Query with RD bit (the record should have been prefetched) +STEP 50 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. IN A +ENTRY_END + +STEP 60 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 10 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 +ENTRY_END + +SCENARIO_END diff --git a/testdata/serve_expired_client_timeout.rpl b/testdata/serve_expired_client_timeout.rpl new file mode 100644 index 000000000000..3f3163afb823 --- /dev/null +++ b/testdata/serve_expired_client_timeout.rpl 
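Review bot: Step 40 expects a TTL of 30 on every record of the stale answer, but the config block never sets `serve-expired-reply-ttl`, so the check depends on the built-in default. Adding `serve-expired-reply-ttl: 30` to the `server:` section, as serve_expired_client_timeout.rpl does with 123, keeps the expectation tied to the test itself. The comment `; Wait for the TTL to expire` sits on `ELAPSE 3601` although the A record carries a TTL of 10; if the wait is sized to outlast the NS and glue records, which have no explicit TTL in the upstream reply, the comment should say so. `access-control: 127.0.0.1/32 allow_snoop` is what lets the non-RD query at step 30 read the cache, and a one-line comment such as `; allow_snoop: permit the non-RD cache lookup in step 30 (exposes cache contents to that client)` would record why it is there.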
@@ -0,0 +1,127 @@ +; config options +server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no + serve-expired: yes + serve-expired-client-timeout: 1 + serve-expired-reply-ttl: 123 + +stub-zone: + name: "example.com" + stub-addr: 1.2.3.4 +CONFIG_END + +SCENARIO_BEGIN Test serve-expired with client-timeout and reply-ttl +; Scenario overview: +; - query for example.com. IN A +; - check that we get an answer for example.com. IN A with the correct TTL +; - query again right after the TTL expired +; - check that we get the expired cached answer with the configured reply ttl + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN NS + SECTION ANSWER + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 20 + ADDRESS 1.2.3.4 + ; response to A query + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 10 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; Query with RD flag +STEP 1 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. IN A +ENTRY_END + +; Check that we got the correct answer (should be cached) +STEP 10 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 10 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 +ENTRY_END + +; Wait for the TTL to expire +STEP 11 TIME_PASSES ELAPSE 3600 + +; Query again +STEP 30 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. 
IN A +ENTRY_END + +; Allow the client timer to expire +STEP 31 TIME_PASSES ELAPSE 1 + +; Check that we got a stale answer +STEP 40 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 123 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. 123 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 123 IN A 1.2.3.4 +ENTRY_END + +; Reply to the outstanding query so that the test doesn't fail with +; pending messages. +STEP 41 REPLY +ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + ; authoritative answer + REPLY QR AA RD RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 3600 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. 3600 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 3600 IN A 1.2.3.4 +ENTRY_END + +SCENARIO_END diff --git a/testdata/serve_expired_reply_ttl.rpl b/testdata/serve_expired_reply_ttl.rpl new file mode 100644 index 000000000000..c45b8383e390 --- /dev/null +++ b/testdata/serve_expired_reply_ttl.rpl 
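Review bot: STEP 11 uses `TIME_PASSES ELAPSE 3600` where the sibling scenarios in this commit use 3601, which puts the NS and glue records (no explicit TTL, presumably a 3600 default) exactly on the expiry boundary. STEP 40 expects all three sections to carry the 123 reply TTL, so the result depends on whether expiry is tested with `<` or `<=`. Unless the boundary is the thing under test, I would use `STEP 11 TIME_PASSES ELAPSE 3601` to match the other files, or add a comment saying the exact-boundary case is deliberate.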
@@ -0,0 +1,103 @@ +; config options +server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no + serve-expired: yes + serve-expired-reply-ttl: 123 + +stub-zone: + name: "example.com" + stub-addr: 1.2.3.4 +CONFIG_END + +SCENARIO_BEGIN Test serve-expired with reply-ttl +; Scenario overview: +; - query for example.com. IN A +; - check that we get an answer for example.com. IN A with the correct TTL +; - query again right after the TTL expired +; - check that we get the expired cached answer with the configured TTL + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN NS + SECTION ANSWER + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 10 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; Query with RD flag +STEP 1 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. IN A +ENTRY_END + +; Check that we got the correct answer (should be cached) +STEP 10 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 10 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 +ENTRY_END + +; Wait for the TTL to expire +STEP 11 TIME_PASSES ELAPSE 3601 + +; Query again +STEP 30 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. IN A +ENTRY_END + +; Check that we got a stale answer +STEP 40 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 
123 A 5.6.7.8 + SECTION AUTHORITY + example.com. 123 NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 123 A 1.2.3.4 +ENTRY_END + +; Give time for the pending query to get answered +STEP 41 TRAFFIC + +SCENARIO_END diff --git a/testdata/serve_expired_servfail.rpl b/testdata/serve_expired_servfail.rpl new file mode 100644 index 000000000000..80ffcde74666 --- /dev/null +++ b/testdata/serve_expired_servfail.rpl 
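Review bot: The three expected records in STEP 40 drop the class field (`example.com. 123 A 5.6.7.8`, `example.com. 123 NS ns.example.com.`, `ns.example.com. 123 A 1.2.3.4`), while every other record in this file and in the sibling scenarios spells out `IN`. The parser presumably defaults the class, so this is a style point, but the inconsistency makes it look as if the class omission is part of what is being tested. I would write them as `example.com. 123 IN A 5.6.7.8` and likewise for the other two.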
@@ -0,0 +1,117 @@ +; config options +server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no + serve-expired: yes + serve-expired-client-timeout: 1800 + serve-expired-reply-ttl: 123 + log-servfail: yes + + +stub-zone: + name: "example.com" + stub-addr: 1.2.3.4 +CONFIG_END + +SCENARIO_BEGIN Test serve-expired with client-timeout and a SERVFAIL upstream reply +; Scenario overview: +; - query for example.com. IN A +; - check that we get an answer for example.com. IN A with the correct TTL +; - query again right after the TTL expired +; - answer from upstream is servfail +; - check that we get the expired cached answer instead + +; ns.example.com. +RANGE_BEGIN 0 20 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN NS + SECTION ANSWER + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 10 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 30 100 + ADDRESS 1.2.3.4 + ; response to A query + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA SERVFAIL + SECTION QUESTION + example.com. IN A + ENTRY_END +RANGE_END + +; Query with RD flag +STEP 1 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. IN A +ENTRY_END + +; Check that we got the correct answer (should be cached) +STEP 10 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 10 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 
IN A 1.2.3.4 +ENTRY_END + +; Wait for the TTL to expire +STEP 11 TIME_PASSES ELAPSE 3601 + +; Query again +STEP 30 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. IN A +ENTRY_END + +; Check that we got a stale answer +STEP 40 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 123 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. 123 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 123 IN A 1.2.3.4 +ENTRY_END + +SCENARIO_END diff --git a/testdata/serve_expired_ttl.rpl b/testdata/serve_expired_ttl.rpl new file mode 100644 index 000000000000..df4ecb89d48a --- /dev/null +++ b/testdata/serve_expired_ttl.rpl 
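Review bot: Nothing in the scenario says why `serve-expired-client-timeout` is 1800 when no step ever lets that much time pass after the second query. As written, the timeout looks chosen so that the client timer cannot fire, leaving the upstream SERVFAIL from the `RANGE_BEGIN 30 100` block as the only path to the stale answer at STEP 40, but a reader has to work that out. I would add a comment above STEP 40 such as `; client timeout (1800s) has not elapsed: the stale answer is served because upstream returned SERVFAIL`. The two consecutive blank lines after `log-servfail: yes` can be reduced to one.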
@@ -0,0 +1,100 @@ +; config options +server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no + serve-expired: yes + serve-expired-ttl: 10 + +stub-zone: + name: "example.com" + stub-addr: 1.2.3.4 +CONFIG_END + +SCENARIO_BEGIN Test serve-expired +; Scenario overview: +; - query for example.com. IN A +; - check that we get an answer for example.com. IN A with the correct TTL +; - query again right after the TTL expired + serve-expired-ttl +; - check that we get an updated answer and not the cached one + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN NS + SECTION ANSWER + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; Query with RD flag +STEP 1 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. IN A +ENTRY_END + +; Check that we got the correct answer (should be cached) +STEP 10 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 +ENTRY_END + +; Wait for the TTL to expire + serve-expired-ttl +STEP 11 TIME_PASSES ELAPSE 3611 + +; Query again +STEP 30 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. IN A +ENTRY_END + +; Check that we got an updated answer +STEP 40 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 
IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 +ENTRY_END + +SCENARIO_END diff --git a/testdata/serve_expired_ttl_client_timeout.rpl b/testdata/serve_expired_ttl_client_timeout.rpl new file mode 100644 index 000000000000..169d070ead14 --- /dev/null +++ b/testdata/serve_expired_ttl_client_timeout.rpl 
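Review bot: `SCENARIO_BEGIN Test serve-expired` duplicates the title of the plain serve-expired scenario added earlier in this commit, and serve_expired_ttl_client_timeout.rpl reuses it again, so three different tests announce themselves identically in test output. The scenario overview in serve_expired_ttl_client_timeout.rpl is also a straight copy of this one and never mentions the client timeout. I would name them after what they configure, for example `SCENARIO_BEGIN Test serve-expired with serve-expired-ttl` here and `SCENARIO_BEGIN Test serve-expired with serve-expired-ttl and client-timeout` in the other file.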
@@ -0,0 +1,128 @@ +; config options +server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no + serve-expired: yes + serve-expired-ttl: 10 + serve-expired-client-timeout: 1 + +stub-zone: + name: "example.com" + stub-addr: 1.2.3.4 +CONFIG_END + +SCENARIO_BEGIN Test serve-expired +; Scenario overview: +; - query for example.com. IN A +; - check that we get an answer for example.com. IN A with the correct TTL +; - query again right after the TTL expired + serve-expired-ttl +; - check that we get an updated answer and not the cached one + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN NS + SECTION ANSWER + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 20 + ADDRESS 1.2.3.4 + ; response to A query + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; Query with RD flag +STEP 1 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. IN A +ENTRY_END + +; Check that we got the correct answer (should be cached) +STEP 10 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 +ENTRY_END + +; Wait for the TTL to expire + serve-expired-ttl +STEP 11 TIME_PASSES ELAPSE 3611 + +; Query again +STEP 30 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. 
IN A +ENTRY_END + +; Allow the client timer to expire +STEP 31 TIME_PASSES ELAPSE 1 + +; We shouldn't get a reply here. +; There is cached data but serve-expired-ttl has passed. + +STEP 40 REPLY +ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + ; authoritative answer + REPLY QR AA RD RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 3600 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. 3600 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 3600 IN A 1.2.3.4 +ENTRY_END + +; Check that we got the updated answer +STEP 41 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 +ENTRY_END + +SCENARIO_END diff --git a/testdata/serve_expired_zerottl.rpl b/testdata/serve_expired_zerottl.rpl new file mode 100644 index 000000000000..846435f3841c --- /dev/null +++ b/testdata/serve_expired_zerottl.rpl 
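Review bot: The comment `; We shouldn't get a reply here.` before STEP 40 states the property this scenario exists to test, yet no step asserts it directly. It appears to be enforced only indirectly: a stale reply sent at STEP 31 would carry the reply TTL and, assuming CHECK_ANSWER is handed the earliest pending reply, would fail the `MATCH all ttl` comparison at STEP 41. I would document that next to STEP 41, for example `; a stale reply sent after the client timeout would carry the reply TTL and fail this ttl match`, so a later edit that relaxes the match does not silently remove the check.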
@@ -0,0 +1,154 @@ +; config options +server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no + serve-expired: yes + serve-expired-reply-ttl: 123 + +stub-zone: + name: "example.com" + stub-addr: 1.2.3.4 +CONFIG_END + +SCENARIO_BEGIN Test 0 TLL with serve-expired +; Scenario overview: +; - query for example.com. IN A +; - check that we get an answer for example.com. IN A with the correct 0 TTL +; - query again; this time the answer has >0 TTL +; - check the answer +; - query one last time after expiration +; - check that the configured reply ttl is used + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN NS + SECTION ANSWER + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +RANGE_BEGIN 0 10 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 0 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. 0 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 0 IN A 1.2.3.4 + ENTRY_END +RANGE_END + +RANGE_BEGIN 11 100 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 10 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. 10 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 10 IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; Let some time to pass so that timenow > 0 +STEP 1 TIME_PASSES ELAPSE 3600 + +; Query with RD flag +STEP 2 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. IN A +ENTRY_END + +; Check that we got the correct answer with 0 TTL +STEP 10 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 
0 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. 0 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 0 IN A 1.2.3.4 +ENTRY_END + +; Let some time to pass +STEP 11 TIME_PASSES ELAPSE 1 + +; Query with RD flag +STEP 20 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. IN A +ENTRY_END + +; Check that we got the correct answer +STEP 29 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 10 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. 10 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 10 IN A 1.2.3.4 +ENTRY_END + +; Wait for the TTL to expire +STEP 30 TIME_PASSES ELAPSE 11 + +; Query with RD flag +STEP 40 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. IN A +ENTRY_END + +; Check that we got the correct answer +STEP 49 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 123 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. 123 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 123 IN A 1.2.3.4 +ENTRY_END + +; Give time for the pending query to get answered +STEP 50 TRAFFIC + +SCENARIO_END diff --git a/testdata/subnet_cached.crpl b/testdata/subnet_cached.crpl index a0d89af51c1e..209831335b8a 100644 --- a/testdata/subnet_cached.crpl +++ b/testdata/subnet_cached.crpl @@ -10,6 +10,8 @@ server: max-client-subnet-ipv4: 17 module-config: "subnetcache validator iterator" verbosity: 3 + fake-sha1: yes + fake-dsa: yes access-control: 127.0.0.1 allow_snoop qname-minimisation: "no" minimal-responses: no diff --git a/testdata/subnet_val_positive.crpl b/testdata/subnet_val_positive.crpl index afec59933d91..01456e58b89a 100644 --- a/testdata/subnet_val_positive.crpl +++ b/testdata/subnet_val_positive.crpl 
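Review bot: The scenario title reads `SCENARIO_BEGIN Test 0 TLL with serve-expired`; `TLL` should be `TTL`, since this string is what shows up when the test is listed or fails. The two timing comments `; Let some time to pass so that timenow > 0` and `; Let some time to pass` would read better as `; Let some time pass ...`. The three CHECK_ANSWER steps after the first all share the comment `; Check that we got the correct answer`; the last one (STEP 49) could say `; Check that the expired answer carries the configured reply ttl` to match the overview.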
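Review bot: `fake-sha1: yes` and `fake-dsa: yes` are added to a scenario that loads the validator module, with no comment on what they turn off. As far as I can tell these are test-harness switches that let DSA and SHA-1 signatures be accepted without a real cryptographic check, which means this scenario, and subnet_val_positive.crpl and subnet_val_positive_client.crpl which get the same two lines, no longer prove that signature verification itself works. I would add a comment above them in each file, such as `; test data is signed with DSA/SHA-1; signatures are accepted without crypto verification`, and confirm that a production build rejects or ignores both options. It is also worth checking that a negative counterpart (a bad signature that must still fail) exists for the subnet cache path.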
@@ -9,6 +9,8 @@ server: max-client-subnet-ipv4: 17 module-config: "subnetcache validator iterator" verbosity: 3 + fake-sha1: yes + fake-dsa: yes qname-minimisation: "no" minimal-responses: no diff --git a/testdata/subnet_val_positive_client.crpl b/testdata/subnet_val_positive_client.crpl index e631a64e6a29..b573742b7067 100644 --- a/testdata/subnet_val_positive_client.crpl +++ b/testdata/subnet_val_positive_client.crpl @@ -10,6 +10,8 @@ server: max-client-subnet-ipv4: 17 module-config: "subnetcache validator iterator" verbosity: 3 + fake-sha1: yes + fake-dsa: yes qname-minimisation: "no" minimal-responses: no diff --git a/testdata/tcp_req_size.tdir/tcp_req_size.test b/testdata/tcp_req_size.tdir/tcp_req_size.test index 0260b2117ff3..4417771563a2 100644 --- a/testdata/tcp_req_size.tdir/tcp_req_size.test +++ b/testdata/tcp_req_size.tdir/tcp_req_size.test @@ -95,6 +95,33 @@ else echo "result contents not OK" exit 1 fi +echo "OK" + +# check that the server is still up +echo "" +echo "> query www1.example.net. (again check if server up)" +$PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT www1.example.net. A IN >outfile 2>&1 +cat outfile +if test "$?" -ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + cat fwd.log + cat unbound.log + echo "Not OK" + exit 1 +fi +if grep "www1.example.net" outfile | grep "1.2.3.1"; then + echo "content OK" +else + echo "result contents not OK" + echo "> cat logfiles" + cat outfile + cat fwd.log + cat unbound.log + echo "result contents not OK" + exit 1 +fi echo "OK" exit 0 |
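Review bot: In the tcp_req_size.test hunk the new liveness check tests the wrong exit status: `cat outfile` runs between the `streamtcp` call and `if test "$?" -ne 0`, so `$?` is the status of `cat`, which is almost always 0. A crashed or unreachable server is therefore only caught by the later `grep`, and the "exit status not OK" branch is effectively dead. Capture the status straight after the query with `rc=$?` on the line following the `streamtcp` command and test `if test "$rc" -ne 0; then`. The script continues outside the hunk, and the earlier checks in the file may use the same pattern and be worth checking too.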
