| author | Cy Schubert <cy@FreeBSD.org> | 2021-02-09 20:59:02 +0000 |
|---|---|---|
| committer | Cy Schubert <cy@FreeBSD.org> | 2021-02-09 20:59:02 +0000 |
| commit | d60fa10fd872db7e3d8cb1e161cfdae026c43b14 (patch) | |
| tree | e19b79c68276ce72fabece9595abbdd5e6378eb0 /testdata | |
| parent | 072fbfa38b24d202f4eac875ad2f93531dad7f7e (diff) | |
Diffstat (limited to 'testdata')
| -rw-r--r-- | testdata/auth_zonefile_down.rpl | 157 | ||||
| -rw-r--r--[-rwxr-xr-x] | testdata/common.sh | 0 | ||||
| -rw-r--r-- | testdata/fwd_ancil.tdir/fwd_ancil.post | 6 | ||||
| -rw-r--r-- | testdata/localdata.rpl | 53 | ||||
| -rw-r--r-- | testdata/nsid_ascii.rpl | 54 | ||||
| -rw-r--r-- | testdata/nsid_hex.rpl | 54 | ||||
| -rw-r--r-- | testdata/nsid_not_set.rpl | 47 | ||||
| -rw-r--r-- | testdata/padding.tdir/padding.conf | 27 | ||||
| -rw-r--r-- | testdata/padding.tdir/padding.conf2 | 47 | ||||
| -rw-r--r-- | testdata/padding.tdir/padding.dsc | 16 | ||||
| -rw-r--r-- | testdata/padding.tdir/padding.msgsizes | 20 | ||||
| -rw-r--r-- | testdata/padding.tdir/padding.post | 23 | ||||
| -rw-r--r-- | testdata/padding.tdir/padding.pre | 69 | ||||
| -rw-r--r-- | testdata/padding.tdir/padding.test | 170 | ||||
| -rw-r--r-- | testdata/padding.tdir/padding.testns | 34 | ||||
| -rw-r--r-- | testdata/padding.tdir/unbound_control.key | 39 | ||||
| -rw-r--r-- | testdata/padding.tdir/unbound_control.pem | 22 | ||||
| -rw-r--r-- | testdata/padding.tdir/unbound_server.key | 39 | ||||
| -rw-r--r-- | testdata/padding.tdir/unbound_server.pem | 22 | ||||
| -rw-r--r-- | testdata/serve_original_ttl.rpl | 136 |
20 files changed, 1024 insertions, 11 deletions
diff --git a/testdata/auth_zonefile_down.rpl b/testdata/auth_zonefile_down.rpl index 09e7fd061407..9c5ecbb1c8ba 100644 --- a/testdata/auth_zonefile_down.rpl +++ b/testdata/auth_zonefile_down.rpl @@ -1,6 +1,12 @@ ; config options server: target-fetch-policy: "0 0 0 0 0" + ; Options for signed zone. The zone is partially copied from val_negcache_nxdomain.rpl + trust-anchor: "testzone.nlnetlabs.nl. IN DS 2926 8 2 6f8512d1e82eecbd684fc4a76f39f8c5b411af385494873bdead663ddb78a88b" + val-override-date: "20180213111425" + qname-minimisation: "no" + trust-anchor-signaling: no + aggressive-nsec: yes auth-zone: name: "example.com." 
@@ -41,6 +47,50 @@ ns1 3600 IN A 1.2.3.4 ns2 3600 IN AAAA ::2 TEMPFILE_END +auth-zone: + name: "soa.high.com." + for-downstream: yes + for-upstream: no + zonefile: +TEMPFILE_NAME soa.high.com +TEMPFILE_CONTENTS soa.high.com +$ORIGIN high.com. +soa 500 IN SOA dns.example.de. hostmaster.dns.example.de. ( + 1379078166 28800 7200 604800 200 ) + 3600 IN NS ns1.example.com. + 3600 IN NS ns2.example.com. +TEMPFILE_END + +auth-zone: + name: "soa.low.com." + for-downstream: yes + for-upstream: no + zonefile: +TEMPFILE_NAME soa.low.com +TEMPFILE_CONTENTS soa.low.com +$ORIGIN low.com. +soa 200 IN SOA dns.example.de. hostmaster.dns.example.de. ( + 1379078166 28800 7200 604800 500 ) + 3600 IN NS ns1.example.com. + 3600 IN NS ns2.example.com. +TEMPFILE_END + +auth-zone: + name: "testzone.nlnetlabs.nl." + for-downstream: yes + for-upstream: no + zonefile: +TEMPFILE_NAME testzone.nlnetlabs.nl +TEMPFILE_CONTENTS testzone.nlnetlabs.nl +$ORIGIN testzone.nlnetlabs.nl. +testzone.nlnetlabs.nl. 3600 IN NSEC alligator.testzone.nlnetlabs.nl. NS SOA RRSIG NSEC DNSKEY +testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. gTKn6U1nal9oA79IRxLa/7zexl6A0yJZzeEGBbZ5rh5feyAr2X4LTR9bPCgcHeMVggf4FP+kD1L/sxzj/YLwB1ZKGKlwnzsHtPFTlmvDClaqQ76DRZq5Vejr2ZfnclBUb2vtxaXywTRW8oueaaq9flcShEQ/cQ+KRU8sc344qd0= +alligator.testzone.nlnetlabs.nl. 3600 IN NSEC cheetah.testzone.nlnetlabs.nl. TXT RRSIG NSEC +alligator.testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 4 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. QAgQ0AsMoYG02+VPfoOctSPlTHdQOkQt5fFkSkzIbVhUzNOqa+dB/Qkc81AwFeJosA+PvYjt6utcVkIWmK2Djy9eXC49gILtVF79vUe4G7ZrybO5NXjqNa5ANoUGM+yew4wkjeNOMVAsvs+1kvFY7S8RAa/0AIYlZHQ8vNBPNaI= +testzone.nlnetlabs.nl. 4600 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600 +testzone.nlnetlabs.nl. 4600 IN RRSIG SOA 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. 
GhmXNFQktZIgaBpGKwj9Q2mfq5+jcbRPK+PPgtRVicUPZga/d/iGEL8PV/8DzGwkaZbM14pamSUMgdJibW4zNhLz/ukjPilbjoj6giH1jtbdZLAQ6iK9pZ/4jKUEq4txviTczZNnDeolgPEEl4xo4NclQmi7zj1XBlQRbjvG0/0= +TEMPFILE_END + stub-zone: name: "." stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. @@ -50,7 +100,7 @@ SCENARIO_BEGIN Test authority zone with zonefile for downstream responses ; K.ROOT-SERVERS.NET. RANGE_BEGIN 0 100 - ADDRESS 193.0.14.129 + ADDRESS 193.0.14.129 ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id 
@@ -182,4 +232,109 @@ SECTION ANSWER www.example.com. IN A 1.2.3.4 ENTRY_END +; check SOA TTL to be the minimum of the SOA.minimum and the SOA TTL +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +nonexistent.soa.high.com. IN A +ENTRY_END +STEP 31 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ttl +REPLY QR RD RA AA NXDOMAIN +SECTION QUESTION +nonexistent.soa.high.com IN A +SECTION AUTHORITY +soa.high.com. 200 IN SOA dns.example.de. hostmaster.dns.example.de. 1379078166 28800 7200 604800 200 +ENTRY_END +; check that the original SOA is also returned +STEP 32 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +soa.high.com. IN SOA +ENTRY_END +STEP 33 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ttl +REPLY QR RD RA AA NOERROR +SECTION QUESTION +soa.high.com. IN SOA +SECTION ANSWER +soa.high.com. 500 IN SOA dns.example.de. hostmaster.dns.example.de. 1379078166 28800 7200 604800 200 +ENTRY_END + +; check SOA TTL to be the minimum of the SOA.minimum and the SOA TTL +STEP 40 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +nonexistent.soa.low.com. IN A +ENTRY_END +STEP 41 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ttl +REPLY QR RD RA AA NXDOMAIN +SECTION QUESTION +nonexistent.soa.low.com. IN A +SECTION AUTHORITY +soa.low.com. 200 IN SOA dns.example.de. hostmaster.dns.example.de. 1379078166 28800 7200 604800 500 +ENTRY_END +; check that the original SOA is also returned +STEP 42 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +soa.low.com. IN SOA +ENTRY_END +STEP 43 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ttl +REPLY QR RD RA AA NOERROR +SECTION QUESTION +soa.low.com. IN SOA +SECTION ANSWER +soa.low.com. 200 IN SOA dns.example.de. hostmaster.dns.example.de. 1379078166 28800 7200 604800 500 +ENTRY_END + +; check SOA TTL to be minimum of the SOA.minimum and the SOA TTL for DNSSEC +STEP 50 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +ant.testzone.nlnetlabs.nl. 
IN A +ENTRY_END +STEP 51 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ttl +REPLY QR RD DO RA AA NXDOMAIN +SECTION QUESTION +ant.testzone.nlnetlabs.nl. IN A +SECTION AUTHORITY +testzone.nlnetlabs.nl. 3600 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600 +testzone.nlnetlabs.nl. 3600 IN RRSIG SOA 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. GhmXNFQktZIgaBpGKwj9Q2mfq5+jcbRPK+PPgtRVicUPZga/d/iGEL8PV/8DzGwkaZbM14pamSUMgdJibW4zNhLz/ukjPilbjoj6giH1jtbdZLAQ6iK9pZ/4jKUEq4txviTczZNnDeolgPEEl4xo4NclQmi7zj1XBlQRbjvG0/0= +alligator.testzone.nlnetlabs.nl. 3600 IN NSEC cheetah.testzone.nlnetlabs.nl. TXT RRSIG NSEC +alligator.testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 4 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. QAgQ0AsMoYG02+VPfoOctSPlTHdQOkQt5fFkSkzIbVhUzNOqa+dB/Qkc81AwFeJosA+PvYjt6utcVkIWmK2Djy9eXC49gILtVF79vUe4G7ZrybO5NXjqNa5ANoUGM+yew4wkjeNOMVAsvs+1kvFY7S8RAa/0AIYlZHQ8vNBPNaI= +testzone.nlnetlabs.nl. 3600 IN NSEC alligator.testzone.nlnetlabs.nl. NS SOA RRSIG NSEC DNSKEY +testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. gTKn6U1nal9oA79IRxLa/7zexl6A0yJZzeEGBbZ5rh5feyAr2X4LTR9bPCgcHeMVggf4FP+kD1L/sxzj/YLwB1ZKGKlwnzsHtPFTlmvDClaqQ76DRZq5Vejr2ZfnclBUb2vtxaXywTRW8oueaaq9flcShEQ/cQ+KRU8sc344qd0= +ENTRY_END +; check that the original SOA is also returned +STEP 52 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +testzone.nlnetlabs.nl. IN SOA +ENTRY_END +STEP 53 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ttl +REPLY QR RD DO RA AA NOERROR +SECTION QUESTION +testzone.nlnetlabs.nl. IN SOA +SECTION ANSWER +testzone.nlnetlabs.nl. 4600 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600 +testzone.nlnetlabs.nl. 4600 IN RRSIG SOA 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. 
GhmXNFQktZIgaBpGKwj9Q2mfq5+jcbRPK+PPgtRVicUPZga/d/iGEL8PV/8DzGwkaZbM14pamSUMgdJibW4zNhLz/ukjPilbjoj6giH1jtbdZLAQ6iK9pZ/4jKUEq4txviTczZNnDeolgPEEl4xo4NclQmi7zj1XBlQRbjvG0/0= +ENTRY_END + SCENARIO_END diff --git a/testdata/common.sh b/testdata/common.sh index f6d72c2f046a..f6d72c2f046a 100755..100644 --- a/testdata/common.sh +++ b/testdata/common.sh diff --git a/testdata/fwd_ancil.tdir/fwd_ancil.post b/testdata/fwd_ancil.tdir/fwd_ancil.post index a74ba856e3b6..6578151af737 100644 --- a/testdata/fwd_ancil.tdir/fwd_ancil.post +++ b/testdata/fwd_ancil.tdir/fwd_ancil.post @@ -14,5 +14,9 @@ fi kill_pid $FWD_PID if fgrep "service stopped" unbound.log; then exit 0 -fi +fi +if fgrep "disable interface-automatic" unbound.log; then + echo "skip test" + exit 0 +fi kill_pid $UNBOUND_PID diff --git a/testdata/localdata.rpl b/testdata/localdata.rpl index a2e7eeba2949..047fbeebadd4 100644 --- a/testdata/localdata.rpl +++ b/testdata/localdata.rpl @@ -35,6 +35,9 @@ server: local-zone: "redirect.top." redirect local-data: "redirect.top. A 20.30.40.54" + ; null zone + local-zone: "null.top." always_null + ; create implicit data in the IN domain as well local-data: "a.a.implicit. A 20.30.41.50" local-data: "b.a.implicit. A 20.30.42.50" @@ -85,12 +88,12 @@ local. IN A ENTRY_END STEP 6 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ttl REPLY QR RA AA SECTION QUESTION local. IN A SECTION AUTHORITY -local. 3600 IN SOA nobody nobody 1 2 3 4 5 +local. 5 IN SOA nobody nobody 1 2 3 4 5 ENTRY_END ; positive SOA @@ -101,7 +104,7 @@ local. IN SOA ENTRY_END STEP 8 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ttl REPLY QR RA AA SECTION QUESTION local. IN SOA @@ -133,12 +136,12 @@ serv.local. IN MX ENTRY_END STEP 12 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ttl REPLY QR RA AA SECTION QUESTION serv.local. IN MX SECTION AUTHORITY -local. 3600 IN SOA nobody nobody 1 2 3 4 5 +local. 5 IN SOA nobody nobody 1 2 3 4 5 ENTRY_END ; no such type, empty nonterminal 
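Review bot: In the added STEP 31 of testdata/auth_zonefile_down.rpl the expected question is written `nonexistent.soa.high.com IN A`, without the trailing dot that the STEP 30 query and the parallel STEP 41 both use. The check uses `MATCH all ttl`, so it presumably passes only because the parser treats the name as absolute. Write `nonexistent.soa.high.com. IN A` so the expected entry does not depend on how a relative name is resolved.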
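Review bot: In testdata/fwd_ancil.tdir/fwd_ancil.post the added skip branch runs `exit 0` before the `kill_pid $UNBOUND_PID` on the last line of the hunk. If unbound is still running when "disable interface-automatic" appears in unbound.log, the skipped test leaves that process behind, still holding its port. Unless that log line is only emitted on a fatal start-up error, call `kill_pid $UNBOUND_PID` before `exit 0` in the new branch. The script starts above the hunk, so how unbound was launched is not visible here.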
@@ -149,12 +152,12 @@ bla.local. IN MX ENTRY_END STEP 14 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ttl REPLY QR RA AA SECTION QUESTION bla.local. IN MX SECTION AUTHORITY -local. 3600 IN SOA nobody nobody 1 2 3 4 5 +local. 5 IN SOA nobody nobody 1 2 3 4 5 ENTRY_END ; nxdomain with SOA @@ -165,12 +168,12 @@ doing.local. IN MX ENTRY_END STEP 16 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ttl REPLY QR RA AA NXDOMAIN SECTION QUESTION doing.local. IN MX SECTION AUTHORITY -local. 3600 IN SOA nobody nobody 1 2 3 4 5 +local. 5 IN SOA nobody nobody 1 2 3 4 5 ENTRY_END ; nxdomain without SOA @@ -355,4 +358,36 @@ SECTION ANSWER www.redirect.top. IN A 20.30.40.54 ENTRY_END +; always_null zone +STEP 60 QUERY +ENTRY_BEGIN +SECTION QUESTION +null.top. IN A +ENTRY_END +STEP 61 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RA AA NOERROR +SECTION QUESTION +null.top. IN A +SECTION ANSWER +null.top. IN A 0.0.0.0 +ENTRY_END + +; always_null zone AAAA +STEP 62 QUERY +ENTRY_BEGIN +SECTION QUESTION +foo.null.top. IN AAAA +ENTRY_END +STEP 63 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RA AA NOERROR +SECTION QUESTION +foo.null.top. IN AAAA +SECTION ANSWER +foo.null.top. IN AAAA ::0 +ENTRY_END + SCENARIO_END diff --git a/testdata/nsid_ascii.rpl b/testdata/nsid_ascii.rpl new file mode 100644 index 000000000000..f357db5aec2a --- /dev/null +++ b/testdata/nsid_ascii.rpl 
@@ -0,0 +1,54 @@
+; config options
+server:
+ nsid: "ascii_hopsa kidee"
+
+stub-zone:
+ name: "example."
+ stub-addr: 192.0.2.1
+CONFIG_END
+
+SCENARIO_BEGIN Test EDNS string tag option
+
+RANGE_BEGIN 0 1000
+ ADDRESS 192.0.2.1
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example. IN A
+SECTION ANSWER
+example. IN A 198.51.100.1
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+example. IN A
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ 00 03 ; Opcode NSID (3)
+ 00 00 ; Length 0
+ HEX_EDNSDATA_END
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+example. IN A
+SECTION ANSWER
+example. IN A 198.51.100.1
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ 00 03 ; Opcode NSID (3)
+ 00 0b ; Length 11
+ 68 6F 70 73 61 20 ; "hopsa "
+ 6B 69 64 65 65 ; "kidee"
+ HEX_EDNSDATA_END
+ENTRY_END
+SCENARIO_END
diff --git a/testdata/nsid_hex.rpl b/testdata/nsid_hex.rpl
new file mode 100644
index 000000000000..0d5e8f40d9cf
--- /dev/null
+++ b/testdata/nsid_hex.rpl
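Review bot: The title `SCENARIO_BEGIN Test EDNS string tag option` in testdata/nsid_ascii.rpl does not describe what the scenario checks, which is the NSID option configured by `nsid: "ascii_hopsa kidee"`. The same title is repeated in nsid_hex.rpl and nsid_not_set.rpl, so a failure report cannot tell the three apart. A title such as `SCENARIO_BEGIN Test NSID option with ascii_ prefixed value`, with matching titles for the hex and not-set cases, would fix that. The `; Opcode NSID (3)` comments would also read better as `; Option code NSID (3)`, since 3 is an EDNS option code and not a DNS opcode.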
@@ -0,0 +1,54 @@
+; config options
+server:
+ nsid: "0123456789abcdef"
+
+stub-zone:
+ name: "example."
+ stub-addr: 192.0.2.1
+CONFIG_END
+
+SCENARIO_BEGIN Test EDNS string tag option
+
+RANGE_BEGIN 0 1000
+ ADDRESS 192.0.2.1
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example. IN A
+SECTION ANSWER
+example. IN A 198.51.100.1
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+example. IN A
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ 00 03 ; Opcode NSID (3)
+ 00 00 ; Length 0
+ HEX_EDNSDATA_END
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+example. IN A
+SECTION ANSWER
+example. IN A 198.51.100.1
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ 00 03 ; Opcode NSID (3)
+ 00 08 ; Length 8
+ 01 23 45 67 ;
+ 89 ab cd ef ;
+ HEX_EDNSDATA_END
+ENTRY_END
+SCENARIO_END
diff --git a/testdata/nsid_not_set.rpl b/testdata/nsid_not_set.rpl
new file mode 100644
index 000000000000..06abe5985adb
--- /dev/null
+++ b/testdata/nsid_not_set.rpl
@@ -0,0 +1,47 @@
+; config options
+stub-zone:
+ name: "example."
+ stub-addr: 192.0.2.1
+CONFIG_END
+
+SCENARIO_BEGIN Test EDNS string tag option
+
+RANGE_BEGIN 0 1000
+ ADDRESS 192.0.2.1
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example. IN A
+SECTION ANSWER
+example. IN A 198.51.100.1
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+example. IN A
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ 00 03 ; Opcode NSID (3)
+ 00 00 ; Length 0
+ HEX_EDNSDATA_END
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+example. IN A
+SECTION ANSWER
+example. IN A 198.51.100.1
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ HEX_EDNSDATA_END
+ENTRY_END
+SCENARIO_END
diff --git a/testdata/padding.tdir/padding.conf b/testdata/padding.tdir/padding.conf
new file mode 100644
index 000000000000..c310d355d737
--- /dev/null
+++ b/testdata/padding.tdir/padding.conf
@@ -0,0 +1,27 @@
+server:
+ interface: 127.0.0.1
+ port: @PORT@
+ use-syslog: no
+ directory: .
+ pidfile: "unbound.pid"
+ chroot: ""
+ username: ""
+ do-not-query-localhost: no
+
+ tls-cert-bundle: "unbound_server.pem"
+ tls-upstream: yes
+
+remote-control:
+ control-enable: yes
+ control-interface: 127.0.0.1
+ control-port: @CONTROL_PORT@
+ server-key-file: "unbound_server.key"
+ server-cert-file: "unbound_server.pem"
+ control-key-file: "unbound_control.key"
+ control-cert-file: "unbound_control.pem"
+
+forward-zone:
+ name: "."
+ forward-addr: "127.0.0.1@@TOPORT@#unbound"
+
+
diff --git a/testdata/padding.tdir/padding.conf2 b/testdata/padding.tdir/padding.conf2
new file mode 100644
index 000000000000..98be8fec748b
--- /dev/null
+++ b/testdata/padding.tdir/padding.conf2
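Review bot: testdata/padding.tdir/padding.conf has no comment saying that the key material it references is test-only. It enables `remote-control` with `server-key-file: "unbound_server.key"` and `control-key-file: "unbound_control.key"`, and this commit adds both private keys under the same directory, so anyone with the source tree holds them. The exposure is limited here because `control-interface` is 127.0.0.1 and the ports are filled in per run, but a copy of this file used as a starting point elsewhere would carry publicly known control credentials. A leading comment such as `# test-only: keys and certificates in this directory are public, never reuse them outside the test suite` would make that explicit; the same applies to padding.conf2.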
@@ -0,0 +1,47 @@
+# this is the upstream server that has pipelining and responds to queries.
+server:
+ verbosity: 1
+ # num-threads: 1
+ interface: 127.0.0.1@@PORT@
+ port: @PORT@
+ use-syslog: no
+ directory: .
+ pidfile: "unbound2.pid"
+ chroot: ""
+ username: ""
+ do-not-query-localhost: no
+ tls-port: @PORT@
+ tls-service-key: "unbound_server.key"
+ tls-service-pem: "unbound_server.pem"
+ tcp-idle-timeout: 10000
+ log-queries: yes
+ log-replies: yes
+ log-identity: "upstream"
+
+remote-control:
+ control-enable: yes
+ control-interface: 127.0.0.1
+ # control-interface: ::1
+ control-port: @CONTROL_PORT2@
+ server-key-file: "unbound_server.key"
+ server-cert-file: "unbound_server.pem"
+ control-key-file: "unbound_control.key"
+ control-cert-file: "unbound_control.pem"
+
+forward-zone:
+ name: "."
+ forward-addr: "127.0.0.1@@TOPORT@"
+
+dnstap:
+ dnstap-enable: yes
+ dnstap-socket-path: "dnstap.socket"
+ dnstap-send-identity: yes
+ dnstap-send-version: yes
+ #dnstap-identity
+ #dnstap-version
+ dnstap-log-resolver-query-messages: no
+ dnstap-log-resolver-response-messages: no
+ dnstap-log-client-query-messages: yes
+ dnstap-log-client-response-messages: yes
+ dnstap-log-forwarder-query-messages: no
+ dnstap-log-forwarder-response-messages: no
diff --git a/testdata/padding.tdir/padding.dsc b/testdata/padding.tdir/padding.dsc
new file mode 100644
index 000000000000..37aceb353bc2
--- /dev/null
+++ b/testdata/padding.tdir/padding.dsc
@@ -0,0 +1,16 @@
+BaseName: padding
+Version: 1.0
+Description: Test EDNS0 padding option (RFC7830 and RFC8467).
+CreationDate: Sun Jan 24 16:41:42 CET 2021
+Maintainer: Willem Toorop
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: padding.pre
+Post: padding.post
+Test: padding.test
+AuxFiles:
+Passed:
+Failure:
diff --git a/testdata/padding.tdir/padding.msgsizes b/testdata/padding.tdir/padding.msgsizes
new file mode 100644
index 000000000000..f0d4a496d4b5
--- /dev/null
+++ b/testdata/padding.tdir/padding.msgsizes
@@ -0,0 +1,20 @@
+;; MSG SIZE rcvd: 128
+;; MSG SIZE rcvd: 468
+;; MSG SIZE rcvd: 128
+;; MSG SIZE rcvd: 936
+;; MSG SIZE rcvd: 128
+;; MSG SIZE rcvd: 60
+;; MSG SIZE rcvd: 128
+;; MSG SIZE rcvd: 502
+;; MSG SIZE rcvd: 44
+;; MSG SIZE rcvd: 60
+;; MSG SIZE rcvd: 44
+;; MSG SIZE rcvd: 502
+;; MSG SIZE rcvd: 48
+;; MSG SIZE rcvd: 64
+;; MSG SIZE rcvd: 48
+;; MSG SIZE rcvd: 512
+;; MSG SIZE rcvd: 48
+;; MSG SIZE rcvd: 512
+;; MSG SIZE rcvd: 48
+;; MSG SIZE rcvd: 512
diff --git a/testdata/padding.tdir/padding.post b/testdata/padding.tdir/padding.post
new file mode 100644
index 000000000000..826798a8f4f8
--- /dev/null
+++ b/testdata/padding.tdir/padding.post
@@ -0,0 +1,23 @@
+# #-- padding.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+PRE="../.."
+if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+kill_pid $DNSTAP_SOCKET_PID
+kill_pid $FWD_PID
+kill_pid `cat unbound2.pid`
+if test -f unbound2.log; then
+ echo ">>> upstream log"
+ cat unbound2.log
+fi
+#kill_pid $UNBOUND_PID
+kill_pid `cat unbound.pid`
+if test -f unbound.log; then
+ echo ">>> unbound log"
+ cat unbound.log
+fi
diff --git a/testdata/padding.tdir/padding.pre b/testdata/padding.tdir/padding.pre
new file mode 100644
index 000000000000..4a13d0229b11
--- /dev/null
+++ b/testdata/padding.tdir/padding.pre
@@ -0,0 +1,69 @@
+# #-- padding.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+
+get_random_port 5
+UNBOUND_PORT=$RND_PORT
+UPSTREAM_PORT=$(($RND_PORT + 1))
+FWD_PORT=$(($RND_PORT + 2))
+CONTROL_PORT=$(($RND_PORT + 3))
+CONTROL_PORT2=$(($RND_PORT + 4))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "UPSTREAM_PORT=$UPSTREAM_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
+echo "CONTROL_PORT2=$CONTROL_PORT2" >> .tpkg.var.test
+
+# start ldns-testnd
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT padding.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# start the dnstap log server
+# the -vvvv flag prints protocol and connection information from the
+# unbound-dnstap-socket server.
+# the -l flag prints the DNS info in the DNSTAP packet in multiline output.
+# stderr is the '-vvvv' server logs and errors.
+# stdout is the one-line packet logs (or with -l, multiline).
+$PRE/unbound-dnstap-socket -u dnstap.socket -l -vvvv 2>tap.errlog >tap.log &
+if test $? -ne 0; then
+ echo "could not start unbound-dnstap-socket server"
+ exit 1
+fi
+DNSTAP_SOCKET_PID=$!
+echo "DNSTAP_SOCKET_PID=$DNSTAP_SOCKET_PID" >> .tpkg.var.test
+# wait for the server to go up and make the dnstap.socket file
+wait_server_up "tap.errlog" "creating unix socket"
+if test ! -S dnstap.socket; then
+ echo "the dnstap.socket file does not exist!"
+fi
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$UPSTREAM_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < padding.conf > ub.conf
+# start unbound in the background
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+#$PRE/unbound -d -c ub.conf 2>&1 | tee unbound.log &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+# make upstream config file
+sed -e 's/@PORT\@/'$UPSTREAM_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@CONTROL_PORT2\@/'$CONTROL_PORT2'/' < padding.conf2 > ub2.conf
+# start upstream unbound in the background
+$PRE/unbound -d -c ub2.conf >unbound2.log 2>&1 &
+#$PRE/unbound -d -c ub2.conf 2>&1 | tee unbound2.log &
+UPSTREAM_PID=$!
+echo "UPSTREAM_PID=$UPSTREAM_PID" >> .tpkg.var.test
+
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+wait_unbound_up unbound2.log
+
+cat .tpkg.var.test
+
diff --git a/testdata/padding.tdir/padding.test b/testdata/padding.tdir/padding.test
new file mode 100644
index 000000000000..5111d8139ca9
--- /dev/null
+++ b/testdata/padding.tdir/padding.test
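Review bot: In testdata/padding.tdir/padding.pre the `if test $? -ne 0` check after `$PRE/unbound-dnstap-socket ... &` cannot detect a failed start, because `$?` after a backgrounded command is 0 whether or not the program later fails. The only remaining guard is the `if test ! -S dnstap.socket` branch, and that one just prints a message and lets setup continue without a log server. Making that branch fatal gives the check its intended effect: add `exit 1` after `echo "the dnstap.socket file does not exist!"`. The dead `$?` test can then be dropped.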
@@ -0,0 +1,170 @@
+echo There we go...
+
+# #-- padding.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+
+echo "> query www.example.com. A"
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+ echo "OK"
+else
+ echo "> cat logfiles"
+ cat tap.log
+ cat tap.errlog
+ cat fwd.log
+ cat unbound2.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+
+echo "> wait for log to happen on timer"
+sleep 3
+echo "> check tap.log for dnstap info"
+# see if it logged the information in tap.log
+# wait for a moment for filesystem to catch up.
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "www.example.com" tap.log >/dev/null; then :; else sleep 10; fi
+if grep "www.example.com" tap.log; then echo "yes it is in tap.log";
+else
+ echo "information not in tap.log"
+ echo "failed"
+ echo "> cat logfiles"
+ cat tap.log
+ cat tap.errlog
+ cat fwd.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+
+echo "> query txt.example.com. TXT"
+dig @127.0.0.1 -p $UNBOUND_PORT txt.example.com. TXT | tee outfile
+echo "> check answer"
+if grep "Lorem ipsum" outfile; then
+ echo "OK"
+else
+ echo "> cat logfiles"
+ cat tap.log
+ cat tap.errlog
+ cat fwd.log
+ cat unbound2.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+echo "> check tap.log for dnstap info"
+# see if it logged the information in tap.log
+# wait for a moment for filesystem to catch up.
+if grep "txt.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "txt.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "txt.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "txt.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "txt.example.com" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "txt.example.com" tap.log >/dev/null; then :; else sleep 10; fi
+if grep "txt.example.com" tap.log; then echo "yes it is in tap.log";
+else
+ echo "information not in tap.log"
+ echo "failed"
+ echo "> cat logfiles"
+ cat tap.log
+ cat tap.errlog
+ cat fwd.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+
+echo "> flush cache entries."
+$PRE/unbound-control -c ub.conf flush_type www.example.com A
+$PRE/unbound-control -c ub.conf flush_type txt.example.com TXT
+echo "> disable padding of responses."
+$PRE/unbound-control -c ub2.conf set_option pad-responses: no
+echo "> query www.example.com. A"
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. A | tee outfile
+echo "> query txt.example.com. TXT"
+dig @127.0.0.1 -p $UNBOUND_PORT txt.example.com. TXT | tee outfile
+echo "> flush cache entries."
+$PRE/unbound-control -c ub.conf flush_type www.example.com A
+$PRE/unbound-control -c ub.conf flush_type txt.example.com TXT
+echo "> enable padding of responses."
+$PRE/unbound-control -c ub2.conf set_option pad-responses: yes
+echo "> set pad responses block size to 64"
+$PRE/unbound-control -c ub2.conf set_option pad-responses-block-size: 64
+echo "> disable padding of queries."
+$PRE/unbound-control -c ub.conf set_option pad-queries: no
+echo "> query www.example.com. A"
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. A | tee outfile
+echo "> query txt.example.com. TXT"
+dig @127.0.0.1 -p $UNBOUND_PORT txt.example.com. TXT | tee outfile
+echo "> flush cache entries."
+$PRE/unbound-control -c ub.conf flush_type www.example.com A
+$PRE/unbound-control -c ub.conf flush_type txt.example.com TXT
+echo "> enable padding of queries."
+$PRE/unbound-control -c ub.conf set_option pad-queries: yes
+echo "> set pad queries block size to 48"
+$PRE/unbound-control -c ub.conf set_option pad-queries-block-size: 48
+echo "> query www.example.com. A"
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. A | tee outfile
+echo "> query txt.example.com. TXT"
+dig @127.0.0.1 -p $UNBOUND_PORT txt.example.com. TXT | tee outfile
+echo "> flush cache entries."
+$PRE/unbound-control -c ub.conf flush_type www.example.com A
+$PRE/unbound-control -c ub.conf flush_type txt.example.com TXT
+echo "> set pad responses block size to 512"
+$PRE/unbound-control -c ub2.conf set_option pad-responses-block-size: 512
+echo "> query www.example.com. A"
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. A | tee outfile
+echo "> query fin.example.com. TXT"
+dig @127.0.0.1 -p $UNBOUND_PORT fin.example.com. TXT | tee outfile
+echo "> check tap.log for dnstap info"
+# see if it logged the information in tap.log
+# wait for a moment for filesystem to catch up.
+if grep "fini" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "fini" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "fini" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "fini" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "fini" tap.log >/dev/null; then :; else sleep 1; fi
+if grep "fini" tap.log >/dev/null; then :; else sleep 10; fi
+if grep "fini" tap.log; then echo "yes it is in tap.log";
+else
+ echo "information not in tap.log"
+ echo "failed"
+ echo "> cat logfiles"
+ cat tap.log
+ cat tap.errlog
+ cat fwd.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+
+grep '^;; MSG SIZE rcvd: ' tap.log > message.sizes
+
+if diff message.sizes padding.msgsizes
+then
+ echo "OK - Message sizes matched expected sizes"
+ exit 0
+else
+ echo "unexpected message sizes"
+ echo "failed"
+ echo "> cat logfiles"
+ cat tap.log
+ cat tap.errlog
+ cat fwd.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
diff --git a/testdata/padding.tdir/padding.testns b/testdata/padding.tdir/padding.testns
new file mode 100644
index 000000000000..bd3718ff6d48
--- /dev/null
+++ b/testdata/padding.tdir/padding.testns
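Review bot: None of the `$PRE/unbound-control ... set_option` and `flush_type` calls in testdata/padding.tdir/padding.test has its exit status checked. A refused control connection or a rejected option therefore only surfaces at the very end as "unexpected message sizes", with no hint of which step failed. The final `diff message.sizes padding.msgsizes` depends on every one of those option changes taking effect, so fail at the call instead, for example `$PRE/unbound-control -c ub2.conf set_option pad-responses: no || { echo "set_option failed"; exit 1; }`. The `dig ... | tee outfile` results after the first two queries are likewise overwritten without being checked.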
@@ -0,0 +1,34 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www IN A
+SECTION ANSWER
+www IN A 10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+txt IN TXT
+SECTION ANSWER
+txt IN TXT "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua." "Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." "Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur." "Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum."
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+fin IN TXT
+SECTION ANSWER
+fin IN TXT "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua." "Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat." "Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur." "Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum." "fini"
+ENTRY_END
+
diff --git a/testdata/padding.tdir/unbound_control.key b/testdata/padding.tdir/unbound_control.key
new file mode 100644
index 000000000000..753a4ef6162e
--- /dev/null
+++ b/testdata/padding.tdir/unbound_control.key
@@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG4gIBAAKCAYEAstEp+Pyh8XGrtZ77A4FhYjvbeB3dMa7Q2rGWxobzlA9przhA +1aChAvUtCOAuM+rB6NTNB8YWfZJbQHawyMNpmC77cg6vXLYCGUQHZyAqidN049RJ +F5T7j4N8Vniv17LiRdr0S6swy4PRvEnIPPV43EQHZqC5jVvHsKkhIfmBF/Dj5TXR +ypeawWV/m5jeU6/4HRYMfytBZdO1mPXuWLh0lgbQ4SCbgrOUVD3rniMk1yZIbQOm +vlDHYqekjDb/vOW2KxUQLG04aZMJ1mWfdbwG0CKQkSjISEDZ1l76vhM6mTM0fwXb +IvyFZ9yPPCle1mF5aSlxS2cmGuGVSRQaw8XF9fe3a9ACJJTr33HdSpyaZkKRAUzL +cKqLCl323daKv3NwwAT03Tj4iQM416ASMoiyfFa/2GWTKQVjddu8Crar7tGaf5xr +lig4DBmrBvdYA3njy72/RD71hLwmlRoCGU7dRuDr9O6KASUm1Ri91ONZ/qdjMvov +15l2vj4GV+KXR00dAgMBAAECggGAHepIL1N0dEQkCdpy+/8lH54L9WhpnOo2HqAf +LU9eaKK7d4jdr9+TkD8cLaPzltPrZNxVALvu/0sA4SP6J1wpyj/x6P7z73qzly5+ +Xo5PD4fEwmi9YaiW/UduAblnEZrnp/AddptJKoL/D5T4XtpiQddPtael4zQ7kB57 +YIexRSQTvEDovA/o3/nvA0TrzOxfgd4ycQP3iOWGN/TMzyLsvjydrUwbOB567iz9 +whL3Etdgvnwh5Sz2blbFfH+nAR8ctvFFz+osPvuIVR21VMEI6wm7kTpSNnQ6sh/c +lrLb/bTADn4g7z/LpIZJ+MrLvyEcoqValrLYeFBhM9CV8woPxvkO2P3pU47HVGax +tC7GV6a/kt5RoKFd/TNdiA3OC7NGZtaeXv9VkPf4fVwBtSO9d5ZZXTGEynDD/rUQ +U4KFJe6OD23APjse08HiiKqTPhsOneOONU67iqoaTdIkT2R4EdlkVEDpXVtWb+G9 +Q+IqYzVljlzuyHrhWXLJw/FMa2aBAoHBAOnZbi4gGpH+P6886WDWVgIlTccuXoyc +Mg9QQYk9UDeXxL0AizR5bZy49Sduegz9vkHpAiZARQsUnizHjZ8YlRcrmn4t6tx3 +ahTIKAjdprnxJfYINM580j8CGbXvX5LhIlm3O267D0Op+co3+7Ujy+cjsIuFQrP+ +1MqMgXSeBjzC1APivmps7HeFE+4w0k2PfN5wSMDNCzLo99PZuUG5XZ93OVOS5dpN +b+WskdcD8NOoJy/X/5A08veEI/jYO/DyqQKBwQDDwUQCOWf41ecvJLtBHKmEnHDz +ftzHino9DRKG8a9XaN4rmetnoWEaM2vHGX3pf3mwH+dAe8vJdAQueDhBKYeEpm6C +TYNOpou1+Zs5s99BilCTNYo8fkMOAyqwRwmz9zgHS6QxXuPwsghKefLJGt6o6RFF +tfWVTfLlYJ+I3GQe3ySsk3wjVz4oUTKiyiq5+KzD+HhEkS7u+RQ7Z0ZI2xd2cF8Y +aN2hjKDpcOiFf3CDoqka5D1qMNLgIHO52AHww1UCgcA1h7o7AMpURRka6hyaODY0 +A4oMYEbwdQjYjIyT998W+rzkbu1us6UtzQEBZ760npkgyU/epbOoV63lnkCC/MOU +LD0PST+L/CHiY/cWIHb79YG1EifUZKpUFg0Aoq0EGFkepF0MefGCkbRGYA5UZr9U +R80wAu9D+L+JJiS0J0BSRF74DL196zUuHt5zFeXuLzxsRtPAnq9DliS08BACRYZy +7H3I7cWD9Vn5/0jbKWHFcaaWwyETR6uekTcSzZzbCRECgcBeoE3/xUA9SSk34Mmj 
+7/cB4522Ft0imA3+9RK/qJTZ7Bd5fC4PKjOGNtUiqW/0L2rjeIiQ40bfWvWqgPKw +jSK1PL6uvkl6+4cNsFsYyZpiVDoe7wKju2UuoNlB3RUTqa2r2STFuNj2wRjA57I1 +BIgdnox65jqQsd14g/yaa+75/WP9CE45xzKEyrtvdcqxm0Pod3OrsYK+gikFjiar +kT0GQ8u0QPzh2tjt/2ZnIfOBrl+QYERP0MofDZDjhUdq2wECgcB0Lu841+yP5cdR +qbJhXO4zJNh7oWNcJlOuQp3ZMNFrA1oHpe9pmLukiROOy01k9WxIMQDzU5GSqRv3 +VLkYOIcbhJ3kClKAcM3j95SkKbU2H5/RENb3Ck52xtl4pNU1x/3PnVFZfDVuuHO9 +MZ9YBcIeK98MyP2jr5JtFKnOyPE7xKq0IHIhXadpbc2wjje5FtZ1cUtMyEECCXNa +C1TpXebHGyXGpY9WdWXhjdE/1jPvfS+uO5WyuDpYPr339gsdq1g= +-----END RSA PRIVATE KEY----- diff --git a/testdata/padding.tdir/unbound_control.pem b/testdata/padding.tdir/unbound_control.pem new file mode 100644 index 000000000000..a1edf7017f1d --- /dev/null +++ b/testdata/padding.tdir/unbound_control.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDszCCAhsCFGD5193whHQ2bVdzbaQfdf1gc4SkMA0GCSqGSIb3DQEBCwUAMBIx +EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjMwWhcNNDAwMzI1MTMzMjMw +WjAaMRgwFgYDVQQDDA91bmJvdW5kLWNvbnRyb2wwggGiMA0GCSqGSIb3DQEBAQUA +A4IBjwAwggGKAoIBgQCy0Sn4/KHxcau1nvsDgWFiO9t4Hd0xrtDasZbGhvOUD2mv +OEDVoKEC9S0I4C4z6sHo1M0HxhZ9kltAdrDIw2mYLvtyDq9ctgIZRAdnICqJ03Tj +1EkXlPuPg3xWeK/XsuJF2vRLqzDLg9G8Scg89XjcRAdmoLmNW8ewqSEh+YEX8OPl +NdHKl5rBZX+bmN5Tr/gdFgx/K0Fl07WY9e5YuHSWBtDhIJuCs5RUPeueIyTXJkht +A6a+UMdip6SMNv+85bYrFRAsbThpkwnWZZ91vAbQIpCRKMhIQNnWXvq+EzqZMzR/ +Bdsi/IVn3I88KV7WYXlpKXFLZyYa4ZVJFBrDxcX197dr0AIklOvfcd1KnJpmQpEB +TMtwqosKXfbd1oq/c3DABPTdOPiJAzjXoBIyiLJ8Vr/YZZMpBWN127wKtqvu0Zp/ +nGuWKDgMGasG91gDeePLvb9EPvWEvCaVGgIZTt1G4Ov07ooBJSbVGL3U41n+p2My ++i/XmXa+PgZX4pdHTR0CAwEAATANBgkqhkiG9w0BAQsFAAOCAYEAd++Wen6l8Ifj +4h3p/y16PhSsWJWuJ4wdNYy3/GM84S26wGjzlEEwiW76HpH6VJzPOiBAeWnFKE83 +hFyetEIxgJeIPbcs9ZP/Uoh8GZH9tRISBSN9Hgk2Slr9llo4t1H0g/XTgA5HqMQU +9YydlBh43G7Vw3FVwh09OM6poNOGQKNc/tq2/QdKeUMtyBbLWpRmjH5XcCT35fbn +ZiVOUldqSHD4kKrFO4nJYXZyipRbcXybsLiX9GP0GLemc3IgIvOXyJ2RPp06o/SJ +pzlMlkcAfLJaSuEW57xRakhuNK7m051TKKzJzIEX+NFYOVdafFHS8VwGrYsdrFvD +72tMfu+Fu55y3awdWWGc6YlaGogZiuMnJkvQphwgn+5qE/7CGEckoKEsH601rqIZ +muaIc85+nEcHJeijd/ZlBN9zeltjFoMuqTUENgmv8+tUAdVm/UMY9Vjme6b43ydP +uv6DS02+k9z8toxXworLiPr94BGaiGV1NxgwZKLZigYJt/Fi2Qte +-----END CERTIFICATE----- diff --git a/testdata/padding.tdir/unbound_server.key b/testdata/padding.tdir/unbound_server.key new file mode 100644 index 000000000000..370a7bbb2f22 --- /dev/null +++ b/testdata/padding.tdir/unbound_server.key 
@@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG5AIBAAKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI +0x41iG32a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+Nqq +GRS7XVQ24vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Z +uh9MDgotaBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8K +WaBe1ca4TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5 +FzUReSXZuTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xP +q6O9UPj4+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XL +A5UoZgRzXgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP +7kFZSngxdy1+A/bNAgMBAAECggGBALpTOIqQwVg4CFBylL/a8K1IWJTI/I65sklf +XxYL7G7SB2HlEJ//z+E+F0+S4Vlao1vyLQ5QkgE82pAUB8FoMWvY1qF0Y8A5wtm6 +iZSGk4OLK488ZbT8Ii9i+AGKgPe2XbVxsJwj8N4k7Zooqec9hz73Up8ATEWJkRz7 +2u7oMGG4z91E0PULA64dOi3l/vOQe5w/Aa+CwVbAWtI05o7kMvQEBMDJn6C7CByo +MB5op9wueJMnz7PM7hns+U7Dy6oE4ljuolJUy51bDzFWwoM54cRoQqLFNHd8JVQj +WxldCkbfF43iyprlsEcUrTyUjtdA+ZeiG39vg/mtdmgNpGmdupHJZQvSuG8IcVlz +O+eMSeQS1QXPD6Ik8UK4SU0h+zOl8xIWtRrsxQuh4fnTN40udm/YUWl/6gOebsBI +IrVLlKGqJSfB3tMjpCRqdTzJ0dA9keVpkqm2ugZkxEf1+/efq/rFIQ2pUBLCqNTN +qpNqruK8y8FphP30I2uI4Ej2UIB8AQKBwQDd2Yptj2FyDyaXCycsyde0wYkNyzGU +dRnzdibfHnMZwjgTjwAwgIUBVIS8H0/z7ZJQKN7osJfddMrtjJtYYUk9g/dCpHXs +bNh2QSoWah3FdzNGuWd0iRf9+LFxhjAAMo/FS8zFJAJKrFsBdCGTfFUMdsLC0bjr +YjiWBuvV72uKf8XIZX5KIZruKdWBBcWukcb21R1UDyFYyXRBsly5XHaIYKZql3km +7pV7MKWO0IYgHbHIqGUqPQlzZ/lkunS1jKECgcEA23wHffD6Ou9/x3okPx2AWpTr +gh8rgqbyo6hQkBW5Y90Wz824cqaYebZDaBR/xlVx/YwjKkohv8Bde2lpH/ZxRZ1Z +5Sk2s6GJ/vU0L9RsJZgCgj4L6Coal1NMxuZtCXAlnOpiCdxSZgfqbshbTVz30KsG +ZJG361Cua1ScdAHxlZBxT52/1Sm0zRC2hnxL7h4qo7Idmtzs40LAJvYOKekR0pPN +oWeJfra7vgx/jVNvMFWoOoSLpidVO4g+ot4ery6tAoHAdW3rCic1C2zdnmH28Iw+ +s50l8Lk3mz+I5wgJd1zkzCO0DxZIoWPGA3g7cmCYr6N3KRsZMs4W9NAXgjpFGDkW +zYsG3K21BdpvkdjYcFjnPVjlOXB2RIc0vehf9Jl02wXoeCSxVUDEPcaRvWk9RJYx +ZpGOchUU7vNkxHURbIJ4yCzuAi9G8/Jp0dsu+kaV5tufF5SjG5WOrzKjaQsCbdN1 +oqaWMCHRrTvov/Z2C+xwsptFOdN5CSyZzg6hQiI4GMlBAoHAXyb6KINcOEi0YMp3 
+BFXJ23tMTnEs78tozcKeipigcsbaqORK3omS+NEnj+uzKUzJyl4CsMbKstK2tFYS +mSTCHqgE3PBtIpsZtEqhgUraR8IK9GPpzZDTTl9ynZgwFTNlWw3RyuyVXF56J+T8 +kCGJ3hEHCHqT/ZRQyX85BKIDFhA0z4tYKxWVqIFiYBNq56R0X9tMMmMs36mEnF93 +7Ht6mowxTZQRa7nU0qOgeKh/P7ki4Zus3y+WJ+T9IqahLtlRAoHBAIhqMrcxSAB8 +RpB9jukJlAnidw2jCMPgrFE8tP0khhVvGrXMldxAUsMKntDIo8dGCnG1KTcWDI0O +jepvSPHSsxVLFugL79h0eVIS5z4huW48i9xgU8VlHdgAcgEPIAOFcOw2BCu/s0Vp +O+MM/EyUOdo3NsibB3qc/GJI6iNBYS7AljYEVo6rXo5V/MZvZUF4vClen6Obzsre +MTTb+4sJjfqleWuvr1XNMeu2mBfXBQkWGZP1byBK0MvD/aQ2PWq92A== +-----END RSA PRIVATE KEY----- diff --git a/testdata/padding.tdir/unbound_server.pem b/testdata/padding.tdir/unbound_server.pem new file mode 100644 index 000000000000..986807310f2b --- /dev/null +++ b/testdata/padding.tdir/unbound_server.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDqzCCAhMCFBHWXeQ6ZIa9QcQbXLFfC6tj+KA+MA0GCSqGSIb3DQEBCwUAMBIx +EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjI5WhcNNDAwMzI1MTMzMjI5 +WjASMRAwDgYDVQQDDAd1bmJvdW5kMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIB +igKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI0x41iG32 +a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+NqqGRS7XVQ2 +4vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Zuh9MDgot +aBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8KWaBe1ca4 +TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5FzUReSXZ +uTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xPq6O9UPj4 ++nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XLA5UoZgRz +XgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP7kFZSngx +dy1+A/bNAgMBAAEwDQYJKoZIhvcNAQELBQADggGBABunf93MKaCUHiZgnoOTinsW +84/EgInrgtKzAyH+BhnKkJOhhR0kkIAx5d9BpDlaSiRTACFon9moWCgDIIsK/Ar7 +JE0Kln9cV//wiiNoFU0O4mnzyGUIMvlaEX6QHMJJQYvL05+w/3AAcf5XmMJtR5ca +fJ8FqvGC34b2WxX9lTQoyT52sRt+1KnQikiMEnEyAdKktMG+MwKsFDdOwDXyZhZg +XZhRrfX3/NVJolqB6EahjWIGXDeKuSSKZVtCyib6LskyeMzN5lcRfvubKDdlqFVF +qlD7rHBsKhQUWK/IO64mGf7y/de+CgHtED5vDvr/p2uj/9sABATfbrOQR3W/Of25 +sLBj4OEfrJ7lX8hQgFaxkMI3x6VFT3W8dTCp7xnQgb6bgROWB5fNEZ9jk/gjSRmD +yIU+r0UbKe5kBk/CmZVFXL2TyJ92V5NYEQh8V4DGy19qZ6u/XKYyNJL4ocs35GGe +CA8SBuyrmdhx38h1RHErR2Skzadi1S7MwGf1y431fQ== +-----END CERTIFICATE----- diff --git a/testdata/serve_original_ttl.rpl b/testdata/serve_original_ttl.rpl new file mode 100644 index 000000000000..630fb39a4ef0 --- /dev/null +++ b/testdata/serve_original_ttl.rpl 
@@ -0,0 +1,136 @@
+; config options
+server:
+ access-control: 127.0.0.1 allow_snoop
+ module-config: "validator iterator"
+ qname-minimisation: "no"
+ minimal-responses: no
+ serve-original-ttl: yes
+ cache-max-ttl: 1000
+ cache-min-ttl: 20
+ serve-expired: yes
+ serve-expired-reply-ttl: 123
+
+stub-zone:
+ name: "example.com"
+ stub-addr: 1.2.3.4
+CONFIG_END
+
+SCENARIO_BEGIN Test serve-original-ttl
+; Scenario overview:
+; - query for example.com. IN A
+; - check that we get an answer for example.com. IN A with the correct TTL
+; - query again after a couple seconds and check that we get the original TTL
+; (next steps are combination with serve-expired)
+; - query again after the TTL expired
+; - check that we get the expired cached answer with the original TTL
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 10 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; Query with RD flag
+STEP 1 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+; Check that we got the correct answer (should be cached)
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 10 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+; Wait a couple of seconds (< 10)
+STEP 11 TIME_PASSES ELAPSE 5
+
+; Query again
+STEP 20 QUERY
+ENTRY_BEGIN
+ REPLY
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+; Check that we got the cached answer with the original TTL
+; (Passively checks that minimum and maximum TTLs are ignored)
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RA NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 10 A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. 3600 NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 3600 A 1.2.3.4
+ENTRY_END
+
+; Wait for the TTL to expire
+STEP 31 TIME_PASSES ELAPSE 3601
+
+; Query again
+STEP 40 QUERY
+ENTRY_BEGIN
+ REPLY
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+; Check that we got a stale answer with the original TTL
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RA NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 10 A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. A 1.2.3.4
+ENTRY_END
+
+; Give time for the pending query to get answered
+STEP 51 TRAFFIC
+
+SCENARIO_END |
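Review bot: The queries in STEP 20 and STEP 40 are sent with a bare `REPLY` while STEP 1 uses `REPLY RD`, and neither the step comments nor the config section explains the difference. Presumably the RD-less queries are meant to be answered from the cache only, which is what `access-control: 127.0.0.1 allow_snoop` permits; if so the comments should say it, e.g. `; Query again without RD: answered from cache only (needs allow_snoop)`. The `ELAPSE 3601` in STEP 31 appears to be derived from the 3600 s TTL that STEP 30 shows for the NS and glue records rather than from the A record's TTL of 10, so its comment would read better as `; Wait until every cached TTL has expired (3600 + 1)`. STEP 50 also deserves a remark that the expected TTL of 10, not 123, is what demonstrates serve-original-ttl taking precedence over serve-expired-reply-ttl.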
