68 files changed, 2367 insertions, 181 deletions

diff --git a/testdata/07-confroot.tdir/07-confroot.test b/testdata/07-confroot.tdir/07-confroot.test
index 5238435167a8..d940aa873d83 100644
--- a/testdata/07-confroot.tdir/07-confroot.test
+++ b/testdata/07-confroot.tdir/07-confroot.test
@@ -153,7 +153,7 @@ server:
 EOF
 
 $PRE/unbound-checkconf test.conf
-if test $? -ne 1; then
+if test $? -ne 0; then
 	echo "Checkconf of config with chroot inside it failed"
 	exit 1
 fi
diff --git a/testdata/auth_nsec3_wild.rpl b/testdata/auth_nsec3_wild.rpl
new file mode 100644
index 000000000000..acfe63bae8ce
--- /dev/null
+++ b/testdata/auth_nsec3_wild.rpl
@@ -0,0 +1,203 @@
+; config options
+server:
+	target-fetch-policy: "0 0 0 0 0"
+
+auth-zone:
+	name: "test-ns-signed.dev.internet.nl."
+	## zonefile (or none).
+	## zonefile: "example.com.zone"
+	## master by IP address or hostname
+	## can list multiple masters, each on one line.
+	## master:
+	## url for http fetch
+	## url:
+	## queries from downstream clients get authoritative answers.
+	## for-downstream: yes
+	for-downstream: yes
+	## queries are used to fetch authoritative answers from this zone,
+	## instead of unbound itself sending queries there.
+	## for-upstream: yes
+	for-upstream: yes
+	## on failures with for-upstream, fallback to sending queries to
+	## the authority servers
+	## fallback-enabled: no
+
+	## this line generates zonefile: \n"/tmp/xxx.example.com"\n
+	zonefile:
+TEMPFILE_NAME test-ns-signed.dev.internet.nl
+	## this is the inline file /tmp/xxx.test-ns-signed.dev.internet.nl
+	## the tempfiles are deleted when the testrun is over.
+TEMPFILE_CONTENTS test-ns-signed.dev.internet.nl
+test-ns-signed.dev.internet.nl.	3600	IN	SOA	ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 4 14400 3600 604800 3600
+test-ns-signed.dev.internet.nl.	3600	IN	RRSIG	SOA 8 4 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. ybb0Hc7NC+QOFEEv4cX2+Umlk+miiOAHmeP2Uwvg6lqfxkk+3g7yWBEKMinXjLKz0odWZ6fki6M/3yBPQX8SV0OCRY5gYvAHAjbxAIHozIM+5iwOkRQhNF1DRgQ3BLjL93f6T5e5Z4y1812iOpu4GYswXW/UTOZACXz2UiaCPAg=
+test-ns-signed.dev.internet.nl.	3600	IN	NS	ns.test-ns-signed.dev.internet.nl.
+test-ns-signed.dev.internet.nl.	3600	IN	RRSIG	NS 8 4 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. KqiwTF3hKm1ZHGbgx6MVzZYHlS1p7+Xrikx4izMHFbWiD6ki6lrJBJsnH9j/hH1cwHxjXslOeJh0hdBdbn8la0meZPsebOyUbEjoLPzRLzKNLDBuA4BUJnRGQJy21CX7XooXAMAmR8YFipO8CojI9EogU2m2o9YkfbpacFWQoTk=
+test-ns-signed.dev.internet.nl.	3600	IN	DNSKEY	256 3 8 AwEAAc6c8tpMXBSOFLu/9n4aUUDK43wN4B7A2UDqZi0IOkyptxWCFghleyZeeN5uq6p9MoUt8lS73mFmIYC0ux5zBO3uVaJQ9u+00qRAEVg/RgBwa58y2f/zNtFV/f7mBSPcPTiEjUh0bwHSiTvUn/8JkrvjyAcbQMO0YOsRof5q6tzl ;{id = 32784 (zsk), size = 1024b}
+test-ns-signed.dev.internet.nl.	3600	IN	DNSKEY	257 3 8 AwEAAdC0hBJP1U8lbZ6JFXn0ouK6VipiraN7I8oog62SuEd/fqAupys7A/Ih6WK/UoJorjlnccEL8euNMaS4kNogvoBrFx8ciIWKcbot5mtwc4WDr3cnR+HIZNCUFVkIxsMqE7HCD0yn0zhkB60shED+ZHs8zpyU+cjnsOSizxOnIY+F ;{id = 54502 (ksk), size = 1024b}
+test-ns-signed.dev.internet.nl.	3600	IN	RRSIG	DNSKEY 8 4 3600 20190205132351 20190108132351 54502 test-ns-signed.dev.internet.nl. X3qN+plfjf45FA4pr/tcUqUCR9ajDqwtNe4TS19WOJogVL/Gf/N5/ToOCrs3s+a7VrJl58WvSJquDM8xAS8f4oJggKgHFhopce8tMTGRxkRvJo4y+tt3vCveh/zjHLAnbOaBGA4CJ/IPhRqzHzcX/SjSv0EACWd6XpQIWogRv6c=
+test-ns-signed.dev.internet.nl.	3600	IN	NSEC3PARAM	1 0 1 - 
+test-ns-signed.dev.internet.nl.	3600	IN	RRSIG	NSEC3PARAM 8 4 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. A/1xUGO46uIz+9vjPGfWVD99akwU9bd/UlnVG9LPfoTzG7TMWSoZ4ksg8k8ub8K1TrkDmQokNHSW0Gt6qwoRh17c+p1h/SFlDVL83wgTc4NqG43OQjgGU9RV035XU+VESlO3lavifhlu8rHWBJTlhiXcMGq6H+zvoz4sx9p5GNM=
+93stp7o7i5n9gb83uu7vv6h8qltk14ig.test-ns-signed.dev.internet.nl.	3600	IN	NSEC3	1 0 1 -  fee0c2kfhi6bnljce6vehaenqq3pbupu NS SOA RRSIG DNSKEY NSEC3PARAM 
+93stp7o7i5n9gb83uu7vv6h8qltk14ig.test-ns-signed.dev.internet.nl.	3600	IN	RRSIG	NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. YoTRDQ7sSvERcY1WwAH4oRRR7DmaAwA8/H70jdMeSU4wsnM/VM03kDcc2sgq5edmHiZoTWnq7nEb/1Y7Ro0YrqTUQdYFZvXi6UjZQrKI9nqAGnhdXZWlZJHmYpn2+2Emd+bYHkwvKaPnfnnKjUoGVBH8Hly0HBYKPUF1/viquB0=
+kl94uofq16t2vlq0bmampf6e4o9k5hbi.test-ns-signed.dev.internet.nl.	3600	IN	NSEC3	1 0 1 -  7ag3p2pfrvq09dpn63cvga8ub1rnrrg1
+kl94uofq16t2vlq0bmampf6e4o9k5hbi.test-ns-signed.dev.internet.nl.	3600	IN	RRSIG	NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. NI5zJ/k1kPVZ1abms5OoME/wazb77Ltduyk6ZevAnt4tKydZYwSsjEd0Ixknw9xnakCABn5rAYEXctARN0KCwCkNHR7TYlTAJT14hlDYjbad2u2HT9L1kzAnfj3BeLZl/LRADeMbTtzrkTSF3Dnezurb94fMnUnKt2hPfQfj560=
+fee0c2kfhi6bnljce6vehaenqq3pbupu.test-ns-signed.dev.internet.nl.	3600	IN	NSEC3	1 0 1 -  i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv
+fee0c2kfhi6bnljce6vehaenqq3pbupu.test-ns-signed.dev.internet.nl.	3600	IN	RRSIG	NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. WIb3ISP1nlafbyWoWa4z7sG5IS+V86PyvEMHdD/64hgsFkrCu483XK7VNnBz28SL/631JXA1R19O+UxeWhTUyctp8QSt6cEZcMPY8b7yG97rNFNvhSw75rSXXt+JwgIYHPHQV5oqPtVmEpQM5SfJd+hs+Nn1bJcWB3UaESNNAMQ=
+*.a.b.test-ns-signed.dev.internet.nl.	3600	IN	TXT	"a"
+*.a.b.test-ns-signed.dev.internet.nl.	3600	IN	RRSIG	TXT 8 6 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. eNcJkQXdTO1z21od0sXbgqtABhhr/9tNC/Zx8zYbhXkfj7rufN71yk9xqgu6TG0MeJV26ISrqIGRVFJFmTRvO1LLxoKkEPhqe+08nqRztxXZajCV+dDeFoGIDcXJg6tAxB+MJznkKDtZPpIWvyt1WwdYfcMrGtE9AmR3K1/P/xE=
+7ag3p2pfrvq09dpn63cvga8ub1rnrrg1.test-ns-signed.dev.internet.nl.	3600	IN	NSEC3	1 0 1 -  93stp7o7i5n9gb83uu7vv6h8qltk14ig TXT RRSIG 
+7ag3p2pfrvq09dpn63cvga8ub1rnrrg1.test-ns-signed.dev.internet.nl.	3600	IN	RRSIG	NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. gtxoiTa3FRUqoRLvkWSxmWQ+DfijVd26gpKH3+GmGIcNB/sr/Cf8kERRwVVHvgzYIcvdJcys5b2LUXnZJwcdAlx7efZPWgNZzWxJrw6ES25LCWJOrp31isWn9FlAZGIbnpyEXxD2apBSmtyPnKbTgU6lHHS9jrsYHu4G8Zouv3k=
+ns.test-ns-signed.dev.internet.nl.	3600	IN	A	185.49.141.11
+ns.test-ns-signed.dev.internet.nl.	3600	IN	RRSIG	A 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. F9sXEVAmlRn+/84WbuvegiCwstNxMDMQLl0Obv2CTPpee4U6psbmXrlzczjjjkE6aLjsIHYdcXCzEWTrmukT+V9jzaGPRJvxNvC0ASWyzggAoh0Z++Hl4cVa9587o6I9ODayehFI9Pgdem+RVdb4zlWuzi9FmKXgeTlgWN54tPg=
+ns.test-ns-signed.dev.internet.nl.	3600	IN	AAAA	2a04:b900:0:100::11
+ns.test-ns-signed.dev.internet.nl.	3600	IN	RRSIG	AAAA 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. F1XRrx/QgfzJ1RS7d0m23QoIPx1G8WL1SrlTOm7pk5vWTL07w7HEw2TETblkjnitJGKfN9ebsIum/cDPUZc3UqLkguP2UCWpePnlllTJuwmG0Z+wyINIR4xF4PQlqttvzThBkD2JKWb/o0W8dQyXTj+jJ1vCZ0NjjA2N4+iJIQE=
+i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl.	3600	IN	NSEC3	1 0 1 -  kl94uofq16t2vlq0bmampf6e4o9k5hbi A AAAA RRSIG 
+i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl.	3600	IN	RRSIG	NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. xLysIqn3r3rdHE3GvwVjZwUyuFClhkhgrQdwyc66RuHKE3MfSuhVr9cHTCJzhipF5TwQTbUpLOr74r99bzdiIY8Xkgjy2M0nc76v1ObSGJdPPjGTevbhDOnavUURwOR/q0NqqO2iPrgFjOVMZ+8uwRJtCty2iAVZfVG+qDzs8hU=
+TEMPFILE_END
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test authority zone with NSEC3 wildcard
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS	K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.44
+ENTRY_END
+RANGE_END
+
+; ns.example.net.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.44
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.net. IN NS
+SECTION ANSWER
+example.net.	IN NS	ns.example.net.
+SECTION ADDITIONAL
+ns.example.net.		IN 	A	1.2.3.44
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ns.example.net. IN A
+SECTION ANSWER
+ns.example.net. IN A	1.2.3.44
+SECTION AUTHORITY
+example.net.	IN NS	ns.example.net.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ns.example.net. IN AAAA
+SECTION AUTHORITY
+example.net.	IN NS	ns.example.net.
+SECTION ADDITIONAL
+www.example.net. IN A	1.2.3.44
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com.	IN NS	ns.example.net.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A	10.20.30.40
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+something.a.b.test-ns-signed.dev.internet.nl. IN TXT
+ENTRY_END
+
+; recursion happens here.
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR AA RD RA DO NOERROR
+SECTION QUESTION
+something.a.b.test-ns-signed.dev.internet.nl. IN TXT
+SECTION ANSWER
+something.a.b.test-ns-signed.dev.internet.nl. IN TXT "a"
+something.a.b.test-ns-signed.dev.internet.nl.	3600	IN	RRSIG	TXT 8 6 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. eNcJkQXdTO1z21od0sXbgqtABhhr/9tNC/Zx8zYbhXkfj7rufN71yk9xqgu6TG0MeJV26ISrqIGRVFJFmTRvO1LLxoKkEPhqe+08nqRztxXZajCV+dDeFoGIDcXJg6tAxB+MJznkKDtZPpIWvyt1WwdYfcMrGtE9AmR3K1/P/xE=
+SECTION AUTHORITY
+i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - KL94UOFQ16T2VLQ0BMAMPF6E4O9K5HBI  A AAAA RRSIG
+i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl.	3600	IN	RRSIG	NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. xLysIqn3r3rdHE3GvwVjZwUyuFClhkhgrQdwyc66RuHKE3MfSuhVr9cHTCJzhipF5TwQTbUpLOr74r99bzdiIY8Xkgjy2M0nc76v1ObSGJdPPjGTevbhDOnavUURwOR/q0NqqO2iPrgFjOVMZ+8uwRJtCty2iAVZfVG+qDzs8hU=
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/black_ds_entry.rpl b/testdata/black_ds_entry.rpl
index 8b4fa9bd7c23..e2367a980d31 100644
--- a/testdata/black_ds_entry.rpl
+++ b/testdata/black_ds_entry.rpl
@@ -19,7 +19,7 @@ SCENARIO_BEGIN Test validator with blacked key entry for DS and further queries
 ; until the key entry expires.
 
 ; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
+RANGE_BEGIN 0 99
 	ADDRESS 193.0.14.129 
 ENTRY_BEGIN
 MATCH opcode qtype qname
@@ -47,7 +47,7 @@ ENTRY_END
 RANGE_END
 
 ; a.gtld-servers.net.
-RANGE_BEGIN 0 100
+RANGE_BEGIN 0 99
 	ADDRESS 192.5.6.30
 ENTRY_BEGIN
 MATCH opcode qtype qname
@@ -116,7 +116,7 @@ ENTRY_END
 RANGE_END
 
 ; ns.example.com.
-RANGE_BEGIN 0 100
+RANGE_BEGIN 0 99
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
@@ -228,7 +228,7 @@ ENTRY_END
 RANGE_END
 
 ; ns.blabla.com.
-RANGE_BEGIN 0 100
+RANGE_BEGIN 0 99
 	ADDRESS 1.2.3.5
 ENTRY_BEGIN
 MATCH opcode qtype qname
@@ -336,7 +336,7 @@ ENTRY_END
 RANGE_END
 
 ; ns.sub.example.com.
-RANGE_BEGIN 0 100
+RANGE_BEGIN 0 99
 	ADDRESS 1.2.4.6
 ENTRY_BEGIN
 MATCH opcode qtype qname
@@ -402,7 +402,7 @@ ENTRY_END
 RANGE_END
 
 ; ns.foo.com.
-RANGE_BEGIN 0 100
+RANGE_BEGIN 0 99
 	ADDRESS 1.2.4.7
 ENTRY_BEGIN
 MATCH opcode qtype qname
diff --git a/testdata/black_key_entry.rpl b/testdata/black_key_entry.rpl
index 4fb3c719d9ad..37946c008cfd 100644
--- a/testdata/black_key_entry.rpl
+++ b/testdata/black_key_entry.rpl
@@ -19,7 +19,7 @@ SCENARIO_BEGIN Test validator with blacked key entry and further queries
 ; until the key entry expires.
 
 ; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
+RANGE_BEGIN 0 99
 	ADDRESS 193.0.14.129 
 ENTRY_BEGIN
 MATCH opcode qtype qname
@@ -47,7 +47,7 @@ ENTRY_END
 RANGE_END
 
 ; a.gtld-servers.net.
-RANGE_BEGIN 0 100
+RANGE_BEGIN 0 99
 	ADDRESS 192.5.6.30
 ENTRY_BEGIN
 MATCH opcode qtype qname
@@ -116,7 +116,7 @@ ENTRY_END
 RANGE_END
 
 ; ns.example.com.
-RANGE_BEGIN 0 100
+RANGE_BEGIN 0 99
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
@@ -228,7 +228,7 @@ ENTRY_END
 RANGE_END
 
 ; ns.blabla.com.
-RANGE_BEGIN 0 100
+RANGE_BEGIN 0 99
 	ADDRESS 1.2.3.5
 ENTRY_BEGIN
 MATCH opcode qtype qname
@@ -336,7 +336,7 @@ ENTRY_END
 RANGE_END
 
 ; ns.sub.example.com.
-RANGE_BEGIN 0 100
+RANGE_BEGIN 0 99
 	ADDRESS 1.2.4.6
 ENTRY_BEGIN
 MATCH opcode qtype qname
@@ -402,7 +402,7 @@ ENTRY_END
 RANGE_END
 
 ; ns.foo.com.
-RANGE_BEGIN 0 100
+RANGE_BEGIN 0 99
 	ADDRESS 1.2.4.7
 ENTRY_BEGIN
 MATCH opcode qtype qname
diff --git a/testdata/black_prime_entry.rpl b/testdata/black_prime_entry.rpl
index c3f93266fb10..8221d2db6b58 100644
--- a/testdata/black_prime_entry.rpl
+++ b/testdata/black_prime_entry.rpl
@@ -18,7 +18,7 @@ SCENARIO_BEGIN Test validator with blacklist prime gives bad key entry
 ; comes from an 'expired signatures' name server.
 
 ; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
+RANGE_BEGIN 0 99
 	ADDRESS 193.0.14.129 
 ENTRY_BEGIN
 MATCH opcode qtype qname
@@ -46,7 +46,7 @@ ENTRY_END
 RANGE_END
 
 ; a.gtld-servers.net.
-RANGE_BEGIN 0 100
+RANGE_BEGIN 0 99
 	ADDRESS 192.5.6.30
 ENTRY_BEGIN
 MATCH opcode qtype qname
@@ -96,7 +96,7 @@ ENTRY_END
 RANGE_END
 
 ; ns.example.com.
-RANGE_BEGIN 0 100
+RANGE_BEGIN 0 99
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
@@ -177,7 +177,7 @@ ENTRY_END
 RANGE_END
 
 ; ns.blabla.com.
-RANGE_BEGIN 0 100
+RANGE_BEGIN 0 99
 	ADDRESS 1.2.3.5
 ENTRY_BEGIN
 MATCH opcode qtype qname
diff --git a/testdata/clang-analysis.tdir/clang-analysis.test b/testdata/clang-analysis.tdir/clang-analysis.test
index de29bb525dbc..09c935860c47 100644
--- a/testdata/clang-analysis.tdir/clang-analysis.test
+++ b/testdata/clang-analysis.tdir/clang-analysis.test
@@ -6,11 +6,21 @@
 # common functions
 . ../common.sh
 
+PRE="../.."
 if test ! -x "`which clang 2>&1`"; then
 	echo "No clang in path"
 	exit 0
 fi
 #echo "have clang"
+# test if assertions are enabled
+if grep "^#define UNBOUND_DEBUG" $PRE/config.h >/dev/null; then
+	:
+else
+	echo "UNBOUND_DEBUG is not enabled, skip test"
+	# no unbound debug means no assertions, and clang analyzer uses
+	# the assertions to make inferences.
+	exit 0
+fi
 
 # read value from Makefile
 # $1: result variable name
@@ -23,7 +33,6 @@ read_value () {
 	#echo $1"="'"'"`eval echo '$'$1`"'"'
 }
 
-PRE="../.."
 # read some values from the Makefile
 read_value srcdir '^srcdir=' $PRE/Makefile
 read_value CPPFLAGS '^CPPFLAGS=' $PRE/Makefile
@@ -41,17 +50,21 @@ compatfiles=`echo "$LIBOBJS" | sed -e 's?..LIBOBJDIR.?compat/?g' -e 's/.U.o/.c/g
 if test "$WITH_PYTHONMODULE" = "yes"; then PYTHONMOD_SRC="pythonmod/*.c"; fi
 if test ! -z "$WINAPPS"; then WIN_SRC="winrc/*.c"; fi
 
-cd $PRE; cd $srcdir
+cd $PRE;
+odir=`pwd`
+cd $srcdir
 # check the files in the srcdir
 fail="no"
 for x in cachedb/*.c daemon/*.c dns64/*.c $DNSCRYPT_SRC $DNSTAP_SRC edns-subnet/*.c ipsecmod/*.c iterator/*.c libunbound/*.c $PYTHONMOD_SRC respip/*.c services/*.c services/*/*.c sldns/*.c smallapp/*.c util/*.c util/*/*.c validator/*.c $WIN_SRC $compatfiles testcode/*.c; do
 	if test "$x" = "util/configlexer.c"; then continue; fi
 	if test "$x" = "util/configparser.c"; then continue; fi
 	if test "$x" = "testcode/signit.c"; then continue; fi
+	if test "$x" = "compat/reallocarray.c"; then continue; fi
 	echo clang --analyze $CPPFLAGS $x
 	plist=`basename $x .c`.plist
 	rm -rf $plist
-	clang --analyze $CPPFLAGS $x 2>&1 | tee tmp.$$
+	#echo "(cd $odir; clang --analyze $CPPFLAGS $srcdir/$x 2>&1 ) | tee tmp.$$"
+	(cd "$odir"; clang --analyze $CPPFLAGS $srcdir/$x 2>&1 ) | tee tmp.$$
 	if grep -e warning -e error tmp.$$ >/dev/null; then
 		fail="yes"
 		fails="$fails $x"
diff --git a/testdata/edns_cache.tdir/edns_cache.conf b/testdata/edns_cache.tdir/edns_cache.conf
index 101b9751ffc6..baeee5f54f2c 100644
--- a/testdata/edns_cache.tdir/edns_cache.conf
+++ b/testdata/edns_cache.tdir/edns_cache.conf
@@ -12,9 +12,6 @@ server:
 stub-zone:
 	name: "example.net"
 	stub-addr: "127.0.0.1@@STUB2_PORT@"
-stub-zone:
-	name: "example.com"
-	stub-addr: "127.0.0.1@@STUB2_PORT@"
 # a k a root hints
 stub-zone:
 	name: "."
diff --git a/testdata/edns_cache.tdir/edns_cache.stub1 b/testdata/edns_cache.tdir/edns_cache.stub1
index 23653c3b3d53..2cce1bd656ad 100644
--- a/testdata/edns_cache.tdir/edns_cache.stub1
+++ b/testdata/edns_cache.tdir/edns_cache.stub1
@@ -17,17 +17,6 @@ SECTION ADDITIONAL
 root.server.	IN	A	127.0.0.1
 ENTRY_END
 
-; referral to example.com
-ENTRY_BEGIN
-MATCH opcode subdomain
-REPLY QR NOERROR
-ADJUST copy_id copy_query
-SECTION QUESTION
-example.com.	IN	A
-SECTION AUTHORITY
-example.com.	IN 	NS	netdns.example.net.
-ENTRY_END
-
 ; referral to example.net
 ENTRY_BEGIN
 MATCH opcode subdomain
diff --git a/testdata/edns_cache.tdir/edns_cache.stub2 b/testdata/edns_cache.tdir/edns_cache.stub2
index f70eb98e7456..549560aa0f4c 100644
--- a/testdata/edns_cache.tdir/edns_cache.stub2
+++ b/testdata/edns_cache.tdir/edns_cache.stub2
@@ -1,5 +1,5 @@
 ; nameserver test file
-$ORIGIN example.com.
+$ORIGIN example.net.
 $TTL 3600
 
 ENTRY_BEGIN
@@ -7,9 +7,9 @@ MATCH opcode qtype qname noedns
 REPLY QR AA NOERROR
 ADJUST copy_id
 SECTION QUESTION
-www.example.com.	IN	A
+www.example.net.	IN	A
 SECTION ANSWER
-www.example.com.	IN	A	10.20.30.40
+www.example.net.	IN	A	10.20.30.40
 ENTRY_END
 
 ENTRY_BEGIN
diff --git a/testdata/edns_cache.tdir/edns_cache.test b/testdata/edns_cache.tdir/edns_cache.test
index 53931ded2eb7..d154d5277eac 100644
--- a/testdata/edns_cache.tdir/edns_cache.test
+++ b/testdata/edns_cache.tdir/edns_cache.test
@@ -11,8 +11,8 @@ PRE="../.."
 # do the test
 echo "> dig netdns.example.net."
 dig @::1 -p $UNBOUND_PORT netdns.example.net. | tee outfile
-echo "> dig www.example.com."
-dig @::1 -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> dig www.example.net."
+dig @::1 -p $UNBOUND_PORT www.example.net. | tee outfile
 echo "> cat stub1.log"
 cat stub1.log 
 echo "> cat stub2.log"
diff --git a/testdata/edns_lame.tdir/edns_lame.conf b/testdata/edns_lame.tdir/edns_lame.conf
deleted file mode 100644
index 9cd19c0d9d1c..000000000000
--- a/testdata/edns_lame.tdir/edns_lame.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-server:
-	verbosity: 2
-	# num-threads: 1
-	interface: 127.0.0.1
-	port: @PORT@
-	use-syslog: no
-	directory: ""
-	pidfile: "unbound.pid"
-	chroot: ""
-	username: ""
-	do-not-query-localhost: no
-forward-zone:
-	name: "."
-	forward-addr: "127.0.0.1@@TOPORT@"
-
diff --git a/testdata/edns_lame.tdir/edns_lame.dsc b/testdata/edns_lame.tdir/edns_lame.dsc
deleted file mode 100644
index 83f972562b6b..000000000000
--- a/testdata/edns_lame.tdir/edns_lame.dsc
+++ /dev/null
@@ -1,16 +0,0 @@
-BaseName: edns_lame
-Version: 1.0
-Description: Forward UDP but EDNS packets time out
-CreationDate: Mon Sep 29 16:39:15 CEST 2008
-Maintainer: dr. W.C.A. Wijngaards
-Category: 
-Component:
-CmdDepends: 
-Depends: 
-Help:
-Pre: edns_lame.pre
-Post: edns_lame.post
-Test: edns_lame.test
-AuxFiles: 
-Passed:
-Failure:
diff --git a/testdata/edns_lame.tdir/edns_lame.test b/testdata/edns_lame.tdir/edns_lame.test
deleted file mode 100644
index 92d669267402..000000000000
--- a/testdata/edns_lame.tdir/edns_lame.test
+++ /dev/null
@@ -1,24 +0,0 @@
-# #-- edns_lame.test --#
-# source the master var file when it's there
-[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
-# use .tpkg.var.test for in test variable passing
-[ -f .tpkg.var.test ] && source .tpkg.var.test
-
-PRE="../.."
-# do the test
-echo "> dig www.example.com."
-dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
-echo "> dig www.example.com."
-dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
-echo "> cat logfiles"
-cat fwd.log 
-cat unbound.log
-echo "> check answer"
-if grep "10.20.30.40" outfile; then
-	echo "OK"
-else
-	echo "Not OK"
-	exit 1
-fi
-
-exit 0
diff --git a/testdata/edns_lame.tdir/edns_lame.testns b/testdata/edns_lame.tdir/edns_lame.testns
deleted file mode 100644
index cd248c3b37eb..000000000000
--- a/testdata/edns_lame.tdir/edns_lame.testns
+++ /dev/null
@@ -1,14 +0,0 @@
-; nameserver test file
-$ORIGIN example.com.
-$TTL 3600
-
-ENTRY_BEGIN
-MATCH opcode qtype qname noedns
-REPLY QR AA NOERROR
-ADJUST copy_id
-SECTION QUESTION
-www	IN	A
-SECTION ANSWER
-www	IN	A	10.20.30.40
-ENTRY_END
-
diff --git a/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.post b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.post
index e6dda048d77d..897f8cf70687 100644
--- a/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.post
+++ b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.post
@@ -8,3 +8,4 @@
 . ../common.sh
 kill_pid $FWD_PID
 kill_pid $UNBOUND_PID
+cat unbound.log
diff --git a/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.test b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.test
index 67354d014fff..de4250c3e9eb 100644
--- a/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.test
+++ b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.test
@@ -6,9 +6,9 @@
 
 # check what sort of netcat we have
 if nc -h 2>&1 | grep "q secs"; then
-	ncopt="-q 3 -w 2"
+	ncopt="-q 3 -i 2"
 else
-	ncopt="-w 2"
+	ncopt="-i 2"
 fi
 
 PRE="../.."
diff --git a/testdata/fwd_no_cache.rpl b/testdata/fwd_no_cache.rpl
new file mode 100644
index 000000000000..8a68c54618d3
--- /dev/null
+++ b/testdata/fwd_no_cache.rpl
@@ -0,0 +1,78 @@
+; This is a comment.
+; config options go here.
+forward-zone: name: "." forward-addr: 216.0.0.1
+	forward-no-cache: yes
+CONFIG_END
+
+SCENARIO_BEGIN Forward with no_cache set
+RANGE_BEGIN 0 10
+	ENTRY_BEGIN
+	MATCH opcode qtype qname
+	ADJUST copy_id
+	REPLY QR RD RA NOERROR
+	SECTION QUESTION
+www.example.com. IN A
+	SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+	SECTION AUTHORITY
+www.example.com. IN NS ns.example.com.
+	SECTION ADDITIONAL
+ns.example.com. IN A 10.20.30.50
+	ENTRY_END
+RANGE_END
+RANGE_BEGIN 200 300
+RANGE_END
+
+RANGE_BEGIN 20 100
+	ENTRY_BEGIN
+	MATCH opcode qtype qname
+	ADJUST copy_id
+	REPLY QR RD RA NOERROR
+	SECTION QUESTION
+www.example.com. IN A
+	SECTION ANSWER
+www.example.com. IN A 10.20.30.44
+	SECTION AUTHORITY
+www.example.com. IN NS ns.example.com.
+	SECTION ADDITIONAL
+ns.example.com. IN A 10.20.30.50
+	ENTRY_END
+RANGE_END
+RANGE_BEGIN 200 300
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+STEP 4 CHECK_ANSWER
+ENTRY_BEGIN
+REPLY QR RD RA
+MATCH opcode qname qtype all
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+ENTRY_END
+
+; make some time pass but not enough to timeout a cached record
+STEP 10 TIME_PASSES ELAPSE 10
+
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+STEP 24 CHECK_ANSWER
+ENTRY_BEGIN
+REPLY QR RD RA
+MATCH opcode qname qtype all
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.44
+ENTRY_END
+SCENARIO_END
diff --git a/testdata/iter_domain_sale.rpl b/testdata/iter_domain_sale.rpl
index be05e2f4363d..6110148a3c82 100644
--- a/testdata/iter_domain_sale.rpl
+++ b/testdata/iter_domain_sale.rpl
@@ -241,9 +241,9 @@ SECTION ANSWER
 SECTION AUTHORITY
 ; at TTL 5 because TTL is capped at min-ttl of 5 in rdata of SOA
 example.com.	5 IN SOA	a. b. 1 2 3 4 5
-example.com.	1800 IN NS	ns.example.com.
+;example.com.	1800 IN NS	ns.example.com.
 SECTION ADDITIONAL
-ns.example.com.	1800 	IN 	A	1.2.3.4
+;ns.example.com.	1800 	IN 	A	1.2.3.4
 ENTRY_END
 
 ; after another 1900 seconds the domain must have timed out.
diff --git a/testdata/iter_domain_sale_nschange.rpl b/testdata/iter_domain_sale_nschange.rpl
index 5af54efb9855..5664855d50b8 100644
--- a/testdata/iter_domain_sale_nschange.rpl
+++ b/testdata/iter_domain_sale_nschange.rpl
@@ -288,9 +288,9 @@ SECTION ANSWER
 SECTION AUTHORITY
 ; at TTL 5 because TTL capped at ttl of minttl in rdata of SOA.
 example.com.	5 IN SOA	a. b. 1 2 3 4 5
-example.com.	3600 IN NS	nsb.example.com.
+;example.com.	3600 IN NS	nsb.example.com.
 SECTION ADDITIONAL
-nsb.example.com.	3600 	IN 	A	1.2.3.4
+;nsb.example.com.	3600 	IN 	A	1.2.3.4
 ENTRY_END
 
 STEP 62 QUERY 
@@ -310,9 +310,9 @@ SECTION ANSWER
 SECTION AUTHORITY
 ; at TTL 5 because TTL capped at ttl of minttl in rdata of SOA.
 example.com.	5 IN SOA	a. b. 1 2 3 4 5
-example.com.	1800 IN NS	nsb.example.com.
+;example.com.	1800 IN NS	nsb.example.com.
 SECTION ADDITIONAL
-nsb.example.com.	3600 	IN 	A	1.2.3.4
+;nsb.example.com.	3600 	IN 	A	1.2.3.4
 ENTRY_END
 
 ; after another 1900 seconds the domain must have timed out.
diff --git a/testdata/iter_pcnamech.rpl b/testdata/iter_pcnamech.rpl
index 1aba95b07aa7..098ae0bb5449 100644
--- a/testdata/iter_pcnamech.rpl
+++ b/testdata/iter_pcnamech.rpl
@@ -109,8 +109,8 @@ ENTRY_END
 
 RANGE_END
 
-; the working version, until time 50.
-RANGE_BEGIN 0 50
+; the working version, until time 49.
+RANGE_BEGIN 0 49
 	ADDRESS 1.2.3.44
 ENTRY_BEGIN
 MATCH opcode qtype qname
@@ -220,7 +220,7 @@ RANGE_END
 
 ; Broken.   Does not respond to anything (servfail instead
 ; of timeouts since this is easier to encode in .rpl file format).
-RANGE_BEGIN 0 50
+RANGE_BEGIN 0 49
 	ADDRESS 1.2.3.55
 ENTRY_BEGIN
 MATCH opcode 
diff --git a/testdata/iter_pcnamechrec.rpl b/testdata/iter_pcnamechrec.rpl
index 90745fcf3eb2..ca996bb389a5 100644
--- a/testdata/iter_pcnamechrec.rpl
+++ b/testdata/iter_pcnamechrec.rpl
@@ -110,8 +110,8 @@ ENTRY_END
 
 RANGE_END
 
-; the working version, until time 50.
-RANGE_BEGIN 0 50
+; the working version, until time 49.
+RANGE_BEGIN 0 49
 	ADDRESS 1.2.3.44
 ENTRY_BEGIN
 MATCH opcode qtype qname
@@ -221,7 +221,7 @@ RANGE_END
 
 ; Broken.   Does not respond to anything (servfail instead
 ; of timeouts since this is easier to encode in .rpl file format).
-RANGE_BEGIN 0 50
+RANGE_BEGIN 0 49
 	ADDRESS 1.2.3.55
 ENTRY_BEGIN
 MATCH opcode 
diff --git a/testdata/net_signed_servfail.rpl b/testdata/net_signed_servfail.rpl
index 925dceee25ec..ada445574da7 100644
--- a/testdata/net_signed_servfail.rpl
+++ b/testdata/net_signed_servfail.rpl
@@ -19,7 +19,7 @@ SCENARIO_BEGIN Test validator with DS introduction for .net
 ; after introduction of a .NET DS in the root for a running validator.
 
 ; K.ROOT-SERVERS.NET. (before .net DS introduction)
-RANGE_BEGIN 0 100
+RANGE_BEGIN 0 99
 	ADDRESS 193.0.14.129 
 ENTRY_BEGIN
 MATCH opcode qtype qname
diff --git a/testdata/pylib.tdir/pylib.lookup.py b/testdata/pylib.tdir/pylib.lookup.py
index 5f69c58abd18..114bb49a0902 100755
--- a/testdata/pylib.tdir/pylib.lookup.py
+++ b/testdata/pylib.tdir/pylib.lookup.py
@@ -12,7 +12,7 @@ qname = "www.example.com"
 qtype = unbound.RR_TYPE_A
 qclass = unbound.RR_CLASS_IN
 
-def create_context(config_file="ub.lookup.conf", async=False):
+def create_context(config_file="ub.lookup.conf", asyncflag=False):
     """
     Create an unbound context to use for testing.
 
@@ -22,7 +22,7 @@ def create_context(config_file="ub.lookup.conf", async=False):
     if status != 0:
         print("read config failed with status: {}".format(status))
         sys.exit(1)
-    ctx.set_async(async)
+    ctx.set_async(asyncflag)
     return ctx
 
 
@@ -132,10 +132,10 @@ def test_ratelimit_bg_off(ctx):
 
 
 test_resolve(create_context())
-test_async_resolve(create_context(async=True))
+test_async_resolve(create_context(asyncflag=True))
 test_ratelimit_fg_on(create_context())
 test_ratelimit_fg_off(create_context())
-test_ratelimit_bg_on(create_context(async=True))
-test_ratelimit_bg_off(create_context(async=True))
+test_ratelimit_bg_on(create_context(asyncflag=True))
+test_ratelimit_bg_off(create_context(asyncflag=True))
 
 sys.exit(0)
diff --git a/testdata/pylib.tdir/pylib.test b/testdata/pylib.tdir/pylib.test
index 9456691aa6e1..893aaf64f252 100644
--- a/testdata/pylib.tdir/pylib.test
+++ b/testdata/pylib.tdir/pylib.test
@@ -19,9 +19,13 @@ fi
 #echo export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:../../.libs:."
 #export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:../../.libs:."
 
+if grep "PY_MAJOR_VERSION=3" $PRE/Makefile; then
+	PYTHON="python3"; else PYTHON="python2"; fi
+if test ! -x `which $PYTHON` 2>&1; then PYTHON="python"; fi
+
 # do the test
 echo "> pylib.lookup.py www.example.com."
-./pylib.lookup.py www.example.com. | tee outfile
+$PYTHON pylib.lookup.py www.example.com. | tee outfile
 
 echo "> cat logfiles"
 cat fwd.log
diff --git a/testdata/pymod.tdir/pymod.py b/testdata/pymod.tdir/pymod.py
index 3f6fed1c696b..a8018e7f75e7 100644
--- a/testdata/pymod.tdir/pymod.py
+++ b/testdata/pymod.tdir/pymod.py
@@ -59,12 +59,15 @@ def setTTL(qstate, ttl):
 
 def dataHex(data, prefix=""):
     res = ""
-    for i in range(0, (len(data)+15)/16):
+    for i in range(0, int((len(data)+15)/16)):
         res += "%s0x%02X | " % (prefix, i*16)
-        d = map(lambda x:ord(x), data[i*16:i*16+17])
+        if type(data[0]) == type(1):
+            d = map(lambda x:int(x), data[i*16:i*16+17])
+        else:
+            d = map(lambda x:ord(x), data[i*16:i*16+17])
         for ch in d:
             res += "%02X " % ch
-        for i in range(0,17-len(d)):
+        for i in range(0,17-len(data[i*16:i*16+17])):
             res += "   "
         res += "| "
         for ch in d:
@@ -76,35 +79,35 @@ def dataHex(data, prefix=""):
     return res
 
 def printReturnMsg(qstate):
-    print "Return MSG rep   :: flags: %04X, QDcount: %d, Security:%d, TTL=%d" % (qstate.return_msg.rep.flags, qstate.return_msg.rep.qdcount,qstate.return_msg.rep.security, qstate.return_msg.rep.ttl)
-    print "           qinfo :: qname:",qstate.return_msg.qinfo.qname_list, qstate.return_msg.qinfo.qname_str, "type:",qstate.return_msg.qinfo.qtype_str, "class:",qstate.return_msg.qinfo.qclass_str
+    print ("Return MSG rep   :: flags: %04X, QDcount: %d, Security:%d, TTL=%d" % (qstate.return_msg.rep.flags, qstate.return_msg.rep.qdcount, qstate.return_msg.rep.security, qstate.return_msg.rep.ttl))
+    print ("           qinfo :: qname:",qstate.return_msg.qinfo.qname_list, qstate.return_msg.qinfo.qname_str, "type:",qstate.return_msg.qinfo.qtype_str, "class:",qstate.return_msg.qinfo.qclass_str)
     if (qstate.return_msg.rep):
-        print "RRSets:",qstate.return_msg.rep.rrset_count
+        print ("RRSets:",qstate.return_msg.rep.rrset_count)
         prevkey = None
         for i in range(0,qstate.return_msg.rep.rrset_count):
             r = qstate.return_msg.rep.rrsets[i]
             rk = r.rk
-            print i,":",rk.dname_list, rk.dname_str, "flags: %04X" % rk.flags,
-            print "type:",rk.type_str,"(%d)" % ntohs(rk.type), "class:",rk.rrset_class_str,"(%d)" % ntohs(rk.rrset_class)
+            print (i,":",rk.dname_list, rk.dname_str, "flags: %04X" % rk.flags)
+            print ("type:",rk.type_str,"(%d)" % ntohs(rk.type), "class:",rk.rrset_class_str,"(%d)" % ntohs(rk.rrset_class))
 
             d = r.entry.data
-            print "    RRDatas:",d.count+d.rrsig_count
+            print ("    RRDatas:",d.count+d.rrsig_count)
             for j in range(0,d.count+d.rrsig_count):
-                print "    ",j,":","TTL=",d.rr_ttl[j],"RR data:"
-                print dataHex(d.rr_data[j],"         ")
+                print ("    ",j,":","TTL=",d.rr_ttl[j],"RR data:")
+                print (dataHex(d.rr_data[j],"         "))
 
 
 def operate(id, event, qstate, qdata):
     log_info("pythonmod: operate called, id: %d, event:%s" % (id, strmodulevent(event)))
-    #print "pythonmod: per query data", qdata
+    #print ("pythonmod: per query data", qdata)
 
-    print "Query:", ''.join(map(lambda x:chr(max(32,ord(x))),qstate.qinfo.qname)), qstate.qinfo.qname_list, qstate.qinfo.qname_str,
-    print "Type:",qstate.qinfo.qtype_str,"(%d)" % qstate.qinfo.qtype,
-    print "Class:",qstate.qinfo.qclass_str,"(%d)" % qstate.qinfo.qclass
-    print
+    print ("Query:", qstate.qinfo.qname, qstate.qinfo.qname_list, qstate.qinfo.qname_str)
+    print ("Type:",qstate.qinfo.qtype_str,"(%d)" % qstate.qinfo.qtype)
+    print ("Class:",qstate.qinfo.qclass_str,"(%d)" % qstate.qinfo.qclass)
+    print ()
 
     if (event == MODULE_EVENT_NEW or event == MODULE_EVENT_PASS) and (qstate.qinfo.qname_str.endswith("www2.example.com.")):
-        print qstate.qinfo.qname_str
+        print (qstate.qinfo.qname_str)
 
         qstate.ext_state[id] = MODULE_FINISHED 
 
@@ -121,6 +124,7 @@ def operate(id, event, qstate, qdata):
         if (qstate.qinfo.qtype == RR_TYPE_TXT) or (qstate.qinfo.qtype == RR_TYPE_ANY):
             msg.answer.append("%s 10 IN TXT path=/" % qstate.qinfo.qname_str)
 
+        print(msg.answer)
         if not msg.set_return_msg(qstate):
             qstate.ext_state[id] = MODULE_ERROR 
             return True
diff --git a/testdata/pymod_thread.tdir/pymod_thread.py b/testdata/pymod_thread.tdir/pymod_thread.py
index 31e1d43f64ae..30c2588758f5 100644
--- a/testdata/pymod_thread.tdir/pymod_thread.py
+++ b/testdata/pymod_thread.tdir/pymod_thread.py
@@ -59,12 +59,15 @@ def setTTL(qstate, ttl):
 
 def dataHex(data, prefix=""):
     res = ""
-    for i in range(0, (len(data)+15)/16):
+    for i in range(0, int((len(data)+15)/16)):
         res += "%s0x%02X | " % (prefix, i*16)
-        d = map(lambda x:ord(x), data[i*16:i*16+17])
+        if type(data[0]) == type(1):
+            d = map(lambda x:int(x), data[i*16:i*16+17])
+        else:
+            d = map(lambda x:ord(x), data[i*16:i*16+17])
         for ch in d:
-            res += "%02X " % ch
-        for i in range(0,17-len(d)):
+            res += "%02X " % int(ch)
+        for i in range(0,17-len(data[i*16:i*16+17])):
             res += "   "
         res += "| "
         for ch in d:
@@ -76,43 +79,43 @@ def dataHex(data, prefix=""):
     return res
 
 def printReturnMsg(qstate):
-    print "Return MSG rep   :: flags: %04X, QDcount: %d, Security:%d, TTL=%d" % (qstate.return_msg.rep.flags, qstate.return_msg.rep.qdcount,qstate.return_msg.rep.security, qstate.return_msg.rep.ttl)
-    print "           qinfo :: qname:",qstate.return_msg.qinfo.qname_list, qstate.return_msg.qinfo.qname_str, "type:",qstate.return_msg.qinfo.qtype_str, "class:",qstate.return_msg.qinfo.qclass_str
+    print ("Return MSG rep   :: flags: %04X, QDcount: %d, Security:%d, TTL=%d" % (qstate.return_msg.rep.flags, qstate.return_msg.rep.qdcount, qstate.return_msg.rep.security, qstate.return_msg.rep.ttl))
+    print ("           qinfo :: qname:",qstate.return_msg.qinfo.qname_list, qstate.return_msg.qinfo.qname_str, "type:",qstate.return_msg.qinfo.qtype_str, "class:",qstate.return_msg.qinfo.qclass_str)
     if (qstate.return_msg.rep):
-        print "RRSets:",qstate.return_msg.rep.rrset_count
+        print ("RRSets:",qstate.return_msg.rep.rrset_count)
         prevkey = None
         for i in range(0,qstate.return_msg.rep.rrset_count):
             r = qstate.return_msg.rep.rrsets[i]
             rk = r.rk
-            print i,":",rk.dname_list, rk.dname_str, "flags: %04X" % rk.flags,
-            print "type:",rk.type_str,"(%d)" % ntohs(rk.type), "class:",rk.rrset_class_str,"(%d)" % ntohs(rk.rrset_class)
+            print (i,":",rk.dname_list, rk.dname_str, "flags: %04X" % rk.flags)
+            print ("type:",rk.type_str,"(%d)" % ntohs(rk.type), "class:",rk.rrset_class_str,"(%d)" % ntohs(rk.rrset_class))
 
             d = r.entry.data
-            print "    RRDatas:",d.count+d.rrsig_count
+            print ("    RRDatas:",d.count+d.rrsig_count)
             for j in range(0,d.count+d.rrsig_count):
-                print "    ",j,":","TTL=",d.rr_ttl[j],"RR data:"
-                print dataHex(d.rr_data[j],"         ")
+                print ("    ",j,":","TTL=",d.rr_ttl[j],"RR data:")
+                print (dataHex(d.rr_data[j],"         "))
 
 
 def operate(id, event, qstate, qdata):
     log_info("pythonmod: operate called, id: %d, event:%s" % (id, strmodulevent(event)))
-    #print "pythonmod: per query data", qdata
+    #print ("pythonmod: per query data", qdata)
 
-    print "Query:", ''.join(map(lambda x:chr(max(32,ord(x))),qstate.qinfo.qname)), qstate.qinfo.qname_list, qstate.qinfo.qname_str,
-    print "Type:",qstate.qinfo.qtype_str,"(%d)" % qstate.qinfo.qtype,
-    print "Class:",qstate.qinfo.qclass_str,"(%d)" % qstate.qinfo.qclass
-    print
+    print ("Query:", qstate.qinfo.qname, qstate.qinfo.qname_list, qstate.qinfo.qname_str)
+    print ("Type:",qstate.qinfo.qtype_str,"(%d)" % qstate.qinfo.qtype)
+    print ("Class:",qstate.qinfo.qclass_str,"(%d)" % qstate.qinfo.qclass)
+    print ()
 
     if (event == MODULE_EVENT_NEW or event == MODULE_EVENT_PASS) and (qstate.qinfo.qname_str.endswith("example.com.")):
-        print qstate.qinfo.qname_str
+        print (qstate.qinfo.qname_str)
 
         qstate.ext_state[id] = MODULE_FINISHED 
 
-	# eat time
-	y = 20
-	for z in range(2, 10000):
-		y = y*2 - z/2
-		y = y/2 + z
+        # eat time
+        y = 20
+        for z in range(2, 10000):
+                y = y*2 - z/2
+                y = y/2 + z
 
         msg = DNSMessage(qstate.qinfo.qname_str, RR_TYPE_A, RR_CLASS_IN, PKT_QR | PKT_RA | PKT_AA) #, 300)
         #msg.authority.append("xxx.seznam.cz. 10 IN A 192.168.1.1")
diff --git a/testdata/pymod_thread.tdir/pymod_thread.testns b/testdata/pymod_thread.tdir/pymod_thread.testns
index 55926bb50c9f..c92a07909e7d 100644
--- a/testdata/pymod_thread.tdir/pymod_thread.testns
+++ b/testdata/pymod_thread.tdir/pymod_thread.testns
@@ -22,3 +22,83 @@ SECTION ANSWER
 www2	IN	A	10.20.30.40
 ENTRY_END
 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www3	IN	A
+SECTION ANSWER
+www3	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www4	IN	A
+SECTION ANSWER
+www4	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www5	IN	A
+SECTION ANSWER
+www5	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NXDOMAIN
+ADJUST copy_id
+SECTION QUESTION
+www6	IN	A
+SECTION AUTHORITY
+example.com.		3600	IN	SOA	a. b. 2018100719 7200 3600 1209600 3600
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NXDOMAIN
+ADJUST copy_id
+SECTION QUESTION
+www7	IN	A
+SECTION AUTHORITY
+example.com.		3600	IN	SOA	a. b. 2018100719 7200 3600 1209600 3600
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NXDOMAIN
+ADJUST copy_id
+SECTION QUESTION
+www8	IN	A
+SECTION AUTHORITY
+example.com.		3600	IN	SOA	a. b. 2018100719 7200 3600 1209600 3600
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NXDOMAIN
+ADJUST copy_id
+SECTION QUESTION
+www9	IN	A
+SECTION AUTHORITY
+example.com.		3600	IN	SOA	a. b. 2018100719 7200 3600 1209600 3600
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NXDOMAIN
+ADJUST copy_id
+SECTION QUESTION
+www10	IN	A
+SECTION AUTHORITY
+example.com.		3600	IN	SOA	a. b. 2018100719 7200 3600 1209600 3600
+ENTRY_END
+
diff --git a/testdata/ssl_req_order.tdir/ssl_req_order.conf b/testdata/ssl_req_order.tdir/ssl_req_order.conf
new file mode 100644
index 000000000000..3b2e2b1b4fa9
--- /dev/null
+++ b/testdata/ssl_req_order.tdir/ssl_req_order.conf
@@ -0,0 +1,25 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: .
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+	ssl-port: @PORT@
+	ssl-service-key: "unbound_server.key"
+	ssl-service-pem: "unbound_server.pem"
+
+	local-zone: "example.net" static
+	local-data: "www1.example.net. IN A 1.2.3.1"
+	local-data: "www2.example.net. IN A 1.2.3.2"
+	local-data: "www3.example.net. IN A 1.2.3.3"
+	tcp-upstream: yes
+	local-zone: "drop.net" deny
+
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
diff --git a/testdata/ssl_req_order.tdir/ssl_req_order.dsc b/testdata/ssl_req_order.tdir/ssl_req_order.dsc
new file mode 100644
index 000000000000..2259d0c081ea
--- /dev/null
+++ b/testdata/ssl_req_order.tdir/ssl_req_order.dsc
@@ -0,0 +1,16 @@
+BaseName: ssl_req_order
+Version: 1.0
+Description: Test ssl request order processing.
+CreationDate: Mon Jan 21 14:11:00 CET 2018
+Maintainer: Wouter Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: ssl_req_order.pre
+Post: ssl_req_order.post
+Test: ssl_req_order.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/ssl_req_order.tdir/ssl_req_order.post b/testdata/ssl_req_order.tdir/ssl_req_order.post
new file mode 100644
index 000000000000..bba50e309196
--- /dev/null
+++ b/testdata/ssl_req_order.tdir/ssl_req_order.post
@@ -0,0 +1,11 @@
+# #-- ssl_req_order.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
+cat unbound.log
diff --git a/testdata/ssl_req_order.tdir/ssl_req_order.pre b/testdata/ssl_req_order.tdir/ssl_req_order.pre
new file mode 100644
index 000000000000..5fb11850144e
--- /dev/null
+++ b/testdata/ssl_req_order.tdir/ssl_req_order.pre
@@ -0,0 +1,31 @@
+# #-- ssl_req_order.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT ssl_req_order.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < ssl_req_order.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -vvvv -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/ssl_req_order.tdir/ssl_req_order.test b/testdata/ssl_req_order.tdir/ssl_req_order.test
new file mode 100644
index 000000000000..65981d16cea4
--- /dev/null
+++ b/testdata/ssl_req_order.tdir/ssl_req_order.test
@@ -0,0 +1,341 @@
+# #-- ssl_req_order.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+get_make
+(cd $PRE; $MAKE streamtcp)
+
+# this test query should just work (server is up)
+echo "> query www1.example.net."
+$PRE/streamtcp -s -f 127.0.0.1@$UNBOUND_PORT www1.example.net. A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+echo "OK"
+
+# multiple requests (from localdata)
+echo "> query www1.example.net. www2.example.net. www3.example.net."
+$PRE/streamtcp -s -f 127.0.0.1@$UNBOUND_PORT www1.example.net. A IN www2.example.net A IN www3.example.net A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www2.example.net" outfile | grep "1.2.3.2"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www3.example.net" outfile | grep "1.2.3.3"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+
+# out of order requests, the example.com elements take 2 seconds to wait.
+echo ""
+echo "> query www1.example.net. www.example.com. www2.example.net. www2.example.com. www3.example.net."
+$PRE/streamtcp -a -s -f 127.0.0.1@$UNBOUND_PORT www1.example.net. A IN www.example.com. A IN www2.example.net A IN www2.example.com. A IN www3.example.net A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www2.example.net" outfile | grep "1.2.3.2"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www3.example.net" outfile | grep "1.2.3.3"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www.example.com" outfile | grep "10.20.30.40"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www2.example.com" outfile | grep "10.20.30.42"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+
+# out of order requests, the example.com elements take 2 seconds to wait.
+# www.example.com present twice, answered twice.
+echo ""
+echo "> query www1.example.net. www.example.com. www2.example.net. www.example.com. www3.example.net."
+$PRE/streamtcp -a -s -f 127.0.0.1@$UNBOUND_PORT www1.example.net. A IN www.example.com. A IN www2.example.net A IN www.example.com. A IN www3.example.net A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www2.example.net" outfile | grep "1.2.3.2"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www3.example.net" outfile | grep "1.2.3.3"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www.example.com" outfile | grep "10.20.30.40"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+
+# out of order requests, the example.com elements take 2 seconds to wait.
+# www3.example.com present twice, answered twice.
+echo ""
+echo "> query www1.example.net. www3.example.com. www2.example.net. www3.example.com. www3.example.net."
+$PRE/streamtcp -a -s -f 127.0.0.1@$UNBOUND_PORT www1.example.net. A IN www3.example.com. A IN www2.example.net A IN www3.example.com. A IN www3.example.net A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www2.example.net" outfile | grep "1.2.3.2"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www3.example.net" outfile | grep "1.2.3.3"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www3.example.com" outfile | grep "10.20.30.43"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+
+echo ""
+echo "> query www4.example.com. www3.example.net."
+$PRE/streamtcp -a -s -f 127.0.0.1@$UNBOUND_PORT www4.example.com. A IN www3.example.net A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www3.example.net" outfile | grep "1.2.3.3"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www4.example.com" outfile | grep "10.20.30.44"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+
+echo ""
+echo "> query a1.example.com. - a100.example.com."
+$PRE/streamtcp -a -s -f 127.0.0.1@$UNBOUND_PORT www6.example.com. A IN a1.a.example.com. A IN a2.a.example.com. A IN a3.a.example.com. A IN a4.a.example.com. A IN a5.a.example.com. A IN a6.a.example.com. A IN a7.a.example.com. A IN a8.a.example.com. A IN a9.a.example.com. A IN a10.a.example.com. A IN a11.a.example.com. A IN a12.a.example.com. A IN a13.a.example.com. A IN a14.a.example.com. A IN a15.a.example.com. A IN a16.a.example.com. A IN a17.a.example.com. A IN a18.a.example.com. A IN a19.a.example.com. A IN a20.a.example.com. A IN a21.a.example.com. A IN a22.a.example.com. A IN a23.a.example.com. A IN a24.a.example.com. A IN a25.a.example.com. A IN a26.a.example.com. A IN a27.a.example.com. A IN a28.a.example.com. A IN a29.a.example.com. A IN a30.a.example.com. A IN a31.a.example.com. A IN a32.a.example.com. A IN a33.a.example.com. A IN a34.a.example.com. A IN a35.a.example.com. A IN a36.a.example.com. A IN a37.a.example.com. A IN a38.a.example.com. A IN a39.a.example.com. A IN a40.a.example.com. A IN a41.a.example.com. A IN a42.a.example.com. A IN a43.a.example.com. A IN a44.a.example.com. A IN a45.a.example.com. A IN a46.a.example.com. A IN a47.a.example.com. A IN a48.a.example.com. A IN a49.a.example.com. A IN a50.a.example.com. A IN a51.a.example.com. A IN a52.a.example.com. A IN a53.a.example.com. A IN a54.a.example.com. A IN a55.a.example.com. A IN a56.a.example.com. A IN a57.a.example.com. A IN a58.a.example.com. A IN a59.a.example.com. A IN a60.a.example.com. A IN a61.a.example.com. A IN a62.a.example.com. A IN a63.a.example.com. A IN a64.a.example.com. A IN a65.a.example.com. A IN a66.a.example.com. A IN a67.a.example.com. A IN a68.a.example.com. A IN a69.a.example.com. A IN a70.a.example.com. A IN a71.a.example.com. A IN a72.a.example.com. A IN a73.a.example.com. A IN a74.a.example.com. A IN a75.a.example.com. A IN a76.a.example.com. A IN a77.a.example.com. A IN a78.a.example.com. A IN a79.a.example.com. A IN a80.a.example.com. A IN a81.a.example.com. A IN a82.a.example.com. A IN a83.a.example.com. A IN a84.a.example.com. A IN a85.a.example.com. A IN a86.a.example.com. A IN a87.a.example.com. A IN a88.a.example.com. A IN a89.a.example.com. A IN a90.a.example.com. A IN a91.a.example.com. A IN a92.a.example.com. A IN a93.a.example.com. A IN a94.a.example.com. A IN a95.a.example.com. A IN a96.a.example.com. A IN a97.a.example.com. A IN a98.a.example.com. A IN a99.a.example.com. A IN a100.a.example.com. A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+grep "a.example.com.	IN	A" outfile
+
+echo ""
+echo "> query www5.example.net. www3.example.net. www.drop.net."
+$PRE/streamtcp -a -s -f 127.0.0.1@$UNBOUND_PORT www5.example.com. A IN www3.example.net A IN www.drop.net A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+echo "OK"
+exit 0
diff --git a/testdata/ssl_req_order.tdir/ssl_req_order.testns b/testdata/ssl_req_order.tdir/ssl_req_order.testns
new file mode 100644
index 000000000000..c53941b678bc
--- /dev/null
+++ b/testdata/ssl_req_order.tdir/ssl_req_order.testns
@@ -0,0 +1,74 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www2	IN	A
+SECTION ANSWER
+www2	IN	A	10.20.30.42
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www3	IN	A
+SECTION ANSWER
+www3	IN	A	10.20.30.43
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www4	IN	A
+SECTION ANSWER
+www4	IN	A	10.20.30.44
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www5	IN	A
+SECTION ANSWER
+www5	IN	A	10.20.30.45
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www6	IN	A
+SECTION ANSWER
+www6	IN	A	10.20.30.46
+ENTRY_END
+
+; lots of noerror/nodata answers for other queries (a.. queries)
+ENTRY_BEGIN
+MATCH opcode qtype subdomain
+REPLY QR AA NOERROR
+ADJUST copy_id copy_query
+SECTION QUESTION
+a.example.com.	IN	A
+SECTION AUTHORITY
+example.com.	IN SOA ns hostmaster 2019 28800 7200 604800 3600
+ENTRY_END
diff --git a/testdata/ssl_req_order.tdir/unbound_server.key b/testdata/ssl_req_order.tdir/unbound_server.key
new file mode 100644
index 000000000000..4256c421dd0d
--- /dev/null
+++ b/testdata/ssl_req_order.tdir/unbound_server.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQC3F7Jsv2u01pLL9rFnjsMU/IaCFUIz/624DcaE84Z4gjMl5kWA
+3axQcqul1wlwSrbKwrony+d9hH/+MX0tZwvl8w3OmhmOAiaQ+SHCsIuOjVwQjX0s
+RLB61Pz5+PAiVvnPa9JIYB5QrK6DVEsxIHj8MOc5JKORrnESsFDh6yeMeQIDAQAB
+AoGAAuWoGBprTOA8UGfl5LqYkaNxSWumsYXxLMFjC8WCsjN1NbtQDDr1uAwodSZS
+6ujzvX+ZTHnofs7y64XC8k34HTOCD2zlW7kijWbT8YjRYFU6o9F5zUGD9RCan0ds
+sVscT2psLSzfdsmFAcbmnGdxYkXk2PC1FHtaqExxehralGUCQQDcqrg9uQKXlhQi
+XAaPr8SiWvtRm2a9IMMZkRfUWZclPHq6fCWNuUaCD+cTat4wAuqeknAz33VEosw3
+fXGsok//AkEA1GjIHXrOcSlpfVJb6NeOBugjRtZ7ZDT5gbtnMS9ob0qntKV6saaL
+CNmJwuD9Q3XkU5j1+uHvYGP2NzcJd2CjhwJACV0hNlVMe9w9fHvFN4Gw6WbM9ViP
+0oS6YrJafYNTu5vGZXVxLoNnL4u3NYa6aPUmuZXjNwBLfJ8f5VboZPf6RwJAINd2
+oYA8bSi/A755MX4qmozH74r4Fx1Nuq5UHTm8RwDe/0Javx8F/j9MWpJY9lZDEF3l
+In5OebPa/NyInSmW/wJAZuP9aRn0nDBkHYri++1A7NykMiJ/nH0mDECbnk+wxx0S
+LwqIetBhxb8eQwMg45+iAH7CHAMQ8BQuF/nFE6eotg==
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/ssl_req_order.tdir/unbound_server.pem b/testdata/ssl_req_order.tdir/unbound_server.pem
new file mode 100644
index 000000000000..aeda3ff11882
--- /dev/null
+++ b/testdata/ssl_req_order.tdir/unbound_server.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmzCCAQQCCQDsNJ1UmphEFzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowEjEQMA4GA1UE
+AxMHdW5ib3VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtxeybL9rtNaS
+y/axZ47DFPyGghVCM/+tuA3GhPOGeIIzJeZFgN2sUHKrpdcJcEq2ysK6J8vnfYR/
+/jF9LWcL5fMNzpoZjgImkPkhwrCLjo1cEI19LESwetT8+fjwIlb5z2vSSGAeUKyu
+g1RLMSB4/DDnOSSjka5xErBQ4esnjHkCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAZ
+9N0lnLENs4JMvPS+mn8C5m9bkkFITd32IiLjf0zgYpIUbFXH6XaEr9GNZBUG8feG
+l/6WRXnbnVSblI5odQ4XxGZ9inYY6qtW30uv76HvoKp+QZ1c3460ddR8NauhcCHH
+Z7S+QbLXi+r2JAhpPozZCjBHlRD0ixzA1mKQTJhJZg==
+-----END CERTIFICATE-----
diff --git a/testdata/ssl_req_timeout.tdir/ssl_req_timeout.conf b/testdata/ssl_req_timeout.tdir/ssl_req_timeout.conf
new file mode 100644
index 000000000000..c461db29962a
--- /dev/null
+++ b/testdata/ssl_req_timeout.tdir/ssl_req_timeout.conf
@@ -0,0 +1,25 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: .
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+	ssl-port: @PORT@
+	ssl-service-key: "unbound_server.key"
+	ssl-service-pem: "unbound_server.pem"
+
+	local-zone: "example.net" static
+	local-data: "www1.example.net. IN A 1.2.3.1"
+	local-data: "www2.example.net. IN A 1.2.3.2"
+	local-data: "www3.example.net. IN A 1.2.3.3"
+	tcp-idle-timeout: 2000
+	local-zone: "drop.net" deny
+
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
diff --git a/testdata/ssl_req_timeout.tdir/ssl_req_timeout.dsc b/testdata/ssl_req_timeout.tdir/ssl_req_timeout.dsc
new file mode 100644
index 000000000000..1e933274b8a4
--- /dev/null
+++ b/testdata/ssl_req_timeout.tdir/ssl_req_timeout.dsc
@@ -0,0 +1,16 @@
+BaseName: ssl_req_timeout
+Version: 1.0
+Description: Test ssl request order timeouts.
+CreationDate: Mon Jan 21 11:23:00 CET 2018
+Maintainer: Wouter Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: ssl_req_timeout.pre
+Post: ssl_req_timeout.post
+Test: ssl_req_timeout.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/ssl_req_timeout.tdir/ssl_req_timeout.post b/testdata/ssl_req_timeout.tdir/ssl_req_timeout.post
new file mode 100644
index 000000000000..e170f4b6e9fa
--- /dev/null
+++ b/testdata/ssl_req_timeout.tdir/ssl_req_timeout.post
@@ -0,0 +1,12 @@
+# #-- ssl_req_timeout.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
+cat fwd.log
+cat unbound.log
diff --git a/testdata/ssl_req_timeout.tdir/ssl_req_timeout.pre b/testdata/ssl_req_timeout.tdir/ssl_req_timeout.pre
new file mode 100644
index 000000000000..b13de5b3abbf
--- /dev/null
+++ b/testdata/ssl_req_timeout.tdir/ssl_req_timeout.pre
@@ -0,0 +1,31 @@
+# #-- ssl_req_timeout.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT ssl_req_timeout.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < ssl_req_timeout.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -vvvv -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/ssl_req_timeout.tdir/ssl_req_timeout.test b/testdata/ssl_req_timeout.tdir/ssl_req_timeout.test
new file mode 100644
index 000000000000..5223fc9853b3
--- /dev/null
+++ b/testdata/ssl_req_timeout.tdir/ssl_req_timeout.test
@@ -0,0 +1,136 @@
+# #-- ssl_req_timeout.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+get_make
+(cd $PRE; $MAKE streamtcp)
+# check what sort of netcat we have
+if nc -h 2>&1 | grep "q secs"; then
+        ncopt="-q 3 -i 4"
+else
+        ncopt="-i 4"
+fi
+
+# this test query should just work (server is up)
+echo "> query www1.example.net."
+$PRE/streamtcp -s -f 127.0.0.1@$UNBOUND_PORT www1.example.net. A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+echo "OK"
+
+# multiple requests that are answered immediately and then the timeout
+echo "> query www1.example.net. www2.example.net. www3.example.net. www.example.com."
+$PRE/streamtcp -a -s -f 127.0.0.1@$UNBOUND_PORT www1.example.net. A IN www2.example.net A IN www3.example.net A IN www.example.com. A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www2.example.net" outfile | grep "1.2.3.2"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www3.example.net" outfile | grep "1.2.3.3"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "stream closed" outfile; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+
+# multiple requests that are waiting for answers and then the timeout
+echo "> query www2.example.com. www2.example.com. www3.example.com."
+$PRE/streamtcp -a -s -f 127.0.0.1@$UNBOUND_PORT www2.example.com. A IN www2.example.com A IN www3.example.com A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "stream closed" outfile; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+
+# wait a bit
+sleep 2
+
+# echo a couple requests to the other side and then wait for the timeout.
+# this creates waiting answers in the reply queue.
+echo "> nc www.example.net www2.example.net www3.example.net"
+( echo "0021eb410100000100000000000003777777076578616d706c65036e657400000100010022eb41010000010000000000000477777732076578616d706c65036e657400000100010022eb41010000010000000000000477777733076578616d706c65036e65740000010001" | xxd -r -p ; sleep 10 ; echo "") | nc $ncopt --ssl 127.0.0.1 $UNBOUND_PORT | xxd | tee outfile
+
+echo "OK"
+exit 0
diff --git a/testdata/ssl_req_timeout.tdir/ssl_req_timeout.testns b/testdata/ssl_req_timeout.tdir/ssl_req_timeout.testns
new file mode 100644
index 000000000000..694600974c0b
--- /dev/null
+++ b/testdata/ssl_req_timeout.tdir/ssl_req_timeout.testns
@@ -0,0 +1,63 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=4
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=4
+SECTION QUESTION
+www2	IN	A
+SECTION ANSWER
+www2	IN	A	10.20.30.42
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=4
+SECTION QUESTION
+www3	IN	A
+SECTION ANSWER
+www3	IN	A	10.20.30.43
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www4	IN	A
+SECTION ANSWER
+www4	IN	A	10.20.30.44
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www5	IN	A
+SECTION ANSWER
+www5	IN	A	10.20.30.45
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www6	IN	A
+SECTION ANSWER
+www6	IN	A	10.20.30.46
+ENTRY_END
diff --git a/testdata/ssl_req_timeout.tdir/unbound_server.key b/testdata/ssl_req_timeout.tdir/unbound_server.key
new file mode 100644
index 000000000000..4256c421dd0d
--- /dev/null
+++ b/testdata/ssl_req_timeout.tdir/unbound_server.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQC3F7Jsv2u01pLL9rFnjsMU/IaCFUIz/624DcaE84Z4gjMl5kWA
+3axQcqul1wlwSrbKwrony+d9hH/+MX0tZwvl8w3OmhmOAiaQ+SHCsIuOjVwQjX0s
+RLB61Pz5+PAiVvnPa9JIYB5QrK6DVEsxIHj8MOc5JKORrnESsFDh6yeMeQIDAQAB
+AoGAAuWoGBprTOA8UGfl5LqYkaNxSWumsYXxLMFjC8WCsjN1NbtQDDr1uAwodSZS
+6ujzvX+ZTHnofs7y64XC8k34HTOCD2zlW7kijWbT8YjRYFU6o9F5zUGD9RCan0ds
+sVscT2psLSzfdsmFAcbmnGdxYkXk2PC1FHtaqExxehralGUCQQDcqrg9uQKXlhQi
+XAaPr8SiWvtRm2a9IMMZkRfUWZclPHq6fCWNuUaCD+cTat4wAuqeknAz33VEosw3
+fXGsok//AkEA1GjIHXrOcSlpfVJb6NeOBugjRtZ7ZDT5gbtnMS9ob0qntKV6saaL
+CNmJwuD9Q3XkU5j1+uHvYGP2NzcJd2CjhwJACV0hNlVMe9w9fHvFN4Gw6WbM9ViP
+0oS6YrJafYNTu5vGZXVxLoNnL4u3NYa6aPUmuZXjNwBLfJ8f5VboZPf6RwJAINd2
+oYA8bSi/A755MX4qmozH74r4Fx1Nuq5UHTm8RwDe/0Javx8F/j9MWpJY9lZDEF3l
+In5OebPa/NyInSmW/wJAZuP9aRn0nDBkHYri++1A7NykMiJ/nH0mDECbnk+wxx0S
+LwqIetBhxb8eQwMg45+iAH7CHAMQ8BQuF/nFE6eotg==
+-----END RSA PRIVATE KEY-----
diff --git a/testdata/ssl_req_timeout.tdir/unbound_server.pem b/testdata/ssl_req_timeout.tdir/unbound_server.pem
new file mode 100644
index 000000000000..aeda3ff11882
--- /dev/null
+++ b/testdata/ssl_req_timeout.tdir/unbound_server.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBmzCCAQQCCQDsNJ1UmphEFzANBgkqhkiG9w0BAQUFADASMRAwDgYDVQQDEwd1
+bmJvdW5kMB4XDTA4MDkxMTA5MDk0MFoXDTI4MDUyOTA5MDk0MFowEjEQMA4GA1UE
+AxMHdW5ib3VuZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtxeybL9rtNaS
+y/axZ47DFPyGghVCM/+tuA3GhPOGeIIzJeZFgN2sUHKrpdcJcEq2ysK6J8vnfYR/
+/jF9LWcL5fMNzpoZjgImkPkhwrCLjo1cEI19LESwetT8+fjwIlb5z2vSSGAeUKyu
+g1RLMSB4/DDnOSSjka5xErBQ4esnjHkCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAZ
+9N0lnLENs4JMvPS+mn8C5m9bkkFITd32IiLjf0zgYpIUbFXH6XaEr9GNZBUG8feG
+l/6WRXnbnVSblI5odQ4XxGZ9inYY6qtW30uv76HvoKp+QZ1c3460ddR8NauhcCHH
+Z7S+QbLXi+r2JAhpPozZCjBHlRD0ixzA1mKQTJhJZg==
+-----END CERTIFICATE-----
diff --git a/testdata/stream_ssl.tdir/stream_ssl.post b/testdata/stream_ssl.tdir/stream_ssl.post
index 4cdbe726710f..eed0c0e1b5b2 100644
--- a/testdata/stream_ssl.tdir/stream_ssl.post
+++ b/testdata/stream_ssl.tdir/stream_ssl.post
@@ -8,3 +8,5 @@
 . ../common.sh
 kill_pid $UNBOUNDSERV_PID
 kill_pid $UNBOUNDCLIE_PID
+cat unboundserv.log
+cat unboundclie.log
diff --git a/testdata/stream_ssl.tdir/stream_ssl.serv.conf b/testdata/stream_ssl.tdir/stream_ssl.serv.conf
index 9dd169ff78bf..c77e39fc5d59 100644
--- a/testdata/stream_ssl.tdir/stream_ssl.serv.conf
+++ b/testdata/stream_ssl.tdir/stream_ssl.serv.conf
@@ -13,7 +13,8 @@ server:
 	ssl-port: @SERVPORT@
 	ssl-service-key: "unbound_server.key"
 	ssl-service-pem: "unbound_server.pem"
-
+	tls-session-ticket-keys: "ticket1.dat"
+	tls-session-ticket-keys: "ticket2.dat"
 # no other queries should reach here.
 forward-zone:
 	name: "."
diff --git a/testdata/stream_ssl.tdir/ticket1.dat b/testdata/stream_ssl.tdir/ticket1.dat
new file mode 100644
index 000000000000..1cc7902af33b
--- /dev/null
+++ b/testdata/stream_ssl.tdir/ticket1.dat
@@ -0,0 +1 @@
+X��d�,�f}���;�J��q�̌�
��s%�[)�M���o���@���5n_w�������I�K��C��Ӑ���"
\ No newline at end of file
diff --git a/testdata/stream_ssl.tdir/ticket2.dat b/testdata/stream_ssl.tdir/ticket2.dat
new file mode 100644
index 000000000000..7cb5ddff76cf
--- /dev/null
+++ b/testdata/stream_ssl.tdir/ticket2.dat
@@ -0,0 +1 @@
+s����|�N�*�2a{Ii�6��'��� ��i9I���+ȵj"W�z��)s0����D%�h�H��O����K���@
\ No newline at end of file
diff --git a/testdata/subnet_max_source.crpl b/testdata/subnet_max_source.crpl
index e1c6cf5f99f7..f5c7464ed7b2 100644
--- a/testdata/subnet_max_source.crpl
+++ b/testdata/subnet_max_source.crpl
@@ -145,6 +145,29 @@ RANGE_BEGIN 0 100
 			ns.example.com.		IN 	A	1.2.3.4
 	ENTRY_END
 
+	; client send /17, we return /18
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id copy_ednsdata_assume_clientsubnet increment_ecs_scope
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN TXT
+		SECTION ANSWER
+			www.example.com. IN TXT "longer scope"
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+							; client is 127.1.0.1
+				00 08 		; OPC
+				00 07 		; option length
+				00 01 		; Family
+				11 00 		; source mask, scopemask
+				7f 01 00   	; address
+			HEX_EDNSDATA_END
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+
 RANGE_END
 
 STEP 1 QUERY
@@ -229,5 +252,46 @@ ENTRY_BEGIN
 		ns.example.com.		IN 	A	1.2.3.4
 ENTRY_END
 
+STEP 21 QUERY
+ENTRY_BEGIN
+	HEX_ANSWER_BEGIN;
+		00 00 01 00 00 01 00 00		;ID 0
+		00 00 00 01 03 77 77 77		; www.example.com TXT? (DO)
+		07 65 78 61 6d 70 6c 65 
+		03 63 6f 6d 00 00 10 00
+		01 00 00 29 10 00 00 00 
+		80 00 00 0b
+		
+		00 08 00 07			; OPC, optlen
+		00 01 11 00			; ip4, scope 17, source 0
+		7f 01 00  			;127.1.0.0/17
+	HEX_ANSWER_END
+ENTRY_END
+
+
+
+; server returns /18, since we cache the result to max-client-subnet-ipv4 (/17),
+; the initial answer returned to the client should also be capped to /17.
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all ednsdata
+	REPLY QR RD RA NOERROR
+	SECTION QUESTION
+		www.example.com. IN TXT
+	SECTION ANSWER
+		www.example.com. IN TXT "longer scope"
+	SECTION AUTHORITY
+		example.com.	IN NS	ns.example.com.
+	SECTION ADDITIONAL
+		HEX_EDNSDATA_BEGIN
+						; client is 127.1.0.1
+			00 08 		; OPC
+			00 07 		; option length
+			00 01 		; Family
+			11 11 		; source mask, scopemask
+			7f 01 00 	; address
+		HEX_EDNSDATA_END
+		ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
 
 SCENARIO_END
diff --git a/testdata/tcp_idle_timeout.tdir/tcp_idle_timeout.testns b/testdata/tcp_idle_timeout.tdir/tcp_idle_timeout.testns
index 14647723fca5..2e240b087be8 100644
--- a/testdata/tcp_idle_timeout.tdir/tcp_idle_timeout.testns
+++ b/testdata/tcp_idle_timeout.tdir/tcp_idle_timeout.testns
@@ -13,7 +13,7 @@ ENTRY_END
 ENTRY_BEGIN
 MATCH TCP opcode qtype qname
 REPLY QR AA NOERROR
-ADJUST copy_id sleep=2
+ADJUST copy_id
 SECTION QUESTION
 www	IN	A
 SECTION ANSWER
diff --git a/testdata/tcp_req_order.tdir/tcp_req_order.conf b/testdata/tcp_req_order.tdir/tcp_req_order.conf
new file mode 100644
index 000000000000..40d6f55c8cde
--- /dev/null
+++ b/testdata/tcp_req_order.tdir/tcp_req_order.conf
@@ -0,0 +1,22 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: .
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+
+	local-zone: "example.net" static
+	local-data: "www1.example.net. IN A 1.2.3.1"
+	local-data: "www2.example.net. IN A 1.2.3.2"
+	local-data: "www3.example.net. IN A 1.2.3.3"
+	tcp-upstream: yes
+	local-zone: "drop.net" deny
+
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
diff --git a/testdata/tcp_req_order.tdir/tcp_req_order.dsc b/testdata/tcp_req_order.tdir/tcp_req_order.dsc
new file mode 100644
index 000000000000..f24e90073427
--- /dev/null
+++ b/testdata/tcp_req_order.tdir/tcp_req_order.dsc
@@ -0,0 +1,16 @@
+BaseName: tcp_req_order
+Version: 1.0
+Description: Test tcp request order processing.
+CreationDate: Mon Jan 14 13:34:00 CET 2018
+Maintainer: Wouter Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: tcp_req_order.pre
+Post: tcp_req_order.post
+Test: tcp_req_order.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/tcp_req_order.tdir/tcp_req_order.post b/testdata/tcp_req_order.tdir/tcp_req_order.post
new file mode 100644
index 000000000000..43372764c20b
--- /dev/null
+++ b/testdata/tcp_req_order.tdir/tcp_req_order.post
@@ -0,0 +1,11 @@
+# #-- tcp_req_order.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
+cat unbound.log
diff --git a/testdata/tcp_req_order.tdir/tcp_req_order.pre b/testdata/tcp_req_order.tdir/tcp_req_order.pre
new file mode 100644
index 000000000000..b2191f065fa8
--- /dev/null
+++ b/testdata/tcp_req_order.tdir/tcp_req_order.pre
@@ -0,0 +1,31 @@
+# #-- tcp_req_order.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT tcp_req_order.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < tcp_req_order.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -vvvv -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/tcp_req_order.tdir/tcp_req_order.test b/testdata/tcp_req_order.tdir/tcp_req_order.test
new file mode 100644
index 000000000000..ecbde306f266
--- /dev/null
+++ b/testdata/tcp_req_order.tdir/tcp_req_order.test
@@ -0,0 +1,341 @@
+# #-- tcp_req_order.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+get_make
+(cd $PRE; $MAKE streamtcp)
+
+# this test query should just work (server is up)
+echo "> query www1.example.net."
+$PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT www1.example.net. A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+echo "OK"
+
+# multiple requests (from localdata)
+echo "> query www1.example.net. www2.example.net. www3.example.net."
+$PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT www1.example.net. A IN www2.example.net A IN www3.example.net A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www2.example.net" outfile | grep "1.2.3.2"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www3.example.net" outfile | grep "1.2.3.3"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+
+# out of order requests, the example.com elements take 2 seconds to wait.
+echo ""
+echo "> query www1.example.net. www.example.com. www2.example.net. www2.example.com. www3.example.net."
+$PRE/streamtcp -a -f 127.0.0.1@$UNBOUND_PORT www1.example.net. A IN www.example.com. A IN www2.example.net A IN www2.example.com. A IN www3.example.net A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www2.example.net" outfile | grep "1.2.3.2"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www3.example.net" outfile | grep "1.2.3.3"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www.example.com" outfile | grep "10.20.30.40"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www2.example.com" outfile | grep "10.20.30.42"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+
+# out of order requests, the example.com elements take 2 seconds to wait.
+# www.example.com present twice, answered twice.
+echo ""
+echo "> query www1.example.net. www.example.com. www2.example.net. www.example.com. www3.example.net."
+$PRE/streamtcp -a -f 127.0.0.1@$UNBOUND_PORT www1.example.net. A IN www.example.com. A IN www2.example.net A IN www.example.com. A IN www3.example.net A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www2.example.net" outfile | grep "1.2.3.2"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www3.example.net" outfile | grep "1.2.3.3"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www.example.com" outfile | grep "10.20.30.40"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+
+# out of order requests, the example.com elements take 2 seconds to wait.
+# www3.example.com present twice, answered twice.
+echo ""
+echo "> query www1.example.net. www3.example.com. www2.example.net. www3.example.com. www3.example.net."
+$PRE/streamtcp -a -f 127.0.0.1@$UNBOUND_PORT www1.example.net. A IN www3.example.com. A IN www2.example.net A IN www3.example.com. A IN www3.example.net A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www2.example.net" outfile | grep "1.2.3.2"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www3.example.net" outfile | grep "1.2.3.3"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www3.example.com" outfile | grep "10.20.30.43"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+
+echo ""
+echo "> query www4.example.com. www3.example.net."
+$PRE/streamtcp -a -f 127.0.0.1@$UNBOUND_PORT www4.example.com. A IN www3.example.net A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www3.example.net" outfile | grep "1.2.3.3"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www4.example.com" outfile | grep "10.20.30.44"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+
+echo ""
+echo "> query a1.example.com. - a100.example.com."
+$PRE/streamtcp -a -f 127.0.0.1@$UNBOUND_PORT www6.example.com. A IN a1.a.example.com. A IN a2.a.example.com. A IN a3.a.example.com. A IN a4.a.example.com. A IN a5.a.example.com. A IN a6.a.example.com. A IN a7.a.example.com. A IN a8.a.example.com. A IN a9.a.example.com. A IN a10.a.example.com. A IN a11.a.example.com. A IN a12.a.example.com. A IN a13.a.example.com. A IN a14.a.example.com. A IN a15.a.example.com. A IN a16.a.example.com. A IN a17.a.example.com. A IN a18.a.example.com. A IN a19.a.example.com. A IN a20.a.example.com. A IN a21.a.example.com. A IN a22.a.example.com. A IN a23.a.example.com. A IN a24.a.example.com. A IN a25.a.example.com. A IN a26.a.example.com. A IN a27.a.example.com. A IN a28.a.example.com. A IN a29.a.example.com. A IN a30.a.example.com. A IN a31.a.example.com. A IN a32.a.example.com. A IN a33.a.example.com. A IN a34.a.example.com. A IN a35.a.example.com. A IN a36.a.example.com. A IN a37.a.example.com. A IN a38.a.example.com. A IN a39.a.example.com. A IN a40.a.example.com. A IN a41.a.example.com. A IN a42.a.example.com. A IN a43.a.example.com. A IN a44.a.example.com. A IN a45.a.example.com. A IN a46.a.example.com. A IN a47.a.example.com. A IN a48.a.example.com. A IN a49.a.example.com. A IN a50.a.example.com. A IN a51.a.example.com. A IN a52.a.example.com. A IN a53.a.example.com. A IN a54.a.example.com. A IN a55.a.example.com. A IN a56.a.example.com. A IN a57.a.example.com. A IN a58.a.example.com. A IN a59.a.example.com. A IN a60.a.example.com. A IN a61.a.example.com. A IN a62.a.example.com. A IN a63.a.example.com. A IN a64.a.example.com. A IN a65.a.example.com. A IN a66.a.example.com. A IN a67.a.example.com. A IN a68.a.example.com. A IN a69.a.example.com. A IN a70.a.example.com. A IN a71.a.example.com. A IN a72.a.example.com. A IN a73.a.example.com. A IN a74.a.example.com. A IN a75.a.example.com. A IN a76.a.example.com. A IN a77.a.example.com. A IN a78.a.example.com. A IN a79.a.example.com. A IN a80.a.example.com. A IN a81.a.example.com. A IN a82.a.example.com. A IN a83.a.example.com. A IN a84.a.example.com. A IN a85.a.example.com. A IN a86.a.example.com. A IN a87.a.example.com. A IN a88.a.example.com. A IN a89.a.example.com. A IN a90.a.example.com. A IN a91.a.example.com. A IN a92.a.example.com. A IN a93.a.example.com. A IN a94.a.example.com. A IN a95.a.example.com. A IN a96.a.example.com. A IN a97.a.example.com. A IN a98.a.example.com. A IN a99.a.example.com. A IN a100.a.example.com. A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+grep "a.example.com.	IN	A" outfile
+
+echo ""
+echo "> query www5.example.net. www3.example.net. www.drop.net."
+$PRE/streamtcp -a -f 127.0.0.1@$UNBOUND_PORT www5.example.com. A IN www3.example.net A IN www.drop.net A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+
+echo "OK"
+exit 0
diff --git a/testdata/tcp_req_order.tdir/tcp_req_order.testns b/testdata/tcp_req_order.tdir/tcp_req_order.testns
new file mode 100644
index 000000000000..c53941b678bc
--- /dev/null
+++ b/testdata/tcp_req_order.tdir/tcp_req_order.testns
@@ -0,0 +1,74 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www2	IN	A
+SECTION ANSWER
+www2	IN	A	10.20.30.42
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www3	IN	A
+SECTION ANSWER
+www3	IN	A	10.20.30.43
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www4	IN	A
+SECTION ANSWER
+www4	IN	A	10.20.30.44
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www5	IN	A
+SECTION ANSWER
+www5	IN	A	10.20.30.45
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www6	IN	A
+SECTION ANSWER
+www6	IN	A	10.20.30.46
+ENTRY_END
+
+; lots of noerror/nodata answers for other queries (a.. queries)
+ENTRY_BEGIN
+MATCH opcode qtype subdomain
+REPLY QR AA NOERROR
+ADJUST copy_id copy_query
+SECTION QUESTION
+a.example.com.	IN	A
+SECTION AUTHORITY
+example.com.	IN SOA ns hostmaster 2019 28800 7200 604800 3600
+ENTRY_END
diff --git a/testdata/tcp_req_size.tdir/tcp_req_size.conf b/testdata/tcp_req_size.tdir/tcp_req_size.conf
new file mode 100644
index 000000000000..d8d63ae90133
--- /dev/null
+++ b/testdata/tcp_req_size.tdir/tcp_req_size.conf
@@ -0,0 +1,25 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: .
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+
+	# extremely low number to make connections fail
+	stream-wait-size: 10
+
+	local-zone: "example.net" static
+	local-data: "www1.example.net. IN A 1.2.3.1"
+	local-data: "www2.example.net. IN A 1.2.3.2"
+	local-data: "www3.example.net. IN A 1.2.3.3"
+	tcp-upstream: yes
+	local-zone: "drop.net" deny
+
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
diff --git a/testdata/tcp_req_size.tdir/tcp_req_size.dsc b/testdata/tcp_req_size.tdir/tcp_req_size.dsc
new file mode 100644
index 000000000000..1b7ca143c034
--- /dev/null
+++ b/testdata/tcp_req_size.tdir/tcp_req_size.dsc
@@ -0,0 +1,16 @@
+BaseName: tcp_req_size
+Version: 1.0
+Description: Test tcp request wait size.
+CreationDate: Tue Jan 22 09:37:00 CET 2018
+Maintainer: Wouter Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: tcp_req_size.pre
+Post: tcp_req_size.post
+Test: tcp_req_size.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/edns_lame.tdir/edns_lame.post b/testdata/tcp_req_size.tdir/tcp_req_size.post
index f71e3c4246e6..16fd736423fd 100644
--- a/testdata/edns_lame.tdir/edns_lame.post
+++ b/testdata/tcp_req_size.tdir/tcp_req_size.post
@@ -1,4 +1,4 @@
-# #-- edns_lame.post --#
+# #-- tcp_req_size.post --#
 # source the master var file when it's there
 [ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
 # source the test var file when it's there
@@ -8,3 +8,4 @@
 . ../common.sh
 kill_pid $FWD_PID
 kill_pid $UNBOUND_PID
+cat unbound.log
diff --git a/testdata/edns_lame.tdir/edns_lame.pre b/testdata/tcp_req_size.tdir/tcp_req_size.pre
index d8c2c076f470..66469170c6f3 100644
--- a/testdata/edns_lame.tdir/edns_lame.pre
+++ b/testdata/tcp_req_size.tdir/tcp_req_size.pre
@@ -1,4 +1,4 @@
-# #-- edns_lame.pre--#
+# #-- tcp_req_size.pre--#
 # source the master var file when it's there
 [ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
 # use .tpkg.var.test for in test variable passing
@@ -13,18 +13,19 @@ echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
 
 # start forwarder
 get_ldns_testns
-$LDNS_TESTNS -p $FWD_PORT -v edns_lame.testns >fwd.log 2>&1 &
+$LDNS_TESTNS -p $FWD_PORT tcp_req_size.testns >fwd.log 2>&1 &
 FWD_PID=$!
 echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
 
 # make config file
-sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < edns_lame.conf > ub.conf
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < tcp_req_size.conf > ub.conf
 # start unbound in the background
 PRE="../.."
-$PRE/unbound -d -vvvv -c ub.conf >unbound.log 2>&1 &
+$PRE/unbound -vvvv -d -c ub.conf >unbound.log 2>&1 &
 UNBOUND_PID=$!
 echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
 
 cat .tpkg.var.test
 wait_ldns_testns_up fwd.log
 wait_unbound_up unbound.log
+
diff --git a/testdata/tcp_req_size.tdir/tcp_req_size.test b/testdata/tcp_req_size.tdir/tcp_req_size.test
new file mode 100644
index 000000000000..0260b2117ff3
--- /dev/null
+++ b/testdata/tcp_req_size.tdir/tcp_req_size.test
@@ -0,0 +1,100 @@
+# #-- tcp_req_size.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+get_make
+(cd $PRE; $MAKE streamtcp)
+
+# this test query should just work (server is up)
+echo "> query www1.example.net."
+$PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT www1.example.net. A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+echo "OK"
+
+# out of order requests, the example.com elements take 2 seconds to wait.
+# www3.example.com present twice, answered twice.
+# this queues one answer in the wait buffers, and that exceeds the buffer.
+echo ""
+echo "> query www1.example.net. www3.example.com. www2.example.net. www3.example.com. www3.example.net."
+$PRE/streamtcp -a -f 127.0.0.1@$UNBOUND_PORT www1.example.net. A IN www3.example.com. A IN www2.example.net A IN www3.example.com. A IN www3.example.net A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www2.example.net" outfile | grep "1.2.3.2"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www3.example.net" outfile | grep "1.2.3.3"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "stream closed" outfile; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+
+echo "OK"
+exit 0
diff --git a/testdata/tcp_req_size.tdir/tcp_req_size.testns b/testdata/tcp_req_size.tdir/tcp_req_size.testns
new file mode 100644
index 000000000000..88219e51f94d
--- /dev/null
+++ b/testdata/tcp_req_size.tdir/tcp_req_size.testns
@@ -0,0 +1,63 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www2	IN	A
+SECTION ANSWER
+www2	IN	A	10.20.30.42
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=1
+SECTION QUESTION
+www3	IN	A
+SECTION ANSWER
+www3	IN	A	10.20.30.43
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www4	IN	A
+SECTION ANSWER
+www4	IN	A	10.20.30.44
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www5	IN	A
+SECTION ANSWER
+www5	IN	A	10.20.30.45
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www6	IN	A
+SECTION ANSWER
+www6	IN	A	10.20.30.46
+ENTRY_END
diff --git a/testdata/tcp_req_timeout.tdir/tcp_req_timeout.conf b/testdata/tcp_req_timeout.tdir/tcp_req_timeout.conf
new file mode 100644
index 000000000000..45db9e17ff1a
--- /dev/null
+++ b/testdata/tcp_req_timeout.tdir/tcp_req_timeout.conf
@@ -0,0 +1,22 @@
+server:
+	verbosity: 2
+	# num-threads: 1
+	interface: 127.0.0.1
+	port: @PORT@
+	use-syslog: no
+	directory: .
+	pidfile: "unbound.pid"
+	chroot: ""
+	username: ""
+	do-not-query-localhost: no
+
+	local-zone: "example.net" static
+	local-data: "www1.example.net. IN A 1.2.3.1"
+	local-data: "www2.example.net. IN A 1.2.3.2"
+	local-data: "www3.example.net. IN A 1.2.3.3"
+	tcp-idle-timeout: 2000
+	local-zone: "drop.net" deny
+
+forward-zone:
+	name: "."
+	forward-addr: "127.0.0.1@@TOPORT@"
diff --git a/testdata/tcp_req_timeout.tdir/tcp_req_timeout.dsc b/testdata/tcp_req_timeout.tdir/tcp_req_timeout.dsc
new file mode 100644
index 000000000000..fb11517f36ca
--- /dev/null
+++ b/testdata/tcp_req_timeout.tdir/tcp_req_timeout.dsc
@@ -0,0 +1,16 @@
+BaseName: tcp_req_timeout
+Version: 1.0
+Description: Test tcp request order timeouts.
+CreationDate: Mon Jan 21 11:23:00 CET 2018
+Maintainer: Wouter Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: tcp_req_timeout.pre
+Post: tcp_req_timeout.post
+Test: tcp_req_timeout.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/tcp_req_timeout.tdir/tcp_req_timeout.post b/testdata/tcp_req_timeout.tdir/tcp_req_timeout.post
new file mode 100644
index 000000000000..7e8309238acf
--- /dev/null
+++ b/testdata/tcp_req_timeout.tdir/tcp_req_timeout.post
@@ -0,0 +1,12 @@
+# #-- tcp_req_timeout.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
+cat fwd.log
+cat unbound.log
diff --git a/testdata/tcp_req_timeout.tdir/tcp_req_timeout.pre b/testdata/tcp_req_timeout.tdir/tcp_req_timeout.pre
new file mode 100644
index 000000000000..d6cfe97ae021
--- /dev/null
+++ b/testdata/tcp_req_timeout.tdir/tcp_req_timeout.pre
@@ -0,0 +1,31 @@
+# #-- tcp_req_timeout.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT tcp_req_timeout.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < tcp_req_timeout.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -vvvv -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
diff --git a/testdata/tcp_req_timeout.tdir/tcp_req_timeout.test b/testdata/tcp_req_timeout.tdir/tcp_req_timeout.test
new file mode 100644
index 000000000000..831f8a854cbb
--- /dev/null
+++ b/testdata/tcp_req_timeout.tdir/tcp_req_timeout.test
@@ -0,0 +1,136 @@
+# #-- tcp_req_timeout.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+get_make
+(cd $PRE; $MAKE streamtcp)
+# check what sort of netcat we have
+if nc -h 2>&1 | grep "q secs"; then
+        ncopt="-q 3 -i 4"
+else
+        ncopt="-i 4"
+fi
+
+# this test query should just work (server is up)
+echo "> query www1.example.net."
+$PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT www1.example.net. A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+echo "OK"
+
+# multiple requests that are answered immediately and then the timeout
+echo "> query www1.example.net. www2.example.net. www3.example.net. www.example.com."
+$PRE/streamtcp -a -f 127.0.0.1@$UNBOUND_PORT www1.example.net. A IN www2.example.net A IN www3.example.net A IN www.example.com. A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "www1.example.net" outfile | grep "1.2.3.1"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www2.example.net" outfile | grep "1.2.3.2"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "www3.example.net" outfile | grep "1.2.3.3"; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+if grep "stream closed" outfile; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+
+# multiple requests that are waiting for answers and then the timeout
+echo "> query www2.example.com. www2.example.com. www3.example.com."
+$PRE/streamtcp -a -f 127.0.0.1@$UNBOUND_PORT www2.example.com. A IN www2.example.com A IN www3.example.com A IN >outfile 2>&1
+cat outfile
+if test "$?" -ne 0; then
+	echo "exit status not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "Not OK"
+	exit 1
+fi
+if grep "stream closed" outfile; then
+	echo "content OK"
+else
+	echo "result contents not OK"
+	echo "> cat logfiles"
+	cat outfile
+	cat fwd.log 
+	cat unbound.log
+	echo "result contents not OK"
+	exit 1
+fi
+
+# wait a bit
+sleep 2
+
+# echo a couple requests to the other side and then wait for the timeout.
+# this creates waiting answers in the reply queue.
+echo "> nc www.example.net www2.example.net www3.example.net"
+( echo "0021eb410100000100000000000003777777076578616d706c65036e657400000100010022eb41010000010000000000000477777732076578616d706c65036e657400000100010022eb41010000010000000000000477777733076578616d706c65036e65740000010001" | xxd -r -p ; sleep 10 ; echo "") | nc $ncopt 127.0.0.1 $UNBOUND_PORT | xxd | tee outfile
+
+echo "OK"
+exit 0
diff --git a/testdata/tcp_req_timeout.tdir/tcp_req_timeout.testns b/testdata/tcp_req_timeout.tdir/tcp_req_timeout.testns
new file mode 100644
index 000000000000..694600974c0b
--- /dev/null
+++ b/testdata/tcp_req_timeout.tdir/tcp_req_timeout.testns
@@ -0,0 +1,63 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=4
+SECTION QUESTION
+www	IN	A
+SECTION ANSWER
+www	IN	A	10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=4
+SECTION QUESTION
+www2	IN	A
+SECTION ANSWER
+www2	IN	A	10.20.30.42
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=4
+SECTION QUESTION
+www3	IN	A
+SECTION ANSWER
+www3	IN	A	10.20.30.43
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www4	IN	A
+SECTION ANSWER
+www4	IN	A	10.20.30.44
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www5	IN	A
+SECTION ANSWER
+www5	IN	A	10.20.30.45
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id sleep=2
+SECTION QUESTION
+www6	IN	A
+SECTION ANSWER
+www6	IN	A	10.20.30.46
+ENTRY_END
diff --git a/testdata/ttl_max.rpl b/testdata/ttl_max.rpl
index 17eaca26c548..32569632123f 100644
--- a/testdata/ttl_max.rpl
+++ b/testdata/ttl_max.rpl
@@ -180,11 +180,11 @@ REPLY QR RD RA CD
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
-www.example.com. 248 IN A	10.20.30.40
+www.example.com. 10 IN A	10.20.30.40
 SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
+example.com.	10	IN NS	ns.example.com.
 SECTION ADDITIONAL
-ns.example.com.	IN 	A	1.2.3.4
+ns.example.com.	10	IN 	A	1.2.3.4
 ENTRY_END
 
 ; wait 
@@ -205,10 +205,10 @@ REPLY QR RA
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
-.       3600    IN      NS      K.ROOT-SERVERS.NET.
+.       10    IN      NS      K.ROOT-SERVERS.NET.
 SECTION AUTHORITY
 SECTION ADDITIONAL
-K.ROOT-SERVERS.NET.     3600    IN      A       193.0.14.129
+K.ROOT-SERVERS.NET.     10    IN      A       193.0.14.129
 ENTRY_END
 
 SCENARIO_END