From: Kees Monshouwer Date: Fri, 26 Apr 2013 19:22:07 +0000 (+0200) Subject: Add normal NSEC3 (non opt-out) support. X-Git-Tag: auth-3.3-rc1~94^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b8adb30dff5fc18b55e27580c07799d8fae1bafb;p=pdns Add normal NSEC3 (non opt-out) support. --- diff --git a/.travis.yml b/.travis.yml index 8908b4d32..7a6627c3c 100644 --- a/.travis.yml +++ b/.travis.yml @@ -16,12 +16,16 @@ script: - ./start-test-stop 5300 bind-dnssec-presigned - ./start-test-stop 5300 bind-dnssec-nsec3 - ./start-test-stop 5300 bind-dnssec-nsec3-presigned + - ./start-test-stop 5300 bind-dnssec-nsec3-optout + - ./start-test-stop 5300 bind-dnssec-nsec3-optout-presigned - ./start-test-stop 5300 gmysql-nodnssec - ./start-test-stop 5300 gmysql-nodnssec-presigned - ./start-test-stop 5300 gmysql - ./start-test-stop 5300 gmysql-presigned - ./start-test-stop 5300 gmysql-nsec3 - ./start-test-stop 5300 gmysql-nsec3-presigned + - ./start-test-stop 5300 gmysql-nsec3-optout + - ./start-test-stop 5300 gmysql-nsec3-optout-presigned - ./start-test-stop 5300 gmysql-nsec3-narrow notifications: irc: diff --git a/pdns/backends/bind/bindbackend2.cc b/pdns/backends/bind/bindbackend2.cc index b4267a41a..6e65847a6 100644 --- a/pdns/backends/bind/bindbackend2.cc +++ b/pdns/backends/bind/bindbackend2.cc @@ -969,7 +969,7 @@ bool Bind2Backend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string // cerr<<"Hash: "<nsec3hash > lqname)) { @@ -982,7 +982,7 @@ bool Bind2Backend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string } bool wraponce = false; - while(iter == hashindex.end() || !(iter->auth) || iter->nsec3hash.empty()) + while(iter == hashindex.end() || (!iter->auth && !(iter->qtype == QType::NS && !pdns_iequals(iter->qname, auth) && !ns3pr.d_flags)) || iter->nsec3hash.empty()) { iter--; if(iter == hashindex.begin()) { 
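Review bot: The rewritten loop condition in the `@@ -982` hunk of getBeforeAndAfterNamesAbsolute tests `!ns3pr.d_flags`, so any non-zero flags byte is read as opt-out, although RFC 5155 gives that meaning only to the least significant bit; `!(ns3pr.d_flags & 1)` would say what is meant. The same four-term predicate is repeated in the `@@ -1009` hunk. A small local helper shared by both loops would keep the two copies from drifting apart, with a one-line comment that unsigned delegation NS sets take part in the chain only when opt-out is off. Both loops start and end outside these hunks, so reading `auth` as the zone apex name is an inference from the `pdns_iequals(iter->qname, auth)` comparison.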
@@ -1009,7 +1009,7 @@ bool Bind2Backend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string iter = hashindex.begin(); } - while(!(iter->auth) || iter->nsec3hash.empty()) + while((!iter->auth && !(iter->qtype == QType::NS && !pdns_iequals(iter->qname, auth) && !ns3pr.d_flags)) || iter->nsec3hash.empty()) { iter++; if(iter == hashindex.end()) diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc index 1fabbf49a..4e8230c2a 100644 --- a/pdns/packethandler.cc +++ b/pdns/packethandler.cc @@ -455,9 +455,9 @@ void emitNSEC3(DNSBackend& B, const NSEC3PARAMRecordContent& ns3prc, const SOADa DNSResourceRecord rr; if(!unhashed.empty()) { - B.lookup(QType(QType::ANY), unhashed); + B.lookup(QType(QType::ANY), unhashed, NULL, sd.domain_id); while(B.get(rr)) { - if(rr.domain_id == sd.domain_id && rr.qtype.getCode()) // skip out of zone data and empty non-terminals + if(rr.qtype.getCode() && (rr.qtype.getCode() == QType::NS || rr.auth)) // skip empty non-terminals n3rc.d_set.insert(rr.qtype.getCode()); } @@ -467,7 +467,7 @@ void emitNSEC3(DNSBackend& B, const NSEC3PARAMRecordContent& ns3prc, const SOADa } } - if (n3rc.d_set.size()) + if (n3rc.d_set.size() && !(n3rc.d_set.size() == 1 && n3rc.d_set.count(QType::NS))) n3rc.d_set.insert(QType::RRSIG); n3rc.d_nexthash=end; @@ -567,7 +567,7 @@ bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hash void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, const string& wildcard, const string& auth, const NSEC3PARAMRecordContent& ns3rc, bool narrow, int mode) { - // L<<"mode="<addRecord(rr); } return gotOne; 
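Review bot: With the `rr.domain_id == sd.domain_id` test dropped from the loop in emitNSEC3 (`@@ -455` hunk), the signed type bitmap now depends entirely on every backend honouring the zone id passed as the fourth argument to `B.lookup()`. If a backend treats that argument as a hint and still returns rows for the same owner name from another zone, those types end up in the NSEC3 bitmap. Keeping the cheap check next to the new one, `if(rr.domain_id == sd.domain_id && rr.qtype.getCode() && (rr.qtype.getCode() == QType::NS || rr.auth))`, would keep that guarantee local, provided every backend fills in `rr.domain_id`. The trailing comment would then read `// skip out of zone data, empty non-terminals and non-auth glue`. emitNSEC3 begins and ends outside this hunk.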
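Review bot: The condition now guarding `n3rc.d_set.insert(QType::RRSIG)` in the `@@ -467` hunk encodes a DNSSEC rule that is not stated anywhere near it. A comment above the `if`, such as `// an NS-only bitmap is an unsigned delegation: it has no RRSIG of its own`, would spare the next reader from working it out. The test looks at the bitmap alone, so it presumably relies on the apex NS set always appearing together with SOA; that is inferred from the visible lines, as the function continues outside the hunk.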
@@ -1265,8 +1264,6 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse) if (p->qtype.getCode() == QType::ANY && rr.qtype.getCode() == QType::RRSIG) // RRSIGS are added later any way. continue; //TODO: this actually means addRRSig should check if the RRSig is already there. - if(rr.qtype.getCode() == QType::DS) - rr.auth = 1; // cerr<<"Auth: "<qtype)<<", "<qtype.getCode() == QType::ANY || rr.qtype == p->qtype) && rr.auth) weDone=1; diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc index b115dc559..796eb5c9c 100644 --- a/pdns/pdnssec.cc +++ b/pdns/pdnssec.cc 
@@ -199,56 +199,47 @@ void rectifyZone(DNSSECKeeper& dk, const std::string& zone) } else sd.db->nullifyDNSSECOrderNameAndUpdateAuth(sd.domain_id, qname, auth); - if(realrr) - { - if (dsnames.count(qname)) - sd.db->setDNSSECAuthOnDsRecord(sd.domain_id, qname); - if (!auth || nsset.count(qname)) { - sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "NS"); - sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "A"); - sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "AAAA"); - } - } } else // NSEC { - if(realrr) - { - sd.db->updateDNSSECOrderAndAuth(sd.domain_id, zone, qname, auth); - if (dsnames.count(qname)) - sd.db->setDNSSECAuthOnDsRecord(sd.domain_id, qname); - if (!auth || nsset.count(qname)) { - sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "A"); - sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "AAAA"); - } - } - else - { + sd.db->updateDNSSECOrderAndAuth(sd.domain_id, zone, qname, auth); + if (!realrr) sd.db->nullifyDNSSECOrderNameAndUpdateAuth(sd.domain_id, qname, auth); - } } - if(auth && realrr && doent) + if(realrr) { - shorter=qname; - while(!pdns_iequals(shorter, zone) && chopOff(shorter)) + if (dsnames.count(qname)) + sd.db->setDNSSECAuthOnDsRecord(sd.domain_id, qname); + if (!auth || nsset.count(qname)) { + if(haveNSEC3 && ns3pr.d_flags) + sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "NS"); + sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "A"); + sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "AAAA"); + } + + if(auth && doent) { - if(!qnames.count(shorter) && !nonterm.count(shorter)) + shorter=qname; + while(!pdns_iequals(shorter, zone) && chopOff(shorter)) { - if(!(maxent)) + if(!qnames.count(shorter) && !nonterm.count(shorter)) { - cerr<<"Zone '"< 2 ? cmds[2] : "1 1 1 ab"; + string nsec3params = cmds.size() > 2 ? 
cmds[2] : "1 0 1 ab"; bool narrow = cmds.size() > 3 && cmds[3]=="narrow"; NSEC3PARAMRecordContent ns3pr(nsec3params); - if(!ns3pr.d_flags) { - cerr<<"PowerDNS only implements opt-out zones, please set the second parameter to '1' (example, '1 1 1 ab')"< 5 && strcmp(argv[5], "showflags")==0) || (argc > 6 && strcmp(argv[6], "showflags")==0)) + { + showflags=true; + } + vector packet; DNSPacketWriter pw(packet, argv[3], DNSRecordContent::TypeToNumber(argv[4])); @@ -132,6 +138,16 @@ try stringtok(parts, zoneRep); cout<<"\t"<first.d_ttl<<"\t"<< parts[0]<<" "<first.d_type == QType::NSEC3) + { + string zoneRep = i->first.d_content->getZoneRepresentation(); + vector parts; + stringtok(parts, zoneRep); + cout<<"\t"<first.d_ttl<<"\t"<< parts[0]<<" [flags] "<::iterator iter = parts.begin()+5; iter != parts.end(); ++iter) + cout<<" "<<*iter; + cout<<"\n"; + } else if(i->first.d_type == QType::DNSKEY) { string zoneRep = i->first.d_content->getZoneRepresentation(); diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc index fd92f4934..e20d033e2 100644 --- a/pdns/slavecommunicator.cc +++ b/pdns/slavecommunicator.cc @@ -260,7 +260,7 @@ void CommunicatorClass::suck(const string &domain,const string &remote) }while(chopOff(shorter)); } - if(dnssecZone && haveNSEC3) + if(haveNSEC3) { if(!narrow) { hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, qname))); 
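Review bot: With the `if(!ns3pr.d_flags)` rejection removed from the set-nsec3 handling in pdnssec.cc, the visible lines no longer bound the flags field parsed from `cmds[2]` at all. Part of this hunk is lost on this page, so a replacement check may exist but is not shown. Other hunks of this commit branch on `ns3pr.d_flags` as a plain truth value, so a value such as 2 would be stored and then treated as opt-out. A guard right after `NSEC3PARAMRecordContent ns3pr(nsec3params);` that rejects `ns3pr.d_flags > 1` with an error message and an early exit would keep unsupported flag values out of the zone metadata.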
@@ -268,47 +268,42 @@ void CommunicatorClass::suck(const string &domain,const string &remote) } else di.backend->nullifyDNSSECOrderNameAndUpdateAuth(domain_id, qname, auth); - if(realrr) - { - if (dsnames.count(qname)) - di.backend->setDNSSECAuthOnDsRecord(domain_id, qname); - if (!auth || nsset.count(qname)) { - di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "NS"); - di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "A"); - di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "AAAA"); - } - } } else // NSEC { - if(realrr) - { - di.backend->updateDNSSECOrderAndAuth(domain_id, domain, qname, auth); - if (dsnames.count(qname)) - di.backend->setDNSSECAuthOnDsRecord(domain_id, qname); - if (!auth || nsset.count(qname)) { - di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "A"); - di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "AAAA"); - } - } + di.backend->updateDNSSECOrderAndAuth(domain_id, domain, qname, auth); + if (!realrr) + di.backend->nullifyDNSSECOrderNameAndUpdateAuth(domain_id, qname, auth); } - if(auth && realrr && doent) + if(realrr) { - shorter=qname; - while(!pdns_iequals(shorter, domain) && chopOff(shorter)) + if (dsnames.count(qname)) + di.backend->setDNSSECAuthOnDsRecord(domain_id, qname); + if (!auth || nsset.count(qname)) { + if(haveNSEC3 && gotOptOutFlag) + di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "NS"); + di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "A"); + di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "AAAA"); + } + + if(auth && doent) { - if(!qnames.count(shorter) && !nonterm.count(shorter)) + shorter=qname; + while(!pdns_iequals(shorter, domain) && chopOff(shorter)) { - if(!(maxent)) + if(!qnames.count(shorter) && !nonterm.count(shorter)) { - L< q, int out } } + uint8_t flags; + if(NSEC3Zone) { // now stuff in the NSEC3PARAM + flags = ns3pr.d_flags; rr.qtype = QType(QType::NSEC3PARAM); ns3pr.d_flags = 0; rr.content = 
ns3pr.getZoneRepresentation(); - ns3pr.d_flags = 1; + ns3pr.d_flags = flags; string keyname = hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname); NSECXEntry& ne = nsecxrepo[keyname]; @@ -657,7 +660,7 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr q, int out keyname = NSEC3Zone ? hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname) : labelReverse(rr.qname); NSECXEntry& ne = nsecxrepo[keyname]; ne.d_ttl = sd.default_ttl; - ne.d_auth = (ne.d_auth || rr.auth); + ne.d_auth = (ne.d_auth || rr.auth || (NSEC3Zone && !ns3pr.d_flags)); if (rr.qtype.getCode()) { ne.d_set.insert(rr.qtype.getCode()); } diff --git a/regression-tests/00dnssec-grabkeys/command b/regression-tests/00dnssec-grabkeys/command index 414b72d3f..3dba73aa4 100755 --- a/regression-tests/00dnssec-grabkeys/command +++ b/regression-tests/00dnssec-grabkeys/command @@ -4,7 +4,10 @@ rm -f trustedkeys rm -f unbound-host.conf for zone in $(grep zone named.conf | cut -f2 -d\") do + if [ "${zone: 0:16}" != "secure-delegated" ] + then drill -p $port -o rd -D dnskey $zone @$nameserver | grep -v '^;' | grep -v AwEAAarTiHhPgvD28WCN8UBXcEcf8f >> trustedkeys + fi echo "stub-zone:" >> unbound-host.conf echo " name: $zone" >> unbound-host.conf echo " stub-addr: $nameserver@$port" >> unbound-host.conf diff --git a/regression-tests/any-nxdomain/expected_result.narrow b/regression-tests/any-nxdomain/expected_result.narrow index b491f36ff..5d8a786cf 100644 --- a/regression-tests/any-nxdomain/expected_result.narrow +++ b/regression-tests/any-nxdomain/expected_result.narrow 
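Review bot: `uint8_t flags;` is declared uninitialised ahead of the `if(NSEC3Zone)` block in doAXFR, although in the visible lines it is only written and read inside that block. Declaring it at the point of use, `const uint8_t flags = ns3pr.d_flags;`, removes the uninitialised window. A comment on the zeroing, `// NSEC3PARAM is always published with flags 0; restore the zone's value for the NSEC3 chain`, would explain the save and restore. The start of this hunk is damaged on this page and doAXFR extends beyond it.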
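Review bot: The new term `(NSEC3Zone && !ns3pr.d_flags)` in the `@@ -657` hunk sets `ne.d_auth` for every record that reaches this statement in a non-opt-out zone, not only for delegation NS sets. If the enclosing condition, which lies outside the hunk, lets glue address records through, their hashed owner names would gain NSEC3 records in the transferred chain. emitNSEC3 in packethandler.cc, changed in this same commit, limits its exception to NS. The same restriction here would read `ne.d_auth = (ne.d_auth || rr.auth || (NSEC3Zone && !ns3pr.d_flags && rr.qtype.getCode() == QType::NS));`.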
@@ -1,10 +1,10 @@ -1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN NSEC3 86400 1 1 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2 +1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN NSEC3 86400 1 [flags] 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2 1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 -1 onnhv82alu3om3l4fkfes49n0j2c71ba.example.com. IN NSEC3 86400 1 1 1 abcd ONNHV82ALU3OM3L4FKFES49N0J2C71BC +1 onnhv82alu3om3l4fkfes49n0j2c71ba.example.com. IN NSEC3 86400 1 [flags] 1 abcd ONNHV82ALU3OM3L4FKFES49N0J2C71BC 1 onnhv82alu3om3l4fkfes49n0j2c71ba.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM +1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 [flags] 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM 1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/any-nxdomain/expected_result.nsec3 b/regression-tests/any-nxdomain/expected_result.nsec3 index f14bfaef1..ffa08f320 100644 --- a/regression-tests/any-nxdomain/expected_result.nsec3 +++ b/regression-tests/any-nxdomain/expected_result.nsec3 
@@ -1,10 +1,10 @@ -1 9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com. IN NSEC3 86400 1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG +1 9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com. IN NSEC3 86400 1 [flags] 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG 1 9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 -1 onn5kjcskcfqisao7tmqpjkp5kkh111o.example.com. IN NSEC3 86400 1 1 1 abcd ONNU1VP51T2LDROTDVQ10HVLRQQV2UAA A RRSIG +1 onn5kjcskcfqisao7tmqpjkp5kkh111o.example.com. IN NSEC3 86400 1 [flags] 1 abcd ONNU1VP51T2LDROTDVQ10HVLRQQV2UAA A RRSIG 1 onn5kjcskcfqisao7tmqpjkp5kkh111o.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM +1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 [flags] 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM 1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/any-wildcard-dnssec/expected_result.narrow b/regression-tests/any-wildcard-dnssec/expected_result.narrow index 198d560cc..dc937bb7c 100644 --- a/regression-tests/any-wildcard-dnssec/expected_result.narrow +++ b/regression-tests/any-wildcard-dnssec/expected_result.narrow 
@@ -1,6 +1,6 @@ 0 www.something.wtest.com. IN A 3600 4.3.2.1 0 www.something.wtest.com. IN RRSIG 3600 A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ... -1 7q60llva2bt9ucubvn553q9s2pf8ho38.wtest.com. IN NSEC3 86400 1 1 1 abcd 7Q60LLVA2BT9UCUBVN553Q9S2PF8HO3A +1 7q60llva2bt9ucubvn553q9s2pf8ho38.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd 7Q60LLVA2BT9UCUBVN553Q9S2PF8HO3A 1 7q60llva2bt9ucubvn553q9s2pf8ho38.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ... 2 . IN OPT 32768 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/any-wildcard-dnssec/expected_result.nsec3 b/regression-tests/any-wildcard-dnssec/expected_result.nsec3 index 779c6ab8b..5d117598e 100644 --- a/regression-tests/any-wildcard-dnssec/expected_result.nsec3 +++ b/regression-tests/any-wildcard-dnssec/expected_result.nsec3 @@ -1,6 +1,6 @@ 0 www.something.wtest.com. IN A 3600 4.3.2.1 0 www.something.wtest.com. IN RRSIG 3600 A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ... -1 7k2dfhl64f0ndftst8u5rr5euminddvb.wtest.com. IN NSEC3 86400 1 1 1 abcd 95QOQ246KN3VM7HL8KVG8O45JIHMNLNG A RRSIG +1 7k2dfhl64f0ndftst8u5rr5euminddvb.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd 95QOQ246KN3VM7HL8KVG8O45JIHMNLNG A RRSIG 1 7k2dfhl64f0ndftst8u5rr5euminddvb.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ... 2 . IN OPT 32768 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/bind-dnssec-setup b/regression-tests/bind-dnssec-setup index 5246823c1..8dac036a1 100755 --- a/regression-tests/bind-dnssec-setup +++ b/regression-tests/bind-dnssec-setup 
@@ -3,5 +3,14 @@ rm -f dnssec.sqlite3 ../pdns/pdnssec --config-dir=. create-bind-db dnssec.sqlite3 for zone in $(grep zone named.conf | cut -f2 -d\") do - ../pdns/pdnssec --config-dir=. secure-zone $zone 2>&1 + if [ "${zone: 0:16}" = "secure-delegated" ] + then + ../pdns/pdnssec --config-dir=. import-zone-key $zone $zone.key ksk 2>&1 + ../pdns/pdnssec --config-dir=. add-zone-key $zone 1024 zsk 2>&1 + keyid=`../pdns/pdnssec --config-dir=. show-zone delegated.dnssec-parent.com | grep ZSK | cut -d' ' -f3` + ../pdns/pdnssec --config-dir=. activate-zone-key $zone $keyid 2>&1 + ../pdns/pdnssec --config-dir=. add-zone-key $zone 1024 zsk 2>&1 + else + ../pdns/pdnssec --config-dir=. secure-zone $zone 2>&1 + fi done diff --git a/regression-tests/cleandig b/regression-tests/cleandig index 68bc42721..be9def6d3 100755 --- a/regression-tests/cleandig +++ b/regression-tests/cleandig @@ -1,7 +1,7 @@ #!/bin/sh if [ ! -e ${testsdir}/${testname}/use.drill ] then -../pdns/sdig $nameserver $port "$1" $2 $3 | LC_ALL=C sort +../pdns/sdig $nameserver $port "$1" $2 $3 $4 | LC_ALL=C sort fi ../pdns/nsec3dig $nameserver $port "$1" $2 > ${testsdir}/${testname}/nsec3dig.out 2>&1 drill -a -p $port -o rd -D -S -k trustedkeys "$1" $2 @$nameserver > ${testsdir}/${testname}/drillchase.out 2>&1 diff --git a/regression-tests/cname-to-nxdomain/expected_result.narrow b/regression-tests/cname-to-nxdomain/expected_result.narrow index f94d05dc9..b6e20e70f 100644 --- a/regression-tests/cname-to-nxdomain/expected_result.narrow +++ b/regression-tests/cname-to-nxdomain/expected_result.narrow 
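Review bot: Inside the `secure-delegated` branch of bind-dnssec-setup the key id is looked up with `show-zone delegated.dnssec-parent.com`, a fixed name, and then passed to `activate-zone-key $zone`, so the id appears to come from a different zone than the one being set up. Replacing the fixed name with `$zone` in that `show-zone` call keeps the two in step. The test `${zone: 0:16}` is also a bash substring expansion, and it appears in the 00dnssec-grabkeys/command hunk as well. The shebang of both scripts is outside the hunks; if it is `#!/bin/sh`, as in cleandig, a `case $zone in secure-delegated*)` test is the portable form.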
@@ -1,12 +1,12 @@ 0 nxd.example.com. IN CNAME 120 nxdomain.example.com. 0 nxd.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ... -1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN NSEC3 86400 1 1 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2 +1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN NSEC3 86400 1 [flags] 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2 1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 -1 onnhv82alu3om3l4fkfes49n0j2c71ba.example.com. IN NSEC3 86400 1 1 1 abcd ONNHV82ALU3OM3L4FKFES49N0J2C71BC +1 onnhv82alu3om3l4fkfes49n0j2c71ba.example.com. IN NSEC3 86400 1 [flags] 1 abcd ONNHV82ALU3OM3L4FKFES49N0J2C71BC 1 onnhv82alu3om3l4fkfes49n0j2c71ba.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM +1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 [flags] 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM 1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/cname-to-nxdomain/expected_result.nsec3 b/regression-tests/cname-to-nxdomain/expected_result.nsec3 index cb50420a3..d66366861 100644 --- a/regression-tests/cname-to-nxdomain/expected_result.nsec3 +++ b/regression-tests/cname-to-nxdomain/expected_result.nsec3 
@@ -1,12 +1,12 @@ 0 nxd.example.com. IN CNAME 120 nxdomain.example.com. 0 nxd.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ... -1 9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com. IN NSEC3 86400 1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG +1 9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com. IN NSEC3 86400 1 [flags] 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG 1 9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 -1 onn5kjcskcfqisao7tmqpjkp5kkh111o.example.com. IN NSEC3 86400 1 1 1 abcd ONNU1VP51T2LDROTDVQ10HVLRQQV2UAA A RRSIG +1 onn5kjcskcfqisao7tmqpjkp5kkh111o.example.com. IN NSEC3 86400 1 [flags] 1 abcd ONNU1VP51T2LDROTDVQ10HVLRQQV2UAA A RRSIG 1 onn5kjcskcfqisao7tmqpjkp5kkh111o.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM +1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 [flags] 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM 1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/cname-wildcard-chain/expected_result.narrow b/regression-tests/cname-wildcard-chain/expected_result.narrow index 0d97f8585..2b1a993a1 100644 --- a/regression-tests/cname-wildcard-chain/expected_result.narrow +++ b/regression-tests/cname-wildcard-chain/expected_result.narrow 
@@ -10,15 +10,15 @@ 0 x.y.z.w4.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ... 0 x.y.z.w5.example.com. IN A 120 1.2.3.5 0 x.y.z.w5.example.com. IN RRSIG 120 A 8 3 120 [expiry] [inception] [keytag] example.com. ... -1 6jmrie0v0hnp2flflt36lur7c08n9h45.example.com. IN NSEC3 86400 1 1 1 abcd 6JMRIE0V0HNP2FLFLT36LUR7C08N9H47 +1 6jmrie0v0hnp2flflt36lur7c08n9h45.example.com. IN NSEC3 86400 1 [flags] 1 abcd 6JMRIE0V0HNP2FLFLT36LUR7C08N9H47 1 6jmrie0v0hnp2flflt36lur7c08n9h45.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 atcf56s7ucntm82nht67p3g2nqteplou.example.com. IN NSEC3 86400 1 1 1 abcd ATCF56S7UCNTM82NHT67P3G2NQTEPLP0 +1 atcf56s7ucntm82nht67p3g2nqteplou.example.com. IN NSEC3 86400 1 [flags] 1 abcd ATCF56S7UCNTM82NHT67P3G2NQTEPLP0 1 atcf56s7ucntm82nht67p3g2nqteplou.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 b6drqdikagd74fa5eme4sdiek1s06343.example.com. IN NSEC3 86400 1 1 1 abcd B6DRQDIKAGD74FA5EME4SDIEK1S06345 +1 b6drqdikagd74fa5eme4sdiek1s06343.example.com. IN NSEC3 86400 1 [flags] 1 abcd B6DRQDIKAGD74FA5EME4SDIEK1S06345 1 b6drqdikagd74fa5eme4sdiek1s06343.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 lr0g3vnj9r0nvtlsjnf8eqa68sqj06qg.example.com. IN NSEC3 86400 1 1 1 abcd LR0G3VNJ9R0NVTLSJNF8EQA68SQJ06QI +1 lr0g3vnj9r0nvtlsjnf8eqa68sqj06qg.example.com. IN NSEC3 86400 1 [flags] 1 abcd LR0G3VNJ9R0NVTLSJNF8EQA68SQJ06QI 1 lr0g3vnj9r0nvtlsjnf8eqa68sqj06qg.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 vsfa79vv78gd61567bkcai646ta0p276.example.com. IN NSEC3 86400 1 1 1 abcd VSFA79VV78GD61567BKCAI646TA0P278 +1 vsfa79vv78gd61567bkcai646ta0p276.example.com. IN NSEC3 86400 1 [flags] 1 abcd VSFA79VV78GD61567BKCAI646TA0P278 1 vsfa79vv78gd61567bkcai646ta0p276.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . 
IN OPT 32768 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/cname-wildcard-chain/expected_result.nsec3 b/regression-tests/cname-wildcard-chain/expected_result.nsec3 index ebe96a8f4..6d89b279f 100644 --- a/regression-tests/cname-wildcard-chain/expected_result.nsec3 +++ b/regression-tests/cname-wildcard-chain/expected_result.nsec3 
@@ -10,15 +10,15 @@ 0 x.y.z.w4.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ... 0 x.y.z.w5.example.com. IN A 120 1.2.3.5 0 x.y.z.w5.example.com. IN RRSIG 120 A 8 3 120 [expiry] [inception] [keytag] example.com. ... -1 6jljjg5vg8ab1latv5khfq52jjpdlp9t.example.com. IN NSEC3 86400 1 1 1 abcd 6JNMPRJN08RFG8QRUMBN91V2UURTV527 A RRSIG +1 6jljjg5vg8ab1latv5khfq52jjpdlp9t.example.com. IN NSEC3 86400 1 [flags] 1 abcd 6JNMPRJN08RFG8QRUMBN91V2UURTV527 A RRSIG 1 6jljjg5vg8ab1latv5khfq52jjpdlp9t.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 atbcoh7l1gr1cbifhkt3ikmv2o60g8sc.example.com. IN NSEC3 86400 1 1 1 abcd ATEJUO2QMEO1FORSEB6KH9B0DMVFRK08 A RRSIG +1 atbcoh7l1gr1cbifhkt3ikmv2o60g8sc.example.com. IN NSEC3 86400 1 [flags] 1 abcd ATEJUO2QMEO1FORSEB6KH9B0DMVFRK08 A RRSIG 1 atbcoh7l1gr1cbifhkt3ikmv2o60g8sc.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 b6cdleeregn514pnp2jgmtd67ig3q4qs.example.com. IN NSEC3 86400 1 1 1 abcd B6J68ESSIMG1HC5MGJ3B3OQUKL9PKEQB A RRSIG +1 b6cdleeregn514pnp2jgmtd67ig3q4qs.example.com. IN NSEC3 86400 1 [flags] 1 abcd B6J68ESSIMG1HC5MGJ3B3OQUKL9PKEQB A RRSIG 1 b6cdleeregn514pnp2jgmtd67ig3q4qs.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 lqu3s8oae1ipc1iobnslma8igo1335a4.example.com. IN NSEC3 86400 1 1 1 abcd LR1LEP75CII4P0CLER3MLLQBO1TGKHDO A RRSIG +1 lqu3s8oae1ipc1iobnslma8igo1335a4.example.com. IN NSEC3 86400 1 [flags] 1 abcd LR1LEP75CII4P0CLER3MLLQBO1TGKHDO A RRSIG 1 lqu3s8oae1ipc1iobnslma8igo1335a4.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 vscvfu442fdlbq07jpd7bdocd3ig7fo8.example.com. IN NSEC3 86400 1 1 1 abcd VSGNH606MUV7BFQFN3TRH1D5FKP1IPIV A RRSIG +1 vscvfu442fdlbq07jpd7bdocd3ig7fo8.example.com. IN NSEC3 86400 1 [flags] 1 abcd VSGNH606MUV7BFQFN3TRH1D5FKP1IPIV A RRSIG 1 vscvfu442fdlbq07jpd7bdocd3ig7fo8.example.com. 
IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/ds-at-unsecure-delegation/command b/regression-tests/ds-at-unsecure-delegation/command index 8eee2898c..5eebd9e02 100755 --- a/regression-tests/ds-at-unsecure-delegation/command +++ b/regression-tests/ds-at-unsecure-delegation/command @@ -1,2 +1,2 @@ #!/bin/sh -cleandig usa.example.com DS dnssec +cleandig usa.example.com DS dnssec showflags diff --git a/regression-tests/ds-at-unsecure-delegation/expected_result.nsec3 b/regression-tests/ds-at-unsecure-delegation/expected_result.nsec3 index 6805539d8..ee1c7ae72 100644 --- a/regression-tests/ds-at-unsecure-delegation/expected_result.nsec3 +++ b/regression-tests/ds-at-unsecure-delegation/expected_result.nsec3 @@ -1,8 +1,8 @@ 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 -1 t66sektb7egvs7s57m1qged4h6809g8s.example.com. IN NSEC3 86400 1 1 1 abcd T6A44A7N1B90T5RIS4IBQKT51MMDL0LO A RRSIG -1 t66sektb7egvs7s57m1qged4h6809g8s.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM +1 t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com. IN NSEC3 86400 1 0 1 abcd T6A44A7N1B90T5RIS4IBQKT51MMDL0LO NS +1 t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... +1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 0 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM 1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 
diff --git a/regression-tests/ds-at-unsecure-delegation/expected_result.nsec3-optout b/regression-tests/ds-at-unsecure-delegation/expected_result.nsec3-optout new file mode 100644 index 000000000..6805539d8 --- /dev/null +++ b/regression-tests/ds-at-unsecure-delegation/expected_result.nsec3-optout @@ -0,0 +1,9 @@ +1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... +1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 +1 t66sektb7egvs7s57m1qged4h6809g8s.example.com. IN NSEC3 86400 1 1 1 abcd T6A44A7N1B90T5RIS4IBQKT51MMDL0LO A RRSIG +1 t66sektb7egvs7s57m1qged4h6809g8s.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... +1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM +1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... +2 . IN OPT 32768 +Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='usa.example.com.', qtype=DS diff --git a/regression-tests/ds-at-unsecure-zone-cut/command b/regression-tests/ds-at-unsecure-zone-cut/command index 41c2cbd44..2033c5af8 100755 --- a/regression-tests/ds-at-unsecure-zone-cut/command +++ b/regression-tests/ds-at-unsecure-zone-cut/command @@ -1,3 +1,3 @@ #!/bin/sh -cleandig delegated.dnssec-parent.com DS dnssec +cleandig delegated.dnssec-parent.com DS dnssec showflags diff --git a/regression-tests/ds-at-unsecure-zone-cut/expected_result.nsec3 b/regression-tests/ds-at-unsecure-zone-cut/expected_result.nsec3 index c8ccc4cba..1f701a8d3 100644 --- a/regression-tests/ds-at-unsecure-zone-cut/expected_result.nsec3 +++ b/regression-tests/ds-at-unsecure-zone-cut/expected_result.nsec3 
@@ -1,8 +1,8 @@ -1 7on3vems0f8k9999ikei0ig4lfijekdr.dnssec-parent.com. IN NSEC3 86400 1 1 1 abcd DVKUO8KJA65GCSQ600E6DI9U719LSJ8U NS DS RRSIG -1 7on3vems0f8k9999ikei0ig4lfijekdr.dnssec-parent.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... +1 be6iqh4fjrtdhacqk7g3iq96qcvf2qoj.dnssec-parent.com. IN NSEC3 86400 1 0 1 abcd DVKUO8KJA65GCSQ600E6DI9U719LSJ8U NS +1 be6iqh4fjrtdhacqk7g3iq96qcvf2qoj.dnssec-parent.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... 1 dnssec-parent.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... 1 dnssec-parent.com. IN SOA 3600 ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400 -1 dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com. IN NSEC3 86400 1 1 1 abcd 1SCAQA30LQ0DO5EIRNE4KPJFBEBFGR54 A NS SOA RRSIG DNSKEY NSEC3PARAM +1 dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com. IN NSEC3 86400 1 0 1 abcd 1SCAQA30LQ0DO5EIRNE4KPJFBEBFGR54 A NS SOA RRSIG DNSKEY NSEC3PARAM 1 dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... 2 . IN OPT 32768 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/ds-at-unsecure-zone-cut/expected_result.nsec3-optout b/regression-tests/ds-at-unsecure-zone-cut/expected_result.nsec3-optout new file mode 100644 index 000000000..c8ccc4cba --- /dev/null +++ b/regression-tests/ds-at-unsecure-zone-cut/expected_result.nsec3-optout 
@@ -0,0 +1,9 @@ +1 7on3vems0f8k9999ikei0ig4lfijekdr.dnssec-parent.com. IN NSEC3 86400 1 1 1 abcd DVKUO8KJA65GCSQ600E6DI9U719LSJ8U NS DS RRSIG +1 7on3vems0f8k9999ikei0ig4lfijekdr.dnssec-parent.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... +1 dnssec-parent.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... +1 dnssec-parent.com. IN SOA 3600 ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400 +1 dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com. IN NSEC3 86400 1 1 1 abcd 1SCAQA30LQ0DO5EIRNE4KPJFBEBFGR54 A NS SOA RRSIG DNSKEY NSEC3PARAM +1 dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... +2 . IN OPT 32768 +Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='delegated.dnssec-parent.com.', qtype=DS diff --git a/regression-tests/ds-inside-delegation/command b/regression-tests/ds-inside-delegation/command index a410d8e60..f67731799 100755 --- a/regression-tests/ds-inside-delegation/command +++ b/regression-tests/ds-inside-delegation/command @@ -1,2 +1,2 @@ #!/bin/sh -cleandig sub.usa.example.com DS dnssec +cleandig sub.usa.example.com DS dnssec showflags diff --git a/regression-tests/ds-inside-delegation/expected_result.nsec3 b/regression-tests/ds-inside-delegation/expected_result.nsec3 index 2e04c2a0b..c676fcb59 100644 --- a/regression-tests/ds-inside-delegation/expected_result.nsec3 +++ b/regression-tests/ds-inside-delegation/expected_result.nsec3 
@@ -1,8 +1,8 @@ -1 t66sektb7egvs7s57m1qged4h6809g8s.example.com. IN NSEC3 86400 1 1 1 abcd T6A44A7N1B90T5RIS4IBQKT51MMDL0LO A RRSIG -1 t66sektb7egvs7s57m1qged4h6809g8s.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... +1 t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com. IN NSEC3 86400 1 0 1 abcd T6A44A7N1B90T5RIS4IBQKT51MMDL0LO NS +1 t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 usa.example.com. IN NS 120 usa-ns1.usa.example.com. 1 usa.example.com. IN NS 120 usa-ns2.usa.example.com. -1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM +1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 0 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM 1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 2 usa-ns1.usa.example.com. IN A 120 192.168.4.1 diff --git a/regression-tests/ds-inside-delegation/expected_result.nsec3-optout b/regression-tests/ds-inside-delegation/expected_result.nsec3-optout new file mode 100644 index 000000000..2e04c2a0b --- /dev/null +++ b/regression-tests/ds-inside-delegation/expected_result.nsec3-optout 
@@ -0,0 +1,11 @@ +1 t66sektb7egvs7s57m1qged4h6809g8s.example.com. IN NSEC3 86400 1 1 1 abcd T6A44A7N1B90T5RIS4IBQKT51MMDL0LO A RRSIG +1 t66sektb7egvs7s57m1qged4h6809g8s.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... +1 usa.example.com. IN NS 120 usa-ns1.usa.example.com. +1 usa.example.com. IN NS 120 usa-ns2.usa.example.com. +1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM +1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... +2 . IN OPT 32768 +2 usa-ns1.usa.example.com. IN A 120 192.168.4.1 +2 usa-ns2.usa.example.com. IN A 120 192.168.4.2 +Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0 +Reply to question for qname='sub.usa.example.com.', qtype=DS diff --git a/regression-tests/ent-any/command b/regression-tests/ent-any/command index 4c54b850e..bed6d9217 100755 --- a/regression-tests/ent-any/command +++ b/regression-tests/ent-any/command @@ -1,2 +1,2 @@ #!/bin/sh -cleandig c.test.com ANY dnssec +cleandig c.test.com ANY dnssec showflags diff --git a/regression-tests/ent-any/expected_result.nsec3 b/regression-tests/ent-any/expected_result.nsec3 index 1cc03b561..15621e1f2 100644 --- a/regression-tests/ent-any/expected_result.nsec3 +++ b/regression-tests/ent-any/expected_result.nsec3 @@ -1,4 +1,4 @@ -1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN NSEC3 86400 1 1 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA +1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN NSEC3 86400 1 0 1 abcd S96H2QICBT8D9I5AA43KP8SJJRESQ4KB 1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... 1 test.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ... 1 test.com. IN SOA 3600 ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400 
diff --git a/regression-tests/ent-any/expected_result.nsec3-optout b/regression-tests/ent-any/expected_result.nsec3-optout
new file mode 100644
index 000000000..1cc03b561
--- /dev/null
+++ b/regression-tests/ent-any/expected_result.nsec3-optout
@@ -0,0 +1,7 @@
+1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN NSEC3 86400 1 1 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA
+1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
+1 test.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ...
+1 test.com. IN SOA 3600 ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400
+2 . IN OPT 32768
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='c.test.com.', qtype=ANY
diff --git a/regression-tests/ent-axfr/expected_result.nsec3 b/regression-tests/ent-axfr/expected_result.nsec3
index bdcaa78ab..9ff0b4208 100644
--- a/regression-tests/ent-axfr/expected_result.nsec3
+++ b/regression-tests/ent-axfr/expected_result.nsec3
@@ -1,23 +1,25 @@ -2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. 86400 IN NSEC3 1 1 1 abcd 2gks2n3jpqf62qohavfq1pholm3hr7ra NS SOA MX RRSIG DNSKEY NSEC3PARAM -2gks2n3jpqf62qohavfq1pholm3hr7ra.test.com. 86400 IN NSEC3 1 1 1 abcd 79ra8k3g5kai1hg9jlhbr6p0tp933m7v TXT RRSIG -79ra8k3g5kai1hg9jlhbr6p0tp933m7v.test.com. 86400 IN NSEC3 1 1 1 abcd 79u3das6ucctns1br3tvd8qkanni351l A RRSIG -79u3das6ucctns1br3tvd8qkanni351l.test.com. 86400 IN NSEC3 1 1 1 abcd 7mmura8h40be5n4koan7rnmkursamh99 -7mmura8h40be5n4koan7rnmkursamh99.test.com. 86400 IN NSEC3 1 1 1 abcd 88f1bqrb2iscvfel2sqqcksvflnekap6 -88f1bqrb2iscvfel2sqqcksvflnekap6.test.com. 86400 IN NSEC3 1 1 1 abcd a5labagjjevr86gh0hf3jg7nufhga5ar CNAME RRSIG -a5labagjjevr86gh0hf3jg7nufhga5ar.test.com. 86400 IN NSEC3 1 1 1 abcd aovp95mr44hqefrqus6nomsd944bm3vb A RRSIG -aovp95mr44hqefrqus6nomsd944bm3vb.test.com. 86400 IN NSEC3 1 1 1 abcd b022o9dksaj737fh77e7kqqtj3om56ki A RRSIG -b022o9dksaj737fh77e7kqqtj3om56ki.test.com. 86400 IN NSEC3 1 1 1 abcd dafc69cv5n2tfcf6ovbvtv94drgmqjo5 -dafc69cv5n2tfcf6ovbvtv94drgmqjo5.test.com. 86400 IN NSEC3 1 1 1 abcd eban51bjgugorb20unp5peec7s5d2eka TXT RRSIG -eban51bjgugorb20unp5peec7s5d2eka.test.com. 86400 IN NSEC3 1 1 1 abcd h5855rvon2aasm8qv1nk49i1b2mkbejp SRV RRSIG -h5855rvon2aasm8qv1nk49i1b2mkbejp.test.com. 86400 IN NSEC3 1 1 1 abcd iai9hin25meh689r5v5gtifk8om5di0e A RRSIG -iai9hin25meh689r5v5gtifk8om5di0e.test.com. 86400 IN NSEC3 1 1 1 abcd igf4m7otecach14p0a6ingi7dbuas5b2 A RRSIG -igf4m7otecach14p0a6ingi7dbuas5b2.test.com. 86400 IN NSEC3 1 1 1 abcd o1l0fb73hi3qp4a3fnqjsleanlc883i3 A RP RRSIG -o1l0fb73hi3qp4a3fnqjsleanlc883i3.test.com. 86400 IN NSEC3 1 1 1 abcd plud9qqecuril62gcfp8br44i7eoq7c9 TXT RRSIG -plud9qqecuril62gcfp8br44i7eoq7c9.test.com. 86400 IN NSEC3 1 1 1 abcd qd81ag9inqts1ocs7api0pji94k27btr SRV RRSIG -qd81ag9inqts1ocs7api0pji94k27btr.test.com. 86400 IN NSEC3 1 1 1 abcd s6g5shc1jvovl5fl9e943adlonqln7g4 CNAME RRSIG -s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. 
86400 IN NSEC3 1 1 1 abcd sa5vvpqn1coejgj3hbkfekdnii8kksqa -sa5vvpqn1coejgj3hbkfekdnii8kksqa.test.com. 86400 IN NSEC3 1 1 1 abcd sra2sm4pl136bultass7qqnlblipe8am NAPTR RRSIG -sra2sm4pl136bultass7qqnlblipe8am.test.com. 86400 IN NSEC3 1 1 1 abcd u02utt5q2bhjcq986f05mbap0pgamt5o CNAME RRSIG +2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. 86400 IN NSEC3 1 0 1 abcd 2gks2n3jpqf62qohavfq1pholm3hr7ra NS SOA MX RRSIG DNSKEY NSEC3PARAM +2gks2n3jpqf62qohavfq1pholm3hr7ra.test.com. 86400 IN NSEC3 1 0 1 abcd 79ra8k3g5kai1hg9jlhbr6p0tp933m7v TXT RRSIG +79ra8k3g5kai1hg9jlhbr6p0tp933m7v.test.com. 86400 IN NSEC3 1 0 1 abcd 79u3das6ucctns1br3tvd8qkanni351l A RRSIG +79u3das6ucctns1br3tvd8qkanni351l.test.com. 86400 IN NSEC3 1 0 1 abcd 7mmura8h40be5n4koan7rnmkursamh99 +7mmura8h40be5n4koan7rnmkursamh99.test.com. 86400 IN NSEC3 1 0 1 abcd 88f1bqrb2iscvfel2sqqcksvflnekap6 +88f1bqrb2iscvfel2sqqcksvflnekap6.test.com. 86400 IN NSEC3 1 0 1 abcd a5labagjjevr86gh0hf3jg7nufhga5ar CNAME RRSIG +a5labagjjevr86gh0hf3jg7nufhga5ar.test.com. 86400 IN NSEC3 1 0 1 abcd aovp95mr44hqefrqus6nomsd944bm3vb A RRSIG +aovp95mr44hqefrqus6nomsd944bm3vb.test.com. 86400 IN NSEC3 1 0 1 abcd b022o9dksaj737fh77e7kqqtj3om56ki A RRSIG +b022o9dksaj737fh77e7kqqtj3om56ki.test.com. 86400 IN NSEC3 1 0 1 abcd dafc69cv5n2tfcf6ovbvtv94drgmqjo5 +dafc69cv5n2tfcf6ovbvtv94drgmqjo5.test.com. 86400 IN NSEC3 1 0 1 abcd de592k86u3hevdj57jpbt7j5kv7doo78 TXT RRSIG +de592k86u3hevdj57jpbt7j5kv7doo78.test.com. 86400 IN NSEC3 1 0 1 abcd eban51bjgugorb20unp5peec7s5d2eka NS +eban51bjgugorb20unp5peec7s5d2eka.test.com. 86400 IN NSEC3 1 0 1 abcd h5855rvon2aasm8qv1nk49i1b2mkbejp SRV RRSIG +h5855rvon2aasm8qv1nk49i1b2mkbejp.test.com. 86400 IN NSEC3 1 0 1 abcd iai9hin25meh689r5v5gtifk8om5di0e A RRSIG +iai9hin25meh689r5v5gtifk8om5di0e.test.com. 86400 IN NSEC3 1 0 1 abcd igf4m7otecach14p0a6ingi7dbuas5b2 A RRSIG +igf4m7otecach14p0a6ingi7dbuas5b2.test.com. 
86400 IN NSEC3 1 0 1 abcd o1l0fb73hi3qp4a3fnqjsleanlc883i3 A RP RRSIG +o1l0fb73hi3qp4a3fnqjsleanlc883i3.test.com. 86400 IN NSEC3 1 0 1 abcd plud9qqecuril62gcfp8br44i7eoq7c9 TXT RRSIG +plud9qqecuril62gcfp8br44i7eoq7c9.test.com. 86400 IN NSEC3 1 0 1 abcd qd81ag9inqts1ocs7api0pji94k27btr SRV RRSIG +qd81ag9inqts1ocs7api0pji94k27btr.test.com. 86400 IN NSEC3 1 0 1 abcd s6g5shc1jvovl5fl9e943adlonqln7g4 CNAME RRSIG +s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. 86400 IN NSEC3 1 0 1 abcd s96h2qicbt8d9i5aa43kp8sjjresq4kb +s96h2qicbt8d9i5aa43kp8sjjresq4kb.test.com. 86400 IN NSEC3 1 0 1 abcd sa5vvpqn1coejgj3hbkfekdnii8kksqa NS +sa5vvpqn1coejgj3hbkfekdnii8kksqa.test.com. 86400 IN NSEC3 1 0 1 abcd sra2sm4pl136bultass7qqnlblipe8am NAPTR RRSIG +sra2sm4pl136bultass7qqnlblipe8am.test.com. 86400 IN NSEC3 1 0 1 abcd u02utt5q2bhjcq986f05mbap0pgamt5o CNAME RRSIG test.com. 86400 IN NSEC3PARAM 1 0 1 abcd -u02utt5q2bhjcq986f05mbap0pgamt5o.test.com. 86400 IN NSEC3 1 1 1 abcd vlvujatanof6feajoesti9kq4s0crst3 A RRSIG -vlvujatanof6feajoesti9kq4s0crst3.test.com. 86400 IN NSEC3 1 1 1 abcd 2eu2gulbu53h9uvhfalshpbo2a83t6l2 +u02utt5q2bhjcq986f05mbap0pgamt5o.test.com. 86400 IN NSEC3 1 0 1 abcd vlvujatanof6feajoesti9kq4s0crst3 A RRSIG +vlvujatanof6feajoesti9kq4s0crst3.test.com. 86400 IN NSEC3 1 0 1 abcd 2eu2gulbu53h9uvhfalshpbo2a83t6l2 diff --git a/regression-tests/ent-axfr/expected_result.nsec3-optout b/regression-tests/ent-axfr/expected_result.nsec3-optout new file mode 100644 index 000000000..bdcaa78ab --- /dev/null +++ b/regression-tests/ent-axfr/expected_result.nsec3-optout 
@@ -0,0 +1,23 @@ +2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. 86400 IN NSEC3 1 1 1 abcd 2gks2n3jpqf62qohavfq1pholm3hr7ra NS SOA MX RRSIG DNSKEY NSEC3PARAM +2gks2n3jpqf62qohavfq1pholm3hr7ra.test.com. 86400 IN NSEC3 1 1 1 abcd 79ra8k3g5kai1hg9jlhbr6p0tp933m7v TXT RRSIG +79ra8k3g5kai1hg9jlhbr6p0tp933m7v.test.com. 86400 IN NSEC3 1 1 1 abcd 79u3das6ucctns1br3tvd8qkanni351l A RRSIG +79u3das6ucctns1br3tvd8qkanni351l.test.com. 86400 IN NSEC3 1 1 1 abcd 7mmura8h40be5n4koan7rnmkursamh99 +7mmura8h40be5n4koan7rnmkursamh99.test.com. 86400 IN NSEC3 1 1 1 abcd 88f1bqrb2iscvfel2sqqcksvflnekap6 +88f1bqrb2iscvfel2sqqcksvflnekap6.test.com. 86400 IN NSEC3 1 1 1 abcd a5labagjjevr86gh0hf3jg7nufhga5ar CNAME RRSIG +a5labagjjevr86gh0hf3jg7nufhga5ar.test.com. 86400 IN NSEC3 1 1 1 abcd aovp95mr44hqefrqus6nomsd944bm3vb A RRSIG +aovp95mr44hqefrqus6nomsd944bm3vb.test.com. 86400 IN NSEC3 1 1 1 abcd b022o9dksaj737fh77e7kqqtj3om56ki A RRSIG +b022o9dksaj737fh77e7kqqtj3om56ki.test.com. 86400 IN NSEC3 1 1 1 abcd dafc69cv5n2tfcf6ovbvtv94drgmqjo5 +dafc69cv5n2tfcf6ovbvtv94drgmqjo5.test.com. 86400 IN NSEC3 1 1 1 abcd eban51bjgugorb20unp5peec7s5d2eka TXT RRSIG +eban51bjgugorb20unp5peec7s5d2eka.test.com. 86400 IN NSEC3 1 1 1 abcd h5855rvon2aasm8qv1nk49i1b2mkbejp SRV RRSIG +h5855rvon2aasm8qv1nk49i1b2mkbejp.test.com. 86400 IN NSEC3 1 1 1 abcd iai9hin25meh689r5v5gtifk8om5di0e A RRSIG +iai9hin25meh689r5v5gtifk8om5di0e.test.com. 86400 IN NSEC3 1 1 1 abcd igf4m7otecach14p0a6ingi7dbuas5b2 A RRSIG +igf4m7otecach14p0a6ingi7dbuas5b2.test.com. 86400 IN NSEC3 1 1 1 abcd o1l0fb73hi3qp4a3fnqjsleanlc883i3 A RP RRSIG +o1l0fb73hi3qp4a3fnqjsleanlc883i3.test.com. 86400 IN NSEC3 1 1 1 abcd plud9qqecuril62gcfp8br44i7eoq7c9 TXT RRSIG +plud9qqecuril62gcfp8br44i7eoq7c9.test.com. 86400 IN NSEC3 1 1 1 abcd qd81ag9inqts1ocs7api0pji94k27btr SRV RRSIG +qd81ag9inqts1ocs7api0pji94k27btr.test.com. 86400 IN NSEC3 1 1 1 abcd s6g5shc1jvovl5fl9e943adlonqln7g4 CNAME RRSIG +s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. 
86400 IN NSEC3 1 1 1 abcd sa5vvpqn1coejgj3hbkfekdnii8kksqa +sa5vvpqn1coejgj3hbkfekdnii8kksqa.test.com. 86400 IN NSEC3 1 1 1 abcd sra2sm4pl136bultass7qqnlblipe8am NAPTR RRSIG +sra2sm4pl136bultass7qqnlblipe8am.test.com. 86400 IN NSEC3 1 1 1 abcd u02utt5q2bhjcq986f05mbap0pgamt5o CNAME RRSIG +test.com. 86400 IN NSEC3PARAM 1 0 1 abcd +u02utt5q2bhjcq986f05mbap0pgamt5o.test.com. 86400 IN NSEC3 1 1 1 abcd vlvujatanof6feajoesti9kq4s0crst3 A RRSIG +vlvujatanof6feajoesti9kq4s0crst3.test.com. 86400 IN NSEC3 1 1 1 abcd 2eu2gulbu53h9uvhfalshpbo2a83t6l2 diff --git a/regression-tests/ent-rr-enclosed-in-ent/expected_result.narrow b/regression-tests/ent-rr-enclosed-in-ent/expected_result.narrow index 1408e9b46..4e59952c1 100644 --- a/regression-tests/ent-rr-enclosed-in-ent/expected_result.narrow +++ b/regression-tests/ent-rr-enclosed-in-ent/expected_result.narrow @@ -1,4 +1,4 @@ -1 a5labagjjevr86gh0hf3jg7nufhga5ar.test.com. IN NSEC3 86400 1 1 1 abcd A5LABAGJJEVR86GH0HF3JG7NUFHGA5AS A RRSIG +1 a5labagjjevr86gh0hf3jg7nufhga5ar.test.com. IN NSEC3 86400 1 [flags] 1 abcd A5LABAGJJEVR86GH0HF3JG7NUFHGA5AS A RRSIG 1 a5labagjjevr86gh0hf3jg7nufhga5ar.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... 1 test.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ... 1 test.com. IN SOA 3600 ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400 diff --git a/regression-tests/ent-rr-enclosed-in-ent/expected_result.nsec3 b/regression-tests/ent-rr-enclosed-in-ent/expected_result.nsec3 index 9c10fb90c..3a6cf6f40 100644 --- a/regression-tests/ent-rr-enclosed-in-ent/expected_result.nsec3 +++ b/regression-tests/ent-rr-enclosed-in-ent/expected_result.nsec3 
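Review bot: The flags field in the new narrow-mode expectation is masked (`IN NSEC3 86400 1 [flags] 1 abcd ...`), so this case no longer asserts whether the Opt-Out bit is set; the same masking appears in the `expected_result.narrow` and `expected_result.nsec3` hunks for ent-wildcard-below-ent, five-levels-wildcard-one-below-apex, five-levels-wildcard, minimal-noerror, minimal-nxdomain, nsec-bitmap, nsec-glue and nsec-middle. Presumably `[flags]` is what `cleandig` prints when `showflags` is not passed, which lets one expected file serve both the opt-out and the non-opt-out runs. Since the Opt-Out bit decides whether an NSEC3 span may cover unsigned delegations, a regression that sets it on a non-opt-out zone would still pass all of these cases. Consider passing `showflags` in the `command` of at least one narrow-mode test, as this commit does for `ent` (`cleandig c.test.com A dnssec showflags`), and giving that test explicit per-mode expected results.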
@@ -1,4 +1,4 @@ -1 a5labagjjevr86gh0hf3jg7nufhga5ar.test.com. IN NSEC3 86400 1 1 1 abcd AOVP95MR44HQEFRQUS6NOMSD944BM3VB A RRSIG +1 a5labagjjevr86gh0hf3jg7nufhga5ar.test.com. IN NSEC3 86400 1 [flags] 1 abcd AOVP95MR44HQEFRQUS6NOMSD944BM3VB A RRSIG 1 a5labagjjevr86gh0hf3jg7nufhga5ar.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... 1 test.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ... 1 test.com. IN SOA 3600 ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400 diff --git a/regression-tests/ent-soa/command b/regression-tests/ent-soa/command index 554149de3..efed782f4 100755 --- a/regression-tests/ent-soa/command +++ b/regression-tests/ent-soa/command @@ -1,2 +1,2 @@ #!/bin/sh -cleandig c.test.com SOA dnssec +cleandig c.test.com SOA dnssec showflags diff --git a/regression-tests/ent-soa/expected_result.nsec3 b/regression-tests/ent-soa/expected_result.nsec3 index a9eac7b75..2483433de 100644 --- a/regression-tests/ent-soa/expected_result.nsec3 +++ b/regression-tests/ent-soa/expected_result.nsec3 @@ -1,4 +1,4 @@ -1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN NSEC3 86400 1 1 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA +1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN NSEC3 86400 1 0 1 abcd S96H2QICBT8D9I5AA43KP8SJJRESQ4KB 1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... 1 test.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ... 1 test.com. IN SOA 3600 ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400 diff --git a/regression-tests/ent-soa/expected_result.nsec3-optout b/regression-tests/ent-soa/expected_result.nsec3-optout new file mode 100644 index 000000000..a9eac7b75 --- /dev/null +++ b/regression-tests/ent-soa/expected_result.nsec3-optout 
@@ -0,0 +1,7 @@ +1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN NSEC3 86400 1 1 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA +1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN SOA 3600 ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400 +2 . IN OPT 32768 +Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='c.test.com.', qtype=SOA diff --git a/regression-tests/ent-wildcard-below-ent/expected_result.narrow b/regression-tests/ent-wildcard-below-ent/expected_result.narrow index 431d99fe4..d5143be03 100644 --- a/regression-tests/ent-wildcard-below-ent/expected_result.narrow +++ b/regression-tests/ent-wildcard-below-ent/expected_result.narrow @@ -1,6 +1,6 @@ 0 something.a.b.c.test.com. IN A 3600 8.7.6.5 0 something.a.b.c.test.com. IN RRSIG 3600 A 8 5 3600 [expiry] [inception] [keytag] test.com. ... -1 qjeirdhb04ir4vbs5pbbhbue69dlq9nr.test.com. IN NSEC3 86400 1 1 1 abcd QJEIRDHB04IR4VBS5PBBHBUE69DLQ9NT +1 qjeirdhb04ir4vbs5pbbhbue69dlq9nr.test.com. IN NSEC3 86400 1 [flags] 1 abcd QJEIRDHB04IR4VBS5PBBHBUE69DLQ9NT 1 qjeirdhb04ir4vbs5pbbhbue69dlq9nr.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... 2 . IN OPT 32768 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/ent-wildcard-below-ent/expected_result.nsec3 b/regression-tests/ent-wildcard-below-ent/expected_result.nsec3 index 45bd63917..84c6ef54e 100644 --- a/regression-tests/ent-wildcard-below-ent/expected_result.nsec3 +++ b/regression-tests/ent-wildcard-below-ent/expected_result.nsec3 
@@ -1,6 +1,6 @@ 0 something.a.b.c.test.com. IN A 3600 8.7.6.5 0 something.a.b.c.test.com. IN RRSIG 3600 A 8 5 3600 [expiry] [inception] [keytag] test.com. ... -1 qd81ag9inqts1ocs7api0pji94k27btr.test.com. IN NSEC3 86400 1 1 1 abcd S6G5SHC1JVOVL5FL9E943ADLONQLN7G4 CNAME RRSIG +1 qd81ag9inqts1ocs7api0pji94k27btr.test.com. IN NSEC3 86400 1 [flags] 1 abcd S6G5SHC1JVOVL5FL9E943ADLONQLN7G4 CNAME RRSIG 1 qd81ag9inqts1ocs7api0pji94k27btr.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... 2 . IN OPT 32768 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/ent/command b/regression-tests/ent/command index 2c9876bdf..09730d280 100755 --- a/regression-tests/ent/command +++ b/regression-tests/ent/command @@ -1,2 +1,2 @@ #!/bin/sh -cleandig c.test.com A dnssec +cleandig c.test.com A dnssec showflags diff --git a/regression-tests/ent/expected_result.nsec3 b/regression-tests/ent/expected_result.nsec3 index a4e0734ce..379fe8571 100644 --- a/regression-tests/ent/expected_result.nsec3 +++ b/regression-tests/ent/expected_result.nsec3 @@ -1,4 +1,4 @@ -1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN NSEC3 86400 1 1 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA +1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN NSEC3 86400 1 0 1 abcd S96H2QICBT8D9I5AA43KP8SJJRESQ4KB 1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... 1 test.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ... 1 test.com. IN SOA 3600 ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400 diff --git a/regression-tests/ent/expected_result.nsec3-optout b/regression-tests/ent/expected_result.nsec3-optout new file mode 100644 index 000000000..a4e0734ce --- /dev/null +++ b/regression-tests/ent/expected_result.nsec3-optout 
@@ -0,0 +1,7 @@ +1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN NSEC3 86400 1 1 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA +1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ... +1 test.com. IN SOA 3600 ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400 +2 . IN OPT 32768 +Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='c.test.com.', qtype=A diff --git a/regression-tests/five-levels-wildcard-one-below-apex/expected_result.narrow b/regression-tests/five-levels-wildcard-one-below-apex/expected_result.narrow index c2928f31a..7283555c9 100644 --- a/regression-tests/five-levels-wildcard-one-below-apex/expected_result.narrow +++ b/regression-tests/five-levels-wildcard-one-below-apex/expected_result.narrow @@ -1,6 +1,6 @@ 0 www.a.b.c.d.e.something.wtest.com. IN A 3600 4.3.2.1 0 www.a.b.c.d.e.something.wtest.com. IN RRSIG 3600 A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ... -1 pqgjjrj5si55uc1208gt1hp1k217fhqu.wtest.com. IN NSEC3 86400 1 1 1 abcd PQGJJRJ5SI55UC1208GT1HP1K217FHR0 +1 pqgjjrj5si55uc1208gt1hp1k217fhqu.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd PQGJJRJ5SI55UC1208GT1HP1K217FHR0 1 pqgjjrj5si55uc1208gt1hp1k217fhqu.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ... 2 . IN OPT 32768 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/five-levels-wildcard-one-below-apex/expected_result.nsec3 b/regression-tests/five-levels-wildcard-one-below-apex/expected_result.nsec3 index 8407a981b..3a4e9a1dc 100644 --- a/regression-tests/five-levels-wildcard-one-below-apex/expected_result.nsec3 +++ b/regression-tests/five-levels-wildcard-one-below-apex/expected_result.nsec3 
@@ -1,6 +1,6 @@ 0 www.a.b.c.d.e.something.wtest.com. IN A 3600 4.3.2.1 0 www.a.b.c.d.e.something.wtest.com. IN RRSIG 3600 A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ... -1 pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com. IN NSEC3 86400 1 1 1 abcd SHEGK154N8362AG22AR9VDDRF3127M6I A RRSIG +1 pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd SHEGK154N8362AG22AR9VDDRF3127M6I A RRSIG 1 pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ... 2 . IN OPT 32768 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/five-levels-wildcard/expected_result.narrow b/regression-tests/five-levels-wildcard/expected_result.narrow index 2c086cb3e..2736694ec 100644 --- a/regression-tests/five-levels-wildcard/expected_result.narrow +++ b/regression-tests/five-levels-wildcard/expected_result.narrow @@ -1,6 +1,6 @@ 0 www.a.b.c.d.e.wtest.com. IN A 3600 6.7.8.9 0 www.a.b.c.d.e.wtest.com. IN RRSIG 3600 A 8 7 3600 [expiry] [inception] [keytag] wtest.com. ... -1 pet5iqbgccga60p2n38nmuanrk50papg.wtest.com. IN NSEC3 86400 1 1 1 abcd PET5IQBGCCGA60P2N38NMUANRK50PAPI +1 pet5iqbgccga60p2n38nmuanrk50papg.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd PET5IQBGCCGA60P2N38NMUANRK50PAPI 1 pet5iqbgccga60p2n38nmuanrk50papg.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ... 2 . IN OPT 32768 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/five-levels-wildcard/expected_result.nsec3 b/regression-tests/five-levels-wildcard/expected_result.nsec3 index 56bc239fa..28c063dcb 100644 --- a/regression-tests/five-levels-wildcard/expected_result.nsec3 +++ b/regression-tests/five-levels-wildcard/expected_result.nsec3 
@@ -1,6 +1,6 @@ 0 www.a.b.c.d.e.wtest.com. IN A 3600 6.7.8.9 0 www.a.b.c.d.e.wtest.com. IN RRSIG 3600 A 8 7 3600 [expiry] [inception] [keytag] wtest.com. ... -1 pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com. IN NSEC3 86400 1 1 1 abcd SHEGK154N8362AG22AR9VDDRF3127M6I A RRSIG +1 pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd SHEGK154N8362AG22AR9VDDRF3127M6I A RRSIG 1 pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ... 2 . IN OPT 32768 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/minimal-noerror/expected_result.narrow b/regression-tests/minimal-noerror/expected_result.narrow index c7c4ef9ec..f8e8714b3 100644 --- a/regression-tests/minimal-noerror/expected_result.narrow +++ b/regression-tests/minimal-noerror/expected_result.narrow @@ -1 +1 @@ -1 09lo11rs63u9b3d538a86ijvqcqt9312.minimal.com. IN NSEC3 86400 1 1 1 abcd 09LO11RS63U9B3D538A86IJVQCQT9313 NS SOA RRSIG DNSKEY NSEC3PARAM +1 09lo11rs63u9b3d538a86ijvqcqt9312.minimal.com. IN NSEC3 86400 1 [flags] 1 abcd 09LO11RS63U9B3D538A86IJVQCQT9313 NS SOA RRSIG DNSKEY NSEC3PARAM diff --git a/regression-tests/minimal-noerror/expected_result.nsec3 b/regression-tests/minimal-noerror/expected_result.nsec3 index d885980b1..c930bce76 100644 --- a/regression-tests/minimal-noerror/expected_result.nsec3 +++ b/regression-tests/minimal-noerror/expected_result.nsec3 @@ -1 +1 @@ -1 09lo11rs63u9b3d538a86ijvqcqt9312.minimal.com. IN NSEC3 86400 1 1 1 abcd 09LO11RS63U9B3D538A86IJVQCQT9312 NS SOA RRSIG DNSKEY NSEC3PARAM +1 09lo11rs63u9b3d538a86ijvqcqt9312.minimal.com. IN NSEC3 86400 1 [flags] 1 abcd 09LO11RS63U9B3D538A86IJVQCQT9312 NS SOA RRSIG DNSKEY NSEC3PARAM diff --git a/regression-tests/minimal-nxdomain/expected_result.narrow b/regression-tests/minimal-nxdomain/expected_result.narrow index ed29f92c1..c3dd67d07 100644 --- a/regression-tests/minimal-nxdomain/expected_result.narrow 
+++ b/regression-tests/minimal-nxdomain/expected_result.narrow @@ -1,3 +1,3 @@ -1 09lo11rs63u9b3d538a86ijvqcqt9312.minimal.com. IN NSEC3 86400 1 1 1 abcd 09LO11RS63U9B3D538A86IJVQCQT9313 NS SOA RRSIG DNSKEY NSEC3PARAM -1 8hki26qt36v6qs8cll4e4nvjit38uhap.minimal.com. IN NSEC3 86400 1 1 1 abcd 8HKI26QT36V6QS8CLL4E4NVJIT38UHAR -1 9oadfe8c55evko75kb06spdl23p4fmrh.minimal.com. IN NSEC3 86400 1 1 1 abcd 9OADFE8C55EVKO75KB06SPDL23P4FMRJ +1 09lo11rs63u9b3d538a86ijvqcqt9312.minimal.com. IN NSEC3 86400 1 [flags] 1 abcd 09LO11RS63U9B3D538A86IJVQCQT9313 NS SOA RRSIG DNSKEY NSEC3PARAM +1 8hki26qt36v6qs8cll4e4nvjit38uhap.minimal.com. IN NSEC3 86400 1 [flags] 1 abcd 8HKI26QT36V6QS8CLL4E4NVJIT38UHAR +1 9oadfe8c55evko75kb06spdl23p4fmrh.minimal.com. IN NSEC3 86400 1 [flags] 1 abcd 9OADFE8C55EVKO75KB06SPDL23P4FMRJ diff --git a/regression-tests/minimal-nxdomain/expected_result.nsec3 b/regression-tests/minimal-nxdomain/expected_result.nsec3 index d885980b1..c930bce76 100644 --- a/regression-tests/minimal-nxdomain/expected_result.nsec3 +++ b/regression-tests/minimal-nxdomain/expected_result.nsec3 @@ -1 +1 @@ -1 09lo11rs63u9b3d538a86ijvqcqt9312.minimal.com. IN NSEC3 86400 1 1 1 abcd 09LO11RS63U9B3D538A86IJVQCQT9312 NS SOA RRSIG DNSKEY NSEC3PARAM +1 09lo11rs63u9b3d538a86ijvqcqt9312.minimal.com. IN NSEC3 86400 1 [flags] 1 abcd 09LO11RS63U9B3D538A86IJVQCQT9312 NS SOA RRSIG DNSKEY NSEC3PARAM diff --git a/regression-tests/named.conf b/regression-tests/named.conf index b98d6c2e7..4da137757 100644 --- a/regression-tests/named.conf +++ b/regression-tests/named.conf @@ -33,6 +33,11 @@ zone "delegated.dnssec-parent.com"{ file "./delegated.dnssec-parent.com"; }; +zone "secure-delegated.dnssec-parent.com"{ + type master; + file "./secure-delegated.dnssec-parent.com"; +}; + zone "minimal.com"{ type master; file "./minimal.com"; diff --git a/regression-tests/nsec-bitmap/expected_result.narrow b/regression-tests/nsec-bitmap/expected_result.narrow index d0460525a..bf3f4cbf2 100644 
--- a/regression-tests/nsec-bitmap/expected_result.narrow +++ b/regression-tests/nsec-bitmap/expected_result.narrow @@ -1,4 +1,4 @@ -1 3v4it454kfh142bi7afagnuvigrpfptt.example.com. IN NSEC3 86400 1 1 1 abcd 3V4IT454KFH142BI7AFAGNUVIGRPFPTU A RRSIG TYPE65534 +1 3v4it454kfh142bi7afagnuvigrpfptt.example.com. IN NSEC3 86400 1 [flags] 1 abcd 3V4IT454KFH142BI7AFAGNUVIGRPFPTU A RRSIG TYPE65534 1 3v4it454kfh142bi7afagnuvigrpfptt.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 diff --git a/regression-tests/nsec-bitmap/expected_result.nsec3 b/regression-tests/nsec-bitmap/expected_result.nsec3 index 5bc4f6c20..ae6d738ff 100644 --- a/regression-tests/nsec-bitmap/expected_result.nsec3 +++ b/regression-tests/nsec-bitmap/expected_result.nsec3 @@ -1,4 +1,4 @@ -1 3v4it454kfh142bi7afagnuvigrpfptt.example.com. IN NSEC3 86400 1 1 1 abcd 3V4S43RV1GT28N0F2PPJ8I8482ESMUOB A RRSIG TYPE65534 +1 3v4it454kfh142bi7afagnuvigrpfptt.example.com. IN NSEC3 86400 1 [flags] 1 abcd 3V4S43RV1GT28N0F2PPJ8I8482ESMUOB A RRSIG TYPE65534 1 3v4it454kfh142bi7afagnuvigrpfptt.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 diff --git a/regression-tests/nsec-glue-at-delegation/command b/regression-tests/nsec-glue-at-delegation/command index b705a0b59..72bbdb561 100755 --- a/regression-tests/nsec-glue-at-delegation/command +++ b/regression-tests/nsec-glue-at-delegation/command @@ -1,2 +1,2 @@ #!/bin/sh -cleandig blah.test.com MX dnssec +cleandig blah.test.com MX dnssec showflags 
diff --git a/regression-tests/nsec-glue-at-delegation/expected_result.nsec3 b/regression-tests/nsec-glue-at-delegation/expected_result.nsec3 index c98c70137..b018eb0f6 100644 --- a/regression-tests/nsec-glue-at-delegation/expected_result.nsec3 +++ b/regression-tests/nsec-glue-at-delegation/expected_result.nsec3 @@ -1,8 +1,8 @@ -1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN NSEC3 86400 1 1 1 abcd 2GKS2N3JPQF62QOHAVFQ1PHOLM3HR7RA NS SOA MX RRSIG DNSKEY NSEC3PARAM +1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN NSEC3 86400 1 0 1 abcd 2GKS2N3JPQF62QOHAVFQ1PHOLM3HR7RA NS SOA MX RRSIG DNSKEY NSEC3PARAM 1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... 1 blah.test.com. IN NS 3600 blah.test.com. -1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN NSEC3 86400 1 1 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA -1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... +1 s96h2qicbt8d9i5aa43kp8sjjresq4kb.test.com. IN NSEC3 86400 1 0 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA NS +1 s96h2qicbt8d9i5aa43kp8sjjresq4kb.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... 2 . IN OPT 32768 2 blah.test.com. IN A 3600 192.168.6.1 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0 diff --git a/regression-tests/nsec-glue-at-delegation/expected_result.nsec3-optout b/regression-tests/nsec-glue-at-delegation/expected_result.nsec3-optout new file mode 100644 index 000000000..c98c70137 --- /dev/null +++ b/regression-tests/nsec-glue-at-delegation/expected_result.nsec3-optout 
@@ -0,0 +1,9 @@
+1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN NSEC3 86400 1 1 1 abcd 2GKS2N3JPQF62QOHAVFQ1PHOLM3HR7RA NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
+1 blah.test.com. IN NS 3600 blah.test.com.
+1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN NSEC3 86400 1 1 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA
+1 s6g5shc1jvovl5fl9e943adlonqln7g4.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
+2 . IN OPT 32768
+2 blah.test.com. IN A 3600 192.168.6.1
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
+Reply to question for qname='blah.test.com.', qtype=MX
diff --git a/regression-tests/nsec-glue/expected_result.narrow b/regression-tests/nsec-glue/expected_result.narrow
index a2bf76ad4..e462405a4 100644
--- a/regression-tests/nsec-glue/expected_result.narrow
+++ b/regression-tests/nsec-glue/expected_result.narrow
@@ -1,10 +1,10 @@ -1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN NSEC3 86400 1 1 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2 +1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN NSEC3 86400 1 [flags] 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2 1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 -1 kt3ll2fgp7p2s71mk7frk5igi8pc8gl1.example.com. IN NSEC3 86400 1 1 1 abcd KT3LL2FGP7P2S71MK7FRK5IGI8PC8GL3 +1 kt3ll2fgp7p2s71mk7frk5igi8pc8gl1.example.com. IN NSEC3 86400 1 [flags] 1 abcd KT3LL2FGP7P2S71MK7FRK5IGI8PC8GL3 1 kt3ll2fgp7p2s71mk7frk5igi8pc8gl1.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM +1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 [flags] 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM 1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/nsec-glue/expected_result.nsec3 b/regression-tests/nsec-glue/expected_result.nsec3 index 3fd9649f9..5931ae0eb 100644 --- a/regression-tests/nsec-glue/expected_result.nsec3 +++ b/regression-tests/nsec-glue/expected_result.nsec3 
@@ -1,10 +1,10 @@ -1 9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com. IN NSEC3 86400 1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG +1 9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com. IN NSEC3 86400 1 [flags] 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG 1 9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 -1 kt0pu1qu9of4ek09a6amheu1l4c4dq6b.example.com. IN NSEC3 86400 1 1 1 abcd KT832M4L92B5MCUCJI8QJF16MM2DU3MK A RRSIG +1 kt0pu1qu9of4ek09a6amheu1l4c4dq6b.example.com. IN NSEC3 86400 1 [flags] 1 abcd KT832M4L92B5MCUCJI8QJF16MM2DU3MK A RRSIG 1 kt0pu1qu9of4ek09a6amheu1l4c4dq6b.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM +1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 [flags] 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM 1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/nsec-middle/expected_result.narrow b/regression-tests/nsec-middle/expected_result.narrow index bd6a24a87..1d1c05079 100644 --- a/regression-tests/nsec-middle/expected_result.narrow +++ b/regression-tests/nsec-middle/expected_result.narrow 
@@ -1,10 +1,10 @@ -1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN NSEC3 86400 1 1 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2 +1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN NSEC3 86400 1 [flags] 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2 1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 -1 sthvu2kihc96kc1tu8v3curr8og5dghn.example.com. IN NSEC3 86400 1 1 1 abcd STHVU2KIHC96KC1TU8V3CURR8OG5DGHP +1 sthvu2kihc96kc1tu8v3curr8og5dghn.example.com. IN NSEC3 86400 1 [flags] 1 abcd STHVU2KIHC96KC1TU8V3CURR8OG5DGHP 1 sthvu2kihc96kc1tu8v3curr8og5dghn.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM +1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 [flags] 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM 1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/nsec-middle/expected_result.nsec3 b/regression-tests/nsec-middle/expected_result.nsec3 index 6cac84aaa..2d5e94760 100644 --- a/regression-tests/nsec-middle/expected_result.nsec3 +++ b/regression-tests/nsec-middle/expected_result.nsec3 
@@ -1,10 +1,10 @@ -1 9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com. IN NSEC3 86400 1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG +1 9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com. IN NSEC3 86400 1 [flags] 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG 1 9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 -1 sthkgrndv06hbdrfe7a329lup4mctmqr.example.com. IN NSEC3 86400 1 1 1 abcd STKPKJBN0URUBBIM832MF33V5OGJR396 A RRSIG +1 sthkgrndv06hbdrfe7a329lup4mctmqr.example.com. IN NSEC3 86400 1 [flags] 1 abcd STKPKJBN0URUBBIM832MF33V5OGJR396 A RRSIG 1 sthkgrndv06hbdrfe7a329lup4mctmqr.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM +1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 [flags] 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM 1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/nsec-wildcard/expected_result.narrow b/regression-tests/nsec-wildcard/expected_result.narrow index a9b175ee4..2809aba98 100644 --- a/regression-tests/nsec-wildcard/expected_result.narrow +++ b/regression-tests/nsec-wildcard/expected_result.narrow 
@@ -1,8 +1,8 @@ -1 368r0s1q794jmkdrcpf6f85v316hd9ak.wtest.com. IN NSEC3 86400 1 1 1 abcd 368R0S1Q794JMKDRCPF6F85V316HD9AM +1 368r0s1q794jmkdrcpf6f85v316hd9ak.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd 368R0S1Q794JMKDRCPF6F85V316HD9AM 1 368r0s1q794jmkdrcpf6f85v316hd9ak.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ... -1 54njs65s8u96tkffrft6l7j1t1556vik.wtest.com. IN NSEC3 86400 1 1 1 abcd 54NJS65S8U96TKFFRFT6L7J1T1556VIL TXT RRSIG +1 54njs65s8u96tkffrft6l7j1t1556vik.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd 54NJS65S8U96TKFFRFT6L7J1T1556VIL TXT RRSIG 1 54njs65s8u96tkffrft6l7j1t1556vik.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ... -1 pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com. IN NSEC3 86400 1 1 1 abcd PD15QDSJJBFOSU5FG2OQRNLB8R8OIFL7 A RRSIG +1 pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd PD15QDSJJBFOSU5FG2OQRNLB8R8OIFL7 A RRSIG 1 pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ... 1 wtest.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] wtest.com. ... 1 wtest.com. IN SOA 3600 ns1.wtest.com. ahu.example.com. 2005092501 28800 7200 604800 86400 diff --git a/regression-tests/nsec-wildcard/expected_result.nsec3 b/regression-tests/nsec-wildcard/expected_result.nsec3 index 3456f6076..0eab68eae 100644 --- a/regression-tests/nsec-wildcard/expected_result.nsec3 +++ b/regression-tests/nsec-wildcard/expected_result.nsec3 
@@ -1,8 +1,8 @@ -1 2uspqp0ldid6481h33c7lakfkk2g2rdq.wtest.com. IN NSEC3 86400 1 1 1 abcd 44PRS96U2Q7MTAV4DNQMOSMSSI0K7630 A RRSIG +1 2uspqp0ldid6481h33c7lakfkk2g2rdq.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd 44PRS96U2Q7MTAV4DNQMOSMSSI0K7630 A RRSIG 1 2uspqp0ldid6481h33c7lakfkk2g2rdq.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ... -1 54njs65s8u96tkffrft6l7j1t1556vik.wtest.com. IN NSEC3 86400 1 1 1 abcd 67I2ESLUBOJ7DPG4263L3T8DV19G6D0G TXT RRSIG +1 54njs65s8u96tkffrft6l7j1t1556vik.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd 67I2ESLUBOJ7DPG4263L3T8DV19G6D0G TXT RRSIG 1 54njs65s8u96tkffrft6l7j1t1556vik.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ... -1 pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com. IN NSEC3 86400 1 1 1 abcd SHEGK154N8362AG22AR9VDDRF3127M6I A RRSIG +1 pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com. IN NSEC3 86400 1 [flags] 1 abcd SHEGK154N8362AG22AR9VDDRF3127M6I A RRSIG 1 pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ... 1 wtest.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] wtest.com. ... 1 wtest.com. IN SOA 3600 ns1.wtest.com. ahu.example.com. 2005092501 28800 7200 604800 86400 diff --git a/regression-tests/nsec-wraparound/expected_result.nsec3 b/regression-tests/nsec-wraparound/expected_result.nsec3 index a20b5458d..f54d2fb12 100644 --- a/regression-tests/nsec-wraparound/expected_result.nsec3 +++ b/regression-tests/nsec-wraparound/expected_result.nsec3 
@@ -1,10 +1,10 @@ -1 9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com. IN NSEC3 86400 1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG +1 9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com. IN NSEC3 86400 1 [flags] 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG 1 9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 -1 gnk5kv3h2h1h8ge405j6093608ukp3i5.example.com. IN NSEC3 86400 1 1 1 abcd GNO4LESKG6U7HKEJ9UL71SF1HD7F1P96 A RRSIG +1 gnk5kv3h2h1h8ge405j6093608ukp3i5.example.com. IN NSEC3 86400 1 [flags] 1 abcd GNO4LESKG6U7HKEJ9UL71SF1HD7F1P96 A RRSIG 1 gnk5kv3h2h1h8ge405j6093608ukp3i5.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM +1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 [flags] 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM 1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/nsec-wrong-type-at-apex/expected_result.narrow b/regression-tests/nsec-wrong-type-at-apex/expected_result.narrow index 24164544d..499548c1b 100644 --- a/regression-tests/nsec-wrong-type-at-apex/expected_result.narrow +++ b/regression-tests/nsec-wrong-type-at-apex/expected_result.narrow 
@@ -1,6 +1,6 @@ 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 -1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM +1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 [flags] 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM 1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/nsec-wrong-type-at-apex/expected_result.nsec3 b/regression-tests/nsec-wrong-type-at-apex/expected_result.nsec3 index c85202e45..06d27ca00 100644 --- a/regression-tests/nsec-wrong-type-at-apex/expected_result.nsec3 +++ b/regression-tests/nsec-wrong-type-at-apex/expected_result.nsec3 @@ -1,6 +1,6 @@ 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 -1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM +1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 [flags] 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM 1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/nsec-wrong-type/expected_result.narrow b/regression-tests/nsec-wrong-type/expected_result.narrow index 3c8df4eb8..a736114f3 100644 --- a/regression-tests/nsec-wrong-type/expected_result.narrow +++ b/regression-tests/nsec-wrong-type/expected_result.narrow 
@@ -1,4 +1,4 @@ -1 5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com. IN NSEC3 86400 1 1 1 abcd 5UVGFM2VJCJE09SVS7LFB22I1UUQJF99 A RRSIG +1 5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com. IN NSEC3 86400 1 [flags] 1 abcd 5UVGFM2VJCJE09SVS7LFB22I1UUQJF99 A RRSIG 1 5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 diff --git a/regression-tests/nsec-wrong-type/expected_result.nsec3 b/regression-tests/nsec-wrong-type/expected_result.nsec3 index 8d051e85f..6100512ae 100644 --- a/regression-tests/nsec-wrong-type/expected_result.nsec3 +++ b/regression-tests/nsec-wrong-type/expected_result.nsec3 @@ -1,4 +1,4 @@ -1 5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com. IN NSEC3 86400 1 1 1 abcd 5V0S7HPRC5IAFH3C3RO0HHNH543D3UIU A RRSIG +1 5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com. IN NSEC3 86400 1 [flags] 1 abcd 5V0S7HPRC5IAFH3C3RO0HHNH543D3UIU A RRSIG 1 5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 diff --git a/regression-tests/nxdomain-below-nonempty-terminal/expected_result.narrow b/regression-tests/nxdomain-below-nonempty-terminal/expected_result.narrow index eedcaaffb..155155a2a 100644 --- a/regression-tests/nxdomain-below-nonempty-terminal/expected_result.narrow +++ b/regression-tests/nxdomain-below-nonempty-terminal/expected_result.narrow 
@@ -1,10 +1,10 @@ -1 5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com. IN NSEC3 86400 1 1 1 abcd 5UVGFM2VJCJE09SVS7LFB22I1UUQJF99 A RRSIG +1 5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com. IN NSEC3 86400 1 [flags] 1 abcd 5UVGFM2VJCJE09SVS7LFB22I1UUQJF99 A RRSIG 1 5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 -1 sdgbafmjek5v4t8c89q9u0n03qmcslor.example.com. IN NSEC3 86400 1 1 1 abcd SDGBAFMJEK5V4T8C89Q9U0N03QMCSLOT +1 sdgbafmjek5v4t8c89q9u0n03qmcslor.example.com. IN NSEC3 86400 1 [flags] 1 abcd SDGBAFMJEK5V4T8C89Q9U0N03QMCSLOT 1 sdgbafmjek5v4t8c89q9u0n03qmcslor.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 tsdp8hajlfgr90cv4ib634g1m25nc5up.example.com. IN NSEC3 86400 1 1 1 abcd TSDP8HAJLFGR90CV4IB634G1M25NC5UR +1 tsdp8hajlfgr90cv4ib634g1m25nc5up.example.com. IN NSEC3 86400 1 [flags] 1 abcd TSDP8HAJLFGR90CV4IB634G1M25NC5UR 1 tsdp8hajlfgr90cv4ib634g1m25nc5up.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/nxdomain-below-nonempty-terminal/expected_result.nsec3 b/regression-tests/nxdomain-below-nonempty-terminal/expected_result.nsec3 index 9d7140b23..81a1ae2fb 100644 --- a/regression-tests/nxdomain-below-nonempty-terminal/expected_result.nsec3 +++ b/regression-tests/nxdomain-below-nonempty-terminal/expected_result.nsec3 
@@ -1,10 +1,10 @@ -1 5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com. IN NSEC3 86400 1 1 1 abcd 5V0S7HPRC5IAFH3C3RO0HHNH543D3UIU A RRSIG +1 5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com. IN NSEC3 86400 1 [flags] 1 abcd 5V0S7HPRC5IAFH3C3RO0HHNH543D3UIU A RRSIG 1 5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 -1 sdeu4ba3b451gf8ijikm2tphu3bugl4g.example.com. IN NSEC3 86400 1 1 1 abcd SDH8FVJ6LQLSVCQCO8QP82I6JTR574H2 A RRSIG +1 sdeu4ba3b451gf8ijikm2tphu3bugl4g.example.com. IN NSEC3 86400 1 [flags] 1 abcd SDH8FVJ6LQLSVCQCO8QP82I6JTR574H2 A RRSIG 1 sdeu4ba3b451gf8ijikm2tphu3bugl4g.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 tsbl3ev9tces1kjgto3qtn36ltlu0te1.example.com. IN NSEC3 86400 1 1 1 abcd TSIKPRKTT53V9ILUK08SMR9KADQ44TR1 A RRSIG +1 tsbl3ev9tces1kjgto3qtn36ltlu0te1.example.com. IN NSEC3 86400 1 [flags] 1 abcd TSIKPRKTT53V9ILUK08SMR9KADQ44TR1 A RRSIG 1 tsbl3ev9tces1kjgto3qtn36ltlu0te1.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/second-level-nxdomain/expected_result.narrow b/regression-tests/second-level-nxdomain/expected_result.narrow index 1145e1d90..f15b5e6ee 100644 --- a/regression-tests/second-level-nxdomain/expected_result.narrow +++ b/regression-tests/second-level-nxdomain/expected_result.narrow 
@@ -1,10 +1,10 @@ -1 5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com. IN NSEC3 86400 1 1 1 abcd 5UVGFM2VJCJE09SVS7LFB22I1UUQJF99 A RRSIG +1 5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com. IN NSEC3 86400 1 [flags] 1 abcd 5UVGFM2VJCJE09SVS7LFB22I1UUQJF99 A RRSIG 1 5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 -1 k6ta8mhi455hk3jskn0b2st81j6fa1l0.example.com. IN NSEC3 86400 1 1 1 abcd K6TA8MHI455HK3JSKN0B2ST81J6FA1L2 +1 k6ta8mhi455hk3jskn0b2st81j6fa1l0.example.com. IN NSEC3 86400 1 [flags] 1 abcd K6TA8MHI455HK3JSKN0B2ST81J6FA1L2 1 k6ta8mhi455hk3jskn0b2st81j6fa1l0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 tsdp8hajlfgr90cv4ib634g1m25nc5up.example.com. IN NSEC3 86400 1 1 1 abcd TSDP8HAJLFGR90CV4IB634G1M25NC5UR +1 tsdp8hajlfgr90cv4ib634g1m25nc5up.example.com. IN NSEC3 86400 1 [flags] 1 abcd TSDP8HAJLFGR90CV4IB634G1M25NC5UR 1 tsdp8hajlfgr90cv4ib634g1m25nc5up.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/second-level-nxdomain/expected_result.nsec3 b/regression-tests/second-level-nxdomain/expected_result.nsec3 index d8b6253b3..091a488a8 100644 --- a/regression-tests/second-level-nxdomain/expected_result.nsec3 +++ b/regression-tests/second-level-nxdomain/expected_result.nsec3 
@@ -1,10 +1,10 @@ -1 5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com. IN NSEC3 86400 1 1 1 abcd 5V0S7HPRC5IAFH3C3RO0HHNH543D3UIU A RRSIG +1 5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com. IN NSEC3 86400 1 [flags] 1 abcd 5V0S7HPRC5IAFH3C3RO0HHNH543D3UIU A RRSIG 1 5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 -1 k6r6482mfo4upme9n407c2grb6opp1ip.example.com. IN NSEC3 86400 1 1 1 abcd K6TDMVV7BP54FEFUIVR0BVABIBUN0AV9 A RRSIG +1 k6r6482mfo4upme9n407c2grb6opp1ip.example.com. IN NSEC3 86400 1 [flags] 1 abcd K6TDMVV7BP54FEFUIVR0BVABIBUN0AV9 A RRSIG 1 k6r6482mfo4upme9n407c2grb6opp1ip.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 tsbl3ev9tces1kjgto3qtn36ltlu0te1.example.com. IN NSEC3 86400 1 1 1 abcd TSIKPRKTT53V9ILUK08SMR9KADQ44TR1 A RRSIG +1 tsbl3ev9tces1kjgto3qtn36ltlu0te1.example.com. IN NSEC3 86400 1 [flags] 1 abcd TSIKPRKTT53V9ILUK08SMR9KADQ44TR1 A RRSIG 1 tsbl3ev9tces1kjgto3qtn36ltlu0te1.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/secure-delegated.dnssec-parent.com b/regression-tests/secure-delegated.dnssec-parent.com new file mode 100644 index 000000000..004c5b92b --- /dev/null +++ b/regression-tests/secure-delegated.dnssec-parent.com @@ -0,0 +1,16 @@ +$TTL 3600 +$ORIGIN secure-delegated.dnssec-parent.com. +@ IN SOA ns1.secure-delegated.dnssec-parent.com. ahu.example.com. ( 2005092501 + 8H ; refresh + 2H ; retry + 1W ; expire + 1D ; default_ttl + ) + +@ IN NS ns1 +@ IN NS ns2 +@ IN A 9.9.9.9 +ns1 IN A 1.2.3.4 +ns2 IN A 5.6.7.8 +www IN CNAME @ + 
diff --git a/regression-tests/secure-delegated.dnssec-parent.com.key b/regression-tests/secure-delegated.dnssec-parent.com.key new file mode 100644 index 000000000..0a98e66d1 --- /dev/null +++ b/regression-tests/secure-delegated.dnssec-parent.com.key @@ -0,0 +1,11 @@ +Private-key-format: v1.2 +Algorithm: 8 (RSASHA256) +Modulus: l31HtJZYaoDXagbsuz6HdvT8gDIyP8+qf9m4pYz852nFP9yfbHAsOGR2ao/+lSoDO/IU/J3iROquYt9uiEHADv7TukFVrip/+PGUeK90w1QPvYf51RioGWaEILqXd4b7wVmLa2R3CfyRShr2TIsy2sRoWc53+hRBuY28gOn7xVa/VxKdEnxRcp1cuXSyam8LuHUrYBSILmgYhhBMJhbBhEzXAJtv6rV9sUJ2Rsjs5Bb+Hs+PfR4uki7PRsmPi90pddkcrxyVJ1MwAWbqtCw0MjTDtB0KBoOZOfdvpMXZQmLh4OeHu4NtKlR3WYjldY3DgLpatSZ5sUt+KvLq+p2Ihw== +PublicExponent: AQAB +PrivateExponent: DZWxeXNGCH73Uk2+qufnk/ZSMljOAsTnoEFw+n+TKllk094/+aRxgrkXmWTCSrQSyCxkT2cFJHL7Imiw680hoPafHAPB4DV1dmiLjOsHCIEgTDnGYKKuaGC2Fo1FCfXz25nhE8dVmXKpwMB8N87/x3h3dx45yhZI8o/QSKsy5bZGqLISiYqiAlOs0Gqxdqt6t+r7akxeVcs8xitMtKgvf5bmgulJZQlqT5aL32yzTZud7Miy71vmlPGwWlWwzZxW7o2sVIWRptimGPflpmV/SRdD16SlLBUkvzUctchkT95kqXDqdgBchl2ff/UKyg5GuUeuwrAA0lwlOoPthvMfcQ== +Prime1: 8qckzuOEAmauNtQBDShkOPjE8mH7f84K47TcDNb6Ye6X+xNyeqJQ/ceFuSWUOQJogIjAmfCRQxh7TiP/31EsW4fbr8K2bKq/mUR3xBKU7O2o2aR2hDUv/WiVKHusPgpNwYJouK5NJKw4lM9/1cis/DwINi007wJZ8wkYTyjVIuk= +Prime2: n9JwmtfuLc/3X+nqkY2e6LqmA+GTXTk4+8epTCk3+8GClj07PWdI3iHkUH5EkfqOwYWQ0pyWaxylYNBIs8m7+cFbx94ShB42l2h45zISZEviVuuxSj1tiLk25WrTu4dq30xZcFtHVeu9+efLsl3FWG2q9B7B3YSa4LK5+wvRye8= +Exponent1: tF19RLNlCovcbzDC307owFhZvHkMgoFbIsrqzjh1wJmjKqPX8kP4w8qtIWRHeuDJYNFFqKdismbeMMUdipdBy39+0nR/OOLqrDhydbICNOKrIavX1IncdBZq2L6k1zC9f1s6EByvhtTk8egS84vI2WyeBfcwY4Bx7+8QvLZzRxE= +Exponent2: kr24UCPEd2HEQtdWXTAH4K1HMrcSA/0/OcXXxqrt0QSarvEnjDhh6jp6FAHrWZERM9Q75XSKk2wo2BxFNHYcVrPXXkqi+5V2EEyG/de2lUorVh1vmbeO84MDSV9tanhqgv3p/MSCWfxqYKMYHvwD7y46UYxP+eEAByFyq3Ltuxc= +Coefficient: C/xjNwvVWlrWX/NCxT80eW09sWsqvxUlwsMlGK4irzRVSBz2u+/0qkNHoWAjaHlllHAjJAmkKoHgRdl7blxn2C5EOuCtTQJvKO0xcyZgtaCyJpKOwHE3kKv+TIErBPHYxPk0exkyEf4s9REhKlYdV8p92AZWLVwGOMRfAPNuryY= + 
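Review bot: The new `secure-delegated.dnssec-parent.com.key` carries a complete RSA private key, and nothing in the file name or in the `securezone` helper that imports it says it is a regression-test fixture. Secret scanners will flag it and a reader cannot tell whether it was ever used elsewhere, so I would document it where it is imported, e.g. `# test-only KSK, generated for regression-tests; never use for a real zone` above the `import-zone-key` line in start-test-stop. If the key is fixed so that a DS record in the parent zone stays valid (presumably, not visible in this hunk), the comment should say so.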
diff --git a/regression-tests/secure-delegation-ds-ns/command b/regression-tests/secure-delegation-ds-ns/command
new file mode 100755
index 000000000..aab677481
--- /dev/null
+++ b/regression-tests/secure-delegation-ds-ns/command
@@ -0,0 +1,2 @@
+#!/bin/sh
+cleandig www.dsdelegation.example.com A dnssec
diff --git a/regression-tests/secure-delegation-ds-ns/description b/regression-tests/secure-delegation-ds-ns/description
new file mode 100644
index 000000000..3ce51e86e
--- /dev/null
+++ b/regression-tests/secure-delegation-ds-ns/description
@@ -0,0 +1,4 @@
+This test checks the DS/NS response for a secure referral.
+It was written specifically to verify that we do not sign NS records
+at secure delegations.
+
diff --git a/regression-tests/secure-delegation-ds-ns/expected_result b/regression-tests/secure-delegation-ds-ns/expected_result
new file mode 100644
index 000000000..4461cabf6
--- /dev/null
+++ b/regression-tests/secure-delegation-ds-ns/expected_result
@@ -0,0 +1,4 @@
+1 dsdelegation.example.com. IN NS 120 ns.example.com.
+2 . IN OPT 32768
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
+Reply to question for qname='www.dsdelegation.example.com.', qtype=A
diff --git a/regression-tests/secure-delegation-ds-ns/expected_result.dnssec b/regression-tests/secure-delegation-ds-ns/expected_result.dnssec
new file mode 100644
index 000000000..a6a5e61ca
--- /dev/null
+++ b/regression-tests/secure-delegation-ds-ns/expected_result.dnssec
@@ -0,0 +1,6 @@
+1 dsdelegation.example.com. IN DS 120 28129 8 1 caf1eaaecdabe7616670788f9022454bf5fd9fda
+1 dsdelegation.example.com. IN NS 120 ns.example.com.
+1 dsdelegation.example.com. IN RRSIG 120 DS 8 3 120 [expiry] [inception] [keytag] example.com. ...
+2 . IN OPT 32768
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
+Reply to question for qname='www.dsdelegation.example.com.', qtype=A
diff --git a/regression-tests/secure-delegation/command b/regression-tests/secure-delegation/command
index aab677481..d244966c8 100755
--- a/regression-tests/secure-delegation/command +++ b/regression-tests/secure-delegation/command @@ -1,2 +1,2 @@ #!/bin/sh -cleandig www.dsdelegation.example.com A dnssec +cleandig secure-delegated.dnssec-parent.com A dnssec diff --git a/regression-tests/secure-delegation/description b/regression-tests/secure-delegation/description index 3ce51e86e..3174f5dd0 100644 --- a/regression-tests/secure-delegation/description +++ b/regression-tests/secure-delegation/description @@ -1,4 +1,2 @@ -This test checks the DS/NS response for a secure referral. -It was written specifically to verify that we do not sign NS records -at secure delegations. +This test checks a secure delegations. diff --git a/regression-tests/secure-delegation/expected_result b/regression-tests/secure-delegation/expected_result index 4461cabf6..e488ce73d 100644 --- a/regression-tests/secure-delegation/expected_result +++ b/regression-tests/secure-delegation/expected_result @@ -1,4 +1,4 @@ -1 dsdelegation.example.com. IN NS 120 ns.example.com. +0 secure-delegated.dnssec-parent.com. IN A 3600 9.9.9.9 2 . IN OPT 32768 -Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0 -Reply to question for qname='www.dsdelegation.example.com.', qtype=A +Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='secure-delegated.dnssec-parent.com.', qtype=A diff --git a/regression-tests/secure-delegation/expected_result.dnssec b/regression-tests/secure-delegation/expected_result.dnssec index a6a5e61ca..c371d5932 100644 --- a/regression-tests/secure-delegation/expected_result.dnssec +++ b/regression-tests/secure-delegation/expected_result.dnssec 
@@ -1,6 +1,5 @@ -1 dsdelegation.example.com. IN DS 120 28129 8 1 caf1eaaecdabe7616670788f9022454bf5fd9fda -1 dsdelegation.example.com. IN NS 120 ns.example.com. -1 dsdelegation.example.com. IN RRSIG 120 DS 8 3 120 [expiry] [inception] [keytag] example.com. ... +0 secure-delegated.dnssec-parent.com. IN A 3600 9.9.9.9 +0 secure-delegated.dnssec-parent.com. IN RRSIG 3600 A 8 3 3600 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ... 2 . IN OPT 32768 -Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0 -Reply to question for qname='www.dsdelegation.example.com.', qtype=A +Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='secure-delegated.dnssec-parent.com.', qtype=A diff --git a/regression-tests/space-name/expected_result.narrow b/regression-tests/space-name/expected_result.narrow index 6d1bdb693..949e28cb0 100644 --- a/regression-tests/space-name/expected_result.narrow +++ b/regression-tests/space-name/expected_result.narrow 
@@ -1,10 +1,10 @@ -1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN NSEC3 86400 1 1 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2 +1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN NSEC3 86400 1 [flags] 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2 1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 -1 gl4qf9db2fkivonidgs9954bhkhpvviq.example.com. IN NSEC3 86400 1 1 1 abcd GL4QF9DB2FKIVONIDGS9954BHKHPVVIS +1 gl4qf9db2fkivonidgs9954bhkhpvviq.example.com. IN NSEC3 86400 1 [flags] 1 abcd GL4QF9DB2FKIVONIDGS9954BHKHPVVIS 1 gl4qf9db2fkivonidgs9954bhkhpvviq.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM +1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 [flags] 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM 1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/space-name/expected_result.nsec3 b/regression-tests/space-name/expected_result.nsec3 index 180b5ed4b..a5fe48988 100644 --- a/regression-tests/space-name/expected_result.nsec3 +++ b/regression-tests/space-name/expected_result.nsec3 
@@ -1,10 +1,10 @@ -1 9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com. IN NSEC3 86400 1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG +1 9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com. IN NSEC3 86400 1 [flags] 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG 1 9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 -1 gl3vilecelbsri6t44urj9lp6m5853mq.example.com. IN NSEC3 86400 1 1 1 abcd GL5I9VH027O95O1M3UTE1A8KR1TJ253D A RRSIG +1 gl3vilecelbsri6t44urj9lp6m5853mq.example.com. IN NSEC3 86400 1 [flags] 1 abcd GL5I9VH027O95O1M3UTE1A8KR1TJ253D A RRSIG 1 gl3vilecelbsri6t44urj9lp6m5853mq.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM +1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 [flags] 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM 1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/start-test-stop b/regression-tests/start-test-stop index 7e4cef396..92c60f0ba 100755 --- a/regression-tests/start-test-stop +++ b/regression-tests/start-test-stop 
@@ -21,6 +21,27 @@ bindwait () done } +securezone () +{ + local zone=$1 + local configname=$2 + if [ -n "$configname" ] + then + configname="--config-name=$configname" + fi + if [ "${zone: 0:16}" = "secure-delegated" ] + then + ../pdns/pdnssec --config-dir=. $configname import-zone-key $zone $zone.key ksk 2>&1 + ../pdns/pdnssec --config-dir=. $configname add-zone-key $zone 1024 zsk 2>&1 + keyid=`../pdns/pdnssec --config-dir=. $configname show-zone $zone | grep ZSK | cut -d' ' -f3` + ../pdns/pdnssec --config-dir=. $configname activate-zone-key $zone $keyid 2>&1 + ../pdns/pdnssec --config-dir=. $configname add-zone-key $zone 1024 zsk 2>&1 + ../pdns/pdnssec --config-dir=. $configname rectify-zone $zone 2>&1 + else + ../pdns/pdnssec --config-dir=. $configname secure-zone $zone 2>&1 + fi +} + port=$1 [ -z "$port" ] && port=5300 context=$2 @@ -37,8 +58,8 @@ then Usage: ./start-test-stop [] [wait] context is one of: -bind bind-dnssec bind-dnssec-nsec3 bind-dnssec-nsec3-narrow -gmysql-nodnssec gmysql gmysql-nsec3 gmysql-nsec3-narrow +bind bind-dnssec bind-dnssec-nsec3 bind-dnssec-nsec3-optout bind-dnssec-nsec3-narrow +gmysql-nodnssec gmysql gmysql-nsec3 gmysql-nsec3-optout gmysql-nsec3-narrow gpgsql-nodnssec gpgsql gpgsql-nsec3 gsqlite3-nodnssec gsqlite3 gsqlite3-nsec3 opendbx-sqlite3 @@ -71,6 +92,14 @@ then context=${context%-presigned} fi +optout=0 + +if [ "${context: -13}" = "-nsec3-optout" ] +then + optout=1 +fi + + case $context in bind) $RUNWRAPPER ../pdns/pdns_server --daemon=no --local-port=$port --socket-dir=./ \ 
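Review bot: In the new `securezone` function, `keyid` is taken from `show-zone $zone | grep ZSK | cut -d' ' -f3` and handed straight to `activate-zone-key` without a check that it is non-empty, and unlike `zone` and `configname` it is not declared `local`. Every `pdnssec` call only merges stderr into stdout and no exit status is tested, so a failed key import or a change in the `show-zone` output format lets the run continue with a key state other than the intended one, which would show up only as confusing expected_result diffs. I would add `local keyid` and, right after the assignment, `[ -n "$keyid" ] || { echo "securezone: no ZSK id for $zone" >&2; exit 1; }`. A one-line comment on the second `add-zone-key $zone 1024 zsk` stating that it deliberately leaves an extra, non-activated ZSK (if that is the intent) would also help the next reader.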
@@ -81,13 +110,15 @@ case $context in bindwait ;; - bind-dnssec | bind-dnssec-nsec3 | bind-dnssec-nsec3-narrow) - ./bind-dnssec-setup + bind-dnssec | bind-dnssec-nsec3 | bind-dnssec-nsec3-optout | bind-dnssec-nsec3-narrow) + rm -f dnssec.sqlite3 + ../pdns/pdnssec --config-dir=. create-bind-db dnssec.sqlite3 for zone in $(grep zone named.conf | cut -f2 -d\") do - if [ $context = bind-dnssec-nsec3 ] + securezone $zone + if [ $context = bind-dnssec-nsec3 ] || [ $context = bind-dnssec-nsec3-optout ] then - ../pdns/pdnssec --config-dir=. set-nsec3 $zone '1 1 1 abcd' 2>&1 + ../pdns/pdnssec --config-dir=. set-nsec3 $zone "1 $optout 1 abcd" 2>&1 elif [ $context = bind-dnssec-nsec3-narrow ] then ../pdns/pdnssec --config-dir=. set-nsec3 $zone '1 1 1 abcd' narrow 2>&1 @@ -98,6 +129,10 @@ case $context in then extracontexts="bind dnssec nsec3" skipreasons="nsec3" + elif [ $context = bind-dnssec-nsec3-optout ] + then + extracontexts="bind dnssec nsec3 nsec3-optout" + skipreasons="optout" elif [ $context = bind-dnssec-nsec3-narrow ] then extracontexts="bind dnssec narrow" @@ -186,7 +221,7 @@ __EOF__ skipreasons="nodnssec noent" ;; - gmysql | gmysql-nsec3 | gmysql-nsec3-narrow) + gmysql | gmysql-nsec3 | gmysql-nsec3-optout |gmysql-nsec3-narrow) [ -z "$GMYSQLDB" ] && GMYSQLDB=pdnstest [ -z "$GMYSQLUSER" ] && GMYSQLUSER=root [ -z "$GMYSQLHOST" ] && GMYSQLHOST=localhost @@ -213,10 +248,10 @@ gmysql-dnssec __EOF__ for zone in $(grep zone named.conf | cut -f2 -d\") do - ../pdns/pdnssec --config-dir=. --config-name=gmysql secure-zone $zone 2>&1 - if [ $context = gmysql-nsec3 ] + securezone $zone gmysql + if [ $context = gmysql-nsec3 ] || [ $context = gmysql-nsec3-optout ] then - ../pdns/pdnssec --config-dir=. --config-name=gmysql set-nsec3 $zone '1 1 1 abcd' 2>&1 + ../pdns/pdnssec --config-dir=. --config-name=gmysql set-nsec3 $zone "1 $optout 1 abcd" 2>&1 ../pdns/pdnssec --config-dir=. --config-name=gmysql rectify-zone $zone 2>&1 elif [ $context = gmysql-nsec3-narrow ] then 
@@ -239,6 +274,10 @@ __EOF__ then extracontexts="dnssec nsec3" skipreasons="nsec3" + elif [ $context = gmysql-nsec3-optout ] + then + extracontexts="dnssec nsec3 nsec3-optout" + skipreasons="optout" elif [ $context = gmysql-nsec3-narrow ] then extracontexts="dnssec narrow" @@ -248,7 +287,7 @@ __EOF__ fi ;; - gpgsql | gpgsql-nsec3) + gpgsql | gpgsql-nsec3 | gpgsql-nsec3-optout) [ -z "$GPGSQLDB" ] && GPGSQLDB=pdnstest [ -z "$GPGSQLUSER" ] && GPGSQLUSER=$(whoami) @@ -267,10 +306,10 @@ gpgsql-dnssec __EOF__ for zone in $(grep zone named.conf | cut -f2 -d\") do - ../pdns/pdnssec --config-dir=. --config-name=gpgsql secure-zone $zone 2>&1 - if [ $context = gpgsql-nsec3 ] + securezone $zone gpgsql + if [ $context = gpgsql-nsec3 ] || [ $context = gpgsql-nsec3-optout ] then - ../pdns/pdnssec --config-dir=. --config-name=gpgsql set-nsec3 $zone '1 1 1 abcd' 2>&1 + ../pdns/pdnssec --config-dir=. --config-name=gpgsql set-nsec3 $zone "1 $optout 1 abcd" 2>&1 ../pdns/pdnssec --config-dir=. --config-name=gpgsql rectify-zone $zone 2>&1 fi done @@ -284,6 +323,9 @@ __EOF__ if [ $context = gpgsql-nsec3 ] then extracontexts="dnssec nsec3" + elif [ $context = gpgsql-nsec3-optout ] + then + extracontexts="dnssec nsec3 nsec3-optout" elif [ $context = gpgsql-nsec3-narrow ] then extracontexts="dnssec narrow" @@ -363,7 +405,7 @@ __EOF__ skipreasons="nodnssec noent" ;; - gsqlite3 | gsqlite3-nsec3) + gsqlite3 | gsqlite3-nsec3 | gsqlite3-nsec3-optout) rm -f pdns.sqlite3 sqlite3 pdns.sqlite3 < ../pdns/no-dnssec.schema.sqlite3.sql sqlite3 pdns.sqlite3 < ../pdns/dnssec.schema.sqlite3.sql 
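Review bot: The `gpgsql-nsec3-optout` branch added in the `@@ -284,6 +323,9 @@` hunk sets only `extracontexts`, while the matching `bind-dnssec-nsec3-optout` and `gmysql-nsec3-optout` branches also set `skipreasons="optout"`; the `gsqlite3-nsec3-optout` branch in the `@@ -393,6 +435,9 @@` hunk has the same gap. If tests are skipped per reason, the opt-out skips would presumably not apply on these two backends. Adding `skipreasons="optout"` to both branches would keep the four backends consistent, unless `skipreasons` is set for them outside the visible lines. The `elif [ $context = gpgsql-nsec3-narrow ]` branch that follows cannot be reached from the `gpgsql | gpgsql-nsec3 | gpgsql-nsec3-optout)` arm as shown.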
@@ -377,10 +419,10 @@ gsqlite3-dnssec __EOF__ for zone in $(grep zone named.conf | cut -f2 -d\") do - ../pdns/pdnssec --config-dir=. --config-name=gsqlite3 secure-zone $zone 2>&1 - if [ $context = gsqlite3-nsec3 ] + securezone $zone gsqlite3 + if [ $context = gsqlite3-nsec3 ] || [ $context = gsqlite3-nsec3-optout ] then - ../pdns/pdnssec --config-dir=. --config-name=gsqlite3 set-nsec3 $zone '1 1 1 abcd' 2>&1 + ../pdns/pdnssec --config-dir=. --config-name=gsqlite3 set-nsec3 $zone "1 $optout 1 abcd" 2>&1 ../pdns/pdnssec --config-dir=. --config-name=gsqlite3 rectify-zone $zone 2>&1 fi done @@ -393,6 +435,9 @@ __EOF__ if [ $context = gsqlite3-nsec3 ] then extracontexts="dnssec nsec3" + elif [ $context = gsqlite3-nsec3-optout ] + then + extracontexts="dnssec nsec3 nsec3-optout" else extracontexts="dnssec" fi diff --git a/regression-tests/two-level-nxdomain/expected_result.narrow b/regression-tests/two-level-nxdomain/expected_result.narrow index 1f16385a9..269776acf 100644 --- a/regression-tests/two-level-nxdomain/expected_result.narrow +++ b/regression-tests/two-level-nxdomain/expected_result.narrow 
@@ -1,10 +1,10 @@
-1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN NSEC3 86400 1 1 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2
+1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN NSEC3 86400 1 [flags] 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2
 1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1 ectnliqstqsjnnrpuhjj5h0j3c3odkk3.example.com. IN NSEC3 86400 1 1 1 abcd ECTNLIQSTQSJNNRPUHJJ5H0J3C3ODKK5
+1 ectnliqstqsjnnrpuhjj5h0j3c3odkk3.example.com. IN NSEC3 86400 1 [flags] 1 abcd ECTNLIQSTQSJNNRPUHJJ5H0J3C3ODKK5
 1 ectnliqstqsjnnrpuhjj5h0j3c3odkk3.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 [flags] 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
 1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2 . IN OPT 32768
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
diff --git a/regression-tests/two-level-nxdomain/expected_result.nsec3 b/regression-tests/two-level-nxdomain/expected_result.nsec3
index f1d66fdb9..2c7e464af 100644
--- a/regression-tests/two-level-nxdomain/expected_result.nsec3
+++ b/regression-tests/two-level-nxdomain/expected_result.nsec3
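Review bot: Replacing the literal flags value with `[flags]` in these NSEC3 lines means the fixture no longer pins the opt-out bit, so it would presumably pass for a zone emitted with either flags value. The same substitution is made in the other `expected_result.narrow` and `expected_result.nsec3` hunks of this commit. Unless a context-specific fixture outside the visible lines asserts it, one test per context that checks the literal field (0 for nsec3, 1 for nsec3-optout and narrow) would keep a wrong opt-out flag from going undetected.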
@@ -1,10 +1,10 @@
-1 9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com. IN NSEC3 86400 1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
+1 9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com. IN NSEC3 86400 1 [flags] 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
 1 9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1 ecskkg9s6f7lap5qjrnns1bf8pjunshj.example.com. IN NSEC3 86400 1 1 1 abcd ECTPI4N8UNDE9GNVKHG28NJR512JBD4O A RRSIG
+1 ecskkg9s6f7lap5qjrnns1bf8pjunshj.example.com. IN NSEC3 86400 1 [flags] 1 abcd ECTPI4N8UNDE9GNVKHG28NJR512JBD4O A RRSIG
 1 ecskkg9s6f7lap5qjrnns1bf8pjunshj.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 [flags] 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
 1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2 . IN OPT 32768
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
diff --git a/regression-tests/underscore-sorting/expected_result.narrow b/regression-tests/underscore-sorting/expected_result.narrow
index 8e1056a8f..27071b728 100644
--- a/regression-tests/underscore-sorting/expected_result.narrow
+++ b/regression-tests/underscore-sorting/expected_result.narrow
@@ -1,3 +1,3 @@
-1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN NSEC3 86400 1 1 1 abcd 2EU2GULBU53H9UVHFALSHPBO2A83T6L3 NS SOA MX RRSIG DNSKEY NSEC3PARAM
-1 npce7etkesd3umcst08psfape1cnno5o.test.com. IN NSEC3 86400 1 1 1 abcd NPCE7ETKESD3UMCST08PSFAPE1CNNO5Q
-1 nqf0papl2qmp38upr87f930kmebc0o0n.test.com. IN NSEC3 86400 1 1 1 abcd NQF0PAPL2QMP38UPR87F930KMEBC0O0P
+1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN NSEC3 86400 1 [flags] 1 abcd 2EU2GULBU53H9UVHFALSHPBO2A83T6L3 NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1 npce7etkesd3umcst08psfape1cnno5o.test.com. IN NSEC3 86400 1 [flags] 1 abcd NPCE7ETKESD3UMCST08PSFAPE1CNNO5Q
+1 nqf0papl2qmp38upr87f930kmebc0o0n.test.com. IN NSEC3 86400 1 [flags] 1 abcd NQF0PAPL2QMP38UPR87F930KMEBC0O0P
diff --git a/regression-tests/underscore-sorting/expected_result.nsec3 b/regression-tests/underscore-sorting/expected_result.nsec3
index 3f413032c..27092d57f 100644
--- a/regression-tests/underscore-sorting/expected_result.nsec3
+++ b/regression-tests/underscore-sorting/expected_result.nsec3
@@ -1,2 +1,2 @@
-1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN NSEC3 86400 1 1 1 abcd 2GKS2N3JPQF62QOHAVFQ1PHOLM3HR7RA NS SOA MX RRSIG DNSKEY NSEC3PARAM
-1 igf4m7otecach14p0a6ingi7dbuas5b2.test.com. IN NSEC3 86400 1 1 1 abcd O1L0FB73HI3QP4A3FNQJSLEANLC883I3 A RP RRSIG
+1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN NSEC3 86400 1 [flags] 1 abcd 2GKS2N3JPQF62QOHAVFQ1PHOLM3HR7RA NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1 igf4m7otecach14p0a6ingi7dbuas5b2.test.com. IN NSEC3 86400 1 [flags] 1 abcd O1L0FB73HI3QP4A3FNQJSLEANLC883I3 A RP RRSIG
diff --git a/regression-tests/uppercase-nsec/expected_result.narrow b/regression-tests/uppercase-nsec/expected_result.narrow
index 0733f6a5e..34813f9a0 100644
--- a/regression-tests/uppercase-nsec/expected_result.narrow
+++ b/regression-tests/uppercase-nsec/expected_result.narrow
@@ -1,10 +1,10 @@
-1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.Test.com. IN NSEC3 86400 1 1 1 abcd 2EU2GULBU53H9UVHFALSHPBO2A83T6L3 NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.Test.com. IN NSEC3 86400 1 [flags] 1 abcd 2EU2GULBU53H9UVHFALSHPBO2A83T6L3 NS SOA MX RRSIG DNSKEY NSEC3PARAM
 1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.Test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
 1 Test.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ...
 1 Test.com. IN SOA 3600 ns1.Test.com. ahu.example.com. 2005092501 28800 7200 604800 86400
-1 npce7etkesd3umcst08psfape1cnno5o.Test.com. IN NSEC3 86400 1 1 1 abcd NPCE7ETKESD3UMCST08PSFAPE1CNNO5Q
+1 npce7etkesd3umcst08psfape1cnno5o.Test.com. IN NSEC3 86400 1 [flags] 1 abcd NPCE7ETKESD3UMCST08PSFAPE1CNNO5Q
 1 npce7etkesd3umcst08psfape1cnno5o.Test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
-1 nqf0papl2qmp38upr87f930kmebc0o0n.Test.com. IN NSEC3 86400 1 1 1 abcd NQF0PAPL2QMP38UPR87F930KMEBC0O0P
+1 nqf0papl2qmp38upr87f930kmebc0o0n.Test.com. IN NSEC3 86400 1 [flags] 1 abcd NQF0PAPL2QMP38UPR87F930KMEBC0O0P
 1 nqf0papl2qmp38upr87f930kmebc0o0n.Test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
 2 . IN OPT 32768
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
diff --git a/regression-tests/uppercase-nsec/expected_result.nsec3 b/regression-tests/uppercase-nsec/expected_result.nsec3
index 70c5e021e..cfacf4041 100644
--- a/regression-tests/uppercase-nsec/expected_result.nsec3
+++ b/regression-tests/uppercase-nsec/expected_result.nsec3
@@ -1,8 +1,8 @@ -1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.Test.com. IN NSEC3 86400 1 1 1 abcd 2GKS2N3JPQF62QOHAVFQ1PHOLM3HR7RA NS SOA MX RRSIG DNSKEY NSEC3PARAM +1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.Test.com. IN NSEC3 86400 1 [flags] 1 abcd 2GKS2N3JPQF62QOHAVFQ1PHOLM3HR7RA NS SOA MX RRSIG DNSKEY NSEC3PARAM 1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.Test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... 1 Test.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ... 1 Test.com. IN SOA 3600 ns1.Test.com. ahu.example.com. 2005092501 28800 7200 604800 86400 -1 igf4m7otecach14p0a6ingi7dbuas5b2.Test.com. IN NSEC3 86400 1 1 1 abcd O1L0FB73HI3QP4A3FNQJSLEANLC883I3 A RP RRSIG +1 igf4m7otecach14p0a6ingi7dbuas5b2.Test.com. IN NSEC3 86400 1 [flags] 1 abcd O1L0FB73HI3QP4A3FNQJSLEANLC883I3 A RP RRSIG 1 igf4m7otecach14p0a6ingi7dbuas5b2.Test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... 2 . IN OPT 32768 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 diff --git a/regression-tests/verify-dnssec-zone/expected_result b/regression-tests/verify-dnssec-zone/expected_result index 038085921..d8121304f 100644 --- a/regression-tests/verify-dnssec-zone/expected_result +++ b/regression-tests/verify-dnssec-zone/expected_result @@ -61,6 +61,21 @@ zone delegated.dnssec-parent.com/IN: loaded serial 2005092501 (DNSSEC signed) OK RETVAL: 0 +--- ldns-verify-zone -V2 secure-delegated.dnssec-parent.com +RETVAL: 0 + +--- validns secure-delegated.dnssec-parent.com +RETVAL: 0 + +--- jdnssec-verifyzone secure-delegated.dnssec-parent.com +zone verified. +RETVAL: 0 + +--- named-checkzone secure-delegated.dnssec-parent.com +zone secure-delegated.dnssec-parent.com/IN: loaded serial 2005092501 (DNSSEC signed) +OK +RETVAL: 0 + --- ldns-verify-zone -V2 minimal.com RETVAL: 0