From 15a35f448d78b86536ca3486f2c38b60ebe58e28 Mon Sep 17 00:00:00 2001
From: Peter van Dijk <peter.van.dijk@powerdns.com>
Date: Tue, 7 May 2019 09:54:52 +0200
Subject: [PATCH] auth: test for #7785

---
 modules/tinydnsbackend/data                   |  20 ++++++++++++------
 modules/tinydnsbackend/data.cdb               | Bin 1352616 -> 1353259 bytes
 .../tinydns-data-check/expected_result        |   7 +++---
 regression-tests/backends/bind-master         |  15 +++++++------
 regression-tests/backends/gsql-common         |   2 +-
 regression-tests/named.conf                   |   5 +++++
 regression-tests/tests/axfr/expected_result   |   2 ++
 .../tests/axfr/expected_result.dnssec         |  11 ++++++++--
 .../tests/axfr/expected_result.nsec3          |   7 ++++++
 .../tests/axfr/expected_result.nsec3-optout   |   5 +++++
 .../expected_result.dnssec                    |   2 +-
 .../secure-cname-to-insecure-child/command    |   3 +++
 .../description                               |   1 +
 .../expected_result                           |   5 +++++
 .../expected_result.dnssec                    |   6 ++++++
 .../tests/secure-cname-to-insecure/command    |   3 +++
 .../secure-cname-to-insecure/description      |   1 +
 .../secure-cname-to-insecure/expected_result  |   5 +++++
 .../expected_result.dnssec                    |   6 ++++++
 .../tests/verify-dnssec-zone/command          |   2 +-
 regression-tests/zones/dnssec-parent.com      |   2 ++
 regression-tests/zones/example.com            |   3 +++
 .../zones/insecure.dnssec-parent.com          |  13 ++++++++++++
 23 files changed, 106 insertions(+), 20 deletions(-)
 create mode 100755 regression-tests/tests/secure-cname-to-insecure-child/command
 create mode 100644 regression-tests/tests/secure-cname-to-insecure-child/description
 create mode 100644 regression-tests/tests/secure-cname-to-insecure-child/expected_result
 create mode 100644 regression-tests/tests/secure-cname-to-insecure-child/expected_result.dnssec
 create mode 100755 regression-tests/tests/secure-cname-to-insecure/command
 create mode 100644 regression-tests/tests/secure-cname-to-insecure/description
 create mode 100644 regression-tests/tests/secure-cname-to-insecure/expected_result
 create mode 100644 regression-tests/tests/secure-cname-to-insecure/expected_result.dnssec
 create mode 100644 regression-tests/zones/insecure.dnssec-parent.com

diff --git a/modules/tinydnsbackend/data b/modules/tinydnsbackend/data
index bcbeb035f..8f76c113b 100644
--- a/modules/tinydnsbackend/data
+++ b/modules/tinydnsbackend/data
@@ -20100,7 +20100,6 @@
 +toomuchinfo-b.example.com:192.168.99.90:120
 +usa-ns1.usa.example.com:192.168.4.1:120
 +usa-ns2.usa.example.com:192.168.4.2:120
-3ipv6.example.com:200106a80000000102104bfffe4b4c61:120
 :_imap._tcp.example.com:33:\000\000\000\001\000\217\004blah\004test\003com\000:120
 :dsdelegation.example.com:43:m\341\010\001\312\361\352\256\315\253\347afpx\217\220\042EK\365\375\237\332:120
 :escapedtext.example.com:16:\005begin\022the\040\042middle\042\040p\134art\007the\040end:120
@@ -20108,17 +20107,18 @@
 :hightype.example.com:65534:\007\355\046\000\001:120
 :host-0.example.com:108:\000PV\233\000\347:120
 :host-1.example.com:109:\000PV\233\000\347\176W:120
-:hostmaster.mb.example.com:8:\004phil\303\231:120
-:hostmaster.mb.example.com:8:\006sheila\303\231:120
+:hostmaster.mb.example.com:8:\004phil\303\263:120
+:hostmaster.mb.example.com:8:\006sheila\303\263:120
 :hwinfo.example.com:13:\003abc\003def:120
+:ipv6.example.com:28:\040\001\006\250\000\000\000\001\002\020K\377\376KLa:120
 :location.example.com:29:\0002\026\023\213\044\323e\176\273\347\100\000\230\230\020:120
 :location.example.com:29:\000B\026\023t\333\053\274\176\273\347\100\000\230\230\020:120
 :location.example.com:29:\000\022\026\023\213\044\310\373\201D\030\300\000\230\230\020:120
 :location.example.com:29:\000\042\026\023t\3331\320\201D\030\300\000\230\230\020:120
 :multitext.example.com:16:\015text\040part\040one\015text\040part\040two\017text\040part\040three:120
-:phil.mb.example.com:7:\002pc\303\231:120
-:philip.mb.example.com:9:\303\250:120
-:sheila.mb.example.com:7:\004bill\303\231:120
+:phil.mb.example.com:7:\002pc\303\263:120
+:philip.mb.example.com:9:\303\302:120
+:sheila.mb.example.com:7:\004bill\303\263:120
 :text.example.com:16:\025Hi\054\040this\040is\040some\040text:120
 :text0.example.com:16:\014k\075rsa\073\040p\075one:120
 :text1.example.com:16:\014k\075rsa\073\040p\075one:120
@@ -20134,6 +20134,7 @@ C\052.w1.example.com:x.y.z.w2.example.com.:120
 C\052.w2.example.com:x.y.z.w3.example.com.:120
 C\052.w3.example.com:x.y.z.w4.example.com.:120
 C\052.w4.example.com:x.y.z.w5.example.com.:120
+Ccname-to-insecure.example.com:www.insecure.dnssec-parent.com.:120
 Cexternal.example.com:somewhere.else.net.:120
 Cloop1.example.com:loop2.example.com.:120
 Cloop2.example.com:loop3.example.com.:120
@@ -20243,6 +20244,7 @@ Znztest.com:ns1.nztest.com.:ahu.example.com.:2005092501:28800:7200:604800:86400:
 &dnssec-parent.com::ns1.dnssec-parent.com.:3600
 &dnssec-parent.com::ns2.dnssec-parent.com.:3600
 &insecure-delegated.ent.ent.auth-ent.dnssec-parent.com::ns.example.com.:3600
+&insecure.dnssec-parent.com::ns.example.com.:3600
 &secure-delegated.dnssec-parent.com::ns1.secure-delegated.dnssec-parent.com.:3600
 &secure-delegated.dnssec-parent.com::ns2.secure-delegated.dnssec-parent.com.:3600
 +dnssec-parent.com:9.9.9.9:3600
@@ -20254,7 +20256,13 @@ Znztest.com:ns1.nztest.com.:ahu.example.com.:2005092501:28800:7200:604800:86400:
 +ns2.secure-delegated.dnssec-parent.com:5.6.7.8:3600
 +something1.auth-ent.dnssec-parent.com:1.1.2.3:3600
 :secure-delegated.dnssec-parent.com:43:\324\057\010\002\240\271\303\214\323\044\030\052\360\357f\203\015\012\016\205\241\325\211y\311\203N\030\310qw\236\004\010W\267:3600
+Cwww.dnssec-parent.com:www.insecure.dnssec-parent.com.:3600
 Zdnssec-parent.com:ns1.dnssec-parent.com.:ahu.example.com.:2005092501:28800:7200:604800:86400:3600
+#2000081501 auto axfr-get
+&insecure.dnssec-parent.com::ns1.example.com.:120
+&insecure.dnssec-parent.com::ns2.example.com.:120
++www.insecure.dnssec-parent.com:192.0.2.88:120
+Zinsecure.dnssec-parent.com:ns1.example.com.:ahu.example.com.:2000081501:28800:7200:604800:86400:120
 #2005092501 auto axfr-get
 &delegated.dnssec-parent.com::ns1.delegated.dnssec-parent.com.:3600
 &delegated.dnssec-parent.com::ns2.delegated.dnssec-parent.com.:3600
diff --git a/modules/tinydnsbackend/data.cdb b/modules/tinydnsbackend/data.cdb
index c41b7e6a89fc684dd5ec66b549a4b5d9de19c92e..317ffaddf2e5134561b0f843acf398475de742c4 100644
GIT binary patch
delta 7486
zcmZ{I30RZI^Z&j{NCE-&&HF|<tw0q;wBm_K6)&LvqoTGdiZ{gz#k*R91}&lm5569}
zDhfgn6%e%^uZjv5uNv>#pn}#D4;0jTQ{gw+4TPudKhLwzWM*e)XFfAK@4oNOvqSSP
z4ArZC!DuN$$n6lNzDF@yZ01j3lmImFSB&D!{27em&Gfv5Ub4(z!)PbSb)^_(15GQ(
zXp5P@htW1Ot+2=|F)9FF^@_?>@5nkm($-+K9wsX5Fj{L~AY;)+pn<k5G34gRlKDc8
zMJZ;vlSS@M^~yY0R1ESmZwqb9qVvG}c4E;bplJat`W0wi5R1+Mtqi8}hyiA*N60vo
zB@q`6XVD5!s2RngSfIwSEQ#1Sk@9JiSb~IZ8s)VybY0*a7HtN7)dH3vp^c*s`YxeV
zmB^xWv)v??Amo-p<u&VBv<>!0HJezJ3N$aBB?tr>ShN!Ov>i0Uh<r-j_F0fPNcFTw
z>BeqFEII}Hfu|_~fkqY`1zvTPMye~N^J%v&NIanPx~DACn<1*KrV$nXMI*|4Pia~W
zl}FdH=m*eqld4e?&}fC4AQqug6Qq2xnndWPQInL_I8(l|8Rd;$YJyN&D>X@NL|Zkf
zjff6vJy{UgRZVhS)?H1INDfk?)v!@bUrM9Dp>nr@)Iiw~s;?VP=PO64NextvR}&;u
zlhp))vgvAc80@6Yq4L6oYElcv#cFg6<ar5ts;En%5k;?7lN@W;s>!K{NL7=RRBl$I
zh2{n6bUrytO-@H%4qca)t43Mo`90LZ=mTn!>*OO83Ec@b%7^)~63QFTQ3Q<oi<Upv
z)TFw#r8Kh2GOAd1mqw_4MCXl9DH6IWx=!~O)pz@#MkincRV|IsO~#SxPqyPoq|q!#
z5Q=Wf5rmT6>Ab$iiz<}0=14>}Z8?(LN<WSuP}7-GRRBkFAJKy&NVxT;da7VL@7A9~
zIpBbH5T&|rIdU2b!#R@c!Z94$3-f`I96=^x3X$tk#0;tsF^8j2|3Ilu$I(6z&ynKt
zUB;2xDEpZsNJXsXNX^u&rR!@14qbo^BGNg6gf^Qa=RG->LpRKh?W6KQks~#rJ<dU&
zfb*ADLZMKd=g4_iU9v=U%@U!>!r!9Q_YQ{=%^TgPh~!mJy|iZ>sq*M*ia^>Mj&{P2
z9I1`uTFOUDdD02XlswvEKL3RdJcWn@0q|)~JVC<OohN-D*@GuYXj}3GiNH2IL89_2
zo-{1qPLwb6=SgmBdhjGdRX?6ozp+10kWdY#^S;A*f{@#29_h`;qih0CTjms=oadTo
zp4Pxjp4Pxz9z6lQKpjt?1$v$!<@OWRQ!S_R$|UM&-Wp1y*VDkFH_^bf>D1AhEXtSd
z;PoUTV?Gt+?c+&KwTGwyRUuDuom@nz>J&9lc#bE<R(X-~Y1inyTPcm)_co1G`+y>#
zdTK$U%7VmO9-T1<R0ENi5vV~L(lCs24LSgPw7rJ*0aim!MYKjkB93;}5Xke~>3p&W
z<&7;gq$X-wYiN)EN<(U)vZIEiw$fiiQfvHLLr#UNkA?)Arw^eDd0GuYB5kmS=6;xl
zR{KaQH;&cN{t!v2aWXX!JzYa;!*@1aS2$loa+{~qkO<3`XlQCz&;V;zX=rV%r+RiZ
zn>6&;Z2RexV)-Wp149Bs3PT3N28JAlc}@w#7KR-R6%2bA4lo?WPYOIFR!mrmKQr?E
zZUCUOFem}Hvz5=C5;b-Dgp&Qj@dVsS&@ROR;>!fQm|^w{GZS%p=2syj5qGxR&%v6O
zFl2(~PuN5JoQT&*U7LfTJq&eZ%!C<H?dHvFH#KH%ROI|QQNq?F?Cv04uwa3*LBwQZ
zUR;@kqn*|6u*kgFIyqz)_7WdwVTIJ*$zs*KT7X3w!EYya{10P7)pk6I*z)+NE$4L+
zO1J<2l*78MO2;PVRXmJ;x#_%4>!s2lNx0e1U>H_Ei9auMu}nzH$GwCZnK)Oh&B5Ld
z%o?%f0qo?&j1+qqaS_90i=QvxR?V11q2)8|uR5NBkwa)vN}u&u$h?JJ#Q10UYdKRc
z9)F1gr5HA8{1Yy}#h${;57=3Of1AGK{sTL*NErVP+X@rjU}s^;8|)+uF2PFS?tARn
zv-jnRJG(j{JSsZDwMdDu+fAb+!nVOA-X8Q+VrPf&>ET;{&{}uHvmQ>HcS$A$y~VEb
zH__XF`Nh_}k!LG>q(i@n`CuqEBYE>QtD$;}xW|#j1rn9eVVgQ&1RnV9(y@79J>*8U
z-!}?`ceGOu|4LP_i*SeaE%OJd5Pr?fcxZ2r@YP$#(o=vw_e#n-4RnJnUwJ`_@Ikln
zS@R%@VH4l?Omrlk1mTB%Q|^W#gcBCj#l8TKP9KaM+RUNBc>N#j<Na*m2U~=bbP|aZ
z7`4lL^r6yG81Vsn4O%!fr*)<^3Or|SN$f<s`lSsN_izrb@@S;z<W;cxuSS8K%+Pl~
zY{`WO<l>9%cfERUfyjbe9i6tv-fGBp$gUQ#Qj#=`55{^|^#i40Cy%>^+Y5UDY<+-a
zf^(!b3j8MJ^t2X^2ydP9cv4Cu4~n{k-nkFaOmUj(eprHV|1IC2QvpOv!@9SL1^wkU
zE&~mi(7+u)ciUHbR{#ni*PHoPwJqLdP`z3+zwi4#lkO>zkaY`+Xxm%t?2qG%?@iAJ
z_fFOZd;7!E*n71@W2~{%2Ze(Z;}7W}%VWK=h7WZR+P}v>!roh$ZH{A(ZNKvroNV9b
zMbn*)f(n?>Dtw8Gpb&(&Ufu1UWP|YWClk_xAOg`=f8tgnWzUgM!oLLbOAFAQ?qIC<
ztSzG_fyd83PkrMcAx8Z1tYz8C3s!g<e9L>-a(uaCJ&SM`ZQt|#AeO3je}A#co-7uW
zAMtfb`*q@-k9d-dsTPB4v6GE-ZocI}E|jw6_RKPI7|Vt!nF?{cGwbinY!`3)u`{KT
zpiSbS&g@uw=9##=7aL~B+!jCoKQ_#s&-@=oo?~tlkHL<}b95K{?0>|bkFa6{dy0t>
z2Zpn2WRfoF;+@fKNPx7{S~@KbPG#-wnObp77TZeB%oUgIWQ!CMF+mL3%TBUke8k-c
z*$g+y?Cs*9tL$nyGgZ7@$_hSxN-{ADE+4S5XA@f#eEjOVu^${zu;Pz&=PZx|oxBt1
zYsG87gDS!wGxH!<@1peNF5wWP{z4LyE1DSf9eXB6Jm{zvq|9D%AgA6FC+RPUwX4;&
za&GKyj3TRw2d}fxbGrq{RCS`=y{#ZGi<8RIh4fUlcbn!Jl>f<0Ki=Kczb)lYTI8QC
zwBt6hDpeh$vJC;qCS5;1@Mke9OI_q(*JV3KQ!}qzShh?2YOmT`>grX1(X`^)sHV^~
zrWv(ezcced6AQ$c{p#ViOqF>0m^wqsoE4*r)sv-?wyVTTCF&4o>Fu8gyq;pWa`mwm
z%&miOxiwPejkrw49gy0rly>c~&0Gww3f<oUVTDo~q0W|bjd^3_@ew)Fy~5Ma_E$7i
zk?wNdHMf}{f2nz=>n=e$=Z|@5FQwM`vpod2DtIOKowp#bzYOVY**k>+Qlw*(XZen^
zLAs*L5p!k0E1PxsYZ>V6SX<bqiJVsBU^~vkNf#V^u-RlAt3~bUtK*hYjhVW>BT~o7
z7^GX7Ju_+xm|Ny^yDqHJ_JL1FiLPKip=;+Tc&O{X%s)EF)fVZp9_$IqY!t@M$P06q
zDUt5C3)RU2==Xfsq6B(D{ZF@0UA8WmA#Q!4W83CBwS-tUE+5u+nyg+2Vwts})J0fr
z$GHlF?KxX-G`LeWd|1$}ocQ;}B*12x+|Q8P$hj7ajAELS7**)rw7FFp!3fp1oJ(_^
zCiA=H@m9<ATj&Cl*1P#pH-ut4PAS*LP3`CzD$FinJL+}&)v4l02x3;hn_;s7l-@7K
z@HZegN!|U|jRb#-J{I3fazMH%rmY5V2r}j9w{;u-V;A&ly5SIjxnh9xw_17q=18}v
zOL$}+#PMNihX-vTu7nMrmJO5C&kMWYsTig+zBzFE9Blr4%#C%+fgYES8BqmJwD;Xm
zGZUN(<crUwI3nG{>Mf7I1}E&V5AB=(A5O?7ISCWw!Z-)cg>+)ME-bEk!4OiK!ZsDa
zE4D34`a^|uH+N17JY~&gy+67YFNPGJlv&`7*Edx)rBxH6i#zwBhX(|bonO%GPw=5)
z@!Kx3jY@1w&$%!9S@{NwokC7jCD<d~`YZnP=Mhg7I+<cfT`Ao~IA_nXLN4_CP~C@n
z@1>Jr3y(9qGcH<l-eAf(e9r!4>lV6EZH`F)1Wbc^{~~<=u<aRlyt@Z|jOumq9)lOW
zfCLVUf9;THHKr@-TK#i-1=212MPtkYjBUI3ZPUwIwGErit9dv7Z!o&$&-|Nq|AF=T
z*|XafTb*fG=lkQara#(=3P-Moo2tti_-vMSIQ`8gdI1t=`EU>A(hcdBZXNH(**8<Y
z&c^8H-#dgB<XObU1G&*kI|KBuqzwy(yvh^2hjS;GIpU+?T=UjUzG$Q8mMf%XYlymw
zxHFM^h?!z>RVo)Ib4%NU(Z;Gy;(ZJC*-QCTdoAj08uvYx+*m69kjwRyb_m&sQQE!_
zy>u2@lm>iU`t;QU6h!{f%#VHba$7mPqk`T(@zHK>rY&<{7$$P<r9P{%`6zV|4~tx9
zH9Y8Eoa3;9*(!d%%spn9@#3SaTp1(mHE~M4Ve03lYreEToDE+*&ixo^iwsdAQM-Es
zeR?sYFwqVf&hMM>lfNS}xcaT)AFGhzw!&fDHz0r1bZKOO12WV_=iCd0`Ct2bhuyPB
zh7jZUAJ2fi&s^KIR@P)1Qv0ub{5PyWu~Ip+2X?McQUf*o`fyyRlw1j26o&3Oioa?c
zg|JdCpq1fJk^HP0Bg2sI>>{6AuLg!{zp1m2!<I*##&){vAOw|iF4)lVrj7Or_;YcF
zt-pj+pbs`wURN*A0Sg7MWz8$-9<2;}UC$fKA=0l(Jb(85_if0~#$IN~u6L+y=if43
zlge=sZd~U)$jw|~2u)Ya>xTu!buK_|c-%8IGLtkjY}gim#*hleBf~>x#4{u<dV~As
z(+l!Jc<%eSzTbj7U8|p}U9Fc-!>Qe4hnxazzv;4R<{=2IW48;wTN~x5_+78)P{6j|
zVx7~}M%XT@zI}5c=pPIE^2ftUWaxEvOmhaXE*N60`vvs-S6tfvgF=rChgaCF3xtWU
z*<L|o8X11|aq^xYz_D&4y)J952-hdaaJuf|@nK;2NolA%_-p8#C7V11?BoVMHh2LY
z^uD#v6>#9d9M2b(px5nFgz63ia@Z&6&scEa+TzHfXivyW=e|Anr!?Al(8h_LuN!!A
zM=2Mql$i3xsz13i4D&)fc#jK{bWDN!Z_chWaerB8Ysh7eb4o?hB}XEEl1t~cd6ag}
z7rQ>>aukwITf{q+TvKo9?ah{>(VFA?G15i!j^-(*@O(CwIHZYPzvN>i(lzx5v$!Sy
zom^rgh)vt_U}w}`@kA%SXLs{in!&f1NTX=m@DvBn;=g8?XmQnSzD_C~pKNIxhv)Nu
zOSl!=Fe>@{D67yy`(=t}7V_`h?Gm8PoOh0E*?*UKW&>}sWv+@_Gx!}IYBm9*-w$op
zNxqYz-%oFv)L$G{%#V;t<tdhqajt})r{ESrGyCIM#gTjq4M`OS8TqE%v{WjO7l3Ab
zoL_Lw+~(WpO`DcDW$%(AQ?Kx|&qf0k&(;kcAV;Q(9XWmPS}U+V;ii+P)_vozK&Gn7
zIFl=bOcw_Bn9|ewEN#$xvio;;Mutp2xu-h1+91=Mjiuo!|9Y6|k;yn}{SB41cbnW|
zKi=H{4jjzr?)MBf^55vb629q~<Sym;qkvy7F5&J<kV&1jZ0%Xln>2TEuf9rTs%iId
zLtCrErf$inz2HJ-D(Vtgn`*V+;NbV(n>1I2^ozV5d9pc~u0(pSTnmPqd@A4aBX~T`
z_{RW^f;?s?n_`Y_+5(TSfBsCnuXTIgMEOrKGSzBtO-ZzdYZ{vq_je3<+3jGP!T{?5
ztzT%GDD+ZRNQ62gPi_URu_;I%ehMy<rt3f2JlRjKMn0`fgFE+3YHdZ^G}@`ffra36
z=I%caI06{&7T@SBr9S(c^53XFuKka_GRA+B#Dj7`V&Ks0fN0_3W`3D~@Xy<~$?hPb
z=py)Fe%NEvvDs(N%>fKM-K+JRC>JhY;9d0&V<sXfF4HudxC4Gr0Km704;=MBQ}Yf^
zA0~jcs(q%HUxD@QB_*uizn{UTE3yb>A?St9Ti5v&>@li(Z2mV;FddErI3g>ergjtV
zm%p*D*PEnQ<6pjom{%1h%(@L>++Vrq3%DKr^Jl79)Vs|U&^wTQ3c=Oc6d2aM94=(0
zCL;~cFZ@#*90@6vuY&IaCe^vepKmxI(||=D$2!9LlIP)VPeLNX$II=~8OR|h#=^UX
z`TIwEQ`)Zb{F?wnY}CzD(GV_^cNac%{mZ<mB5T5Wf0=nvZ_)1xe@w#65MEs4owx#c
zc`Kcw+&LUhzM1}!BR2h=FL3j@4o9`T*OsXdev_f{f+$}Hc=nsABfNu|X{d$9i!ZA9
zHMUacm6lGh@dN+dmYFUtlW6wXNWY|=$5RYfYTTvFesR7^1MjdGgwstlb?V%87(Fca
z>+{S>i5~7fyXc+xM^g=!O6)fY6)qZYNkE$D=&GquaBcTtRI$oVKg~jS?i1x+nlln+
zlyI?y<~?^C-qRkZT?u93Mq{RZ_lTyJnw*vrmrQZ7R#PjJzM`GcMcg=8lWik$$rXDJ
z*ThI9!5LyfxF)qJvrh<~sd?{Gvk9a3ZYPF#l{ujIqmO(0Yz7|a2yxgfO{kru+5g1!
fSj{CBqZMZ)YKjz0p4e`+W-`wth#N9ByyX7?oMD=p

delta 6991
zcmZu$3tWuZ`#<kHHBHmyyf-x_tXh(=DkNEvTjLj!+m8Efk?gwvc4H!J7-8l54n=9g
zpmO)lQj%MdOBN%Sb(ie6xvXVam)|q*iTeHjzxjOL&v%~ZJm<N5&vVXsr*@s|Zz=Ad
zWZ#X^LWGd&06~ovqj?TFAERWzfMXaXI^>fW&39l)4W6qRFT=<J`nanYWdj;-V3h8V
z?_iYaz=t*ZCm7{{Y_BGI`(H99A-f%;wJ>0MkI`zt0GdH2z)B?}J1TKw<ncI$L8%VC
zP@}I;?2L^VbPV*yCN&typtB&C2QlaZpsqcGjsxmDF{lL4)Q#v>|8igwLJ9pCx#GBi
z3^Ia&MbDr)fC<AHx#EP;MAm)F$V>#p5!pVO%&VNrpp9T}oyEvZ*k_Xj%jXfa{=}fo
z4!=f5W~gKZ(OXtCC==o%i^!n$fckVsW}q^YLCZnbZ6y_|b`mVft6^e4v9n7ga7jLc
zPJ(^qal$}l34;!UY`s7#4Y*3ibvJ96xJSkV9y2J(L6PZCQc>J<Qjz{|g1R?EuX)d)
zAHc2zu_y&l<IIvCab;zu%H3JH!V;F1m(1ctWRnk(6B@HJL%OD{ytJx7R_+Z|Yc@%q
zP}zo+*Vq`w%1nfHV$shK$P!6V)05~+{zV)ZV~BmgKr(L9vvLoZMzS&!)^Ayv0b@Li
ztl&pCjp*ZkVC7y&NMuny==BSeh+%+{RHRwX%4=+2$&y{MmX(*pWMWZ*V?sI^56fib
z-J#DW^K=##WjV%kNrIYvti0A?5@8}BpG7$^ZY&~l!fC=lLQ-kXmoirFZu=Edndv$)
zG~Ol^+V7L`gvW%5fGRRC;5o4``I|*YA%OKCQeg?j$=x5O;$$XNo}A2(O5kLM0<>g2
z$<&yWsYvkW<cdszoV>QiuQ-_jQwTvzC?~JIJ)D!7utpF&OII>(?a85SkU(WLK}{?t
z?*{!~PF`#MFb?g3@$%7}%#3}!tcU#{PYmo+IhktXEP|TZoZKwsb2-vn3pu$r5|(g;
zsbw5FH&V%b(>e~Fg8=q4PG+KV3n%aQ01Jo89f{=;efa@S?t#j~9Gnxd|H6t06_#R7
z-tU&unu;#gRCu{Yf2~G;lS7Lg4(|{~!X6U4fJ#p8a(fkFAm9ZjH@E6FC-;Wt9g*#b
zmruetC6Ce_`(NkA%M|GtP=FjzkC&OS*5~DOK+}jPO!)DHiDo=uq9rdMSk@pS$F<|-
zwKaC+<qA!ayxjfzD4v{reaN_V053CS8N#C^$M%RD#mh&gbv!TcXX7MZ?tz5wdASFS
z(|J@0b|neCygMw3JYi}+u`?wTeS(oB8n%L<eHAIpzMd3To<<TiW)eAWE1x7+q~A#t
zVY_*GP0RNa2PP{oueGLtps9#B(4FSxW=kj~_L{Pq@hhZq%MDU#$z8&Lv4WtkiZEe(
z!K2eqkky_<1`<B-@;1>q3FrU}RJsasr6nGMyeleML9V#6o*+{mpe5s~Mnu;6335*)
z_zQA(n_38RFT@22<Q8lv$V;mW7vx=G>@3KI1|)SS1_8YUnF&o_L0)@He}UWy-w?fS
zxF9o8GMb=nJaJGtNsxQPGKI_wn<>a^8!%gtE7T_m^3qxs337o6%LKVMjH`&9IzbfV
zZBxGKr?)Ok-nvlm(C{eWae~Jg9wj`EF%>+n@TlQ&gU1~n4|qJKw=Ot#jwmJL4pQ_&
z{GOsVh`o|=I6!hTZX-QQ#`7Gysf%%I$|7bg#%-w$(v`*7s*vud;K>>()r?=$Djukh
zhDVIth6S-_Cg#MnEX<1?a&c2>q6L?EP$g2>A?)o<DWrbqaUn(Zm6(gTSwkvF46DNJ
z)e}=O@`x%-ty&`n7htWlrV4+pq!vqMFK|c2S9t!hd*5ZdAzbvKhktulgcrty2hQ<?
zi2wb;rv`8OAzJp}k6mMTG?}A7xL5kOC2k%F?|RsD^es<>)w>?q{{Zas^2mfaV&p5#
zdrW&6KkI@M!olrE*;j~>Z$b4k^;CQlusS%$zq-4)B_I3s#dGd`=s(3BVV~=z^f1@Y
zq4B0mxeZdB5$>evQQa7_8|jxdxW7m3c;vM7;S(@qori9RyVvN&U^~_h#?3x7d6n@$
zDv5VC?o-r>QT2Y(OAi|1T=zfxD<DRn0Sia&Qh$!|=?e~C+cc-I7`Y#7#lPNQjo5e}
zR$*NKkDTspl?eY5+<k10O4Po>zK#(_i6bwLwS<b(FJWz8{OC;Fk}rVep5;%2bS?<@
zXm&V$H`E*FJ*j~eVmJ5yJ;4sK&wRJw{)7J!J2$sUMKR2ulE3x#6LHlstX1L{)b|hF
zWtIo6bIMVjg9T|9-R*35a5HG^>xjibaYFxX0bA;nIwxb<#`s$Kb7=*YV>WlLLu+BX
zsN44)Vf@4vcI@i8weu5Nt%kH0&p(u;7Q4R1&Ao7yUrN@gPn;u!t6RNmv_f0}OWb4c
zw_PXPQz1NK=7~9DYs<keCvV-i&yinIfmUB<s^pq<^hTZd9q2KdaWZw{ejv1u?~qFU
zmk_@wBPrZk>+f^^TkrZsq`Q3*5#HWPHTbJq`O^SSG0?QPOqn>#jx`?B7G<l>K|Ysm
z<Zn)uX?4K|eMV=^@(>S04~2FZ(@ehrXdgN`SzD<3<mNNtO*0-(NQL>Gewmj?gWZSX
zkK3BKi~sruKccU%mV)2m2~O08gC@q?nI64U+Uv}`a;I8L7LJKgQGF!4mT9k{Vx*up
z%v1&a#3XGAWk$MFYY%l}V${?Usb3!^#+{2^g^}-w@?#^gC-NQM4zFG1*oJ}P%^}Q5
zN+V?sWmY=TcQ#4EqnMr@=-<ewWHvGG?vzE^lg%_!QVpf@olKz%9lcQ6u#cJGOpQHc
zWiou|@@#3#W#(rk#Y;gq7_oWR@3&yo<5q7|L_Js3qu|n-k#-N%!{zGc;|@LGz-@pp
zTwVknbd%*B4jJ?xYA|oR=<38aqK8?e=1%NwcdDPHVp&l^4V5wlc6TEE*Lo>-75hQS
zMeo9BT=lVj^K0<nE^&;BU94WV3G_D;6?vP)=O)%a@XTf+x5@x~b9Y0pmPDTHkil+y
z4c^L-A~&#8++3f*fj8kwL7z5~HJdH;P^V{OG-*rOxf$D~1^ZZkg%;;v6o2f)c(1;0
zD84j0G}0jh&diaD4zhz?DU+lrWHS`hbjf<0ov5H~%O&5_Y)=jCmF%G2Pg-`H&2K^_
zOF9L&QbBE&%9Y#!g~!^m_Wz!RkimZMwPK=psV5WO$j~`*pW*?94D*w`+`N>ZJICOD
zrGK{^ajz%mGpNbjQYlS^3}?<gT_!4OO`hZLihH?ymOp(l*cS#rXbEBBY@5vf3S@X0
zc;nhI>eDbXFfDg_Hx=)-Vf^|UcDK`y+eO!obxc|76I91`QS;wE#()o1!*+iy0-xJg
zAL&|8i41F}Pj7Y1xprRT)43Vv#Z_L6U#Ow*;;@-cj<}^f{-sVy^Bed3@lPjYkXja|
zTy;Z+#1ea_#xyb%C`Wu#Enb3BoyQNKRIpDBc4M?X4ITScN7r*f2B!($;ur`Sllb(<
zSV$rD@PLo&oN7ZaAN%fn3b=_^2AOw4Sj)I`GZz6}efB>)vsX^3ks)zXh;P*ADaeq(
z-dxiISXUjL(&B-**PRJWGPG$hWa^_jR1{8IcddRMDqNY{M>>H2<%-bYOvvMz@X8Pl
zaW(oG`<FQ*L-eUjqZUD)**SR)?||KP%Y=?6A^(){_G^Yf*)3-0d(Hm;XOkgepHP~m
zY=#V34|aFn;wac9_Tx2}(2+lOI<@wGGDQA4f-e^@y~82$)e>rm@;tB%Lk3kN%GWG`
zYK*-#1EL`VVavcJ^T9!3=+mXGYa7JSqsPI96GckPg!mg!zcx=Tbr@NmJ#~C~odwmr
z*_HN8W-r1Z(L-BYggC8RtovswFx%~$^`o5XFmrL&uRc>D?yP@a{rer{v3pcOcw;p(
zq({vBv%7dNjR_YgV~+7M82^ktQshYN&9NIP9>|cq?(L#MVi9KiA`C5N{kW@F?XrGK
z&G7JP`s1&G&eE3$PL+W3Y2B~KOb0~IzcU{K+D%Iab&Hp~8GOWiv%Lrs9W?)i$Ku+Z
z^4ZsyIfwgdT_J90+wnfIgs$P;0=r<?5zD5v7$xq-9Pg2SC+E5vQmmNwce^>_UNt8)
zeKJ(iLIV5Q_0kZizPOX<Qw@{fb%;5lfCSp~JX)RXF2yrkCm;2lpW$ykS=P-jH;A!T
zI0!Dc;2tXJ&YR^ES$Yt{xi?e~f%9hR<>08a9Yp(OKW?~6t=@`J%DNw8Z|@M7>bav-
z14%c8`yzmPB*iV@mblQ1RywS;lG{@5A*Py1&rDp5lh&Avk*T_kbg>4#@`$`Qk66##
z#C?lt_9y9j4i}*aekNj+w%6XJsfpmEG{D5o-~HU%Mb?`g^2q1UGH)SS9wzDba8q5W
z<)ZZ$t~Gsmg}7JChDbh#xwb6aQ~gRg>_SH^6Bk_Ocxl$J++~VVOS&uEO-f`YGtrJd
zbruJdb3x*sU`C@fukW?|@jLkyDb%bDTERcAy@SmSHlF%1r}o{$-01PnH{<Hane$JZ
z*E?7Z6n)CM#!2R#9Uq(h+>klY-N~HoiOenAp2>JoXTnz}e3$yVBXeGC>BoH@$h=2;
zw)B=O$S<6}r~vzruyZXofj;EAb95QV2WI&G`G*Rb+h#dUj0L};PoJ<_z_#5Y_NRhf
z*bu*q(J(*k?J&37>Lg^g8lBg41OsdH&Ufa3L4M~iXIsI+*G!krBS1dvJ+jSR!0>G@
zfBgdix)hK2f&%+vuewZ*0{!uB{xSC;!Q&4{MJZtXWbVk=lWJr>_3?bcAn?<(boA`g
zV0WlcS<GT&*0tL(^$^(is<^QK2fYh2pWQp=r}i+h>rB_QW?*o1xoT=B!1Ld`wx_{S
z-`4@n%V0uZ(^%gZ;3#Ud%dGA&9y?Gyt_mvob>6tb$uPg<+r(}IK;M0y!F!Upr4`pz
zY5vW{W0X#eErqvJ^O$OnWg)dkmwBAN=lAn#4*>J{p5t>P!QUgVh2uIvoW~JS<F+7V
zuDll209M%i<b1}F#gNaW_X}5kDHh$se*WgCL6fEz)V|`GpTC*7`-eKKH`8i%86x_g
zaJ)_1xB&Uc^ES_Y`rGw{I<r1b-gYm_Q_|kxdZ_3VJEbxAxziLSN&yeK7&_#27Dn54
zoK75SCb$yz*fvdSMal(FS%1|+^kF*)`tFo=RB+o|=-<+$*lNzppI)+&bbOk?cc)<2
z-L1zLV_MoM?P$tRq3Oh$ZPq4$AE=~vua}m7#l!TdJSjMoj|iutq-oRm)-;Xf1Hex@
zF@yh_qUs%*#eY;#>O%>9Gle!J6QdLFA7zcN!D_&hO-A2%x<=e$;CX4Ffxp>6{RfnA
zR+HE?bi35S#M@jcgT!R<+Z(g+qY+&`w9!BhbV8R;ZJ4l7Dml)7qoDWHoEIHW^RryI
zW-BqenqTqD;2M0kPAodldnF0$i9QexhN~HG{+;(LLbfjY;@^iWkgdbwj{UE=AlnSn
zHGL{z#rAF8?z$n{xjvoZB5E&o+x_Kp8^OtFTOuvs?$XFsI&^Khn-j7v-J0oi`_thI
zemlm5-^%%~BVLSfWjqGkeCE8lyH1I0WlqCXM`|a0`exhD+)o}1j&okRnO9?E+md_d
zfM=ZqIxF=jN7Y_lHa2U~>SD)D>4$9}qHn}4hUBH<kNtZq#j}@qZN$*0BXe|+V9#sH
z{Xc=fdPB@r=ODr6J5Ppa>-fo^e!64^5OFXgJm`1uQN7pp>?;@X_cC7FbmX?gcT=Ef
z#ijYr{)XJ5X02)a9Bf;Sxqs`WGqSmrJbqs;7QJV>wzvJ$>fySUKwQ~4-{q^p)?>uj
zop4duDze6`Z4Y^Xd>t0%)5o^rNb<Dbl;Yb9yzc~C#oWliGMLon-iM&EK+>G?*H2Ea
zz13~M4@nx^s`j^sO+Q+x-b^9e))Oa~AV{R><QiRjNIvXf;E@gxG;G-^KX{L^1^?2)
z6F~v-rB{0k;`F^tpwc$nyUBqBvFIYtH~b>l+dk$~Mzv_G{v*+*6&Jk6S}&Wj{;iy$
zbyDd)w{d=m<Ha_lukFaZhCy%!{NImltk^|W0p+CaxRrAq((KnZA|(LIdNr@Stpd`V
zFmqm)ZgtAJGTXUwzc>a`YFgN?<A?P?*MaPl2wqBU8y0wH?*PpGHLR*0RFX0JEj_>X
z1*wtkM3uf}5l~Q>d$|Es+jzEk=fnd+;+Wn{h|*T??XC3Lj#ofGPurCI4e9VQZfkF9
zuzaz|?t|-g|F3*LO?ivcuJYcT9?p|%aVkpzY(@uGZ<RJ&<@0=+&x7rAt4sQ%2WOnn
zt-SFqB!>)WO(*!g1_PyO&-s<E^zmindiME;uX3flB$czU+nGL};?Vj@H`PJ|1vNsl
zdkF9|?*~z*5k9g5*I@MUR#4a9y;bPpp5nQglD@ux74#vKIH`f)Pe0fwt!f}txN!C1
z-%}MU)Jfme;JV$?(k8-bnsO5RH4|QQXW`e(<FvA<_ca)lD-8({wl$?sWJ*+D;e!*M
zCZASX$!CC&?My2zQjuPO!|v&3DR`K$-isP0mP{93*WbDUqt`x1WBqP=px46-{4YCX
qKuRi~Aw;R^;#A3Zu5iH(eg{1>3WYAzAZbskFp;MUBu%!!)BgdCCNRDL

diff --git a/regression-tests.nobackend/tinydns-data-check/expected_result b/regression-tests.nobackend/tinydns-data-check/expected_result
index bace48899..6dee487ae 100644
--- a/regression-tests.nobackend/tinydns-data-check/expected_result
+++ b/regression-tests.nobackend/tinydns-data-check/expected_result
@@ -1,10 +1,11 @@
-16f36b572fcb576e465f061e417626f8  ../regression-tests/zones/example.com
+db93ba72fcc30da0f775183ee9126edf  ../regression-tests/zones/example.com
 fe49d2784b1bcc3b91ddd5619f0b6cc1  ../regression-tests/zones/test.com
 f0df67fa656d33fd85098cbe43893395  ../regression-tests/zones/test.dyndns
 dee3e8b568549d9450134b555ca73990  ../regression-tests/zones/sub.test.dyndns
 e7c0fd528e8aaedb1ea3b6daaead4de2  ../regression-tests/zones/wtest.com
 42b442de632686e94bde75acf66cf524  ../regression-tests/zones/nztest.com
-aeff58ea1eb6e63096e6da18337be312  ../regression-tests/zones/dnssec-parent.com
+b06133eb32c5bdf346223563501ba8f8  ../regression-tests/zones/dnssec-parent.com
+e9be89b6e5e0da8910c69e46f35d20ab  ../regression-tests/zones/insecure.dnssec-parent.com
 6510bf48aa3ca3501b73a1f510852a34  ../regression-tests/zones/delegated.dnssec-parent.com
 a63dc120391d9df0003f2ec4f461a6af  ../regression-tests/zones/secure-delegated.dnssec-parent.com
 24514dc104b22206daeb973ff9303545  ../regression-tests/zones/minimal.com
@@ -12,4 +13,4 @@ a63dc120391d9df0003f2ec4f461a6af  ../regression-tests/zones/secure-delegated.dns
 b1f775045fa2cf0a3b91aa834af06e49  ../regression-tests/zones/stest.com
 a98864b315f16bcf49ce577426063c42  ../regression-tests/zones/cdnskey-cds-test.com
 9aeed2c26d0c3ba3baf22dfa9568c451  ../regression-tests/zones/2.0.192.in-addr.arpa
-dcf9536d23ecffbdb706aa7d95bfb725  ../modules/tinydnsbackend/data.cdb
+8fa20d959485419535d0406fd4df2a56  ../modules/tinydnsbackend/data.cdb
diff --git a/regression-tests/backends/bind-master b/regression-tests/backends/bind-master
index f051d0d1e..579935bfb 100644
--- a/regression-tests/backends/bind-master
+++ b/regression-tests/backends/bind-master
@@ -57,13 +57,16 @@ __EOF__
 				mysql --user="$GMYSQLUSER" --password="$GMYSQLPASSWD" --host="$GMYSQLHOST" \
 					"$GMYSQLDB" -e "INSERT INTO domains (name, type, master) VALUES('$zone','SLAVE','127.0.0.1:$port')"
 			fi
-			securezone $zone bind
-			if [ $context = bind-dnssec-nsec3 ] || [ $context = bind-dnssec-nsec3-optout ] || [ $context = bind-hybrid-nsec3 ]
+			if [ $zone != insecure.dnssec-parent.com ]
 			then
-				$PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone "1 $optout 1 abcd" 2>&1
-			elif [ $context = bind-dnssec-nsec3-narrow ]
-			then
-				$PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone '1 1 1 abcd' narrow 2>&1
+				securezone $zone bind
+				if [ $context = bind-dnssec-nsec3 ] || [ $context = bind-dnssec-nsec3-optout ] || [ $context = bind-hybrid-nsec3 ]
+				then
+					$PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone "1 $optout 1 abcd" 2>&1
+				elif [ $context = bind-dnssec-nsec3-narrow ]
+				then
+					$PDNSUTIL --config-dir=. --config-name=bind set-nsec3 $zone '1 1 1 abcd' narrow 2>&1
+				fi
 			fi
 			if [ "$zone" = "tsig.com" ]; then
 				$PDNSUTIL --config-dir=. --config-name=bind import-tsig-key test $ALGORITHM $KEY
diff --git a/regression-tests/backends/gsql-common b/regression-tests/backends/gsql-common
index 1a9e15eda..99eff8ecf 100644
--- a/regression-tests/backends/gsql-common
+++ b/regression-tests/backends/gsql-common
@@ -15,7 +15,7 @@ gsql_master()
 
 	for zone in $(grep 'zone ' named.conf  | cut -f2 -d\")
 	do
-		if [ $context != ${backend}-nodnssec ]
+		if [ $context != ${backend}-nodnssec ] && [ $zone != insecure.dnssec-parent.com ]
 		then
 			if [ $context = ${backend}-nsec3 ] || [ $context = ${backend}-nsec3-optout ]
 			then
diff --git a/regression-tests/named.conf b/regression-tests/named.conf
index 4eaf2a7ca..2a1a754da 100644
--- a/regression-tests/named.conf
+++ b/regression-tests/named.conf
@@ -48,6 +48,11 @@ zone "dnssec-parent.com"{
 	file "dnssec-parent.com";
 };
 
+zone "insecure.dnssec-parent.com"{
+	type master;
+	file "insecure.dnssec-parent.com";
+};
+
 zone "delegated.dnssec-parent.com"{
 	type master;
 	file "delegated.dnssec-parent.com";
diff --git a/regression-tests/tests/axfr/expected_result b/regression-tests/tests/axfr/expected_result
index edeba95de..d831426e4 100644
--- a/regression-tests/tests/axfr/expected_result
+++ b/regression-tests/tests/axfr/expected_result
@@ -6,6 +6,7 @@ dnssec-parent.com.	3600	IN	NS	ns2.dnssec-parent.com.
 dnssec-parent.com.	3600	IN	SOA	ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
 dnssec-parent.com.	3600	IN	SOA	ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
 insecure-delegated.ent.ent.auth-ent.dnssec-parent.com.	3600	IN	NS	ns.example.com.
+insecure.dnssec-parent.com.	3600	IN	NS	ns.example.com.
 ns1.delegated.dnssec-parent.com.	3600	IN	A	4.5.6.7
 ns1.dnssec-parent.com.	3600	IN	A	1.2.3.4
 ns1.secure-delegated.dnssec-parent.com.	3600	IN	A	1.2.3.4
@@ -16,3 +17,4 @@ secure-delegated.dnssec-parent.com.	3600	IN	DS	54319 8 2 a0b9c38cd324182af0ef668
 secure-delegated.dnssec-parent.com.	3600	IN	NS	ns1.secure-delegated.dnssec-parent.com.
 secure-delegated.dnssec-parent.com.	3600	IN	NS	ns2.secure-delegated.dnssec-parent.com.
 something1.auth-ent.dnssec-parent.com.	3600	IN	A	1.1.2.3
+www.dnssec-parent.com.	3600	IN	CNAME	www.insecure.dnssec-parent.com.
diff --git a/regression-tests/tests/axfr/expected_result.dnssec b/regression-tests/tests/axfr/expected_result.dnssec
index f580f6c6e..e65f64774 100644
--- a/regression-tests/tests/axfr/expected_result.dnssec
+++ b/regression-tests/tests/axfr/expected_result.dnssec
@@ -1,6 +1,6 @@
 delegated.dnssec-parent.com.	3600	IN	NS	ns1.delegated.dnssec-parent.com.
 delegated.dnssec-parent.com.	3600	IN	NS	ns2.delegated.dnssec-parent.com.
-delegated.dnssec-parent.com.	86400	IN	NSEC	ns1.dnssec-parent.com. NS RRSIG NSEC
+delegated.dnssec-parent.com.	86400	IN	NSEC	insecure.dnssec-parent.com. NS RRSIG NSEC
 delegated.dnssec-parent.com.	86400	IN	RRSIG	NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
 dnssec-parent.com.	3600	IN	A	9.9.9.9
 dnssec-parent.com.	3600	IN	NS	ns1.dnssec-parent.com.
@@ -17,6 +17,9 @@ dnssec-parent.com.	86400	IN	RRSIG	NSEC 13 2 86400 [expiry] [inception] [keytag]
 insecure-delegated.ent.ent.auth-ent.dnssec-parent.com.	3600	IN	NS	ns.example.com.
 insecure-delegated.ent.ent.auth-ent.dnssec-parent.com.	86400	IN	NSEC	something1.auth-ent.dnssec-parent.com. NS RRSIG NSEC
 insecure-delegated.ent.ent.auth-ent.dnssec-parent.com.	86400	IN	RRSIG	NSEC 13 6 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
+insecure.dnssec-parent.com.	3600	IN	NS	ns.example.com.
+insecure.dnssec-parent.com.	86400	IN	NSEC	ns1.dnssec-parent.com. NS RRSIG NSEC
+insecure.dnssec-parent.com.	86400	IN	RRSIG	NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
 ns1.delegated.dnssec-parent.com.	3600	IN	A	4.5.6.7
 ns1.dnssec-parent.com.	3600	IN	A	1.2.3.4
 ns1.dnssec-parent.com.	3600	IN	RRSIG	A 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
@@ -33,9 +36,13 @@ secure-delegated.dnssec-parent.com.	3600	IN	DS	54319 8 2 a0b9c38cd324182af0ef668
 secure-delegated.dnssec-parent.com.	3600	IN	NS	ns1.secure-delegated.dnssec-parent.com.
 secure-delegated.dnssec-parent.com.	3600	IN	NS	ns2.secure-delegated.dnssec-parent.com.
 secure-delegated.dnssec-parent.com.	3600	IN	RRSIG	DS 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
-secure-delegated.dnssec-parent.com.	86400	IN	NSEC	dnssec-parent.com. NS DS RRSIG NSEC
+secure-delegated.dnssec-parent.com.	86400	IN	NSEC	www.dnssec-parent.com. NS DS RRSIG NSEC
 secure-delegated.dnssec-parent.com.	86400	IN	RRSIG	NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
 something1.auth-ent.dnssec-parent.com.	3600	IN	A	1.1.2.3
 something1.auth-ent.dnssec-parent.com.	3600	IN	RRSIG	A 13 4 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 something1.auth-ent.dnssec-parent.com.	86400	IN	NSEC	delegated.dnssec-parent.com. A RRSIG NSEC
 something1.auth-ent.dnssec-parent.com.	86400	IN	RRSIG	NSEC 13 4 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
+www.dnssec-parent.com.	3600	IN	CNAME	www.insecure.dnssec-parent.com.
+www.dnssec-parent.com.	3600	IN	RRSIG	CNAME 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+www.dnssec-parent.com.	86400	IN	NSEC	dnssec-parent.com. CNAME RRSIG NSEC
+www.dnssec-parent.com.	86400	IN	RRSIG	NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
diff --git a/regression-tests/tests/axfr/expected_result.nsec3 b/regression-tests/tests/axfr/expected_result.nsec3
index ad2d86817..425b2b500 100644
--- a/regression-tests/tests/axfr/expected_result.nsec3
+++ b/regression-tests/tests/axfr/expected_result.nsec3
@@ -25,6 +25,9 @@ ent.ent.auth-ent.dnssec-parent.com.	86400	IN	RRSIG	NSEC3 13 3 86400 [expiry] [in
 insecure-delegated.ent.ent.auth-ent.dnssec-parent.com.	3600	IN	NS	ns.example.com.
 insecure-delegated.ent.ent.auth-ent.dnssec-parent.com.	86400	IN	NSEC3	1 0 1 abcd [next owner] NS
 insecure-delegated.ent.ent.auth-ent.dnssec-parent.com.	86400	IN	RRSIG	NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
+insecure.dnssec-parent.com.	3600	IN	NS	ns.example.com.
+insecure.dnssec-parent.com.	86400	IN	NSEC3	1 0 1 abcd [next owner] NS
+insecure.dnssec-parent.com.	86400	IN	RRSIG	NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
 ns1.delegated.dnssec-parent.com.	3600	IN	A	4.5.6.7
 ns1.dnssec-parent.com.	3600	IN	A	1.2.3.4
 ns1.dnssec-parent.com.	3600	IN	RRSIG	A 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
@@ -47,3 +50,7 @@ something1.auth-ent.dnssec-parent.com.	3600	IN	A	1.1.2.3
 something1.auth-ent.dnssec-parent.com.	3600	IN	RRSIG	A 13 4 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 something1.auth-ent.dnssec-parent.com.	86400	IN	NSEC3	1 0 1 abcd [next owner] A RRSIG
 something1.auth-ent.dnssec-parent.com.	86400	IN	RRSIG	NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
+www.dnssec-parent.com.	3600	IN	CNAME	www.insecure.dnssec-parent.com.
+www.dnssec-parent.com.	3600	IN	RRSIG	CNAME 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+www.dnssec-parent.com.	86400	IN	NSEC3	1 0 1 abcd [next owner] CNAME RRSIG
+www.dnssec-parent.com.	86400	IN	RRSIG	NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
diff --git a/regression-tests/tests/axfr/expected_result.nsec3-optout b/regression-tests/tests/axfr/expected_result.nsec3-optout
index 3e5178ff4..fbd473c1b 100644
--- a/regression-tests/tests/axfr/expected_result.nsec3-optout
+++ b/regression-tests/tests/axfr/expected_result.nsec3-optout
@@ -17,6 +17,7 @@ dnssec-parent.com.	86400	IN	RRSIG	DNSKEY 13 2 86400 [expiry] [inception] [keytag
 dnssec-parent.com.	86400	IN	RRSIG	NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
 dnssec-parent.com.	86400	IN	RRSIG	NSEC3PARAM 13 2 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
 insecure-delegated.ent.ent.auth-ent.dnssec-parent.com.	3600	IN	NS	ns.example.com.
+insecure.dnssec-parent.com.	3600	IN	NS	ns.example.com.
 ns1.delegated.dnssec-parent.com.	3600	IN	A	4.5.6.7
 ns1.dnssec-parent.com.	3600	IN	A	1.2.3.4
 ns1.dnssec-parent.com.	3600	IN	RRSIG	A 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
@@ -39,3 +40,7 @@ something1.auth-ent.dnssec-parent.com.	3600	IN	A	1.1.2.3
 something1.auth-ent.dnssec-parent.com.	3600	IN	RRSIG	A 13 4 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 something1.auth-ent.dnssec-parent.com.	86400	IN	NSEC3	1 1 1 abcd [next owner] A RRSIG
 something1.auth-ent.dnssec-parent.com.	86400	IN	RRSIG	NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
+www.dnssec-parent.com.	3600	IN	CNAME	www.insecure.dnssec-parent.com.
+www.dnssec-parent.com.	3600	IN	RRSIG	CNAME 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+www.dnssec-parent.com.	86400	IN	NSEC3	1 1 1 abcd [next owner] CNAME RRSIG
+www.dnssec-parent.com.	86400	IN	RRSIG	NSEC3 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
diff --git a/regression-tests/tests/ds-at-unsecure-zone-cut/expected_result.dnssec b/regression-tests/tests/ds-at-unsecure-zone-cut/expected_result.dnssec
index 459ce0f08..2b461d47b 100644
--- a/regression-tests/tests/ds-at-unsecure-zone-cut/expected_result.dnssec
+++ b/regression-tests/tests/ds-at-unsecure-zone-cut/expected_result.dnssec
@@ -1,4 +1,4 @@
-1	delegated.dnssec-parent.com.	IN	NSEC	86400	ns1.dnssec-parent.com. NS RRSIG NSEC
+1	delegated.dnssec-parent.com.	IN	NSEC	86400	insecure.dnssec-parent.com. NS RRSIG NSEC
 1	delegated.dnssec-parent.com.	IN	RRSIG	86400	NSEC 13 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
 1	dnssec-parent.com.	IN	RRSIG	3600	SOA 13 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 1	dnssec-parent.com.	IN	SOA	3600	ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
diff --git a/regression-tests/tests/secure-cname-to-insecure-child/command b/regression-tests/tests/secure-cname-to-insecure-child/command
new file mode 100755
index 000000000..0a9161560
--- /dev/null
+++ b/regression-tests/tests/secure-cname-to-insecure-child/command
@@ -0,0 +1,3 @@
+#!/bin/sh
+cleandig www.dnssec-parent.com A dnssec
+
diff --git a/regression-tests/tests/secure-cname-to-insecure-child/description b/regression-tests/tests/secure-cname-to-insecure-child/description
new file mode 100644
index 000000000..57ed85c34
--- /dev/null
+++ b/regression-tests/tests/secure-cname-to-insecure-child/description
@@ -0,0 +1 @@
+Signed CNAME to an A record in an unsigned child zone.
diff --git a/regression-tests/tests/secure-cname-to-insecure-child/expected_result b/regression-tests/tests/secure-cname-to-insecure-child/expected_result
new file mode 100644
index 000000000..288e33ba1
--- /dev/null
+++ b/regression-tests/tests/secure-cname-to-insecure-child/expected_result
@@ -0,0 +1,5 @@
+0	www.dnssec-parent.com.	IN	CNAME	3600	www.insecure.dnssec-parent.com.
+0	www.insecure.dnssec-parent.com.	IN	A	120	192.0.2.88
+2	.	IN	OPT	32768	
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='www.dnssec-parent.com.', qtype=A
diff --git a/regression-tests/tests/secure-cname-to-insecure-child/expected_result.dnssec b/regression-tests/tests/secure-cname-to-insecure-child/expected_result.dnssec
new file mode 100644
index 000000000..937f3a3c0
--- /dev/null
+++ b/regression-tests/tests/secure-cname-to-insecure-child/expected_result.dnssec
@@ -0,0 +1,6 @@
+0	www.dnssec-parent.com.	IN	CNAME	3600	www.insecure.dnssec-parent.com.
+0	www.dnssec-parent.com.	IN	RRSIG	3600	CNAME 13 3 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+0	www.insecure.dnssec-parent.com.	IN	A	120	192.0.2.88
+2	.	IN	OPT	32768	
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='www.dnssec-parent.com.', qtype=A
diff --git a/regression-tests/tests/secure-cname-to-insecure/command b/regression-tests/tests/secure-cname-to-insecure/command
new file mode 100755
index 000000000..9ad71facf
--- /dev/null
+++ b/regression-tests/tests/secure-cname-to-insecure/command
@@ -0,0 +1,3 @@
+#!/bin/sh
+cleandig cname-to-insecure.example.com A dnssec
+
diff --git a/regression-tests/tests/secure-cname-to-insecure/description b/regression-tests/tests/secure-cname-to-insecure/description
new file mode 100644
index 000000000..a00dbfb8b
--- /dev/null
+++ b/regression-tests/tests/secure-cname-to-insecure/description
@@ -0,0 +1 @@
+Signed CNAME to an unsigned A.
diff --git a/regression-tests/tests/secure-cname-to-insecure/expected_result b/regression-tests/tests/secure-cname-to-insecure/expected_result
new file mode 100644
index 000000000..7bcd93036
--- /dev/null
+++ b/regression-tests/tests/secure-cname-to-insecure/expected_result
@@ -0,0 +1,5 @@
+0	cname-to-insecure.example.com.	IN	CNAME	120	www.insecure.dnssec-parent.com.
+0	www.insecure.dnssec-parent.com.	IN	A	120	192.0.2.88
+2	.	IN	OPT	32768	
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='cname-to-insecure.example.com.', qtype=A
diff --git a/regression-tests/tests/secure-cname-to-insecure/expected_result.dnssec b/regression-tests/tests/secure-cname-to-insecure/expected_result.dnssec
new file mode 100644
index 000000000..76458ceac
--- /dev/null
+++ b/regression-tests/tests/secure-cname-to-insecure/expected_result.dnssec
@@ -0,0 +1,6 @@
+0	cname-to-insecure.example.com.	IN	CNAME	120	www.insecure.dnssec-parent.com.
+0	cname-to-insecure.example.com.	IN	RRSIG	120	CNAME 13 3 120 [expiry] [inception] [keytag] example.com. ...
+0	www.insecure.dnssec-parent.com.	IN	A	120	192.0.2.88
+2	.	IN	OPT	32768	
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='cname-to-insecure.example.com.', qtype=A
diff --git a/regression-tests/tests/verify-dnssec-zone/command b/regression-tests/tests/verify-dnssec-zone/command
index 98cf3d9a0..30dbe1955 100755
--- a/regression-tests/tests/verify-dnssec-zone/command
+++ b/regression-tests/tests/verify-dnssec-zone/command
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-for zone in $(grep 'zone ' named.conf  | cut -f2 -d\" | grep -v '^\(example.com\|nztest.com\)$')
+for zone in $(grep 'zone ' named.conf  | cut -f2 -d\" | grep -v '^\(example.com\|nztest.com\|insecure.dnssec-parent.com\)$')
 do
 	TFILE=$(mktemp tmp.XXXXXXXXXX)
 	drill -p $port axfr $zone @$nameserver | ldns-read-zone -z -u CDS -u CDNSKEY > $TFILE
diff --git a/regression-tests/zones/dnssec-parent.com b/regression-tests/zones/dnssec-parent.com
index 1a6e88b6c..0800ccf1e 100644
--- a/regression-tests/zones/dnssec-parent.com
+++ b/regression-tests/zones/dnssec-parent.com
@@ -23,3 +23,5 @@ ns1.secure-delegated	IN	A	1.2.3.4
 ns2.secure-delegated	IN	A	5.6.7.8
 insecure-delegated.ent.ent.auth-ent	IN	NS	ns.example.com.
 something1.auth-ent	IN	A	1.1.2.3
+insecure		IN	NS	ns.example.com.
+www			IN	CNAME	www.insecure
diff --git a/regression-tests/zones/example.com b/regression-tests/zones/example.com
index d797d8440..265732345 100644
--- a/regression-tests/zones/example.com
+++ b/regression-tests/zones/example.com
@@ -20202,3 +20202,6 @@ philip.mb          IN      MR      phil.mb.example.com.
 
 ; Test that no out of zone data is sent
 _imap._tcp IN SRV 0 1 143 blah.test.com.
+
+;
+cname-to-insecure  IN      CNAME   www.insecure.dnssec-parent.com.
diff --git a/regression-tests/zones/insecure.dnssec-parent.com b/regression-tests/zones/insecure.dnssec-parent.com
new file mode 100644
index 000000000..b5a3c73cb
--- /dev/null
+++ b/regression-tests/zones/insecure.dnssec-parent.com
@@ -0,0 +1,13 @@
+$TTL 120
+$ORIGIN insecure.dnssec-parent.com.
+@		IN	SOA	ns1.example.com.	ahu.example.com. (
+			2000081501
+			8H ; refresh
+			2H ; retry
+			1W ; expire
+			1D ; default_ttl
+			)
+
+@			IN	NS	ns1.example.com.
+@			IN	NS	ns2.example.com.
+www			IN	A	192.0.2.88
-- 
2.40.0