From b78052119ab3f0355eeb9fb9a9ec199084fc186a Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 19 Dec 2025 18:12:06 +1100 Subject: [PATCH 1/2] Remove determinist selection of nameserver When selecting nameserver addresses to be looked up we were always selecting them in dnssec name order from the start of the nameserver rrset. This could lead to resolution failure despite there being addresses that could be resolved for the other names. Use a random starting point when selecting which names to look up. --- lib/dns/resolver.c | 86 +++++++++++++++++++++++++++------------------- 1 file changed, 51 insertions(+), 35 deletions(-) diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 38e4411820..5240817c0f 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c 
@@ -3673,49 +3673,65 @@ fctx_getaddresses_nameservers(fetchctx_t *fctx, isc_stdtime_t now, dns_rdata_ns_t ns; bool have_address = false; unsigned int ns_processed = 0; + size_t nscount = dns_rdataset_count(&fctx->nameservers); + size_t maxstartns = nscount > NS_PROCESSING_LIMIT ? NS_PROCESSING_LIMIT + : nscount; + size_t startns = isc_random_uniform(maxstartns); - DNS_RDATASET_FOREACH(&fctx->nameservers) { - isc_result_t result = ISC_R_SUCCESS; - dns_rdata_t rdata = DNS_RDATA_INIT; - bool overquota = false; - unsigned int static_stub = 0; - unsigned int no_fetch = 0; + for (size_t pass = 0; pass < 2; pass++) { + size_t curns = 0; - dns_rdataset_current(&fctx->nameservers, &rdata); - /* - * Extract the name from the NS record. - */ - result = dns_rdata_tostruct(&rdata, &ns, NULL); - if (result != ISC_R_SUCCESS) { - continue; - } + DNS_RDATASET_FOREACH(&fctx->nameservers) { + isc_result_t result = ISC_R_SUCCESS; + dns_rdata_t rdata = DNS_RDATA_INIT; + bool overquota = false; + unsigned int static_stub = 0; + unsigned int no_fetch = 0; - if (STATICSTUB(&fctx->nameservers) && - dns_name_equal(&ns.name, fctx->domain)) - { - static_stub = DNS_ADBFIND_STATICSTUB; - } + if (pass == 0 && curns++ < startns) { + continue; + } + if (pass == 1 && curns++ >= startns) { + break; + } - /* - * Make sure we only launch a limited number of - * outgoing fetches. - */ - if (fctx->pending_running >= fetches_allowed) { - no_fetch = DNS_ADBFIND_NOFETCH; - } + dns_rdataset_current(&fctx->nameservers, &rdata); + /* + * Extract the name from the NS record. 
+ */ + result = dns_rdata_tostruct(&rdata, &ns, NULL); + if (result != ISC_R_SUCCESS) { + continue; + } - findname(fctx, &ns.name, 0, stdoptions | static_stub | no_fetch, - 0, now, &overquota, need_alternatep, &have_address); + if (STATICSTUB(&fctx->nameservers) && + dns_name_equal(&ns.name, fctx->domain)) + { + static_stub = DNS_ADBFIND_STATICSTUB; + } - if (!overquota) { - *all_spilledp = false; - } + /* + * Make sure we only launch a limited number of + * outgoing fetches. + */ + if (fctx->pending_running >= fetches_allowed) { + no_fetch = DNS_ADBFIND_NOFETCH; + } - dns_rdata_reset(&rdata); - dns_rdata_freestruct(&ns); + findname(fctx, &ns.name, 0, + stdoptions | static_stub | no_fetch, 0, now, + &overquota, need_alternatep, &have_address); - if (++ns_processed >= NS_PROCESSING_LIMIT) { - break; + if (!overquota) { + *all_spilledp = false; + } + + dns_rdata_reset(&rdata); + dns_rdata_freestruct(&ns); + + if (++ns_processed >= NS_PROCESSING_LIMIT) { + break; + } } } From c67b52684f11652b07afaa75a917f6f0355dbca6 Mon Sep 17 00:00:00 2001 
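Review bot: The `break` at `if (++ns_processed >= NS_PROCESSING_LIMIT)` now leaves only the inner `DNS_RDATASET_FOREACH`, so when pass 0 stops on the limit with `startns > 0`, pass 1 still runs and hands the first NS name to `findname()` before its own limit check fires, giving NS_PROCESSING_LIMIT + 1 lookups. That limit appears to be what bounds the address-lookup work a single delegation can trigger, so the outer loop should stop too, for example `for (size_t pass = 0; pass < 2 && ns_processed < NS_PROCESSING_LIMIT; pass++) {`. Separately, `startns` is drawn from at most the first NS_PROCESSING_LIMIT entries, so names beyond roughly twice the limit in a very large NS rrset can still never be selected; a short comment next to `maxstartns` saying whether that cap is intentional would help. The function body starts before and continues after this hunk.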
From: Colin Vidal Date: Tue, 24 Feb 2026 17:30:56 +0100 Subject: [PATCH 2/2] system test covering NS randomization Add randomizens system test which ensures that NS are randomly selected. The test relies on the fact that `getaddresses_allowed()` logic won't allow querying more than 3 NS at the top-level. The `example.` zone has 4 NS and the first 3 are lame. As a result, if the resolver doesn't randomize the NS selection, it will only query the first 3, which won't give an answer, and fail. With randomization enabled, there is a chance that the resolver queries the fourth NS, and gets the result. --- bin/tests/system/randomizens/README | 21 ++++++++ .../system/randomizens/ns1/named.conf.j2 | 29 ++++++++++ bin/tests/system/randomizens/ns1/root.db | 40 ++++++++++++++ bin/tests/system/randomizens/ns2/1st.db | 25 +++++++++ bin/tests/system/randomizens/ns2/2nd.db | 23 ++++++++ bin/tests/system/randomizens/ns2/example.db | 25 +++++++++ .../system/randomizens/ns2/named.conf.j2 | 53 +++++++++++++++++++ bin/tests/system/randomizens/ns2/xxx.db | 23 ++++++++ bin/tests/system/randomizens/ns3/1st.db | 25 +++++++++ bin/tests/system/randomizens/ns3/example.db | 25 +++++++++ .../system/randomizens/ns3/named.conf.j2 | 43 +++++++++++++++ bin/tests/system/randomizens/ns4/example.db | 25 +++++++++ .../system/randomizens/ns4/named.conf.j2 | 38 +++++++++++++ bin/tests/system/randomizens/ns5/1st.db | 25 +++++++++ bin/tests/system/randomizens/ns5/2nd.db | 23 ++++++++ bin/tests/system/randomizens/ns5/3rd.db | 22 ++++++++ bin/tests/system/randomizens/ns5/example.db | 25 +++++++++ .../system/randomizens/ns5/named.conf.j2 | 53 +++++++++++++++++++ .../system/randomizens/ns6/named.conf.j2 | 39 ++++++++++++++ .../system/randomizens/tests_randomizens.py | 32 +++++++++++ 20 files changed, 614 insertions(+) create mode 100644 bin/tests/system/randomizens/README create mode 100644 bin/tests/system/randomizens/ns1/named.conf.j2 create mode 100644 bin/tests/system/randomizens/ns1/root.db create 
mode 100644 bin/tests/system/randomizens/ns2/1st.db create mode 100644 bin/tests/system/randomizens/ns2/2nd.db create mode 100644 bin/tests/system/randomizens/ns2/example.db create mode 100644 bin/tests/system/randomizens/ns2/named.conf.j2 create mode 100644 bin/tests/system/randomizens/ns2/xxx.db create mode 100644 bin/tests/system/randomizens/ns3/1st.db create mode 100644 bin/tests/system/randomizens/ns3/example.db create mode 100644 bin/tests/system/randomizens/ns3/named.conf.j2 create mode 100644 bin/tests/system/randomizens/ns4/example.db create mode 100644 bin/tests/system/randomizens/ns4/named.conf.j2 create mode 100644 bin/tests/system/randomizens/ns5/1st.db create mode 100644 bin/tests/system/randomizens/ns5/2nd.db create mode 100644 bin/tests/system/randomizens/ns5/3rd.db create mode 100644 bin/tests/system/randomizens/ns5/example.db create mode 100644 bin/tests/system/randomizens/ns5/named.conf.j2 create mode 100644 bin/tests/system/randomizens/ns6/named.conf.j2 create mode 100644 bin/tests/system/randomizens/tests_randomizens.py diff --git a/bin/tests/system/randomizens/README b/bin/tests/system/randomizens/README new file mode 100644 index 0000000000..1628e6b5e2 --- /dev/null +++ b/bin/tests/system/randomizens/README 
@@ -0,0 +1,21 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +SPDX-License-Identifier: MPL-2.0 + +This Source Code Form is subject to the terms of the Mozilla Public +License, v. 2.0. If a copy of the MPL was not distributed with this +file, you can obtain one at https://mozilla.org/MPL/2.0/. + +See the COPYRIGHT file distributed with this work for additional +information regarding copyright ownership. + +ns1 is root +ns{2-4} are auth server on example. but lame +ns5 is an auth server on example. and works +ns6 is a resolver + +Because `getaddresses_allowed()` logic won't allow to query more than 3 NS at +the top-level, only ns{2-4} will be tried without randomization, and example. +couldn't be resolved. However, with randomization, some queries won't start +picking example. NS from ns2, but ns3, ns4 or ns5. This enable to resolver +example. diff --git a/bin/tests/system/randomizens/ns1/named.conf.j2 b/bin/tests/system/randomizens/ns1/named.conf.j2 new file mode 100644 index 0000000000..eb079c95ab --- /dev/null +++ b/bin/tests/system/randomizens/ns1/named.conf.j2 @@ -0,0 +1,29 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; +}; + +zone "." { + type primary; + file "root.db"; +}; diff --git a/bin/tests/system/randomizens/ns1/root.db b/bin/tests/system/randomizens/ns1/root.db new file mode 100644 index 0000000000..98b36c970c --- /dev/null 
+++ b/bin/tests/system/randomizens/ns1/root.db @@ -0,0 +1,40 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 + +example. NS ns2.1st. +example. NS ns3.1st. +example. NS ns4.1st. +example. NS ns5.xxx. + +1st. NS ns2.2nd. +1st. NS ns3.2nd. +1st. NS ns5.xxx. + +2nd. NS ns2.3rd. +2nd. NS ns5.xxx. + +3rd. NS ns2.1st. +3rd. NS ns5.xxx. + +xxx. NS ns2.1st. +xxx. NS ns2.xxx. +ns2.xxx. A 10.53.0.2 diff --git a/bin/tests/system/randomizens/ns2/1st.db b/bin/tests/system/randomizens/ns2/1st.db new file mode 100644 index 0000000000..7f06af074b --- /dev/null +++ b/bin/tests/system/randomizens/ns2/1st.db @@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +1st. NS ns2.2nd. +1st. NS ns3.2nd. +1st. NS ns5.xxx. +ns2.1st. A 10.53.0.2 +ns3.1st. A 10.53.0.3 +ns4.1st. A 10.53.0.4 
diff --git a/bin/tests/system/randomizens/ns2/2nd.db b/bin/tests/system/randomizens/ns2/2nd.db new file mode 100644 index 0000000000..254772b55c --- /dev/null +++ b/bin/tests/system/randomizens/ns2/2nd.db @@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +2nd. NS ns2.3rd. +2nd. NS ns5.xxx. +ns2.2nd. A 10.53.0.2 +ns3.2nd. A 10.53.0.3 diff --git a/bin/tests/system/randomizens/ns2/example.db b/bin/tests/system/randomizens/ns2/example.db new file mode 100644 index 0000000000..440eeb84dd --- /dev/null +++ b/bin/tests/system/randomizens/ns2/example.db @@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + +example. NS ns2.1st. +example. NS ns3.1st. +example. NS ns4.1st. +example. NS ns5.xxx. +foo.example. A 10.53.0.10 
diff --git a/bin/tests/system/randomizens/ns2/named.conf.j2 b/bin/tests/system/randomizens/ns2/named.conf.j2 new file mode 100644 index 0000000000..761a5867b8 --- /dev/null +++ b/bin/tests/system/randomizens/ns2/named.conf.j2 @@ -0,0 +1,53 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + notify yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "example" { + type primary; + file "example.db"; +}; + +zone "1st" { + type primary; + file "1st.db"; +}; + +zone "2nd" { + type primary; + file "2nd.db"; +}; + +zone "xxx" { + type primary; + file "xxx.db"; +}; diff --git a/bin/tests/system/randomizens/ns2/xxx.db b/bin/tests/system/randomizens/ns2/xxx.db new file mode 100644 index 0000000000..2bb4535356 --- /dev/null +++ b/bin/tests/system/randomizens/ns2/xxx.db 
@@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +xxx. NS ns2.xxx. +xxx. NS ns2.1st. +ns2.xxx. A 10.53.0.2 +ns5.xxx. A 10.53.0.5 diff --git a/bin/tests/system/randomizens/ns3/1st.db b/bin/tests/system/randomizens/ns3/1st.db new file mode 100644 index 0000000000..7f06af074b --- /dev/null +++ b/bin/tests/system/randomizens/ns3/1st.db @@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +1st. NS ns2.2nd. +1st. NS ns3.2nd. +1st. NS ns5.xxx. +ns2.1st. A 10.53.0.2 +ns3.1st. A 10.53.0.3 +ns4.1st. A 10.53.0.4 diff --git a/bin/tests/system/randomizens/ns3/example.db b/bin/tests/system/randomizens/ns3/example.db new file mode 100644 index 0000000000..440eeb84dd --- /dev/null +++ b/bin/tests/system/randomizens/ns3/example.db 
@@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + +example. NS ns2.1st. +example. NS ns3.1st. +example. NS ns4.1st. +example. NS ns5.xxx. +foo.example. A 10.53.0.10 diff --git a/bin/tests/system/randomizens/ns3/named.conf.j2 b/bin/tests/system/randomizens/ns3/named.conf.j2 new file mode 100644 index 0000000000..0aaf81552b --- /dev/null +++ b/bin/tests/system/randomizens/ns3/named.conf.j2 @@ -0,0 +1,43 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion no; + notify yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "1st" { + type primary; + file "1st.db"; +}; + +zone "example" { + type primary; + file "example.db"; +}; 
diff --git a/bin/tests/system/randomizens/ns4/example.db b/bin/tests/system/randomizens/ns4/example.db new file mode 100644 index 0000000000..440eeb84dd --- /dev/null +++ b/bin/tests/system/randomizens/ns4/example.db @@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + +example. NS ns2.1st. +example. NS ns3.1st. +example. NS ns4.1st. +example. NS ns5.xxx. +foo.example. A 10.53.0.10 diff --git a/bin/tests/system/randomizens/ns4/named.conf.j2 b/bin/tests/system/randomizens/ns4/named.conf.j2 new file mode 100644 index 0000000000..76f48ff10d --- /dev/null +++ b/bin/tests/system/randomizens/ns4/named.conf.j2 
@@ -0,0 +1,38 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + recursion no; + notify yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "example" { + type primary; + file "example.db"; +}; diff --git a/bin/tests/system/randomizens/ns5/1st.db b/bin/tests/system/randomizens/ns5/1st.db new file mode 100644 index 0000000000..7f06af074b --- /dev/null +++ b/bin/tests/system/randomizens/ns5/1st.db @@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +1st. NS ns2.2nd. +1st. NS ns3.2nd. +1st. NS ns5.xxx. +ns2.1st. A 10.53.0.2 +ns3.1st. A 10.53.0.3 +ns4.1st. A 10.53.0.4 
diff --git a/bin/tests/system/randomizens/ns5/2nd.db b/bin/tests/system/randomizens/ns5/2nd.db new file mode 100644 index 0000000000..254772b55c --- /dev/null +++ b/bin/tests/system/randomizens/ns5/2nd.db @@ -0,0 +1,23 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +2nd. NS ns2.3rd. +2nd. NS ns5.xxx. +ns2.2nd. A 10.53.0.2 +ns3.2nd. A 10.53.0.3 diff --git a/bin/tests/system/randomizens/ns5/3rd.db b/bin/tests/system/randomizens/ns5/3rd.db new file mode 100644 index 0000000000..5bb2d24b98 --- /dev/null +++ b/bin/tests/system/randomizens/ns5/3rd.db @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) +3rd. NS ns5.xxx. +3rd. NS ns2.1st. +ns2.3rd. A 10.53.0.2 diff --git a/bin/tests/system/randomizens/ns5/example.db b/bin/tests/system/randomizens/ns5/example.db new file mode 100644 index 0000000000..440eeb84dd --- /dev/null 
+++ b/bin/tests/system/randomizens/ns5/example.db @@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + +example. NS ns2.1st. +example. NS ns3.1st. +example. NS ns4.1st. +example. NS ns5.xxx. +foo.example. A 10.53.0.10 diff --git a/bin/tests/system/randomizens/ns5/named.conf.j2 b/bin/tests/system/randomizens/ns5/named.conf.j2 new file mode 100644 index 0000000000..339d552740 --- /dev/null +++ b/bin/tests/system/randomizens/ns5/named.conf.j2 
@@ -0,0 +1,53 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.5; + notify-source 10.53.0.5; + transfer-source 10.53.0.5; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.5; }; + listen-on-v6 { none; }; + recursion no; + notify yes; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "1st" { + type primary; + file "1st.db"; +}; + +zone "2nd" { + type primary; + file "2nd.db"; +}; + +zone "3rd" { + type primary; + file "3rd.db"; +}; + +zone "example" { + type primary; + file "example.db"; +}; diff --git a/bin/tests/system/randomizens/ns6/named.conf.j2 b/bin/tests/system/randomizens/ns6/named.conf.j2 new file mode 100644 index 0000000000..1c68943d22 --- /dev/null +++ b/bin/tests/system/randomizens/ns6/named.conf.j2 
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+options {
+ query-source address 10.53.0.6;
+ notify-source 10.53.0.6;
+ transfer-source 10.53.0.6;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.6; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../_common/root.hint";
+};
diff --git a/bin/tests/system/randomizens/tests_randomizens.py b/bin/tests/system/randomizens/tests_randomizens.py
new file mode 100644
index 0000000000..907a82aadc
--- /dev/null
+++ b/bin/tests/system/randomizens/tests_randomizens.py
@@ -0,0 +1,32 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import dns.rcode
+
+import isctest
+
+
+def attempt_query(ns):
+ ns.rndc("flush")
+ msg = isctest.query.create("foo.example.", "A")
+ res = isctest.query.udp(msg, ns.ip)
+ if msg.rcode() == dns.rcode.NOERROR:
+ return len(res.answer) == 1
+ return False
+
+
+def test_randomizens(ns6):
+ resolved = False
+ for _ in range(1, 25):
+ if attempt_query(ns6):
+ resolved = True
+ break
+ assert resolved
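Review bot: In `attempt_query` the rcode check reads the query that was just built, `msg.rcode()`, rather than the reply, so it is presumably always NOERROR and only `len(res.answer) == 1` decides the outcome; the line should be `if res.rcode() == dns.rcode.NOERROR:`. In `test_randomizens`, `range(1, 25)` makes 24 attempts, not 25; `range(24)` or a named constant would state the retry budget plainly. Because the test passes on the first lucky attempt, a short docstring giving the expected per-attempt miss rate would document why 24 tries is enough to keep it from being flaky.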