Data retry on validation failure.

git-svn-id: file:///svn/unbound/trunk@1859 be551aaa-1e26-0410-a405-d3ace91eadb9
2025-12-20 23:00:56 -05:00 · 2009-10-06 08:31:47 +00:00 · 2009-10-06 08:31:47 +00:00 · 455c3d130d
commit 455c3d130d
parent c43987e8e1
46 changed files with 794 additions and 189 deletions
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,3 +1,12 @@
 6 October 2009: Wouter
 	- Test set updated to provide additional ns lookup result.
 	  The retry would attempt to fetch the data from other nameservers
 	  for bogus data, and this needed to be provisioned in the tests.
 5 October 2009: Wouter
 	- first validation failure retry code.  Retries for data failures.
 	  And unit test.
 2 October 2009: Wouter
 	- improve 5011 modularization.
 	- fix unbound-host so -d can be given before -C.
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@ -63,6 +63,8 @@
 /** time when nameserver glue is said to be 'recent' */
 #define SUSPICION_RECENT_EXPIRY 86400
 /** penalty to validation failed blacklisted IPs */
 #define BLACKLIST_PENALTY (USEFUL_SERVER_TOP_TIMEOUT*3)
 /** fillup fetch policy array */
 static void
@ -163,6 +165,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
 *	UNKNOWN_SERVER_NICENESS 
 *		If no information is known about the server, this is
 *		returned. 376 msec or so.
 *	+BLACKLIST_PENALTY (of USEFUL_TOP_TIMEOUT*3) for dnssec failed IPs.
 *
 * When a final value is chosen that is dnsseclame ; dnsseclameness checking
 * is turned off (so we do not discard the reply).
@ -215,7 +218,7 @@ iter_filter_unsuitable(struct iter_env* iter_env, struct module_env* env,
 static int
 iter_fill_rtt(struct iter_env* iter_env, struct module_env* env,
 	uint8_t* name, size_t namelen, uint16_t qtype, uint32_t now, 
-	struct delegpt* dp, int* best_rtt)
+	struct delegpt* dp, int* best_rtt, struct sock_list* blacklist)
 {
 	int got_it = 0;
 	struct delegpt_addr* a;
@ -225,6 +228,9 @@ iter_fill_rtt(struct iter_env* iter_env, struct module_env* env,
 		a->sel_rtt = iter_filter_unsuitable(iter_env, env, 
 			name, namelen, qtype, now, a);
 		if(a->sel_rtt != -1) {
 			if(sock_list_find(blacklist, &a->addr, a->addrlen))
 				a->sel_rtt += BLACKLIST_PENALTY;
 			if(!got_it) {
 				*best_rtt = a->sel_rtt;
 				got_it = 1;
@ -241,14 +247,15 @@ iter_fill_rtt(struct iter_env* iter_env, struct module_env* env,
 static int
 iter_filter_order(struct iter_env* iter_env, struct module_env* env,
 	uint8_t* name, size_t namelen, uint16_t qtype, uint32_t now, 
-	struct delegpt* dp, int* selected_rtt, int open_target)
+	struct delegpt* dp, int* selected_rtt, int open_target, 
 	struct sock_list* blacklist)
 {
 	int got_num = 0, low_rtt = 0, swap_to_front;
 	struct delegpt_addr* a, *n, *prev=NULL;
 	/* fillup sel_rtt and find best rtt in the bunch */
 	got_num = iter_fill_rtt(iter_env, env, name, namelen, qtype, now, dp, 
-		&low_rtt);
+		&low_rtt, blacklist);
 	if(got_num == 0) 
 		return 0;
 	if(low_rtt >= USEFUL_SERVER_TOP_TIMEOUT &&
@ -294,13 +301,13 @@ struct delegpt_addr*
 iter_server_selection(struct iter_env* iter_env, 
 	struct module_env* env, struct delegpt* dp, 
 	uint8_t* name, size_t namelen, uint16_t qtype, int* dnssec_expected,
-	int* chase_to_rd, int open_target)
+	int* chase_to_rd, int open_target, struct sock_list* blacklist)
 {
 	int sel;
 	int selrtt;
 	struct delegpt_addr* a, *prev;
 	int num = iter_filter_order(iter_env, env, name, namelen, qtype,
-		*env->now, dp, &selrtt, open_target);
+		*env->now, dp, &selrtt, open_target, blacklist);
 	if(num == 0)
 		return NULL;
--- a/iterator/iter_utils.h
+++ b/iterator/iter_utils.h
@ -54,6 +54,7 @@ struct ub_randstate;
 struct query_info;
 struct reply_info;
 struct module_qstate;
 struct sock_list;
 /**
 * Process config options and set iterator module state.
@ -81,13 +82,14 @@ int iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg);
 * 	these are not preferred, but are used as a last resort.
 * @param open_target: number of currently outstanding target queries.
 * 	If we wait for these, perhaps more server addresses become available.
 * @param blacklist: the IP blacklist to use.
 * @return best target or NULL if no target.
 *	if not null, that target is removed from the result list in the dp.
 */
 struct delegpt_addr* iter_server_selection(struct iter_env* iter_env, 
 	struct module_env* env, struct delegpt* dp, uint8_t* name, 
 	size_t namelen, uint16_t qtype, int* dnssec_expected,
-	int* chase_to_rd, int open_target);
+	int* chase_to_rd, int open_target, struct sock_list* blacklist);
 /**
 * Allocate dns_msg from parsed msg, in regional.
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@ -858,6 +858,12 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
 	/* This either results in a query restart (CNAME cache response), a
 	 * terminating response (ANSWER), or a cache miss (null). */
 	if(qstate->blacklist) {
 		/* if cache, or anything else, was blacklisted then
 		 * getting older results from cache is a bad idea, no cache */
 		verbose(VERB_ALGO, "cache blacklisted, going to the network");
 		msg = NULL;
 	} else {
 		msg = dns_cache_lookup(qstate->env, iq->qchase.qname, 
 			iq->qchase.qname_len, iq->qchase.qtype, 
 			iq->qchase.qclass, qstate->region, qstate->env->scratch);
@ -868,6 +874,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
 				qstate->region, qstate->env->rrset_cache,
 				qstate->env->scratch_buffer, *qstate->env->now);
 		}
 	}
 	if(msg) {
 		/* handle positive cache response */
 		enum response_type type = response_type_from_cache(msg, 
@ -894,9 +901,13 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
 			iq->dp = NULL;
 			iq->refetch_glue = 0;
 			iq->query_restart_count++;
 			sock_list_insert(&qstate->reply_origin, NULL, 0, qstate->region);
 			return next_state(iq, INIT_REQUEST_STATE);
 		}
 		/* if from cache, NULL, else insert 'cache IP' len=0 */
 		if(qstate->reply_origin)
 			sock_list_insert(&qstate->reply_origin, NULL, 0, qstate->region);
 		/* it is an answer, response, to final state */
 		verbose(VERB_ALGO, "returning answer from cache.");
 		iq->response = msg;
@ -1101,6 +1112,8 @@ processInitRequest3(struct module_qstate* qstate, struct iter_qstate* iq)
 		if(verbosity >= VERB_ALGO)
 			log_dns_msg("no RD requested, using delegation msg", 
 				&iq->response->qinfo, iq->response->rep);
 		if(qstate->reply_origin)
 			sock_list_insert(&qstate->reply_origin, NULL, 0, qstate->region);
 		return final_state(iq);
 	}
@ -1349,7 +1362,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 	/* Select the next usable target, filtering out unsuitable targets. */
 	target = iter_server_selection(ie, qstate->env, iq->dp, 
 		iq->dp->name, iq->dp->namelen, iq->qchase.qtype,
-		&iq->dnssec_expected, &iq->chase_to_rd, iq->num_target_queries);
+		&iq->dnssec_expected, &iq->chase_to_rd, iq->num_target_queries,
 		qstate->blacklist);
 	/* If no usable target was selected... */
 	if(!target) {
@ -1534,6 +1548,10 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 			qstate->env->detach_subs));
 		(*qstate->env->detach_subs)(qstate);
 		iq->num_target_queries = 0;
 		if(qstate->reply)
 			sock_list_insert(&qstate->reply_origin, 
 				&qstate->reply->addr, qstate->reply->addrlen, 
 				qstate->region);
 		return final_state(iq);
 	} else if(type == RESPONSE_TYPE_REFERRAL) {
 		/* REFERRAL type responses get a reset of the 
@ -1643,6 +1661,10 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 			qstate->env->detach_subs));
 		(*qstate->env->detach_subs)(qstate);
 		iq->num_target_queries = 0;
 		if(qstate->reply)
 			sock_list_insert(&qstate->reply_origin, 
 				&qstate->reply->addr, qstate->reply->addrlen, 
 				qstate->region);
 		verbose(VERB_ALGO, "cleared outbound list for query restart");
 		/* go to INIT_REQUEST_STATE for new qname. */
 		return next_state(iq, INIT_REQUEST_STATE);
--- a/services/mesh.c
+++ b/services/mesh.c
@ -851,7 +851,7 @@ mesh_continue(struct mesh_area* mesh, struct mesh_state* mstate,
 			&mstate->s.qinfo);
 		s = module_error;
 	}
-	if(s == module_wait_module) {
+	if(s == module_wait_module || s == module_restart_next) {
 		/* start next module */
 		mstate->s.curmod++;
 		if(mesh->mods.num == mstate->s.curmod) {
@ -861,6 +861,13 @@ mesh_continue(struct mesh_area* mesh, struct mesh_state* mstate,
 			mstate->s.curmod--;
 			return mesh_continue(mesh, mstate, module_error, ev);
 		}
 		if(s == module_restart_next) {
 			fptr_ok(fptr_whitelist_mod_clear(
 				mesh->mods.mod[mstate->s.curmod]->clear));
 			(*mesh->mods.mod[mstate->s.curmod]->clear)
 				(&mstate->s, mstate->s.curmod);
 			mstate->s.minfo[mstate->s.curmod] = NULL;
 		}
 		*ev = module_event_pass;
 		return 1;
 	}
--- a/testdata/autotrust_addpend_early.rpl
+++ b/testdata/autotrust_addpend_early.rpl
@ -137,6 +137,14 @@ example.com.	10800	IN	DNSKEY	256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoR
 example.com.	10800	IN	RRSIG	DNSKEY 5 2 10800 20091024111500 20090921111500 30899 example.com. nDlOZCE24pNtuoYkmmy9cVvtCn7ykdmlhJX9hYcI9b3DzqJjOrGz3GD5RQvti3uxD74gFcFho0g76NwOKFx/qQ== ;{id = 30899}
 example.com.	10800	IN	RRSIG	DNSKEY 5 2 10800 20091024111500 20090921111500 60946 example.com. qBHDZu0XQmr6kpt51r1DxT5tuyfwSHcoL8qLpwwhyyNFF13OPlvxgmCVl+1v27A9+h8tcuqaNls5f+tcFBwtRg== ;{id = 60946}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qname qtype
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.com. IN AAAA
 ENTRY_END
 RANGE_END
@ -213,7 +221,7 @@ FILE_BEGIN
 ;;last_queried: ${$t4} ;;${ctime $t4}
 ;;last_success: ${$t2} ;;${ctime $t2}
 ;;next_probe_time: ${$t4 + $probe4} ;;${ctime $t4 + $probe4}
-;;query_failed: 1
+;;query_failed: 6
 ;;query_interval: 5400
 ;;retry_time: 3600
 example.com.	10800	IN	DNSKEY	257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} ;;state=1 [ ADDPEND ] ;;count=2 ;;lastchange=${$t1} ;;${ctime $t1}
--- a/testdata/autotrust_addpend_nosign.rpl
+++ b/testdata/autotrust_addpend_nosign.rpl
@ -142,6 +142,13 @@ example.com.    10800   IN      RRSIG   DNSKEY 5 2 10800 20091024111500 20090921
 example.com.    10800   IN      RRSIG   DNSKEY 5 2 10800 20091024111500 20090921111500 60946 example.com. o+Cbs7DcYPYlSLd4hi3vkSVQpXGnKgKSi9MpHGfu1Uahv5190U2DUOxP1du/HOYbf+IHYL8zLbMZjVEG5wgnTg== ;{id = 60946}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qname qtype
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.com. IN AAAA
 ENTRY_END
 RANGE_END
 ; set date/time to Aug 24 09:46:40  (2009).
@ -197,7 +204,7 @@ FILE_BEGIN
 ;;last_queried: ${$t2} ;;${ctime $t2}
 ;;last_success: ${$t1} ;;${ctime $t1}
 ;;next_probe_time: ${$t2 + $probe2} ;;${ctime $t2 + $probe2}
-;;query_failed: 1
+;;query_failed: 6
 ;;query_interval: 5400
 ;;retry_time: 3600
 example.com.	10800	IN	DNSKEY	257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} ;;state=1 [ ADDPEND ] ;;count=1 ;;lastchange=${$t1} ;;${ctime $t1}
--- a/testdata/autotrust_addpend_nosignnew.rpl
+++ b/testdata/autotrust_addpend_nosignnew.rpl
@ -143,6 +143,13 @@ example.com.	10800	IN	RRSIG	DNSKEY 5 2 10800 20091024111500 20090921111500 30899
 example.com.	10800	IN	RRSIG	DNSKEY 5 2 10800 20091024111500 20090921111500 60946 example.com. rOxbAROwiW21OR8HjINk3IBs9bsxJKjipQ5EU4wWutiF/jr6KNT6LgtZv0TaFSiBHN/Jqz1wB2ODD2HXwLQ4DQ== ;{id = 60946}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qname qtype
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.com. IN AAAA
 ENTRY_END
 RANGE_END
 ; set date/time to Aug 24 09:46:40  (2009).
@ -198,7 +205,7 @@ FILE_BEGIN
 ;;last_queried: ${$t2} ;;${ctime $t2}
 ;;last_success: ${$t1} ;;${ctime $t1}
 ;;next_probe_time: ${$t2 + $probe2} ;;${ctime $t2 + $probe2}
-;;query_failed: 1
+;;query_failed: 6
 ;;query_interval: 5400
 ;;retry_time: 3600
 example.com.	10800	IN	DNSKEY	257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} ;;state=1 [ ADDPEND ] ;;count=1 ;;lastchange=${$t1} ;;${ctime $t1}
--- a/testdata/autotrust_addpend_once.rpl
+++ b/testdata/autotrust_addpend_once.rpl
@ -140,6 +140,14 @@ example.com.	10800	IN	RRSIG	DNSKEY 5 2 10800 20091124111500 20091018111500 30899
 ;example.com.	10800	IN	RRSIG	DNSKEY 5 2 10800 20091124111500 20091018111500 55582 example.com. v/HJbdpeVMpbhwYXrT1EDGpAFMvEgdKQII1cAbP6o8KHYNKDh8TIJ25/pXe3daEXfej6/Z5kpqJ79okPKUoi1Q== ;{id = 55582}
 example.com.	10800	IN	RRSIG	DNSKEY 5 2 10800 20091124111500 20091018111500 60946 example.com. HgXol1hdvbomOM1CFRW8qsHd3D0qOnN72EeMHTcpxIBBiuNLKZn4n1M14Voxj3vo0eAMNuG/y7EjQkxKvSsaDA== ;{id = 60946}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qname qtype
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.com. IN AAAA
 ENTRY_END
 RANGE_END
 ; ns.example.com.  KSK 55582-REVOKED and 60946
@ -165,6 +173,14 @@ example.com.	10800	IN	RRSIG	DNSKEY 5 2 10800 20091224111500 20091118111500 55710
 ;example.com.	10800	IN	RRSIG	DNSKEY 5 2 10800 20091224111500 20091118111500 55582 example.com. nH/6HauVJI4GGz78UoK/38cOOrEqsYZP0jFzfCC3OyIlclVTjAFvjVPlVMGK7sA5Nw1v20YtFTQkXZgbrRuInQ== ;{id = 55582}
 example.com.	10800	IN	RRSIG	DNSKEY 5 2 10800 20091224111500 20091118111500 60946 example.com. xKSBZr4vOsEUKlVoNb6SOV69DM7xFOJI4gPFKq5Tv4APIMJ/9G3odoDmNcLCVyYGzhoDik5hciJnZio6UHgzAA== ;{id = 60946}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qname qtype
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.com. IN AAAA
 ENTRY_END
 RANGE_END
 ; ns.example.com.  KSK 60946
@ -242,7 +258,7 @@ FILE_BEGIN
 ;;last_queried: ${$t4} ;;${ctime $t4}
 ;;last_success: ${$t1} ;;${ctime $t1}
 ;;next_probe_time: ${$t4 + $probe4} ;;${ctime $t4 + $probe4}
-;;query_failed: 1
+;;query_failed: 6
 ;;query_interval: 5400
 ;;retry_time: 3600
 example.com.	10800	IN	DNSKEY	257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} ;;state=1 [ ADDPEND ] ;;count=1 ;;lastchange=${$t1} ;;${ctime $t1}
--- a/testdata/autotrust_probefailsig.rpl
+++ b/testdata/autotrust_probefailsig.rpl
@ -106,6 +106,13 @@ www.example.com. IN A 10.20.30.40
 ENTRY_END
 RANGE_END
 ENTRY_BEGIN
 MATCH opcode qname qtype
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.com. IN AAAA
 ENTRY_END
 RANGE_END
 ; set date/time to Mon Nov 23 10:46:40 2009
@ -123,7 +130,7 @@ FILE_BEGIN
 ;;last_queried: ${$t0} ;;${ctime $t0}
 ;;last_success: 1258962400 ;;Mon Nov 23 08:46:40 2009
 ;;next_probe_time: ${$t0+$probe0} ;;${ctime $t0+$probe0}
-;;query_failed: 1
+;;query_failed: 6
 ;;query_interval: 5400
 ;;retry_time: 3600
 example.com.	10800	IN	DNSKEY	257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1258962400 ;;Mon Nov 23 08:46:40 2009
--- a/testdata/autotrust_revoked_use.rpl
+++ b/testdata/autotrust_revoked_use.rpl
@ -187,6 +187,14 @@ example.com.	10800	IN	RRSIG	DNSKEY 5 2 10800 20091224111500 20091118111500 30899
 example.com.	10800	IN	RRSIG	DNSKEY 5 2 10800 20091224111500 20091118111500 60946 example.com. p6lOsJpkmZUbj1KCSwzxip0NbK0SnjV1LKLayqkWTDiVNkTYHHLHHJfOU8Grb63SDTsZ5lyDocIwJSUBiKuhig== ;{id = 60946}
 example.com.	10800	IN	RRSIG	DNSKEY 5 2 10800 20091224111500 20091118111500 55582 example.com. NsC5s2quifzA7yQBnbroWHJ9rHfSrBo0V7+c+kZoii2cViOm8636uqcWlaNTqNtD5UI6vzQ5zXF4P8JGoac6ZQ== ;{id = 55582}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qname qtype
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.com. IN AAAA
 ENTRY_END
 RANGE_END
@ -211,6 +219,14 @@ example.com.	10800	IN	DNSKEY	256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoR
 example.com.	10800	IN	RRSIG	DNSKEY 5 2 10800 20091224111500 20091118111500 30899 example.com. jTB+ID5gp3U+cxedEPpRvM3tegrBFuVjGR7y9IL+olrtbs5Yr3qeANJwbfO1WVAWiG+EtG876uHny9epo/tlhQ== ;{id = 30899}
 example.com.	10800	IN	RRSIG	DNSKEY 5 2 10800 20091224111500 20091118111500 55582 example.com. NsC5s2quifzA7yQBnbroWHJ9rHfSrBo0V7+c+kZoii2cViOm8636uqcWlaNTqNtD5UI6vzQ5zXF4P8JGoac6ZQ== ;{id = 55582}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qname qtype
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.com. IN AAAA
 ENTRY_END
 RANGE_END
 ; set date/time to Aug 24 09:46:40  (2009).
@ -361,7 +377,7 @@ FILE_BEGIN
 ;;last_queried: ${$t7} ;;${ctime $t7}
 ;;last_success: ${$t6} ;;${ctime $t6}
 ;;next_probe_time: ${$t7 + $probe7} ;;${ctime $t7 + $probe7}
-;;query_failed: 1
+;;query_failed: 6
 ;;query_interval: 5400
 ;;retry_time: 3600
 example.com.	10800	IN	DNSKEY	257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=${$t4} ;;${ctime $t4}
--- a/testdata/autotrust_revoked_with_invalid.rpl
+++ b/testdata/autotrust_revoked_with_invalid.rpl
@ -84,6 +84,14 @@ example.com.	10800	IN	DNSKEY	257 3 5 AwEAAas/cAhCFXvBUgTSNZCvQp0pLx1dY+7rXR0hH4/
 example.com.	10800	IN	RRSIG	DNSKEY 5 2 10800 20091124111500 20091018111500 55710 example.com. nu+W3T0afsJc2MrrsnBZ3adysi39TLUJ0o8GYaR/PFYsYSOigSCnr3xo05aKoNZ2oeQXhmwQVAxfwU1M/jXngQ== ;{id = 55710}
 example.com.	10800	IN	RRSIG	DNSKEY 5 2 10800 20091124111500 20091018111500 16486 example.com. LDW5an/v6YzgUhpTm8VJnBCko56WDvzzoqCmjXBwpoGjWXThO2hUyO6w00K90swQvKwgIWsC4y00zFlOgLayJw== ;{id = 16486}
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qname qtype
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.com. IN AAAA
 ENTRY_END
 RANGE_END
@ -102,7 +110,7 @@ FILE_BEGIN
 ;;last_queried: ${$t0} ;;${ctime $t0}
 ;;last_success: ${$tp} ;;${ctime $tp}
 ;;next_probe_time: ${$t0 + $probe0} ;;${ctime $t0 + $probe0}
-;;query_failed: 1
+;;query_failed: 6
 ;;query_interval: 5400
 ;;retry_time: 3600
 example.com.	10800	IN	DNSKEY	385 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55710 (ksk), size = 512b} ;;state=4 [ REVOKED ] ;;count=0 ;;lastchange=${$t0} ;;${ctime $t0}
--- a/testdata/val_cnametoposnowc.rpl
+++ b/testdata/val_cnametoposnowc.rpl
@ -81,22 +81,22 @@ a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode qtype qname
+MATCH opcode subdomain
-ADJUST copy_id
+ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-www.example.com. IN A
+example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode qtype qname
+MATCH opcode subdomain
-ADJUST copy_id
+ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-www.example.net. IN A
+example.net. IN A
 SECTION AUTHORITY
 example.net.	IN NS	ns.example.net.
 SECTION ADDITIONAL
@ -152,6 +152,14 @@ www.example.com.        3600    IN      RRSIG   CNAME DSA 3 3600 20070926134150
 SECTION AUTHORITY
 SECTION ADDITIONAL
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qname qtype
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.com. IN AAAA
 ENTRY_END
 RANGE_END
 ; ns.example.net.
@ -206,6 +214,14 @@ SECTION AUTHORITY
 ;wab.example.net.        3600    IN      RRSIG   NSEC 5 3 3600 20070926134150 20070829134150 30899 example.net. gl8vkI3xfSWx4Pyv5OdOthiewE6u/13kclY7UG9ptuFBddamdJO3RQqyxM6Xcmq+ToO4kMCCyaKijp01gTDoGg== ;{id = 30899}
 SECTION ADDITIONAL
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qname qtype
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.net. IN AAAA
 ENTRY_END
 RANGE_END
 STEP 1 QUERY
--- a/testdata/val_dnamewc.rpl
+++ b/testdata/val_dnamewc.rpl
@ -81,22 +81,22 @@ a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode qtype qname
+MATCH opcode subdomain
-ADJUST copy_id
+ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-www.sub.example.com. IN A
+example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode qtype qname
+MATCH opcode subdomain
-ADJUST copy_id
+ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-www.example.net. IN A
+example.net. IN A
 SECTION AUTHORITY
 example.net.	IN NS	ns.example.net.
 SECTION ADDITIONAL
@ -107,6 +107,14 @@ RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.com. IN AAAA
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
@ -163,6 +171,14 @@ RANGE_END
 ; ns.example.net.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.5
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.net. IN AAAA
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
--- a/testdata/val_ds_gost_downgrade.rpl
+++ b/testdata/val_ds_gost_downgrade.rpl
@ -56,11 +56,11 @@ a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode qtype qname
+MATCH opcode subdomain
-ADJUST copy_id
+ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-www.sub.example.com. IN A
+example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
@ -71,6 +71,14 @@ RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.com. IN AAAA
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
@ -183,6 +191,15 @@ www.sub.example.com.    3600    IN      RRSIG   A 211 4 3600 20070926134150 2007
 SECTION AUTHORITY
 SECTION ADDITIONAL
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.sub.example.com. IN AAAA
 ENTRY_END
 RANGE_END
 STEP 1 QUERY
--- a/testdata/val_ds_sha2_downgrade.rpl
+++ b/testdata/val_ds_sha2_downgrade.rpl
@ -180,6 +180,15 @@ www.sub.example.com.    3600    IN      RRSIG   A 5 4 3600 20070926134150 200708
 SECTION AUTHORITY
 SECTION ADDITIONAL
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.sub.example.com. IN AAAA
 ENTRY_END
 RANGE_END
 STEP 1 QUERY
--- a/testdata/val_nodata_failsig.rpl
+++ b/testdata/val_nodata_failsig.rpl
@ -56,11 +56,11 @@ a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode qtype qname
+MATCH opcode subdomain
-ADJUST copy_id
+ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-www.example.com. IN A
+example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
@ -71,6 +71,14 @@ RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.com. IN AAAA
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
--- a/testdata/val_nodata_hasdata.rpl
+++ b/testdata/val_nodata_hasdata.rpl
@ -56,11 +56,11 @@ a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode qtype qname
+MATCH opcode subdomain
-ADJUST copy_id
+ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-www.example.com. IN A
+example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
@ -71,6 +71,14 @@ RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.com. IN AAAA
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
--- a/testdata/val_nodata_zonecut.rpl
+++ b/testdata/val_nodata_zonecut.rpl
@ -56,11 +56,11 @@ a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode qtype qname
+MATCH opcode subdomain
-ADJUST copy_id
+ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-www.example.com. IN A
+example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
@ -71,6 +71,14 @@ RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.com. IN AAAA
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
--- a/testdata/val_nodatawc_badce.rpl
+++ b/testdata/val_nodatawc_badce.rpl
@ -56,11 +56,11 @@ a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode qtype qname
+MATCH opcode subdomain
-ADJUST copy_id
+ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-www.example.com. IN A
+example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
@ -71,6 +71,14 @@ RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.com. IN AAAA
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
--- a/testdata/val_nodatawc_nodeny.rpl
+++ b/testdata/val_nodatawc_nodeny.rpl
@ -56,11 +56,11 @@ a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode qtype qname
+MATCH opcode subdomain
-ADJUST copy_id
+ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-www.example.com. IN A
+example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
@ -71,6 +71,14 @@ RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.com. IN AAAA
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
--- a/testdata/val_nsec3_b1_nameerror_noce.rpl
+++ b/testdata/val_nsec3_b1_nameerror_noce.rpl
@ -27,11 +27,11 @@ K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode qtype
+MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-. IN A
+example. IN A
 SECTION AUTHORITY
 example.	IN NS	ns1.example.
 ; leave out to make unbound take ns1
@ -46,6 +46,15 @@ RANGE_END
 ; ns1.example.
 RANGE_BEGIN 0 100
 	ADDRESS 192.0.2.1
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id copy_query
 REPLY QR REFUSED
 SECTION QUESTION
 ns1.example. IN AAAA
 SECTION ANSWER
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id copy_query
--- a/testdata/val_nsec3_b1_nameerror_nonc.rpl
+++ b/testdata/val_nsec3_b1_nameerror_nonc.rpl
@ -27,11 +27,11 @@ K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode qtype
+MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-. IN A
+example. IN A
 SECTION AUTHORITY
 example.	IN NS	ns1.example.
 ; leave out to make unbound take ns1
@ -46,6 +46,15 @@ RANGE_END
 ; ns1.example.
 RANGE_BEGIN 0 100
 	ADDRESS 192.0.2.1
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id copy_query
 REPLY QR REFUSED
 SECTION QUESTION
 ns1.example. IN AAAA
 SECTION ANSWER
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id copy_query
--- a/testdata/val_nsec3_b1_nameerror_nowc.rpl
+++ b/testdata/val_nsec3_b1_nameerror_nowc.rpl
@ -27,11 +27,11 @@ K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode qtype
+MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-. IN A
+example. IN A
 SECTION AUTHORITY
 example.	IN NS	ns1.example.
 ; leave out to make unbound take ns1
@ -46,6 +46,15 @@ RANGE_END
 ; ns1.example.
 RANGE_BEGIN 0 100
 	ADDRESS 192.0.2.1
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id copy_query
 REPLY QR REFUSED
 SECTION QUESTION
 ns1.example. IN AAAA
 SECTION ANSWER
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id copy_query
--- a/testdata/val_nsec3_b21_nodataent_wr.rpl
+++ b/testdata/val_nsec3_b21_nodataent_wr.rpl
@ -27,11 +27,11 @@ K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode
+MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-. IN A
+example. IN A
 SECTION AUTHORITY
 example.	IN NS	ns1.example.
 ; leave out to make unbound take ns1
@ -46,6 +46,15 @@ RANGE_END
 ; ns1.example.
 RANGE_BEGIN 0 100
 	ADDRESS 192.0.2.1
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id copy_query
 REPLY QR REFUSED
 SECTION QUESTION
 ns1.example. IN AAAA
 SECTION ANSWER
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id copy_query
--- a/testdata/val_nsec3_b2_nodata_nons.rpl
+++ b/testdata/val_nsec3_b2_nodata_nons.rpl
@ -27,11 +27,11 @@ K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode
+MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-. IN A
+example. IN A
 SECTION AUTHORITY
 example.	IN NS	ns1.example.
 ; leave out to make unbound take ns1
@ -46,6 +46,15 @@ RANGE_END
 ; ns1.example.
 RANGE_BEGIN 0 100
 	ADDRESS 192.0.2.1
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id copy_query
 REPLY QR REFUSED
 SECTION QUESTION
 ns1.example. IN AAAA
 SECTION ANSWER
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id copy_query
--- a/testdata/val_nsec3_b3_optout_noce.rpl
+++ b/testdata/val_nsec3_b3_optout_noce.rpl
@ -27,11 +27,11 @@ K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode
+MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-. IN A
+example. IN A
 SECTION AUTHORITY
 example.	IN NS	ns1.example.
 ; leave out to make unbound take ns1
@ -46,6 +46,15 @@ RANGE_END
 ; ns1.example.
 RANGE_BEGIN 0 100
 	ADDRESS 192.0.2.1
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id copy_query
 REPLY QR REFUSED
 SECTION QUESTION
 ns1.example. IN AAAA
 SECTION ANSWER
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id copy_query
@ -74,7 +83,25 @@ MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA DO NOERROR
 SECTION QUESTION
-mc.c.example.       IN MX
+c.example.       IN DS
 SECTION AUTHORITY
 ;; NSEC3 RR that covers the "next closer" name (c.example)
 ;; H(c.example) = 4g6p9u5gvfshp30pqecj98b3maqbn1ck
 35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd ( b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
 35mthgpgcu1qg68fab165klnsnk3dpvl.example. RRSIG   NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example.  g6jPUUpduAJKRljUsN8gB4UagAX0NxY9shwQ Aynzo8EUWH+z6hEIBlUTPGj15eZll6VhQqgZ XtAIR3chwgW+SA== )
 ;; NSEC3 RR that matches the closest encloser (example)
 ;; H(example) = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
 ;0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd ( 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG )
 ;0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG   NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example.  OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762 BOCXJZMnpuwhpA== )
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR AA DO NOERROR
 SECTION QUESTION
 c.example.       IN MX
 SECTION AUTHORITY
 c.example.	NS      ns1.c.example.
 c.example. 	NS      ns2.c.example.
@ -94,30 +121,27 @@ ns1.c.example. A       192.0.2.7
 ns2.c.example. A       192.0.2.8
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA DO NOERROR
 SECTION QUESTION
 c.example.       IN DS
 SECTION AUTHORITY
 ;; NSEC3 RR that covers the "next closer" name (c.example)
 ;; H(c.example) = 4g6p9u5gvfshp30pqecj98b3maqbn1ck
 35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd ( b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
 35mthgpgcu1qg68fab165klnsnk3dpvl.example. RRSIG   NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example.  g6jPUUpduAJKRljUsN8gB4UagAX0NxY9shwQ Aynzo8EUWH+z6hEIBlUTPGj15eZll6VhQqgZ XtAIR3chwgW+SA== )
 ;; NSEC3 RR that matches the closest encloser (example)
 ;; H(example) = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
 ;0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd ( 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG )
 ;0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG   NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example.  OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762 BOCXJZMnpuwhpA== )
 ENTRY_END
 RANGE_END
 ; ns1.c.example.
 RANGE_BEGIN 0 100
 	ADDRESS 192.0.2.7
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns1.c.example.       IN AAAA
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns2.c.example.       IN AAAA
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
@ -152,6 +176,22 @@ RANGE_END
 ; ns2.c.example.
 RANGE_BEGIN 0 100
 	ADDRESS 192.0.2.8
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns1.c.example.       IN AAAA
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns2.c.example.       IN AAAA
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
--- a/testdata/val_nsec3_b3_optout_nonc.rpl
+++ b/testdata/val_nsec3_b3_optout_nonc.rpl
@ -27,11 +27,11 @@ K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode
+MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-. IN A
+example. IN A
 SECTION AUTHORITY
 example.	IN NS	ns1.example.
 ; leave out to make unbound take ns1
@ -46,6 +46,15 @@ RANGE_END
 ; ns1.example.
 RANGE_BEGIN 0 100
 	ADDRESS 192.0.2.1
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id copy_query
 REPLY QR REFUSED
 SECTION QUESTION
 ns1.example. IN AAAA
 SECTION ANSWER
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id copy_query
@ -74,7 +83,25 @@ MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA DO NOERROR
 SECTION QUESTION
-mc.c.example.       IN MX
+c.example.       IN DS
 SECTION AUTHORITY
 ;; NSEC3 RR that covers the "next closer" name (c.example)
 ;; H(c.example) = 4g6p9u5gvfshp30pqecj98b3maqbn1ck
 ;35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd ( b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
 ;35mthgpgcu1qg68fab165klnsnk3dpvl.example. RRSIG   NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example.  g6jPUUpduAJKRljUsN8gB4UagAX0NxY9shwQ Aynzo8EUWH+z6hEIBlUTPGj15eZll6VhQqgZ XtAIR3chwgW+SA== )
 ;; NSEC3 RR that matches the closest encloser (example)
 ;; H(example) = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd ( 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG )
 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG   NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example.  OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762 BOCXJZMnpuwhpA== )
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR AA DO NOERROR
 SECTION QUESTION
 c.example.       IN MX
 SECTION AUTHORITY
 c.example.	NS      ns1.c.example.
 c.example. 	NS      ns2.c.example.
@ -95,29 +122,27 @@ ns2.c.example. A       192.0.2.8
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA DO NOERROR
 SECTION QUESTION
 c.example.       IN DS
 SECTION AUTHORITY
 ;; NSEC3 RR that covers the "next closer" name (c.example)
 ;; H(c.example) = 4g6p9u5gvfshp30pqecj98b3maqbn1ck
 ;35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd ( b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG )
 ;35mthgpgcu1qg68fab165klnsnk3dpvl.example. RRSIG   NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example.  g6jPUUpduAJKRljUsN8gB4UagAX0NxY9shwQ Aynzo8EUWH+z6hEIBlUTPGj15eZll6VhQqgZ XtAIR3chwgW+SA== )
 ;; NSEC3 RR that matches the closest encloser (example)
 ;; H(example) = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd ( 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG )
 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG   NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example.  OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762 BOCXJZMnpuwhpA== )
 ENTRY_END
 RANGE_END
 ; ns1.c.example.
 RANGE_BEGIN 0 100
 	ADDRESS 192.0.2.7
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns1.c.example.       IN AAAA
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns2.c.example.       IN AAAA
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
@ -152,6 +177,22 @@ RANGE_END
 ; ns2.c.example.
 RANGE_BEGIN 0 100
 	ADDRESS 192.0.2.8
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns1.c.example.       IN AAAA
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns2.c.example.       IN AAAA
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
--- a/testdata/val_nsec3_b4_wild_wr.rpl
+++ b/testdata/val_nsec3_b4_wild_wr.rpl
@ -27,11 +27,11 @@ K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode
+MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-. IN A
+example. IN A
 SECTION AUTHORITY
 example.	IN NS	ns1.example.
 ; leave out to make unbound take ns1
@ -46,6 +46,15 @@ RANGE_END
 ; ns1.example.
 RANGE_BEGIN 0 100
 	ADDRESS 192.0.2.1
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id copy_query
 REPLY QR REFUSED
 SECTION QUESTION
 ns1.example. IN AAAA
 SECTION ANSWER
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id copy_query
--- a/testdata/val_nsec3_b5_wcnodata_noce.rpl
+++ b/testdata/val_nsec3_b5_wcnodata_noce.rpl
@ -27,11 +27,11 @@ K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode
+MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-. IN A
+example. IN A
 SECTION AUTHORITY
 example.	IN NS	ns1.example.
 ; leave out to make unbound take ns1
@ -46,6 +46,15 @@ RANGE_END
 ; ns1.example.
 RANGE_BEGIN 0 100
 	ADDRESS 192.0.2.1
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id copy_query
 REPLY QR REFUSED
 SECTION QUESTION
 ns1.example. IN AAAA
 SECTION ANSWER
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id copy_query
--- a/testdata/val_nsec3_b5_wcnodata_nonc.rpl
+++ b/testdata/val_nsec3_b5_wcnodata_nonc.rpl
@ -27,11 +27,11 @@ K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode
+MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-. IN A
+example. IN A
 SECTION AUTHORITY
 example.	IN NS	ns1.example.
 ; leave out to make unbound take ns1
@ -46,6 +46,15 @@ RANGE_END
 ; ns1.example.
 RANGE_BEGIN 0 100
 	ADDRESS 192.0.2.1
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id copy_query
 REPLY QR REFUSED
 SECTION QUESTION
 ns1.example. IN AAAA
 SECTION ANSWER
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id copy_query
--- a/testdata/val_nsec3_b5_wcnodata_nowc.rpl
+++ b/testdata/val_nsec3_b5_wcnodata_nowc.rpl
@ -27,11 +27,11 @@ K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode
+MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-. IN A
+example. IN A
 SECTION AUTHORITY
 example.	IN NS	ns1.example.
 ; leave out to make unbound take ns1
@ -46,6 +46,15 @@ RANGE_END
 ; ns1.example.
 RANGE_BEGIN 0 100
 	ADDRESS 192.0.2.1
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id copy_query
 REPLY QR REFUSED
 SECTION QUESTION
 ns1.example. IN AAAA
 SECTION ANSWER
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id copy_query
--- a/testdata/val_nsec3_nodatawccname.rpl
+++ b/testdata/val_nsec3_nodatawccname.rpl
@ -56,11 +56,11 @@ a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode qtype qname
+MATCH opcode subdomain
-ADJUST copy_id
+ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-www.example.com. IN A
+example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
@ -71,6 +71,14 @@ RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.com. IN AAAA
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
--- a/testdata/val_nsec3_nods_badopt.rpl
+++ b/testdata/val_nsec3_nods_badopt.rpl
@ -56,11 +56,11 @@ a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode qtype qname
+MATCH opcode subdomain
-ADJUST copy_id
+ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-www.sub.example.com. IN A
+example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
@ -71,6 +71,14 @@ RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.com. IN AAAA
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
@ -120,29 +128,6 @@ s1unhcti19bkdr98fegs0v46mbu3t4m3.example.com.   3600    IN      RRSIG   NSEC3 3
 ENTRY_END
 ; refer to server one down
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 www.sub.example.com. IN A
 SECTION AUTHORITY
 sub.example.com. IN NS ns.sub.example.com.
 ; proof that there is no DS here.
 ;sub.example.com.        3600    IN      DS      2854 DSA 1 be4d46cd7489cce25a31af0dff2968ce0425dd31
 ;sub.example.com.        3600    IN      RRSIG   DS 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQC1WMTfb25sTgeUEXCFR4+YiJqecwIUc2R/jrO4amyQxovSnld2reg8eyo= ;{id = 2854}
 ; example.com. -> b6fuorg741ufili49mg9j4328ig53sqg.
 b6fuorg741ufili49mg9j4328ig53sqg.example.com. IN NSEC3 1 0 123 aabb00123456bbccdd b6fuorg741ufili49mg9j4328ig54sqg NS SOA DNSKEY RRSIG
 b6fuorg741ufili49mg9j4328ig53sqg.example.com.   3600    IN      RRSIG   NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFEtLEiFNr2V6qJOHUxIRQ4ittparAhUAm+WN3aqAHEgiQQEeX9z4S0Ub/dM= ;{id = 2854}
 ; sub.example.com. -> 8r1f0ieoutlnjc03meng9e3bn2n0o9pd.
 8r1f0ieoutlnjc03meng9e3bn1n0o9pd.example.com. IN NSEC3 1 0 123 aabb00123456bbccdd 8r1f0ieoutlnjc03meng9e3bn3n0o9pd NS RRSIG
 8r1f0ieoutlnjc03meng9e3bn1n0o9pd.example.com.   3600    IN      RRSIG   NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCategdxsiQTpOMHED1ehjPT7PO2gIUDJ9f/zGCEUHy/UVp97aOh0RRoks= ;{id = 2854}
 SECTION ADDITIONAL
 ns.sub.example.com. IN A 1.2.3.10
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
@ -160,11 +145,43 @@ b6fuorg741ufili49mg9j4328ig53sqg.example.com.   3600    IN      RRSIG   NSEC3 3
 8r1f0ieoutlnjc03meng9e3bn1n0o9pd.example.com. IN NSEC3 1 0 123 aabb00123456bbccdd 8r1f0ieoutlnjc03meng9e3bn3n0o9pd NS RRSIG
 8r1f0ieoutlnjc03meng9e3bn1n0o9pd.example.com.   3600    IN      RRSIG   NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCategdxsiQTpOMHED1ehjPT7PO2gIUDJ9f/zGCEUHy/UVp97aOh0RRoks= ;{id = 2854}
 ENTRY_END
 ; refer to server one down
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 sub.example.com. IN A
 SECTION AUTHORITY
 sub.example.com. IN NS ns.sub.example.com.
 ; proof that there is no DS here.
 ;sub.example.com.        3600    IN      DS      2854 DSA 1 be4d46cd7489cce25a31af0dff2968ce0425dd31
 ;sub.example.com.        3600    IN      RRSIG   DS 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQC1WMTfb25sTgeUEXCFR4+YiJqecwIUc2R/jrO4amyQxovSnld2reg8eyo= ;{id = 2854}
 ; example.com. -> b6fuorg741ufili49mg9j4328ig53sqg.
 b6fuorg741ufili49mg9j4328ig53sqg.example.com. IN NSEC3 1 0 123 aabb00123456bbccdd b6fuorg741ufili49mg9j4328ig54sqg NS SOA DNSKEY RRSIG
 b6fuorg741ufili49mg9j4328ig53sqg.example.com.   3600    IN      RRSIG   NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFEtLEiFNr2V6qJOHUxIRQ4ittparAhUAm+WN3aqAHEgiQQEeX9z4S0Ub/dM= ;{id = 2854}
 ; sub.example.com. -> 8r1f0ieoutlnjc03meng9e3bn2n0o9pd.
 8r1f0ieoutlnjc03meng9e3bn1n0o9pd.example.com. IN NSEC3 1 0 123 aabb00123456bbccdd 8r1f0ieoutlnjc03meng9e3bn3n0o9pd NS RRSIG
 8r1f0ieoutlnjc03meng9e3bn1n0o9pd.example.com.   3600    IN      RRSIG   NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCategdxsiQTpOMHED1ehjPT7PO2gIUDJ9f/zGCEUHy/UVp97aOh0RRoks= ;{id = 2854}
 SECTION ADDITIONAL
 ns.sub.example.com. IN A 1.2.3.10
 ENTRY_END
 RANGE_END
 ; ns.sub.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.10
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.sub.example.com. IN AAAA
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
--- a/testdata/val_nsec3_nods_soa.rpl
+++ b/testdata/val_nsec3_nods_soa.rpl
@ -121,26 +121,6 @@ s1unhcti19bkdr98fegs0v46mbu3t4m3.example.com.   3600    IN      RRSIG   NSEC3 3
 ENTRY_END
 ; refer to server one down
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 www.sub.example.com. IN A
 SECTION AUTHORITY
 sub.example.com. IN NS ns.sub.example.com.
 ; proof that there is no DS here.
 ;sub.example.com.        3600    IN      DS      2854 DSA 1 be4d46cd7489cce25a31af0dff2968ce0425dd31
 ;sub.example.com.        3600    IN      RRSIG   DS 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQC1WMTfb25sTgeUEXCFR4+YiJqecwIUc2R/jrO4amyQxovSnld2reg8eyo= ;{id = 2854}
 ; sub.example.com. -> 8r1f0ieoutlnjc03meng9e3bn2n0o9pd.
 8r1f0ieoutlnjc03meng9e3bn2n0o9pd.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd 8r1f0ieoutlnjc03meng9e3bn3n0o9pd NS SOA DNSKEY RRSIG
 8r1f0ieoutlnjc03meng9e3bn2n0o9pd.example.com.   3600    IN      RRSIG   NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MC4CFQCeKcyw76yvOvfa2+qtxv8bKcEyJwIVAJBeIGST4Y8Tk8YkQI0suee3Bxb1 ;{id = 2854}
 SECTION ADDITIONAL
 ns.sub.example.com. IN A 1.2.3.10
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
@ -155,11 +135,40 @@ SECTION AUTHORITY
 8r1f0ieoutlnjc03meng9e3bn2n0o9pd.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd 8r1f0ieoutlnjc03meng9e3bn3n0o9pd NS SOA DNSKEY RRSIG
 8r1f0ieoutlnjc03meng9e3bn2n0o9pd.example.com.   3600    IN      RRSIG   NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MC4CFQCeKcyw76yvOvfa2+qtxv8bKcEyJwIVAJBeIGST4Y8Tk8YkQI0suee3Bxb1 ;{id = 2854}
 ENTRY_END
 ; refer to server one down
 ENTRY_BEGIN
 MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
 sub.example.com. IN A
 SECTION AUTHORITY
 sub.example.com. IN NS ns.sub.example.com.
 ; proof that there is no DS here.
 ;sub.example.com.        3600    IN      DS      2854 DSA 1 be4d46cd7489cce25a31af0dff2968ce0425dd31
 ;sub.example.com.        3600    IN      RRSIG   DS 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQC1WMTfb25sTgeUEXCFR4+YiJqecwIUc2R/jrO4amyQxovSnld2reg8eyo= ;{id = 2854}
 ; sub.example.com. -> 8r1f0ieoutlnjc03meng9e3bn2n0o9pd.
 8r1f0ieoutlnjc03meng9e3bn2n0o9pd.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd 8r1f0ieoutlnjc03meng9e3bn3n0o9pd NS SOA DNSKEY RRSIG
 8r1f0ieoutlnjc03meng9e3bn2n0o9pd.example.com.   3600    IN      RRSIG   NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MC4CFQCeKcyw76yvOvfa2+qtxv8bKcEyJwIVAJBeIGST4Y8Tk8YkQI0suee3Bxb1 ;{id = 2854}
 SECTION ADDITIONAL
 ns.sub.example.com. IN A 1.2.3.10
 ENTRY_END
 RANGE_END
 ; ns.sub.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.10
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.sub.example.com. IN AAAA
 SECTION ANSWER
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
--- a/testdata/val_nsec3_wcany_nodeny.rpl
+++ b/testdata/val_nsec3_wcany_nodeny.rpl
@ -56,11 +56,11 @@ a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode qtype qname
+MATCH opcode subdomain
-ADJUST copy_id
+ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-www.example.com. IN ANY
+example.com. IN ANY
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
@ -71,6 +71,14 @@ RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.com. IN AAAA
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
--- a/testdata/val_nx_nodeny.rpl
+++ b/testdata/val_nx_nodeny.rpl
@ -56,11 +56,11 @@ a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode qtype qname
+MATCH opcode subdomain
-ADJUST copy_id
+ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-www.example.com. IN A
+example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
@ -71,6 +71,14 @@ RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.com. IN AAAA
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
--- a/testdata/val_nx_nowc.rpl
+++ b/testdata/val_nx_nowc.rpl
@ -56,11 +56,11 @@ a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode qtype qname
+MATCH opcode subdomain
-ADJUST copy_id
+ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-www.example.com. IN A
+example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
@ -71,6 +71,14 @@ RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.com. IN AAAA
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
--- a/testdata/val_nx_overreach.rpl
+++ b/testdata/val_nx_overreach.rpl
@ -56,11 +56,11 @@ a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode qtype qname
+MATCH opcode subdomain
-ADJUST copy_id
+ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-www.example.com. IN A
+example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
@ -71,6 +71,14 @@ RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.com. IN AAAA
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
--- a/testdata/val_positive_wc_nodeny.rpl
+++ b/testdata/val_positive_wc_nodeny.rpl
@ -56,11 +56,11 @@ a.gtld-servers.net.     IN      A       192.5.6.30
 ENTRY_END
 ENTRY_BEGIN
-MATCH opcode qtype qname
+MATCH opcode subdomain
-ADJUST copy_id
+ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-www.example.com. IN A
+example.com. IN A
 SECTION AUTHORITY
 example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
@ -71,6 +71,14 @@ RANGE_END
 ; ns.example.com.
 RANGE_BEGIN 0 100
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
 REPLY QR AA REFUSED
 SECTION QUESTION
 ns.example.com. IN AAAA
 ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
--- a/util/module.c
+++ b/util/module.c
@ -47,6 +47,7 @@ strextstate(enum module_ext_state s)
 	case module_state_initial: return "module_state_initial";
 	case module_wait_reply: return "module_wait_reply";
 	case module_wait_module: return "module_wait_module";
 	case module_restart_next: return "module_restart_next";
 	case module_wait_subquery: return "module_wait_subquery";
 	case module_error: return "module_error";
 	case module_finished: return "module_finished";
--- a/util/module.h
+++ b/util/module.h
@ -233,6 +233,8 @@ enum module_ext_state {
 	module_wait_reply,
 	/** module is waiting for another module */
 	module_wait_module,
 	/** module is waiting for another module; that other is restarted */
 	module_restart_next,
 	/** module is waiting for sub-query */
 	module_wait_subquery,
 	/** module could not finish the query */
@ -261,6 +263,16 @@ enum module_ev {
 	module_event_error
 };
 /** Linked list of sockaddrs */
 struct sock_list {
 	/** next in list */
 	struct sock_list* next;
 	/** sockaddr */
 	struct sockaddr_storage addr;
 	/** length of addr */
 	socklen_t len;
 };
 /**
 * Module state, per query.
 */
@ -278,6 +290,10 @@ struct module_qstate {
 	struct dns_msg* return_msg;
 	/** the rcode, in case of error, instead of a reply message */
 	int return_rcode;
 	/** origin of the reply (can be NULL from cache, list for cnames) */
 	struct sock_list* reply_origin;
 	/** IP blacklist for queries */
 	struct sock_list* blacklist;
 	/** region for this query. Cleared when query process finishes. */
 	struct regional* region;
--- a/util/net_help.c
+++ b/util/net_help.c
@ -41,6 +41,8 @@
 #include "util/net_help.h"
 #include "util/log.h"
 #include "util/data/dname.h"
 #include "util/module.h"
 #include "util/regional.h"
 #include <fcntl.h>
 /** max length of an IP address (the address portion) that we allow */
@ -488,3 +490,44 @@ addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen)
 	s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr;
 	return (memcmp(s, map_prefix, 12) == 0);
 }
 void sock_list_insert(struct sock_list** list, struct sockaddr_storage* addr,
 	socklen_t len, struct regional* region)
 {
 	struct sock_list* add = (struct sock_list*)regional_alloc(region,
 		sizeof(*add));
 	if(!add) {
 		log_err("out of memory in socketlist insert");
 		return;
 	}
 	log_assert(list);
 	add->next = *list;
 	add->len = len;
 	memcpy(&add->addr, addr, len);
 	*list = add;
 }
 void sock_list_prepend(struct sock_list** list, struct sock_list* add)
 {
 	struct sock_list* last = add;
 	if(!last) 
 		return;
 	while(last->next)
 		last = last->next;
 	last->next = *list;
 	*list = add;
 }
 int sock_list_find(struct sock_list* list, struct sockaddr_storage* addr,
        socklen_t len)
 {
 	while(list) {
 		if(len == list->len) {
 			if(len == 0 || sockaddr_cmp_addr(addr, len, 
 				&list->addr, list->len) == 0)
 				return 1;
 		}
 		list = list->next;
 	}
 	return 0;
 }
--- a/util/net_help.h
+++ b/util/net_help.h
@ -42,6 +42,8 @@
 #ifndef NET_HELP_H
 #define NET_HELP_H
 #include "util/log.h"
 struct sock_list;
 struct regional;
 /** DNS constants for uint16_t style flag manipulation. host byteorder. 
 *                                1  1  1  1  1  1
@ -277,4 +279,31 @@ void addr_to_str(struct sockaddr_storage* addr, socklen_t addrlen,
 */
 int addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen);
 /**
 * Insert new socket list item. If fails logs error.
 * @param list: pointer to pointer to first item.
 * @param addr: address or NULL if 'cache'.
 * @param len: length of addr, or 0 if 'cache'.
 * @param region: where to allocate
 */
 void sock_list_insert(struct sock_list** list, struct sockaddr_storage* addr,
 	socklen_t len, struct regional* region);
 /**
 * Append one list to another.  Must both be from same qstate(regional).
 * @param list: pointer to result list that is modified.
 * @param add: item(s) to add.  They are prepended to list.
 */
 void sock_list_prepend(struct sock_list** list, struct sock_list* add);
 /**
 * Find addr in list.
 * @param list: to search in
 * @param addr: address to look for.
 * @param len: length. Can be 0, look for 'cache entry'.
 * @return true if found.
 */
 int sock_list_find(struct sock_list* list, struct sockaddr_storage* addr,
        socklen_t len);
 #endif /* NET_HELP_H */
--- a/validator/validator.c
+++ b/validator/validator.c
@ -188,18 +188,10 @@ val_deinit(struct module_env* env, int id)
 	env->modinfo[id] = NULL;
 }
-/** allocate new validator query state */
+/** fill in message structure */
 static struct val_qstate*
-val_new(struct module_qstate* qstate, int id)
+val_new_getmsg(struct module_qstate* qstate, struct val_qstate* vq)
 {
 	struct val_qstate* vq = (struct val_qstate*)regional_alloc(
 		qstate->region, sizeof(*vq));
 	log_assert(!qstate->minfo[id]);
 	if(!vq)
 		return NULL;
 	memset(vq, 0, sizeof(*vq));
 	qstate->minfo[id] = vq;
 	vq->state = VAL_INIT_STATE;
 	if(!qstate->return_msg || qstate->return_rcode != LDNS_RCODE_NOERROR) {
 		/* create a message to verify */
 		verbose(VERB_ALGO, "constructing reply for validation");
@ -235,6 +227,21 @@ val_new(struct module_qstate* qstate, int id)
 	return vq;
 }
 /** allocate new validator query state */
 static struct val_qstate*
 val_new(struct module_qstate* qstate, int id)
 {
 	struct val_qstate* vq = (struct val_qstate*)regional_alloc(
 		qstate->region, sizeof(*vq));
 	log_assert(!qstate->minfo[id]);
 	if(!vq)
 		return NULL;
 	memset(vq, 0, sizeof(*vq));
 	qstate->minfo[id] = vq;
 	vq->state = VAL_INIT_STATE;
 	return val_new_getmsg(qstate, vq);
 }
 /**
 * Exit validation with an error status
 * 
@ -1175,6 +1182,10 @@ processInit(struct module_qstate* qstate, struct val_qstate* vq,
 	enum val_classification subtype = val_classify_response(
 		qstate->query_flags, &qstate->qinfo, &vq->qchase, 
 		vq->orig_msg->rep, vq->rrset_skip);
 	if(vq->restart_count > VAL_MAX_RESTART_COUNT) {
 		verbose(VERB_ALGO, "restart count exceeded");
 		return val_error(qstate, id);
 	}
 	verbose(VERB_ALGO, "validator classification %s", 
 		val_classification_to_string(subtype));
 	if(subtype == VAL_CLASS_REFERRAL && 
@ -1825,6 +1836,47 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
 	/* if the result is bogus - set message ttl to bogus ttl to avoid
 	 * endless bogus revalidation */
 	if(vq->orig_msg->rep->security == sec_status_bogus) {
 		/* see if we can try again to fetch data */
 		if(vq->restart_count < VAL_MAX_RESTART_COUNT) {
 			int restart_count = vq->restart_count+1;
 			verbose(VERB_ALGO, "validation failed, "
 				"blacklist and retry to fetch data");
 			/* debug printout */
 			if(verbosity >= VERB_ALGO) {
 				struct sock_list* p;
 				if(!qstate->reply_origin)
 					verbose(VERB_ALGO, "new blacklist: "
 						"cache");
 				for(p=qstate->reply_origin; p; p=p->next)
 					if(p->len)
 						log_addr(VERB_ALGO, 
 						"new blacklist IP",
 						&p->addr, p->len);
 					else verbose(VERB_ALGO, "new "
 						"blacklist: cache");
 				for(p=qstate->blacklist; p; p=p->next)
 					if(p->len)
 						log_addr(VERB_ALGO, 
 						"blacklist IP",
 						&p->addr, p->len);
 					else verbose(VERB_ALGO, "blacklist "
 						"cache");
 			}
 			/* blacklist the IPs or the cache */
 			if(qstate->reply_origin)
 				sock_list_prepend(&qstate->blacklist, 
 					qstate->reply_origin);
 			else	sock_list_insert(&qstate->blacklist, NULL, 0,
 					qstate->region);
 			qstate->reply_origin = NULL;
 			memset(vq, 0, sizeof(*vq));
 			vq->restart_count = restart_count;
 			vq->state = VAL_INIT_STATE;
 			verbose(VERB_ALGO, "pass back to next module");
 			qstate->ext_state[id] = module_restart_next;
 			return 0;
 		}
 		vq->orig_msg->rep->ttl = ve->bogus_ttl;
 		if(qstate->env->cfg->val_log_level >= 1) {
 			log_query_info(0, "validation failure", &qstate->qinfo);
@ -2044,6 +2096,12 @@ val_operate(struct module_qstate* qstate, enum module_ev event, int id,
 				qstate->ext_state[id] = module_error;
 				return;
 			}
 		} else if(!vq->orig_msg) {
 			if(!val_new_getmsg(qstate, vq)) {
 				log_err("validator: malloc failure");
 				qstate->ext_state[id] = module_error;
 				return;
 			}
 		}
 		val_handle(qstate, vq, ve, id);
 		return;
--- a/validator/validator.h
+++ b/validator/validator.h
@ -56,6 +56,9 @@ struct val_neg_cache;
 */
 #define NULL_KEY_TTL	900 /* seconds */
 /** max number of query restarts, number of IPs to probe */
 #define VAL_MAX_RESTART_COUNT 5
 /**
 * Global state for the validator. 
 */
@ -150,6 +153,11 @@ struct val_qstate {
 	 */
 	struct dns_msg* orig_msg;
 	/**
 	 * The query restart count
 	 */
 	int restart_count;
 	/**
 	 * The query name we have chased to; qname after following CNAMEs
 	 */