summaryrefslogtreecommitdiffstats
path: root/tests/knot/semantic_check_data
diff options
context:
space:
mode:
Diffstat (limited to 'tests/knot/semantic_check_data')
-rw-r--r--tests/knot/semantic_check_data/cdnskey.cds123
-rw-r--r--tests/knot/semantic_check_data/cdnskey.delete.both113
-rw-r--r--tests/knot/semantic_check_data/cdnskey.delete.invalid.cdnskey113
-rw-r--r--tests/knot/semantic_check_data/cdnskey.delete.invalid.cds113
-rw-r--r--tests/knot/semantic_check_data/cdnskey.invalid123
-rw-r--r--tests/knot/semantic_check_data/cdnskey.invalid.param123
-rw-r--r--tests/knot/semantic_check_data/cdnskey.nocdnskey101
-rw-r--r--tests/knot/semantic_check_data/cdnskey.nocds110
-rw-r--r--tests/knot/semantic_check_data/cdnskey.nodnskey111
-rw-r--r--tests/knot/semantic_check_data/cdnskey.orphan.cdnskey135
-rw-r--r--tests/knot/semantic_check_data/cdnskey.orphan.cds138
-rw-r--r--tests/knot/semantic_check_data/cname_extra_01.zone18
-rw-r--r--tests/knot/semantic_check_data/cname_extra_02.signed76
-rw-r--r--tests/knot/semantic_check_data/cname_multiple.zone15
-rw-r--r--tests/knot/semantic_check_data/delegation.signed43
-rw-r--r--tests/knot/semantic_check_data/different_signer_name.signed52
-rw-r--r--tests/knot/semantic_check_data/dname_apex_nsec3.signed25
-rw-r--r--tests/knot/semantic_check_data/dname_children.zone16
-rw-r--r--tests/knot/semantic_check_data/dname_extra_ns.zone16
-rw-r--r--tests/knot/semantic_check_data/dname_multiple.zone16
-rw-r--r--tests/knot/semantic_check_data/dnskey_param_error.signed70
-rw-r--r--tests/knot/semantic_check_data/duplicate.signature19
-rw-r--r--tests/knot/semantic_check_data/glue_apex_both.missing14
-rw-r--r--tests/knot/semantic_check_data/glue_apex_one.missing16
-rw-r--r--tests/knot/semantic_check_data/glue_besides.missing17
-rw-r--r--tests/knot/semantic_check_data/glue_deleg.missing17
-rw-r--r--tests/knot/semantic_check_data/glue_in_apex.missing13
-rw-r--r--tests/knot/semantic_check_data/glue_in_deleg.valid16
-rw-r--r--tests/knot/semantic_check_data/glue_no_foreign.valid13
-rw-r--r--tests/knot/semantic_check_data/glue_wildcard.valid22
-rw-r--r--tests/knot/semantic_check_data/invalid_ds.signed106
-rw-r--r--tests/knot/semantic_check_data/missing.signed20
-rw-r--r--tests/knot/semantic_check_data/no_error_delegation_bitmap.signed61
-rw-r--r--tests/knot/semantic_check_data/no_error_nsec3_optout.signed29
-rw-r--r--tests/knot/semantic_check_data/no_rrsig.signed48
-rw-r--r--tests/knot/semantic_check_data/no_rrsig_with_delegation.signed61
-rw-r--r--tests/knot/semantic_check_data/ns_apex.missing11
-rw-r--r--tests/knot/semantic_check_data/nsec3_chain_01.signed80
-rw-r--r--tests/knot/semantic_check_data/nsec3_chain_02.signed94
-rw-r--r--tests/knot/semantic_check_data/nsec3_chain_03.signed94
-rw-r--r--tests/knot/semantic_check_data/nsec3_ds.signed57
-rw-r--r--tests/knot/semantic_check_data/nsec3_missing.signed120
-rw-r--r--tests/knot/semantic_check_data/nsec3_optout.signed81
-rw-r--r--tests/knot/semantic_check_data/nsec3_optout_ent.all15
-rw-r--r--tests/knot/semantic_check_data/nsec3_optout_ent.invalid18
-rw-r--r--tests/knot/semantic_check_data/nsec3_optout_ent.valid20
-rw-r--r--tests/knot/semantic_check_data/nsec3_param_invalid.signed70
-rw-r--r--tests/knot/semantic_check_data/nsec3_wrong_bitmap_01.signed70
-rw-r--r--tests/knot/semantic_check_data/nsec3_wrong_bitmap_02.signed70
-rw-r--r--tests/knot/semantic_check_data/nsec_broken_chain_01.signed72
-rw-r--r--tests/knot/semantic_check_data/nsec_broken_chain_02.signed65
-rw-r--r--tests/knot/semantic_check_data/nsec_missing.signed67
-rw-r--r--tests/knot/semantic_check_data/nsec_multiple.signed66
-rw-r--r--tests/knot/semantic_check_data/nsec_wrong_bitmap_01.signed73
-rw-r--r--tests/knot/semantic_check_data/nsec_wrong_bitmap_02.signed73
-rw-r--r--tests/knot/semantic_check_data/rrsig_rdata_ttl.signed52
-rw-r--r--tests/knot/semantic_check_data/rrsig_signed.signed62
-rw-r--r--tests/knot/semantic_check_data/rrsig_ttl.signed52
58 files changed, 3504 insertions, 0 deletions
diff --git a/tests/knot/semantic_check_data/cdnskey.cds b/tests/knot/semantic_check_data/cdnskey.cds
new file mode 100644
index 0000000..6ce5610
--- /dev/null
+++ b/tests/knot/semantic_check_data/cdnskey.cds
@@ -0,0 +1,123 @@
+example.com. 3600 IN SOA dns2.example.com. hostmaster.example.com. (
+ 2010135808 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 1209600 ; expire (2 weeks)
+ 7200 ; minimum (2 hours)
+ )
+ 3600 RRSIG SOA 13 2 3600 (
+ 20601231235959 20201012144147 25752 example.com.
+ dEDk41MHSAAoc2eboWOXxGQHYFj1gXuD/gfX
+ Qz6HEq44narP0IHuOWt4ni9HUhYDBuanPp7S
+ j/8nYnZc6gdpMg== )
+ 3600 NS dns2.example.com.
+ 3600 RRSIG NS 13 2 3600 (
+ 20601231235959 20201012144147 25752 example.com.
+ 1HFpOHudUJp7hvrsTmdX6qt+X0I4K9RYo/Uy
+ gpWbJBNhNsPVENVrw8AabhnPaETJGbreS/4T
+ slgbxM1Ks/erzA== )
+ 3600 MX 10 mail.example.com.
+ 3600 RRSIG MX 13 2 3600 (
+ 20601231235959 20201012144147 25752 example.com.
+ EA9rtC9Ub4LPDwS6Q8wE4g9nGddbVrg9ivHN
+ oHQzUjTFlxtn8gFPaJkUfHwqwg3PsSVGagyx
+ Bjsool21k/TG7A== )
+ 7200 NSEC dns2.example.com. NS SOA MX RRSIG NSEC DNSKEY CDS CDNSKEY
+ 7200 RRSIG NSEC 13 2 7200 (
+ 20601231235959 20201012144147 25752 example.com.
+ YLQPkC55O9bpQI/Hg/Ih91UkieeM3wtQvJMT
+ ro3QJ2eDImSyeoIbWsF+ghtoQ+6IUulXLu3k
+ PtDViOe2tfaL/Q== )
+ 3600 DNSKEY 256 3 8 (
+ AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVw
+ YkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH
+ 1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6
+ jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEe
+ CUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
+ ) ; ZSK; alg = RSASHA256 ; key id = 48849
+ 3600 DNSKEY 256 3 13 (
+ 1J1lDp/FQFgAGv7EFeDTAru7rUIcUCc7bkYj
+ 8OlczfdQjo9IfS5MFg6MqIrE/KPC18CDX1Ki
+ DzaCFaMGDlavjQ==
+ ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 25752
+ 3600 DNSKEY 257 3 8 (
+ AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+ oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+ 2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+ mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+ x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+ bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+ mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+ odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+ tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+ EHYAd/AP8YgaovS8N1fJyh0=
+ ) ; KSK; alg = RSASHA256 ; key id = 53851
+ 3600 DNSKEY 257 3 8 (
+ AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKf
+ jqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4
+ IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la
+ 7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU8
+ 0AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbm
+ LIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpM
+ CLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRn
+ dpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs
+ 9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n
+ /4lgdSiBtvByLCXoWEYIGRs=
+ ) ; KSK; alg = RSASHA256 ; key id = 19420
+ 3600 DNSKEY 257 3 13 (
+ hRcbHnvrTqCb215+XsIn96tvHacV5d15lcnS
+ h91pg8Htes3H0vOoG98C5oWXoj7RM4V/tDoH
+ /0ahiLyRzRnvBA==
+ ) ; KSK; alg = ECDSAP256SHA256 ; key id = 20197
+ 3600 RRSIG DNSKEY 13 2 3600 (
+ 20601231235959 20201012144147 20197 example.com.
+ JLKC5uLW1+JPkOyVcc8D6B6lCC/0FOlak/Qd
+ Na6Nb33hi9io1HMFI1eYiG7u7lxWmXsKnBo9
+ ONROz+WYGds++Q== )
+ 3600 CDS 53851 8 2 (
+ 6F8129D687EC387C948E6F4B0AC9AA01481C
+ CEBF7570AFEC582897E7725122D6 )
+ 3600 RRSIG CDS 13 2 3600 (
+ 20601231235959 20201012144147 20197 example.com.
+ pgi1+O/TWU6WCmLLYEibCYj+RzbcOuodnF1i
+ wlBQxDZLTcGYG+1KEC0spZTN1nQncEfdeEKc
+ jnYQUa0izPQRnA== )
+ 3600 RRSIG CDS 13 2 3600 (
+ 20601231235959 20201012144147 25752 example.com.
+ MaFyQcB908WIXS+RiLeLXiKdjOo/R6tl9AM/
+ 6xokhcvRqQzuyQeoH4snUvcht0m5ghz09Km7
+ MPN0uzJcXIGg0Q== )
+ 3600 CDNSKEY 257 3 8 (
+ AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+ oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+ 2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+ mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+ x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+ bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+ mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+ odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+ tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+ EHYAd/AP8YgaovS8N1fJyh0=
+ ) ; KSK; alg = RSASHA256 ; key id = 53851
+ 3600 RRSIG CDNSKEY 13 2 3600 (
+ 20601231235959 20201012144147 20197 example.com.
+ Vdo7aYGIByxiC85dyqLKrrNAYYDFBnKXm8uE
+ rYSXBMWiQoFHwzvlavyqhUWlEABfvYD0pUrX
+ PZ27Hz8rPFCSLQ== )
+ 3600 RRSIG CDNSKEY 13 2 3600 (
+ 20601231235959 20201012144147 25752 example.com.
+ 9Llt7e4nm8uMLqliT2NZJINmAmLmKDYqjloj
+ Q3/wNI4K+J0RUmWpg3f6xODVkKjjuVnwpxkK
+ eWV9zqY4jUTAGg== )
+dns2.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 13 3 3600 (
+ 20601231235959 20201012144147 25752 example.com.
+ lZSHyLdXGFvoL9fhk26y70ifFwui2A5bpdir
+ Su7VhfsnNdLgNuCceRXbYwxQaUyODCl7dcJ9
+ UkRzq2eDs0evKQ== )
+ 7200 NSEC example.com. A RRSIG NSEC
+ 7200 RRSIG NSEC 13 3 7200 (
+ 20601231235959 20201012144147 25752 example.com.
+ dDE1XApt4lZ9u20Z/vXwhJxE27AZJQzKwLkk
+ jpwEDVJo6/SdV2smB7s7+qmGnSKhIehVpUFX
+ wv3/3YaFxSTifQ== )
diff --git a/tests/knot/semantic_check_data/cdnskey.delete.both b/tests/knot/semantic_check_data/cdnskey.delete.both
new file mode 100644
index 0000000..b3b840b
--- /dev/null
+++ b/tests/knot/semantic_check_data/cdnskey.delete.both
@@ -0,0 +1,113 @@
+example.com. 3600 IN SOA dns2.example.com. hostmaster.example.com. (
+ 2010135808 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 1209600 ; expire (2 weeks)
+ 7200 ; minimum (2 hours)
+ )
+ 3600 RRSIG SOA 13 2 3600 (
+ 20601231235959 20201012144234 36859 example.com.
+ uHjgn9WEMdw/d//q2ZhGF1GAQItK9UPyByET
+ VDuZgER/JBHuFd1/MMEkkFmCRneXuVudSnki
+ aXiza0GLV0ujfw== )
+ 3600 NS dns2.example.com.
+ 3600 RRSIG NS 13 2 3600 (
+ 20601231235959 20201012144234 36859 example.com.
+ 39YAhtx1qe9sbJ/6N1fS7F4QLS9iqagdbQN4
+ w6VRyMRrseRY16G2n3Th9yw1+R9aXOazb6iP
+ BL6azQJiUCZJ5g== )
+ 3600 MX 10 mail.example.com.
+ 3600 RRSIG MX 13 2 3600 (
+ 20601231235959 20201012144234 36859 example.com.
+ EXv3vV7Njpz59INdubRpDsGANROKfEhqBzQ8
+ zSL1vujpUOdaZWqmS3uoKusxHCghJacCFeUA
+ KQNrWNuZHT2S8g== )
+ 7200 NSEC dns2.example.com. NS SOA MX RRSIG NSEC DNSKEY CDS CDNSKEY
+ 7200 RRSIG NSEC 13 2 7200 (
+ 20601231235959 20201012144234 36859 example.com.
+ LgXpsIgBZBO03iU6D2nqsbmal6AK51ev21Cj
+ PQFfFBLQ+ARqyE3k7mlTK4A+/UfIpWgpkKnz
+ St4SbtL3r6GK+g== )
+ 3600 DNSKEY 256 3 8 (
+ AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVw
+ YkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH
+ 1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6
+ jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEe
+ CUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
+ ) ; ZSK; alg = RSASHA256 ; key id = 48849
+ 3600 DNSKEY 256 3 13 (
+ l/Uak3BSxeoEO8n42GtZkS1aTdEV590rAuwS
+ Jvt8Gzyj1S5Aqx5Tytm+nb93ZtO3eSL2OpJg
+ p7tdmPjtHKxYpg==
+ ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 36859
+ 3600 DNSKEY 257 3 8 (
+ AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+ oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+ 2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+ mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+ x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+ bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+ mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+ odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+ tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+ EHYAd/AP8YgaovS8N1fJyh0=
+ ) ; KSK; alg = RSASHA256 ; key id = 53851
+ 3600 DNSKEY 257 3 8 (
+ AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKf
+ jqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4
+ IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la
+ 7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU8
+ 0AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbm
+ LIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpM
+ CLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRn
+ dpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs
+ 9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n
+ /4lgdSiBtvByLCXoWEYIGRs=
+ ) ; KSK; alg = RSASHA256 ; key id = 19420
+ 3600 DNSKEY 257 3 13 (
+ jNkK9sXUo8jTJ2snaD+3Mao2q0m5UjyZ7ykD
+ 6yQqTJ2xgldvTCyuu/YlSCoR9gli8pOGz+KT
+ 3YA9HjG46ob8ug==
+ ) ; KSK; alg = ECDSAP256SHA256 ; key id = 65430
+ 3600 RRSIG DNSKEY 13 2 3600 (
+ 20601231235959 20201012144234 65430 example.com.
+ id6EVGBrg2vZm6vIIGNhSukuI2Uv6/MzZiJk
+ C1N9k5P3zAP6Es9aLp9m4cR8qGIdUu3DZ3AU
+ ngKndEZvk5YUUg== )
+ 3600 CDS 0 0 0 (
+ 00 )
+ 3600 RRSIG CDS 13 2 3600 (
+ 20601231235959 20201012144234 36859 example.com.
+ mDmiCviPRxQ1BiinR2+/lQ/KabHgIu/LSKZ2
+ yZFsgiF8YF4IT8mJc/qiKVtaCWLK4Sszxk/F
+ P8kMTmTKORT40Q== )
+ 3600 RRSIG CDS 13 2 3600 (
+ 20601231235959 20201012144234 65430 example.com.
+ O1KH8u+VPLnd5TwGPRbv7VpMss+Mjwr+nIOE
+ UxSS7unksPUldU0e9qXby0fydlN5LTf/L0sD
+ daMwGOA2fuD/dA== )
+ 3600 CDNSKEY 0 3 0 (
+ AA==
+ ) ; ZSK; alg = 0 ; key id = 768
+ 3600 RRSIG CDNSKEY 13 2 3600 (
+ 20601231235959 20201012144234 36859 example.com.
+ Hj8WJNT51BdqA6szAI7sn8gZftHY6/1/Y7qQ
+ DRsunh1J1cNRuqHtLBnRKpVdteZ4znNKnavb
+ uoC6kzSzbRiJzQ== )
+ 3600 RRSIG CDNSKEY 13 2 3600 (
+ 20601231235959 20201012144234 65430 example.com.
+ 7YGVqSgaiHXwY+GdMkUJXZyqkGvkfA8LliB6
+ 6Nn4AvuETs4lX080MNq3dWmjI/tHSg5ptQz7
+ Hukvd6cYWNgtBQ== )
+dns2.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 13 3 3600 (
+ 20601231235959 20201012144234 36859 example.com.
+ SVatJA8FhwAotw625XttyhgD8Rcp4ukcidii
+ By06YX9e5rCgOHOvjsHwA57kBBzcZg0ZXAbF
+ SOhDdUQibKaRSg== )
+ 7200 NSEC example.com. A RRSIG NSEC
+ 7200 RRSIG NSEC 13 3 7200 (
+ 20601231235959 20201012144234 36859 example.com.
+ D+r82Tvm8eGuYrJKVCUMw1Gz+tevXwE2IGoG
+ 7pXErKbDv13p/eFAPsRdUKtdmsOq4mHSxQuZ
+ GVGAULfJjcs3pQ== )
diff --git a/tests/knot/semantic_check_data/cdnskey.delete.invalid.cdnskey b/tests/knot/semantic_check_data/cdnskey.delete.invalid.cdnskey
new file mode 100644
index 0000000..366edaf
--- /dev/null
+++ b/tests/knot/semantic_check_data/cdnskey.delete.invalid.cdnskey
@@ -0,0 +1,113 @@
+example.com. 3600 IN SOA dns2.example.com. hostmaster.example.com. (
+ 2010135808 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 1209600 ; expire (2 weeks)
+ 7200 ; minimum (2 hours)
+ )
+ 3600 RRSIG SOA 13 2 3600 (
+ 20601231235959 20201012144623 39533 example.com.
+ wXvCukXPMbON0oD2nKINzyauQRgeYE/kIYKZ
+ pYaMwV5Z6yZ9SKSSy7oRBn7t1+rOmGI69NSx
+ 3WHXaRiLjcH1Sg== )
+ 3600 NS dns2.example.com.
+ 3600 RRSIG NS 13 2 3600 (
+ 20601231235959 20201012144623 39533 example.com.
+ XNdl4tiEhUPOpEgwGO2njssc8QMB8IeP5QDM
+ 9/LZJUPZ0hZ76F7fX9C3X3edgysEoDFR1HAE
+ JdTxkJ5Oqv7Xig== )
+ 3600 MX 10 mail.example.com.
+ 3600 RRSIG MX 13 2 3600 (
+ 20601231235959 20201012144623 39533 example.com.
+ Or2a9ZLl2FnBmNM1KbUcgAjgLKRS6O9H4XmK
+ VAGM3QxutaTZuF1sjsz+kNh6yrT38eLm5B8M
+ PLCxUmkTSUmgeA== )
+ 7200 NSEC dns2.example.com. NS SOA MX RRSIG NSEC DNSKEY CDS CDNSKEY
+ 7200 RRSIG NSEC 13 2 7200 (
+ 20601231235959 20201012144623 39533 example.com.
+ 5SBXb1HpSfhPinO3hadK7E0lhRHwyUAsjZpy
+ /7jTO7/uUNXD6asY9V6kvOJmRgMpSeXFJKFw
+ +Vsyx0jifistyg== )
+ 3600 DNSKEY 256 3 8 (
+ AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVw
+ YkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH
+ 1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6
+ jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEe
+ CUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
+ ) ; ZSK; alg = RSASHA256 ; key id = 48849
+ 3600 DNSKEY 256 3 13 (
+ TQSEqjdF8egQ1YjZPdVXrX+pngPHTdCgwJFR
+ AefWVHOLsMADS3/LL5G+pZTSldB3j3Xo4Na/
+ 1tsuCgNmV+58xA==
+ ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 39533
+ 3600 DNSKEY 257 3 8 (
+ AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+ oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+ 2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+ mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+ x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+ bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+ mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+ odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+ tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+ EHYAd/AP8YgaovS8N1fJyh0=
+ ) ; KSK; alg = RSASHA256 ; key id = 53851
+ 3600 DNSKEY 257 3 8 (
+ AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKf
+ jqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4
+ IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la
+ 7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU8
+ 0AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbm
+ LIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpM
+ CLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRn
+ dpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs
+ 9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n
+ /4lgdSiBtvByLCXoWEYIGRs=
+ ) ; KSK; alg = RSASHA256 ; key id = 19420
+ 3600 DNSKEY 257 3 13 (
+ VARBBNSEYzAbBYxgdQi/epYgWFaGnL49509p
+ CeZWg4LO4jhjVT7uyhsSQny2wyahP2Y37YeO
+ d+sY503BNpqzMQ==
+ ) ; KSK; alg = ECDSAP256SHA256 ; key id = 59324
+ 3600 RRSIG DNSKEY 13 2 3600 (
+ 20601231235959 20201012144623 59324 example.com.
+ YRhAwruTjWmu6drb4+iJ/QOwQg8dnGur8LH7
+ bsn1ZCHQYNDHiIai8JqikqzkhEYKIK8HIqT8
+ F2RY/LqFxKebjg== )
+ 3600 CDS 0 0 0 (
+ 00 )
+ 3600 RRSIG CDS 13 2 3600 (
+ 20601231235959 20201012144623 39533 example.com.
+ cHTGBug23nTe/aS09JaakuG4wa9EEbWxL3gu
+ LQpCK8HV/JMsNSGqh1FsUlX92y4tSIvJn+Lx
+ vvdN+Qzh+zASHg== )
+ 3600 RRSIG CDS 13 2 3600 (
+ 20601231235959 20201012144623 59324 example.com.
+ GU9Q/CipUscofDL6uhT2ZmhQoyApLX9zbyfN
+ dG5XW6sXYaB94hVSiT2DSyt19fyQwYoKK2Br
+ fJwy4pI890kKoQ== )
+ 3600 CDNSKEY 0 3 0 (
+ BA==
+ ) ; ZSK; alg = 0 ; key id = 1792
+ 3600 RRSIG CDNSKEY 13 2 3600 (
+ 20601231235959 20201012144623 39533 example.com.
+ CXeUfFxa7aT2tivKLovVQ2CA0HYZxxlUrbm1
+ voABTNkU7lb5W9Z7GQ/VDugd8QeKNK8YWOaQ
+ Tdl79jkL1rQKXw== )
+ 3600 RRSIG CDNSKEY 13 2 3600 (
+ 20601231235959 20201012144623 59324 example.com.
+ sd+fzJmLLIoFIcbKCJ+rHE+tOs0PwHjjY9ml
+ Dsbel1k5sANI4xR8iMv6YAEhcpvb0S+8Nd7h
+ 7BT45SkKVtyFsQ== )
+dns2.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 13 3 3600 (
+ 20601231235959 20201012144623 39533 example.com.
+ VGa9LkgVATBLHOwMBNc6g74iXCCSXnWWNs8O
+ ndoXk4ZMMRRkmaxSWXH2pBdJLZPL5f26aEVl
+ 4toVcsE722LoFA== )
+ 7200 NSEC example.com. A RRSIG NSEC
+ 7200 RRSIG NSEC 13 3 7200 (
+ 20601231235959 20201012144623 39533 example.com.
+ i+94RvIQBBEOza7Y963huNEWYrqt/VT/eE1E
+ Gqx5kngvZgZ7wO8tcOsaE7ctb69SvgZwRR9c
+ RBgb2N6ezo9OxA== )
diff --git a/tests/knot/semantic_check_data/cdnskey.delete.invalid.cds b/tests/knot/semantic_check_data/cdnskey.delete.invalid.cds
new file mode 100644
index 0000000..9d63eb9
--- /dev/null
+++ b/tests/knot/semantic_check_data/cdnskey.delete.invalid.cds
@@ -0,0 +1,113 @@
+example.com. 3600 IN SOA dns2.example.com. hostmaster.example.com. (
+ 2010135808 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 1209600 ; expire (2 weeks)
+ 7200 ; minimum (2 hours)
+ )
+ 3600 RRSIG SOA 13 2 3600 (
+ 20601231235959 20201012144646 56106 example.com.
+ 1CRyeUic9BIwBWcjk95VQJktQng6f3dLQm64
+ JwGGqivUM3Hgp7URguNIx0BsCvfo67NIpk7N
+ mMIFwMkMGOHmgg== )
+ 3600 NS dns2.example.com.
+ 3600 RRSIG NS 13 2 3600 (
+ 20601231235959 20201012144646 56106 example.com.
+ pB4+Z3ltuzY+/NkAeCb9LOS7Zlh7QLfHKimR
+ JPtvdOuIhd8vB0NZLzcYX0lIkrqyP3LadbrS
+ u8r9BMIlu4cKpg== )
+ 3600 MX 10 mail.example.com.
+ 3600 RRSIG MX 13 2 3600 (
+ 20601231235959 20201012144646 56106 example.com.
+ x8XhP7r3/glI7AenoSLVmfqhZXQfj6YllgxA
+ jkVxExiM9OJZOPdyeDTuRyUD1PFiBOEsP7Wu
+ vNgWA9eyQFOslA== )
+ 7200 NSEC dns2.example.com. NS SOA MX RRSIG NSEC DNSKEY CDS CDNSKEY
+ 7200 RRSIG NSEC 13 2 7200 (
+ 20601231235959 20201012144646 56106 example.com.
+ TCn7V7sHR2TNY5ywyEpbYZMegZwTX+I/TPeO
+ 76D3WORu9pN0kJWjGPAebwTvL/a7p8xS8B9U
+ X9ivUVFORG+mJA== )
+ 3600 DNSKEY 256 3 8 (
+ AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVw
+ YkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH
+ 1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6
+ jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEe
+ CUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
+ ) ; ZSK; alg = RSASHA256 ; key id = 48849
+ 3600 DNSKEY 256 3 13 (
+ cOjtacSzGkoh6bO4clqYPM2y+g5ezQUtCNdx
+ iRqickHCvQnL9OM/h7V8txqEsSulG5ZCeW+O
+ LDhDQDUchpNv7A==
+ ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 56106
+ 3600 DNSKEY 257 3 8 (
+ AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+ oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+ 2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+ mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+ x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+ bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+ mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+ odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+ tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+ EHYAd/AP8YgaovS8N1fJyh0=
+ ) ; KSK; alg = RSASHA256 ; key id = 53851
+ 3600 DNSKEY 257 3 8 (
+ AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKf
+ jqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4
+ IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la
+ 7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU8
+ 0AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbm
+ LIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpM
+ CLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRn
+ dpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs
+ 9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n
+ /4lgdSiBtvByLCXoWEYIGRs=
+ ) ; KSK; alg = RSASHA256 ; key id = 19420
+ 3600 DNSKEY 257 3 13 (
+ pB2mCNXFJ8e+UaMeMmy1LSCv6TJ92Fs3kFxY
+ I8NyZPyGvfePpMlzWZr7Bw7wS6G6Jhayhj94
+ MMJ4lM/5+ZzVJw==
+ ) ; KSK; alg = ECDSAP256SHA256 ; key id = 45911
+ 3600 RRSIG DNSKEY 13 2 3600 (
+ 20601231235959 20201012144646 45911 example.com.
+ uOAPEzDkPNI9Uo2N+iiRkIb2p1Y0VhgqwUom
+ +Dssd6X0CEdQEmD8YQ43Cuq9ZNwk8Bm+lgm3
+ X+ImdIKeE4MvNQ== )
+ 3600 CDS 0 0 0 (
+ 01 )
+ 3600 RRSIG CDS 13 2 3600 (
+ 20601231235959 20201012144646 45911 example.com.
+ IN5tLpm7OKjIL4VpucR1ero1Gv5UEyVqjzB9
+ rRJefwUtlZFKNaTbU0oQD33vQXEjUiIMr66b
+ zIC3Ju/YtYFDLg== )
+ 3600 RRSIG CDS 13 2 3600 (
+ 20601231235959 20201012144646 56106 example.com.
+ f8VJa9GRwSWNmg0AR4nA3OD4X8im7BriZjME
+ 2ypYUOJkdIafolyb0LDz7XWTaVsFHQWO0z+J
+ 14g0CgCroTm3pQ== )
+ 3600 CDNSKEY 0 3 0 (
+ AA==
+ ) ; ZSK; alg = 0 ; key id = 768
+ 3600 RRSIG CDNSKEY 13 2 3600 (
+ 20601231235959 20201012144646 45911 example.com.
+ 89oeIQuH82i2RYIj/fnX/71s8kspDHcI8lIa
+ R02OZZ9bF37bi6LbGkypdXpmxN9/rEjk4ThF
+ IHRX2USEPtl+wQ== )
+ 3600 RRSIG CDNSKEY 13 2 3600 (
+ 20601231235959 20201012144646 56106 example.com.
+ Hgf4SgtoV0IHsF6feSP8YqeibPTtwZelLpLs
+ hux/D94MFKtYa6OseyzT3qIDdixav+mlI2ud
+ 0JyflYZ6MCBlxg== )
+dns2.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 13 3 3600 (
+ 20601231235959 20201012144646 56106 example.com.
+ XdhVQ3Na3LsvdtT2HwdsM3ItiD3UH0HO6TZD
+ W6/jy8r0NA6fTN4b4oVr6wSqHAQIQVYUbWER
+ 7pav2Ek03LDa0Q== )
+ 7200 NSEC example.com. A RRSIG NSEC
+ 7200 RRSIG NSEC 13 3 7200 (
+ 20601231235959 20201012144646 56106 example.com.
+ dVTxTNAfZy5sa0SW8eme+KMx3hByBnPIrRlF
+ zGDsGN1Xzw3OBhsTmuOwhbnZSnnvdBrhBOJw
+ 8eU/6zpcZypyFQ== )
diff --git a/tests/knot/semantic_check_data/cdnskey.invalid b/tests/knot/semantic_check_data/cdnskey.invalid
new file mode 100644
index 0000000..6937db5
--- /dev/null
+++ b/tests/knot/semantic_check_data/cdnskey.invalid
@@ -0,0 +1,123 @@
+example.com. 3600 IN SOA dns2.example.com. hostmaster.example.com. (
+ 2010135808 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 1209600 ; expire (2 weeks)
+ 7200 ; minimum (2 hours)
+ )
+ 3600 RRSIG SOA 13 2 3600 (
+ 20601231235959 20201012144725 7800 example.com.
+ fIUb0+hjrELDVphcGgDZemNVpq1TBgyTt184
+ 9YnzaAhADynsscEd5iZRjuA5r7mlI/M9fFtU
+ l6wpEmqAs7sG5w== )
+ 3600 NS dns2.example.com.
+ 3600 RRSIG NS 13 2 3600 (
+ 20601231235959 20201012144725 7800 example.com.
+ 86HnJEU3jP+bL9JmnY+2TGwna7DGtUVvgdhu
+ slzGQWN3EHb51vx1fHQGGfQlJ4P4ch5US3TE
+ 1rd/OKNUBE+p7w== )
+ 3600 MX 10 mail.example.com.
+ 3600 RRSIG MX 13 2 3600 (
+ 20601231235959 20201012144725 7800 example.com.
+ 33SrrSRr8KwasK7qfxYAPxP//dj8Y9i95oza
+ 2Fwvt23QxfZS3TBLqMyMA6G/nmXyavUxsye8
+ C+mks7QsS7HJCA== )
+ 7200 NSEC dns2.example.com. NS SOA MX RRSIG NSEC DNSKEY CDS CDNSKEY
+ 7200 RRSIG NSEC 13 2 7200 (
+ 20601231235959 20201012144725 7800 example.com.
+ WRb17ehBEEjIVl//Zw8vtDmbnTY6eLWe2KQ2
+ +E+pCMEK0QE1qXwcethJ9PkM+gKFmN9RscXH
+ DjrmWIAfgndjsA== )
+ 3600 DNSKEY 256 3 8 (
+ AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVw
+ YkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH
+ 1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6
+ jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEe
+ CUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
+ ) ; ZSK; alg = RSASHA256 ; key id = 48849
+ 3600 DNSKEY 256 3 13 (
+ VxRHPS89GaMJvJ1xL8/HulwW75tDXUZ6nYlI
+ 8VCFOMB7vU+SoZhaaoZu4YcCZqzjzfZLl8Lt
+ SEaXZPQbnpkhyA==
+ ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 7800
+ 3600 DNSKEY 257 3 8 (
+ AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+ oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+ 2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+ mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+ x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+ bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+ mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+ odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+ tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+ EHYAd/AP8YgaovS8N1fJyh0=
+ ) ; KSK; alg = RSASHA256 ; key id = 53851
+ 3600 DNSKEY 257 3 8 (
+ AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKf
+ jqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4
+ IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la
+ 7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU8
+ 0AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbm
+ LIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpM
+ CLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRn
+ dpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs
+ 9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n
+ /4lgdSiBtvByLCXoWEYIGRs=
+ ) ; KSK; alg = RSASHA256 ; key id = 19420
+ 3600 DNSKEY 257 3 13 (
+ MWndPmlRdffYHO8Z2quMkXq80Nm3PNmWpTix
+ xJLJ71Oph+ta4XaTuiza6AQgVkCSzrfwoTuJ
+ UKHL13s4/IrRGg==
+ ) ; KSK; alg = ECDSAP256SHA256 ; key id = 46605
+ 3600 RRSIG DNSKEY 13 2 3600 (
+ 20601231235959 20201012144725 46605 example.com.
+ GRVgc202uXoxu8f36V/Tc4r9BzCKK07SCmS6
+ MCJ+mXO7PCv4RIzN9Dp8t6sVuDb5smLe6cV6
+ 5lgyPYJwr1TVJA== )
+ 3600 CDS 53851 8 2 (
+ 668159D684EC387C948E6F4B0AC9AA01481C
+ CEBF7570AFEC582897E7725122D6 )
+ 3600 RRSIG CDS 13 2 3600 (
+ 20601231235959 20201012144725 7800 example.com.
+ r+OpHWsZ0enCPKtUIZFXSb/8YbLdfYb3Ihpt
+ n/5kAWbOkkkVzAJX2/sCrVExMCVcP/nFSIIf
+ hACGKBjTvuLFLA== )
+ 3600 RRSIG CDS 13 2 3600 (
+ 20601231235959 20201012144725 46605 example.com.
+ buNL2/GqYvtwcXMPSiOeaEB5L6r5InyVxzaJ
+ 1PaaJigmJHbdNKGFl8ijDiH7WBdQECb8M3oU
+ zeuWGebSLuy0AQ== )
+ 3600 CDNSKEY 257 3 8 (
+ AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+ oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+ 2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+ mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+ x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+ bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+ mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+ odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+ tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+ EHYAd/AP8YgaovS8N1fJyh0=
+ ) ; KSK; alg = RSASHA256 ; key id = 53851
+ 3600 RRSIG CDNSKEY 13 2 3600 (
+ 20601231235959 20201012144725 7800 example.com.
+ wYB3zuX5/bt3Pg2nz9F0j6MK1bkY19QvDcRb
+ pk/0rHXLbSjTepbIwy8O0KbJndHy+a70fN5p
+ 3dBGN5J56KymFg== )
+ 3600 RRSIG CDNSKEY 13 2 3600 (
+ 20601231235959 20201012144725 46605 example.com.
+ pXWJCUC0kKqWpjZetDhGJLNPpXGqc8sJZ9wY
+ HKs4Sd734p+Gr45vnJ94pGYjjtZi9bwPo2nF
+ DmFP5K3NLACG+Q== )
+dns2.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 13 3 3600 (
+ 20601231235959 20201012144725 7800 example.com.
+ Khv6ptUd4l4SgJI/H+L6Ls/gQHnmmQJcg0fB
+ xv7zECmQfQFguVIJ1bmoz4jP26ejsNH1pG+o
+ Wz9U7I5oWsDzYg== )
+ 7200 NSEC example.com. A RRSIG NSEC
+ 7200 RRSIG NSEC 13 3 7200 (
+ 20601231235959 20201012144725 7800 example.com.
+ z8omQAty9S0cNyFATnM8DZ+RbMly/7staAmc
+ RF+PmOp/E7FtdKOZe5+ega/+aQV9VpePYXMA
+ UwmIeeYYU2pAJQ== )
diff --git a/tests/knot/semantic_check_data/cdnskey.invalid.param b/tests/knot/semantic_check_data/cdnskey.invalid.param
new file mode 100644
index 0000000..2814ddd
--- /dev/null
+++ b/tests/knot/semantic_check_data/cdnskey.invalid.param
@@ -0,0 +1,123 @@
+example.com. 3600 IN SOA dns2.example.com. hostmaster.example.com. (
+ 2010135808 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 1209600 ; expire (2 weeks)
+ 7200 ; minimum (2 hours)
+ )
+ 3600 RRSIG SOA 13 2 3600 (
+ 20601231235959 20201012144756 33730 example.com.
+ tBomI7xR670RBUw9IjNL2A5eMVKtYqDUdhiq
+ XJI3CFdb4j6plfdUF75SfaiCP70aLX8Atzxm
+ 2RAzpR6M2Q3gbQ== )
+ 3600 NS dns2.example.com.
+ 3600 RRSIG NS 13 2 3600 (
+ 20601231235959 20201012144756 33730 example.com.
+ 8mHEeq/7fnXpM/CaOFsIqTKyTrixQVZr8V+P
+ Lwn641YbbKniEP+KacrJ7Ul2jt2jCT2cnxC0
+ b9XicHENmd0phA== )
+ 3600 MX 10 mail.example.com.
+ 3600 RRSIG MX 13 2 3600 (
+ 20601231235959 20201012144756 33730 example.com.
+ f8ZdC3vD/oIltQLyL4zBmwo9rRyijN183BGw
+ L6iZ6DnH4BASlUyrGa0IceRH4yD5pP+gnhCc
+ lBzWFgvtEIyPPQ== )
+ 7200 NSEC dns2.example.com. NS SOA MX RRSIG NSEC DNSKEY CDS CDNSKEY
+ 7200 RRSIG NSEC 13 2 7200 (
+ 20601231235959 20201012144756 33730 example.com.
+ UK+oQx75Gdn82LKBzht8KxrtwPE5JCBhEMcR
+ hRhHTeMqRUjbbeEOSWRdjg/36329yNYrxC60
+ l7bBcqolo9dDmw== )
+ 3600 DNSKEY 256 3 8 (
+ AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVw
+ YkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH
+ 1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6
+ jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEe
+ CUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
+ ) ; ZSK; alg = RSASHA256 ; key id = 48849
+ 3600 DNSKEY 256 3 13 (
+ kr0M2egbhUXhH0i6fYiSl+zRH1pU7XhamCdO
+ nPhMEgFa3CsGp61kCuZFulpY0ODh8WrAPZcO
+ qC0tCj5Bz7nWZQ==
+ ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 33730
+ 3600 DNSKEY 257 3 8 (
+ AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+ oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+ 2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+ mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+ x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+ bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+ mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+ odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+ tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+ EHYAd/AP8YgaovS8N1fJyh0=
+ ) ; KSK; alg = RSASHA256 ; key id = 53851
+ 3600 DNSKEY 257 3 8 (
+ AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKf
+ jqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4
+ IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la
+ 7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU8
+ 0AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbm
+ LIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpM
+ CLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRn
+ dpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs
+ 9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n
+ /4lgdSiBtvByLCXoWEYIGRs=
+ ) ; KSK; alg = RSASHA256 ; key id = 19420
+ 3600 DNSKEY 257 3 13 (
+ 7fs6TMYYlkkxI1PCunVT9dxcxWVGXu1N7xVv
+ 2EUyVYMXSn/Z04URNTaxXcoWuDafy99G8rcT
+ oPycl2oOhc+s0w==
+ ) ; KSK; alg = ECDSAP256SHA256 ; key id = 60664
+ 3600 RRSIG DNSKEY 13 2 3600 (
+ 20601231235959 20201012144756 60664 example.com.
+ WpjHrB8ZfAhOSjq79gAaPEiQgSxvEatTi8nC
+ AYYpGs4dc1n54iYZ4IjCfMW/etlkZsMzXbVE
+ s6t+Dj/gJ3JKZg== )
+ 3600 CDS 53851 4 2 (
+ 6F8129D687EC387C948E6F4B0AC9AA01481C
+ CEBF7570AFEC582897E7725122D6 )
+ 3600 RRSIG CDS 13 2 3600 (
+ 20601231235959 20201012144756 33730 example.com.
+ IAgBYDhTIYQvmF2vUy72TWoRlPJQGyGErJuT
+ 0xxZDStaSfoAVM3Hr6VEqIq7R3B+Xel/urDM
+ WYUbIAinEnvpOw== )
+ 3600 RRSIG CDS 13 2 3600 (
+ 20601231235959 20201012144756 60664 example.com.
+ IpzPg5fx+O1HUqjN0lR1Bbo6Zx/Lq1wrrJvv
+ Y518ooGelg8Q2wH7NgScsyhLY342+MHk0fKX
+ RcxRzfaFohiEZg== )
+ 3600 CDNSKEY 257 3 8 (
+ AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+ oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+ 2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+ mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+ x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+ bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+ mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+ odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+ tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+ EHYAd/AP8YgaovS8N1fJyh0=
+ ) ; KSK; alg = RSASHA256 ; key id = 53851
+ 3600 RRSIG CDNSKEY 13 2 3600 (
+ 20601231235959 20201012144756 33730 example.com.
+ WMqSVG8Tcq7e5E2y8oHThr6Ip7ASu/35m10m
+ TzsEANrlFf0e1Z6XG5ca/6//NSolXoTu6jBx
+ 2kvnsX2bA222PA== )
+ 3600 RRSIG CDNSKEY 13 2 3600 (
+ 20601231235959 20201012144756 60664 example.com.
+ LLGAWxuAhlKM/3i9+FFGngy6Zqo6NsxdXScR
+ wgVe3Ilw+3vU/Nih70uRE/xUjZpfFBOlMEk6
+ EBSf/DJr6awY/A== )
+dns2.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 13 3 3600 (
+ 20601231235959 20201012144756 33730 example.com.
+ mpcGxsR9c/K6wuaJCeFds1kg0af6Xj8K24o6
+ FHzqn60w7HXXNnDjxS0jPTHpaVUkWhuKUcCR
+ 9EcvMW7uwVfULQ== )
+ 7200 NSEC example.com. A RRSIG NSEC
+ 7200 RRSIG NSEC 13 3 7200 (
+ 20601231235959 20201012144756 33730 example.com.
+ gLwhcu1t0qloiWb5/XHuv0PAQZ+ChmDdMuMS
+ qS3hi0VPk9cscMjd7ZH7shJBH+9KKMI6YbMz
+ VGU4MSCj5/kT0A== )
diff --git a/tests/knot/semantic_check_data/cdnskey.nocdnskey b/tests/knot/semantic_check_data/cdnskey.nocdnskey
new file mode 100644
index 0000000..a7bac63
--- /dev/null
+++ b/tests/knot/semantic_check_data/cdnskey.nocdnskey
@@ -0,0 +1,101 @@
+example.com. 3600 IN SOA dns2.example.com. hostmaster.example.com. (
+ 2010135808 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 1209600 ; expire (2 weeks)
+ 7200 ; minimum (2 hours)
+ )
+ 3600 RRSIG SOA 13 2 3600 (
+ 20601231235959 20201012144854 39620 example.com.
+ 0JDLQ/bZj4SSmqvLPAzt1v/UUb8mfJQnuLC9
+ B1CL4oRD45Hw00KgmbE7xgJVflYZJxfx7KIw
+ ydsB0/1/dMJzbA== )
+ 3600 NS dns2.example.com.
+ 3600 RRSIG NS 13 2 3600 (
+ 20601231235959 20201012144854 39620 example.com.
+ Mnk/oSM7sdAhGYbWUMLpYFR1ahcvULo/8z42
+ giRwzAX8HiqvxxkqRCFbvzYeRkZLLw0fYTeR
+ Mqit0zQuWuc0ow== )
+ 3600 MX 10 mail.example.com.
+ 3600 RRSIG MX 13 2 3600 (
+ 20601231235959 20201012144854 39620 example.com.
+ qPQblbJyzHdmhqYhYx4wfUHWe3SYGUA65hZR
+ UFYcx99Vhs1CXUobjCk9NBedRbBHR04kQ5Bo
+ /72fhuCPJFIC1Q== )
+ 7200 NSEC dns2.example.com. NS SOA MX RRSIG NSEC DNSKEY CDS
+ 7200 RRSIG NSEC 13 2 7200 (
+ 20601231235959 20201012144854 39620 example.com.
+ H5So5m0YdxOBU3k0+pi6KOgPNF2V4hU+GLxa
+ c0JdGnALP4Wz6lWCdMRPXIaMjImb3TK9vFti
+ 89lB/2MMDe4dTw== )
+ 3600 DNSKEY 256 3 8 (
+ AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVw
+ YkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH
+ 1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6
+ jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEe
+ CUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
+ ) ; ZSK; alg = RSASHA256 ; key id = 48849
+ 3600 DNSKEY 256 3 13 (
+ 6R8b9KzH06NQ/4AUqrmp8rFmY0AmHpbW/vhj
+ xLul6ON720xvdeKBzi0nLSeTdUO8/gK8s8jh
+ RmJ8Fw279eXXZQ==
+ ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 39620
+ 3600 DNSKEY 257 3 8 (
+ AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+ oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+ 2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+ mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+ x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+ bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+ mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+ odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+ tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+ EHYAd/AP8YgaovS8N1fJyh0=
+ ) ; KSK; alg = RSASHA256 ; key id = 53851
+ 3600 DNSKEY 257 3 8 (
+ AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKf
+ jqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4
+ IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la
+ 7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU8
+ 0AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbm
+ LIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpM
+ CLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRn
+ dpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs
+ 9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n
+ /4lgdSiBtvByLCXoWEYIGRs=
+ ) ; KSK; alg = RSASHA256 ; key id = 19420
+ 3600 DNSKEY 257 3 13 (
+ hfwsa6JnfqjMRma2PlO+gt8qqLytVIygLZHB
+ 5APAuz2cheZCMD8A2kyt5NziCCj6szmCK4oZ
+ fColPGaDgYtpmA==
+ ) ; KSK; alg = ECDSAP256SHA256 ; key id = 6821
+ 3600 RRSIG DNSKEY 13 2 3600 (
+ 20601231235959 20201012144854 6821 example.com.
+ UbEQQoX5j1FVOqpkQBqckaG4WnCd7+4dBJax
+ 5sgjHQnfSSwKGfJx0zxd3ZbPCEKj+Ymrhpsm
+ nqfPzVRZhUPKuQ== )
+ 3600 CDS 53851 8 2 (
+ 6F8129D687EC387C948E6F4B0AC9AA01481C
+ CEBF7570AFEC582897E7725122D6 )
+ 3600 RRSIG CDS 13 2 3600 (
+ 20601231235959 20201012144854 6821 example.com.
+ Sc/K9xI1C9rzujnllO5o7sKoJiEKFUEfPxt8
+ gsxs3sb9Q1s0/uSocrPc2OcaLgEzuFGS5FzA
+ fg7HcgZN63I5TA== )
+ 3600 RRSIG CDS 13 2 3600 (
+ 20601231235959 20201012144854 39620 example.com.
+ ykGu61Yjp24MJjp0wIYV20LSQ9ovRHT0zqp2
+ CSvlROIVpbUGlNjAAKJdWwYJAqNUD571gJ7E
+ TkhrLEIX02ySqw== )
+dns2.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 13 3 3600 (
+ 20601231235959 20201012144854 39620 example.com.
+ ye5pM/p8OWbdRNhLfbfWsY6lG8lr0Ae80LKv
+ rVOCMhAowrtKmDL6hUByovCV7MjCIYwGM26C
+ Vl9CRmrWwJEULw== )
+ 7200 NSEC example.com. A RRSIG NSEC
+ 7200 RRSIG NSEC 13 3 7200 (
+ 20601231235959 20201012144854 39620 example.com.
+ JHP3TuxCuZ+N0lWtRI7Xl0qIcHSrn/X+WDUr
+ 0cVBfQTsFrAZs14bJhvw0zMGgONAgnFsXlxg
+ QmAqIPmpRvKtnA== )
diff --git a/tests/knot/semantic_check_data/cdnskey.nocds b/tests/knot/semantic_check_data/cdnskey.nocds
new file mode 100644
index 0000000..ecb3188
--- /dev/null
+++ b/tests/knot/semantic_check_data/cdnskey.nocds
@@ -0,0 +1,110 @@
+example.com. 3600 IN SOA dns2.example.com. hostmaster.example.com. (
+ 2010135808 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 1209600 ; expire (2 weeks)
+ 7200 ; minimum (2 hours)
+ )
+ 3600 RRSIG SOA 13 2 3600 (
+ 20601231235959 20201012144849 42608 example.com.
+ GDfM/H4m+FRVp3M/KsOv//eMFaL1LnyrIi8O
+ pUSht1KyYDRoVqSL72XTy1aAJJ49Sd0uq+4U
+ acekI3Xi9OpvXg== )
+ 3600 NS dns2.example.com.
+ 3600 RRSIG NS 13 2 3600 (
+ 20601231235959 20201012144849 42608 example.com.
+ ICtOUMZr415dJb22HWsrjbYfW7q6hh6gxD2i
+ EikMQAkPncdBHHd7dCrjy1/4CPhixn/BnDfV
+ ZwF87k2Sa7EV8w== )
+ 3600 MX 10 mail.example.com.
+ 3600 RRSIG MX 13 2 3600 (
+ 20601231235959 20201012144849 42608 example.com.
+ IokJy9LCiCaOPsluuBKYnwkesiPwsU/KZdA9
+ jK25UmdfD1uU8AA63OOciTZQSv9NI+Q4nzl3
+ LyqkRWFKToMz9A== )
+ 7200 NSEC dns2.example.com. NS SOA MX RRSIG NSEC DNSKEY CDNSKEY
+ 7200 RRSIG NSEC 13 2 7200 (
+ 20601231235959 20201012144849 42608 example.com.
+ kuhtgHhoeIwJ8IG08x+Tp5M7kQ+LzWoH/hTs
+ V17ZSyPD06YvMEmv9vdB+ATLd+j3uNYnMd4n
+ HW7Jh/ocOWg6+Q== )
+ 3600 DNSKEY 256 3 8 (
+ AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVw
+ YkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH
+ 1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6
+ jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEe
+ CUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
+ ) ; ZSK; alg = RSASHA256 ; key id = 48849
+ 3600 DNSKEY 256 3 13 (
+ p9BANIrBFV9hX2qwbzydeiubQkm9qstpzvUe
+ OFMDOEyyQxI+8s2nfHI76KmRliHuM7fOM9B5
+ e8wNmEeVd9JJmQ==
+ ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 42608
+ 3600 DNSKEY 257 3 8 (
+ AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+ oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+ 2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+ mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+ x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+ bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+ mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+ odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+ tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+ EHYAd/AP8YgaovS8N1fJyh0=
+ ) ; KSK; alg = RSASHA256 ; key id = 53851
+ 3600 DNSKEY 257 3 8 (
+ AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKf
+ jqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4
+ IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la
+ 7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU8
+ 0AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbm
+ LIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpM
+ CLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRn
+ dpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs
+ 9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n
+ /4lgdSiBtvByLCXoWEYIGRs=
+ ) ; KSK; alg = RSASHA256 ; key id = 19420
+ 3600 DNSKEY 257 3 13 (
+ 5sv4MetMS4KWSgyzvn658Prs0A8tLaWFhRJD
+ E9IznhGY2ogp8Z/uSIqh8QWzf1kQvfDUQiav
+ kOx4CNa3dSx/ZA==
+ ) ; KSK; alg = ECDSAP256SHA256 ; key id = 8616
+ 3600 RRSIG DNSKEY 13 2 3600 (
+ 20601231235959 20201012144849 8616 example.com.
+ DeZBLj99QbyGhalCZ4UOmBJO/RLNgrPsAdaW
+ swYSg18lvE7jmLn9vxkUVZu0G6z43tulSb+a
+ lQT8m+U+PlusNA== )
+ 3600 CDNSKEY 257 3 8 (
+ AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+ oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+ 2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+ mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+ x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+ bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+ mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+ odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+ tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+ EHYAd/AP8YgaovS8N1fJyh0=
+ ) ; KSK; alg = RSASHA256 ; key id = 53851
+ 3600 RRSIG CDNSKEY 13 2 3600 (
+ 20601231235959 20201012144849 8616 example.com.
+ IlysaALuak04Zbh0+104PHAuQgnYDBTLpvz+
+ BgirzX9Vp+pg4yZVelAXsaDbcj2ZrXrwBjpo
+ +DHj53HmZygj4g== )
+ 3600 RRSIG CDNSKEY 13 2 3600 (
+ 20601231235959 20201012144849 42608 example.com.
+ dJhB1Xmd3G1ueRVnFU+M4yc379LH0UrpBcNS
+ xHzjVd+vWtpNGPq03Wi3sczA9UUkXE0F5n22
+ 6ZNR5XAswf+SYw== )
+dns2.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 13 3 3600 (
+ 20601231235959 20201012144849 42608 example.com.
+ 3DTwpPojzX4r9ZWeKo+zmJw+2L/uqrtoAZEv
+ ncPJG0AGB9QVzjLFiRg0BV4GiDZCl2Hh4onl
+ OShOi5Nt0GXp5Q== )
+ 7200 NSEC example.com. A RRSIG NSEC
+ 7200 RRSIG NSEC 13 3 7200 (
+ 20601231235959 20201012144849 42608 example.com.
+ 1m2PpD3S6/5x3Kkes+1JgbHtsm0xlnKrNCmF
+ xeBvCl55D98zSvs0DjfRjFowAg22nWJkvsWo
+ 3N1vnfFZpzmPPA== )
diff --git a/tests/knot/semantic_check_data/cdnskey.nodnskey b/tests/knot/semantic_check_data/cdnskey.nodnskey
new file mode 100644
index 0000000..461e05a
--- /dev/null
+++ b/tests/knot/semantic_check_data/cdnskey.nodnskey
@@ -0,0 +1,111 @@
+example.com. 3600 IN SOA dns2.example.com. hostmaster.example.com. (
+ 2010135808 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 1209600 ; expire (2 weeks)
+ 7200 ; minimum (2 hours)
+ )
+ 3600 RRSIG SOA 13 2 3600 (
+ 20601231235959 20201012144347 19649 example.com.
+ Tng1e4Zs8LvGZJqp75aBSX9Ci9bsncY+w8+K
+ rfYdoVe/Smq0I+Hgtygcq0Twc7llW0rwtZ8R
+ jQpbXbp+XNDi3g== )
+ 3600 NS dns2.example.com.
+ 3600 RRSIG NS 13 2 3600 (
+ 20601231235959 20201012144347 19649 example.com.
+ OcKfgxtnriGsC/9wV9yI71wIVzR+71j3sZ3+
+ ZGVqAo2bWR8QRULa5g5lQpIxlayN7w6xi6vV
+ IVWY3vauy59pPQ== )
+ 3600 MX 10 mail.example.com.
+ 3600 RRSIG MX 13 2 3600 (
+ 20601231235959 20201012144347 19649 example.com.
+ CtZFcGvbco6ZreotcmfSYl8SlRdN/JiSuoOG
+ KtdauRz9+a+xkT2k1Wy6dADfLpwHwXL8yElg
+ /LdNXKEWK96HcQ== )
+ 7200 NSEC dns2.example.com. NS SOA MX RRSIG NSEC DNSKEY CDS CDNSKEY
+ 7200 RRSIG NSEC 13 2 7200 (
+ 20601231235959 20201012144347 19649 example.com.
+ 6GVUlXemDUb6W9IID4qK+PPDSizeURGJEJlN
+ Hoof218/H/k8/BLNphFIGpdhCC2jHnAx2Nxd
+ Af65dTLtt7OBjQ== )
+ 3600 DNSKEY 256 3 8 (
+ AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVw
+ YkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH
+ 1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6
+ jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEe
+ CUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
+ ) ; ZSK; alg = RSASHA256 ; key id = 48849
+ 3600 DNSKEY 256 3 13 (
+ LiJCYpav6haPA3M3GhTZ/L6wtSqS7e9mwKsU
+ TdBkZ71RS8qmXsITLz5bFHMSy7K8mCuQIdTT
+ J3cGkbguNBqgJg==
+ ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 19649
+ 3600 DNSKEY 257 3 8 (
+ AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKf
+ jqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4
+ IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la
+ 7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU8
+ 0AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbm
+ LIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpM
+ CLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRn
+ dpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs
+ 9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n
+ /4lgdSiBtvByLCXoWEYIGRs=
+ ) ; KSK; alg = RSASHA256 ; key id = 19420
+ 3600 DNSKEY 257 3 13 (
+ j18Cd+0frtc1WPeWn8bwdxYd9iTe7XsqTwnO
+ W46ZpPJPGBq/n31+7/N9TRAtXulE2r+rJDRF
+ mMooK5qrWOtqvw==
+ ) ; KSK; alg = ECDSAP256SHA256 ; key id = 24385
+ 3600 RRSIG DNSKEY 13 2 3600 (
+ 20601231235959 20201012144347 24385 example.com.
+ 8O0L6xxTnGMccrMSjaG2/MtljkSOls/BIwoX
+ eUmB9nJvDQNd8jg9XtNYUGG79dmysetBrNQl
+ TohQ1BEVGTJwig== )
+ 3600 CDS 53851 8 2 (
+ 6F8129D687EC387C948E6F4B0AC9AA01481C
+ CEBF7570AFEC582897E7725122D6 )
+ 3600 RRSIG CDS 13 2 3600 (
+ 20601231235959 20201012144347 19649 example.com.
+ CLjvJJOAZVToWUQQX06ySDkKo4QO4YcN2vhl
+ JZZ2a1hA2ranrzpeE8cslGKme5lxHKr8Y1ev
+ ffWfrz8KoQVW+A== )
+ 3600 RRSIG CDS 13 2 3600 (
+ 20601231235959 20201012144347 24385 example.com.
+ TaPgzUzL+fPwEUNyusjCb6OZOF3DtlMNh3eY
+ ZTvogl2eRq84NA+mfzPmh0NXqVDbsVHGHq1B
+ mJoxuMtIt4G5Rg== )
+ 3600 CDNSKEY 257 3 8 (
+ AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+ oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+ 2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+ mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+ x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+ bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+ mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+ odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+ tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+ EHYAd/AP8YgaovS8N1fJyh0=
+ ) ; KSK; alg = RSASHA256 ; key id = 53851
+ 3600 RRSIG CDNSKEY 13 2 3600 (
+ 20601231235959 20201012144347 19649 example.com.
+ 5sY/Q/1tP9qPMAHyQVMtbFQ0gO24rofCLg/D
+ /BaXTvjp5bnWhGuv1wFbSCyEreYr072Va08t
+ JdntIC8Prt/1MQ== )
+ 3600 RRSIG CDNSKEY 13 2 3600 (
+ 20601231235959 20201012144347 24385 example.com.
+ UlLhm8Nb6g0jUIs1ldjW4OedzzLXDjCllRSm
+ +6WQuBK1uA7vboyqYVvLxxyFZCxgz6xV02iK
+ eawtsKsOnlfGCg== )
+dns2.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 13 3 3600 (
+ 20601231235959 20201012144347 19649 example.com.
+ ZRDwnV+YyfKPI58ASagzoCo+qWTscYZZa6j+
+ wr4axJ7jtIO6Firy4R1GlO6NXmN5vcjHAj90
+ NZ26ezRgCMCFQQ== )
+ 7200 NSEC example.com. A RRSIG NSEC
+ 7200 RRSIG NSEC 13 3 7200 (
+ 20601231235959 20201012144347 19649 example.com.
+ c5ILb+AR9BIinFp6mCogN+jwR8067Fm9LT9Y
+ AWaR3pqUC4d+Qdo4pkODLkmhAaSQLJCyPyYB
+ TQ7OFkQCC49MtA== )
diff --git a/tests/knot/semantic_check_data/cdnskey.orphan.cdnskey b/tests/knot/semantic_check_data/cdnskey.orphan.cdnskey
new file mode 100644
index 0000000..70241ab
--- /dev/null
+++ b/tests/knot/semantic_check_data/cdnskey.orphan.cdnskey
@@ -0,0 +1,135 @@
+example.com. 3600 IN SOA dns2.example.com. hostmaster.example.com. (
+ 2010135808 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 1209600 ; expire (2 weeks)
+ 7200 ; minimum (2 hours)
+ )
+ 3600 RRSIG SOA 13 2 3600 (
+ 20601231235959 20201012144945 39996 example.com.
+ pdj652v0OfPO/McP8sNpxoE+adY+Qim5je8m
+ TQPcudU3gm7I2L+YqU/ujX1NUOyhUAhzRng7
+ m6nfrudJebq15g== )
+ 3600 NS dns2.example.com.
+ 3600 RRSIG NS 13 2 3600 (
+ 20601231235959 20201012144945 39996 example.com.
+ 7/X57I7FmbSlgxxeaE3Xgoot7KxN6nxtDb0E
+ mEEZNwdLCpjgaftaXXXM3NaZ1W2sdoECCrlz
+ R4/75kqrmNpYPw== )
+ 3600 MX 10 mail.example.com.
+ 3600 RRSIG MX 13 2 3600 (
+ 20601231235959 20201012144945 39996 example.com.
+ 0tcHIXXPEKy1tpc+Of6s2hTdQ5dGh1IoIoxY
+ se9paUUfhoF2oH5Pb8HP3rNyWLiTqXh4/lxV
+ vFLi4rR5zojxLA== )
+ 7200 NSEC dns2.example.com. NS SOA MX RRSIG NSEC DNSKEY CDS CDNSKEY
+ 7200 RRSIG NSEC 13 2 7200 (
+ 20601231235959 20201012144945 39996 example.com.
+ kbImDj5vgk5VG9MI+4HJ4FtwnJ4ykSbk8vNY
+ e49ibkZChGsTtIzLwdcNAmOk7w/em67FkGBi
+ oxqCj6b3G0C45w== )
+ 3600 DNSKEY 256 3 8 (
+ AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVw
+ YkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH
+ 1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6
+ jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEe
+ CUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
+ ) ; ZSK; alg = RSASHA256 ; key id = 48849
+ 3600 DNSKEY 256 3 13 (
+ R4pG7HF8CbXgbo4N6UqdSnE8CaClNUw6v/di
+ aScNknRS0eLPOKmpANe0tyiwBV1bRQyjpmxq
+ fgZ9Oxac7plIJw==
+ ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 39996
+ 3600 DNSKEY 257 3 8 (
+ AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+ oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+ 2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+ mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+ x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+ bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+ mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+ odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+ tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+ EHYAd/AP8YgaovS8N1fJyh0=
+ ) ; KSK; alg = RSASHA256 ; key id = 53851
+ 3600 DNSKEY 257 3 8 (
+ AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKf
+ jqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4
+ IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la
+ 7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU8
+ 0AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbm
+ LIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpM
+ CLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRn
+ dpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs
+ 9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n
+ /4lgdSiBtvByLCXoWEYIGRs=
+ ) ; KSK; alg = RSASHA256 ; key id = 19420
+ 3600 DNSKEY 257 3 13 (
+ cJdrUmmcxe9JKHwHHAkJ8mO1J63Cm6Qoln56
+ CUya+eWuF1A3u9L3wumvY2rAXvzBpplLXeUN
+ GIN0GgLHejH6QQ==
+ ) ; KSK; alg = ECDSAP256SHA256 ; key id = 56026
+ 3600 RRSIG DNSKEY 13 2 3600 (
+ 20601231235959 20201012144945 56026 example.com.
+ srEjUMAQ4Z/yc22bas+P0ly30IVbZaIIlli9
+ H7avBz013fn90vDRDLiLuHAMvW++xdDJypcg
+ Sr+9I9+nv6jzRA== )
+ 3600 CDS 53851 8 2 (
+ 6F8129D687EC387C948E6F4B0AC9AA01481C
+ CEBF7570AFEC582897E7725122D6 )
+ 3600 RRSIG CDS 13 2 3600 (
+ 20601231235959 20201012144945 39996 example.com.
+ inhdpEZ+2W4EM1HSiVZdJa4xT5S319D0x3b5
+ eJpskw/EV/Rx1X87FCr8FP18iBOszsWJjQQq
+ Z66eAxIhpBcb7A== )
+ 3600 RRSIG CDS 13 2 3600 (
+ 20601231235959 20201012144945 56026 example.com.
+ TA7UxWd+j6bOXKPxo3XuKlIy87/HvIPGoELS
+ WQyrON5IURgGw/2YWD0M5xw852jl27USezzo
+ pai940D3+VGeOQ== )
+ 3600 CDNSKEY 257 3 8 (
+ AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+ oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+ 2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+ mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+ x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+ bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+ mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+ odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+ tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+ EHYAd/AP8YgaovS8N1fJyh0=
+ ) ; KSK; alg = RSASHA256 ; key id = 53851
+ 3600 CDNSKEY 257 3 8 (
+ AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKf
+ jqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4
+ IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la
+ 7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU8
+ 0AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbm
+ LIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpM
+ CLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRn
+ dpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs
+ 9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n
+ /4lgdSiBtvByLCXoWEYIGRs=
+ ) ; KSK; alg = RSASHA256 ; key id = 19420
+ 3600 RRSIG CDNSKEY 13 2 3600 (
+ 20601231235959 20201012144945 39996 example.com.
+ CSk6oHNIsj3XQgXpPtFOhf4dTv/Wu/vnJfJs
+ Lpc3IoApBMxrpSIzfM/c72JtjSVzjJcdo6kL
+ n71WM21CsMcQ4A== )
+ 3600 RRSIG CDNSKEY 13 2 3600 (
+ 20601231235959 20201012144945 56026 example.com.
+ hsml4IaJtzvMdvaMTR3MzeCT5fMHJ46rCY0y
+ 8DTAvK7/Z6LHbF4G7yRh9ozwcyZbB006cMdc
+ 4XUFDtEPK62DGw== )
+dns2.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 13 3 3600 (
+ 20601231235959 20201012144945 39996 example.com.
+ 1cNj6TJEHFxLXFYVt3RU3wC8Wz/F5bfjy8/W
+ jEJdrnVzo1ihmJWoY48e9MlvsGXnGe4+GUrl
+ HSS+2bsGOS7DyA== )
+ 7200 NSEC example.com. A RRSIG NSEC
+ 7200 RRSIG NSEC 13 3 7200 (
+ 20601231235959 20201012144945 39996 example.com.
+ 5mtXYcvidkSnG12dZof3xSEaH2eOsV2fuBvb
+ 8Eb6XEuPfD9v5g2mweyZYrBtowEsTA9IOsly
+ 6AWT5PfZbNAe+Q== )
diff --git a/tests/knot/semantic_check_data/cdnskey.orphan.cds b/tests/knot/semantic_check_data/cdnskey.orphan.cds
new file mode 100644
index 0000000..54732de
--- /dev/null
+++ b/tests/knot/semantic_check_data/cdnskey.orphan.cds
@@ -0,0 +1,138 @@
+example.com. 3600 IN SOA dns2.example.com. hostmaster.example.com. (
+ 2010135808 ; serial
+ 10800 ; refresh (3 hours)
+ 3600 ; retry (1 hour)
+ 1209600 ; expire (2 weeks)
+ 7200 ; minimum (2 hours)
+ )
+ 3600 RRSIG SOA 13 2 3600 (
+ 20601231235959 20201012144942 8996 example.com.
+ ThTlvNtautK64IeJRxNCr5acLrRu8jXkTR3N
+ y5TlXrei2DIagbPja++4vLjhUJAcKTGndD+x
+ wgMrDpCY6pMAYQ== )
+ 3600 NS dns2.example.com.
+ 3600 RRSIG NS 13 2 3600 (
+ 20601231235959 20201012144942 8996 example.com.
+ 3OJiG3v9Nq9OHkyysT3A6PNPRVn9sYTQkHNS
+ 6JL5BzLCQ+uYKJBCu0ZPxDlYpbYnO0HKQ7Ta
+ iZYCjm7vzqtvwA== )
+ 3600 MX 10 mail.example.com.
+ 3600 RRSIG MX 13 2 3600 (
+ 20601231235959 20201012144942 8996 example.com.
+ 9vi3n2cVyr+ghB0ql4Wc8vhpLfAuclopapXw
+ BQV328nEwftj0okcPz4Z7Iye9by4X6NDd13x
+ vzWXDKjZCSxLJg== )
+ 7200 NSEC dns2.example.com. NS SOA MX RRSIG NSEC DNSKEY CDS CDNSKEY
+ 7200 RRSIG NSEC 13 2 7200 (
+ 20601231235959 20201012144942 8996 example.com.
+ HP8iIlUO+EKFRgoHUrQWLcaX8oSGEb/tldEP
+ GcJKM+rGMeJvxXOJnjSskUm7AyRK1TKK4RqE
+ xaOHTgIz1uUkzw== )
+ 3600 DNSKEY 256 3 8 (
+ AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVw
+ YkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH
+ 1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6
+ jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEe
+ CUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
+ ) ; ZSK; alg = RSASHA256 ; key id = 48849
+ 3600 DNSKEY 256 3 13 (
+ bkP3kBcYNsUB6jpKA764AJeNBzGJjNIRPxDl
+ 2wK1O7I/bvZDILscWSMUsSRmxZuPWGLjevpp
+ Tve1UMe+dP9VIA==
+ ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 8996
+ 3600 DNSKEY 257 3 8 (
+ AwEAAaulfU2biYVBiUsGwAyCXbA+gm0yWgH2
+ Z71S16R2YNERlb0he9Od28DcFd0HbaKdFnw/
+ CtX7Z2UWs6/IRu8QmHGn6SKDsLzZ5StdPsJD
+ KilfvSlEcQeqrRAncug1SnA5BogNQSD0/02Y
+ w5KDGn7ALCSYlNgOgy7l+D/urlkuxgsPWvqY
+ XnlxaIcKt96fndwmkfZ5eF+WAqxguaNcvm14
+ 6NA53wRrWx8BQbcHk1R+WcQGqFcVOlifCs9z
+ V+87QJy2H660QKqOVDgt8PF8QmRRJqzOKpu2
+ 9T+Vd1dM3zjBJ7deLaNH2E5p7Bbp1eeOCeOt
+ WpCG6XfaRmZIF3ZWVM6Ways=
+ ) ; KSK; alg = RSASHA256 ; key id = 56474
+ 3600 DNSKEY 257 3 8 (
+ AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+ oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+ 2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+ mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+ x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+ bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+ mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+ odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+ tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+ EHYAd/AP8YgaovS8N1fJyh0=
+ ) ; KSK; alg = RSASHA256 ; key id = 53851
+ 3600 DNSKEY 257 3 8 (
+ AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKf
+ jqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4
+ IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la
+ 7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU8
+ 0AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbm
+ LIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpM
+ CLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRn
+ dpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs
+ 9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n
+ /4lgdSiBtvByLCXoWEYIGRs=
+ ) ; KSK; alg = RSASHA256 ; key id = 19420
+ 3600 DNSKEY 257 3 13 (
+ 1OgEqruDg7pI2dTIRMdP9ihhdl3wFngZW9bP
+ E4jMg4ByKKoKM/C1QN4Q+BQiQDkcprwE9vLf
+ D/cLgFNspjcBgQ==
+ ) ; KSK; alg = ECDSAP256SHA256 ; key id = 63865
+ 3600 RRSIG DNSKEY 13 2 3600 (
+ 20601231235959 20201012144942 63865 example.com.
+ 9d2q8pWH1AftoDmPq3DNblta3oPV+6ROZmVR
+ BvjHj7xJjI27aY514C0qNkQVhioe2mhQjikO
+ gyxvkWwBV/owPg== )
+ 3600 CDS 53851 8 2 (
+ 6F8129D687EC387C948E6F4B0AC9AA01481C
+ CEBF7570AFEC582897E7725122D6 )
+ 3600 CDS 56474 8 2 (
+ 260E7ADB07D1ECC40DEE79EFF6527CF7119C
+ 0AFC1CFA5DAC1ADFE342568CF32D )
+ 3600 RRSIG CDS 13 2 3600 (
+ 20601231235959 20201012144942 8996 example.com.
+ E7iVsJZjRyGbjMUADsi9Chz74+t1W75zTPmm
+ MYVD77dkRHiEpN41MJB6Z7Fn1lNOE6f8q2B5
+ iL/3UXULB1vpwA== )
+ 3600 RRSIG CDS 13 2 3600 (
+ 20601231235959 20201012144942 63865 example.com.
+ fsMqYcBDcTBtaDEqDTYrHHivnuQKb629drhm
+ 77RFfBxFJAxlq176PzaddA++zHfWsBgIlJzy
+ VHFy3S3huuyfaQ== )
+ 3600 CDNSKEY 257 3 8 (
+ AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+ oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+ 2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+ mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+ x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+ bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+ mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+ odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+ tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+ EHYAd/AP8YgaovS8N1fJyh0=
+ ) ; KSK; alg = RSASHA256 ; key id = 53851
+ 3600 RRSIG CDNSKEY 13 2 3600 (
+ 20601231235959 20201012144942 8996 example.com.
+ hhpJcQ4cMcq9fLNtZrTEVAMGB2bjMwcDvv4C
+ Sss9wWDBNxIVOsi4x3j/08PZTqbfmYePWtK8
+ k2R5GOOK1lpVlw== )
+ 3600 RRSIG CDNSKEY 13 2 3600 (
+ 20601231235959 20201012144942 63865 example.com.
+ xU82j/dJf8oBd1Ti2lHH0YoxBvgCQo2MOdwJ
+ yOc6fDrT/c39rCMT//VoDmmKj3SavQ92ABBt
+ 18JqxCXK7+tnYQ== )
+dns2.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 13 3 3600 (
+ 20601231235959 20201012144942 8996 example.com.
+ D3O6XOYrOT1tlCieJJvw7zys0ClqXcCvs5+D
+ qSEpKcE6RNNeJG2d3SJg95fbO+eTkw30MROF
+ ajnNh5xJ+8xsMQ== )
+ 7200 NSEC example.com. A RRSIG NSEC
+ 7200 RRSIG NSEC 13 3 7200 (
+ 20601231235959 20201012144942 8996 example.com.
+ sGBFze6wRGj8n0B8izUNHO2ufA72sR55U3OQ
+ RLYTx2XqBRvdmapMKK6QDu/6lmwqgYMbjiBJ
+ XqDLv/1RP4DisQ== )
diff --git a/tests/knot/semantic_check_data/cname_extra_01.zone b/tests/knot/semantic_check_data/cname_extra_01.zone
new file mode 100644
index 0000000..ae3f27a
--- /dev/null
+++ b/tests/knot/semantic_check_data/cname_extra_01.zone
@@ -0,0 +1,18 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@ IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111218 ; serial
+ 6h ; refresh
+ 1h ; retry
+ 1w ; expire
+ 1d ) ; minimum
+
+ NS dns1
+ MX 10 mail
+
+dns1 A 192.0.2.1
+
+; error CNAME, node contains other records
+email CNAME mail
+ A 192.0.2.2
diff --git a/tests/knot/semantic_check_data/cname_extra_02.signed b/tests/knot/semantic_check_data/cname_extra_02.signed
new file mode 100644
index 0000000..724a8da
--- /dev/null
+++ b/tests/knot/semantic_check_data/cname_extra_02.signed
@@ -0,0 +1,76 @@
+email.example.com. 3600 IN CNAME mail.example.com.
+ 3600 RRSIG CNAME 7 3 3600 (
+ 20840201000000 20160224073150 29600 example.com.
+ IxkF8oqOEzhlZDSRBIi4448EGvQwxm0QDFE3
+ JExA4Byx2QaJvXo8LoCeyQxS/f9E6bXpXQk2
+ 4dgQxUrRZqnKEA== )
+ 86400 NSEC example.com. CNAME RRSIG NSEC A
+ 86400 RRSIG NSEC 7 3 86400 (
+ 20840201000000 20160224073150 29600 example.com.
+ iKA+5qsYA7A7JN7Df99aJnToYESjqordQgVj
+ yMS/1RVBYEGE4y3ggehzAxvc8bsNYnUwGeGt
+ vse5dMVKCcIaPA== )
+; CNAME extra record A
+email.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160224073150 29600 example.com.
+ DummySignatureDEADBEEFToYESjqordQgVj
+ yMS/1RVBYEGE4y3ggehzAxvc8bsNYnUwGeGt
+ vse5dMVKCcIaPA== )
+
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 RRSIG SOA 7 2 3600 (
+ 20840201000000 20160224073150 29600 example.com.
+ MT+QgXcsDzkrFgncNwFyH8lwXiOTpj1rnPgs
+ OUIOfIhyJyzT1hpozAHt+IWOPHUkKjBN1C5y
+ SwyTnlqwJtG0yw== )
+ 3600 NS dns1.example.com.
+ 3600 RRSIG NS 7 2 3600 (
+ 20840201000000 20160224073150 29600 example.com.
+ Mr0Gu7PUu9PsUBflhd8tMhcQ9+ve+z561/ml
+ kP6PL0MHgLg7V8KVmL2tc7+JAhSOVSpJ4BGQ
+ c9HKD15lFDFEgw== )
+ 86400 NSEC dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+ 86400 RRSIG NSEC 7 2 86400 (
+ 20840201000000 20160224073150 29600 example.com.
+ oEMpoEhi86OM/SdyobPEh90zF3c3FhOgv68j
+ paD5BLUsAntf3qU+KoIMb9iVglp+VTGrg0Ol
+ XdJ2D/xSMA+XHA== )
+ 3600 DNSKEY 256 3 7 (
+ AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+ oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+ MFwieWYfDdgUnPxyKMM=
+ ) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+ 3600 DNSKEY 257 3 7 (
+ AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+ exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+ JH9YXitS21LMD0Hqp1s=
+ ) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160224073150 29600 example.com.
+ WOtx+LBKbS2MOahlpDJMqgeH1TI5dZoQitmA
+ SOkDRlJgfPsiKeiaGMrnWN9xnPZOVr9MsInE
+ sKYjh6EZM1nuBQ== )
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160224073150 31323 example.com.
+ nL4eJLv62C56wexu10DMPHqXCXSE/3vRe4es
+ 4e0e1CkY9bdj+LgLfgs7CH7UDNXFX2CxKxHd
+ mL4sp5AtaA8fnQ== )
+dns1.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160224073150 29600 example.com.
+ nn2dG+ORbcNQWHT87ijfOddx0SKCSE+8hAxt
+ SiQQpxAzPw13CZmnbYas8uvFFtth6U689V3h
+ rMzzZcxQEA1z8w== )
+ 86400 NSEC email.example.com. A RRSIG NSEC
+ 86400 RRSIG NSEC 7 3 86400 (
+ 20840201000000 20160224073150 29600 example.com.
+ BFz1Z7dbBNgHXDOaufuCoIzGHbwyLUrA+Wad
+ QBPD9xCYkXHoHfvVOhtEeMR19Rz+fi6ottJI
+ 4AWItiobBC/DAQ== )
diff --git a/tests/knot/semantic_check_data/cname_multiple.zone b/tests/knot/semantic_check_data/cname_multiple.zone
new file mode 100644
index 0000000..971c34f
--- /dev/null
+++ b/tests/knot/semantic_check_data/cname_multiple.zone
@@ -0,0 +1,15 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@ IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111214 ; serial
+ 6h ; refresh
+ 1h ; retry
+ 1w ; expire
+ 1d ) ; minimum
+ NS dns1
+
+dns1 A 192.0.2.1
+
+email CNAME mail
+email CNAME mail2
diff --git a/tests/knot/semantic_check_data/delegation.signed b/tests/knot/semantic_check_data/delegation.signed
new file mode 100644
index 0000000..2007216
--- /dev/null
+++ b/tests/knot/semantic_check_data/delegation.signed
@@ -0,0 +1,43 @@
+; Delegation NS and glue signed despite mustn't.
+
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 NS dns1.example.com.
+ 0 NSEC3PARAM 1 0 10 -
+
+example.com. 3600 DNSKEY 257 3 13 Yk8KOmyVzOij3x+Zs+eT4J2Up9+ipwXEKOhL9fTYY/DU10yIQt+zYm02UFZJX2oVTdHBCajpBFsZLH2X4ho1yw==
+example.com. 3600 DNSKEY 256 3 13 tCoteOM+A4o/A9uxgLyDg3HOg2DClU+3d+1XPQRtTfuaEFOGIpyH6qiFUv2b4DYuvmMyTkL99nxvyhA8yo0Cgg==
+example.com. 3600 RRSIG DNSKEY 13 2 3600 20400406103150 20210205090150 25674 example.com. 4tMK6g2B0ITXf2haSSuH45nO53GlpZQ97ofC5Pd/S38oeNzWmhfxIBaGtb597qxRA2NC7rYtGsscLrCa0sthMA==
+example.com. 3600 RRSIG NS 13 2 3600 20400406102301 20210205085301 61806 example.com. TrCJZgu1hVoUK532mmhQpZcEcPdw4FezPCymtUuQH9XjZNBn3DP/OhM8NvAbtailiOIX/djosTC2cNDlqSoVCQ==
+example.com. 3600 RRSIG SOA 13 2 3600 20400406102301 20210205085301 61806 example.com. h/+XG/WWQsoAuzOM2wiulY8TOslYTj4MyP7Rjj3VXx8frlheIN84yH7NL6Xgt3ibQJpJl7rujkDuoTBH+snnCw==
+example.com. 0 RRSIG NSEC3PARAM 13 2 0 20400406102301 20210205085301 61806 example.com. TYk9hqD6hWA8YH/G3VeggrUHb7CwX3ut5GGiAOcl9o8I0gdMIOu8E1uUukexvJsZAt1Fbcjc7ZIbsUmvgs2MVg==
+deleg.example.com. 3600 RRSIG NS 13 3 3600 20400406102301 20210205085301 61806 example.com. /Xg/3viyTMyd88hcByGifSMHGo3up83exBQQt4FC6qexZffRyNiLrHOfnoz/2LqFMg/oDVCsvqaEomiMM6FlZw==
+dns1.example.com. 3600 RRSIG A 13 3 3600 20400406102301 20210205085301 61806 example.com. zc6VOVGfgoB9C8/0WPHOVrdikBzK6xh25UtrdIYuSzcPWbFlWSsV3+xS1q20MBDb2dj635jcyBWRep+287rDLA==
+deleg.example.com. 3600 RRSIG A 13 3 3600 20400406103429 20210205090429 61806 example.com. 8hcIsHOARI1XXMcPXwtlmQC071+FBH+I0a6CufDbE7nPa38brBKomqTjiYF26K1KZ4IQASw5vvF0lFg3eEOZog==
+
+deleg.example.com. 3600 NS deleg.example.com.
+deleg.example.com. 3600 A 192.0.2.1
+dns1.example.com. 3600 A 192.0.2.1
+ 3600 RRSIG A 13 3 3600 (
+ 20601231235959 20201008173641 61552 example.com.
+ URGzLYXySdeOtXWW5ph64pNedd7/cq0WYcbd
+ nArHBIN2S08knOfV/OHOMDaR7WufUbIF8bPQ
+ FxDkURlAhZbH9A== )
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 3600 IN NSEC3 1 0 10 - (
+ MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938
+ A RRSIG )
+MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938.example.com. 3600 IN NSEC3 1 0 10 - (
+ UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A
+ NS RRSIG )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 3600 IN NSEC3 1 0 10 - (
+ 20G1GOL477RO51RK9A9NFD54TFQAL7IQ
+ NS SOA RRSIG DNSKEY NSEC3PARAM )
+
+20g1gol477ro51rk9a9nfd54tfqal7iq.example.com. 3600 RRSIG NSEC3 13 3 3600 20400406102301 20210205085301 61806 example.com. LUBULY9667EsrOHecNjp2QkW9JJW1fOSyTmleWul7vGFwuNC1mKVUQu3H3V5ndtwzU1YD69oa6eI2DOERmiJXg==
+mjv836rjqej5ubghvksq7n44rso3q938.example.com. 3600 RRSIG NSEC3 13 3 3600 20400406105733 20210205092733 61806 example.com. zYuSttG565eDv3FPeKfZs4FNuJHD204/8nv8cNx+9iqbxMdh5s1XJx4nolWyiOJcBq+G8CmtiuJK6plUs7x67w==
+utqvuhu2blk3dhmrr5t1hd9vteohqt0a.example.com. 3600 RRSIG NSEC3 13 3 3600 20400406102301 20210205085301 61806 example.com. aMivM0YOs4Il/WRWqf3SRzh21nZXau7VIJOpX2NK46qxBCW41N/+J7rXaeAT15ayWNjCHP1YoDwyuC/lVZtCqg==
diff --git a/tests/knot/semantic_check_data/different_signer_name.signed b/tests/knot/semantic_check_data/different_signer_name.signed
new file mode 100644
index 0000000..ff92f7b
--- /dev/null
+++ b/tests/knot/semantic_check_data/different_signer_name.signed
@@ -0,0 +1,52 @@
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 RRSIG SOA 13 2 3600 (
+ 20601231235959 20201008164859 49259 example.com.
+ UH4IJhLwxWI9g2vycAuGAHm5XzsW5LKr6xeI
+ aoaiMeb1pepw9vAWEUO1Byimg7FfhvYpt7+J
+ IhYCvpBb6u3ucA== )
+ 3600 NS dns1.example.com.
+ 3600 RRSIG NS 13 2 3600 (
+ 20601231235959 20201008164859 49259 example.com.
+ ou6B0AgSUxs7//b+c+Gm3XjC83TpgGvRwj9d
+ F48TEZCMRpdvtVNc1hDnNKa8oXA16TafbkqN
+ Z0ekrEo2LlN+hw== )
+ 86400 NSEC dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+ 86400 RRSIG NSEC 13 2 86400 (
+ 20601231235959 20201008164859 49259 example.com.
+ uCzqU8DU8ZMt3t/h0jwZjdVgSj33HhwtGwhE
+ ZglZ0gUVDVLndP5Q+psqlz2jBmiXIN16s/+b
+ di0crJ9LULq0NA== )
+ 3600 DNSKEY 256 3 13 (
+ qWpA6ejmc17FHZTN/YoYX4WdNN32LC2IlBmm
+ n2Yoi16OQ1e2ztEusvQaSwzEMbN2pIzfTIlF
+ YQQ1gzLQAhWIpg==
+ ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 49259
+ 3600 DNSKEY 257 3 13 (
+ rHQi5BOkLnSsZh1v9saRZ38MkzYLL0oGbAK2
+ Dp86tH3lpDqPoR7LM98gyBLZgp81m0YHAYnf
+ 2yK617XStIPw+A==
+ ) ; KSK; alg = ECDSAP256SHA256 ; key id = 3753
+ 3600 RRSIG DNSKEY 13 2 3600 (
+ 20601231235959 20201008164859 3753 example.com.
+ 81C/yn0gxkwOMUWNZPszGow4UyDuDn1V4WQJ
+ NXJfNiTvT6edQ0rQakhJPGgVyH4LIwWJV8Uk
+ fOubCv7BBgu0wg== )
+dns1.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 13 3 3600 (
+ 20601231235959 20201008164859 49259 example.com.
+ x6z2ftS2deCBR9HJeIazQNrDdzw0lEE04UYp
+ npUe2zkIx6aH7MvvgZIjcFTwPOVsI00u7gaU
+ AzuxODSma50TXQ== )
+ 86400 NSEC example.com. A RRSIG NSEC
+; different signer name in RRSIG
+ 86400 RRSIG NSEC 13 3 86400 (
+ 20601231235959 20201008164859 49259 different.com.
+ K/URrUmli54Noy0E3REXBo/g0LZ/8gneyVfa
+ FrGXLB0kvQydPyceL+BFIoJP6d/Gs/0qkUjT
+ vMQfvF0x3bFS3w== )
diff --git a/tests/knot/semantic_check_data/dname_apex_nsec3.signed b/tests/knot/semantic_check_data/dname_apex_nsec3.signed
new file mode 100644
index 0000000..b083ce9
--- /dev/null
+++ b/tests/knot/semantic_check_data/dname_apex_nsec3.signed
@@ -0,0 +1,25 @@
+; Zone without any semantic error
+
+;; Zone dump (Knot DNS 2.6.0)
+example.com. 3600 SOA dns1.com. hostmaster.com. 2010111217 21600 3600 604800 86400
+example.com. 3600 NS dns1.com.
+example.com. 3600 DNAME bar.example.com.
+example.com. 0 CDNSKEY 257 3 13 Yk8KOmyVzOij3x+Zs+eT4J2Up9+ipwXEKOhL9fTYY/DU10yIQt+zYm02UFZJX2oVTdHBCajpBFsZLH2X4ho1yw==
+example.com. 0 CDS 25674 13 2 2EC05563A3537BD32EA3EB92C44794C644F249EE440785CF28207B903E35322D
+example.com. 3600 DNSKEY 256 3 13 tCoteOM+A4o/A9uxgLyDg3HOg2DClU+3d+1XPQRtTfuaEFOGIpyH6qiFUv2b4DYuvmMyTkL99nxvyhA8yo0Cgg==
+example.com. 3600 DNSKEY 257 3 13 Yk8KOmyVzOij3x+Zs+eT4J2Up9+ipwXEKOhL9fTYY/DU10yIQt+zYm02UFZJX2oVTdHBCajpBFsZLH2X4ho1yw==
+example.com. 0 NSEC3PARAM 1 0 10 151E9F1094FE188F
+;; DNSSEC signatures
+example.com. 3600 RRSIG NS 13 2 3600 20400406111136 20210205094136 61806 example.com. WIlxYlV/hn9mfojITrVbIV+Giy9b5pAKofkw62Yli+jIspQ3dC/WWLrM5Y4HcQwTfNp7yuhIS0jPzkuy0xuAxg==
+example.com. 3600 RRSIG SOA 13 2 3600 20400406111136 20210205094136 61806 example.com. z71ipK0zBRKKokzXdoZdtkxGC75MJbwmICNjSfd+IX/hneIGvFE7mTose1Zbb0WGgKRdUMEoii7hLZLrx7waqg==
+example.com. 3600 RRSIG DNAME 13 2 3600 20400406111136 20210205094136 61806 example.com. 5tIYeBwbwpVF0X5ZLoSpHeB8IYLU5/2fFYXqvctZYqTO24T0EBfu+++j66VSERAI38xf2Z0KkYcwx1XeIeivBQ==
+example.com. 3600 RRSIG DNSKEY 13 2 3600 20400406111136 20210205094136 25674 example.com. X3n5YVkjpSpK+IOCkhv/wFmF5WIPHUR2LXkNME84i5S4efvQiRRq/jgqos2f7OgfSi/9Q2Q2x6BiMQ1vx/R+Pw==
+example.com. 0 RRSIG NSEC3PARAM 13 2 0 20400406111136 20210205094136 61806 example.com. gogp8pZycFopDodl4IOfpaKCbLqXw2v+5DcV2YwmHr/pMwrc28bClQxw4HVGcYQ13HpC9kKmzmcrn3dEumTb3A==
+example.com. 0 RRSIG CDS 13 2 0 20400406111136 20210205094136 25674 example.com. zRQEFycg2sNVVB4TOZO8QcMwRwSA7tHJqkc1l9V+WtEdJY8UvYpYPPgAn9FjWMzzhvRMlws89TBSsQzqCemHiQ==
+example.com. 0 RRSIG CDNSKEY 13 2 0 20400406111136 20210205094136 25674 example.com. hLOpPxmKXU//dmQoE5OdCqzWkkJsuBHa8QITWB/A3Tc2CXQTaqFKqTspZvTLOAYKNaSVu6BOLWM7Fi2Bq3I0mQ==
+;; DNSSEC NSEC3 chain
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600 NSEC3 1 1 10 151E9F1094FE188F ple28jlp3q5anh045ssk9f3u7ltd4qlc NS SOA DNAME RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY
+;; DNSSEC NSEC3 signatures
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600 RRSIG NSEC3 13 3 3600 20400406111136 20210205094136 61806 example.com. C3JeKvcKdQO3zTJqg5Z114jTd36tgF7PIL2kCs7X6VnCaVe7E5NtwUuLMLFIw/gUqaLDbE7vQwHMK3Psl536aA==
+;; Written 17 records
+;; Time 2017-10-06 15:58:57 CEST
diff --git a/tests/knot/semantic_check_data/dname_children.zone b/tests/knot/semantic_check_data/dname_children.zone
new file mode 100644
index 0000000..5758833
--- /dev/null
+++ b/tests/knot/semantic_check_data/dname_children.zone
@@ -0,0 +1,16 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@ IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111214 ; serial
+ 6h ; refresh
+ 1h ; retry
+ 1w ; expire
+ 1d ) ; minimum
+ NS dns1
+
+dns1 A 192.0.2.1
+ AAAA 2001:DB8::1
+
+foo DNAME bar
+bar.foo A 192.0.0.1
diff --git a/tests/knot/semantic_check_data/dname_extra_ns.zone b/tests/knot/semantic_check_data/dname_extra_ns.zone
new file mode 100644
index 0000000..e188742
--- /dev/null
+++ b/tests/knot/semantic_check_data/dname_extra_ns.zone
@@ -0,0 +1,16 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@ IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111214 ; serial
+ 6h ; refresh
+ 1h ; retry
+ 1w ; expire
+ 1d ) ; minimum
+ NS dns1
+
+dns1 A 192.0.2.1
+ AAAA 2001:DB8::1
+
+foo DNAME bar
+foo NS dns1
diff --git a/tests/knot/semantic_check_data/dname_multiple.zone b/tests/knot/semantic_check_data/dname_multiple.zone
new file mode 100644
index 0000000..2a6c0a2
--- /dev/null
+++ b/tests/knot/semantic_check_data/dname_multiple.zone
@@ -0,0 +1,16 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@ IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111214 ; serial
+ 6h ; refresh
+ 1h ; retry
+ 1w ; expire
+ 1d ) ; minimum
+ NS dns1
+
+dns1 A 192.0.2.1
+ AAAA 2001:DB8::1
+
+foo DNAME bar1
+foo DNAME bar2
diff --git a/tests/knot/semantic_check_data/dnskey_param_error.signed b/tests/knot/semantic_check_data/dnskey_param_error.signed
new file mode 100644
index 0000000..1a2e936
--- /dev/null
+++ b/tests/knot/semantic_check_data/dnskey_param_error.signed
@@ -0,0 +1,70 @@
+; Zone without any semantic error
+
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 RRSIG SOA 7 2 3600 (
+ 20840201000000 20160229083110 29600 example.com.
+ W9EprjaR4loSnNW96h4rLsquPDw3LHYvD05k
+ djkQofHSkMNZAJ7Q+eA3Fs2ik5fnJFM7wi5C
+ MtFsV2TfqMJFmg== )
+ 3600 NS dns1.example.com.
+ 3600 RRSIG NS 7 2 3600 (
+ 20840201000000 20160229083110 29600 example.com.
+ I9Je1S7XhZIW9C0fWE8NwFLC2rhHklddNYBO
+ dxVKL/lxENU4jPPBwZBGrcYn2WVHgkIzjG0n
+ EOHONAgRFPi3Xw== )
+ 3600 DNSKEY 1 3 7 (
+ AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+ oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+ MFwieWYfDdgUnPxyKMM=
+ ) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+ 3600 DNSKEY 257 5 7 (
+ AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+ exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+ JH9YXitS21LMD0Hqp1s=
+ ) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160229083110 29600 example.com.
+ vO2UQiTN/CNUZOmSEg8kJlR/UqiAZHc4qMwj
+ 9u31sbPmOMuni+ZGuVCFFoEMtZerIkkQowkB
+ sXJFkvCP5oF2rA== )
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160229083110 31323 example.com.
+ Z+aaLu4rmzekfhlj6A0ClREloRi8MloRHf/3
+ Dlw/RYY1hrOCfcZKEY6AXeVdUwESEsSkSOco
+ CbhyGHH10dKAAg== )
+ 0 NSEC3PARAM 1 0 10 -
+ 0 RRSIG NSEC3PARAM 7 2 0 (
+ 20840201000000 20160229083110 29600 example.com.
+ d69kc52VdALI8fbdbflsVsltc1m7bI6QsJ5U
+ IDE9fy5VqcufZecZMKuozPDuF2vBA8ADFIRU
+ OfYgKs6YNIOLWg== )
+deleg.example.com. 3600 IN NS deleg.example.com.
+ 3600 A 192.0.2.1
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 IN NSEC3 1 1 10 - (
+ UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A
+ A RRSIG )
+ 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160229083110 29600 example.com.
+ D24JCtCcNzwsY1FXVliAjxMm+x95N2eUTXn0
+ M8NK5glSk1yLtnAUKzHxpRExAJLGUiaG4yPu
+ 2yGZuqwNvJztzw== )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 IN NSEC3 1 0 10 - (
+ 20G1GOL477RO51RK9A9NFD54TFQAL7IQ
+ NS SOA RRSIG DNSKEY NSEC3PARAM )
+ 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160229083110 29600 example.com.
+ F7y+xW/C7iICgmZeYrF4e7Yx4kWZAZPAMzlu
+ PtWVuf37ySg1VfEWcQcDP04vF2rXVUqSMEcj
+ bqUVN5W8Hoazxw== )
+dns1.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160229083110 29600 example.com.
+ MoYrL/lToC4AHo6KCZRiBRmCMWHUAx2Xt32A
+ P4lDpwA+wiBWkCZSfVTh60AosS/BIGtBb2BK
+ mszMx8CLBvkjRg== )
diff --git a/tests/knot/semantic_check_data/duplicate.signature b/tests/knot/semantic_check_data/duplicate.signature
new file mode 100644
index 0000000..77bf21f
--- /dev/null
+++ b/tests/knot/semantic_check_data/duplicate.signature
@@ -0,0 +1,19 @@
+;; Zone dump (Knot DNS 2.5.0-dev)
+example.com. 3600 SOA dns1.example.com. hostmaster.example.com. 2010112269 10800 3600 1209600 7200
+example.com. 3600 NS dns1.example.com.
+example.com. 3600 DNSKEY 256 3 7 AwEAAd0e6EjJ0PgChDpbjB9QtvJ0ZqwKC/j7wlEOOB9owqefH/taZ37w6QR8Ysvvv2058AflDcCP3qlaOXp+ogq7AhayA+K4kc/UQyTPCe2jXKlX9IB0KAsr8nO9UEXzjYuyBw80Ry86Xxmj7OGYRu8eRm3ruOjVJy8hCrEQ7680an303Iu3Ixnmo8lPTPPMg4dbFXZ/RW6Sanrr/Sy6fre87XY58yywqX9lZOh5eqBeZG9WvU/HycrDkx5AcwD5etVk98tVTnofShY34ePZWDmRHEtvBpMzNObdomgM5we+DawC6P+Z8PFeGz+OgN7WVzkjm+MmYAk1aIeLQyNIE8SyMts=
+example.com. 3600 DNSKEY 257 3 7 AwEAAea81n0wL09ZMejh806rJ0Km3MYC+ySPWnOmV70nEmONbnduRPpXWjYSqFmH5kldfNdCH403kI/YCMYDYBAPFPbhxuZuVBaJJqOQVsI4rpwj+XiANfGFAq9pZ0oA8iH7gSoNUCf6+g2hcP0ajYoqCjUZ7ZZQNytV/x6foW5t5PbyPNeAU1AEKxk2VSg1TMfkccZqTIx1ofS0N102Z4tOBn26judPqLc0tXMCJc7wgekqG04IGe7UWfk9xWtwo2SbtX9diErF8DJ93C17OWkb04n1xCm3i8/XZadA/HrBjfX/NvlHF8qnUQzzxN7UGrvBD4hE12R9ICj4YNFZViOTdvs=
+dns1.example.com. 3600 A 192.0.2.1
+;; DNSSEC signatures
+example.com. 3600 RRSIG NS 7 2 3600 20170403124401 20170403124311 40703 example.com. ltKNDw2O/sIwQUsv3UCKqOtZYvWNJ0mHo2xDxpzZXfAiMbgR4k7jBIkpSEpcBiBlH7EvWom7CYVigPu8Y+j/Jq4uv+wmVF47OVY3YZvuzfprWj+iOQwPlfDJfUPx+U+73SSsZ21B5/+auB5cada730B4gQKmldleVGg5aov4H2+BpEyrsSs2o79qiXNBzLPqrZEmT0nfUAvQC8xhFV/71I8Q5qtfa3vO6DLSOBmBUtAlGKqfpWoZ2w+QDdA6rtOe0haizTZUtghL2ut47bdTR253brhUccL6nnLc5//jTUBToIhmG/p698xLnU9BYnuHIi74xsb3hVr5b46W5gAGKw==
+example.com. 3600 RRSIG SOA 7 2 3600 20170403124401 20170403124311 40703 example.com. E9a+I8HDh6ycTVkFgOWkzbH7PWds7ewp1M5lUci13ZzMVWsJeFW7t1tLnnOtvz2H8pq5/BevPB8iZBA7rHH7GxoQ5P8xrxAO6HvuRZT8O4kYAWRZ0QHhMIvY8f6VqTyoOmzgIGt0nJ3BL/XJgxIiFrsiLyih6+dkckEu62F22+FFvlv49ufKkCo+EUQPCzo7ZYODc8xKWo97SmaADzjfz7Hq9UPHraUgLhNkfBDbI9YPCGKaJaAiqCBy/6ih3SyHxVPLcIz95okeo5AJVszFIS+8pNPZssJBpWsLKYyAGzs2dsliRwS9z+a3wkHXJIfbLX+r3kGhcG4lQMYDz9SrFA==
+example.com. 7200 RRSIG NSEC 7 2 7200 20170403124401 20170403124311 40703 example.com. poh0BT+nUD3sM05axVGC+k7jj1r3YVNcx4bn/0cviNxzCqLY9RGgImPWsmkTgbJpmCox9SHzpTqL8acIQDNZaciNH9WeYKvn7wkap3z6jtCuQRezM3nUx7E37fzbnNC8MUoWkV37y3FSmtiza9l1isrE5dGkNMOsBcPvIp5wrbQ+dH4cMdcgQuW+NDjee6czIeeYtyarBWhq30S2lxroh8VXlrFDTcbiIY4UoGzJDfevvsonNFQXc+p7qq2fU1fyU1e3Ugty9I23g6fLhLcrmflVbYpcgE8/02K4asu5D7x/dOq21OU/jJfeudk66l6CVw7c3Qh/N63jRn8SsCj0Sg==
+example.com. 3600 RRSIG DNSKEY 7 2 3600 20170403124401 20170403124311 5154 example.com. RmAPllqg+CEX+vj5KKmXGYsF8vqbqLoXSYqSOSWbvgWRazKaQU98fpJWdrmqylkR6Xa1fnbvliP4N/0MGremNejsNPvMsJ4GvpyM75Mb4BEf5mwwikW6xov9V/n1AN9grWofj/r5evsZYcxIR7naM9oxV6qJvy8fFIjthG805MO18bYk1/Och2x9TgUf6DTqKNBHQjk1AfrhVvpuLjdNnNT16Ak3izrCLOm2tuNTaflkYkD0n06ZIAsz1krJWztpncA2csnKQmdybSL95wZnFeb6nkmq+P5vk3PuTENIMURYMCNfzBHogLfbVG5HpDhaHkcM2zSe1qATbp9xRZujLw==
+dns1.example.com. 3600 RRSIG A 7 3 3600 20170403124401 20170403124311 40703 example.com. iYfVT+HPDqMyH9f8aLrzNK6sOCoo38tlRJ5tjiko0DOpsWp20LLgVQLvKsTs3SfdC0gYzMVQCgzfDMbAgrEvmm4ZEQT/NSUhcO2t08f6pABn6GSdoswFupi0LGdQmgj/MbOET02OTALh9I6g3Ir1+bF+C10GS/8CYqffO/52IEJylc6AzDCwAjfkI/55hsuv2H8Wp5cqEG5yAlL4fK+U2zQWEuAGOtGbEuzeKcEDV6iiAuFge7ClW+CbB3gQxEhDdx5TQNNAcpzHmum5yfsfcFkIezZqIzEvOQWg1nJVcLvYnuBqyMWv/uGbG4CxTDy49U9JB/6QfilMk38VVcitZA==
+dns1.example.com. 7200 RRSIG NSEC 7 3 7200 20170403124401 20170403124311 40703 example.com. gtRE8TafAp50tzk3rAub93X69pp4J7uPzXPM0UAAp97oVMqcqvuZh80fICLmKl7xShvBx+AYfV+2CoeMW66CXVHTP8CyIjLyi32EGgL75Y2xs55/lEOaMl8hREgxniopCWGX/5vjmY0SBdGWVQVyeQeb0DbTXFWQNw/1LUPueoM1zqGcHFKFt5Y1GidboUEDsNeCmG3ZzGV9/v9sVUezzDK53uaHm8Ojz6E4N7kg6qXDF32ZAxs0dDjh46bsaTNvMLCEXqO2imHx9Omc2wYyCt/roMoeYiulXQ7yHYt0yQuCYwqxxMqJ4z9jvLNdLxH3YZYV0CVUrNgNC/5vtUILsQ==
+dns1.example.com. 3600 RRSIG A 7 3 3600 20170216152943 20170216152853 45258 example.com. j7H3N22L+tqfwuSd4GhIwMyjrFSY3+kypIcOvg0Ipbj4pAHsJOJTiW454Ueq54G/0ntoHxgmGLv3d/EV9prMPPQz8eqtRcYFip2NuEF9bJsIG3SMy+0HolPK+8D7B0MOGFA2TExKNknS7sJy/Jn/yQrf7BHubC61zWnqB+vN7MNlJASXEvy3008oi4FScSsrAVIrZK+z7utY4exkCVfELC7flGenoyPDFR12y8WpN/Tk6q1H37x+EKaQgFj361Bm6f/InPKW8Npn/SNCIJ2DvSWAnj6+2n1mse0sC+rKhRIDMDopu7JzTjpVs9U/p9BY5dtH/3YvST4Vz3syqd1unA==
+;; DNSSEC NSEC chain
+example.com. 7200 NSEC dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+dns1.example.com. 7200 NSEC example.com. A RRSIG NSEC
+;; Written 13 records
+;; Time 2017-04-03 14:43:12 CEST
diff --git a/tests/knot/semantic_check_data/glue_apex_both.missing b/tests/knot/semantic_check_data/glue_apex_both.missing
new file mode 100644
index 0000000..74e37f6
--- /dev/null
+++ b/tests/knot/semantic_check_data/glue_apex_both.missing
@@ -0,0 +1,14 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@ IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111217 ; serial
+ 6h ; refresh
+ 1h ; retry
+ 1w ; expire
+ 1d ) ; minimum
+
+ NS dns1
+ NS dns2
+
+; missing glue for dns1 and dns2
diff --git a/tests/knot/semantic_check_data/glue_apex_one.missing b/tests/knot/semantic_check_data/glue_apex_one.missing
new file mode 100644
index 0000000..47ee797
--- /dev/null
+++ b/tests/knot/semantic_check_data/glue_apex_one.missing
@@ -0,0 +1,16 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@ IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111217 ; serial
+ 6h ; refresh
+ 1h ; retry
+ 1w ; expire
+ 1d ) ; minimum
+
+ NS dns1
+ NS dns2
+
+dns1 A 192.0.2.1
+
+; missing glue for dns2
diff --git a/tests/knot/semantic_check_data/glue_besides.missing b/tests/knot/semantic_check_data/glue_besides.missing
new file mode 100644
index 0000000..38ad890
--- /dev/null
+++ b/tests/knot/semantic_check_data/glue_besides.missing
@@ -0,0 +1,17 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@ IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111217 ; serial
+ 6h ; refresh
+ 1h ; retry
+ 1w ; expire
+ 1d ) ; minimum
+
+ NS dns1
+
+dns1 A 192.0.2.1
+
+deleg NS dns2
+
+; missing glue for dns2
diff --git a/tests/knot/semantic_check_data/glue_deleg.missing b/tests/knot/semantic_check_data/glue_deleg.missing
new file mode 100644
index 0000000..291b450
--- /dev/null
+++ b/tests/knot/semantic_check_data/glue_deleg.missing
@@ -0,0 +1,17 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@ IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111217 ; serial
+ 6h ; refresh
+ 1h ; retry
+ 1w ; expire
+ 1d ) ; minimum
+
+ NS dns1
+
+dns1 A 192.0.2.1
+
+deleg NS ns1.deleg
+
+; missing glue for ns1.deleg
diff --git a/tests/knot/semantic_check_data/glue_in_apex.missing b/tests/knot/semantic_check_data/glue_in_apex.missing
new file mode 100644
index 0000000..a02f6bf
--- /dev/null
+++ b/tests/knot/semantic_check_data/glue_in_apex.missing
@@ -0,0 +1,13 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@ IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111217 ; serial
+ 6h ; refresh
+ 1h ; retry
+ 1w ; expire
+ 1d ) ; minimum
+
+ NS @
+
+; missing glue for @
diff --git a/tests/knot/semantic_check_data/glue_in_deleg.valid b/tests/knot/semantic_check_data/glue_in_deleg.valid
new file mode 100644
index 0000000..42adf6b
--- /dev/null
+++ b/tests/knot/semantic_check_data/glue_in_deleg.valid
@@ -0,0 +1,16 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@ IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111217 ; serial
+ 6h ; refresh
+ 1h ; retry
+ 1w ; expire
+ 1d ) ; minimum
+
+ NS ns2.d
+
+d NS ns1.d
+ns1.d A 1.2.3.4
+
+; glue below another delegation is not mandatory
diff --git a/tests/knot/semantic_check_data/glue_no_foreign.valid b/tests/knot/semantic_check_data/glue_no_foreign.valid
new file mode 100644
index 0000000..4cdcbe0
--- /dev/null
+++ b/tests/knot/semantic_check_data/glue_no_foreign.valid
@@ -0,0 +1,13 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@ IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111217 ; serial
+ 6h ; refresh
+ 1h ; retry
+ 1w ; expire
+ 1d ) ; minimum
+
+ NS foreign.
+
+; glue for foreign. is not mandatory
diff --git a/tests/knot/semantic_check_data/glue_wildcard.valid b/tests/knot/semantic_check_data/glue_wildcard.valid
new file mode 100644
index 0000000..9e36b5e
--- /dev/null
+++ b/tests/knot/semantic_check_data/glue_wildcard.valid
@@ -0,0 +1,22 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@ IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111217 ; serial
+ 6h ; refresh
+ 1h ; retry
+ 1w ; expire
+ 1d ) ; minimum
+
+ NS dns1
+
+dns1 A 1.2.3.4
+
+abc NS a.ns.abc
+deleg1 NS a.ns.abc
+deleg2 NS a.ns.ns.ns.ns.xyz
+
+; wildcard glue
+
+*.ns.abc AAAA ::1
+*.ns.xyz AAAA ::2
diff --git a/tests/knot/semantic_check_data/invalid_ds.signed b/tests/knot/semantic_check_data/invalid_ds.signed
new file mode 100644
index 0000000..2435014
--- /dev/null
+++ b/tests/knot/semantic_check_data/invalid_ds.signed
@@ -0,0 +1,106 @@
+
+
+deleg.example.com. 3600 IN NS deleg.example.com.
+ 3600 A 192.0.2.1
+ 3600 IN DS 60485 5 3 ( 2BB183AF5F22588179A53B0A
+ 98631FAD1A292118 )
+ 3600 IN DS 60485 5 7 ( 2BB183AF5F22588179A53B0A
+ 98631FAD1A292118 )
+
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 IN NSEC3 1 0 10 - (
+ 6DFJITU5VML86QNKU9FO2LJDDQQTQPVT
+ A RRSIG )
+6DFJITU5VML86QNKU9FO2LJDDQQTQPVT.example.com. 86400 IN NSEC3 1 1 10 - (
+ UI312KQOP1NG8IQEIEFNPSLA94KB5Q92
+ A RRSIG )
+UI312KQOP1NG8IQEIEFNPSLA94KB5Q92.example.com. 86400 IN NSEC3 1 0 10 - (
+ UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A
+ A RRSIG)
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 IN NSEC3 1 0 10 - (
+ 20G1GOL477RO51RK9A9NFD54TFQAL7IQ
+ NS SOA RRSIG DNSKEY NSEC3PARAM )
+
+UI312KQOP1NG8IQEIEFNPSLA94KB5Q92.example.com. 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160302125715 29600 example.com.
+ DummySignatureDummySignature4ey0Qcln
+ uquQZT+z2HIdCE9HeslAkTlu/Xt78vF4+3db
+ t2Vno21DkteA+w== )
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160302125715 29600 example.com.
+ DummySignatureDummySignature4ey0Qcln
+ uquQZT+z2HIdCE9HeslAkTlu/Xt78vF4+3db
+ t2Vno21DkteA+w== )
+6DFJITU5VML86QNKU9FO2LJDDQQTQPVT.example.com. 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160302125715 29600 example.com.
+ KElp8dLKBKFzgEFV8r5aP9pCyYUD+Z8rLBA9
+ KkCDm1y82x5T/Cu5UXuZJwhvDGDzwPqoY5Dr
+ Qbiek52n6umbEw== )
+
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160302125715 29600 example.com.
+ DPwNyH7r/4wIBfTGxikNv4pY7omY6IqpQS6Q
+ jtTNuStA+5gk98dvcgRjluxqo/+ZlZz4V53f
+ 1y506ytGbX/q4Q== )
+
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 RRSIG SOA 7 2 3600 (
+ 20840201000000 20160302125715 29600 example.com.
+ bGk1vLxVuJpcEy7n0gPvQVzfanbvINLJLcbD
+ eeie4sXZZAOwu6oQZy6kd8tvKtV4mL0OJzpH
+ XCO6BdZkmk/aQA== )
+ 3600 NS dns1.example.com.
+ 3600 RRSIG NS 7 2 3600 (
+ 20840201000000 20160302125715 29600 example.com.
+ roe4aBp4G3TqQ4x5eRxbVIjApIh17gXDjfOY
+ zvRFLOkrwqKz3eX9WrRiCk3bYNn8s1fuenaQ
+ OSV1D5SL7utX5w== )
+ 3600 DNSKEY 256 3 7 (
+ AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+ oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+ MFwieWYfDdgUnPxyKMM=
+ ) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+ 3600 DNSKEY 257 3 7 (
+ AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+ exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+ JH9YXitS21LMD0Hqp1s=
+ ) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160302125715 29600 example.com.
+ c1yhXb8wRGYndpVqG61+lHAAbZg+JcVYGPX3
+ Fw0jYigN4G+P0+VUCqPLkC4yfJylzuefyGfk
+ TUmriM3ihfXxIg== )
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160302125715 31323 example.com.
+ mZiLLTzbdaj7EJ8uj3TwvcvAfaMxYjyavlGT
+ qpa+cElfvBDm7R6MF4MaEQ9aZ2ylMt1lppjq
+ YyYRaaQC6yhm4g== )
+ 0 NSEC3PARAM 1 0 10 -
+ 0 RRSIG NSEC3PARAM 7 2 0 (
+ 20840201000000 20160302125715 29600 example.com.
+ K3PkVYZZV8QvZFtDsz9+ZfiM9wDkFu/eO2S5
+ tAtCXd1fktcW44TLWL0qADfFEEcMotvzLqv1
+ YJrD7TvrFDot8Q== )
+
+
+
+dns1.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160302125715 29600 example.com.
+ vlzRtVFa44pRtdD8XZcgDa6021uA9A3TnNEw
+ 5jRnor4aoftUuVQNAanQMCgrWk63d14XZ2d0
+ lqhxunAbh08dsQ== )
+
+www.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160302125715 29600 example.com.
+ NWFuYaSEg3z3K4l/fHu/X9dK+rDZ177BbCNN
+ ZeFTPCAdOnX0nw1CQys629k7Vzdv1pHaanmy
+ 0Ru0tX9R65NlKw== )
+
+
diff --git a/tests/knot/semantic_check_data/missing.signed b/tests/knot/semantic_check_data/missing.signed
new file mode 100644
index 0000000..75c7d22
--- /dev/null
+++ b/tests/knot/semantic_check_data/missing.signed
@@ -0,0 +1,20 @@
+;; Zone dump (Knot DNS 2.5.0-dev)
+example.com. 3600 SOA dns1.example.com. hostmaster.example.com. 1081539379 3600 300 3600000 3600
+example.com. 3600 NS dns1.example.com.
+example.com. 3600 DNSKEY 256 3 7 AwEAAaBgc4O+4UWd7mzSyelnPb/le/x0q/E90B/xnlf56kgEFMvEGz++o6CMRXr5JfgyxDDsahxTwFoWu30KJry4MjgcwlETM63DFpIYtyDBsi8TlQFEp5NDrlYUWlPGiPfywZBVkHGFMcFct+5/ZalTzYIP39tDytZcPZ/IgQRQZA9qeHYIw51YX9IlNMalHFCtJyrpzCdo22FY/vwBwSbdCa+vzkH1Uu8JkIqyAvAGkuwVisgpMpzWhvJNi5WSAnQfwOcsYCftINAHdRXtuqyG+uU/RDcZ2psx+woi+mYzEPeYV9MEqWpDyIz7jS7e1hK/1o05+qY8Eu2gt4enRj9BQr0=
+example.com. 3600 DNSKEY 256 3 7 AwEAAfcfJSUnim+cR3YEc4VfdJ5W65GNlK0LQaAh6vAejH7uol8VYmXdlyz+wlhad+DyRM5Jl+XJVFMMyFUqWx+Q63DPRtl+TlN/2pWU2gsNHUoovFhFpdX1cQMVoxr2QLgsm1ASTeqvZV8Dn0xAlNRihNv877sTySjveaH0JpuVCMpe5DB1zVbAzLgDqFKAvwJCumdycp7RzMi9PqS1XtsEInKi+X/zZteTJbDO7l+tFt9/NgFxiaLgNo8Gz2oVBTQvAbjCDEi2mPA/YJrpOGZWNkB2L9HFSfzZih8BbgUI3Fh4lhS8XCVrfVV7K9YR2F5NBVi7h0Mk15hzNsSS7tRK1FM=
+example.com. 3600 DNSKEY 257 3 7 AwEAAcjdwuJkjM8G5rk967z1cJqF88BqpvN2GN/6Tj1XA5AbIx+33qy5JI6K43ehlT/neLizOCk/JyXaw8gcjQaDKcIy0vKysXvI6yK4PNgHTdzQunBqGTfvPDlXKCle550R/DJF2OZH/T7jgX2GhQlem6UB3A23n24YP50IzAmXK9RYdE/dMFXU5jEz+CjcHNkB8ZCb2VrKE9RDjY88vr6lyM2kPbvBtx4UaUSEzwlDMRc3Wf+dBWKm6mKWAPsHZM/cux+S2mca/cxEA1ngCgBBbm7824WjTXgDs14QWuwruMTqLPDujUYND5kbsiuhQsfEFGVq2UyhGEZG/NoIEEg7qLc=
+dns1.example.com. 3600 AAAA 2001:db8::3
+;; DNSSEC signatures
+example.com. 3600 RRSIG NS 7 2 3600 20840201000000 20160302125715 7242 example.com. B/6k7YAQGkiz6IkssLZblExgMZBE+Flkhv/leVgvM4RLPPpQ2znouYyrSbVCcU5irA7PFLbee5Mn1aWj2S57L8yGJjHBuamQSIO0GcvGcmXi1CrdaYXSofo3PtnKpM8/mG3+8RCUL5YhoxhTK4Y5gJrYGPkRPKsBTw2Qd2TUJFebtYgCuGN8Q3UwbeYPw89rNbqC3a7zsGwJoZKgDnm3NwCWcv6NRTcQA/H5v6T0/QvYbZpBMrjl3EiAWOccdUlQnALngGSzbJ2GnmK933VXYhuAoSKEN6thauOBSLkdCh9afkUzo/t7xhTJszo0F1uuavs8PYf3HjmdnMwdPMkUuQ==
+example.com. 3600 RRSIG SOA 7 2 3600 20840201000000 20160302125715 7242 example.com. dHmPqRl9snHFavwkkAFZqHDmvUrI3+e+dmEexqgW9txr30fbrkeGAp6ApdZlqJiDTJ/2q0UoyQxSYe/BzgV4gEBgTTgfmC7m9eHVLTD70KMlNuvwC4jkh1vWT1Zn6IFUsQtJ+54XfRTe/2VHyeK7saqsA/ARRZGOzk6To8CWxNCApUdLZMQO9UTX7uVcXKkPvfMvlhx1fmn4OE8ntwbY1oPosQb987N8V8x9Rb2hINr4DCkXNDydDZAh4vsZO0DHPlmyfkyNguQDmdgnDz1CVbJzguy8tqeMGT7CrwU8AmX3JADQTHoxjnWEidLLUa/gNDRFcRc5YMcdZyImHqdNZQ==
+example.com. 3600 RRSIG NSEC 7 2 3600 20840201000000 20160302125715 7242 example.com. bjw2G/BwF2xTP/QSkKqdr7byUS+nqMvfppuhZmH0VcysAKN2oqsV51bn7gWej6dnx0svtX7nCOlwdDFSCMJld5BGZFnAfhS+XVc/wTeZGMi1BkeJxlT3UbGLhf2DuLLyL969HPltL527vSysjBEmi7OsTlH+wXD6SW35ZClajNSRLjxrRpVHTGpA5uyyysHRYNXAKS3+SSc1N/Fovjgzi68exWD0BKTGia7Nf9Fn+bqvhbYh+pMHA7djPFJIsER3OCBx7H1KMxl6rap7Q3rC0I289xnnsOqRh/GnzSVgvobKWozOOs9XXNg+w9ioSos+kbzTxxSEvLKqNBgCbLjUHg==
+example.com. 3600 RRSIG DNSKEY 7 2 3600 20840201000000 20160302125715 37855 example.com. EHXazcQ27b5Cjqd1T8TAui2PrUqEq7cBxk45OA8BfBDmOuH2vXFVL+juCM2gCvQ+0oZmcJmpkjMCxUqQekXgxRy21PlEzJfR3VHRDSYCSogR9cCLw9T9OiFXugZAtYcLVXVHddKu0+t5yeQqdStgLBiz9EmeuPFYd/h/BxKI8FGx/TjHNzd06SKgxlZAT/vCGhEswgSIpxJm4Ju561vT2/Hh+NmD4jIKVf0OUSkfRVRbxpzMs0HaZx6s0T2mcL8so/rEXjSIORkw56Q7x3EmYQDxNJjoNo4nHKT0/pciCey+vHj9pxxaiave8wLBG96JpgJgSV7BG8TTbE2q62wX1Q==
+dns1.example.com. 3600 RRSIG AAAA 7 3 3600 20840201000000 20160302125715 7242 example.com. h0oZ7ghuhANB27zD+M1m0NyVUHND7g2qI1IfEKDjMzZ34wyqM0xWLm/Izln86ol4naDvJU3a7hsJS/95DdvW/s711Oi2nKhX/Hkjvnzu8WVcf5DvEKYQe/fyZ676hnwviKqFzwmfTAKgIuSvt2uZzJkpcyL8ZE6O/GdPrcR6rTuuDI30F4zXIWPmuMNLR2qJv59DwM0tZScLdmRGKGnZNpdxDvtbCsZrXBUPrOE5XpAw+fe8+oL3UEeKQZq8qFhVvegl4TAuk1a8CS+zG4E1ABQKp86J1h0G4l/ajmWqq2T59lHsBAOuX0IbKHEHIJzwRd9EV7LM59EtJVacx8ZCkw==
+dns1.example.com. 3600 RRSIG NSEC 7 3 3600 20840201000000 20160302125715 7242 example.com. Pq6F6akEhyIqch7vwWJ5C53FW1UW/Y8vseFqB6tzql5bnIYjEwikgiWR85uvSUNGvsjHbadBYiVh2i68k80ws/2LecQCvguSH+rMkqqY9go+pBh3pdiNlJaJZp3zJQ6+E35xOA+p0G5t84Et3satJl3OcpVthrdBKuotpDg4P+nOpfLHkI3FO5vehxs71HmESQli5JllhPNMH6WZfWsP74D4DgRjUpIK9hGznCeuZxJT5+S5wL4fzqb+P20W30bsQqMbo9GNdPy5AdbwZoEKJVoN3HC/sv03ScQzWUxjamHCQOeZFys25fFlh7+JU1xYSb3V/fPhUUuf7OsBVvn7+g==
+mail.example.com. 7200 RRSIG NSEC 7 3 7200 20840201000000 20160302125715 19578 example.com. gjNXoKVddN+Z3MmHXxs0v4Gv/3zaTAg0mBSLkSp8Ion6qKj/aR2y50QhNfZGVEZSmyerDiaVpfPMN+q9mwx+6xmv4/G97DkadXBYt5IXGR1fXhMCF+RLJb5ePYjQKSk2TfRMJAlk1Mowfvlp8rXFrT576y2F+IXKbpiJOdRt/13Wo5IUbw6LLFDOeZ3fUiZtBmoWTTjBnrGWYdb+ePcSXID+qM5TmRXqIOFceJvt/RhGZ5LYAchgM2sZDf4Asacxg6Z6vS2cA1opTLMAIu+cuEmq61cSJxWHblfXIpPMXFG+4i+nkCxEFxWyxt9edlAeHS/l2AiHQl5QeuzwEjFI2g==
+;; DNSSEC NSEC chain
+example.com. 3600 NSEC dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+dns1.example.com. 3600 NSEC example.com. AAAA RRSIG NSEC
+;; Written 14 records
+;; Time 2017-03-31 15:38:20 CEST
diff --git a/tests/knot/semantic_check_data/no_error_delegation_bitmap.signed b/tests/knot/semantic_check_data/no_error_delegation_bitmap.signed
new file mode 100644
index 0000000..abbf088
--- /dev/null
+++ b/tests/knot/semantic_check_data/no_error_delegation_bitmap.signed
@@ -0,0 +1,61 @@
+; Zone without any semantic error
+
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 RRSIG SOA 13 2 3600 (
+ 20601231235959 20201008173446 32411 example.com.
+ /R/djqaZWRo1zCmz7B58/93D8ZxJoZAAKEbH
+ xuCsAJ5dm2ubvtgvqmhNXMqdVBvpb2OPdBX8
+ VF1j9RsjuE7ORQ== )
+ 3600 NS dns1.example.com.
+ 3600 RRSIG NS 13 2 3600 (
+ 20601231235959 20201008173446 32411 example.com.
+ AmyqpqMfMEztA9S1Urv6yEtKd5yc6kkSedRU
+ uLp7velyCkipFzWgpzRVDqn+wp2ZaHig0Fod
+ kryw3j4yHOLlHA== )
+ 86400 NSEC deleg.example.com. NS SOA RRSIG NSEC DNSKEY
+ 86400 RRSIG NSEC 13 2 86400 (
+ 20601231235959 20201008173446 32411 example.com.
+ 9tR3kL4pVEYsHzt888pbP0TtS/npeApAEUfZ
+ L5rXQE0WqBLQGtyEPYxujFuaruvxH0SgLl6r
+ n6MKCEB07DjhTA== )
+ 3600 DNSKEY 256 3 13 (
+ C7v6eelCoXgBoUjHe/gKdsnWNw04GH7PpYMo
+ 2hF5jaeq1zkLSXkF2xS/04MgBTFFYuDU+LGt
+ 8kMKNc8o2wH2jQ==
+ ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 32411
+ 3600 DNSKEY 257 3 13 (
+ m6KdGBizfDaUhcW+nIHuRdufZFcSYlZ5Xoky
+ +GcH23OxZtPzPwKwpg5rTx+RCRPlVpmwyiW3
+ aC69n0Q8mr8NpA==
+ ) ; KSK; alg = ECDSAP256SHA256 ; key id = 60051
+ 3600 RRSIG DNSKEY 13 2 3600 (
+ 20601231235959 20201008173446 60051 example.com.
+ SD4149dui/vuky4G6wiJQLUw5b8XpG+Cy/cf
+ +9CSbuKWHRcC1K0wVEw6xyEah6eD/7Sh0eFA
+ EECgej5etJbL3A== )
+deleg.example.com. 3600 IN NS deleg.example.com.
+ 3600 A 192.0.2.1
+ 86400 NSEC dns1.example.com. NS RRSIG NSEC
+ 86400 RRSIG NSEC 13 3 86400 (
+ 20601231235959 20201008173446 32411 example.com.
+ HFA1XBdjaUvb8lbyhXVDYxTUn8Nr2HNC5ktc
+ kPBW2AGMQiVUtyR3vPxUIiusxsQn+uyRL2QC
+ NBG3ANo5exT8ug== )
+dns1.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 13 3 3600 (
+ 20601231235959 20201008173446 32411 example.com.
+ 4NLhmO0Sa3yk1ZikWSRYEX0FpHK0NkTGk++h
+ RHJO3E9M6Og1am/PiPf67DAe/2n4ANItC/SH
+ u/1WSvYQV7OZqg== )
+ 86400 NSEC example.com. A RRSIG NSEC
+ 86400 RRSIG NSEC 13 3 86400 (
+ 20601231235959 20201008173446 32411 example.com.
+ pQgr7WzGpL8gbbAcbeYEIYBLq8lCAuE9NaUf
+ itYKBFh7Cbg4YrLOoeAV6v6V4tfZPpmNpd2U
+ 9VUrY9es4QfX6Q== )
diff --git a/tests/knot/semantic_check_data/no_error_nsec3_optout.signed b/tests/knot/semantic_check_data/no_error_nsec3_optout.signed
new file mode 100644
index 0000000..a03f4ea
--- /dev/null
+++ b/tests/knot/semantic_check_data/no_error_nsec3_optout.signed
@@ -0,0 +1,29 @@
+; Zone without any semantic error
+
+;; Zone dump (Knot DNS 3.1.dev.1612270066.d215637a6)
+example.com. 3600 SOA dns1.example.com. hostmaster.example.com. 2010111222 21600 3600 604800 86400
+example.com. 3600 NS dns1.example.com.
+example.com. 0 CDNSKEY 257 3 13 Yk8KOmyVzOij3x+Zs+eT4J2Up9+ipwXEKOhL9fTYY/DU10yIQt+zYm02UFZJX2oVTdHBCajpBFsZLH2X4ho1yw==
+example.com. 0 CDS 25674 13 2 2EC05563A3537BD32EA3EB92C44794C644F249EE440785CF28207B903E35322D
+example.com. 3600 DNSKEY 256 3 13 tCoteOM+A4o/A9uxgLyDg3HOg2DClU+3d+1XPQRtTfuaEFOGIpyH6qiFUv2b4DYuvmMyTkL99nxvyhA8yo0Cgg==
+example.com. 3600 DNSKEY 257 3 13 Yk8KOmyVzOij3x+Zs+eT4J2Up9+ipwXEKOhL9fTYY/DU10yIQt+zYm02UFZJX2oVTdHBCajpBFsZLH2X4ho1yw==
+example.com. 0 NSEC3PARAM 1 0 10 151E9F1094FE188F
+deleg.example.com. 3600 NS deleg.example.com.
+deleg.example.com. 3600 A 192.0.2.1
+dns1.example.com. 3600 A 192.0.2.1
+;; DNSSEC signatures
+example.com. 3600 RRSIG NS 13 2 3600 20400406110811 20210205093811 61806 example.com. VD3IclxLUSi1tgv4+FJ+9e3EWiRny6de1y4jUFn1Ama8+Cl2vZO2Jc34Q9MKY/S9m4id7Xe8MtkkrKThQcaaXw==
+example.com. 3600 RRSIG SOA 13 2 3600 20400406110811 20210205093811 61806 example.com. BniH53lEM1hYGcorTmqF7At3+neZkifPT1sM15nGlQUQ6RfkPxh7Uy8Pj3PxLL5v7WDTyFGbLVThEFWZUh/h6w==
+example.com. 3600 RRSIG DNSKEY 13 2 3600 20400406110811 20210205093811 25674 example.com. 3FSDEJ9f54++FX/EHWXXnbHW8iJPaDG4kc7qf772y62dtqTfAvb22lq2yKzCOaRFFwpPKEdcS4OEkhx0IbC27w==
+example.com. 0 RRSIG NSEC3PARAM 13 2 0 20400406110811 20210205093811 61806 example.com. BTT+7Gj8V2pATxogxJ8xEO5eiVHoVIDxdK60zDS3MWNcbUc/n9vJR8NrCECel9egQUWrejawikO4DkyQxLZpkw==
+example.com. 0 RRSIG CDS 13 2 0 20400406110811 20210205093811 25674 example.com. h43kZiM1EFETWQEtMM8Xls/RFDsAkLIpLf+DUnJ+zzxv37xpGvtf/s//3ew9qEhouBnGh/1FWtNr8vjhzh0tsg==
+example.com. 0 RRSIG CDNSKEY 13 2 0 20400406110811 20210205093811 25674 example.com. 4mf7C/zyWoFRllUEaLHpdxJdlbEQXIRKNH6JOH3sTKSQMGj1SMmkWm9qlO9tVaUm1ggB6r8TPWgrAUBG+4A9gQ==
+dns1.example.com. 3600 RRSIG A 13 3 3600 20400406110811 20210205093811 61806 example.com. lMj63MgZYiCl6Fdf0Q5C4/K99AAXTqCI9HSBQcrc7qiZDjRpZXzBUO8yv7+5JSMIo/A3tJtQL/12VFPGZ9NQ5w==
+;; DNSSEC NSEC3 chain
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600 NSEC3 1 1 10 151E9F1094FE188F rvcd9h11kcnenarqcmtmrhusdmb24rm4 NS SOA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY
+rvcd9h11kcnenarqcmtmrhusdmb24rm4.example.com. 3600 NSEC3 1 1 10 151E9F1094FE188F ple28jlp3q5anh045ssk9f3u7ltd4qlc A RRSIG
+;; DNSSEC NSEC3 signatures
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600 RRSIG NSEC3 13 3 3600 20400406110811 20210205093811 61806 example.com. 7AdxaQLQ16ORwtf3t9lNQrzOP1BKu0TOIiKfx8/7o0JKoVtDYjqTC+ilWSD/Mbfb6PI6ND3NQKsIbnApOa2SUA==
+rvcd9h11kcnenarqcmtmrhusdmb24rm4.example.com. 3600 RRSIG NSEC3 13 3 3600 20400406110811 20210205093811 61806 example.com. bOUzqzuIhV/SPyXiFOgsJbnS77dijFWcLDY/0X3r9aNiAo3/vSE4OTT0f6CkcBQDka+LjIoRaE7NIaTMl24fdg==
+;; Written 21 records
+;; Time 2021-02-05 12:08:11 CET
diff --git a/tests/knot/semantic_check_data/no_rrsig.signed b/tests/knot/semantic_check_data/no_rrsig.signed
new file mode 100644
index 0000000..6a3161b
--- /dev/null
+++ b/tests/knot/semantic_check_data/no_rrsig.signed
@@ -0,0 +1,48 @@
+dns1.example.com. 3600 IN A 192.0.2.1
+ 86400 NSEC example.com. A NSEC
+; missing RRSIGs
+
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 RRSIG SOA 7 2 3600 (
+ 20840201000000 20160224081310 29600 example.com.
+ ieEKhIV69ywg+YFSqdz0t17eE+PLl1eR4kpv
+ Mq6Q6TfjC7V5/PcFW6KRoP50RFp4m4cD0E7T
+ GpmpnPF++QV1Vw== )
+ 3600 NS dns1.example.com.
+ 3600 RRSIG NS 7 2 3600 (
+ 20840201000000 20160224081310 29600 example.com.
+ kYbAbCGzyWPBEfc0TH1calUiKsZi12MH3TNV
+ 7vtjOvIYEqeNmuJkrw899a7nOPNoahB6h7o/
+ DXuRlFqYYCC16Q== )
+ 86400 NSEC dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+ 86400 RRSIG NSEC 7 2 86400 (
+ 20840201000000 20160224081310 29600 example.com.
+ PchT9RWRkLCMxWAQ3ut6LZlh4MYT4CkAPThQ
+ cnIn0ORi/fVgGzlifQ88xfEdEr1ZoXk9PlhT
+ 5b+wocBOl2HhGg== )
+ 3600 DNSKEY 256 3 7 (
+ AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+ oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+ MFwieWYfDdgUnPxyKMM=
+ ) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+ 3600 DNSKEY 257 3 7 (
+ AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+ exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+ JH9YXitS21LMD0Hqp1s=
+ ) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160224081310 29600 example.com.
+ JLcSyR8KgSicUou0c7Zs7Ol1DYiaQ8Lfyort
+ 8a+5OP3em3r3NH1nJkiVfs8+xdvUcGlGkbib
+ RKlfRWiIcOEalQ== )
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160224081310 31323 example.com.
+ EQMX5DPXhwa+blMRkzl+swUW3BtzpGJ5tGEU
+ hkH7bJfM51gIAO5qnUO/mMPnEA8b4dc20nnZ
+ 8j8lETDjqBLgDQ== )
diff --git a/tests/knot/semantic_check_data/no_rrsig_with_delegation.signed b/tests/knot/semantic_check_data/no_rrsig_with_delegation.signed
new file mode 100644
index 0000000..2c36b9b
--- /dev/null
+++ b/tests/knot/semantic_check_data/no_rrsig_with_delegation.signed
@@ -0,0 +1,61 @@
+ns.deleg.example.com. 3600 IN A 192.168.0.2
+deleg.example.com. 3600 IN NS ns.deleg.example.com.
+ 86400 NSEC dns1.example.com. NS NSEC
+; missing RRSIG for NSEC record
+
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 RRSIG SOA 7 2 3600 (
+ 20840201000000 20160224081610 29600 example.com.
+ HhnlCtlIaZFVklpzVUnzm6AzFd65CSc4WCJL
+ f2o7Gkevu+HTnkiPN6gqtERC/BKJz1EKd2fC
+ KDyLxXw6KeTRAw== )
+ 3600 NS dns1.example.com.
+ 3600 RRSIG NS 7 2 3600 (
+ 20840201000000 20160224081610 29600 example.com.
+ rcHuZd9wTYykzis+9Z8uyqD8V9h22szf2bmE
+ GYNyJBlHZO0sOmys31xnvDfQ9sdk9hf1TUfB
+ 9ACGIF5lDHBEog== )
+ 86400 NSEC deleg.example.com. NS SOA RRSIG NSEC DNSKEY
+ 86400 RRSIG NSEC 7 2 86400 (
+ 20840201000000 20160224081610 29600 example.com.
+ YGSe1OINjOY3I8BY1EoxcOJsDZ/DjGCT5nqY
+ J6BBjTcbT5S1W61SN50xc2sGB4Q8F2KTotAe
+ arzn4DGDt9mOMw== )
+ 3600 DNSKEY 256 3 7 (
+ AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+ oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+ MFwieWYfDdgUnPxyKMM=
+ ) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+ 3600 DNSKEY 257 3 7 (
+ AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+ exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+ JH9YXitS21LMD0Hqp1s=
+ ) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160224081610 29600 example.com.
+ rdmqHOUXqhwrJusNt/7FTV+AtO/v6Md3LXzj
+ /QzR/pCADNC6ZA+FvqaOycnUxoryKk7PY3pM
+ 5ispCMuEx/1OGA== )
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160224081610 31323 example.com.
+ jELyXsaJx+G4heZJ96dyE12hSyTNFazwWDkq
+ 1Mkja9/bTTdYAd+t8fhf/c35bUiTVJWMivJe
+ +YcCwqGf2U+2zw== )
+dns1.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160224081610 29600 example.com.
+ ln2xuvghOWBDOfyk19Wwtv3oc8+1go3WQuMf
+ vel5x/uHVx6voNA25cpFIQ6nPlCo8pmd5R3w
+ paMxgoQtBkzBcA== )
+ 86400 NSEC example.com. A RRSIG NSEC
+ 86400 RRSIG NSEC 7 3 86400 (
+ 20840201000000 20160224081610 29600 example.com.
+ EEKcIegUeyn/1FIgxHV+gSX3b/ygQPAcjD8g
+ aCt1yiO0B1xmVm09RJNxzCLaTKxQENhxIoUZ
+ 2l7250pBQnrlAQ== )
diff --git a/tests/knot/semantic_check_data/ns_apex.missing b/tests/knot/semantic_check_data/ns_apex.missing
new file mode 100644
index 0000000..fd7b7be
--- /dev/null
+++ b/tests/knot/semantic_check_data/ns_apex.missing
@@ -0,0 +1,11 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@ IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111214 ; serial
+ 6h ; refresh
+ 1h ; retry
+ 1w ; expire
+ 1d ) ; minimum
+
+; missing NS in apex
diff --git a/tests/knot/semantic_check_data/nsec3_chain_01.signed b/tests/knot/semantic_check_data/nsec3_chain_01.signed
new file mode 100644
index 0000000..cd90b9f
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec3_chain_01.signed
@@ -0,0 +1,80 @@
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 IN NSEC3 1 0 10 - (
+ MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938
+ A RRSIG )
+MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938.example.com. 86400 IN NSEC3 1 0 10 - (
+ 20G1GOL477RO51RK9A9NFD54TFQAL7IQ ; wrong next record
+ NS )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 IN NSEC3 1 0 10 - (
+ 20G1GOL477RO51RK9A9NFD54TFQAL7IQ
+ NS SOA RRSIG DNSKEY NSEC3PARAM )
+; RRSIGs for NSEC3s
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160229140652 29600 example.com.
+ PjEM7Bxxb7w67366fKCLkR9BVFAL0RI8RJCZ
+ 5aqoMVuy+ui7MLKxKT2LfeTHgBw1Cww1bbJw
+ Ip2zu0/ZGPfKzA== )
+MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938.example.com. 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160229140652 29600 example.com.
+ DUMMYDUMMYDUMMYgc7Jx/FgAlruRjwsS/YJa
+ sZRspDGZhSqK2daV5K0lmK+XL8BoOtp7aXtq
+ VER5XcWLOebCdw== )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160229140652 29600 example.com.
+ XsJa0IUE2ddTohJmiuNVd/Po1ZOK0PDCuU7/
+ CS0/wiZ5ZlxPdVUAYXuC7HhGH+ZPsqwZ4oUU
+ ToDbFqfdzmC1XQ== )
+
+; other zone data without error
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 RRSIG SOA 7 2 3600 (
+ 20840201000000 20160229140652 29600 example.com.
+ u5QMvOSkZBUM5tLiEAq3A+x4Ha17ZsNUYqeI
+ SuYA1+NbaBDxAtT6scB9aeA4lOTQ0TZvpGFE
+ YF/XxGtqvwdZ8g== )
+ 3600 NS dns1.example.com.
+ 3600 RRSIG NS 7 2 3600 (
+ 20840201000000 20160229140652 29600 example.com.
+ ELZOh4iS9DpAafa8NTaI/eNL3Qwy+lsmgrzF
+ 7jaoR5yOURl/RZSJY+m9Peaq4ALcROdGJ0O4
+ miSpdTIZsBSGZg== )
+ 3600 DNSKEY 256 3 7 (
+ AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+ oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+ MFwieWYfDdgUnPxyKMM=
+ ) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+ 3600 DNSKEY 257 3 7 (
+ AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+ exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+ JH9YXitS21LMD0Hqp1s=
+ ) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160229140652 29600 example.com.
+ sjxCP/grgOR+4vmXw7HU/hGSx5dS5QxM00IA
+ gZNJ6Lqf+4OSL3TEa1/qqRSFTl5uv3rqh5W4
+ 8p2JoT1ZkcJj6w== )
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160229140652 31323 example.com.
+ jrH48r1iPFRfbyIZWcARQrejVgrE9v8qqt4R
+ uPHjz5t7PYmZYH544SI9HtaWGkIJ9jzlxr5l
+ ikCWo1we50y9Lg== )
+ 0 NSEC3PARAM 1 0 10 -
+ 0 RRSIG NSEC3PARAM 7 2 0 (
+ 20840201000000 20160229140652 29600 example.com.
+ yIXzhQw8c/c/in+doXX5JmqoGiqoYD2Hhw6d
+ /aGXc5QLQqxyATXln02vkwt1d7DK/ha1vkfx
+ bvGdduXDQ7YZ+g== )
+deleg.example.com. 3600 IN NS deleg.example.com.
+ 3600 A 192.0.2.1
+
+dns1.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160229140652 29600 example.com.
+ aMRzV/1+m9wQHWezSiwkmDEbnS85wB9dA5x/
+ u2P7NPsgwMnRdfpVIMfaVhSJH88i5OlLTvL1
+ sSK+RADpuoqnLA== )
diff --git a/tests/knot/semantic_check_data/nsec3_chain_02.signed b/tests/knot/semantic_check_data/nsec3_chain_02.signed
new file mode 100644
index 0000000..ca70cfa
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec3_chain_02.signed
@@ -0,0 +1,94 @@
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 IN NSEC3 1 0 10 - (
+ 6DFJITU5VML86QNKU9FO2LJDDQQTQPVT
+ A RRSIG )
+6DFJITU5VML86QNKU9FO2LJDDQQTQPVT.example.com. 86400 IN NSEC3 1 0 10 - (
+ 20G1GOL477RO51RK9A9NFD54TFQAL7IQ ; wrong next
+ A RRSIG )
+MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938.example.com. 86400 IN NSEC3 1 0 10 - (
+ UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A
+ NS )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 IN NSEC3 1 0 10 - (
+ MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938 ; wrong next
+ NS SOA RRSIG DNSKEY NSEC3PARAM )
+
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160302125715 29600 example.com.
+ oErbN3Xw+0zAqkz5KC5nOsINblBc4ey0Qcln
+ uquQZT+z2HIdCE9HeslAkTlu/Xt78vF4+3db
+ t2Vno21DkteA+w== )
+6DFJITU5VML86QNKU9FO2LJDDQQTQPVT.example.com. 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160302125715 29600 example.com.
+ DummySignatureDummySignature+Z8rLBA9
+ KkCDm1y82x5T/Cu5UXuZJwhvDGDzwPqoY5Dr
+ Qbiek52n6umbEw== )
+MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938.example.com. 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160302125715 29600 example.com.
+ ep1TVqEISn2ZOiBtizK2eyuuhsYyD37X9Bw2
+ 9JOkecZnmzCwBqfMCBvRYmNRpMd512+ZnW/I
+ 1vIViE7CGwkHyA== )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160302125715 29600 example.com.
+ DummySignatureDummySginature6IqpQS6Q
+ jtTNuStA+5gk98dvcgRjluxqo/+ZlZz4V53f
+ 1y506ytGbX/q4Q== )
+
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 RRSIG SOA 7 2 3600 (
+ 20840201000000 20160302125715 29600 example.com.
+ bGk1vLxVuJpcEy7n0gPvQVzfanbvINLJLcbD
+ eeie4sXZZAOwu6oQZy6kd8tvKtV4mL0OJzpH
+ XCO6BdZkmk/aQA== )
+ 3600 NS dns1.example.com.
+ 3600 RRSIG NS 7 2 3600 (
+ 20840201000000 20160302125715 29600 example.com.
+ roe4aBp4G3TqQ4x5eRxbVIjApIh17gXDjfOY
+ zvRFLOkrwqKz3eX9WrRiCk3bYNn8s1fuenaQ
+ OSV1D5SL7utX5w== )
+ 3600 DNSKEY 256 3 7 (
+ AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+ oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+ MFwieWYfDdgUnPxyKMM=
+ ) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+ 3600 DNSKEY 257 3 7 (
+ AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+ exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+ JH9YXitS21LMD0Hqp1s=
+ ) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160302125715 29600 example.com.
+ c1yhXb8wRGYndpVqG61+lHAAbZg+JcVYGPX3
+ Fw0jYigN4G+P0+VUCqPLkC4yfJylzuefyGfk
+ TUmriM3ihfXxIg== )
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160302125715 31323 example.com.
+ mZiLLTzbdaj7EJ8uj3TwvcvAfaMxYjyavlGT
+ qpa+cElfvBDm7R6MF4MaEQ9aZ2ylMt1lppjq
+ YyYRaaQC6yhm4g== )
+ 0 NSEC3PARAM 1 0 10 -
+ 0 RRSIG NSEC3PARAM 7 2 0 (
+ 20840201000000 20160302125715 29600 example.com.
+ K3PkVYZZV8QvZFtDsz9+ZfiM9wDkFu/eO2S5
+ tAtCXd1fktcW44TLWL0qADfFEEcMotvzLqv1
+ YJrD7TvrFDot8Q== )
+deleg.example.com. 3600 IN NS deleg.example.com.
+ 3600 A 192.0.2.1
+
+dns1.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160302125715 29600 example.com.
+ vlzRtVFa44pRtdD8XZcgDa6021uA9A3TnNEw
+ 5jRnor4aoftUuVQNAanQMCgrWk63d14XZ2d0
+ lqhxunAbh08dsQ== )
+
+www.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160302125715 29600 example.com.
+ NWFuYaSEg3z3K4l/fHu/X9dK+rDZ177BbCNN
+ ZeFTPCAdOnX0nw1CQys629k7Vzdv1pHaanmy
+ 0Ru0tX9R65NlKw== )
diff --git a/tests/knot/semantic_check_data/nsec3_chain_03.signed b/tests/knot/semantic_check_data/nsec3_chain_03.signed
new file mode 100644
index 0000000..80112f8
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec3_chain_03.signed
@@ -0,0 +1,94 @@
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 IN NSEC3 1 0 10 - (
+ UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A ; wrong next
+ A RRSIG )
+6DFJITU5VML86QNKU9FO2LJDDQQTQPVT.example.com. 86400 IN NSEC3 1 0 10 - (
+ MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938
+ A RRSIG )
+MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938.example.com. 86400 IN NSEC3 1 0 10 - (
+ 6DFJITU5VML86QNKU9FO2LJDDQQTQPVT ; wrong next
+ NS )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 IN NSEC3 1 0 10 - (
+ 20G1GOL477RO51RK9A9NFD54TFQAL7IQ
+ NS SOA RRSIG DNSKEY NSEC3PARAM )
+
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160302125715 29600 example.com.
+ DummySignatureDummySignature4ey0Qcln
+ uquQZT+z2HIdCE9HeslAkTlu/Xt78vF4+3db
+ t2Vno21DkteA+w== )
+6DFJITU5VML86QNKU9FO2LJDDQQTQPVT.example.com. 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160302125715 29600 example.com.
+ KElp8dLKBKFzgEFV8r5aP9pCyYUD+Z8rLBA9
+ KkCDm1y82x5T/Cu5UXuZJwhvDGDzwPqoY5Dr
+ Qbiek52n6umbEw== )
+MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938.example.com. 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160302125715 29600 example.com.
+ DummySignatureDummySignatureD37X9Bw2
+ 9JOkecZnmzCwBqfMCBvRYmNRpMd512+ZnW/I
+ 1vIViE7CGwkHyA== )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160302125715 29600 example.com.
+ DPwNyH7r/4wIBfTGxikNv4pY7omY6IqpQS6Q
+ jtTNuStA+5gk98dvcgRjluxqo/+ZlZz4V53f
+ 1y506ytGbX/q4Q== )
+
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 RRSIG SOA 7 2 3600 (
+ 20840201000000 20160302125715 29600 example.com.
+ bGk1vLxVuJpcEy7n0gPvQVzfanbvINLJLcbD
+ eeie4sXZZAOwu6oQZy6kd8tvKtV4mL0OJzpH
+ XCO6BdZkmk/aQA== )
+ 3600 NS dns1.example.com.
+ 3600 RRSIG NS 7 2 3600 (
+ 20840201000000 20160302125715 29600 example.com.
+ roe4aBp4G3TqQ4x5eRxbVIjApIh17gXDjfOY
+ zvRFLOkrwqKz3eX9WrRiCk3bYNn8s1fuenaQ
+ OSV1D5SL7utX5w== )
+ 3600 DNSKEY 256 3 7 (
+ AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+ oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+ MFwieWYfDdgUnPxyKMM=
+ ) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+ 3600 DNSKEY 257 3 7 (
+ AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+ exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+ JH9YXitS21LMD0Hqp1s=
+ ) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160302125715 29600 example.com.
+ c1yhXb8wRGYndpVqG61+lHAAbZg+JcVYGPX3
+ Fw0jYigN4G+P0+VUCqPLkC4yfJylzuefyGfk
+ TUmriM3ihfXxIg== )
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160302125715 31323 example.com.
+ mZiLLTzbdaj7EJ8uj3TwvcvAfaMxYjyavlGT
+ qpa+cElfvBDm7R6MF4MaEQ9aZ2ylMt1lppjq
+ YyYRaaQC6yhm4g== )
+ 0 NSEC3PARAM 1 0 10 -
+ 0 RRSIG NSEC3PARAM 7 2 0 (
+ 20840201000000 20160302125715 29600 example.com.
+ K3PkVYZZV8QvZFtDsz9+ZfiM9wDkFu/eO2S5
+ tAtCXd1fktcW44TLWL0qADfFEEcMotvzLqv1
+ YJrD7TvrFDot8Q== )
+deleg.example.com. 3600 IN NS deleg.example.com.
+ 3600 A 192.0.2.1
+
+dns1.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160302125715 29600 example.com.
+ vlzRtVFa44pRtdD8XZcgDa6021uA9A3TnNEw
+ 5jRnor4aoftUuVQNAanQMCgrWk63d14XZ2d0
+ lqhxunAbh08dsQ== )
+
+www.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160302125715 29600 example.com.
+ NWFuYaSEg3z3K4l/fHu/X9dK+rDZ177BbCNN
+ ZeFTPCAdOnX0nw1CQys629k7Vzdv1pHaanmy
+ 0Ru0tX9R65NlKw== )
diff --git a/tests/knot/semantic_check_data/nsec3_ds.signed b/tests/knot/semantic_check_data/nsec3_ds.signed
new file mode 100644
index 0000000..ad5da7c
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec3_ds.signed
@@ -0,0 +1,57 @@
+
+
+deleg.example.com. 3600 IN NS deleg.example.com.
+ 3600 A 192.0.2.1
+ 3600 IN DS 60485 5 2 ( 4EFB4310DB01A42E7882E102
+ 7A73CC28E2E0FE938F2D5888
+ A0DA0005B99E7FF8 )
+deleg.example.com. 3600 IN RRSIG DS 7 3 3600 (
+ 20840201000000 20160302125715 29600 example.com.
+ DummySignatureDummySignature4ey0Qcln
+ uquQZT+z2HIdCE9HeslAkTlu/Xt78vF4+3db
+ t2Vno21DkteA+w== )
+
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 3600 IN NSEC3 1 0 10 - (
+ 6DFJITU5VML86QNKU9FO2LJDDQQTQPVT
+ A RRSIG )
+6DFJITU5VML86QNKU9FO2LJDDQQTQPVT.example.com. 3600 IN NSEC3 1 1 10 - (
+ UI312KQOP1NG8IQEIEFNPSLA94KB5Q92
+ A RRSIG )
+UI312KQOP1NG8IQEIEFNPSLA94KB5Q92.example.com. 3600 IN NSEC3 1 0 10 - (
+ UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A
+ A RRSIG)
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 3600 IN NSEC3 1 0 10 - (
+ 20G1GOL477RO51RK9A9NFD54TFQAL7IQ
+ NS SOA RRSIG DNSKEY NSEC3PARAM )
+
+20g1gol477ro51rk9a9nfd54tfqal7iq.example.com. 3600 RRSIG NSEC3 13 3 3600 20400406101515 20210205084515 61806 example.com. k2hYD9qbLM8cRuN1fcLar/GsSufK/5oQYxRnE9bUDiKvC1WhCDF3pee6MSqybb3LoNkQUeOgGV4jdzvslzDlhQ==
+6dfjitu5vml86qnku9fo2ljddqqtqpvt.example.com. 3600 RRSIG NSEC3 13 3 3600 20400406101515 20210205084515 61806 example.com. fGQRezo0T9Hd1tGJqhCXPyLONKSxOPmX1Kl7MjD1OVDLg9l5Ei9DmhrpCFxahXMBGIA4yy1J7mSK3PqelPMyFw==
+ui312kqop1ng8iqeiefnpsla94kb5q92.example.com. 3600 RRSIG NSEC3 13 3 3600 20400406101515 20210205084515 61806 example.com. 6AmfjUgzO4Ew9FmW6koVhQ+98Vd7xI7kpFXwj8wb4ObmuM8uFu6tpvcT/jDcUduFuUb//DS5fS9fXraLNL8JUQ==
+utqvuhu2blk3dhmrr5t1hd9vteohqt0a.example.com. 3600 RRSIG NSEC3 13 3 3600 20400406101515 20210205084515 61806 example.com. WMvFzIf9Ekvr0UVRzbZpxUAjT2Sf2KgsXek6iG786Iw6nZ/rzPVNlfNLhWvdqQmi5LEDp03UExshDlPz3JgOkQ==
+
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 NS dns1.example.com.
+ 0 NSEC3PARAM 1 0 10 -
+dns1.example.com. 3600 IN A 192.0.2.1
+www.example.com. 3600 IN A 192.0.2.1
+
+example.com. 3600 DNSKEY 257 3 13 Yk8KOmyVzOij3x+Zs+eT4J2Up9+ipwXEKOhL9fTYY/DU10yIQt+zYm02UFZJX2oVTdHBCajpBFsZLH2X4ho1yw==
+example.com. 3600 DNSKEY 256 3 13 tCoteOM+A4o/A9uxgLyDg3HOg2DClU+3d+1XPQRtTfuaEFOGIpyH6qiFUv2b4DYuvmMyTkL99nxvyhA8yo0Cgg==
+example.com. 3600 RRSIG DNSKEY 13 2 3600 20400405162736 20210204145736 25674 example.com. 5nIsRsT30KNhPS/i8rNhT/C3uPli0jb+7fLYL+eHKggTHk5UK69Z5EHA/ISKnbEOMIQA3QJ98XNreLJk+sTZ4w==
+
+example.com. 3600 RRSIG NS 13 2 3600 20400405162736 20210204145736 61806 example.com. nzKbYNX9cbrf3zNMSRK4ftG/p4DLn/uB3BM29txIj0nyKxL1cmK0wsTltGmwLzJTegBy/LV1VtMudDLWEFU3sQ==
+example.com. 3600 RRSIG SOA 13 2 3600 20400405162736 20210204145736 61806 example.com. HvtxfzCSLHjFSHuAyO+KKymy/vxOGLS8T1DuhfAoUtweHv1zVeYfbFOfCdcfs15PKO31ldqwWRvFWAhM+3hnrA==
+example.com. 0 RRSIG NSEC3PARAM 13 2 0 20400405162736 20210204145736 61806 example.com. 8uDKYTVd+XuYFyzf/aNm6kMjZhbI8r+22v1AuuYYqgP5aH6/ZFXusczSGkPdcauVIgKLV1I7dBBQkQm2LNIqAA==
+deleg.example.com. 3600 RRSIG A 13 3 3600 20400405162736 20210204145736 61806 example.com. beD3O8cnCQ+8HWZpn35gFrR2tLkb9tGpe143BfUA0aOkAr2PdK9CUBs47uSyWAATYoa11gtxxdFUzW6coa7l/w==
+deleg.example.com. 3600 RRSIG NS 13 3 3600 20400405162736 20210204145736 61806 example.com. HJCAXBevueFA2BOP6eOnsbP1X+2VUQRGXRcYI2SDqqq4U2DQHWQMOfI+pKVpkfdc8D6qDYnFZSg6II/dDJQ0AQ==
+deleg.example.com. 3600 RRSIG DS 13 3 3600 20400405162736 20210204145736 61806 example.com. DhZsh6wiPACEUz7GY4WpvcIrMOF+sU27kJAGKaCcpxv9jQBY7Jpf/otRf+yn+Bmm32RZUr5swSXMXAvDtCj6qA==
+dns1.example.com. 3600 RRSIG A 13 3 3600 20400405162736 20210204145736 61806 example.com. z/pEp4EcGkmy+niefZRLgRo1LraBlJABdgpSo94cYEqJM3GBMHsPZeAKmqnMAYA5Nz0hQtTplqS3rsJHJJdQ7w==
+www.example.com. 3600 RRSIG A 13 3 3600 20400405162736 20210204145736 61806 example.com. FpOwodJYlk3NxEEjGvY75r8Ptef13P4Um9N74NxV1QWQlqtBhg+1bndvaY376uBFVDFGsEiDFEgIoFL0Ao+PeA==
+
+
diff --git a/tests/knot/semantic_check_data/nsec3_missing.signed b/tests/knot/semantic_check_data/nsec3_missing.signed
new file mode 100644
index 0000000..4974956
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec3_missing.signed
@@ -0,0 +1,120 @@
+
+; extra record without corresponding NSEC3
+extra.example.com. 3600 IN A 1.2.3.4
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160302125715 29600 example.com.
+ DummySignatureDummySignature12345678
+ 123456789123456789123456789123456789
+ lqhxunAbh08dsQ== )
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 IN NSEC3 1 0 10 - (
+ 6DFJITU5VML86QNKU9FO2LJDDQQTQPVT
+ A RRSIG )
+6DFJITU5VML86QNKU9FO2LJDDQQTQPVT.example.com. 86400 IN NSEC3 1 0 10 - (
+ MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938
+ A RRSIG )
+MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938.example.com. 86400 IN NSEC3 1 0 10 - (
+ UI312KQOP1NG8IQEIEFNPSLA94KB5Q92
+ NS )
+UI312KQOP1NG8IQEIEFNPSLA94KB5Q92.example.com. 86400 IN NSEC3 1 0 10 - (
+ UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A
+ A RRSIG)
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 IN NSEC3 1 0 10 - (
+ 20G1GOL477RO51RK9A9NFD54TFQAL7IQ
+ NS SOA RRSIG DNSKEY NSEC3PARAM )
+
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 IN A 1.2.3.4
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 RRSIG A 7 3 86400 (
+ 20840201000000 20160302125715 29600 example.com.
+ DPwNyH7r/4wIBfTGxikNv4pY7omY6IqpQS6Q
+ jtTNuStA+5gk98dvcgRjluxqo/+ZlZz4V53f
+ 1y506ytGbX/q4Q== )
+
+
+UI312KQOP1NG8IQEIEFNPSLA94KB5Q92.example.com. 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160302125715 29600 example.com.
+ DummySignatureDummySignature4ey0Qcln
+ uquQZT+z2HIdCE9HeslAkTlu/Xt78vF4+3db
+ t2Vno21DkteA+w== )
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160302125715 29600 example.com.
+ DummySignatureDummySignature4ey0Qcln
+ uquQZT+z2HIdCE9HeslAkTlu/Xt78vF4+3db
+ t2Vno21DkteA+w== )
+6DFJITU5VML86QNKU9FO2LJDDQQTQPVT.example.com. 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160302125715 29600 example.com.
+ KElp8dLKBKFzgEFV8r5aP9pCyYUD+Z8rLBA9
+ KkCDm1y82x5T/Cu5UXuZJwhvDGDzwPqoY5Dr
+ Qbiek52n6umbEw== )
+MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938.example.com. 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160302125715 29600 example.com.
+ DummySignatureDummySignatureD37X9Bw2
+ 9JOkecZnmzCwBqfMCBvRYmNRpMd512+ZnW/I
+ 1vIViE7CGwkHyA== )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160302125715 29600 example.com.
+ DPwNyH7r/4wIBfTGxikNv4pY7omY6IqpQS6Q
+ jtTNuStA+5gk98dvcgRjluxqo/+ZlZz4V53f
+ 1y506ytGbX/q4Q== )
+
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 RRSIG SOA 7 2 3600 (
+ 20840201000000 20160302125715 29600 example.com.
+ bGk1vLxVuJpcEy7n0gPvQVzfanbvINLJLcbD
+ eeie4sXZZAOwu6oQZy6kd8tvKtV4mL0OJzpH
+ XCO6BdZkmk/aQA== )
+ 3600 NS dns1.example.com.
+ 3600 RRSIG NS 7 2 3600 (
+ 20840201000000 20160302125715 29600 example.com.
+ roe4aBp4G3TqQ4x5eRxbVIjApIh17gXDjfOY
+ zvRFLOkrwqKz3eX9WrRiCk3bYNn8s1fuenaQ
+ OSV1D5SL7utX5w== )
+ 3600 DNSKEY 256 3 7 (
+ AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+ oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+ MFwieWYfDdgUnPxyKMM=
+ ) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+ 3600 DNSKEY 257 3 7 (
+ AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+ exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+ JH9YXitS21LMD0Hqp1s=
+ ) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160302125715 29600 example.com.
+ c1yhXb8wRGYndpVqG61+lHAAbZg+JcVYGPX3
+ Fw0jYigN4G+P0+VUCqPLkC4yfJylzuefyGfk
+ TUmriM3ihfXxIg== )
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160302125715 31323 example.com.
+ mZiLLTzbdaj7EJ8uj3TwvcvAfaMxYjyavlGT
+ qpa+cElfvBDm7R6MF4MaEQ9aZ2ylMt1lppjq
+ YyYRaaQC6yhm4g== )
+ 0 NSEC3PARAM 1 0 10 -
+ 0 RRSIG NSEC3PARAM 7 2 0 (
+ 20840201000000 20160302125715 29600 example.com.
+ K3PkVYZZV8QvZFtDsz9+ZfiM9wDkFu/eO2S5
+ tAtCXd1fktcW44TLWL0qADfFEEcMotvzLqv1
+ YJrD7TvrFDot8Q== )
+deleg.example.com. 3600 IN NS deleg.example.com.
+ 3600 A 192.0.2.1
+
+dns1.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160302125715 29600 example.com.
+ vlzRtVFa44pRtdD8XZcgDa6021uA9A3TnNEw
+ 5jRnor4aoftUuVQNAanQMCgrWk63d14XZ2d0
+ lqhxunAbh08dsQ== )
+
+www.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160302125715 29600 example.com.
+ NWFuYaSEg3z3K4l/fHu/X9dK+rDZ177BbCNN
+ ZeFTPCAdOnX0nw1CQys629k7Vzdv1pHaanmy
+ 0Ru0tX9R65NlKw== )
+
+
diff --git a/tests/knot/semantic_check_data/nsec3_optout.signed b/tests/knot/semantic_check_data/nsec3_optout.signed
new file mode 100644
index 0000000..c9caa5d
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec3_optout.signed
@@ -0,0 +1,81 @@
+
+; insecure delegation, not covered by NSEC3 or opt-out
+zzz.example.com. 3600 IN NS zzz.example.com.
+ 3600 A 192.0.2.1
+
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 RRSIG SOA 7 2 3600 (
+ 20840201000000 20160229083110 29600 example.com.
+ W9EprjaR4loSnNW96h4rLsquPDw3LHYvD05k
+ djkQofHSkMNZAJ7Q+eA3Fs2ik5fnJFM7wi5C
+ MtFsV2TfqMJFmg== )
+ 3600 NS dns1.example.com.
+ 3600 RRSIG NS 7 2 3600 (
+ 20840201000000 20160229083110 29600 example.com.
+ I9Je1S7XhZIW9C0fWE8NwFLC2rhHklddNYBO
+ dxVKL/lxENU4jPPBwZBGrcYn2WVHgkIzjG0n
+ EOHONAgRFPi3Xw== )
+ 3600 DNSKEY 256 3 7 (
+ AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+ oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+ MFwieWYfDdgUnPxyKMM=
+ ) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+ 3600 DNSKEY 257 3 7 (
+ AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+ exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+ JH9YXitS21LMD0Hqp1s=
+ ) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160229083110 29600 example.com.
+ vO2UQiTN/CNUZOmSEg8kJlR/UqiAZHc4qMwj
+ 9u31sbPmOMuni+ZGuVCFFoEMtZerIkkQowkB
+ sXJFkvCP5oF2rA== )
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160229083110 31323 example.com.
+ Z+aaLu4rmzekfhlj6A0ClREloRi8MloRHf/3
+ Dlw/RYY1hrOCfcZKEY6AXeVdUwESEsSkSOco
+ CbhyGHH10dKAAg== )
+ 0 NSEC3PARAM 1 0 10 -
+ 0 RRSIG NSEC3PARAM 7 2 0 (
+ 20840201000000 20160229083110 29600 example.com.
+ d69kc52VdALI8fbdbflsVsltc1m7bI6QsJ5U
+ IDE9fy5VqcufZecZMKuozPDuF2vBA8ADFIRU
+ OfYgKs6YNIOLWg== )
+deleg.example.com. 3600 IN NS deleg.example.com.
+ 3600 A 192.0.2.1
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 IN NSEC3 1 0 10 - (
+ MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938
+ A RRSIG )
+ 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160229083110 29600 example.com.
+ D24JCtCcNzwsY1FXVliAjxMm+x95N2eUTXn0
+ M8NK5glSk1yLtnAUKzHxpRExAJLGUiaG4yPu
+ 2yGZuqwNvJztzw== )
+MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938.example.com. 86400 IN NSEC3 1 0 10 - (
+ UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A
+ NS )
+ 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160229083110 29600 example.com.
+ jRNMrWLfS4yzRHQOBxs6/GKWIzx6AZV5lyCm
+ 7bYTV9wS3owDJSQhJ7lft0WbBmUMtV3tP9Xr
+ Yc+yW48p2Vr+QQ== )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 IN NSEC3 1 0 10 - (
+ 20G1GOL477RO51RK9A9NFD54TFQAL7IQ
+ NS SOA RRSIG DNSKEY NSEC3PARAM )
+ 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160229083110 29600 example.com.
+ F7y+xW/C7iICgmZeYrF4e7Yx4kWZAZPAMzlu
+ PtWVuf37ySg1VfEWcQcDP04vF2rXVUqSMEcj
+ bqUVN5W8Hoazxw== )
+dns1.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160229083110 29600 example.com.
+ MoYrL/lToC4AHo6KCZRiBRmCMWHUAx2Xt32A
+ P4lDpwA+wiBWkCZSfVTh60AosS/BIGtBb2BK
+ mszMx8CLBvkjRg== )
diff --git a/tests/knot/semantic_check_data/nsec3_optout_ent.all b/tests/knot/semantic_check_data/nsec3_optout_ent.all
new file mode 100644
index 0000000..5ebd917
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec3_optout_ent.all
@@ -0,0 +1,15 @@
+example.com. 3600 SOA dns1.com. hostmaster.com. 2010111217 21600 3600 604800 86400
+example.com. 3600 NS dns1.com.
+example.com. 3600 DNSKEY 256 3 13 tCoteOM+A4o/A9uxgLyDg3HOg2DClU+3d+1XPQRtTfuaEFOGIpyH6qiFUv2b4DYuvmMyTkL99nxvyhA8yo0Cgg==
+example.com. 3600 DNSKEY 257 3 13 Yk8KOmyVzOij3x+Zs+eT4J2Up9+ipwXEKOhL9fTYY/DU10yIQt+zYm02UFZJX2oVTdHBCajpBFsZLH2X4ho1yw==
+example.com. 0 NSEC3PARAM 1 0 10 151E9F1094FE188F
+deleg1.ent.example.com. 3600 NS glue.outofzone.net.
+deleg2.ent.example.com. 3600 NS glue.outofzone.net.
+
+example.com. 3600 RRSIG NS 13 2 3600 20400410173442 20210209160442 61806 example.com. laxHzto10anAyWXb/IqVEoBsybVmb/aCMb4SdxEC3YiJFj1IX9rxChVnuXrQ5zgr1f6YaRyc/DDTP8NFvwyTWg==
+example.com. 3600 RRSIG SOA 13 2 3600 20400410173442 20210209160442 61806 example.com. /eNl2bkB/SJ6qBX+Jpm5KTXIs5Xi978JWRN2jtbEh5Z9udy7liS73oMkBLlJ33amKc7Gwfqi2+SgdHHud4j0Ug==
+example.com. 3600 RRSIG DNSKEY 13 2 3600 20400410173442 20210209160442 25674 example.com. TpePckJM7GcsE72vbfSf49LzEM1chUFIiKBN0VyCHdB3YFpRH5d8Qx+XWh8Vs9AuLoKMWTQ0UD4kZK8yF70N4A==
+example.com. 0 RRSIG NSEC3PARAM 13 2 0 20400410173442 20210209160442 61806 example.com. RfPCpoA94H+dm7fqxhZ+GIf4fQwzN19yJVbhmEOtx6if9U/H6mJalvoy4d5UD/L2bferTBbie4I/TzAIXgVETQ==
+
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600 NSEC3 1 1 10 151E9F1094FE188F ple28jlp3q5anh045ssk9f3u7ltd4qlc NS SOA RRSIG DNSKEY NSEC3PARAM
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600 RRSIG NSEC3 13 3 3600 20400410181548 20210209164548 61806 example.com. EBPlHXYdARm1T0TaYadx0ETwC6w0g5J1yPR6LB3ur9IItcEWRONhqDrNwUbYGbW5c4nWep/hnJYdmMFq1bTfiw==
diff --git a/tests/knot/semantic_check_data/nsec3_optout_ent.invalid b/tests/knot/semantic_check_data/nsec3_optout_ent.invalid
new file mode 100644
index 0000000..114d5d7
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec3_optout_ent.invalid
@@ -0,0 +1,18 @@
+example.com. 3600 SOA dns1.com. hostmaster.com. 2010111217 21600 3600 604800 86400
+example.com. 3600 NS dns1.com.
+example.com. 3600 DNSKEY 256 3 13 tCoteOM+A4o/A9uxgLyDg3HOg2DClU+3d+1XPQRtTfuaEFOGIpyH6qiFUv2b4DYuvmMyTkL99nxvyhA8yo0Cgg==
+example.com. 3600 DNSKEY 257 3 13 Yk8KOmyVzOij3x+Zs+eT4J2Up9+ipwXEKOhL9fTYY/DU10yIQt+zYm02UFZJX2oVTdHBCajpBFsZLH2X4ho1yw==
+example.com. 0 NSEC3PARAM 1 0 10 151E9F1094FE188F
+deleg1.ent.example.com. 3600 NS glue.outofzone.net.
+deleg2.ent.example.com. 3600 NS glue.outofzone.net.
+
+example.com. 3600 RRSIG NS 13 2 3600 20400410173442 20210209160442 61806 example.com. laxHzto10anAyWXb/IqVEoBsybVmb/aCMb4SdxEC3YiJFj1IX9rxChVnuXrQ5zgr1f6YaRyc/DDTP8NFvwyTWg==
+example.com. 3600 RRSIG SOA 13 2 3600 20400410173442 20210209160442 61806 example.com. /eNl2bkB/SJ6qBX+Jpm5KTXIs5Xi978JWRN2jtbEh5Z9udy7liS73oMkBLlJ33amKc7Gwfqi2+SgdHHud4j0Ug==
+example.com. 3600 RRSIG DNSKEY 13 2 3600 20400410173442 20210209160442 25674 example.com. TpePckJM7GcsE72vbfSf49LzEM1chUFIiKBN0VyCHdB3YFpRH5d8Qx+XWh8Vs9AuLoKMWTQ0UD4kZK8yF70N4A==
+example.com. 0 RRSIG NSEC3PARAM 13 2 0 20400410173442 20210209160442 61806 example.com. RfPCpoA94H+dm7fqxhZ+GIf4fQwzN19yJVbhmEOtx6if9U/H6mJalvoy4d5UD/L2bferTBbie4I/TzAIXgVETQ==
+
+gtr2v0c3d7eqh7ob8rbad7ta90tq8lci.example.com. 3600 NSEC3 1 1 10 151E9F1094FE188F ple28jlp3q5anh045ssk9f3u7ltd4qlc NS
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600 NSEC3 1 1 10 151E9F1094FE188F gtr2v0c3d7eqh7ob8rbad7ta90tq8lci NS SOA RRSIG DNSKEY NSEC3PARAM
+
+gtr2v0c3d7eqh7ob8rbad7ta90tq8lci.example.com. 3600 RRSIG NSEC3 13 3 3600 20400410173442 20210209160442 61806 example.com. gb3uKByt54iwCsd284xzOVnnpN97r7ARz6UacMdm2Xs4M8t6Ao9bRG7jvbNpFCALfaU/xDQF7K3v31iKBeVwjw==
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600 RRSIG NSEC3 13 3 3600 20400410173442 20210209160442 61806 example.com. kpuFRuzOhsG5zy0Sdql0AB44IDUtf9ccTwJXdULoIqUNKeRqvgWJ7ekEhBKvntVHlBQZPescgPMvvq7PLcA2Dw==
diff --git a/tests/knot/semantic_check_data/nsec3_optout_ent.valid b/tests/knot/semantic_check_data/nsec3_optout_ent.valid
new file mode 100644
index 0000000..c9fe657
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec3_optout_ent.valid
@@ -0,0 +1,20 @@
+example.com. 3600 SOA dns1.com. hostmaster.com. 2010111217 21600 3600 604800 86400
+example.com. 3600 NS dns1.com.
+example.com. 3600 DNSKEY 256 3 13 tCoteOM+A4o/A9uxgLyDg3HOg2DClU+3d+1XPQRtTfuaEFOGIpyH6qiFUv2b4DYuvmMyTkL99nxvyhA8yo0Cgg==
+example.com. 3600 DNSKEY 257 3 13 Yk8KOmyVzOij3x+Zs+eT4J2Up9+ipwXEKOhL9fTYY/DU10yIQt+zYm02UFZJX2oVTdHBCajpBFsZLH2X4ho1yw==
+example.com. 0 NSEC3PARAM 1 0 10 151E9F1094FE188F
+deleg1.ent.example.com. 3600 NS glue.outofzone.net.
+deleg2.ent.example.com. 3600 NS glue.outofzone.net.
+
+example.com. 3600 RRSIG NS 13 2 3600 20400410173236 20210209160236 61806 example.com. C4ierSNpy03xjH5rQEfb01wCj4SVIzX9b15FVEMIbn3lmDo5jXO6stOrW8Z7OjoVuCaRi1Qj997TeCYqOxNXSQ==
+example.com. 3600 RRSIG SOA 13 2 3600 20400410173236 20210209160236 61806 example.com. NNyQzYOcPbfEsqv61I78MuMguN/KIFi/wSJc940pj7rv+riA3J+XVzpaHSSh//q8CmrvpBAk2g8KsQG/6kOXmg==
+example.com. 3600 RRSIG DNSKEY 13 2 3600 20400410173236 20210209160236 25674 example.com. ZY3nxZJeOfSOEhs02mfhQgt6N1EgZubtPp3HuV69gStFSu4aCLi8a2aseQGilOFW64dOAYNm3LL/WqhPi7MZ1Q==
+example.com. 0 RRSIG NSEC3PARAM 13 2 0 20400410173236 20210209160236 61806 example.com. JITs/EH8nLaFRidlkT6+mcTwEpjgp2TMjb9fU5TBIlKn94og8YtOWFbNmzdEYBKlGLlkg8LwY2ortrSoRHS6Hw==
+
+ej69a9a2k2j0ntktmdvihrv5ao8fl1jt.example.com. 3600 NSEC3 1 1 10 151E9F1094FE188F gtr2v0c3d7eqh7ob8rbad7ta90tq8lci
+gtr2v0c3d7eqh7ob8rbad7ta90tq8lci.example.com. 3600 NSEC3 1 1 10 151E9F1094FE188F ple28jlp3q5anh045ssk9f3u7ltd4qlc NS
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600 NSEC3 1 1 10 151E9F1094FE188F ej69a9a2k2j0ntktmdvihrv5ao8fl1jt NS SOA RRSIG DNSKEY NSEC3PARAM
+
+ej69a9a2k2j0ntktmdvihrv5ao8fl1jt.example.com. 3600 RRSIG NSEC3 13 3 3600 20400410173236 20210209160236 61806 example.com. yatL/lbFSUyN4UyRtMXymxsiqhOXHp+N+pTI/zNOc0NXCdaaLceh+tZHlc+E4napRfP53XXEhuGavjShTIJ/+g==
+gtr2v0c3d7eqh7ob8rbad7ta90tq8lci.example.com. 3600 RRSIG NSEC3 13 3 3600 20400410173236 20210209160236 61806 example.com. 20XNZrfJ4l/JIDjCbsba3mUOrNyOxJ2VuCju/yLc0XbdzqMcKJR87g3u967GEnoYY5f5+rJt/IHsuJWHcLApCQ==
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600 RRSIG NSEC3 13 3 3600 20400410173236 20210209160236 61806 example.com. eLRo9y8Rxf157qcciWM/LSUbtjYks2zLO5xQ9Ff5bidHc9m2XEqjWxqdPZz5gurEf+uPnM8mnix36X4YH4ZXwg==
diff --git a/tests/knot/semantic_check_data/nsec3_param_invalid.signed b/tests/knot/semantic_check_data/nsec3_param_invalid.signed
new file mode 100644
index 0000000..c7d8d6d
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec3_param_invalid.signed
@@ -0,0 +1,70 @@
+; Zone without any semantic error
+
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 RRSIG SOA 7 2 3600 (
+ 20840201000000 20160229083110 29600 example.com.
+ W9EprjaR4loSnNW96h4rLsquPDw3LHYvD05k
+ djkQofHSkMNZAJ7Q+eA3Fs2ik5fnJFM7wi5C
+ MtFsV2TfqMJFmg== )
+ 3600 NS dns1.example.com.
+ 3600 RRSIG NS 7 2 3600 (
+ 20840201000000 20160229083110 29600 example.com.
+ I9Je1S7XhZIW9C0fWE8NwFLC2rhHklddNYBO
+ dxVKL/lxENU4jPPBwZBGrcYn2WVHgkIzjG0n
+ EOHONAgRFPi3Xw== )
+ 3600 DNSKEY 256 3 7 (
+ AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+ oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+ MFwieWYfDdgUnPxyKMM=
+ ) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+ 3600 DNSKEY 257 3 7 (
+ AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+ exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+ JH9YXitS21LMD0Hqp1s=
+ ) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160229083110 29600 example.com.
+ vO2UQiTN/CNUZOmSEg8kJlR/UqiAZHc4qMwj
+ 9u31sbPmOMuni+ZGuVCFFoEMtZerIkkQowkB
+ sXJFkvCP5oF2rA== )
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160229083110 31323 example.com.
+ Z+aaLu4rmzekfhlj6A0ClREloRi8MloRHf/3
+ Dlw/RYY1hrOCfcZKEY6AXeVdUwESEsSkSOco
+ CbhyGHH10dKAAg== )
+ 0 NSEC3PARAM 1 4 10 -
+ 0 RRSIG NSEC3PARAM 7 2 0 (
+ 20840201000000 20160229083110 29600 example.com.
+ d69kc52VdALI8fbdbflsVsltc1m7bI6QsJ5U
+ IDE9fy5VqcufZecZMKuozPDuF2vBA8ADFIRU
+ OfYgKs6YNIOLWg== )
+deleg.example.com. 3600 IN NS deleg.example.com.
+ 3600 A 192.0.2.1
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 IN NSEC3 1 1 15 - (
+ UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A
+ A RRSIG )
+ 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160229083110 29600 example.com.
+ D24JCtCcNzwsY1FXVliAjxMm+x95N2eUTXn0
+ M8NK5glSk1yLtnAUKzHxpRExAJLGUiaG4yPu
+ 2yGZuqwNvJztzw== )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 IN NSEC3 4 0 10 - (
+ 20G1GOL477RO51RK9A9NFD54TFQAL7IQ
+ NS SOA RRSIG DNSKEY NSEC3PARAM )
+ 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160229083110 29600 example.com.
+ F7y+xW/C7iICgmZeYrF4e7Yx4kWZAZPAMzlu
+ PtWVuf37ySg1VfEWcQcDP04vF2rXVUqSMEcj
+ bqUVN5W8Hoazxw== )
+dns1.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160229083110 29600 example.com.
+ MoYrL/lToC4AHo6KCZRiBRmCMWHUAx2Xt32A
+ P4lDpwA+wiBWkCZSfVTh60AosS/BIGtBb2BK
+ mszMx8CLBvkjRg== )
diff --git a/tests/knot/semantic_check_data/nsec3_wrong_bitmap_01.signed b/tests/knot/semantic_check_data/nsec3_wrong_bitmap_01.signed
new file mode 100644
index 0000000..a3024d8
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec3_wrong_bitmap_01.signed
@@ -0,0 +1,70 @@
+; example.com -- missing DNSKEY in type bitmap
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 IN NSEC3 1 0 10 - (
+ 20G1GOL477RO51RK9A9NFD54TFQAL7IQ
+ NS SOA RRSIG NSEC3PARAM )
+; dns1.example.com
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 IN NSEC3 1 0 10 - (
+ UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A
+ A RRSIG )
+
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 RRSIG SOA 7 2 3600 (
+ 20840201000000 20160225083237 29600 example.com.
+ li23VC44fumpMHhKwWug2J1C2fwCMiwgofYO
+ DKydNYsJyYTlyi8ezLJ2KoBlCtOc4Fp0NbqS
+ aN8CKWh7fQVnkQ== )
+ 3600 NS dns1.example.com.
+ 3600 RRSIG NS 7 2 3600 (
+ 20840201000000 20160225083237 29600 example.com.
+ Y8olY2OClZgC+QHnOhY52LONVOcctOnl8jNY
+ /c7sCHZO4TdPPDHDhpbVntQD+Vc4fUTx+cXY
+ GrF5sLbhddBJXg== )
+ 3600 DNSKEY 256 3 7 (
+ AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+ oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+ MFwieWYfDdgUnPxyKMM=
+ ) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+ 3600 DNSKEY 257 3 7 (
+ AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+ exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+ JH9YXitS21LMD0Hqp1s=
+ ) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160225083237 29600 example.com.
+ fx2rZzhyYrp1b4tNH1SmM852VbGEeZdKrD+f
+ ZoInny1m8sovb1J9ORtVbGkOYOnInDMLWMCX
+ fghHC2MafuFV+Q== )
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160225083237 31323 example.com.
+ TcNU6AlrYhJLrNlkfOPJzO6A77j6C39IPoP4
+ OfmY2ClA5Vx2JO0vQ4bIHR7GIW8fiMe6M6tt
+ ZwQImhVWdG414A== )
+ 0 NSEC3PARAM 1 0 10 -
+ 0 RRSIG NSEC3PARAM 7 2 0 (
+ 20840201000000 20160225083237 29600 example.com.
+ iY0WB0dN1hQXoctaMwvvXzn7paQt5xUyucT3
+ xwo6HAI8Y+OJlecUfOpkkQ9lqIfsqPTXmgbY
+ RieoZGrWR6ZvaQ== )
+dns1.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160225083237 29600 example.com.
+ QptUkTNS7umNQ5V6Z9DyGl6z+rG7G3TFmHG8
+ p9HGaKifSxjwSFW0nZ9/s86XHQ8ql5+bQmPa
+ xw39ntBmQLVxfg== )
+
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160225083237 29600 example.com.
+ CPx6000z5m1zUUpVhki1u9U7P/WMr7PUJAk3
+ G0w3v+/Lw56mDzYzNuTpPzS0noe0LKuecqRu
+ m99KpLyLOx+9QA== )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160225083237 29600 example.com.
+ m2z+hx+8hTA7Phu6QzGJrq+o4MiURpda3fYm
+ 0wTDmXtfPKsHmojGr3kBlvUMg16s2gpvNyCL
+ MSlnJ+7KCkI+Mw== )
diff --git a/tests/knot/semantic_check_data/nsec3_wrong_bitmap_02.signed b/tests/knot/semantic_check_data/nsec3_wrong_bitmap_02.signed
new file mode 100644
index 0000000..e3e4940
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec3_wrong_bitmap_02.signed
@@ -0,0 +1,70 @@
+; example.com
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 IN NSEC3 1 0 10 - (
+ 20G1GOL477RO51RK9A9NFD54TFQAL7IQ
+ NS SOA RRSIG DNSKEY NSEC3PARAM )
+; dns1.example.com -- extra type in bitmap - NSEC
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 IN NSEC3 1 0 10 - (
+ UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A
+ A RRSIG NSEC)
+
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 RRSIG SOA 7 2 3600 (
+ 20840201000000 20160225083237 29600 example.com.
+ li23VC44fumpMHhKwWug2J1C2fwCMiwgofYO
+ DKydNYsJyYTlyi8ezLJ2KoBlCtOc4Fp0NbqS
+ aN8CKWh7fQVnkQ== )
+ 3600 NS dns1.example.com.
+ 3600 RRSIG NS 7 2 3600 (
+ 20840201000000 20160225083237 29600 example.com.
+ Y8olY2OClZgC+QHnOhY52LONVOcctOnl8jNY
+ /c7sCHZO4TdPPDHDhpbVntQD+Vc4fUTx+cXY
+ GrF5sLbhddBJXg== )
+ 3600 DNSKEY 256 3 7 (
+ AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+ oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+ MFwieWYfDdgUnPxyKMM=
+ ) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+ 3600 DNSKEY 257 3 7 (
+ AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+ exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+ JH9YXitS21LMD0Hqp1s=
+ ) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160225083237 29600 example.com.
+ fx2rZzhyYrp1b4tNH1SmM852VbGEeZdKrD+f
+ ZoInny1m8sovb1J9ORtVbGkOYOnInDMLWMCX
+ fghHC2MafuFV+Q== )
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160225083237 31323 example.com.
+ TcNU6AlrYhJLrNlkfOPJzO6A77j6C39IPoP4
+ OfmY2ClA5Vx2JO0vQ4bIHR7GIW8fiMe6M6tt
+ ZwQImhVWdG414A== )
+ 0 NSEC3PARAM 1 0 10 -
+ 0 RRSIG NSEC3PARAM 7 2 0 (
+ 20840201000000 20160225083237 29600 example.com.
+ iY0WB0dN1hQXoctaMwvvXzn7paQt5xUyucT3
+ xwo6HAI8Y+OJlecUfOpkkQ9lqIfsqPTXmgbY
+ RieoZGrWR6ZvaQ== )
+dns1.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160225083237 29600 example.com.
+ QptUkTNS7umNQ5V6Z9DyGl6z+rG7G3TFmHG8
+ p9HGaKifSxjwSFW0nZ9/s86XHQ8ql5+bQmPa
+ xw39ntBmQLVxfg== )
+
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160225083237 29600 example.com.
+ CPx6000z5m1zUUpVhki1u9U7P/WMr7PUJAk3
+ G0w3v+/Lw56mDzYzNuTpPzS0noe0LKuecqRu
+ m99KpLyLOx+9QA== )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 RRSIG NSEC3 7 3 86400 (
+ 20840201000000 20160225083237 29600 example.com.
+ m2z+hx+8hTA7Phu6QzGJrq+o4MiURpda3fYm
+ 0wTDmXtfPKsHmojGr3kBlvUMg16s2gpvNyCL
+ MSlnJ+7KCkI+Mw== )
diff --git a/tests/knot/semantic_check_data/nsec_broken_chain_01.signed b/tests/knot/semantic_check_data/nsec_broken_chain_01.signed
new file mode 100644
index 0000000..cb41dce
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec_broken_chain_01.signed
@@ -0,0 +1,72 @@
+; not coherent NSEC chain
+example.com. 86400 NSEC dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+dns1.example.com. 86400 NSEC example.com. A RRSIG NSEC
+www.example.com. 86400 NSEC example.com. A RRSIG NSEC
+
+; signatures for NSECs
+example.com. 86400 RRSIG NSEC 7 2 86400 (
+ 20840201000000 20160224082919 29600 example.com.
+ FHLUUQTvnVboNzGoQVLpwQAcB+fUEF5xQqMQ
+ oKhE86sdvlQUiEfUpv2PJ9y3YfXHeYxJUtvm
+ cY14UkYqsdP3fA== )
+dns1.example.com. 86400 RRSIG NSEC 7 3 86400 (
+ 20840201000000 20160224082919 29600 example.com.
+ FDPJTLixRBZtMFLqk5wfYTSLnLMZiLtN7uTA
+ COEqyphK33oW+7XJzfG6ADvwGewY4hTCPQkk
+ cEg+DBI7qZ88NA== )
+www.example.com. 86400 RRSIG NSEC 7 3 86400 (
+ 20840201000000 20160224082919 29600 example.com.
+ FDPJTLixRBZtMFLqk5wfYTSLnLMZiLtN7uTA
+ COEqyphK33oW+7XJzfG6ADvwGewY4hTCPQkk
+ cEg+DBI7qZ88NA== )
+
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 RRSIG SOA 7 2 3600 (
+ 20840201000000 20160224082919 29600 example.com.
+ xJIoENJ4d24FIVd9ZSGpQlcWN4zuriU90r/H
+ +ufcM2qtWcOGR1M1LVNIAWEVJEcD2dBGA2w1
+ B7Cx+BILQRev8w== )
+ 3600 NS dns1.example.com.
+ 3600 RRSIG NS 7 2 3600 (
+ 20840201000000 20160224082919 29600 example.com.
+ vBffD+/kBuxUHfeXKYBVYxeMIbuW5f8BstRM
+ XJnC1GTGfdNvb8NknHuv5fEytBmnnpH6f9pC
+ iWLeZzFR1+aJBA== )
+ 3600 DNSKEY 256 3 7 (
+ AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+ oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+ MFwieWYfDdgUnPxyKMM=
+ ) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+ 3600 DNSKEY 257 3 7 (
+ AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+ exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+ JH9YXitS21LMD0Hqp1s=
+ ) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160224082919 29600 example.com.
+ LMyY8+vWsFB7CziWt8rnR5jfg4Loe/xzy4TQ
+ /ITEDbz5pkoadG+0mqTHQ0F5XCe6ZJPamcyr
+ kcMw0GqUzOVb9w== )
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160224082919 31323 example.com.
+ tpHcGRuIkul47hHXVpNAOL48c5YYMsaIJkFE
+ rlQi9wU4TCiukdJkLuPk7ykk9XrxbiCB/FwD
+ o63Vcqyy3gZfvA== )
+dns1.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160224082919 29600 example.com.
+ HlfZThngg+1xglDUh8kjDtzVn5D5a9T3emMt
+ Uxfryu9va7bj+xoK4gLADGau69GCZxJNSvwK
+ TAGEqGRYFSY9Ew== )
+www.example.com. 3600 IN A 192.0.2.2
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160224082919 29600 example.com.
+ FLR8e2k6u7dhQA1xZ3YMxkvuktoydXC+ZNwl
+ xzW9hLpF3oKoqqY/V+kw7m2OMgnOEu2jWN4Q
+ EETdmMeQzkiuNw== )
diff --git a/tests/knot/semantic_check_data/nsec_broken_chain_02.signed b/tests/knot/semantic_check_data/nsec_broken_chain_02.signed
new file mode 100644
index 0000000..5c5f004
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec_broken_chain_02.signed
@@ -0,0 +1,65 @@
+; not coherent NSEC chain
+example.com. 86400 NSEC dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+dns1.example.com. 86400 NSEC www.example.com. A RRSIG NSEC
+www.example.com. 86400 NSEC www.example.com. A RRSIG NSEC
+
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 RRSIG SOA 13 2 3600 (
+ 20601231235959 20201008171141 31772 example.com.
+ Qwf3qgLbSvE4PmUVU8rpIASe0v1T1K0ie3Lw
+ g+6o3tpBS8vWcmHMUiKns/6rAvoum7vHQRmO
+ dH7X3Pp1/X3xCw== )
+ 3600 NS dns1.example.com.
+ 3600 RRSIG NS 13 2 3600 (
+ 20601231235959 20201008171141 31772 example.com.
+ 92/D4j7CUCKkykxMzdjfJoaNrMwO93OQtZlB
+ APsfcEyYl+W0sSnow/2RgYvKfX+kdcmp5VXD
+ vQxTGC0VqdMwCQ== )
+ 86400 RRSIG NSEC 13 2 86400 (
+ 20601231235959 20201008171141 31772 example.com.
+ shdsucYBfD8/zV1h1QgUBiC7VgYdFxFEcF1k
+ FQfY+UHkfD/AyOkiFPQxysimgzqJn2/z5Q+v
+ GT1CzzzemgzoXw== )
+ 3600 DNSKEY 256 3 13 (
+ /4RnFpCmaYIIrL/zP1T6LvfhXdpun0ZyYDKL
+ ho0zuUD+RMDe31IQCzr9AuSn1BAIQWIunxFs
+ EaTSlvpiUd+CAg==
+ ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 31772
+ 3600 DNSKEY 257 3 13 (
+ /KEwa6qUWHdkpEMGX55UaIvl7do5l2IADCDq
+ iNnawoCLu7Tm4MU6ylzYS1htz1mTd8Zcuzl0
+ gkRe4FXwOmOzvQ==
+ ) ; KSK; alg = ECDSAP256SHA256 ; key id = 14119
+ 3600 RRSIG DNSKEY 13 2 3600 (
+ 20601231235959 20201008171141 14119 example.com.
+ FPftK2atu4GMOspSR24p5iIvmq2VKgPJMUTu
+ 5RiwflEf8UgD7s2WFe7A6/JLurwEhqa/313T
+ eEURk7m313h4jQ== )
+dns1.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 13 3 3600 (
+ 20601231235959 20201008171141 31772 example.com.
+ +Xvcx4bZ536B8DtNwzurqmPPoDVdtS5nlRhQ
+ pMZ+OLsHECDnFaI50dSw4F1/c3DERz1ktM0+
+ QCC96MZ7QdAYQw== )
+ 86400 RRSIG NSEC 13 3 86400 (
+ 20601231235959 20201008171141 31772 example.com.
+ 64MPHHZG8wrbAtk+LY/5ISicI1vU7V19q9lF
+ wOm0mcpvoBERyDwadgZpmHsvin1sRt/LZYDr
+ iBKxcnaviHfULg== )
+www.example.com. 3600 IN A 192.0.2.2
+ 3600 RRSIG A 13 3 3600 (
+ 20601231235959 20201008171141 31772 example.com.
+ +/+14BFYf5Iq9IIeX1Oz5XqxsaPaw3T6PTPH
+ neJz6N9QhnI6aKkGZFYBuqY0Zhmcr52zbhPi
+ 1yZAUTP7OvouhA== )
+ 86400 RRSIG NSEC 13 3 86400 (
+ 20601231235959 20201008171141 31772 example.com.
+ fPqL9hFml35JLmfX3MA32hMnMhh9UA1Mc2OZ
+ nY+0j4wTtVR0PVMWHOv9UaULzTCM+5mlpFXm
+ nRUMj8sMTGzFzw== )
diff --git a/tests/knot/semantic_check_data/nsec_missing.signed b/tests/knot/semantic_check_data/nsec_missing.signed
new file mode 100644
index 0000000..e901607
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec_missing.signed
@@ -0,0 +1,67 @@
+example.com. 86400 NSEC dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+dns1.example.com. 86400 NSEC example.com. A RRSIG NSEC
+; missing NSEC for www.example.com.
+
+; signatures for NSECs
+example.com. 86400 RRSIG NSEC 7 2 86400 (
+ 20840201000000 20160224082919 29600 example.com.
+ FHLUUQTvnVboNzGoQVLpwQAcB+fUEF5xQqMQ
+ oKhE86sdvlQUiEfUpv2PJ9y3YfXHeYxJUtvm
+ cY14UkYqsdP3fA== )
+dns1.example.com. 86400 RRSIG NSEC 7 3 86400 (
+ 20840201000000 20160224082919 29600 example.com.
+ GF3mqBf6Ny481XSbEor1uTzQZtT2DSA/3jU2
+ ZcLXXhlmHG3nI/PB49lG+17O83rDrbhcYc8G
+ cHEbLIGNr/6+Mw== )
+
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 RRSIG SOA 7 2 3600 (
+ 20840201000000 20160224082919 29600 example.com.
+ xJIoENJ4d24FIVd9ZSGpQlcWN4zuriU90r/H
+ +ufcM2qtWcOGR1M1LVNIAWEVJEcD2dBGA2w1
+ B7Cx+BILQRev8w== )
+ 3600 NS dns1.example.com.
+ 3600 RRSIG NS 7 2 3600 (
+ 20840201000000 20160224082919 29600 example.com.
+ vBffD+/kBuxUHfeXKYBVYxeMIbuW5f8BstRM
+ XJnC1GTGfdNvb8NknHuv5fEytBmnnpH6f9pC
+ iWLeZzFR1+aJBA== )
+ 3600 DNSKEY 256 3 7 (
+ AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+ oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+ MFwieWYfDdgUnPxyKMM=
+ ) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+ 3600 DNSKEY 257 3 7 (
+ AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+ exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+ JH9YXitS21LMD0Hqp1s=
+ ) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160224082919 29600 example.com.
+ LMyY8+vWsFB7CziWt8rnR5jfg4Loe/xzy4TQ
+ /ITEDbz5pkoadG+0mqTHQ0F5XCe6ZJPamcyr
+ kcMw0GqUzOVb9w== )
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160224082919 31323 example.com.
+ tpHcGRuIkul47hHXVpNAOL48c5YYMsaIJkFE
+ rlQi9wU4TCiukdJkLuPk7ykk9XrxbiCB/FwD
+ o63Vcqyy3gZfvA== )
+dns1.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160224082919 29600 example.com.
+ HlfZThngg+1xglDUh8kjDtzVn5D5a9T3emMt
+ Uxfryu9va7bj+xoK4gLADGau69GCZxJNSvwK
+ TAGEqGRYFSY9Ew== )
+
+www.example.com. 3600 IN A 192.0.2.2
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160224082919 29600 example.com.
+ FLR8e2k6u7dhQA1xZ3YMxkvuktoydXC+ZNwl
+ xzW9hLpF3oKoqqY/V+kw7m2OMgnOEu2jWN4Q
+ EETdmMeQzkiuNw== )
diff --git a/tests/knot/semantic_check_data/nsec_multiple.signed b/tests/knot/semantic_check_data/nsec_multiple.signed
new file mode 100644
index 0000000..0cd6aec
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec_multiple.signed
@@ -0,0 +1,66 @@
+; not coherent NSEC chain
+example.com. 86400 NSEC dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+dns1.example.com. 86400 NSEC www.example.com. A RRSIG NSEC
+www.example.com. 86400 NSEC example.com. A RRSIG NSEC
+www.example.com. 86400 NSEC www.example.com. A RRSIG NSEC
+
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 RRSIG SOA 13 2 3600 (
+ 20601231235959 20201008170543 19445 example.com.
+ dEcgYVtA8cRE8ErOZGO/aaMat99+KuJdKoDc
+ 0+8fauQ3dcTUHVg2I+v4hdizjlmAJzGXJN+7
+ 6ssZgcvXCnWOsQ== )
+ 3600 NS dns1.example.com.
+ 3600 RRSIG NS 13 2 3600 (
+ 20601231235959 20201008170543 19445 example.com.
+ 2OEk6Lpt+1c58vnCEHBrV7//7gyoo1bGJSHo
+ k+oWaF9Uh07XVkVWznq6mmCErqukUPLnW1Bn
+ rysjk4i5Yflqkg== )
+ 86400 RRSIG NSEC 13 2 86400 (
+ 20601231235959 20201008170543 19445 example.com.
+ icB72dzHg9d9klcTL/mW53mGIX6KzF0GLWUt
+ DKLCcu2Ailyp3kdM64dyJxRYTr7F7KfxyHi4
+ 3KJtphYNEA6ZWA== )
+ 3600 DNSKEY 256 3 13 (
+ H1roLYze5AZ+ouWMduBJtoJ8N5BPFdF3n6Pv
+ +Nfw5bNHUtCzgvMhmtX2gcRlmZ70Ycv1C/U+
+ mCvLWVdfJm08lA==
+ ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 19445
+ 3600 DNSKEY 257 3 13 (
+ MSWkrHjEr7zi143oQdRthBBzl70MXeILunB7
+ 8j55a5a9+Q39YKaIiRM4zyCV6WTXpm9H6eOS
+ RRgdQqGNL1gsKQ==
+ ) ; KSK; alg = ECDSAP256SHA256 ; key id = 23836
+ 3600 RRSIG DNSKEY 13 2 3600 (
+ 20601231235959 20201008170543 23836 example.com.
+ ejlk2L0CVBWuAxr1g+qivdvyIXqzp3+9U0tu
+ a2geLUtaVx8ErYnIvUug15S54g75+lZoZ1uK
+ l2WFWuy751kIsw== )
+www.example.com. 3600 IN A 192.0.2.2
+ 3600 RRSIG A 13 3 3600 (
+ 20601231235959 20201008170543 19445 example.com.
+ 8k4wk4+kCs1kO3+8sL6zZdpkHw0U58oua/Ur
+ C8CHo6TjlLx/jRrLdQKcFy5H7gBMcJY76SDs
+ mT91HuWH+BpwNA== )
+ 86400 RRSIG NSEC 13 3 86400 (
+ 20601231235959 20201008170543 19445 example.com.
+ 3XbwYx32/Y8sLtQ+dW1lg+s1eaOSZlmkdJeO
+ IsLOAF6U9kq/2zrUTYCtFBMfqs5yYDEISK6X
+ W5UfBBdFRdYzgw== )
+dns1.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 13 3 3600 (
+ 20601231235959 20201008170543 19445 example.com.
+ DDTolVJ5Mxfm8srRVi/SRu0+5y3OBTQCVFuQ
+ ywdv4IahQoE11pjXRCBUXvroTeDgoHrmD7PD
+ b1aIBxHLiC/2pg== )
+ 86400 RRSIG NSEC 13 3 86400 (
+ 20601231235959 20201008170543 19445 example.com.
+ DDhuGYMEij4vbJZlscX3os8qj/wgq55w63jc
+ 8mPr/LquDr6o6lrEYdcnZl4Rz22snnF2+po1
+ 3SEjRSJ0ROmTbw== )
diff --git a/tests/knot/semantic_check_data/nsec_wrong_bitmap_01.signed b/tests/knot/semantic_check_data/nsec_wrong_bitmap_01.signed
new file mode 100644
index 0000000..058a0a3
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec_wrong_bitmap_01.signed
@@ -0,0 +1,73 @@
+example.com. 86400 NSEC dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+dns1.example.com. 86400 NSEC www.example.com. A RRSIG NSEC
+
+; extra AAAA type in NSEC bitmap
+www.example.com. 86400 NSEC example.com. A RRSIG NSEC AAAA
+www.example.com. 3600 IN A 192.0.2.2
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160224082919 29600 example.com.
+ FLR8e2k6u7dhQA1xZ3YMxkvuktoydXC+ZNwl
+ xzW9hLpF3oKoqqY/V+kw7m2OMgnOEu2jWN4Q
+ EETdmMeQzkiuNw== )
+
+; signatures for NSECs
+example.com. 86400 RRSIG NSEC 7 2 86400 (
+ 20840201000000 20160224082919 29600 example.com.
+ FHLUUQTvnVboNzGoQVLpwQAcB+fUEF5xQqMQ
+ oKhE86sdvlQUiEfUpv2PJ9y3YfXHeYxJUtvm
+ cY14UkYqsdP3fA== )
+dns1.example.com. 86400 RRSIG NSEC 7 3 86400 (
+ 20840201000000 20160224082919 29600 example.com.
+ GF3mqBf6Ny481XSbEor1uTzQZtT2DSA/3jU2
+ ZcLXXhlmHG3nI/PB49lG+17O83rDrbhcYc8G
+ cHEbLIGNr/6+Mw== )
+www.example.com. 86400 RRSIG NSEC 7 3 86400 (
+ 20840201000000 20160224082919 29600 example.com.
+ FDPJTLixRBZtMFLqk5wfYTSLnLMZiLtN7uTA
+ COEqyphK33oW+7XJzfG6ADvwGewY4hTCPQkk
+ cEg+DBI7qZ88NA== )
+
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 RRSIG SOA 7 2 3600 (
+ 20840201000000 20160224082919 29600 example.com.
+ xJIoENJ4d24FIVd9ZSGpQlcWN4zuriU90r/H
+ +ufcM2qtWcOGR1M1LVNIAWEVJEcD2dBGA2w1
+ B7Cx+BILQRev8w== )
+ 3600 NS dns1.example.com.
+ 3600 RRSIG NS 7 2 3600 (
+ 20840201000000 20160224082919 29600 example.com.
+ vBffD+/kBuxUHfeXKYBVYxeMIbuW5f8BstRM
+ XJnC1GTGfdNvb8NknHuv5fEytBmnnpH6f9pC
+ iWLeZzFR1+aJBA== )
+ 3600 DNSKEY 256 3 7 (
+ AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+ oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+ MFwieWYfDdgUnPxyKMM=
+ ) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+ 3600 DNSKEY 257 3 7 (
+ AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+ exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+ JH9YXitS21LMD0Hqp1s=
+ ) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160224082919 29600 example.com.
+ LMyY8+vWsFB7CziWt8rnR5jfg4Loe/xzy4TQ
+ /ITEDbz5pkoadG+0mqTHQ0F5XCe6ZJPamcyr
+ kcMw0GqUzOVb9w== )
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160224082919 31323 example.com.
+ tpHcGRuIkul47hHXVpNAOL48c5YYMsaIJkFE
+ rlQi9wU4TCiukdJkLuPk7ykk9XrxbiCB/FwD
+ o63Vcqyy3gZfvA== )
+dns1.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160224082919 29600 example.com.
+ HlfZThngg+1xglDUh8kjDtzVn5D5a9T3emMt
+ Uxfryu9va7bj+xoK4gLADGau69GCZxJNSvwK
+ TAGEqGRYFSY9Ew== )
diff --git a/tests/knot/semantic_check_data/nsec_wrong_bitmap_02.signed b/tests/knot/semantic_check_data/nsec_wrong_bitmap_02.signed
new file mode 100644
index 0000000..dafdc92
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec_wrong_bitmap_02.signed
@@ -0,0 +1,73 @@
+example.com. 86400 NSEC dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+dns1.example.com. 86400 NSEC www.example.com. A RRSIG NSEC
+
+; missing A type in NSEC bitmap
+www.example.com. 86400 NSEC example.com. RRSIG NSEC
+www.example.com. 3600 IN A 192.0.2.2
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160224082919 29600 example.com.
+ FLR8e2k6u7dhQA1xZ3YMxkvuktoydXC+ZNwl
+ xzW9hLpF3oKoqqY/V+kw7m2OMgnOEu2jWN4Q
+ EETdmMeQzkiuNw== )
+
+; signatures for NSECs
+example.com. 86400 RRSIG NSEC 7 2 86400 (
+ 20840201000000 20160224082919 29600 example.com.
+ FHLUUQTvnVboNzGoQVLpwQAcB+fUEF5xQqMQ
+ oKhE86sdvlQUiEfUpv2PJ9y3YfXHeYxJUtvm
+ cY14UkYqsdP3fA== )
+dns1.example.com. 86400 RRSIG NSEC 7 3 86400 (
+ 20840201000000 20160224082919 29600 example.com.
+ GF3mqBf6Ny481XSbEor1uTzQZtT2DSA/3jU2
+ ZcLXXhlmHG3nI/PB49lG+17O83rDrbhcYc8G
+ cHEbLIGNr/6+Mw== )
+www.example.com. 86400 RRSIG NSEC 7 3 86400 (
+ 20840201000000 20160224082919 29600 example.com.
+ FDPJTLixRBZtMFLqk5wfYTSLnLMZiLtN7uTA
+ COEqyphK33oW+7XJzfG6ADvwGewY4hTCPQkk
+ cEg+DBI7qZ88NA== )
+
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 RRSIG SOA 7 2 3600 (
+ 20840201000000 20160224082919 29600 example.com.
+ xJIoENJ4d24FIVd9ZSGpQlcWN4zuriU90r/H
+ +ufcM2qtWcOGR1M1LVNIAWEVJEcD2dBGA2w1
+ B7Cx+BILQRev8w== )
+ 3600 NS dns1.example.com.
+ 3600 RRSIG NS 7 2 3600 (
+ 20840201000000 20160224082919 29600 example.com.
+ vBffD+/kBuxUHfeXKYBVYxeMIbuW5f8BstRM
+ XJnC1GTGfdNvb8NknHuv5fEytBmnnpH6f9pC
+ iWLeZzFR1+aJBA== )
+ 3600 DNSKEY 256 3 7 (
+ AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+ oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+ MFwieWYfDdgUnPxyKMM=
+ ) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+ 3600 DNSKEY 257 3 7 (
+ AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+ exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+ JH9YXitS21LMD0Hqp1s=
+ ) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160224082919 29600 example.com.
+ LMyY8+vWsFB7CziWt8rnR5jfg4Loe/xzy4TQ
+ /ITEDbz5pkoadG+0mqTHQ0F5XCe6ZJPamcyr
+ kcMw0GqUzOVb9w== )
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160224082919 31323 example.com.
+ tpHcGRuIkul47hHXVpNAOL48c5YYMsaIJkFE
+ rlQi9wU4TCiukdJkLuPk7ykk9XrxbiCB/FwD
+ o63Vcqyy3gZfvA== )
+dns1.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160224082919 29600 example.com.
+ HlfZThngg+1xglDUh8kjDtzVn5D5a9T3emMt
+ Uxfryu9va7bj+xoK4gLADGau69GCZxJNSvwK
+ TAGEqGRYFSY9Ew== )
diff --git a/tests/knot/semantic_check_data/rrsig_rdata_ttl.signed b/tests/knot/semantic_check_data/rrsig_rdata_ttl.signed
new file mode 100644
index 0000000..28b118c
--- /dev/null
+++ b/tests/knot/semantic_check_data/rrsig_rdata_ttl.signed
@@ -0,0 +1,52 @@
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 RRSIG SOA 13 2 3600 (
+ 20601231235959 20201008172615 16105 example.com.
+ UkbSKt1soIfnM7ZkNAfOcS4D3eHBzMQOef1d
+ bFK+ne+MtJsKEGM9brUD23v0f0CdvteVkeNS
+ 2oRrfrb3avZ08A== )
+ 3600 NS dns1.example.com.
+ 3600 RRSIG NS 13 2 3600 (
+ 20601231235959 20201008172615 16105 example.com.
+ Mu/BsXIC10V5uRFUGR42/ntmT5eYt4192AQe
+ a5zdWnLo7A3GYHlPcOcZRMdqvsa3SAPOK2Br
+ UmFkHsWTawhWJQ== )
+ 86400 NSEC dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+ 86400 RRSIG NSEC 13 2 86400 (
+ 20601231235959 20201008172615 16105 example.com.
+ IexJzu8x2GxGzGrWlceYZmUbry2D+E67py6B
+ /7j2K5IPjNQVGKbItfvqjQTUm+eVrdcwFbyK
+ iiEuVeU7qG5hIw== )
+ 3600 DNSKEY 256 3 13 (
+ tGxruia7b3JYm32MDdFLYX1M1e44DQJmXpVM
+ EWDjcNulSNY5sWR/zgDzhqiQSKEKCFolwhB/
+ MFVIF71WNjE65Q==
+ ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 16105
+ 3600 DNSKEY 257 3 13 (
+ 24gAMJg6uXIBEdWkrAXmwP6znng79lTelLDg
+ WxeHbXriSxVPLSTYxrp7SO1FUi2N03v1RXcn
+ 5jONJdQYlxLtSg==
+ ) ; KSK; alg = ECDSAP256SHA256 ; key id = 17031
+ 3600 RRSIG DNSKEY 13 2 3600 (
+ 20601231235959 20201008172615 17031 example.com.
+ Tm4MkXCDkavltvRYnEp/enJzzjyjX3EgI8yY
+ OF2VuJY8uQHD0/uzZF3JTmXj7pkGShAUpFKI
+ Uzn5e3jrGqtMGA== )
+dns1.example.com. 3600 IN A 192.0.2.1
+; wrong RRSIG original-ttl
+ 3600 RRSIG A 13 3 600 (
+ 20601231235959 20201008172615 16105 example.com.
+ 7J01Zyly+ky0F94kfaDtERQDVyxhHexzqETa
+ qgsemJkH0pP9FKsEY/dTkeZUwCY4EFZeps7C
+ AOKyGTKdqR5N7Q== )
+ 86400 NSEC example.com. A RRSIG NSEC
+ 86400 RRSIG NSEC 13 3 86400 (
+ 20601231235959 20201008172615 16105 example.com.
+ 0evb+3+rXrrx0f8Za//w6q2acUZPvYbW+Ezj
+ BoJFvwBYHrhyiiVHlfUzmr/jJh9cTEdxPnL3
+ ow6ZUsfF0HJ4hg== )
diff --git a/tests/knot/semantic_check_data/rrsig_signed.signed b/tests/knot/semantic_check_data/rrsig_signed.signed
new file mode 100644
index 0000000..2798026
--- /dev/null
+++ b/tests/knot/semantic_check_data/rrsig_signed.signed
@@ -0,0 +1,62 @@
+dns1.example.com. 86400 RRSIG RRSIG 7 3 86400 (
+ 20840201000000 20160201000000 29600 example.com.
+ DummySignatureDEADBEEF8ijooV1IMfEtki
+ kLbaIvFcgZbPvTnXXHyesHO2OPiRsc7zF576
+ Z6prBT8CkMM7bw== )
+
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 RRSIG SOA 7 2 3600 (
+ 20840201000000 20160201000000 29600 example.com.
+ kINKkWiBvb9Dpb0vghlLhXyObSzsYYNsOqe9
+ pWJN4lI4F2O3T6biPTQPsq3mYMR+6x9gPr6v
+ ysEPHlGtLdTLag== )
+ 3600 NS dns1.example.com.
+ 3600 RRSIG NS 7 2 3600 (
+ 20840201000000 20160201000000 29600 example.com.
+ LkagMndC+wJGlQycPDvNmCZ0/QuBB7Zo4UVZ
+ He5jzQrE3Hnq8tn+/QfJ/yn62qCZ87DETwTT
+ rGaLqOTYRb1isg== )
+ 86400 NSEC dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+ 86400 RRSIG NSEC 7 2 86400 (
+ 20840201000000 20160201000000 29600 example.com.
+ YDJ1tQvNlv8Y7cGioq8nkbaETx7wmyJKqa0B
+ 8hDLClYA4nf9UtyVXqZCISa2PlgRdBc5GEEh
+ U5BuLr4wYXqEFA== )
+ 3600 DNSKEY 256 3 7 (
+ AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+ oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+ MFwieWYfDdgUnPxyKMM=
+ ) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+ 3600 DNSKEY 257 3 7 (
+ AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+ exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+ JH9YXitS21LMD0Hqp1s=
+ ) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160201000000 29600 example.com.
+ FPOm8y3e09jh0fv0ZaOecWbdIXDAoERVKdjz
+ qsg1Etop1n6nDhO/lW3pwOUe02Zq2vretu2W
+ DozlDr5E6ZoqPA== )
+ 3600 RRSIG DNSKEY 7 2 3600 (
+ 20840201000000 20160201000000 31323 example.com.
+ cZTevjvA8UO9Tqet/pbsN0Peep6aN8heyxMK
+ XP/Twsj4u0DeClKeIN7pd7Gi7Aac/UV2dev/
+ x/90SM22VQVpeQ== )
+dns1.example.com. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 7 3 3600 (
+ 20840201000000 20160201000000 29600 example.com.
+ f24sVhH1P/0mEMYTMbFLrWmJtl6kqZF6yzaS
+ TcyK6JhVM4sDT//YnjizJGsTVGSCelz3FxMj
+ LdiUm9AD05uY6A== )
+ 86400 NSEC example.com. A RRSIG NSEC
+ 86400 RRSIG NSEC 7 3 86400 (
+ 20840201000000 20160201000000 29600 example.com.
+ FgQ4VD1yDeA+uvJ+o8e1F28ijooV1IMfEtki
+ kLbaIvFcgZbPvTnXXHyesHO2OPiRsc7zF576
+ Z6prBT8CkMM7bw== )
diff --git a/tests/knot/semantic_check_data/rrsig_ttl.signed b/tests/knot/semantic_check_data/rrsig_ttl.signed
new file mode 100644
index 0000000..1aeef78
--- /dev/null
+++ b/tests/knot/semantic_check_data/rrsig_ttl.signed
@@ -0,0 +1,52 @@
+example.com. 3600 IN SOA dns1.example.com. hostmaster.example.com. (
+ 2010111220 ; serial
+ 21600 ; refresh (6 hours)
+ 3600 ; retry (1 hour)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ 3600 RRSIG SOA 13 2 3600 (
+ 20601231235959 20201008165912 34876 example.com.
+ NaUbzn4tb3bsVI4O2YgrefFtZPJSYlLKbVKB
+ HyIqwfQjwdkbIKZ5tqH/IGJagvj8oxeStwF/
+ vEoG9c/o/MNs4g== )
+ 3600 NS dns1.example.com.
+ 3600 RRSIG NS 13 2 3600 (
+ 20601231235959 20201008165912 34876 example.com.
+ YZqxQKpj3kxfRHxoQda1z9JD9nmX8uNJTBGV
+ qdMMU3cPOVamTzOqymseQYjBPaaeoxL1kyqk
+ K2w/ixOUCFp8qg== )
+ 86400 NSEC dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+ 86400 RRSIG NSEC 13 2 86400 (
+ 20601231235959 20201008165912 34876 example.com.
+ 88QLNDpFWd2FIag2vcKGvY1HQFVeOaRIiMU5
+ 2VZfLFOPBmuTniTcnPvCt76i5ObPVsWdwJhM
+ /7NVMxoRPfMC1w== )
+ 3600 DNSKEY 256 3 13 (
+ 9+7buhxES5wZQZ54+O1qQGuRcKz3P3URZwws
+ 30CacknPsdcWAy7RN1yYmUjP80geUrxJVQt3
+ boo1BwFW4Rnnsg==
+ ) ; ZSK; alg = ECDSAP256SHA256 ; key id = 34876
+ 3600 DNSKEY 257 3 13 (
+ eYNrBYFUn5JIhTlS3N0i2aFj1YE8127h3tlb
+ VJP9JAfMMxQT+Mg6lwDpUa0oQkNFbEoHhqrD
+ 0pcMvp4VeMgJ7g==
+ ) ; KSK; alg = ECDSAP256SHA256 ; key id = 36952
+ 3600 RRSIG DNSKEY 13 2 3600 (
+ 20601231235959 20201008165912 36952 example.com.
+ AVF7u7FzDx2ORApl74nP2hcJd4Szs1o1LXH5
+ OWe6JULh80kITEb9zogpCryQu41bYSZYuxMk
+ yeblfo1OEI2DZg== )
+dns1.example.com. 3600 IN A 192.0.2.1
+; TTL of RRSIG differs from original-ttl
+ 600 RRSIG A 13 3 3600 (
+ 20601231235959 20201008165912 34876 example.com.
+ +PPg6tDZVS2mbxWXOtVEYTQtjK+CkwRk/WFZ
+ dWgX3rzHPQ9AIexC9vKbXdont3s0xdHpcV/8
+ +Sf+N2h44ZTwMQ== )
+ 86400 NSEC example.com. A RRSIG NSEC
+ 86400 RRSIG NSEC 13 3 86400 (
+ 20601231235959 20201008165912 34876 example.com.
+ OCjWQ/5e4SUIWgR84IJLlghKyuowctiZ+b0q
+ eXB0o2qpcWoX6wfxzMlYxGtpgyq3OWKF+R8H
+ UBVCdT+qBt5VOA== )
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-20 03:26:27 +0000