From f449f278dd3c70e479a035f50a9bb817a9b433ba Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 7 Apr 2024 17:24:08 +0200
Subject: Adding upstream version 3.2.6.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 tests/knot/semantic_check_data/cdnskey.cds         |  123 +++
 tests/knot/semantic_check_data/cdnskey.delete.both |  113 ++
 .../cdnskey.delete.invalid.cdnskey                 |  113 ++
 .../semantic_check_data/cdnskey.delete.invalid.cds |  113 ++
 tests/knot/semantic_check_data/cdnskey.invalid     |  123 +++
 .../knot/semantic_check_data/cdnskey.invalid.param |  123 +++
 tests/knot/semantic_check_data/cdnskey.nocdnskey   |  101 ++
 tests/knot/semantic_check_data/cdnskey.nocds       |  110 ++
 tests/knot/semantic_check_data/cdnskey.nodnskey    |  111 ++
 .../semantic_check_data/cdnskey.orphan.cdnskey     |  135 +++
 tests/knot/semantic_check_data/cdnskey.orphan.cds  |  138 +++
 tests/knot/semantic_check_data/cname_extra_01.zone |   18 +
 .../knot/semantic_check_data/cname_extra_02.signed |   76 ++
 tests/knot/semantic_check_data/cname_multiple.zone |   15 +
 tests/knot/semantic_check_data/delegation.signed   |   43 +
 .../different_signer_name.signed                   |   52 +
 .../semantic_check_data/dname_apex_nsec3.signed    |   25 +
 tests/knot/semantic_check_data/dname_children.zone |   16 +
 tests/knot/semantic_check_data/dname_extra_ns.zone |   16 +
 tests/knot/semantic_check_data/dname_multiple.zone |   16 +
 .../semantic_check_data/dnskey_param_error.signed  |   70 ++
 tests/knot/semantic_check_data/duplicate.signature |   19 +
 .../semantic_check_data/glue_apex_both.missing     |   14 +
 .../knot/semantic_check_data/glue_apex_one.missing |   16 +
 .../knot/semantic_check_data/glue_besides.missing  |   17 +
 tests/knot/semantic_check_data/glue_deleg.missing  |   17 +
 .../knot/semantic_check_data/glue_in_apex.missing  |   13 +
 tests/knot/semantic_check_data/glue_in_deleg.valid |   16 +
 .../knot/semantic_check_data/glue_no_foreign.valid |   13 +
 tests/knot/semantic_check_data/glue_wildcard.valid |   22 +
 tests/knot/semantic_check_data/invalid_ds.signed   |  106 ++
 tests/knot/semantic_check_data/missing.signed      |   20 +
 .../no_error_delegation_bitmap.signed              |   61 ++
 .../no_error_nsec3_optout.signed                   |   29 +
 tests/knot/semantic_check_data/no_rrsig.signed     |   48 +
 .../no_rrsig_with_delegation.signed                |   61 ++
 tests/knot/semantic_check_data/ns_apex.missing     |   11 +
 .../knot/semantic_check_data/nsec3_chain_01.signed |   80 ++
 .../knot/semantic_check_data/nsec3_chain_02.signed |   94 ++
 .../knot/semantic_check_data/nsec3_chain_03.signed |   94 ++
 tests/knot/semantic_check_data/nsec3_ds.signed     |   57 +
 .../knot/semantic_check_data/nsec3_missing.signed  |  120 +++
 tests/knot/semantic_check_data/nsec3_optout.signed |   81 ++
 .../knot/semantic_check_data/nsec3_optout_ent.all  |   15 +
 .../semantic_check_data/nsec3_optout_ent.invalid   |   18 +
 .../semantic_check_data/nsec3_optout_ent.valid     |   20 +
 .../semantic_check_data/nsec3_param_invalid.signed |   70 ++
 .../nsec3_wrong_bitmap_01.signed                   |   70 ++
 .../nsec3_wrong_bitmap_02.signed                   |   70 ++
 .../nsec_broken_chain_01.signed                    |   72 ++
 .../nsec_broken_chain_02.signed                    |   65 ++
 tests/knot/semantic_check_data/nsec_missing.signed |   67 ++
 .../knot/semantic_check_data/nsec_multiple.signed  |   66 ++
 .../nsec_wrong_bitmap_01.signed                    |   73 ++
 .../nsec_wrong_bitmap_02.signed                    |   73 ++
 .../semantic_check_data/rrsig_rdata_ttl.signed     |   52 +
 tests/knot/semantic_check_data/rrsig_signed.signed |   62 ++
 tests/knot/semantic_check_data/rrsig_ttl.signed    |   52 +
 tests/knot/test_acl.c                              |  314 ++++++
 tests/knot/test_changeset.c                        |  166 +++
 tests/knot/test_conf.c                             |  274 +++++
 tests/knot/test_conf.h                             |   50 +
 tests/knot/test_conf_tools.c                       |   74 ++
 tests/knot/test_confdb.c                           |  489 +++++++++
 tests/knot/test_confio.c                           | 1100 ++++++++++++++++++++
 tests/knot/test_digest.c                           |  474 +++++++++
 tests/knot/test_dthreads.c                         |  148 +++
 tests/knot/test_fdset.c                            |  150 +++
 tests/knot/test_journal.c                          |  880 ++++++++++++++++
 tests/knot/test_kasp_db.c                          |  233 +++++
 tests/knot/test_node.c                             |  128 +++
 tests/knot/test_process_query.c                    |  201 ++++
 tests/knot/test_query_module.c                     |   87 ++
 tests/knot/test_requestor.c                        |  188 ++++
 tests/knot/test_semantic_check.in                  |  169 +++
 tests/knot/test_server.c                           |   72 ++
 tests/knot/test_server.h                           |  100 ++
 tests/knot/test_unreachable.c                      |   59 ++
 tests/knot/test_worker_pool.c                      |  152 +++
 tests/knot/test_worker_queue.c                     |   57 +
 tests/knot/test_zone-tree.c                        |  135 +++
 tests/knot/test_zone-update.c                      |  337 ++++++
 tests/knot/test_zone_events.c                      |   99 ++
 tests/knot/test_zone_serial.c                      |  159 +++
 tests/knot/test_zone_timers.c                      |  110 ++
 tests/knot/test_zonedb.c                           |  115 ++
 86 files changed, 10024 insertions(+)
 create mode 100644 tests/knot/semantic_check_data/cdnskey.cds
 create mode 100644 tests/knot/semantic_check_data/cdnskey.delete.both
 create mode 100644 tests/knot/semantic_check_data/cdnskey.delete.invalid.cdnskey
 create mode 100644 tests/knot/semantic_check_data/cdnskey.delete.invalid.cds
 create mode 100644 tests/knot/semantic_check_data/cdnskey.invalid
 create mode 100644 tests/knot/semantic_check_data/cdnskey.invalid.param
 create mode 100644 tests/knot/semantic_check_data/cdnskey.nocdnskey
 create mode 100644 tests/knot/semantic_check_data/cdnskey.nocds
 create mode 100644 tests/knot/semantic_check_data/cdnskey.nodnskey
 create mode 100644 tests/knot/semantic_check_data/cdnskey.orphan.cdnskey
 create mode 100644 tests/knot/semantic_check_data/cdnskey.orphan.cds
 create mode 100644 tests/knot/semantic_check_data/cname_extra_01.zone
 create mode 100644 tests/knot/semantic_check_data/cname_extra_02.signed
 create mode 100644 tests/knot/semantic_check_data/cname_multiple.zone
 create mode 100644 tests/knot/semantic_check_data/delegation.signed
 create mode 100644 tests/knot/semantic_check_data/different_signer_name.signed
 create mode 100644 tests/knot/semantic_check_data/dname_apex_nsec3.signed
 create mode 100644 tests/knot/semantic_check_data/dname_children.zone
 create mode 100644 tests/knot/semantic_check_data/dname_extra_ns.zone
 create mode 100644 tests/knot/semantic_check_data/dname_multiple.zone
 create mode 100644 tests/knot/semantic_check_data/dnskey_param_error.signed
 create mode 100644 tests/knot/semantic_check_data/duplicate.signature
 create mode 100644 tests/knot/semantic_check_data/glue_apex_both.missing
 create mode 100644 tests/knot/semantic_check_data/glue_apex_one.missing
 create mode 100644 tests/knot/semantic_check_data/glue_besides.missing
 create mode 100644 tests/knot/semantic_check_data/glue_deleg.missing
 create mode 100644 tests/knot/semantic_check_data/glue_in_apex.missing
 create mode 100644 tests/knot/semantic_check_data/glue_in_deleg.valid
 create mode 100644 tests/knot/semantic_check_data/glue_no_foreign.valid
 create mode 100644 tests/knot/semantic_check_data/glue_wildcard.valid
 create mode 100644 tests/knot/semantic_check_data/invalid_ds.signed
 create mode 100644 tests/knot/semantic_check_data/missing.signed
 create mode 100644 tests/knot/semantic_check_data/no_error_delegation_bitmap.signed
 create mode 100644 tests/knot/semantic_check_data/no_error_nsec3_optout.signed
 create mode 100644 tests/knot/semantic_check_data/no_rrsig.signed
 create mode 100644 tests/knot/semantic_check_data/no_rrsig_with_delegation.signed
 create mode 100644 tests/knot/semantic_check_data/ns_apex.missing
 create mode 100644 tests/knot/semantic_check_data/nsec3_chain_01.signed
 create mode 100644 tests/knot/semantic_check_data/nsec3_chain_02.signed
 create mode 100644 tests/knot/semantic_check_data/nsec3_chain_03.signed
 create mode 100644 tests/knot/semantic_check_data/nsec3_ds.signed
 create mode 100644 tests/knot/semantic_check_data/nsec3_missing.signed
 create mode 100644 tests/knot/semantic_check_data/nsec3_optout.signed
 create mode 100644 tests/knot/semantic_check_data/nsec3_optout_ent.all
 create mode 100644 tests/knot/semantic_check_data/nsec3_optout_ent.invalid
 create mode 100644 tests/knot/semantic_check_data/nsec3_optout_ent.valid
 create mode 100644 tests/knot/semantic_check_data/nsec3_param_invalid.signed
 create mode 100644 tests/knot/semantic_check_data/nsec3_wrong_bitmap_01.signed
 create mode 100644 tests/knot/semantic_check_data/nsec3_wrong_bitmap_02.signed
 create mode 100644 tests/knot/semantic_check_data/nsec_broken_chain_01.signed
 create mode 100644 tests/knot/semantic_check_data/nsec_broken_chain_02.signed
 create mode 100644 tests/knot/semantic_check_data/nsec_missing.signed
 create mode 100644 tests/knot/semantic_check_data/nsec_multiple.signed
 create mode 100644 tests/knot/semantic_check_data/nsec_wrong_bitmap_01.signed
 create mode 100644 tests/knot/semantic_check_data/nsec_wrong_bitmap_02.signed
 create mode 100644 tests/knot/semantic_check_data/rrsig_rdata_ttl.signed
 create mode 100644 tests/knot/semantic_check_data/rrsig_signed.signed
 create mode 100644 tests/knot/semantic_check_data/rrsig_ttl.signed
 create mode 100644 tests/knot/test_acl.c
 create mode 100644 tests/knot/test_changeset.c
 create mode 100644 tests/knot/test_conf.c
 create mode 100644 tests/knot/test_conf.h
 create mode 100644 tests/knot/test_conf_tools.c
 create mode 100644 tests/knot/test_confdb.c
 create mode 100644 tests/knot/test_confio.c
 create mode 100644 tests/knot/test_digest.c
 create mode 100644 tests/knot/test_dthreads.c
 create mode 100644 tests/knot/test_fdset.c
 create mode 100644 tests/knot/test_journal.c
 create mode 100644 tests/knot/test_kasp_db.c
 create mode 100644 tests/knot/test_node.c
 create mode 100644 tests/knot/test_process_query.c
 create mode 100644 tests/knot/test_query_module.c
 create mode 100644 tests/knot/test_requestor.c
 create mode 100644 tests/knot/test_semantic_check.in
 create mode 100644 tests/knot/test_server.c
 create mode 100644 tests/knot/test_server.h
 create mode 100644 tests/knot/test_unreachable.c
 create mode 100644 tests/knot/test_worker_pool.c
 create mode 100644 tests/knot/test_worker_queue.c
 create mode 100644 tests/knot/test_zone-tree.c
 create mode 100644 tests/knot/test_zone-update.c
 create mode 100644 tests/knot/test_zone_events.c
 create mode 100644 tests/knot/test_zone_serial.c
 create mode 100644 tests/knot/test_zone_timers.c
 create mode 100644 tests/knot/test_zonedb.c

(limited to 'tests/knot')

diff --git a/tests/knot/semantic_check_data/cdnskey.cds b/tests/knot/semantic_check_data/cdnskey.cds
new file mode 100644
index 0000000..6ce5610
--- /dev/null
+++ b/tests/knot/semantic_check_data/cdnskey.cds
@@ -0,0 +1,123 @@
+example.com.		3600	IN SOA	dns2.example.com. hostmaster.example.com. (
+					2010135808 ; serial
+					10800      ; refresh (3 hours)
+					3600       ; retry (1 hour)
+					1209600    ; expire (2 weeks)
+					7200       ; minimum (2 hours)
+					)
+			3600	RRSIG	SOA 13 2 3600 (
+					20601231235959 20201012144147 25752 example.com.
+					dEDk41MHSAAoc2eboWOXxGQHYFj1gXuD/gfX
+					Qz6HEq44narP0IHuOWt4ni9HUhYDBuanPp7S
+					j/8nYnZc6gdpMg== )
+			3600	NS	dns2.example.com.
+			3600	RRSIG	NS 13 2 3600 (
+					20601231235959 20201012144147 25752 example.com.
+					1HFpOHudUJp7hvrsTmdX6qt+X0I4K9RYo/Uy
+					gpWbJBNhNsPVENVrw8AabhnPaETJGbreS/4T
+					slgbxM1Ks/erzA== )
+			3600	MX	10 mail.example.com.
+			3600	RRSIG	MX 13 2 3600 (
+					20601231235959 20201012144147 25752 example.com.
+					EA9rtC9Ub4LPDwS6Q8wE4g9nGddbVrg9ivHN
+					oHQzUjTFlxtn8gFPaJkUfHwqwg3PsSVGagyx
+					Bjsool21k/TG7A== )
+			7200	NSEC	dns2.example.com. NS SOA MX RRSIG NSEC DNSKEY CDS CDNSKEY
+			7200	RRSIG	NSEC 13 2 7200 (
+					20601231235959 20201012144147 25752 example.com.
+					YLQPkC55O9bpQI/Hg/Ih91UkieeM3wtQvJMT
+					ro3QJ2eDImSyeoIbWsF+ghtoQ+6IUulXLu3k
+					PtDViOe2tfaL/Q== )
+			3600	DNSKEY	256 3 8 (
+					AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVw
+					YkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH
+					1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6
+					jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEe
+					CUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
+					) ; ZSK; alg = RSASHA256 ; key id = 48849
+			3600	DNSKEY	256 3 13 (
+					1J1lDp/FQFgAGv7EFeDTAru7rUIcUCc7bkYj
+					8OlczfdQjo9IfS5MFg6MqIrE/KPC18CDX1Ki
+					DzaCFaMGDlavjQ==
+					) ; ZSK; alg = ECDSAP256SHA256 ; key id = 25752
+			3600	DNSKEY	257 3 8 (
+					AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+					oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+					2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+					mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+					x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+					bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+					mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+					odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+					tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+					EHYAd/AP8YgaovS8N1fJyh0=
+					) ; KSK; alg = RSASHA256 ; key id = 53851
+			3600	DNSKEY	257 3 8 (
+					AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKf
+					jqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4
+					IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la
+					7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU8
+					0AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbm
+					LIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpM
+					CLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRn
+					dpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs
+					9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n
+					/4lgdSiBtvByLCXoWEYIGRs=
+					) ; KSK; alg = RSASHA256 ; key id = 19420
+			3600	DNSKEY	257 3 13 (
+					hRcbHnvrTqCb215+XsIn96tvHacV5d15lcnS
+					h91pg8Htes3H0vOoG98C5oWXoj7RM4V/tDoH
+					/0ahiLyRzRnvBA==
+					) ; KSK; alg = ECDSAP256SHA256 ; key id = 20197
+			3600	RRSIG	DNSKEY 13 2 3600 (
+					20601231235959 20201012144147 20197 example.com.
+					JLKC5uLW1+JPkOyVcc8D6B6lCC/0FOlak/Qd
+					Na6Nb33hi9io1HMFI1eYiG7u7lxWmXsKnBo9
+					ONROz+WYGds++Q== )
+			3600	CDS	53851 8 2 (
+					6F8129D687EC387C948E6F4B0AC9AA01481C
+					CEBF7570AFEC582897E7725122D6 )
+			3600	RRSIG	CDS 13 2 3600 (
+					20601231235959 20201012144147 20197 example.com.
+					pgi1+O/TWU6WCmLLYEibCYj+RzbcOuodnF1i
+					wlBQxDZLTcGYG+1KEC0spZTN1nQncEfdeEKc
+					jnYQUa0izPQRnA== )
+			3600	RRSIG	CDS 13 2 3600 (
+					20601231235959 20201012144147 25752 example.com.
+					MaFyQcB908WIXS+RiLeLXiKdjOo/R6tl9AM/
+					6xokhcvRqQzuyQeoH4snUvcht0m5ghz09Km7
+					MPN0uzJcXIGg0Q== )
+			3600	CDNSKEY	257 3 8 (
+					AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+					oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+					2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+					mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+					x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+					bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+					mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+					odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+					tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+					EHYAd/AP8YgaovS8N1fJyh0=
+					) ; KSK; alg = RSASHA256 ; key id = 53851
+			3600	RRSIG	CDNSKEY 13 2 3600 (
+					20601231235959 20201012144147 20197 example.com.
+					Vdo7aYGIByxiC85dyqLKrrNAYYDFBnKXm8uE
+					rYSXBMWiQoFHwzvlavyqhUWlEABfvYD0pUrX
+					PZ27Hz8rPFCSLQ== )
+			3600	RRSIG	CDNSKEY 13 2 3600 (
+					20601231235959 20201012144147 25752 example.com.
+					9Llt7e4nm8uMLqliT2NZJINmAmLmKDYqjloj
+					Q3/wNI4K+J0RUmWpg3f6xODVkKjjuVnwpxkK
+					eWV9zqY4jUTAGg== )
+dns2.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 13 3 3600 (
+					20601231235959 20201012144147 25752 example.com.
+					lZSHyLdXGFvoL9fhk26y70ifFwui2A5bpdir
+					Su7VhfsnNdLgNuCceRXbYwxQaUyODCl7dcJ9
+					UkRzq2eDs0evKQ== )
+			7200	NSEC	example.com. A RRSIG NSEC
+			7200	RRSIG	NSEC 13 3 7200 (
+					20601231235959 20201012144147 25752 example.com.
+					dDE1XApt4lZ9u20Z/vXwhJxE27AZJQzKwLkk
+					jpwEDVJo6/SdV2smB7s7+qmGnSKhIehVpUFX
+					wv3/3YaFxSTifQ== )
diff --git a/tests/knot/semantic_check_data/cdnskey.delete.both b/tests/knot/semantic_check_data/cdnskey.delete.both
new file mode 100644
index 0000000..b3b840b
--- /dev/null
+++ b/tests/knot/semantic_check_data/cdnskey.delete.both
@@ -0,0 +1,113 @@
+example.com.		3600	IN SOA	dns2.example.com. hostmaster.example.com. (
+					2010135808 ; serial
+					10800      ; refresh (3 hours)
+					3600       ; retry (1 hour)
+					1209600    ; expire (2 weeks)
+					7200       ; minimum (2 hours)
+					)
+			3600	RRSIG	SOA 13 2 3600 (
+					20601231235959 20201012144234 36859 example.com.
+					uHjgn9WEMdw/d//q2ZhGF1GAQItK9UPyByET
+					VDuZgER/JBHuFd1/MMEkkFmCRneXuVudSnki
+					aXiza0GLV0ujfw== )
+			3600	NS	dns2.example.com.
+			3600	RRSIG	NS 13 2 3600 (
+					20601231235959 20201012144234 36859 example.com.
+					39YAhtx1qe9sbJ/6N1fS7F4QLS9iqagdbQN4
+					w6VRyMRrseRY16G2n3Th9yw1+R9aXOazb6iP
+					BL6azQJiUCZJ5g== )
+			3600	MX	10 mail.example.com.
+			3600	RRSIG	MX 13 2 3600 (
+					20601231235959 20201012144234 36859 example.com.
+					EXv3vV7Njpz59INdubRpDsGANROKfEhqBzQ8
+					zSL1vujpUOdaZWqmS3uoKusxHCghJacCFeUA
+					KQNrWNuZHT2S8g== )
+			7200	NSEC	dns2.example.com. NS SOA MX RRSIG NSEC DNSKEY CDS CDNSKEY
+			7200	RRSIG	NSEC 13 2 7200 (
+					20601231235959 20201012144234 36859 example.com.
+					LgXpsIgBZBO03iU6D2nqsbmal6AK51ev21Cj
+					PQFfFBLQ+ARqyE3k7mlTK4A+/UfIpWgpkKnz
+					St4SbtL3r6GK+g== )
+			3600	DNSKEY	256 3 8 (
+					AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVw
+					YkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH
+					1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6
+					jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEe
+					CUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
+					) ; ZSK; alg = RSASHA256 ; key id = 48849
+			3600	DNSKEY	256 3 13 (
+					l/Uak3BSxeoEO8n42GtZkS1aTdEV590rAuwS
+					Jvt8Gzyj1S5Aqx5Tytm+nb93ZtO3eSL2OpJg
+					p7tdmPjtHKxYpg==
+					) ; ZSK; alg = ECDSAP256SHA256 ; key id = 36859
+			3600	DNSKEY	257 3 8 (
+					AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+					oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+					2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+					mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+					x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+					bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+					mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+					odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+					tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+					EHYAd/AP8YgaovS8N1fJyh0=
+					) ; KSK; alg = RSASHA256 ; key id = 53851
+			3600	DNSKEY	257 3 8 (
+					AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKf
+					jqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4
+					IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la
+					7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU8
+					0AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbm
+					LIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpM
+					CLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRn
+					dpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs
+					9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n
+					/4lgdSiBtvByLCXoWEYIGRs=
+					) ; KSK; alg = RSASHA256 ; key id = 19420
+			3600	DNSKEY	257 3 13 (
+					jNkK9sXUo8jTJ2snaD+3Mao2q0m5UjyZ7ykD
+					6yQqTJ2xgldvTCyuu/YlSCoR9gli8pOGz+KT
+					3YA9HjG46ob8ug==
+					) ; KSK; alg = ECDSAP256SHA256 ; key id = 65430
+			3600	RRSIG	DNSKEY 13 2 3600 (
+					20601231235959 20201012144234 65430 example.com.
+					id6EVGBrg2vZm6vIIGNhSukuI2Uv6/MzZiJk
+					C1N9k5P3zAP6Es9aLp9m4cR8qGIdUu3DZ3AU
+					ngKndEZvk5YUUg== )
+			3600	CDS	0 0 0 (
+					00 )
+			3600	RRSIG	CDS 13 2 3600 (
+					20601231235959 20201012144234 36859 example.com.
+					mDmiCviPRxQ1BiinR2+/lQ/KabHgIu/LSKZ2
+					yZFsgiF8YF4IT8mJc/qiKVtaCWLK4Sszxk/F
+					P8kMTmTKORT40Q== )
+			3600	RRSIG	CDS 13 2 3600 (
+					20601231235959 20201012144234 65430 example.com.
+					O1KH8u+VPLnd5TwGPRbv7VpMss+Mjwr+nIOE
+					UxSS7unksPUldU0e9qXby0fydlN5LTf/L0sD
+					daMwGOA2fuD/dA== )
+			3600	CDNSKEY	0 3 0 (
+					AA==
+					) ; ZSK; alg = 0 ; key id = 768
+			3600	RRSIG	CDNSKEY 13 2 3600 (
+					20601231235959 20201012144234 36859 example.com.
+					Hj8WJNT51BdqA6szAI7sn8gZftHY6/1/Y7qQ
+					DRsunh1J1cNRuqHtLBnRKpVdteZ4znNKnavb
+					uoC6kzSzbRiJzQ== )
+			3600	RRSIG	CDNSKEY 13 2 3600 (
+					20601231235959 20201012144234 65430 example.com.
+					7YGVqSgaiHXwY+GdMkUJXZyqkGvkfA8LliB6
+					6Nn4AvuETs4lX080MNq3dWmjI/tHSg5ptQz7
+					Hukvd6cYWNgtBQ== )
+dns2.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 13 3 3600 (
+					20601231235959 20201012144234 36859 example.com.
+					SVatJA8FhwAotw625XttyhgD8Rcp4ukcidii
+					By06YX9e5rCgOHOvjsHwA57kBBzcZg0ZXAbF
+					SOhDdUQibKaRSg== )
+			7200	NSEC	example.com. A RRSIG NSEC
+			7200	RRSIG	NSEC 13 3 7200 (
+					20601231235959 20201012144234 36859 example.com.
+					D+r82Tvm8eGuYrJKVCUMw1Gz+tevXwE2IGoG
+					7pXErKbDv13p/eFAPsRdUKtdmsOq4mHSxQuZ
+					GVGAULfJjcs3pQ== )
diff --git a/tests/knot/semantic_check_data/cdnskey.delete.invalid.cdnskey b/tests/knot/semantic_check_data/cdnskey.delete.invalid.cdnskey
new file mode 100644
index 0000000..366edaf
--- /dev/null
+++ b/tests/knot/semantic_check_data/cdnskey.delete.invalid.cdnskey
@@ -0,0 +1,113 @@
+example.com.		3600	IN SOA	dns2.example.com. hostmaster.example.com. (
+					2010135808 ; serial
+					10800      ; refresh (3 hours)
+					3600       ; retry (1 hour)
+					1209600    ; expire (2 weeks)
+					7200       ; minimum (2 hours)
+					)
+			3600	RRSIG	SOA 13 2 3600 (
+					20601231235959 20201012144623 39533 example.com.
+					wXvCukXPMbON0oD2nKINzyauQRgeYE/kIYKZ
+					pYaMwV5Z6yZ9SKSSy7oRBn7t1+rOmGI69NSx
+					3WHXaRiLjcH1Sg== )
+			3600	NS	dns2.example.com.
+			3600	RRSIG	NS 13 2 3600 (
+					20601231235959 20201012144623 39533 example.com.
+					XNdl4tiEhUPOpEgwGO2njssc8QMB8IeP5QDM
+					9/LZJUPZ0hZ76F7fX9C3X3edgysEoDFR1HAE
+					JdTxkJ5Oqv7Xig== )
+			3600	MX	10 mail.example.com.
+			3600	RRSIG	MX 13 2 3600 (
+					20601231235959 20201012144623 39533 example.com.
+					Or2a9ZLl2FnBmNM1KbUcgAjgLKRS6O9H4XmK
+					VAGM3QxutaTZuF1sjsz+kNh6yrT38eLm5B8M
+					PLCxUmkTSUmgeA== )
+			7200	NSEC	dns2.example.com. NS SOA MX RRSIG NSEC DNSKEY CDS CDNSKEY
+			7200	RRSIG	NSEC 13 2 7200 (
+					20601231235959 20201012144623 39533 example.com.
+					5SBXb1HpSfhPinO3hadK7E0lhRHwyUAsjZpy
+					/7jTO7/uUNXD6asY9V6kvOJmRgMpSeXFJKFw
+					+Vsyx0jifistyg== )
+			3600	DNSKEY	256 3 8 (
+					AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVw
+					YkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH
+					1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6
+					jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEe
+					CUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
+					) ; ZSK; alg = RSASHA256 ; key id = 48849
+			3600	DNSKEY	256 3 13 (
+					TQSEqjdF8egQ1YjZPdVXrX+pngPHTdCgwJFR
+					AefWVHOLsMADS3/LL5G+pZTSldB3j3Xo4Na/
+					1tsuCgNmV+58xA==
+					) ; ZSK; alg = ECDSAP256SHA256 ; key id = 39533
+			3600	DNSKEY	257 3 8 (
+					AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+					oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+					2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+					mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+					x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+					bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+					mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+					odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+					tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+					EHYAd/AP8YgaovS8N1fJyh0=
+					) ; KSK; alg = RSASHA256 ; key id = 53851
+			3600	DNSKEY	257 3 8 (
+					AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKf
+					jqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4
+					IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la
+					7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU8
+					0AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbm
+					LIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpM
+					CLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRn
+					dpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs
+					9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n
+					/4lgdSiBtvByLCXoWEYIGRs=
+					) ; KSK; alg = RSASHA256 ; key id = 19420
+			3600	DNSKEY	257 3 13 (
+					VARBBNSEYzAbBYxgdQi/epYgWFaGnL49509p
+					CeZWg4LO4jhjVT7uyhsSQny2wyahP2Y37YeO
+					d+sY503BNpqzMQ==
+					) ; KSK; alg = ECDSAP256SHA256 ; key id = 59324
+			3600	RRSIG	DNSKEY 13 2 3600 (
+					20601231235959 20201012144623 59324 example.com.
+					YRhAwruTjWmu6drb4+iJ/QOwQg8dnGur8LH7
+					bsn1ZCHQYNDHiIai8JqikqzkhEYKIK8HIqT8
+					F2RY/LqFxKebjg== )
+			3600	CDS	0 0 0 (
+					00 )
+			3600	RRSIG	CDS 13 2 3600 (
+					20601231235959 20201012144623 39533 example.com.
+					cHTGBug23nTe/aS09JaakuG4wa9EEbWxL3gu
+					LQpCK8HV/JMsNSGqh1FsUlX92y4tSIvJn+Lx
+					vvdN+Qzh+zASHg== )
+			3600	RRSIG	CDS 13 2 3600 (
+					20601231235959 20201012144623 59324 example.com.
+					GU9Q/CipUscofDL6uhT2ZmhQoyApLX9zbyfN
+					dG5XW6sXYaB94hVSiT2DSyt19fyQwYoKK2Br
+					fJwy4pI890kKoQ== )
+			3600	CDNSKEY	0 3 0 (
+					BA==
+					) ; ZSK; alg = 0 ; key id = 1792
+			3600	RRSIG	CDNSKEY 13 2 3600 (
+					20601231235959 20201012144623 39533 example.com.
+					CXeUfFxa7aT2tivKLovVQ2CA0HYZxxlUrbm1
+					voABTNkU7lb5W9Z7GQ/VDugd8QeKNK8YWOaQ
+					Tdl79jkL1rQKXw== )
+			3600	RRSIG	CDNSKEY 13 2 3600 (
+					20601231235959 20201012144623 59324 example.com.
+					sd+fzJmLLIoFIcbKCJ+rHE+tOs0PwHjjY9ml
+					Dsbel1k5sANI4xR8iMv6YAEhcpvb0S+8Nd7h
+					7BT45SkKVtyFsQ== )
+dns2.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 13 3 3600 (
+					20601231235959 20201012144623 39533 example.com.
+					VGa9LkgVATBLHOwMBNc6g74iXCCSXnWWNs8O
+					ndoXk4ZMMRRkmaxSWXH2pBdJLZPL5f26aEVl
+					4toVcsE722LoFA== )
+			7200	NSEC	example.com. A RRSIG NSEC
+			7200	RRSIG	NSEC 13 3 7200 (
+					20601231235959 20201012144623 39533 example.com.
+					i+94RvIQBBEOza7Y963huNEWYrqt/VT/eE1E
+					Gqx5kngvZgZ7wO8tcOsaE7ctb69SvgZwRR9c
+					RBgb2N6ezo9OxA== )
diff --git a/tests/knot/semantic_check_data/cdnskey.delete.invalid.cds b/tests/knot/semantic_check_data/cdnskey.delete.invalid.cds
new file mode 100644
index 0000000..9d63eb9
--- /dev/null
+++ b/tests/knot/semantic_check_data/cdnskey.delete.invalid.cds
@@ -0,0 +1,113 @@
+example.com.		3600	IN SOA	dns2.example.com. hostmaster.example.com. (
+					2010135808 ; serial
+					10800      ; refresh (3 hours)
+					3600       ; retry (1 hour)
+					1209600    ; expire (2 weeks)
+					7200       ; minimum (2 hours)
+					)
+			3600	RRSIG	SOA 13 2 3600 (
+					20601231235959 20201012144646 56106 example.com.
+					1CRyeUic9BIwBWcjk95VQJktQng6f3dLQm64
+					JwGGqivUM3Hgp7URguNIx0BsCvfo67NIpk7N
+					mMIFwMkMGOHmgg== )
+			3600	NS	dns2.example.com.
+			3600	RRSIG	NS 13 2 3600 (
+					20601231235959 20201012144646 56106 example.com.
+					pB4+Z3ltuzY+/NkAeCb9LOS7Zlh7QLfHKimR
+					JPtvdOuIhd8vB0NZLzcYX0lIkrqyP3LadbrS
+					u8r9BMIlu4cKpg== )
+			3600	MX	10 mail.example.com.
+			3600	RRSIG	MX 13 2 3600 (
+					20601231235959 20201012144646 56106 example.com.
+					x8XhP7r3/glI7AenoSLVmfqhZXQfj6YllgxA
+					jkVxExiM9OJZOPdyeDTuRyUD1PFiBOEsP7Wu
+					vNgWA9eyQFOslA== )
+			7200	NSEC	dns2.example.com. NS SOA MX RRSIG NSEC DNSKEY CDS CDNSKEY
+			7200	RRSIG	NSEC 13 2 7200 (
+					20601231235959 20201012144646 56106 example.com.
+					TCn7V7sHR2TNY5ywyEpbYZMegZwTX+I/TPeO
+					76D3WORu9pN0kJWjGPAebwTvL/a7p8xS8B9U
+					X9ivUVFORG+mJA== )
+			3600	DNSKEY	256 3 8 (
+					AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVw
+					YkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH
+					1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6
+					jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEe
+					CUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
+					) ; ZSK; alg = RSASHA256 ; key id = 48849
+			3600	DNSKEY	256 3 13 (
+					cOjtacSzGkoh6bO4clqYPM2y+g5ezQUtCNdx
+					iRqickHCvQnL9OM/h7V8txqEsSulG5ZCeW+O
+					LDhDQDUchpNv7A==
+					) ; ZSK; alg = ECDSAP256SHA256 ; key id = 56106
+			3600	DNSKEY	257 3 8 (
+					AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+					oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+					2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+					mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+					x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+					bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+					mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+					odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+					tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+					EHYAd/AP8YgaovS8N1fJyh0=
+					) ; KSK; alg = RSASHA256 ; key id = 53851
+			3600	DNSKEY	257 3 8 (
+					AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKf
+					jqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4
+					IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la
+					7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU8
+					0AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbm
+					LIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpM
+					CLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRn
+					dpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs
+					9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n
+					/4lgdSiBtvByLCXoWEYIGRs=
+					) ; KSK; alg = RSASHA256 ; key id = 19420
+			3600	DNSKEY	257 3 13 (
+					pB2mCNXFJ8e+UaMeMmy1LSCv6TJ92Fs3kFxY
+					I8NyZPyGvfePpMlzWZr7Bw7wS6G6Jhayhj94
+					MMJ4lM/5+ZzVJw==
+					) ; KSK; alg = ECDSAP256SHA256 ; key id = 45911
+			3600	RRSIG	DNSKEY 13 2 3600 (
+					20601231235959 20201012144646 45911 example.com.
+					uOAPEzDkPNI9Uo2N+iiRkIb2p1Y0VhgqwUom
+					+Dssd6X0CEdQEmD8YQ43Cuq9ZNwk8Bm+lgm3
+					X+ImdIKeE4MvNQ== )
+			3600	CDS	0 0 0 (
+					01 )
+			3600	RRSIG	CDS 13 2 3600 (
+					20601231235959 20201012144646 45911 example.com.
+					IN5tLpm7OKjIL4VpucR1ero1Gv5UEyVqjzB9
+					rRJefwUtlZFKNaTbU0oQD33vQXEjUiIMr66b
+					zIC3Ju/YtYFDLg== )
+			3600	RRSIG	CDS 13 2 3600 (
+					20601231235959 20201012144646 56106 example.com.
+					f8VJa9GRwSWNmg0AR4nA3OD4X8im7BriZjME
+					2ypYUOJkdIafolyb0LDz7XWTaVsFHQWO0z+J
+					14g0CgCroTm3pQ== )
+			3600	CDNSKEY	0 3 0 (
+					AA==
+					) ; ZSK; alg = 0 ; key id = 768
+			3600	RRSIG	CDNSKEY 13 2 3600 (
+					20601231235959 20201012144646 45911 example.com.
+					89oeIQuH82i2RYIj/fnX/71s8kspDHcI8lIa
+					R02OZZ9bF37bi6LbGkypdXpmxN9/rEjk4ThF
+					IHRX2USEPtl+wQ== )
+			3600	RRSIG	CDNSKEY 13 2 3600 (
+					20601231235959 20201012144646 56106 example.com.
+					Hgf4SgtoV0IHsF6feSP8YqeibPTtwZelLpLs
+					hux/D94MFKtYa6OseyzT3qIDdixav+mlI2ud
+					0JyflYZ6MCBlxg== )
+dns2.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 13 3 3600 (
+					20601231235959 20201012144646 56106 example.com.
+					XdhVQ3Na3LsvdtT2HwdsM3ItiD3UH0HO6TZD
+					W6/jy8r0NA6fTN4b4oVr6wSqHAQIQVYUbWER
+					7pav2Ek03LDa0Q== )
+			7200	NSEC	example.com. A RRSIG NSEC
+			7200	RRSIG	NSEC 13 3 7200 (
+					20601231235959 20201012144646 56106 example.com.
+					dVTxTNAfZy5sa0SW8eme+KMx3hByBnPIrRlF
+					zGDsGN1Xzw3OBhsTmuOwhbnZSnnvdBrhBOJw
+					8eU/6zpcZypyFQ== )
diff --git a/tests/knot/semantic_check_data/cdnskey.invalid b/tests/knot/semantic_check_data/cdnskey.invalid
new file mode 100644
index 0000000..6937db5
--- /dev/null
+++ b/tests/knot/semantic_check_data/cdnskey.invalid
@@ -0,0 +1,123 @@
+example.com.		3600	IN SOA	dns2.example.com. hostmaster.example.com. (
+					2010135808 ; serial
+					10800      ; refresh (3 hours)
+					3600       ; retry (1 hour)
+					1209600    ; expire (2 weeks)
+					7200       ; minimum (2 hours)
+					)
+			3600	RRSIG	SOA 13 2 3600 (
+					20601231235959 20201012144725 7800 example.com.
+					fIUb0+hjrELDVphcGgDZemNVpq1TBgyTt184
+					9YnzaAhADynsscEd5iZRjuA5r7mlI/M9fFtU
+					l6wpEmqAs7sG5w== )
+			3600	NS	dns2.example.com.
+			3600	RRSIG	NS 13 2 3600 (
+					20601231235959 20201012144725 7800 example.com.
+					86HnJEU3jP+bL9JmnY+2TGwna7DGtUVvgdhu
+					slzGQWN3EHb51vx1fHQGGfQlJ4P4ch5US3TE
+					1rd/OKNUBE+p7w== )
+			3600	MX	10 mail.example.com.
+			3600	RRSIG	MX 13 2 3600 (
+					20601231235959 20201012144725 7800 example.com.
+					33SrrSRr8KwasK7qfxYAPxP//dj8Y9i95oza
+					2Fwvt23QxfZS3TBLqMyMA6G/nmXyavUxsye8
+					C+mks7QsS7HJCA== )
+			7200	NSEC	dns2.example.com. NS SOA MX RRSIG NSEC DNSKEY CDS CDNSKEY
+			7200	RRSIG	NSEC 13 2 7200 (
+					20601231235959 20201012144725 7800 example.com.
+					WRb17ehBEEjIVl//Zw8vtDmbnTY6eLWe2KQ2
+					+E+pCMEK0QE1qXwcethJ9PkM+gKFmN9RscXH
+					DjrmWIAfgndjsA== )
+			3600	DNSKEY	256 3 8 (
+					AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVw
+					YkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH
+					1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6
+					jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEe
+					CUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
+					) ; ZSK; alg = RSASHA256 ; key id = 48849
+			3600	DNSKEY	256 3 13 (
+					VxRHPS89GaMJvJ1xL8/HulwW75tDXUZ6nYlI
+					8VCFOMB7vU+SoZhaaoZu4YcCZqzjzfZLl8Lt
+					SEaXZPQbnpkhyA==
+					) ; ZSK; alg = ECDSAP256SHA256 ; key id = 7800
+			3600	DNSKEY	257 3 8 (
+					AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+					oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+					2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+					mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+					x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+					bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+					mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+					odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+					tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+					EHYAd/AP8YgaovS8N1fJyh0=
+					) ; KSK; alg = RSASHA256 ; key id = 53851
+			3600	DNSKEY	257 3 8 (
+					AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKf
+					jqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4
+					IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la
+					7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU8
+					0AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbm
+					LIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpM
+					CLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRn
+					dpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs
+					9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n
+					/4lgdSiBtvByLCXoWEYIGRs=
+					) ; KSK; alg = RSASHA256 ; key id = 19420
+			3600	DNSKEY	257 3 13 (
+					MWndPmlRdffYHO8Z2quMkXq80Nm3PNmWpTix
+					xJLJ71Oph+ta4XaTuiza6AQgVkCSzrfwoTuJ
+					UKHL13s4/IrRGg==
+					) ; KSK; alg = ECDSAP256SHA256 ; key id = 46605
+			3600	RRSIG	DNSKEY 13 2 3600 (
+					20601231235959 20201012144725 46605 example.com.
+					GRVgc202uXoxu8f36V/Tc4r9BzCKK07SCmS6
+					MCJ+mXO7PCv4RIzN9Dp8t6sVuDb5smLe6cV6
+					5lgyPYJwr1TVJA== )
+			3600	CDS	53851 8 2 (
+					668159D684EC387C948E6F4B0AC9AA01481C
+					CEBF7570AFEC582897E7725122D6 )
+			3600	RRSIG	CDS 13 2 3600 (
+					20601231235959 20201012144725 7800 example.com.
+					r+OpHWsZ0enCPKtUIZFXSb/8YbLdfYb3Ihpt
+					n/5kAWbOkkkVzAJX2/sCrVExMCVcP/nFSIIf
+					hACGKBjTvuLFLA== )
+			3600	RRSIG	CDS 13 2 3600 (
+					20601231235959 20201012144725 46605 example.com.
+					buNL2/GqYvtwcXMPSiOeaEB5L6r5InyVxzaJ
+					1PaaJigmJHbdNKGFl8ijDiH7WBdQECb8M3oU
+					zeuWGebSLuy0AQ== )
+			3600	CDNSKEY	257 3 8 (
+					AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+					oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+					2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+					mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+					x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+					bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+					mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+					odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+					tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+					EHYAd/AP8YgaovS8N1fJyh0=
+					) ; KSK; alg = RSASHA256 ; key id = 53851
+			3600	RRSIG	CDNSKEY 13 2 3600 (
+					20601231235959 20201012144725 7800 example.com.
+					wYB3zuX5/bt3Pg2nz9F0j6MK1bkY19QvDcRb
+					pk/0rHXLbSjTepbIwy8O0KbJndHy+a70fN5p
+					3dBGN5J56KymFg== )
+			3600	RRSIG	CDNSKEY 13 2 3600 (
+					20601231235959 20201012144725 46605 example.com.
+					pXWJCUC0kKqWpjZetDhGJLNPpXGqc8sJZ9wY
+					HKs4Sd734p+Gr45vnJ94pGYjjtZi9bwPo2nF
+					DmFP5K3NLACG+Q== )
+dns2.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 13 3 3600 (
+					20601231235959 20201012144725 7800 example.com.
+					Khv6ptUd4l4SgJI/H+L6Ls/gQHnmmQJcg0fB
+					xv7zECmQfQFguVIJ1bmoz4jP26ejsNH1pG+o
+					Wz9U7I5oWsDzYg== )
+			7200	NSEC	example.com. A RRSIG NSEC
+			7200	RRSIG	NSEC 13 3 7200 (
+					20601231235959 20201012144725 7800 example.com.
+					z8omQAty9S0cNyFATnM8DZ+RbMly/7staAmc
+					RF+PmOp/E7FtdKOZe5+ega/+aQV9VpePYXMA
+					UwmIeeYYU2pAJQ== )
diff --git a/tests/knot/semantic_check_data/cdnskey.invalid.param b/tests/knot/semantic_check_data/cdnskey.invalid.param
new file mode 100644
index 0000000..2814ddd
--- /dev/null
+++ b/tests/knot/semantic_check_data/cdnskey.invalid.param
@@ -0,0 +1,123 @@
+example.com.		3600	IN SOA	dns2.example.com. hostmaster.example.com. (
+					2010135808 ; serial
+					10800      ; refresh (3 hours)
+					3600       ; retry (1 hour)
+					1209600    ; expire (2 weeks)
+					7200       ; minimum (2 hours)
+					)
+			3600	RRSIG	SOA 13 2 3600 (
+					20601231235959 20201012144756 33730 example.com.
+					tBomI7xR670RBUw9IjNL2A5eMVKtYqDUdhiq
+					XJI3CFdb4j6plfdUF75SfaiCP70aLX8Atzxm
+					2RAzpR6M2Q3gbQ== )
+			3600	NS	dns2.example.com.
+			3600	RRSIG	NS 13 2 3600 (
+					20601231235959 20201012144756 33730 example.com.
+					8mHEeq/7fnXpM/CaOFsIqTKyTrixQVZr8V+P
+					Lwn641YbbKniEP+KacrJ7Ul2jt2jCT2cnxC0
+					b9XicHENmd0phA== )
+			3600	MX	10 mail.example.com.
+			3600	RRSIG	MX 13 2 3600 (
+					20601231235959 20201012144756 33730 example.com.
+					f8ZdC3vD/oIltQLyL4zBmwo9rRyijN183BGw
+					L6iZ6DnH4BASlUyrGa0IceRH4yD5pP+gnhCc
+					lBzWFgvtEIyPPQ== )
+			7200	NSEC	dns2.example.com. NS SOA MX RRSIG NSEC DNSKEY CDS CDNSKEY
+			7200	RRSIG	NSEC 13 2 7200 (
+					20601231235959 20201012144756 33730 example.com.
+					UK+oQx75Gdn82LKBzht8KxrtwPE5JCBhEMcR
+					hRhHTeMqRUjbbeEOSWRdjg/36329yNYrxC60
+					l7bBcqolo9dDmw== )
+			3600	DNSKEY	256 3 8 (
+					AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVw
+					YkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH
+					1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6
+					jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEe
+					CUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
+					) ; ZSK; alg = RSASHA256 ; key id = 48849
+			3600	DNSKEY	256 3 13 (
+					kr0M2egbhUXhH0i6fYiSl+zRH1pU7XhamCdO
+					nPhMEgFa3CsGp61kCuZFulpY0ODh8WrAPZcO
+					qC0tCj5Bz7nWZQ==
+					) ; ZSK; alg = ECDSAP256SHA256 ; key id = 33730
+			3600	DNSKEY	257 3 8 (
+					AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+					oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+					2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+					mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+					x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+					bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+					mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+					odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+					tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+					EHYAd/AP8YgaovS8N1fJyh0=
+					) ; KSK; alg = RSASHA256 ; key id = 53851
+			3600	DNSKEY	257 3 8 (
+					AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKf
+					jqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4
+					IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la
+					7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU8
+					0AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbm
+					LIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpM
+					CLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRn
+					dpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs
+					9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n
+					/4lgdSiBtvByLCXoWEYIGRs=
+					) ; KSK; alg = RSASHA256 ; key id = 19420
+			3600	DNSKEY	257 3 13 (
+					7fs6TMYYlkkxI1PCunVT9dxcxWVGXu1N7xVv
+					2EUyVYMXSn/Z04URNTaxXcoWuDafy99G8rcT
+					oPycl2oOhc+s0w==
+					) ; KSK; alg = ECDSAP256SHA256 ; key id = 60664
+			3600	RRSIG	DNSKEY 13 2 3600 (
+					20601231235959 20201012144756 60664 example.com.
+					WpjHrB8ZfAhOSjq79gAaPEiQgSxvEatTi8nC
+					AYYpGs4dc1n54iYZ4IjCfMW/etlkZsMzXbVE
+					s6t+Dj/gJ3JKZg== )
+			3600	CDS	53851 4 2 (
+					6F8129D687EC387C948E6F4B0AC9AA01481C
+					CEBF7570AFEC582897E7725122D6 )
+			3600	RRSIG	CDS 13 2 3600 (
+					20601231235959 20201012144756 33730 example.com.
+					IAgBYDhTIYQvmF2vUy72TWoRlPJQGyGErJuT
+					0xxZDStaSfoAVM3Hr6VEqIq7R3B+Xel/urDM
+					WYUbIAinEnvpOw== )
+			3600	RRSIG	CDS 13 2 3600 (
+					20601231235959 20201012144756 60664 example.com.
+					IpzPg5fx+O1HUqjN0lR1Bbo6Zx/Lq1wrrJvv
+					Y518ooGelg8Q2wH7NgScsyhLY342+MHk0fKX
+					RcxRzfaFohiEZg== )
+			3600	CDNSKEY	257 3 8 (
+					AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+					oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+					2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+					mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+					x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+					bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+					mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+					odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+					tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+					EHYAd/AP8YgaovS8N1fJyh0=
+					) ; KSK; alg = RSASHA256 ; key id = 53851
+			3600	RRSIG	CDNSKEY 13 2 3600 (
+					20601231235959 20201012144756 33730 example.com.
+					WMqSVG8Tcq7e5E2y8oHThr6Ip7ASu/35m10m
+					TzsEANrlFf0e1Z6XG5ca/6//NSolXoTu6jBx
+					2kvnsX2bA222PA== )
+			3600	RRSIG	CDNSKEY 13 2 3600 (
+					20601231235959 20201012144756 60664 example.com.
+					LLGAWxuAhlKM/3i9+FFGngy6Zqo6NsxdXScR
+					wgVe3Ilw+3vU/Nih70uRE/xUjZpfFBOlMEk6
+					EBSf/DJr6awY/A== )
+dns2.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 13 3 3600 (
+					20601231235959 20201012144756 33730 example.com.
+					mpcGxsR9c/K6wuaJCeFds1kg0af6Xj8K24o6
+					FHzqn60w7HXXNnDjxS0jPTHpaVUkWhuKUcCR
+					9EcvMW7uwVfULQ== )
+			7200	NSEC	example.com. A RRSIG NSEC
+			7200	RRSIG	NSEC 13 3 7200 (
+					20601231235959 20201012144756 33730 example.com.
+					gLwhcu1t0qloiWb5/XHuv0PAQZ+ChmDdMuMS
+					qS3hi0VPk9cscMjd7ZH7shJBH+9KKMI6YbMz
+					VGU4MSCj5/kT0A== )
diff --git a/tests/knot/semantic_check_data/cdnskey.nocdnskey b/tests/knot/semantic_check_data/cdnskey.nocdnskey
new file mode 100644
index 0000000..a7bac63
--- /dev/null
+++ b/tests/knot/semantic_check_data/cdnskey.nocdnskey
@@ -0,0 +1,101 @@
+example.com.		3600	IN SOA	dns2.example.com. hostmaster.example.com. (
+					2010135808 ; serial
+					10800      ; refresh (3 hours)
+					3600       ; retry (1 hour)
+					1209600    ; expire (2 weeks)
+					7200       ; minimum (2 hours)
+					)
+			3600	RRSIG	SOA 13 2 3600 (
+					20601231235959 20201012144854 39620 example.com.
+					0JDLQ/bZj4SSmqvLPAzt1v/UUb8mfJQnuLC9
+					B1CL4oRD45Hw00KgmbE7xgJVflYZJxfx7KIw
+					ydsB0/1/dMJzbA== )
+			3600	NS	dns2.example.com.
+			3600	RRSIG	NS 13 2 3600 (
+					20601231235959 20201012144854 39620 example.com.
+					Mnk/oSM7sdAhGYbWUMLpYFR1ahcvULo/8z42
+					giRwzAX8HiqvxxkqRCFbvzYeRkZLLw0fYTeR
+					Mqit0zQuWuc0ow== )
+			3600	MX	10 mail.example.com.
+			3600	RRSIG	MX 13 2 3600 (
+					20601231235959 20201012144854 39620 example.com.
+					qPQblbJyzHdmhqYhYx4wfUHWe3SYGUA65hZR
+					UFYcx99Vhs1CXUobjCk9NBedRbBHR04kQ5Bo
+					/72fhuCPJFIC1Q== )
+			7200	NSEC	dns2.example.com. NS SOA MX RRSIG NSEC DNSKEY CDS
+			7200	RRSIG	NSEC 13 2 7200 (
+					20601231235959 20201012144854 39620 example.com.
+					H5So5m0YdxOBU3k0+pi6KOgPNF2V4hU+GLxa
+					c0JdGnALP4Wz6lWCdMRPXIaMjImb3TK9vFti
+					89lB/2MMDe4dTw== )
+			3600	DNSKEY	256 3 8 (
+					AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVw
+					YkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH
+					1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6
+					jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEe
+					CUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
+					) ; ZSK; alg = RSASHA256 ; key id = 48849
+			3600	DNSKEY	256 3 13 (
+					6R8b9KzH06NQ/4AUqrmp8rFmY0AmHpbW/vhj
+					xLul6ON720xvdeKBzi0nLSeTdUO8/gK8s8jh
+					RmJ8Fw279eXXZQ==
+					) ; ZSK; alg = ECDSAP256SHA256 ; key id = 39620
+			3600	DNSKEY	257 3 8 (
+					AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+					oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+					2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+					mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+					x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+					bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+					mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+					odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+					tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+					EHYAd/AP8YgaovS8N1fJyh0=
+					) ; KSK; alg = RSASHA256 ; key id = 53851
+			3600	DNSKEY	257 3 8 (
+					AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKf
+					jqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4
+					IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la
+					7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU8
+					0AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbm
+					LIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpM
+					CLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRn
+					dpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs
+					9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n
+					/4lgdSiBtvByLCXoWEYIGRs=
+					) ; KSK; alg = RSASHA256 ; key id = 19420
+			3600	DNSKEY	257 3 13 (
+					hfwsa6JnfqjMRma2PlO+gt8qqLytVIygLZHB
+					5APAuz2cheZCMD8A2kyt5NziCCj6szmCK4oZ
+					fColPGaDgYtpmA==
+					) ; KSK; alg = ECDSAP256SHA256 ; key id = 6821
+			3600	RRSIG	DNSKEY 13 2 3600 (
+					20601231235959 20201012144854 6821 example.com.
+					UbEQQoX5j1FVOqpkQBqckaG4WnCd7+4dBJax
+					5sgjHQnfSSwKGfJx0zxd3ZbPCEKj+Ymrhpsm
+					nqfPzVRZhUPKuQ== )
+			3600	CDS	53851 8 2 (
+					6F8129D687EC387C948E6F4B0AC9AA01481C
+					CEBF7570AFEC582897E7725122D6 )
+			3600	RRSIG	CDS 13 2 3600 (
+					20601231235959 20201012144854 6821 example.com.
+					Sc/K9xI1C9rzujnllO5o7sKoJiEKFUEfPxt8
+					gsxs3sb9Q1s0/uSocrPc2OcaLgEzuFGS5FzA
+					fg7HcgZN63I5TA== )
+			3600	RRSIG	CDS 13 2 3600 (
+					20601231235959 20201012144854 39620 example.com.
+					ykGu61Yjp24MJjp0wIYV20LSQ9ovRHT0zqp2
+					CSvlROIVpbUGlNjAAKJdWwYJAqNUD571gJ7E
+					TkhrLEIX02ySqw== )
+dns2.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 13 3 3600 (
+					20601231235959 20201012144854 39620 example.com.
+					ye5pM/p8OWbdRNhLfbfWsY6lG8lr0Ae80LKv
+					rVOCMhAowrtKmDL6hUByovCV7MjCIYwGM26C
+					Vl9CRmrWwJEULw== )
+			7200	NSEC	example.com. A RRSIG NSEC
+			7200	RRSIG	NSEC 13 3 7200 (
+					20601231235959 20201012144854 39620 example.com.
+					JHP3TuxCuZ+N0lWtRI7Xl0qIcHSrn/X+WDUr
+					0cVBfQTsFrAZs14bJhvw0zMGgONAgnFsXlxg
+					QmAqIPmpRvKtnA== )
diff --git a/tests/knot/semantic_check_data/cdnskey.nocds b/tests/knot/semantic_check_data/cdnskey.nocds
new file mode 100644
index 0000000..ecb3188
--- /dev/null
+++ b/tests/knot/semantic_check_data/cdnskey.nocds
@@ -0,0 +1,110 @@
+example.com.		3600	IN SOA	dns2.example.com. hostmaster.example.com. (
+					2010135808 ; serial
+					10800      ; refresh (3 hours)
+					3600       ; retry (1 hour)
+					1209600    ; expire (2 weeks)
+					7200       ; minimum (2 hours)
+					)
+			3600	RRSIG	SOA 13 2 3600 (
+					20601231235959 20201012144849 42608 example.com.
+					GDfM/H4m+FRVp3M/KsOv//eMFaL1LnyrIi8O
+					pUSht1KyYDRoVqSL72XTy1aAJJ49Sd0uq+4U
+					acekI3Xi9OpvXg== )
+			3600	NS	dns2.example.com.
+			3600	RRSIG	NS 13 2 3600 (
+					20601231235959 20201012144849 42608 example.com.
+					ICtOUMZr415dJb22HWsrjbYfW7q6hh6gxD2i
+					EikMQAkPncdBHHd7dCrjy1/4CPhixn/BnDfV
+					ZwF87k2Sa7EV8w== )
+			3600	MX	10 mail.example.com.
+			3600	RRSIG	MX 13 2 3600 (
+					20601231235959 20201012144849 42608 example.com.
+					IokJy9LCiCaOPsluuBKYnwkesiPwsU/KZdA9
+					jK25UmdfD1uU8AA63OOciTZQSv9NI+Q4nzl3
+					LyqkRWFKToMz9A== )
+			7200	NSEC	dns2.example.com. NS SOA MX RRSIG NSEC DNSKEY CDNSKEY
+			7200	RRSIG	NSEC 13 2 7200 (
+					20601231235959 20201012144849 42608 example.com.
+					kuhtgHhoeIwJ8IG08x+Tp5M7kQ+LzWoH/hTs
+					V17ZSyPD06YvMEmv9vdB+ATLd+j3uNYnMd4n
+					HW7Jh/ocOWg6+Q== )
+			3600	DNSKEY	256 3 8 (
+					AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVw
+					YkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH
+					1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6
+					jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEe
+					CUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
+					) ; ZSK; alg = RSASHA256 ; key id = 48849
+			3600	DNSKEY	256 3 13 (
+					p9BANIrBFV9hX2qwbzydeiubQkm9qstpzvUe
+					OFMDOEyyQxI+8s2nfHI76KmRliHuM7fOM9B5
+					e8wNmEeVd9JJmQ==
+					) ; ZSK; alg = ECDSAP256SHA256 ; key id = 42608
+			3600	DNSKEY	257 3 8 (
+					AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+					oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+					2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+					mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+					x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+					bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+					mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+					odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+					tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+					EHYAd/AP8YgaovS8N1fJyh0=
+					) ; KSK; alg = RSASHA256 ; key id = 53851
+			3600	DNSKEY	257 3 8 (
+					AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKf
+					jqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4
+					IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la
+					7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU8
+					0AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbm
+					LIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpM
+					CLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRn
+					dpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs
+					9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n
+					/4lgdSiBtvByLCXoWEYIGRs=
+					) ; KSK; alg = RSASHA256 ; key id = 19420
+			3600	DNSKEY	257 3 13 (
+					5sv4MetMS4KWSgyzvn658Prs0A8tLaWFhRJD
+					E9IznhGY2ogp8Z/uSIqh8QWzf1kQvfDUQiav
+					kOx4CNa3dSx/ZA==
+					) ; KSK; alg = ECDSAP256SHA256 ; key id = 8616
+			3600	RRSIG	DNSKEY 13 2 3600 (
+					20601231235959 20201012144849 8616 example.com.
+					DeZBLj99QbyGhalCZ4UOmBJO/RLNgrPsAdaW
+					swYSg18lvE7jmLn9vxkUVZu0G6z43tulSb+a
+					lQT8m+U+PlusNA== )
+			3600	CDNSKEY	257 3 8 (
+					AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+					oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+					2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+					mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+					x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+					bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+					mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+					odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+					tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+					EHYAd/AP8YgaovS8N1fJyh0=
+					) ; KSK; alg = RSASHA256 ; key id = 53851
+			3600	RRSIG	CDNSKEY 13 2 3600 (
+					20601231235959 20201012144849 8616 example.com.
+					IlysaALuak04Zbh0+104PHAuQgnYDBTLpvz+
+					BgirzX9Vp+pg4yZVelAXsaDbcj2ZrXrwBjpo
+					+DHj53HmZygj4g== )
+			3600	RRSIG	CDNSKEY 13 2 3600 (
+					20601231235959 20201012144849 42608 example.com.
+					dJhB1Xmd3G1ueRVnFU+M4yc379LH0UrpBcNS
+					xHzjVd+vWtpNGPq03Wi3sczA9UUkXE0F5n22
+					6ZNR5XAswf+SYw== )
+dns2.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 13 3 3600 (
+					20601231235959 20201012144849 42608 example.com.
+					3DTwpPojzX4r9ZWeKo+zmJw+2L/uqrtoAZEv
+					ncPJG0AGB9QVzjLFiRg0BV4GiDZCl2Hh4onl
+					OShOi5Nt0GXp5Q== )
+			7200	NSEC	example.com. A RRSIG NSEC
+			7200	RRSIG	NSEC 13 3 7200 (
+					20601231235959 20201012144849 42608 example.com.
+					1m2PpD3S6/5x3Kkes+1JgbHtsm0xlnKrNCmF
+					xeBvCl55D98zSvs0DjfRjFowAg22nWJkvsWo
+					3N1vnfFZpzmPPA== )
diff --git a/tests/knot/semantic_check_data/cdnskey.nodnskey b/tests/knot/semantic_check_data/cdnskey.nodnskey
new file mode 100644
index 0000000..461e05a
--- /dev/null
+++ b/tests/knot/semantic_check_data/cdnskey.nodnskey
@@ -0,0 +1,111 @@
+example.com.		3600	IN SOA	dns2.example.com. hostmaster.example.com. (
+					2010135808 ; serial
+					10800      ; refresh (3 hours)
+					3600       ; retry (1 hour)
+					1209600    ; expire (2 weeks)
+					7200       ; minimum (2 hours)
+					)
+			3600	RRSIG	SOA 13 2 3600 (
+					20601231235959 20201012144347 19649 example.com.
+					Tng1e4Zs8LvGZJqp75aBSX9Ci9bsncY+w8+K
+					rfYdoVe/Smq0I+Hgtygcq0Twc7llW0rwtZ8R
+					jQpbXbp+XNDi3g== )
+			3600	NS	dns2.example.com.
+			3600	RRSIG	NS 13 2 3600 (
+					20601231235959 20201012144347 19649 example.com.
+					OcKfgxtnriGsC/9wV9yI71wIVzR+71j3sZ3+
+					ZGVqAo2bWR8QRULa5g5lQpIxlayN7w6xi6vV
+					IVWY3vauy59pPQ== )
+			3600	MX	10 mail.example.com.
+			3600	RRSIG	MX 13 2 3600 (
+					20601231235959 20201012144347 19649 example.com.
+					CtZFcGvbco6ZreotcmfSYl8SlRdN/JiSuoOG
+					KtdauRz9+a+xkT2k1Wy6dADfLpwHwXL8yElg
+					/LdNXKEWK96HcQ== )
+			7200	NSEC	dns2.example.com. NS SOA MX RRSIG NSEC DNSKEY CDS CDNSKEY
+			7200	RRSIG	NSEC 13 2 7200 (
+					20601231235959 20201012144347 19649 example.com.
+					6GVUlXemDUb6W9IID4qK+PPDSizeURGJEJlN
+					Hoof218/H/k8/BLNphFIGpdhCC2jHnAx2Nxd
+					Af65dTLtt7OBjQ== )
+			3600	DNSKEY	256 3 8 (
+					AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVw
+					YkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH
+					1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6
+					jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEe
+					CUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
+					) ; ZSK; alg = RSASHA256 ; key id = 48849
+			3600	DNSKEY	256 3 13 (
+					LiJCYpav6haPA3M3GhTZ/L6wtSqS7e9mwKsU
+					TdBkZ71RS8qmXsITLz5bFHMSy7K8mCuQIdTT
+					J3cGkbguNBqgJg==
+					) ; ZSK; alg = ECDSAP256SHA256 ; key id = 19649
+			3600	DNSKEY	257 3 8 (
+					AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKf
+					jqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4
+					IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la
+					7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU8
+					0AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbm
+					LIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpM
+					CLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRn
+					dpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs
+					9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n
+					/4lgdSiBtvByLCXoWEYIGRs=
+					) ; KSK; alg = RSASHA256 ; key id = 19420
+			3600	DNSKEY	257 3 13 (
+					j18Cd+0frtc1WPeWn8bwdxYd9iTe7XsqTwnO
+					W46ZpPJPGBq/n31+7/N9TRAtXulE2r+rJDRF
+					mMooK5qrWOtqvw==
+					) ; KSK; alg = ECDSAP256SHA256 ; key id = 24385
+			3600	RRSIG	DNSKEY 13 2 3600 (
+					20601231235959 20201012144347 24385 example.com.
+					8O0L6xxTnGMccrMSjaG2/MtljkSOls/BIwoX
+					eUmB9nJvDQNd8jg9XtNYUGG79dmysetBrNQl
+					TohQ1BEVGTJwig== )
+			3600	CDS	53851 8 2 (
+					6F8129D687EC387C948E6F4B0AC9AA01481C
+					CEBF7570AFEC582897E7725122D6 )
+			3600	RRSIG	CDS 13 2 3600 (
+					20601231235959 20201012144347 19649 example.com.
+					CLjvJJOAZVToWUQQX06ySDkKo4QO4YcN2vhl
+					JZZ2a1hA2ranrzpeE8cslGKme5lxHKr8Y1ev
+					ffWfrz8KoQVW+A== )
+			3600	RRSIG	CDS 13 2 3600 (
+					20601231235959 20201012144347 24385 example.com.
+					TaPgzUzL+fPwEUNyusjCb6OZOF3DtlMNh3eY
+					ZTvogl2eRq84NA+mfzPmh0NXqVDbsVHGHq1B
+					mJoxuMtIt4G5Rg== )
+			3600	CDNSKEY	257 3 8 (
+					AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+					oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+					2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+					mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+					x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+					bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+					mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+					odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+					tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+					EHYAd/AP8YgaovS8N1fJyh0=
+					) ; KSK; alg = RSASHA256 ; key id = 53851
+			3600	RRSIG	CDNSKEY 13 2 3600 (
+					20601231235959 20201012144347 19649 example.com.
+					5sY/Q/1tP9qPMAHyQVMtbFQ0gO24rofCLg/D
+					/BaXTvjp5bnWhGuv1wFbSCyEreYr072Va08t
+					JdntIC8Prt/1MQ== )
+			3600	RRSIG	CDNSKEY 13 2 3600 (
+					20601231235959 20201012144347 24385 example.com.
+					UlLhm8Nb6g0jUIs1ldjW4OedzzLXDjCllRSm
+					+6WQuBK1uA7vboyqYVvLxxyFZCxgz6xV02iK
+					eawtsKsOnlfGCg== )
+dns2.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 13 3 3600 (
+					20601231235959 20201012144347 19649 example.com.
+					ZRDwnV+YyfKPI58ASagzoCo+qWTscYZZa6j+
+					wr4axJ7jtIO6Firy4R1GlO6NXmN5vcjHAj90
+					NZ26ezRgCMCFQQ== )
+			7200	NSEC	example.com. A RRSIG NSEC
+			7200	RRSIG	NSEC 13 3 7200 (
+					20601231235959 20201012144347 19649 example.com.
+					c5ILb+AR9BIinFp6mCogN+jwR8067Fm9LT9Y
+					AWaR3pqUC4d+Qdo4pkODLkmhAaSQLJCyPyYB
+					TQ7OFkQCC49MtA== )
diff --git a/tests/knot/semantic_check_data/cdnskey.orphan.cdnskey b/tests/knot/semantic_check_data/cdnskey.orphan.cdnskey
new file mode 100644
index 0000000..70241ab
--- /dev/null
+++ b/tests/knot/semantic_check_data/cdnskey.orphan.cdnskey
@@ -0,0 +1,135 @@
+example.com.		3600	IN SOA	dns2.example.com. hostmaster.example.com. (
+					2010135808 ; serial
+					10800      ; refresh (3 hours)
+					3600       ; retry (1 hour)
+					1209600    ; expire (2 weeks)
+					7200       ; minimum (2 hours)
+					)
+			3600	RRSIG	SOA 13 2 3600 (
+					20601231235959 20201012144945 39996 example.com.
+					pdj652v0OfPO/McP8sNpxoE+adY+Qim5je8m
+					TQPcudU3gm7I2L+YqU/ujX1NUOyhUAhzRng7
+					m6nfrudJebq15g== )
+			3600	NS	dns2.example.com.
+			3600	RRSIG	NS 13 2 3600 (
+					20601231235959 20201012144945 39996 example.com.
+					7/X57I7FmbSlgxxeaE3Xgoot7KxN6nxtDb0E
+					mEEZNwdLCpjgaftaXXXM3NaZ1W2sdoECCrlz
+					R4/75kqrmNpYPw== )
+			3600	MX	10 mail.example.com.
+			3600	RRSIG	MX 13 2 3600 (
+					20601231235959 20201012144945 39996 example.com.
+					0tcHIXXPEKy1tpc+Of6s2hTdQ5dGh1IoIoxY
+					se9paUUfhoF2oH5Pb8HP3rNyWLiTqXh4/lxV
+					vFLi4rR5zojxLA== )
+			7200	NSEC	dns2.example.com. NS SOA MX RRSIG NSEC DNSKEY CDS CDNSKEY
+			7200	RRSIG	NSEC 13 2 7200 (
+					20601231235959 20201012144945 39996 example.com.
+					kbImDj5vgk5VG9MI+4HJ4FtwnJ4ykSbk8vNY
+					e49ibkZChGsTtIzLwdcNAmOk7w/em67FkGBi
+					oxqCj6b3G0C45w== )
+			3600	DNSKEY	256 3 8 (
+					AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVw
+					YkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH
+					1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6
+					jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEe
+					CUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
+					) ; ZSK; alg = RSASHA256 ; key id = 48849
+			3600	DNSKEY	256 3 13 (
+					R4pG7HF8CbXgbo4N6UqdSnE8CaClNUw6v/di
+					aScNknRS0eLPOKmpANe0tyiwBV1bRQyjpmxq
+					fgZ9Oxac7plIJw==
+					) ; ZSK; alg = ECDSAP256SHA256 ; key id = 39996
+			3600	DNSKEY	257 3 8 (
+					AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+					oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+					2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+					mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+					x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+					bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+					mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+					odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+					tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+					EHYAd/AP8YgaovS8N1fJyh0=
+					) ; KSK; alg = RSASHA256 ; key id = 53851
+			3600	DNSKEY	257 3 8 (
+					AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKf
+					jqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4
+					IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la
+					7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU8
+					0AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbm
+					LIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpM
+					CLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRn
+					dpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs
+					9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n
+					/4lgdSiBtvByLCXoWEYIGRs=
+					) ; KSK; alg = RSASHA256 ; key id = 19420
+			3600	DNSKEY	257 3 13 (
+					cJdrUmmcxe9JKHwHHAkJ8mO1J63Cm6Qoln56
+					CUya+eWuF1A3u9L3wumvY2rAXvzBpplLXeUN
+					GIN0GgLHejH6QQ==
+					) ; KSK; alg = ECDSAP256SHA256 ; key id = 56026
+			3600	RRSIG	DNSKEY 13 2 3600 (
+					20601231235959 20201012144945 56026 example.com.
+					srEjUMAQ4Z/yc22bas+P0ly30IVbZaIIlli9
+					H7avBz013fn90vDRDLiLuHAMvW++xdDJypcg
+					Sr+9I9+nv6jzRA== )
+			3600	CDS	53851 8 2 (
+					6F8129D687EC387C948E6F4B0AC9AA01481C
+					CEBF7570AFEC582897E7725122D6 )
+			3600	RRSIG	CDS 13 2 3600 (
+					20601231235959 20201012144945 39996 example.com.
+					inhdpEZ+2W4EM1HSiVZdJa4xT5S319D0x3b5
+					eJpskw/EV/Rx1X87FCr8FP18iBOszsWJjQQq
+					Z66eAxIhpBcb7A== )
+			3600	RRSIG	CDS 13 2 3600 (
+					20601231235959 20201012144945 56026 example.com.
+					TA7UxWd+j6bOXKPxo3XuKlIy87/HvIPGoELS
+					WQyrON5IURgGw/2YWD0M5xw852jl27USezzo
+					pai940D3+VGeOQ== )
+			3600	CDNSKEY	257 3 8 (
+					AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+					oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+					2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+					mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+					x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+					bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+					mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+					odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+					tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+					EHYAd/AP8YgaovS8N1fJyh0=
+					) ; KSK; alg = RSASHA256 ; key id = 53851
+			3600	CDNSKEY	257 3 8 (
+					AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKf
+					jqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4
+					IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la
+					7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU8
+					0AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbm
+					LIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpM
+					CLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRn
+					dpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs
+					9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n
+					/4lgdSiBtvByLCXoWEYIGRs=
+					) ; KSK; alg = RSASHA256 ; key id = 19420
+			3600	RRSIG	CDNSKEY 13 2 3600 (
+					20601231235959 20201012144945 39996 example.com.
+					CSk6oHNIsj3XQgXpPtFOhf4dTv/Wu/vnJfJs
+					Lpc3IoApBMxrpSIzfM/c72JtjSVzjJcdo6kL
+					n71WM21CsMcQ4A== )
+			3600	RRSIG	CDNSKEY 13 2 3600 (
+					20601231235959 20201012144945 56026 example.com.
+					hsml4IaJtzvMdvaMTR3MzeCT5fMHJ46rCY0y
+					8DTAvK7/Z6LHbF4G7yRh9ozwcyZbB006cMdc
+					4XUFDtEPK62DGw== )
+dns2.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 13 3 3600 (
+					20601231235959 20201012144945 39996 example.com.
+					1cNj6TJEHFxLXFYVt3RU3wC8Wz/F5bfjy8/W
+					jEJdrnVzo1ihmJWoY48e9MlvsGXnGe4+GUrl
+					HSS+2bsGOS7DyA== )
+			7200	NSEC	example.com. A RRSIG NSEC
+			7200	RRSIG	NSEC 13 3 7200 (
+					20601231235959 20201012144945 39996 example.com.
+					5mtXYcvidkSnG12dZof3xSEaH2eOsV2fuBvb
+					8Eb6XEuPfD9v5g2mweyZYrBtowEsTA9IOsly
+					6AWT5PfZbNAe+Q== )
diff --git a/tests/knot/semantic_check_data/cdnskey.orphan.cds b/tests/knot/semantic_check_data/cdnskey.orphan.cds
new file mode 100644
index 0000000..54732de
--- /dev/null
+++ b/tests/knot/semantic_check_data/cdnskey.orphan.cds
@@ -0,0 +1,138 @@
+example.com.		3600	IN SOA	dns2.example.com. hostmaster.example.com. (
+					2010135808 ; serial
+					10800      ; refresh (3 hours)
+					3600       ; retry (1 hour)
+					1209600    ; expire (2 weeks)
+					7200       ; minimum (2 hours)
+					)
+			3600	RRSIG	SOA 13 2 3600 (
+					20601231235959 20201012144942 8996 example.com.
+					ThTlvNtautK64IeJRxNCr5acLrRu8jXkTR3N
+					y5TlXrei2DIagbPja++4vLjhUJAcKTGndD+x
+					wgMrDpCY6pMAYQ== )
+			3600	NS	dns2.example.com.
+			3600	RRSIG	NS 13 2 3600 (
+					20601231235959 20201012144942 8996 example.com.
+					3OJiG3v9Nq9OHkyysT3A6PNPRVn9sYTQkHNS
+					6JL5BzLCQ+uYKJBCu0ZPxDlYpbYnO0HKQ7Ta
+					iZYCjm7vzqtvwA== )
+			3600	MX	10 mail.example.com.
+			3600	RRSIG	MX 13 2 3600 (
+					20601231235959 20201012144942 8996 example.com.
+					9vi3n2cVyr+ghB0ql4Wc8vhpLfAuclopapXw
+					BQV328nEwftj0okcPz4Z7Iye9by4X6NDd13x
+					vzWXDKjZCSxLJg== )
+			7200	NSEC	dns2.example.com. NS SOA MX RRSIG NSEC DNSKEY CDS CDNSKEY
+			7200	RRSIG	NSEC 13 2 7200 (
+					20601231235959 20201012144942 8996 example.com.
+					HP8iIlUO+EKFRgoHUrQWLcaX8oSGEb/tldEP
+					GcJKM+rGMeJvxXOJnjSskUm7AyRK1TKK4RqE
+					xaOHTgIz1uUkzw== )
+			3600	DNSKEY	256 3 8 (
+					AwEAAdKraxDdGTL4HDOkXTDI1Md1UdHuYhVw
+					YkB+u2umVjTJ1H9Qb2oBryqwXI+gklnuCqrH
+					1znkDvzGEAeHRQUCbtKbjmqErTAcRRHW3D+6
+					jsOGXzbyGCfbyzRBwsbNCLWr3ONpPi5JOWEe
+					CUJfyc/mRXcmh5uYl1JvzAM1zprtljZt
+					) ; ZSK; alg = RSASHA256 ; key id = 48849
+			3600	DNSKEY	256 3 13 (
+					bkP3kBcYNsUB6jpKA764AJeNBzGJjNIRPxDl
+					2wK1O7I/bvZDILscWSMUsSRmxZuPWGLjevpp
+					Tve1UMe+dP9VIA==
+					) ; ZSK; alg = ECDSAP256SHA256 ; key id = 8996
+			3600	DNSKEY	257 3 8 (
+					AwEAAaulfU2biYVBiUsGwAyCXbA+gm0yWgH2
+					Z71S16R2YNERlb0he9Od28DcFd0HbaKdFnw/
+					CtX7Z2UWs6/IRu8QmHGn6SKDsLzZ5StdPsJD
+					KilfvSlEcQeqrRAncug1SnA5BogNQSD0/02Y
+					w5KDGn7ALCSYlNgOgy7l+D/urlkuxgsPWvqY
+					XnlxaIcKt96fndwmkfZ5eF+WAqxguaNcvm14
+					6NA53wRrWx8BQbcHk1R+WcQGqFcVOlifCs9z
+					V+87QJy2H660QKqOVDgt8PF8QmRRJqzOKpu2
+					9T+Vd1dM3zjBJ7deLaNH2E5p7Bbp1eeOCeOt
+					WpCG6XfaRmZIF3ZWVM6Ways=
+					) ; KSK; alg = RSASHA256 ; key id = 56474
+			3600	DNSKEY	257 3 8 (
+					AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+					oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+					2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+					mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+					x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+					bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+					mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+					odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+					tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+					EHYAd/AP8YgaovS8N1fJyh0=
+					) ; KSK; alg = RSASHA256 ; key id = 53851
+			3600	DNSKEY	257 3 8 (
+					AwEAAetE6qfN/GbtMmvM0PXUTyskauES2FKf
+					jqLVz7EQlfS8iAFWLi1eHjHXDkueZ1OYRzQ4
+					IBy6MIsce4XVXLQoS8njtfaU7c5NZvktH5la
+					7JuH32KYr3PdWL5KDsUdED3GSxfNV+DbcYU8
+					0AZxTxy6Bm6EP+DztL1dpYrmqr8JRl+qlSbm
+					LIrPemZFUEQzhiepcYMWviDUz+ixSVzjEzpM
+					CLsrNxA30Ziiq9GKA8KKlFHdAmxuNcH0TzRn
+					dpo6bu5nKyJHiREIazHVuPBEzUmHtcWETCDs
+					9UVsbji2Z2ozqLz9cqnfYV/kOD+OZBAqvZ0n
+					/4lgdSiBtvByLCXoWEYIGRs=
+					) ; KSK; alg = RSASHA256 ; key id = 19420
+			3600	DNSKEY	257 3 13 (
+					1OgEqruDg7pI2dTIRMdP9ihhdl3wFngZW9bP
+					E4jMg4ByKKoKM/C1QN4Q+BQiQDkcprwE9vLf
+					D/cLgFNspjcBgQ==
+					) ; KSK; alg = ECDSAP256SHA256 ; key id = 63865
+			3600	RRSIG	DNSKEY 13 2 3600 (
+					20601231235959 20201012144942 63865 example.com.
+					9d2q8pWH1AftoDmPq3DNblta3oPV+6ROZmVR
+					BvjHj7xJjI27aY514C0qNkQVhioe2mhQjikO
+					gyxvkWwBV/owPg== )
+			3600	CDS	53851 8 2 (
+					6F8129D687EC387C948E6F4B0AC9AA01481C
+					CEBF7570AFEC582897E7725122D6 )
+			3600	CDS	56474 8 2 (
+					260E7ADB07D1ECC40DEE79EFF6527CF7119C
+					0AFC1CFA5DAC1ADFE342568CF32D )
+			3600	RRSIG	CDS 13 2 3600 (
+					20601231235959 20201012144942 8996 example.com.
+					E7iVsJZjRyGbjMUADsi9Chz74+t1W75zTPmm
+					MYVD77dkRHiEpN41MJB6Z7Fn1lNOE6f8q2B5
+					iL/3UXULB1vpwA== )
+			3600	RRSIG	CDS 13 2 3600 (
+					20601231235959 20201012144942 63865 example.com.
+					fsMqYcBDcTBtaDEqDTYrHHivnuQKb629drhm
+					77RFfBxFJAxlq176PzaddA++zHfWsBgIlJzy
+					VHFy3S3huuyfaQ== )
+			3600	CDNSKEY	257 3 8 (
+					AwEAAcQ1EqTPebcJyUnpxO3Xjx6ehRtsiZYT
+					oARoJsJG12XR6Ci9yy4SCCsejtaWIFO4XVfM
+					2BHzFWqmABtQHtN7AazXAFMLsrSE4DYbgk5W
+					mnQv5Jloi6jhhmmXwr8EOi3HR2jdG0gVq/Ta
+					x7ztNNZsflJrs3rZs2TVO00BkyyOkmO35jCN
+					bGPUwm5cW1vse137BMa7jAcMyNLPIiQubj1/
+					mJcIyzF2duvfpjBTgEmSvNcXqLfYFjK8lG4N
+					odQG8AcK0MvWqN4mxW/hK0U9nMSjhCnfzPg5
+					tjyqdheWRyhkLGjM/mR7gBhtqoSPMr+2KMJQ
+					EHYAd/AP8YgaovS8N1fJyh0=
+					) ; KSK; alg = RSASHA256 ; key id = 53851
+			3600	RRSIG	CDNSKEY 13 2 3600 (
+					20601231235959 20201012144942 8996 example.com.
+					hhpJcQ4cMcq9fLNtZrTEVAMGB2bjMwcDvv4C
+					Sss9wWDBNxIVOsi4x3j/08PZTqbfmYePWtK8
+					k2R5GOOK1lpVlw== )
+			3600	RRSIG	CDNSKEY 13 2 3600 (
+					20601231235959 20201012144942 63865 example.com.
+					xU82j/dJf8oBd1Ti2lHH0YoxBvgCQo2MOdwJ
+					yOc6fDrT/c39rCMT//VoDmmKj3SavQ92ABBt
+					18JqxCXK7+tnYQ== )
+dns2.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 13 3 3600 (
+					20601231235959 20201012144942 8996 example.com.
+					D3O6XOYrOT1tlCieJJvw7zys0ClqXcCvs5+D
+					qSEpKcE6RNNeJG2d3SJg95fbO+eTkw30MROF
+					ajnNh5xJ+8xsMQ== )
+			7200	NSEC	example.com. A RRSIG NSEC
+			7200	RRSIG	NSEC 13 3 7200 (
+					20601231235959 20201012144942 8996 example.com.
+					sGBFze6wRGj8n0B8izUNHO2ufA72sR55U3OQ
+					RLYTx2XqBRvdmapMKK6QDu/6lmwqgYMbjiBJ
+					XqDLv/1RP4DisQ== )
diff --git a/tests/knot/semantic_check_data/cname_extra_01.zone b/tests/knot/semantic_check_data/cname_extra_01.zone
new file mode 100644
index 0000000..ae3f27a
--- /dev/null
+++ b/tests/knot/semantic_check_data/cname_extra_01.zone
@@ -0,0 +1,18 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@	IN	SOA	dns1.example.com. hostmaster.example.com. (
+		2010111218	; serial
+		6h		; refresh
+		1h		; retry
+		1w		; expire
+		1d )		; minimum
+
+	NS	dns1
+	MX	10 mail
+
+dns1	A	192.0.2.1
+
+; error CNAME, node contains other records
+email	CNAME	mail
+	A	192.0.2.2
diff --git a/tests/knot/semantic_check_data/cname_extra_02.signed b/tests/knot/semantic_check_data/cname_extra_02.signed
new file mode 100644
index 0000000..724a8da
--- /dev/null
+++ b/tests/knot/semantic_check_data/cname_extra_02.signed
@@ -0,0 +1,76 @@
+email.example.com.	3600	IN CNAME mail.example.com.
+			3600	RRSIG	CNAME 7 3 3600 (
+					20840201000000 20160224073150 29600 example.com.
+					IxkF8oqOEzhlZDSRBIi4448EGvQwxm0QDFE3
+					JExA4Byx2QaJvXo8LoCeyQxS/f9E6bXpXQk2
+					4dgQxUrRZqnKEA== )
+			86400	NSEC	example.com. CNAME RRSIG NSEC A
+			86400	RRSIG	NSEC 7 3 86400 (
+					20840201000000 20160224073150 29600 example.com.
+					iKA+5qsYA7A7JN7Df99aJnToYESjqordQgVj
+					yMS/1RVBYEGE4y3ggehzAxvc8bsNYnUwGeGt
+					vse5dMVKCcIaPA== )
+; CNAME extra record A
+email.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160224073150 29600 example.com.
+					DummySignatureDEADBEEFToYESjqordQgVj
+					yMS/1RVBYEGE4y3ggehzAxvc8bsNYnUwGeGt
+					vse5dMVKCcIaPA== )
+
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	RRSIG	SOA 7 2 3600 (
+					20840201000000 20160224073150 29600 example.com.
+					MT+QgXcsDzkrFgncNwFyH8lwXiOTpj1rnPgs
+					OUIOfIhyJyzT1hpozAHt+IWOPHUkKjBN1C5y
+					SwyTnlqwJtG0yw== )
+			3600	NS	dns1.example.com.
+			3600	RRSIG	NS 7 2 3600 (
+					20840201000000 20160224073150 29600 example.com.
+					Mr0Gu7PUu9PsUBflhd8tMhcQ9+ve+z561/ml
+					kP6PL0MHgLg7V8KVmL2tc7+JAhSOVSpJ4BGQ
+					c9HKD15lFDFEgw== )
+			86400	NSEC	dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+			86400	RRSIG	NSEC 7 2 86400 (
+					20840201000000 20160224073150 29600 example.com.
+					oEMpoEhi86OM/SdyobPEh90zF3c3FhOgv68j
+					paD5BLUsAntf3qU+KoIMb9iVglp+VTGrg0Ol
+					XdJ2D/xSMA+XHA== )
+			3600	DNSKEY	256 3 7 (
+					AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+					oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+					MFwieWYfDdgUnPxyKMM=
+					) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+			3600	DNSKEY	257 3 7 (
+					AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+					exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+					JH9YXitS21LMD0Hqp1s=
+					) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160224073150 29600 example.com.
+					WOtx+LBKbS2MOahlpDJMqgeH1TI5dZoQitmA
+					SOkDRlJgfPsiKeiaGMrnWN9xnPZOVr9MsInE
+					sKYjh6EZM1nuBQ== )
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160224073150 31323 example.com.
+					nL4eJLv62C56wexu10DMPHqXCXSE/3vRe4es
+					4e0e1CkY9bdj+LgLfgs7CH7UDNXFX2CxKxHd
+					mL4sp5AtaA8fnQ== )
+dns1.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160224073150 29600 example.com.
+					nn2dG+ORbcNQWHT87ijfOddx0SKCSE+8hAxt
+					SiQQpxAzPw13CZmnbYas8uvFFtth6U689V3h
+					rMzzZcxQEA1z8w== )
+			86400	NSEC	email.example.com. A RRSIG NSEC
+			86400	RRSIG	NSEC 7 3 86400 (
+					20840201000000 20160224073150 29600 example.com.
+					BFz1Z7dbBNgHXDOaufuCoIzGHbwyLUrA+Wad
+					QBPD9xCYkXHoHfvVOhtEeMR19Rz+fi6ottJI
+					4AWItiobBC/DAQ== )
diff --git a/tests/knot/semantic_check_data/cname_multiple.zone b/tests/knot/semantic_check_data/cname_multiple.zone
new file mode 100644
index 0000000..971c34f
--- /dev/null
+++ b/tests/knot/semantic_check_data/cname_multiple.zone
@@ -0,0 +1,15 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@	IN	SOA	dns1.example.com. hostmaster.example.com. (
+		2010111214	; serial
+		6h		; refresh
+		1h		; retry
+		1w		; expire
+		1d )		; minimum
+	NS	dns1
+
+dns1	A	192.0.2.1
+
+email	CNAME	mail
+email	CNAME	mail2
diff --git a/tests/knot/semantic_check_data/delegation.signed b/tests/knot/semantic_check_data/delegation.signed
new file mode 100644
index 0000000..2007216
--- /dev/null
+++ b/tests/knot/semantic_check_data/delegation.signed
@@ -0,0 +1,43 @@
+; Delegation NS and glue signed despite mustn't.
+
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	NS	dns1.example.com.
+			0	NSEC3PARAM 1 0 10 -
+
+example.com. 3600 DNSKEY 257 3 13 Yk8KOmyVzOij3x+Zs+eT4J2Up9+ipwXEKOhL9fTYY/DU10yIQt+zYm02UFZJX2oVTdHBCajpBFsZLH2X4ho1yw==
+example.com. 3600 DNSKEY 256 3 13 tCoteOM+A4o/A9uxgLyDg3HOg2DClU+3d+1XPQRtTfuaEFOGIpyH6qiFUv2b4DYuvmMyTkL99nxvyhA8yo0Cgg==
+example.com.        	3600	RRSIG	DNSKEY 13 2 3600 20400406103150 20210205090150 25674 example.com. 4tMK6g2B0ITXf2haSSuH45nO53GlpZQ97ofC5Pd/S38oeNzWmhfxIBaGtb597qxRA2NC7rYtGsscLrCa0sthMA==
+example.com.        	3600	RRSIG	NS 13 2 3600 20400406102301 20210205085301 61806 example.com. TrCJZgu1hVoUK532mmhQpZcEcPdw4FezPCymtUuQH9XjZNBn3DP/OhM8NvAbtailiOIX/djosTC2cNDlqSoVCQ==
+example.com.        	3600	RRSIG	SOA 13 2 3600 20400406102301 20210205085301 61806 example.com. h/+XG/WWQsoAuzOM2wiulY8TOslYTj4MyP7Rjj3VXx8frlheIN84yH7NL6Xgt3ibQJpJl7rujkDuoTBH+snnCw==
+example.com.        	0	RRSIG	NSEC3PARAM 13 2 0 20400406102301 20210205085301 61806 example.com. TYk9hqD6hWA8YH/G3VeggrUHb7CwX3ut5GGiAOcl9o8I0gdMIOu8E1uUukexvJsZAt1Fbcjc7ZIbsUmvgs2MVg==
+deleg.example.com.  	3600	RRSIG	NS 13 3 3600 20400406102301 20210205085301 61806 example.com. /Xg/3viyTMyd88hcByGifSMHGo3up83exBQQt4FC6qexZffRyNiLrHOfnoz/2LqFMg/oDVCsvqaEomiMM6FlZw==
+dns1.example.com.   	3600	RRSIG	A 13 3 3600 20400406102301 20210205085301 61806 example.com. zc6VOVGfgoB9C8/0WPHOVrdikBzK6xh25UtrdIYuSzcPWbFlWSsV3+xS1q20MBDb2dj635jcyBWRep+287rDLA==
+deleg.example.com.  	3600	RRSIG	A 13 3 3600 20400406103429 20210205090429 61806 example.com. 8hcIsHOARI1XXMcPXwtlmQC071+FBH+I0a6CufDbE7nPa38brBKomqTjiYF26K1KZ4IQASw5vvF0lFg3eEOZog==
+
+deleg.example.com.	3600	NS	deleg.example.com.
+deleg.example.com.  	3600	A	192.0.2.1
+dns1.example.com.	3600	A	192.0.2.1
+			3600	RRSIG	A 13 3 3600 (
+					20601231235959 20201008173641 61552 example.com.
+					URGzLYXySdeOtXWW5ph64pNedd7/cq0WYcbd
+					nArHBIN2S08knOfV/OHOMDaR7WufUbIF8bPQ
+					FxDkURlAhZbH9A== )
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 3600 IN NSEC3 1 0 10 - (
+					MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938
+					A RRSIG )
+MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938.example.com. 3600 IN NSEC3 1 0 10 - (
+					UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A
+					NS RRSIG )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 3600 IN NSEC3 1 0 10 - (
+					20G1GOL477RO51RK9A9NFD54TFQAL7IQ
+					NS SOA RRSIG DNSKEY NSEC3PARAM )
+
+20g1gol477ro51rk9a9nfd54tfqal7iq.example.com. 3600	RRSIG	NSEC3 13 3 3600 20400406102301 20210205085301 61806 example.com. LUBULY9667EsrOHecNjp2QkW9JJW1fOSyTmleWul7vGFwuNC1mKVUQu3H3V5ndtwzU1YD69oa6eI2DOERmiJXg==
+mjv836rjqej5ubghvksq7n44rso3q938.example.com. 3600	RRSIG	NSEC3 13 3 3600 20400406105733 20210205092733 61806 example.com. zYuSttG565eDv3FPeKfZs4FNuJHD204/8nv8cNx+9iqbxMdh5s1XJx4nolWyiOJcBq+G8CmtiuJK6plUs7x67w==
+utqvuhu2blk3dhmrr5t1hd9vteohqt0a.example.com. 3600	RRSIG	NSEC3 13 3 3600 20400406102301 20210205085301 61806 example.com. aMivM0YOs4Il/WRWqf3SRzh21nZXau7VIJOpX2NK46qxBCW41N/+J7rXaeAT15ayWNjCHP1YoDwyuC/lVZtCqg==
diff --git a/tests/knot/semantic_check_data/different_signer_name.signed b/tests/knot/semantic_check_data/different_signer_name.signed
new file mode 100644
index 0000000..ff92f7b
--- /dev/null
+++ b/tests/knot/semantic_check_data/different_signer_name.signed
@@ -0,0 +1,52 @@
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	RRSIG	SOA 13 2 3600 (
+					20601231235959 20201008164859 49259 example.com.
+					UH4IJhLwxWI9g2vycAuGAHm5XzsW5LKr6xeI
+					aoaiMeb1pepw9vAWEUO1Byimg7FfhvYpt7+J
+					IhYCvpBb6u3ucA== )
+			3600	NS	dns1.example.com.
+			3600	RRSIG	NS 13 2 3600 (
+					20601231235959 20201008164859 49259 example.com.
+					ou6B0AgSUxs7//b+c+Gm3XjC83TpgGvRwj9d
+					F48TEZCMRpdvtVNc1hDnNKa8oXA16TafbkqN
+					Z0ekrEo2LlN+hw== )
+			86400	NSEC	dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+			86400	RRSIG	NSEC 13 2 86400 (
+					20601231235959 20201008164859 49259 example.com.
+					uCzqU8DU8ZMt3t/h0jwZjdVgSj33HhwtGwhE
+					ZglZ0gUVDVLndP5Q+psqlz2jBmiXIN16s/+b
+					di0crJ9LULq0NA== )
+			3600	DNSKEY	256 3 13 (
+					qWpA6ejmc17FHZTN/YoYX4WdNN32LC2IlBmm
+					n2Yoi16OQ1e2ztEusvQaSwzEMbN2pIzfTIlF
+					YQQ1gzLQAhWIpg==
+					) ; ZSK; alg = ECDSAP256SHA256 ; key id = 49259
+			3600	DNSKEY	257 3 13 (
+					rHQi5BOkLnSsZh1v9saRZ38MkzYLL0oGbAK2
+					Dp86tH3lpDqPoR7LM98gyBLZgp81m0YHAYnf
+					2yK617XStIPw+A==
+					) ; KSK; alg = ECDSAP256SHA256 ; key id = 3753
+			3600	RRSIG	DNSKEY 13 2 3600 (
+					20601231235959 20201008164859 3753 example.com.
+					81C/yn0gxkwOMUWNZPszGow4UyDuDn1V4WQJ
+					NXJfNiTvT6edQ0rQakhJPGgVyH4LIwWJV8Uk
+					fOubCv7BBgu0wg== )
+dns1.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 13 3 3600 (
+					20601231235959 20201008164859 49259 example.com.
+					x6z2ftS2deCBR9HJeIazQNrDdzw0lEE04UYp
+					npUe2zkIx6aH7MvvgZIjcFTwPOVsI00u7gaU
+					AzuxODSma50TXQ== )
+			86400	NSEC	example.com. A RRSIG NSEC
+; different signer name in RRSIG
+			86400	RRSIG	NSEC 13 3 86400 (
+					20601231235959 20201008164859 49259 different.com.
+					K/URrUmli54Noy0E3REXBo/g0LZ/8gneyVfa
+					FrGXLB0kvQydPyceL+BFIoJP6d/Gs/0qkUjT
+					vMQfvF0x3bFS3w== )
diff --git a/tests/knot/semantic_check_data/dname_apex_nsec3.signed b/tests/knot/semantic_check_data/dname_apex_nsec3.signed
new file mode 100644
index 0000000..b083ce9
--- /dev/null
+++ b/tests/knot/semantic_check_data/dname_apex_nsec3.signed
@@ -0,0 +1,25 @@
+; Zone without any semantic error
+
+;; Zone dump (Knot DNS 2.6.0)
+example.com.        	3600	SOA	dns1.com. hostmaster.com. 2010111217 21600 3600 604800 86400
+example.com.        	3600	NS	dns1.com.
+example.com.        	3600	DNAME	bar.example.com.
+example.com.        	0	CDNSKEY	257 3 13 Yk8KOmyVzOij3x+Zs+eT4J2Up9+ipwXEKOhL9fTYY/DU10yIQt+zYm02UFZJX2oVTdHBCajpBFsZLH2X4ho1yw==
+example.com.        	0	CDS	25674 13 2 2EC05563A3537BD32EA3EB92C44794C644F249EE440785CF28207B903E35322D
+example.com.        	3600	DNSKEY	256 3 13 tCoteOM+A4o/A9uxgLyDg3HOg2DClU+3d+1XPQRtTfuaEFOGIpyH6qiFUv2b4DYuvmMyTkL99nxvyhA8yo0Cgg==
+example.com.        	3600	DNSKEY	257 3 13 Yk8KOmyVzOij3x+Zs+eT4J2Up9+ipwXEKOhL9fTYY/DU10yIQt+zYm02UFZJX2oVTdHBCajpBFsZLH2X4ho1yw==
+example.com.        	0	NSEC3PARAM	1 0 10 151E9F1094FE188F
+;; DNSSEC signatures
+example.com.        	3600	RRSIG	NS 13 2 3600 20400406111136 20210205094136 61806 example.com. WIlxYlV/hn9mfojITrVbIV+Giy9b5pAKofkw62Yli+jIspQ3dC/WWLrM5Y4HcQwTfNp7yuhIS0jPzkuy0xuAxg==
+example.com.        	3600	RRSIG	SOA 13 2 3600 20400406111136 20210205094136 61806 example.com. z71ipK0zBRKKokzXdoZdtkxGC75MJbwmICNjSfd+IX/hneIGvFE7mTose1Zbb0WGgKRdUMEoii7hLZLrx7waqg==
+example.com.        	3600	RRSIG	DNAME 13 2 3600 20400406111136 20210205094136 61806 example.com. 5tIYeBwbwpVF0X5ZLoSpHeB8IYLU5/2fFYXqvctZYqTO24T0EBfu+++j66VSERAI38xf2Z0KkYcwx1XeIeivBQ==
+example.com.        	3600	RRSIG	DNSKEY 13 2 3600 20400406111136 20210205094136 25674 example.com. X3n5YVkjpSpK+IOCkhv/wFmF5WIPHUR2LXkNME84i5S4efvQiRRq/jgqos2f7OgfSi/9Q2Q2x6BiMQ1vx/R+Pw==
+example.com.        	0	RRSIG	NSEC3PARAM 13 2 0 20400406111136 20210205094136 61806 example.com. gogp8pZycFopDodl4IOfpaKCbLqXw2v+5DcV2YwmHr/pMwrc28bClQxw4HVGcYQ13HpC9kKmzmcrn3dEumTb3A==
+example.com.        	0	RRSIG	CDS 13 2 0 20400406111136 20210205094136 25674 example.com. zRQEFycg2sNVVB4TOZO8QcMwRwSA7tHJqkc1l9V+WtEdJY8UvYpYPPgAn9FjWMzzhvRMlws89TBSsQzqCemHiQ==
+example.com.        	0	RRSIG	CDNSKEY 13 2 0 20400406111136 20210205094136 25674 example.com. hLOpPxmKXU//dmQoE5OdCqzWkkJsuBHa8QITWB/A3Tc2CXQTaqFKqTspZvTLOAYKNaSVu6BOLWM7Fi2Bq3I0mQ==
+;; DNSSEC NSEC3 chain
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600	NSEC3	1 1 10 151E9F1094FE188F ple28jlp3q5anh045ssk9f3u7ltd4qlc NS SOA DNAME RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY
+;; DNSSEC NSEC3 signatures
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600	RRSIG	NSEC3 13 3 3600 20400406111136 20210205094136 61806 example.com. C3JeKvcKdQO3zTJqg5Z114jTd36tgF7PIL2kCs7X6VnCaVe7E5NtwUuLMLFIw/gUqaLDbE7vQwHMK3Psl536aA==
+;; Written 17 records
+;; Time 2017-10-06 15:58:57 CEST
diff --git a/tests/knot/semantic_check_data/dname_children.zone b/tests/knot/semantic_check_data/dname_children.zone
new file mode 100644
index 0000000..5758833
--- /dev/null
+++ b/tests/knot/semantic_check_data/dname_children.zone
@@ -0,0 +1,16 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@	IN	SOA	dns1.example.com. hostmaster.example.com. (
+		2010111214	; serial
+		6h		; refresh
+		1h		; retry
+		1w		; expire
+		1d )		; minimum
+	NS	dns1
+
+dns1	A	192.0.2.1
+	AAAA	2001:DB8::1
+
+foo	DNAME	bar
+bar.foo	A	192.0.0.1
diff --git a/tests/knot/semantic_check_data/dname_extra_ns.zone b/tests/knot/semantic_check_data/dname_extra_ns.zone
new file mode 100644
index 0000000..e188742
--- /dev/null
+++ b/tests/knot/semantic_check_data/dname_extra_ns.zone
@@ -0,0 +1,16 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@	IN	SOA	dns1.example.com. hostmaster.example.com. (
+		2010111214	; serial
+		6h		; refresh
+		1h		; retry
+		1w		; expire
+		1d )		; minimum
+	NS	dns1
+
+dns1	A	192.0.2.1
+	AAAA	2001:DB8::1
+
+foo	DNAME	bar
+foo	NS	dns1
diff --git a/tests/knot/semantic_check_data/dname_multiple.zone b/tests/knot/semantic_check_data/dname_multiple.zone
new file mode 100644
index 0000000..2a6c0a2
--- /dev/null
+++ b/tests/knot/semantic_check_data/dname_multiple.zone
@@ -0,0 +1,16 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@	IN	SOA	dns1.example.com. hostmaster.example.com. (
+		2010111214	; serial
+		6h		; refresh
+		1h		; retry
+		1w		; expire
+		1d )		; minimum
+	NS	dns1
+
+dns1	A	192.0.2.1
+	AAAA	2001:DB8::1
+
+foo	DNAME	bar1
+foo	DNAME	bar2
diff --git a/tests/knot/semantic_check_data/dnskey_param_error.signed b/tests/knot/semantic_check_data/dnskey_param_error.signed
new file mode 100644
index 0000000..1a2e936
--- /dev/null
+++ b/tests/knot/semantic_check_data/dnskey_param_error.signed
@@ -0,0 +1,70 @@
+; Zone without any semantic error
+
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	RRSIG	SOA 7 2 3600 (
+					20840201000000 20160229083110 29600 example.com.
+					W9EprjaR4loSnNW96h4rLsquPDw3LHYvD05k
+					djkQofHSkMNZAJ7Q+eA3Fs2ik5fnJFM7wi5C
+					MtFsV2TfqMJFmg== )
+			3600	NS	dns1.example.com.
+			3600	RRSIG	NS 7 2 3600 (
+					20840201000000 20160229083110 29600 example.com.
+					I9Je1S7XhZIW9C0fWE8NwFLC2rhHklddNYBO
+					dxVKL/lxENU4jPPBwZBGrcYn2WVHgkIzjG0n
+					EOHONAgRFPi3Xw== )
+			3600	DNSKEY	1 3 7 (
+					AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+					oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+					MFwieWYfDdgUnPxyKMM=
+					) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+			3600	DNSKEY	257 5 7 (
+					AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+					exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+					JH9YXitS21LMD0Hqp1s=
+					) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160229083110 29600 example.com.
+					vO2UQiTN/CNUZOmSEg8kJlR/UqiAZHc4qMwj
+					9u31sbPmOMuni+ZGuVCFFoEMtZerIkkQowkB
+					sXJFkvCP5oF2rA== )
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160229083110 31323 example.com.
+					Z+aaLu4rmzekfhlj6A0ClREloRi8MloRHf/3
+					Dlw/RYY1hrOCfcZKEY6AXeVdUwESEsSkSOco
+					CbhyGHH10dKAAg== )
+			0	NSEC3PARAM 1 0 10 -
+			0	RRSIG	NSEC3PARAM 7 2 0 (
+					20840201000000 20160229083110 29600 example.com.
+					d69kc52VdALI8fbdbflsVsltc1m7bI6QsJ5U
+					IDE9fy5VqcufZecZMKuozPDuF2vBA8ADFIRU
+					OfYgKs6YNIOLWg== )
+deleg.example.com.	3600	IN NS	deleg.example.com.
+			3600	A	192.0.2.1
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 IN NSEC3 1 1 10 - (
+					UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A
+					A RRSIG )
+			86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160229083110 29600 example.com.
+					D24JCtCcNzwsY1FXVliAjxMm+x95N2eUTXn0
+					M8NK5glSk1yLtnAUKzHxpRExAJLGUiaG4yPu
+					2yGZuqwNvJztzw== )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 IN NSEC3 1 0 10 - (
+					20G1GOL477RO51RK9A9NFD54TFQAL7IQ
+					NS SOA RRSIG DNSKEY NSEC3PARAM )
+			86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160229083110 29600 example.com.
+					F7y+xW/C7iICgmZeYrF4e7Yx4kWZAZPAMzlu
+					PtWVuf37ySg1VfEWcQcDP04vF2rXVUqSMEcj
+					bqUVN5W8Hoazxw== )
+dns1.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160229083110 29600 example.com.
+					MoYrL/lToC4AHo6KCZRiBRmCMWHUAx2Xt32A
+					P4lDpwA+wiBWkCZSfVTh60AosS/BIGtBb2BK
+					mszMx8CLBvkjRg== )
diff --git a/tests/knot/semantic_check_data/duplicate.signature b/tests/knot/semantic_check_data/duplicate.signature
new file mode 100644
index 0000000..77bf21f
--- /dev/null
+++ b/tests/knot/semantic_check_data/duplicate.signature
@@ -0,0 +1,19 @@
+;; Zone dump (Knot DNS 2.5.0-dev)
+example.com.        	3600	SOA	dns1.example.com. hostmaster.example.com. 2010112269 10800 3600 1209600 7200
+example.com.        	3600	NS	dns1.example.com.
+example.com.        	3600	DNSKEY	256 3 7 AwEAAd0e6EjJ0PgChDpbjB9QtvJ0ZqwKC/j7wlEOOB9owqefH/taZ37w6QR8Ysvvv2058AflDcCP3qlaOXp+ogq7AhayA+K4kc/UQyTPCe2jXKlX9IB0KAsr8nO9UEXzjYuyBw80Ry86Xxmj7OGYRu8eRm3ruOjVJy8hCrEQ7680an303Iu3Ixnmo8lPTPPMg4dbFXZ/RW6Sanrr/Sy6fre87XY58yywqX9lZOh5eqBeZG9WvU/HycrDkx5AcwD5etVk98tVTnofShY34ePZWDmRHEtvBpMzNObdomgM5we+DawC6P+Z8PFeGz+OgN7WVzkjm+MmYAk1aIeLQyNIE8SyMts=
+example.com.        	3600	DNSKEY	257 3 7 AwEAAea81n0wL09ZMejh806rJ0Km3MYC+ySPWnOmV70nEmONbnduRPpXWjYSqFmH5kldfNdCH403kI/YCMYDYBAPFPbhxuZuVBaJJqOQVsI4rpwj+XiANfGFAq9pZ0oA8iH7gSoNUCf6+g2hcP0ajYoqCjUZ7ZZQNytV/x6foW5t5PbyPNeAU1AEKxk2VSg1TMfkccZqTIx1ofS0N102Z4tOBn26judPqLc0tXMCJc7wgekqG04IGe7UWfk9xWtwo2SbtX9diErF8DJ93C17OWkb04n1xCm3i8/XZadA/HrBjfX/NvlHF8qnUQzzxN7UGrvBD4hE12R9ICj4YNFZViOTdvs=
+dns1.example.com.   	3600	A	192.0.2.1
+;; DNSSEC signatures
+example.com.        	3600	RRSIG	NS 7 2 3600 20170403124401 20170403124311 40703 example.com. ltKNDw2O/sIwQUsv3UCKqOtZYvWNJ0mHo2xDxpzZXfAiMbgR4k7jBIkpSEpcBiBlH7EvWom7CYVigPu8Y+j/Jq4uv+wmVF47OVY3YZvuzfprWj+iOQwPlfDJfUPx+U+73SSsZ21B5/+auB5cada730B4gQKmldleVGg5aov4H2+BpEyrsSs2o79qiXNBzLPqrZEmT0nfUAvQC8xhFV/71I8Q5qtfa3vO6DLSOBmBUtAlGKqfpWoZ2w+QDdA6rtOe0haizTZUtghL2ut47bdTR253brhUccL6nnLc5//jTUBToIhmG/p698xLnU9BYnuHIi74xsb3hVr5b46W5gAGKw==
+example.com.        	3600	RRSIG	SOA 7 2 3600 20170403124401 20170403124311 40703 example.com. E9a+I8HDh6ycTVkFgOWkzbH7PWds7ewp1M5lUci13ZzMVWsJeFW7t1tLnnOtvz2H8pq5/BevPB8iZBA7rHH7GxoQ5P8xrxAO6HvuRZT8O4kYAWRZ0QHhMIvY8f6VqTyoOmzgIGt0nJ3BL/XJgxIiFrsiLyih6+dkckEu62F22+FFvlv49ufKkCo+EUQPCzo7ZYODc8xKWo97SmaADzjfz7Hq9UPHraUgLhNkfBDbI9YPCGKaJaAiqCBy/6ih3SyHxVPLcIz95okeo5AJVszFIS+8pNPZssJBpWsLKYyAGzs2dsliRwS9z+a3wkHXJIfbLX+r3kGhcG4lQMYDz9SrFA==
+example.com.        	7200	RRSIG	NSEC 7 2 7200 20170403124401 20170403124311 40703 example.com. poh0BT+nUD3sM05axVGC+k7jj1r3YVNcx4bn/0cviNxzCqLY9RGgImPWsmkTgbJpmCox9SHzpTqL8acIQDNZaciNH9WeYKvn7wkap3z6jtCuQRezM3nUx7E37fzbnNC8MUoWkV37y3FSmtiza9l1isrE5dGkNMOsBcPvIp5wrbQ+dH4cMdcgQuW+NDjee6czIeeYtyarBWhq30S2lxroh8VXlrFDTcbiIY4UoGzJDfevvsonNFQXc+p7qq2fU1fyU1e3Ugty9I23g6fLhLcrmflVbYpcgE8/02K4asu5D7x/dOq21OU/jJfeudk66l6CVw7c3Qh/N63jRn8SsCj0Sg==
+example.com.        	3600	RRSIG	DNSKEY 7 2 3600 20170403124401 20170403124311 5154 example.com. RmAPllqg+CEX+vj5KKmXGYsF8vqbqLoXSYqSOSWbvgWRazKaQU98fpJWdrmqylkR6Xa1fnbvliP4N/0MGremNejsNPvMsJ4GvpyM75Mb4BEf5mwwikW6xov9V/n1AN9grWofj/r5evsZYcxIR7naM9oxV6qJvy8fFIjthG805MO18bYk1/Och2x9TgUf6DTqKNBHQjk1AfrhVvpuLjdNnNT16Ak3izrCLOm2tuNTaflkYkD0n06ZIAsz1krJWztpncA2csnKQmdybSL95wZnFeb6nkmq+P5vk3PuTENIMURYMCNfzBHogLfbVG5HpDhaHkcM2zSe1qATbp9xRZujLw==
+dns1.example.com.   	3600	RRSIG	A 7 3 3600 20170403124401 20170403124311 40703 example.com. iYfVT+HPDqMyH9f8aLrzNK6sOCoo38tlRJ5tjiko0DOpsWp20LLgVQLvKsTs3SfdC0gYzMVQCgzfDMbAgrEvmm4ZEQT/NSUhcO2t08f6pABn6GSdoswFupi0LGdQmgj/MbOET02OTALh9I6g3Ir1+bF+C10GS/8CYqffO/52IEJylc6AzDCwAjfkI/55hsuv2H8Wp5cqEG5yAlL4fK+U2zQWEuAGOtGbEuzeKcEDV6iiAuFge7ClW+CbB3gQxEhDdx5TQNNAcpzHmum5yfsfcFkIezZqIzEvOQWg1nJVcLvYnuBqyMWv/uGbG4CxTDy49U9JB/6QfilMk38VVcitZA==
+dns1.example.com.   	7200	RRSIG	NSEC 7 3 7200 20170403124401 20170403124311 40703 example.com. gtRE8TafAp50tzk3rAub93X69pp4J7uPzXPM0UAAp97oVMqcqvuZh80fICLmKl7xShvBx+AYfV+2CoeMW66CXVHTP8CyIjLyi32EGgL75Y2xs55/lEOaMl8hREgxniopCWGX/5vjmY0SBdGWVQVyeQeb0DbTXFWQNw/1LUPueoM1zqGcHFKFt5Y1GidboUEDsNeCmG3ZzGV9/v9sVUezzDK53uaHm8Ojz6E4N7kg6qXDF32ZAxs0dDjh46bsaTNvMLCEXqO2imHx9Omc2wYyCt/roMoeYiulXQ7yHYt0yQuCYwqxxMqJ4z9jvLNdLxH3YZYV0CVUrNgNC/5vtUILsQ==
+dns1.example.com.   	3600	RRSIG	A 7 3 3600 20170216152943 20170216152853 45258 example.com. j7H3N22L+tqfwuSd4GhIwMyjrFSY3+kypIcOvg0Ipbj4pAHsJOJTiW454Ueq54G/0ntoHxgmGLv3d/EV9prMPPQz8eqtRcYFip2NuEF9bJsIG3SMy+0HolPK+8D7B0MOGFA2TExKNknS7sJy/Jn/yQrf7BHubC61zWnqB+vN7MNlJASXEvy3008oi4FScSsrAVIrZK+z7utY4exkCVfELC7flGenoyPDFR12y8WpN/Tk6q1H37x+EKaQgFj361Bm6f/InPKW8Npn/SNCIJ2DvSWAnj6+2n1mse0sC+rKhRIDMDopu7JzTjpVs9U/p9BY5dtH/3YvST4Vz3syqd1unA==
+;; DNSSEC NSEC chain
+example.com.        	7200	NSEC	dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+dns1.example.com.   	7200	NSEC	example.com. A RRSIG NSEC
+;; Written 13 records
+;; Time 2017-04-03 14:43:12 CEST
diff --git a/tests/knot/semantic_check_data/glue_apex_both.missing b/tests/knot/semantic_check_data/glue_apex_both.missing
new file mode 100644
index 0000000..74e37f6
--- /dev/null
+++ b/tests/knot/semantic_check_data/glue_apex_both.missing
@@ -0,0 +1,14 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@	IN	SOA	dns1.example.com. hostmaster.example.com. (
+		2010111217	; serial
+		6h		; refresh
+		1h		; retry
+		1w		; expire
+		1d )		; minimum
+
+	NS	dns1
+	NS	dns2
+
+; missing glue for dns1 and dns2
diff --git a/tests/knot/semantic_check_data/glue_apex_one.missing b/tests/knot/semantic_check_data/glue_apex_one.missing
new file mode 100644
index 0000000..47ee797
--- /dev/null
+++ b/tests/knot/semantic_check_data/glue_apex_one.missing
@@ -0,0 +1,16 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@	IN	SOA	dns1.example.com. hostmaster.example.com. (
+		2010111217	; serial
+		6h		; refresh
+		1h		; retry
+		1w		; expire
+		1d )		; minimum
+
+	NS	dns1
+	NS	dns2
+
+dns1	A	192.0.2.1
+
+; missing glue for dns2
diff --git a/tests/knot/semantic_check_data/glue_besides.missing b/tests/knot/semantic_check_data/glue_besides.missing
new file mode 100644
index 0000000..38ad890
--- /dev/null
+++ b/tests/knot/semantic_check_data/glue_besides.missing
@@ -0,0 +1,17 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@	IN	SOA	dns1.example.com. hostmaster.example.com. (
+		2010111217	; serial
+		6h		; refresh
+		1h		; retry
+		1w		; expire
+		1d )		; minimum
+
+	NS	dns1
+
+dns1	A	192.0.2.1
+
+deleg	NS	dns2	
+
+; missing glue for dns2
diff --git a/tests/knot/semantic_check_data/glue_deleg.missing b/tests/knot/semantic_check_data/glue_deleg.missing
new file mode 100644
index 0000000..291b450
--- /dev/null
+++ b/tests/knot/semantic_check_data/glue_deleg.missing
@@ -0,0 +1,17 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@	IN	SOA	dns1.example.com. hostmaster.example.com. (
+		2010111217	; serial
+		6h		; refresh
+		1h		; retry
+		1w		; expire
+		1d )		; minimum
+
+	NS	dns1
+
+dns1	A	192.0.2.1
+
+deleg	NS	ns1.deleg
+
+; missing glue for ns1.deleg
diff --git a/tests/knot/semantic_check_data/glue_in_apex.missing b/tests/knot/semantic_check_data/glue_in_apex.missing
new file mode 100644
index 0000000..a02f6bf
--- /dev/null
+++ b/tests/knot/semantic_check_data/glue_in_apex.missing
@@ -0,0 +1,13 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@	IN	SOA	dns1.example.com. hostmaster.example.com. (
+		2010111217	; serial
+		6h		; refresh
+		1h		; retry
+		1w		; expire
+		1d )		; minimum
+
+	NS	@
+
+; missing glue for @
diff --git a/tests/knot/semantic_check_data/glue_in_deleg.valid b/tests/knot/semantic_check_data/glue_in_deleg.valid
new file mode 100644
index 0000000..42adf6b
--- /dev/null
+++ b/tests/knot/semantic_check_data/glue_in_deleg.valid
@@ -0,0 +1,16 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@	IN	SOA	dns1.example.com. hostmaster.example.com. (
+		2010111217	; serial
+		6h		; refresh
+		1h		; retry
+		1w		; expire
+		1d )		; minimum
+
+	NS	ns2.d
+
+d	NS	ns1.d
+ns1.d	A	1.2.3.4
+
+; glue below another delegation is not mandatory
diff --git a/tests/knot/semantic_check_data/glue_no_foreign.valid b/tests/knot/semantic_check_data/glue_no_foreign.valid
new file mode 100644
index 0000000..4cdcbe0
--- /dev/null
+++ b/tests/knot/semantic_check_data/glue_no_foreign.valid
@@ -0,0 +1,13 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@	IN	SOA	dns1.example.com. hostmaster.example.com. (
+		2010111217	; serial
+		6h		; refresh
+		1h		; retry
+		1w		; expire
+		1d )		; minimum
+
+	NS	foreign.
+
+; glue for foreign. is not mandatory
diff --git a/tests/knot/semantic_check_data/glue_wildcard.valid b/tests/knot/semantic_check_data/glue_wildcard.valid
new file mode 100644
index 0000000..9e36b5e
--- /dev/null
+++ b/tests/knot/semantic_check_data/glue_wildcard.valid
@@ -0,0 +1,22 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@	IN	SOA	dns1.example.com. hostmaster.example.com. (
+		2010111217	; serial
+		6h		; refresh
+		1h		; retry
+		1w		; expire
+		1d )		; minimum
+
+	NS	dns1
+
+dns1	A	1.2.3.4
+
+abc	NS	a.ns.abc
+deleg1	NS	a.ns.abc
+deleg2	NS	a.ns.ns.ns.ns.xyz
+
+; wildcard glue
+
+*.ns.abc	AAAA	::1
+*.ns.xyz	AAAA	::2
diff --git a/tests/knot/semantic_check_data/invalid_ds.signed b/tests/knot/semantic_check_data/invalid_ds.signed
new file mode 100644
index 0000000..2435014
--- /dev/null
+++ b/tests/knot/semantic_check_data/invalid_ds.signed
@@ -0,0 +1,106 @@
+
+
+deleg.example.com.	3600	IN NS	deleg.example.com.
+			3600	A	192.0.2.1
+			3600	IN	DS 60485 5 3 ( 2BB183AF5F22588179A53B0A
+					               98631FAD1A292118 )
+			3600	IN	DS 60485 5 7 ( 2BB183AF5F22588179A53B0A
+					               98631FAD1A292118 )
+
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 IN NSEC3 1 0 10 - (
+					6DFJITU5VML86QNKU9FO2LJDDQQTQPVT 
+					A RRSIG )
+6DFJITU5VML86QNKU9FO2LJDDQQTQPVT.example.com. 86400 IN NSEC3 1 1 10 - (
+					UI312KQOP1NG8IQEIEFNPSLA94KB5Q92
+					A RRSIG )
+UI312KQOP1NG8IQEIEFNPSLA94KB5Q92.example.com. 86400 IN NSEC3 1 0 10 - (
+					UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A 
+					A RRSIG)
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 IN NSEC3 1 0 10 - (
+					20G1GOL477RO51RK9A9NFD54TFQAL7IQ
+					NS SOA RRSIG DNSKEY NSEC3PARAM )
+
+UI312KQOP1NG8IQEIEFNPSLA94KB5Q92.example.com. 86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160302125715 29600 example.com.
+					DummySignatureDummySignature4ey0Qcln
+					uquQZT+z2HIdCE9HeslAkTlu/Xt78vF4+3db
+					t2Vno21DkteA+w== )
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160302125715 29600 example.com.
+					DummySignatureDummySignature4ey0Qcln
+					uquQZT+z2HIdCE9HeslAkTlu/Xt78vF4+3db
+					t2Vno21DkteA+w== )
+6DFJITU5VML86QNKU9FO2LJDDQQTQPVT.example.com. 86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160302125715 29600 example.com.
+					KElp8dLKBKFzgEFV8r5aP9pCyYUD+Z8rLBA9
+					KkCDm1y82x5T/Cu5UXuZJwhvDGDzwPqoY5Dr
+					Qbiek52n6umbEw== )
+
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160302125715 29600 example.com.
+					DPwNyH7r/4wIBfTGxikNv4pY7omY6IqpQS6Q
+					jtTNuStA+5gk98dvcgRjluxqo/+ZlZz4V53f
+					1y506ytGbX/q4Q== )
+
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	RRSIG	SOA 7 2 3600 (
+					20840201000000 20160302125715 29600 example.com.
+					bGk1vLxVuJpcEy7n0gPvQVzfanbvINLJLcbD
+					eeie4sXZZAOwu6oQZy6kd8tvKtV4mL0OJzpH
+					XCO6BdZkmk/aQA== )
+			3600	NS	dns1.example.com.
+			3600	RRSIG	NS 7 2 3600 (
+					20840201000000 20160302125715 29600 example.com.
+					roe4aBp4G3TqQ4x5eRxbVIjApIh17gXDjfOY
+					zvRFLOkrwqKz3eX9WrRiCk3bYNn8s1fuenaQ
+					OSV1D5SL7utX5w== )
+			3600	DNSKEY	256 3 7 (
+					AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+					oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+					MFwieWYfDdgUnPxyKMM=
+					) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+			3600	DNSKEY	257 3 7 (
+					AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+					exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+					JH9YXitS21LMD0Hqp1s=
+					) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160302125715 29600 example.com.
+					c1yhXb8wRGYndpVqG61+lHAAbZg+JcVYGPX3
+					Fw0jYigN4G+P0+VUCqPLkC4yfJylzuefyGfk
+					TUmriM3ihfXxIg== )
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160302125715 31323 example.com.
+					mZiLLTzbdaj7EJ8uj3TwvcvAfaMxYjyavlGT
+					qpa+cElfvBDm7R6MF4MaEQ9aZ2ylMt1lppjq
+					YyYRaaQC6yhm4g== )
+			0	NSEC3PARAM 1 0 10 -
+			0	RRSIG	NSEC3PARAM 7 2 0 (
+					20840201000000 20160302125715 29600 example.com.
+					K3PkVYZZV8QvZFtDsz9+ZfiM9wDkFu/eO2S5
+					tAtCXd1fktcW44TLWL0qADfFEEcMotvzLqv1
+					YJrD7TvrFDot8Q== )
+
+
+
+dns1.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160302125715 29600 example.com.
+					vlzRtVFa44pRtdD8XZcgDa6021uA9A3TnNEw
+					5jRnor4aoftUuVQNAanQMCgrWk63d14XZ2d0
+					lqhxunAbh08dsQ== )
+
+www.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160302125715 29600 example.com.
+					NWFuYaSEg3z3K4l/fHu/X9dK+rDZ177BbCNN
+					ZeFTPCAdOnX0nw1CQys629k7Vzdv1pHaanmy
+					0Ru0tX9R65NlKw== )
+
+
diff --git a/tests/knot/semantic_check_data/missing.signed b/tests/knot/semantic_check_data/missing.signed
new file mode 100644
index 0000000..75c7d22
--- /dev/null
+++ b/tests/knot/semantic_check_data/missing.signed
@@ -0,0 +1,20 @@
+;; Zone dump (Knot DNS 2.5.0-dev)
+example.com.        	3600	SOA	dns1.example.com. hostmaster.example.com. 1081539379 3600 300 3600000 3600
+example.com.        	3600	NS	dns1.example.com.
+example.com.        	3600	DNSKEY	256 3 7 AwEAAaBgc4O+4UWd7mzSyelnPb/le/x0q/E90B/xnlf56kgEFMvEGz++o6CMRXr5JfgyxDDsahxTwFoWu30KJry4MjgcwlETM63DFpIYtyDBsi8TlQFEp5NDrlYUWlPGiPfywZBVkHGFMcFct+5/ZalTzYIP39tDytZcPZ/IgQRQZA9qeHYIw51YX9IlNMalHFCtJyrpzCdo22FY/vwBwSbdCa+vzkH1Uu8JkIqyAvAGkuwVisgpMpzWhvJNi5WSAnQfwOcsYCftINAHdRXtuqyG+uU/RDcZ2psx+woi+mYzEPeYV9MEqWpDyIz7jS7e1hK/1o05+qY8Eu2gt4enRj9BQr0=
+example.com.        	3600	DNSKEY	256 3 7 AwEAAfcfJSUnim+cR3YEc4VfdJ5W65GNlK0LQaAh6vAejH7uol8VYmXdlyz+wlhad+DyRM5Jl+XJVFMMyFUqWx+Q63DPRtl+TlN/2pWU2gsNHUoovFhFpdX1cQMVoxr2QLgsm1ASTeqvZV8Dn0xAlNRihNv877sTySjveaH0JpuVCMpe5DB1zVbAzLgDqFKAvwJCumdycp7RzMi9PqS1XtsEInKi+X/zZteTJbDO7l+tFt9/NgFxiaLgNo8Gz2oVBTQvAbjCDEi2mPA/YJrpOGZWNkB2L9HFSfzZih8BbgUI3Fh4lhS8XCVrfVV7K9YR2F5NBVi7h0Mk15hzNsSS7tRK1FM=
+example.com.        	3600	DNSKEY	257 3 7 AwEAAcjdwuJkjM8G5rk967z1cJqF88BqpvN2GN/6Tj1XA5AbIx+33qy5JI6K43ehlT/neLizOCk/JyXaw8gcjQaDKcIy0vKysXvI6yK4PNgHTdzQunBqGTfvPDlXKCle550R/DJF2OZH/T7jgX2GhQlem6UB3A23n24YP50IzAmXK9RYdE/dMFXU5jEz+CjcHNkB8ZCb2VrKE9RDjY88vr6lyM2kPbvBtx4UaUSEzwlDMRc3Wf+dBWKm6mKWAPsHZM/cux+S2mca/cxEA1ngCgBBbm7824WjTXgDs14QWuwruMTqLPDujUYND5kbsiuhQsfEFGVq2UyhGEZG/NoIEEg7qLc=
+dns1.example.com.   	3600	AAAA	2001:db8::3
+;; DNSSEC signatures
+example.com.        	3600	RRSIG	NS 7 2 3600 20840201000000 20160302125715 7242 example.com. B/6k7YAQGkiz6IkssLZblExgMZBE+Flkhv/leVgvM4RLPPpQ2znouYyrSbVCcU5irA7PFLbee5Mn1aWj2S57L8yGJjHBuamQSIO0GcvGcmXi1CrdaYXSofo3PtnKpM8/mG3+8RCUL5YhoxhTK4Y5gJrYGPkRPKsBTw2Qd2TUJFebtYgCuGN8Q3UwbeYPw89rNbqC3a7zsGwJoZKgDnm3NwCWcv6NRTcQA/H5v6T0/QvYbZpBMrjl3EiAWOccdUlQnALngGSzbJ2GnmK933VXYhuAoSKEN6thauOBSLkdCh9afkUzo/t7xhTJszo0F1uuavs8PYf3HjmdnMwdPMkUuQ==
+example.com.        	3600	RRSIG	SOA 7 2 3600 20840201000000 20160302125715 7242 example.com. dHmPqRl9snHFavwkkAFZqHDmvUrI3+e+dmEexqgW9txr30fbrkeGAp6ApdZlqJiDTJ/2q0UoyQxSYe/BzgV4gEBgTTgfmC7m9eHVLTD70KMlNuvwC4jkh1vWT1Zn6IFUsQtJ+54XfRTe/2VHyeK7saqsA/ARRZGOzk6To8CWxNCApUdLZMQO9UTX7uVcXKkPvfMvlhx1fmn4OE8ntwbY1oPosQb987N8V8x9Rb2hINr4DCkXNDydDZAh4vsZO0DHPlmyfkyNguQDmdgnDz1CVbJzguy8tqeMGT7CrwU8AmX3JADQTHoxjnWEidLLUa/gNDRFcRc5YMcdZyImHqdNZQ==
+example.com.        	3600	RRSIG	NSEC 7 2 3600 20840201000000 20160302125715 7242 example.com. bjw2G/BwF2xTP/QSkKqdr7byUS+nqMvfppuhZmH0VcysAKN2oqsV51bn7gWej6dnx0svtX7nCOlwdDFSCMJld5BGZFnAfhS+XVc/wTeZGMi1BkeJxlT3UbGLhf2DuLLyL969HPltL527vSysjBEmi7OsTlH+wXD6SW35ZClajNSRLjxrRpVHTGpA5uyyysHRYNXAKS3+SSc1N/Fovjgzi68exWD0BKTGia7Nf9Fn+bqvhbYh+pMHA7djPFJIsER3OCBx7H1KMxl6rap7Q3rC0I289xnnsOqRh/GnzSVgvobKWozOOs9XXNg+w9ioSos+kbzTxxSEvLKqNBgCbLjUHg==
+example.com.        	3600	RRSIG	DNSKEY 7 2 3600 20840201000000 20160302125715 37855 example.com. EHXazcQ27b5Cjqd1T8TAui2PrUqEq7cBxk45OA8BfBDmOuH2vXFVL+juCM2gCvQ+0oZmcJmpkjMCxUqQekXgxRy21PlEzJfR3VHRDSYCSogR9cCLw9T9OiFXugZAtYcLVXVHddKu0+t5yeQqdStgLBiz9EmeuPFYd/h/BxKI8FGx/TjHNzd06SKgxlZAT/vCGhEswgSIpxJm4Ju561vT2/Hh+NmD4jIKVf0OUSkfRVRbxpzMs0HaZx6s0T2mcL8so/rEXjSIORkw56Q7x3EmYQDxNJjoNo4nHKT0/pciCey+vHj9pxxaiave8wLBG96JpgJgSV7BG8TTbE2q62wX1Q==
+dns1.example.com.   	3600	RRSIG	AAAA 7 3 3600 20840201000000 20160302125715 7242 example.com. h0oZ7ghuhANB27zD+M1m0NyVUHND7g2qI1IfEKDjMzZ34wyqM0xWLm/Izln86ol4naDvJU3a7hsJS/95DdvW/s711Oi2nKhX/Hkjvnzu8WVcf5DvEKYQe/fyZ676hnwviKqFzwmfTAKgIuSvt2uZzJkpcyL8ZE6O/GdPrcR6rTuuDI30F4zXIWPmuMNLR2qJv59DwM0tZScLdmRGKGnZNpdxDvtbCsZrXBUPrOE5XpAw+fe8+oL3UEeKQZq8qFhVvegl4TAuk1a8CS+zG4E1ABQKp86J1h0G4l/ajmWqq2T59lHsBAOuX0IbKHEHIJzwRd9EV7LM59EtJVacx8ZCkw==
+dns1.example.com.   	3600	RRSIG	NSEC 7 3 3600 20840201000000 20160302125715 7242 example.com. Pq6F6akEhyIqch7vwWJ5C53FW1UW/Y8vseFqB6tzql5bnIYjEwikgiWR85uvSUNGvsjHbadBYiVh2i68k80ws/2LecQCvguSH+rMkqqY9go+pBh3pdiNlJaJZp3zJQ6+E35xOA+p0G5t84Et3satJl3OcpVthrdBKuotpDg4P+nOpfLHkI3FO5vehxs71HmESQli5JllhPNMH6WZfWsP74D4DgRjUpIK9hGznCeuZxJT5+S5wL4fzqb+P20W30bsQqMbo9GNdPy5AdbwZoEKJVoN3HC/sv03ScQzWUxjamHCQOeZFys25fFlh7+JU1xYSb3V/fPhUUuf7OsBVvn7+g==
+mail.example.com.   	7200	RRSIG	NSEC 7 3 7200 20840201000000 20160302125715 19578 example.com. gjNXoKVddN+Z3MmHXxs0v4Gv/3zaTAg0mBSLkSp8Ion6qKj/aR2y50QhNfZGVEZSmyerDiaVpfPMN+q9mwx+6xmv4/G97DkadXBYt5IXGR1fXhMCF+RLJb5ePYjQKSk2TfRMJAlk1Mowfvlp8rXFrT576y2F+IXKbpiJOdRt/13Wo5IUbw6LLFDOeZ3fUiZtBmoWTTjBnrGWYdb+ePcSXID+qM5TmRXqIOFceJvt/RhGZ5LYAchgM2sZDf4Asacxg6Z6vS2cA1opTLMAIu+cuEmq61cSJxWHblfXIpPMXFG+4i+nkCxEFxWyxt9edlAeHS/l2AiHQl5QeuzwEjFI2g==
+;; DNSSEC NSEC chain
+example.com.        	3600	NSEC	dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+dns1.example.com.   	3600	NSEC	example.com. AAAA RRSIG NSEC
+;; Written 14 records
+;; Time 2017-03-31 15:38:20 CEST
diff --git a/tests/knot/semantic_check_data/no_error_delegation_bitmap.signed b/tests/knot/semantic_check_data/no_error_delegation_bitmap.signed
new file mode 100644
index 0000000..abbf088
--- /dev/null
+++ b/tests/knot/semantic_check_data/no_error_delegation_bitmap.signed
@@ -0,0 +1,61 @@
+; Zone without any semantic error
+
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	RRSIG	SOA 13 2 3600 (
+					20601231235959 20201008173446 32411 example.com.
+					/R/djqaZWRo1zCmz7B58/93D8ZxJoZAAKEbH
+					xuCsAJ5dm2ubvtgvqmhNXMqdVBvpb2OPdBX8
+					VF1j9RsjuE7ORQ== )
+			3600	NS	dns1.example.com.
+			3600	RRSIG	NS 13 2 3600 (
+					20601231235959 20201008173446 32411 example.com.
+					AmyqpqMfMEztA9S1Urv6yEtKd5yc6kkSedRU
+					uLp7velyCkipFzWgpzRVDqn+wp2ZaHig0Fod
+					kryw3j4yHOLlHA== )
+			86400	NSEC	deleg.example.com. NS SOA RRSIG NSEC DNSKEY
+			86400	RRSIG	NSEC 13 2 86400 (
+					20601231235959 20201008173446 32411 example.com.
+					9tR3kL4pVEYsHzt888pbP0TtS/npeApAEUfZ
+					L5rXQE0WqBLQGtyEPYxujFuaruvxH0SgLl6r
+					n6MKCEB07DjhTA== )
+			3600	DNSKEY	256 3 13 (
+					C7v6eelCoXgBoUjHe/gKdsnWNw04GH7PpYMo
+					2hF5jaeq1zkLSXkF2xS/04MgBTFFYuDU+LGt
+					8kMKNc8o2wH2jQ==
+					) ; ZSK; alg = ECDSAP256SHA256 ; key id = 32411
+			3600	DNSKEY	257 3 13 (
+					m6KdGBizfDaUhcW+nIHuRdufZFcSYlZ5Xoky
+					+GcH23OxZtPzPwKwpg5rTx+RCRPlVpmwyiW3
+					aC69n0Q8mr8NpA==
+					) ; KSK; alg = ECDSAP256SHA256 ; key id = 60051
+			3600	RRSIG	DNSKEY 13 2 3600 (
+					20601231235959 20201008173446 60051 example.com.
+					SD4149dui/vuky4G6wiJQLUw5b8XpG+Cy/cf
+					+9CSbuKWHRcC1K0wVEw6xyEah6eD/7Sh0eFA
+					EECgej5etJbL3A== )
+deleg.example.com.	3600	IN NS	deleg.example.com.
+			3600	A	192.0.2.1
+			86400	NSEC	dns1.example.com. NS RRSIG NSEC
+			86400	RRSIG	NSEC 13 3 86400 (
+					20601231235959 20201008173446 32411 example.com.
+					HFA1XBdjaUvb8lbyhXVDYxTUn8Nr2HNC5ktc
+					kPBW2AGMQiVUtyR3vPxUIiusxsQn+uyRL2QC
+					NBG3ANo5exT8ug== )
+dns1.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 13 3 3600 (
+					20601231235959 20201008173446 32411 example.com.
+					4NLhmO0Sa3yk1ZikWSRYEX0FpHK0NkTGk++h
+					RHJO3E9M6Og1am/PiPf67DAe/2n4ANItC/SH
+					u/1WSvYQV7OZqg== )
+			86400	NSEC	example.com. A RRSIG NSEC
+			86400	RRSIG	NSEC 13 3 86400 (
+					20601231235959 20201008173446 32411 example.com.
+					pQgr7WzGpL8gbbAcbeYEIYBLq8lCAuE9NaUf
+					itYKBFh7Cbg4YrLOoeAV6v6V4tfZPpmNpd2U
+					9VUrY9es4QfX6Q== )
diff --git a/tests/knot/semantic_check_data/no_error_nsec3_optout.signed b/tests/knot/semantic_check_data/no_error_nsec3_optout.signed
new file mode 100644
index 0000000..a03f4ea
--- /dev/null
+++ b/tests/knot/semantic_check_data/no_error_nsec3_optout.signed
@@ -0,0 +1,29 @@
+; Zone without any semantic error
+
+;; Zone dump (Knot DNS 3.1.dev.1612270066.d215637a6)
+example.com.        	3600	SOA	dns1.example.com. hostmaster.example.com. 2010111222 21600 3600 604800 86400
+example.com.        	3600	NS	dns1.example.com.
+example.com.        	0	CDNSKEY	257 3 13 Yk8KOmyVzOij3x+Zs+eT4J2Up9+ipwXEKOhL9fTYY/DU10yIQt+zYm02UFZJX2oVTdHBCajpBFsZLH2X4ho1yw==
+example.com.        	0	CDS	25674 13 2 2EC05563A3537BD32EA3EB92C44794C644F249EE440785CF28207B903E35322D
+example.com.        	3600	DNSKEY	256 3 13 tCoteOM+A4o/A9uxgLyDg3HOg2DClU+3d+1XPQRtTfuaEFOGIpyH6qiFUv2b4DYuvmMyTkL99nxvyhA8yo0Cgg==
+example.com.        	3600	DNSKEY	257 3 13 Yk8KOmyVzOij3x+Zs+eT4J2Up9+ipwXEKOhL9fTYY/DU10yIQt+zYm02UFZJX2oVTdHBCajpBFsZLH2X4ho1yw==
+example.com.        	0	NSEC3PARAM	1 0 10 151E9F1094FE188F
+deleg.example.com.  	3600	NS	deleg.example.com.
+deleg.example.com.  	3600	A	192.0.2.1
+dns1.example.com.   	3600	A	192.0.2.1
+;; DNSSEC signatures
+example.com.        	3600	RRSIG	NS 13 2 3600 20400406110811 20210205093811 61806 example.com. VD3IclxLUSi1tgv4+FJ+9e3EWiRny6de1y4jUFn1Ama8+Cl2vZO2Jc34Q9MKY/S9m4id7Xe8MtkkrKThQcaaXw==
+example.com.        	3600	RRSIG	SOA 13 2 3600 20400406110811 20210205093811 61806 example.com. BniH53lEM1hYGcorTmqF7At3+neZkifPT1sM15nGlQUQ6RfkPxh7Uy8Pj3PxLL5v7WDTyFGbLVThEFWZUh/h6w==
+example.com.        	3600	RRSIG	DNSKEY 13 2 3600 20400406110811 20210205093811 25674 example.com. 3FSDEJ9f54++FX/EHWXXnbHW8iJPaDG4kc7qf772y62dtqTfAvb22lq2yKzCOaRFFwpPKEdcS4OEkhx0IbC27w==
+example.com.        	0	RRSIG	NSEC3PARAM 13 2 0 20400406110811 20210205093811 61806 example.com. BTT+7Gj8V2pATxogxJ8xEO5eiVHoVIDxdK60zDS3MWNcbUc/n9vJR8NrCECel9egQUWrejawikO4DkyQxLZpkw==
+example.com.        	0	RRSIG	CDS 13 2 0 20400406110811 20210205093811 25674 example.com. h43kZiM1EFETWQEtMM8Xls/RFDsAkLIpLf+DUnJ+zzxv37xpGvtf/s//3ew9qEhouBnGh/1FWtNr8vjhzh0tsg==
+example.com.        	0	RRSIG	CDNSKEY 13 2 0 20400406110811 20210205093811 25674 example.com. 4mf7C/zyWoFRllUEaLHpdxJdlbEQXIRKNH6JOH3sTKSQMGj1SMmkWm9qlO9tVaUm1ggB6r8TPWgrAUBG+4A9gQ==
+dns1.example.com.   	3600	RRSIG	A 13 3 3600 20400406110811 20210205093811 61806 example.com. lMj63MgZYiCl6Fdf0Q5C4/K99AAXTqCI9HSBQcrc7qiZDjRpZXzBUO8yv7+5JSMIo/A3tJtQL/12VFPGZ9NQ5w==
+;; DNSSEC NSEC3 chain
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600	NSEC3	1 1 10 151E9F1094FE188F rvcd9h11kcnenarqcmtmrhusdmb24rm4 NS SOA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY
+rvcd9h11kcnenarqcmtmrhusdmb24rm4.example.com. 3600	NSEC3	1 1 10 151E9F1094FE188F ple28jlp3q5anh045ssk9f3u7ltd4qlc A RRSIG
+;; DNSSEC NSEC3 signatures
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600	RRSIG	NSEC3 13 3 3600 20400406110811 20210205093811 61806 example.com. 7AdxaQLQ16ORwtf3t9lNQrzOP1BKu0TOIiKfx8/7o0JKoVtDYjqTC+ilWSD/Mbfb6PI6ND3NQKsIbnApOa2SUA==
+rvcd9h11kcnenarqcmtmrhusdmb24rm4.example.com. 3600	RRSIG	NSEC3 13 3 3600 20400406110811 20210205093811 61806 example.com. bOUzqzuIhV/SPyXiFOgsJbnS77dijFWcLDY/0X3r9aNiAo3/vSE4OTT0f6CkcBQDka+LjIoRaE7NIaTMl24fdg==
+;; Written 21 records
+;; Time 2021-02-05 12:08:11 CET
diff --git a/tests/knot/semantic_check_data/no_rrsig.signed b/tests/knot/semantic_check_data/no_rrsig.signed
new file mode 100644
index 0000000..6a3161b
--- /dev/null
+++ b/tests/knot/semantic_check_data/no_rrsig.signed
@@ -0,0 +1,48 @@
+dns1.example.com.	3600	IN A	192.0.2.1
+			86400	NSEC	example.com. A NSEC
+; missing RRSIGs
+
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	RRSIG	SOA 7 2 3600 (
+					20840201000000 20160224081310 29600 example.com.
+					ieEKhIV69ywg+YFSqdz0t17eE+PLl1eR4kpv
+					Mq6Q6TfjC7V5/PcFW6KRoP50RFp4m4cD0E7T
+					GpmpnPF++QV1Vw== )
+			3600	NS	dns1.example.com.
+			3600	RRSIG	NS 7 2 3600 (
+					20840201000000 20160224081310 29600 example.com.
+					kYbAbCGzyWPBEfc0TH1calUiKsZi12MH3TNV
+					7vtjOvIYEqeNmuJkrw899a7nOPNoahB6h7o/
+					DXuRlFqYYCC16Q== )
+			86400	NSEC	dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+			86400	RRSIG	NSEC 7 2 86400 (
+					20840201000000 20160224081310 29600 example.com.
+					PchT9RWRkLCMxWAQ3ut6LZlh4MYT4CkAPThQ
+					cnIn0ORi/fVgGzlifQ88xfEdEr1ZoXk9PlhT
+					5b+wocBOl2HhGg== )
+			3600	DNSKEY	256 3 7 (
+					AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+					oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+					MFwieWYfDdgUnPxyKMM=
+					) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+			3600	DNSKEY	257 3 7 (
+					AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+					exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+					JH9YXitS21LMD0Hqp1s=
+					) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160224081310 29600 example.com.
+					JLcSyR8KgSicUou0c7Zs7Ol1DYiaQ8Lfyort
+					8a+5OP3em3r3NH1nJkiVfs8+xdvUcGlGkbib
+					RKlfRWiIcOEalQ== )
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160224081310 31323 example.com.
+					EQMX5DPXhwa+blMRkzl+swUW3BtzpGJ5tGEU
+					hkH7bJfM51gIAO5qnUO/mMPnEA8b4dc20nnZ
+					8j8lETDjqBLgDQ== )
diff --git a/tests/knot/semantic_check_data/no_rrsig_with_delegation.signed b/tests/knot/semantic_check_data/no_rrsig_with_delegation.signed
new file mode 100644
index 0000000..2c36b9b
--- /dev/null
+++ b/tests/knot/semantic_check_data/no_rrsig_with_delegation.signed
@@ -0,0 +1,61 @@
+ns.deleg.example.com.	3600	IN A	192.168.0.2
+deleg.example.com.	3600	IN NS	ns.deleg.example.com.
+			86400	NSEC	dns1.example.com. NS NSEC
+; missing RRSIG for NSEC record
+
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	RRSIG	SOA 7 2 3600 (
+					20840201000000 20160224081610 29600 example.com.
+					HhnlCtlIaZFVklpzVUnzm6AzFd65CSc4WCJL
+					f2o7Gkevu+HTnkiPN6gqtERC/BKJz1EKd2fC
+					KDyLxXw6KeTRAw== )
+			3600	NS	dns1.example.com.
+			3600	RRSIG	NS 7 2 3600 (
+					20840201000000 20160224081610 29600 example.com.
+					rcHuZd9wTYykzis+9Z8uyqD8V9h22szf2bmE
+					GYNyJBlHZO0sOmys31xnvDfQ9sdk9hf1TUfB
+					9ACGIF5lDHBEog== )
+			86400	NSEC	deleg.example.com. NS SOA RRSIG NSEC DNSKEY
+			86400	RRSIG	NSEC 7 2 86400 (
+					20840201000000 20160224081610 29600 example.com.
+					YGSe1OINjOY3I8BY1EoxcOJsDZ/DjGCT5nqY
+					J6BBjTcbT5S1W61SN50xc2sGB4Q8F2KTotAe
+					arzn4DGDt9mOMw== )
+			3600	DNSKEY	256 3 7 (
+					AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+					oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+					MFwieWYfDdgUnPxyKMM=
+					) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+			3600	DNSKEY	257 3 7 (
+					AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+					exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+					JH9YXitS21LMD0Hqp1s=
+					) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160224081610 29600 example.com.
+					rdmqHOUXqhwrJusNt/7FTV+AtO/v6Md3LXzj
+					/QzR/pCADNC6ZA+FvqaOycnUxoryKk7PY3pM
+					5ispCMuEx/1OGA== )
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160224081610 31323 example.com.
+					jELyXsaJx+G4heZJ96dyE12hSyTNFazwWDkq
+					1Mkja9/bTTdYAd+t8fhf/c35bUiTVJWMivJe
+					+YcCwqGf2U+2zw== )
+dns1.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160224081610 29600 example.com.
+					ln2xuvghOWBDOfyk19Wwtv3oc8+1go3WQuMf
+					vel5x/uHVx6voNA25cpFIQ6nPlCo8pmd5R3w
+					paMxgoQtBkzBcA== )
+			86400	NSEC	example.com. A RRSIG NSEC
+			86400	RRSIG	NSEC 7 3 86400 (
+					20840201000000 20160224081610 29600 example.com.
+					EEKcIegUeyn/1FIgxHV+gSX3b/ygQPAcjD8g
+					aCt1yiO0B1xmVm09RJNxzCLaTKxQENhxIoUZ
+					2l7250pBQnrlAQ== )
diff --git a/tests/knot/semantic_check_data/ns_apex.missing b/tests/knot/semantic_check_data/ns_apex.missing
new file mode 100644
index 0000000..fd7b7be
--- /dev/null
+++ b/tests/knot/semantic_check_data/ns_apex.missing
@@ -0,0 +1,11 @@
+$ORIGIN example.com.
+$TTL 3600
+
+@	IN	SOA	dns1.example.com. hostmaster.example.com. (
+		2010111214	; serial
+		6h		; refresh
+		1h		; retry
+		1w		; expire
+		1d )		; minimum
+
+; missing NS in apex
diff --git a/tests/knot/semantic_check_data/nsec3_chain_01.signed b/tests/knot/semantic_check_data/nsec3_chain_01.signed
new file mode 100644
index 0000000..cd90b9f
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec3_chain_01.signed
@@ -0,0 +1,80 @@
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 IN NSEC3 1 0 10 - (
+					MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938
+					A RRSIG )
+MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938.example.com. 86400 IN NSEC3 1 0 10 - (
+					20G1GOL477RO51RK9A9NFD54TFQAL7IQ ; wrong next record
+					NS )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 IN NSEC3 1 0 10 - (
+					20G1GOL477RO51RK9A9NFD54TFQAL7IQ
+					NS SOA RRSIG DNSKEY NSEC3PARAM )
+; RRSIGs for NSEC3s
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160229140652 29600 example.com.
+					PjEM7Bxxb7w67366fKCLkR9BVFAL0RI8RJCZ
+					5aqoMVuy+ui7MLKxKT2LfeTHgBw1Cww1bbJw
+					Ip2zu0/ZGPfKzA== )
+MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938.example.com. 86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160229140652 29600 example.com.
+					DUMMYDUMMYDUMMYgc7Jx/FgAlruRjwsS/YJa
+					sZRspDGZhSqK2daV5K0lmK+XL8BoOtp7aXtq
+					VER5XcWLOebCdw== )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160229140652 29600 example.com.
+					XsJa0IUE2ddTohJmiuNVd/Po1ZOK0PDCuU7/
+					CS0/wiZ5ZlxPdVUAYXuC7HhGH+ZPsqwZ4oUU
+					ToDbFqfdzmC1XQ== )
+
+; other zone data without error
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	RRSIG	SOA 7 2 3600 (
+					20840201000000 20160229140652 29600 example.com.
+					u5QMvOSkZBUM5tLiEAq3A+x4Ha17ZsNUYqeI
+					SuYA1+NbaBDxAtT6scB9aeA4lOTQ0TZvpGFE
+					YF/XxGtqvwdZ8g== )
+			3600	NS	dns1.example.com.
+			3600	RRSIG	NS 7 2 3600 (
+					20840201000000 20160229140652 29600 example.com.
+					ELZOh4iS9DpAafa8NTaI/eNL3Qwy+lsmgrzF
+					7jaoR5yOURl/RZSJY+m9Peaq4ALcROdGJ0O4
+					miSpdTIZsBSGZg== )
+			3600	DNSKEY	256 3 7 (
+					AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+					oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+					MFwieWYfDdgUnPxyKMM=
+					) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+			3600	DNSKEY	257 3 7 (
+					AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+					exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+					JH9YXitS21LMD0Hqp1s=
+					) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160229140652 29600 example.com.
+					sjxCP/grgOR+4vmXw7HU/hGSx5dS5QxM00IA
+					gZNJ6Lqf+4OSL3TEa1/qqRSFTl5uv3rqh5W4
+					8p2JoT1ZkcJj6w== )
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160229140652 31323 example.com.
+					jrH48r1iPFRfbyIZWcARQrejVgrE9v8qqt4R
+					uPHjz5t7PYmZYH544SI9HtaWGkIJ9jzlxr5l
+					ikCWo1we50y9Lg== )
+			0	NSEC3PARAM 1 0 10 -
+			0	RRSIG	NSEC3PARAM 7 2 0 (
+					20840201000000 20160229140652 29600 example.com.
+					yIXzhQw8c/c/in+doXX5JmqoGiqoYD2Hhw6d
+					/aGXc5QLQqxyATXln02vkwt1d7DK/ha1vkfx
+					bvGdduXDQ7YZ+g== )
+deleg.example.com.	3600	IN NS	deleg.example.com.
+			3600	A	192.0.2.1
+
+dns1.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160229140652 29600 example.com.
+					aMRzV/1+m9wQHWezSiwkmDEbnS85wB9dA5x/
+					u2P7NPsgwMnRdfpVIMfaVhSJH88i5OlLTvL1
+					sSK+RADpuoqnLA== )
diff --git a/tests/knot/semantic_check_data/nsec3_chain_02.signed b/tests/knot/semantic_check_data/nsec3_chain_02.signed
new file mode 100644
index 0000000..ca70cfa
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec3_chain_02.signed
@@ -0,0 +1,94 @@
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 IN NSEC3 1 0 10 - (
+					6DFJITU5VML86QNKU9FO2LJDDQQTQPVT
+					A RRSIG )
+6DFJITU5VML86QNKU9FO2LJDDQQTQPVT.example.com. 86400 IN NSEC3 1 0 10 - (
+					20G1GOL477RO51RK9A9NFD54TFQAL7IQ ; wrong next
+					A RRSIG )
+MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938.example.com. 86400 IN NSEC3 1 0 10 - (
+					UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A
+					NS )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 IN NSEC3 1 0 10 - (
+					MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938 ; wrong next
+					NS SOA RRSIG DNSKEY NSEC3PARAM )
+
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160302125715 29600 example.com.
+					oErbN3Xw+0zAqkz5KC5nOsINblBc4ey0Qcln
+					uquQZT+z2HIdCE9HeslAkTlu/Xt78vF4+3db
+					t2Vno21DkteA+w== )
+6DFJITU5VML86QNKU9FO2LJDDQQTQPVT.example.com. 86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160302125715 29600 example.com.
+					DummySignatureDummySignature+Z8rLBA9
+					KkCDm1y82x5T/Cu5UXuZJwhvDGDzwPqoY5Dr
+					Qbiek52n6umbEw== )
+MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938.example.com. 86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160302125715 29600 example.com.
+					ep1TVqEISn2ZOiBtizK2eyuuhsYyD37X9Bw2
+					9JOkecZnmzCwBqfMCBvRYmNRpMd512+ZnW/I
+					1vIViE7CGwkHyA== )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160302125715 29600 example.com.
+					DummySignatureDummySginature6IqpQS6Q
+					jtTNuStA+5gk98dvcgRjluxqo/+ZlZz4V53f
+					1y506ytGbX/q4Q== )
+
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	RRSIG	SOA 7 2 3600 (
+					20840201000000 20160302125715 29600 example.com.
+					bGk1vLxVuJpcEy7n0gPvQVzfanbvINLJLcbD
+					eeie4sXZZAOwu6oQZy6kd8tvKtV4mL0OJzpH
+					XCO6BdZkmk/aQA== )
+			3600	NS	dns1.example.com.
+			3600	RRSIG	NS 7 2 3600 (
+					20840201000000 20160302125715 29600 example.com.
+					roe4aBp4G3TqQ4x5eRxbVIjApIh17gXDjfOY
+					zvRFLOkrwqKz3eX9WrRiCk3bYNn8s1fuenaQ
+					OSV1D5SL7utX5w== )
+			3600	DNSKEY	256 3 7 (
+					AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+					oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+					MFwieWYfDdgUnPxyKMM=
+					) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+			3600	DNSKEY	257 3 7 (
+					AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+					exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+					JH9YXitS21LMD0Hqp1s=
+					) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160302125715 29600 example.com.
+					c1yhXb8wRGYndpVqG61+lHAAbZg+JcVYGPX3
+					Fw0jYigN4G+P0+VUCqPLkC4yfJylzuefyGfk
+					TUmriM3ihfXxIg== )
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160302125715 31323 example.com.
+					mZiLLTzbdaj7EJ8uj3TwvcvAfaMxYjyavlGT
+					qpa+cElfvBDm7R6MF4MaEQ9aZ2ylMt1lppjq
+					YyYRaaQC6yhm4g== )
+			0	NSEC3PARAM 1 0 10 -
+			0	RRSIG	NSEC3PARAM 7 2 0 (
+					20840201000000 20160302125715 29600 example.com.
+					K3PkVYZZV8QvZFtDsz9+ZfiM9wDkFu/eO2S5
+					tAtCXd1fktcW44TLWL0qADfFEEcMotvzLqv1
+					YJrD7TvrFDot8Q== )
+deleg.example.com.	3600	IN NS	deleg.example.com.
+			3600	A	192.0.2.1
+
+dns1.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160302125715 29600 example.com.
+					vlzRtVFa44pRtdD8XZcgDa6021uA9A3TnNEw
+					5jRnor4aoftUuVQNAanQMCgrWk63d14XZ2d0
+					lqhxunAbh08dsQ== )
+
+www.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160302125715 29600 example.com.
+					NWFuYaSEg3z3K4l/fHu/X9dK+rDZ177BbCNN
+					ZeFTPCAdOnX0nw1CQys629k7Vzdv1pHaanmy
+					0Ru0tX9R65NlKw== )
diff --git a/tests/knot/semantic_check_data/nsec3_chain_03.signed b/tests/knot/semantic_check_data/nsec3_chain_03.signed
new file mode 100644
index 0000000..80112f8
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec3_chain_03.signed
@@ -0,0 +1,94 @@
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 IN NSEC3 1 0 10 - (
+					UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A ; wrong next
+					A RRSIG )
+6DFJITU5VML86QNKU9FO2LJDDQQTQPVT.example.com. 86400 IN NSEC3 1 0 10 - (
+					MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938
+					A RRSIG )
+MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938.example.com. 86400 IN NSEC3 1 0 10 - (
+					6DFJITU5VML86QNKU9FO2LJDDQQTQPVT ; wrong next
+					NS )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 IN NSEC3 1 0 10 - (
+					20G1GOL477RO51RK9A9NFD54TFQAL7IQ
+					NS SOA RRSIG DNSKEY NSEC3PARAM )
+
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160302125715 29600 example.com.
+					DummySignatureDummySignature4ey0Qcln
+					uquQZT+z2HIdCE9HeslAkTlu/Xt78vF4+3db
+					t2Vno21DkteA+w== )
+6DFJITU5VML86QNKU9FO2LJDDQQTQPVT.example.com. 86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160302125715 29600 example.com.
+					KElp8dLKBKFzgEFV8r5aP9pCyYUD+Z8rLBA9
+					KkCDm1y82x5T/Cu5UXuZJwhvDGDzwPqoY5Dr
+					Qbiek52n6umbEw== )
+MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938.example.com. 86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160302125715 29600 example.com.
+					DummySignatureDummySignatureD37X9Bw2
+					9JOkecZnmzCwBqfMCBvRYmNRpMd512+ZnW/I
+					1vIViE7CGwkHyA== )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160302125715 29600 example.com.
+					DPwNyH7r/4wIBfTGxikNv4pY7omY6IqpQS6Q
+					jtTNuStA+5gk98dvcgRjluxqo/+ZlZz4V53f
+					1y506ytGbX/q4Q== )
+
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	RRSIG	SOA 7 2 3600 (
+					20840201000000 20160302125715 29600 example.com.
+					bGk1vLxVuJpcEy7n0gPvQVzfanbvINLJLcbD
+					eeie4sXZZAOwu6oQZy6kd8tvKtV4mL0OJzpH
+					XCO6BdZkmk/aQA== )
+			3600	NS	dns1.example.com.
+			3600	RRSIG	NS 7 2 3600 (
+					20840201000000 20160302125715 29600 example.com.
+					roe4aBp4G3TqQ4x5eRxbVIjApIh17gXDjfOY
+					zvRFLOkrwqKz3eX9WrRiCk3bYNn8s1fuenaQ
+					OSV1D5SL7utX5w== )
+			3600	DNSKEY	256 3 7 (
+					AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+					oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+					MFwieWYfDdgUnPxyKMM=
+					) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+			3600	DNSKEY	257 3 7 (
+					AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+					exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+					JH9YXitS21LMD0Hqp1s=
+					) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160302125715 29600 example.com.
+					c1yhXb8wRGYndpVqG61+lHAAbZg+JcVYGPX3
+					Fw0jYigN4G+P0+VUCqPLkC4yfJylzuefyGfk
+					TUmriM3ihfXxIg== )
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160302125715 31323 example.com.
+					mZiLLTzbdaj7EJ8uj3TwvcvAfaMxYjyavlGT
+					qpa+cElfvBDm7R6MF4MaEQ9aZ2ylMt1lppjq
+					YyYRaaQC6yhm4g== )
+			0	NSEC3PARAM 1 0 10 -
+			0	RRSIG	NSEC3PARAM 7 2 0 (
+					20840201000000 20160302125715 29600 example.com.
+					K3PkVYZZV8QvZFtDsz9+ZfiM9wDkFu/eO2S5
+					tAtCXd1fktcW44TLWL0qADfFEEcMotvzLqv1
+					YJrD7TvrFDot8Q== )
+deleg.example.com.	3600	IN NS	deleg.example.com.
+			3600	A	192.0.2.1
+
+dns1.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160302125715 29600 example.com.
+					vlzRtVFa44pRtdD8XZcgDa6021uA9A3TnNEw
+					5jRnor4aoftUuVQNAanQMCgrWk63d14XZ2d0
+					lqhxunAbh08dsQ== )
+
+www.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160302125715 29600 example.com.
+					NWFuYaSEg3z3K4l/fHu/X9dK+rDZ177BbCNN
+					ZeFTPCAdOnX0nw1CQys629k7Vzdv1pHaanmy
+					0Ru0tX9R65NlKw== )
diff --git a/tests/knot/semantic_check_data/nsec3_ds.signed b/tests/knot/semantic_check_data/nsec3_ds.signed
new file mode 100644
index 0000000..ad5da7c
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec3_ds.signed
@@ -0,0 +1,57 @@
+
+
+deleg.example.com.	3600	IN NS	deleg.example.com.
+			3600	A	192.0.2.1
+			3600	IN	DS 60485 5 2 ( 4EFB4310DB01A42E7882E102
+					               7A73CC28E2E0FE938F2D5888
+					               A0DA0005B99E7FF8 )
+deleg.example.com.	3600	IN	RRSIG DS 7 3 3600 (
+					20840201000000 20160302125715 29600 example.com.
+					DummySignatureDummySignature4ey0Qcln
+					uquQZT+z2HIdCE9HeslAkTlu/Xt78vF4+3db
+					t2Vno21DkteA+w== )
+
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 3600 IN NSEC3 1 0 10 - (
+					6DFJITU5VML86QNKU9FO2LJDDQQTQPVT 
+					A RRSIG )
+6DFJITU5VML86QNKU9FO2LJDDQQTQPVT.example.com. 3600 IN NSEC3 1 1 10 - (
+					UI312KQOP1NG8IQEIEFNPSLA94KB5Q92
+					A RRSIG )
+UI312KQOP1NG8IQEIEFNPSLA94KB5Q92.example.com. 3600 IN NSEC3 1 0 10 - (
+					UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A 
+					A RRSIG)
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 3600 IN NSEC3 1 0 10 - (
+					20G1GOL477RO51RK9A9NFD54TFQAL7IQ
+					NS SOA RRSIG DNSKEY NSEC3PARAM )
+
+20g1gol477ro51rk9a9nfd54tfqal7iq.example.com. 3600	RRSIG	NSEC3 13 3 3600 20400406101515 20210205084515 61806 example.com. k2hYD9qbLM8cRuN1fcLar/GsSufK/5oQYxRnE9bUDiKvC1WhCDF3pee6MSqybb3LoNkQUeOgGV4jdzvslzDlhQ==
+6dfjitu5vml86qnku9fo2ljddqqtqpvt.example.com. 3600	RRSIG	NSEC3 13 3 3600 20400406101515 20210205084515 61806 example.com. fGQRezo0T9Hd1tGJqhCXPyLONKSxOPmX1Kl7MjD1OVDLg9l5Ei9DmhrpCFxahXMBGIA4yy1J7mSK3PqelPMyFw==
+ui312kqop1ng8iqeiefnpsla94kb5q92.example.com. 3600	RRSIG	NSEC3 13 3 3600 20400406101515 20210205084515 61806 example.com. 6AmfjUgzO4Ew9FmW6koVhQ+98Vd7xI7kpFXwj8wb4ObmuM8uFu6tpvcT/jDcUduFuUb//DS5fS9fXraLNL8JUQ==
+utqvuhu2blk3dhmrr5t1hd9vteohqt0a.example.com. 3600	RRSIG	NSEC3 13 3 3600 20400406101515 20210205084515 61806 example.com. WMvFzIf9Ekvr0UVRzbZpxUAjT2Sf2KgsXek6iG786Iw6nZ/rzPVNlfNLhWvdqQmi5LEDp03UExshDlPz3JgOkQ==
+
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	NS	dns1.example.com.
+			0	NSEC3PARAM 1 0 10 -
+dns1.example.com.	3600	IN A	192.0.2.1
+www.example.com.	3600	IN A	192.0.2.1
+
+example.com. 3600 DNSKEY 257 3 13 Yk8KOmyVzOij3x+Zs+eT4J2Up9+ipwXEKOhL9fTYY/DU10yIQt+zYm02UFZJX2oVTdHBCajpBFsZLH2X4ho1yw==
+example.com. 3600 DNSKEY 256 3 13 tCoteOM+A4o/A9uxgLyDg3HOg2DClU+3d+1XPQRtTfuaEFOGIpyH6qiFUv2b4DYuvmMyTkL99nxvyhA8yo0Cgg==
+example.com.        	3600	RRSIG	DNSKEY 13 2 3600 20400405162736 20210204145736 25674 example.com. 5nIsRsT30KNhPS/i8rNhT/C3uPli0jb+7fLYL+eHKggTHk5UK69Z5EHA/ISKnbEOMIQA3QJ98XNreLJk+sTZ4w==
+
+example.com.        	3600	RRSIG	NS 13 2 3600 20400405162736 20210204145736 61806 example.com. nzKbYNX9cbrf3zNMSRK4ftG/p4DLn/uB3BM29txIj0nyKxL1cmK0wsTltGmwLzJTegBy/LV1VtMudDLWEFU3sQ==
+example.com.        	3600	RRSIG	SOA 13 2 3600 20400405162736 20210204145736 61806 example.com. HvtxfzCSLHjFSHuAyO+KKymy/vxOGLS8T1DuhfAoUtweHv1zVeYfbFOfCdcfs15PKO31ldqwWRvFWAhM+3hnrA==
+example.com.        	0	RRSIG	NSEC3PARAM 13 2 0 20400405162736 20210204145736 61806 example.com. 8uDKYTVd+XuYFyzf/aNm6kMjZhbI8r+22v1AuuYYqgP5aH6/ZFXusczSGkPdcauVIgKLV1I7dBBQkQm2LNIqAA==
+deleg.example.com.  	3600	RRSIG	A 13 3 3600 20400405162736 20210204145736 61806 example.com. beD3O8cnCQ+8HWZpn35gFrR2tLkb9tGpe143BfUA0aOkAr2PdK9CUBs47uSyWAATYoa11gtxxdFUzW6coa7l/w==
+deleg.example.com.  	3600	RRSIG	NS 13 3 3600 20400405162736 20210204145736 61806 example.com. HJCAXBevueFA2BOP6eOnsbP1X+2VUQRGXRcYI2SDqqq4U2DQHWQMOfI+pKVpkfdc8D6qDYnFZSg6II/dDJQ0AQ==
+deleg.example.com.  	3600	RRSIG	DS 13 3 3600 20400405162736 20210204145736 61806 example.com. DhZsh6wiPACEUz7GY4WpvcIrMOF+sU27kJAGKaCcpxv9jQBY7Jpf/otRf+yn+Bmm32RZUr5swSXMXAvDtCj6qA==
+dns1.example.com.   	3600	RRSIG	A 13 3 3600 20400405162736 20210204145736 61806 example.com. z/pEp4EcGkmy+niefZRLgRo1LraBlJABdgpSo94cYEqJM3GBMHsPZeAKmqnMAYA5Nz0hQtTplqS3rsJHJJdQ7w==
+www.example.com.    	3600	RRSIG	A 13 3 3600 20400405162736 20210204145736 61806 example.com. FpOwodJYlk3NxEEjGvY75r8Ptef13P4Um9N74NxV1QWQlqtBhg+1bndvaY376uBFVDFGsEiDFEgIoFL0Ao+PeA==
+
+
diff --git a/tests/knot/semantic_check_data/nsec3_missing.signed b/tests/knot/semantic_check_data/nsec3_missing.signed
new file mode 100644
index 0000000..4974956
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec3_missing.signed
@@ -0,0 +1,120 @@
+
+; extra record without corresponding NSEC3
+extra.example.com.	3600	IN A	1.2.3.4
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160302125715 29600 example.com.
+					DummySignatureDummySignature12345678
+					123456789123456789123456789123456789
+					lqhxunAbh08dsQ== )
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 IN NSEC3 1 0 10 - (
+					6DFJITU5VML86QNKU9FO2LJDDQQTQPVT 
+					A RRSIG )
+6DFJITU5VML86QNKU9FO2LJDDQQTQPVT.example.com. 86400 IN NSEC3 1 0 10 - (
+					MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938
+					A RRSIG )
+MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938.example.com. 86400 IN NSEC3 1 0 10 - (
+					UI312KQOP1NG8IQEIEFNPSLA94KB5Q92 
+					NS )
+UI312KQOP1NG8IQEIEFNPSLA94KB5Q92.example.com. 86400 IN NSEC3 1 0 10 - (
+					UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A 
+					A RRSIG)
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 IN NSEC3 1 0 10 - (
+					20G1GOL477RO51RK9A9NFD54TFQAL7IQ
+					NS SOA RRSIG DNSKEY NSEC3PARAM )
+
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 IN A 1.2.3.4
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400	RRSIG	A 7 3 86400 (
+					20840201000000 20160302125715 29600 example.com.
+					DPwNyH7r/4wIBfTGxikNv4pY7omY6IqpQS6Q
+					jtTNuStA+5gk98dvcgRjluxqo/+ZlZz4V53f
+					1y506ytGbX/q4Q== )
+
+
+UI312KQOP1NG8IQEIEFNPSLA94KB5Q92.example.com. 86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160302125715 29600 example.com.
+					DummySignatureDummySignature4ey0Qcln
+					uquQZT+z2HIdCE9HeslAkTlu/Xt78vF4+3db
+					t2Vno21DkteA+w== )
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160302125715 29600 example.com.
+					DummySignatureDummySignature4ey0Qcln
+					uquQZT+z2HIdCE9HeslAkTlu/Xt78vF4+3db
+					t2Vno21DkteA+w== )
+6DFJITU5VML86QNKU9FO2LJDDQQTQPVT.example.com. 86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160302125715 29600 example.com.
+					KElp8dLKBKFzgEFV8r5aP9pCyYUD+Z8rLBA9
+					KkCDm1y82x5T/Cu5UXuZJwhvDGDzwPqoY5Dr
+					Qbiek52n6umbEw== )
+MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938.example.com. 86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160302125715 29600 example.com.
+					DummySignatureDummySignatureD37X9Bw2
+					9JOkecZnmzCwBqfMCBvRYmNRpMd512+ZnW/I
+					1vIViE7CGwkHyA== )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160302125715 29600 example.com.
+					DPwNyH7r/4wIBfTGxikNv4pY7omY6IqpQS6Q
+					jtTNuStA+5gk98dvcgRjluxqo/+ZlZz4V53f
+					1y506ytGbX/q4Q== )
+
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	RRSIG	SOA 7 2 3600 (
+					20840201000000 20160302125715 29600 example.com.
+					bGk1vLxVuJpcEy7n0gPvQVzfanbvINLJLcbD
+					eeie4sXZZAOwu6oQZy6kd8tvKtV4mL0OJzpH
+					XCO6BdZkmk/aQA== )
+			3600	NS	dns1.example.com.
+			3600	RRSIG	NS 7 2 3600 (
+					20840201000000 20160302125715 29600 example.com.
+					roe4aBp4G3TqQ4x5eRxbVIjApIh17gXDjfOY
+					zvRFLOkrwqKz3eX9WrRiCk3bYNn8s1fuenaQ
+					OSV1D5SL7utX5w== )
+			3600	DNSKEY	256 3 7 (
+					AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+					oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+					MFwieWYfDdgUnPxyKMM=
+					) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+			3600	DNSKEY	257 3 7 (
+					AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+					exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+					JH9YXitS21LMD0Hqp1s=
+					) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160302125715 29600 example.com.
+					c1yhXb8wRGYndpVqG61+lHAAbZg+JcVYGPX3
+					Fw0jYigN4G+P0+VUCqPLkC4yfJylzuefyGfk
+					TUmriM3ihfXxIg== )
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160302125715 31323 example.com.
+					mZiLLTzbdaj7EJ8uj3TwvcvAfaMxYjyavlGT
+					qpa+cElfvBDm7R6MF4MaEQ9aZ2ylMt1lppjq
+					YyYRaaQC6yhm4g== )
+			0	NSEC3PARAM 1 0 10 -
+			0	RRSIG	NSEC3PARAM 7 2 0 (
+					20840201000000 20160302125715 29600 example.com.
+					K3PkVYZZV8QvZFtDsz9+ZfiM9wDkFu/eO2S5
+					tAtCXd1fktcW44TLWL0qADfFEEcMotvzLqv1
+					YJrD7TvrFDot8Q== )
+deleg.example.com.	3600	IN NS	deleg.example.com.
+			3600	A	192.0.2.1
+
+dns1.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160302125715 29600 example.com.
+					vlzRtVFa44pRtdD8XZcgDa6021uA9A3TnNEw
+					5jRnor4aoftUuVQNAanQMCgrWk63d14XZ2d0
+					lqhxunAbh08dsQ== )
+
+www.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160302125715 29600 example.com.
+					NWFuYaSEg3z3K4l/fHu/X9dK+rDZ177BbCNN
+					ZeFTPCAdOnX0nw1CQys629k7Vzdv1pHaanmy
+					0Ru0tX9R65NlKw== )
+
+
diff --git a/tests/knot/semantic_check_data/nsec3_optout.signed b/tests/knot/semantic_check_data/nsec3_optout.signed
new file mode 100644
index 0000000..c9caa5d
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec3_optout.signed
@@ -0,0 +1,81 @@
+
+; insecure delegation, not covered by NSEC3 or opt-out
+zzz.example.com.	3600	IN NS	zzz.example.com.
+			3600	A	192.0.2.1
+
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	RRSIG	SOA 7 2 3600 (
+					20840201000000 20160229083110 29600 example.com.
+					W9EprjaR4loSnNW96h4rLsquPDw3LHYvD05k
+					djkQofHSkMNZAJ7Q+eA3Fs2ik5fnJFM7wi5C
+					MtFsV2TfqMJFmg== )
+			3600	NS	dns1.example.com.
+			3600	RRSIG	NS 7 2 3600 (
+					20840201000000 20160229083110 29600 example.com.
+					I9Je1S7XhZIW9C0fWE8NwFLC2rhHklddNYBO
+					dxVKL/lxENU4jPPBwZBGrcYn2WVHgkIzjG0n
+					EOHONAgRFPi3Xw== )
+			3600	DNSKEY	256 3 7 (
+					AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+					oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+					MFwieWYfDdgUnPxyKMM=
+					) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+			3600	DNSKEY	257 3 7 (
+					AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+					exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+					JH9YXitS21LMD0Hqp1s=
+					) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160229083110 29600 example.com.
+					vO2UQiTN/CNUZOmSEg8kJlR/UqiAZHc4qMwj
+					9u31sbPmOMuni+ZGuVCFFoEMtZerIkkQowkB
+					sXJFkvCP5oF2rA== )
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160229083110 31323 example.com.
+					Z+aaLu4rmzekfhlj6A0ClREloRi8MloRHf/3
+					Dlw/RYY1hrOCfcZKEY6AXeVdUwESEsSkSOco
+					CbhyGHH10dKAAg== )
+			0	NSEC3PARAM 1 0 10 -
+			0	RRSIG	NSEC3PARAM 7 2 0 (
+					20840201000000 20160229083110 29600 example.com.
+					d69kc52VdALI8fbdbflsVsltc1m7bI6QsJ5U
+					IDE9fy5VqcufZecZMKuozPDuF2vBA8ADFIRU
+					OfYgKs6YNIOLWg== )
+deleg.example.com.	3600	IN NS	deleg.example.com.
+			3600	A	192.0.2.1
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 IN NSEC3 1 0 10 - (
+					MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938
+					A RRSIG )
+			86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160229083110 29600 example.com.
+					D24JCtCcNzwsY1FXVliAjxMm+x95N2eUTXn0
+					M8NK5glSk1yLtnAUKzHxpRExAJLGUiaG4yPu
+					2yGZuqwNvJztzw== )
+MJV836RJQEJ5UBGHVKSQ7N44RSO3Q938.example.com. 86400 IN NSEC3 1 0 10 - (
+					UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A
+					NS )
+			86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160229083110 29600 example.com.
+					jRNMrWLfS4yzRHQOBxs6/GKWIzx6AZV5lyCm
+					7bYTV9wS3owDJSQhJ7lft0WbBmUMtV3tP9Xr
+					Yc+yW48p2Vr+QQ== )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 IN NSEC3 1 0 10 - (
+					20G1GOL477RO51RK9A9NFD54TFQAL7IQ
+					NS SOA RRSIG DNSKEY NSEC3PARAM )
+			86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160229083110 29600 example.com.
+					F7y+xW/C7iICgmZeYrF4e7Yx4kWZAZPAMzlu
+					PtWVuf37ySg1VfEWcQcDP04vF2rXVUqSMEcj
+					bqUVN5W8Hoazxw== )
+dns1.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160229083110 29600 example.com.
+					MoYrL/lToC4AHo6KCZRiBRmCMWHUAx2Xt32A
+					P4lDpwA+wiBWkCZSfVTh60AosS/BIGtBb2BK
+					mszMx8CLBvkjRg== )
diff --git a/tests/knot/semantic_check_data/nsec3_optout_ent.all b/tests/knot/semantic_check_data/nsec3_optout_ent.all
new file mode 100644
index 0000000..5ebd917
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec3_optout_ent.all
@@ -0,0 +1,15 @@
+example.com.        	3600	SOA	dns1.com. hostmaster.com. 2010111217 21600 3600 604800 86400
+example.com.        	3600	NS	dns1.com.
+example.com.        	3600	DNSKEY	256 3 13 tCoteOM+A4o/A9uxgLyDg3HOg2DClU+3d+1XPQRtTfuaEFOGIpyH6qiFUv2b4DYuvmMyTkL99nxvyhA8yo0Cgg==
+example.com.        	3600	DNSKEY	257 3 13 Yk8KOmyVzOij3x+Zs+eT4J2Up9+ipwXEKOhL9fTYY/DU10yIQt+zYm02UFZJX2oVTdHBCajpBFsZLH2X4ho1yw==
+example.com.        	0	NSEC3PARAM	1 0 10 151E9F1094FE188F
+deleg1.ent.example.com.	3600	NS	glue.outofzone.net.
+deleg2.ent.example.com.	3600	NS	glue.outofzone.net.
+
+example.com.        	3600	RRSIG	NS 13 2 3600 20400410173442 20210209160442 61806 example.com. laxHzto10anAyWXb/IqVEoBsybVmb/aCMb4SdxEC3YiJFj1IX9rxChVnuXrQ5zgr1f6YaRyc/DDTP8NFvwyTWg==
+example.com.        	3600	RRSIG	SOA 13 2 3600 20400410173442 20210209160442 61806 example.com. /eNl2bkB/SJ6qBX+Jpm5KTXIs5Xi978JWRN2jtbEh5Z9udy7liS73oMkBLlJ33amKc7Gwfqi2+SgdHHud4j0Ug==
+example.com.        	3600	RRSIG	DNSKEY 13 2 3600 20400410173442 20210209160442 25674 example.com. TpePckJM7GcsE72vbfSf49LzEM1chUFIiKBN0VyCHdB3YFpRH5d8Qx+XWh8Vs9AuLoKMWTQ0UD4kZK8yF70N4A==
+example.com.        	0	RRSIG	NSEC3PARAM 13 2 0 20400410173442 20210209160442 61806 example.com. RfPCpoA94H+dm7fqxhZ+GIf4fQwzN19yJVbhmEOtx6if9U/H6mJalvoy4d5UD/L2bferTBbie4I/TzAIXgVETQ==
+
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600	NSEC3	1 1 10 151E9F1094FE188F ple28jlp3q5anh045ssk9f3u7ltd4qlc NS SOA RRSIG DNSKEY NSEC3PARAM
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600	RRSIG	NSEC3 13 3 3600 20400410181548 20210209164548 61806 example.com. EBPlHXYdARm1T0TaYadx0ETwC6w0g5J1yPR6LB3ur9IItcEWRONhqDrNwUbYGbW5c4nWep/hnJYdmMFq1bTfiw==
diff --git a/tests/knot/semantic_check_data/nsec3_optout_ent.invalid b/tests/knot/semantic_check_data/nsec3_optout_ent.invalid
new file mode 100644
index 0000000..114d5d7
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec3_optout_ent.invalid
@@ -0,0 +1,18 @@
+example.com.        	3600	SOA	dns1.com. hostmaster.com. 2010111217 21600 3600 604800 86400
+example.com.        	3600	NS	dns1.com.
+example.com.        	3600	DNSKEY	256 3 13 tCoteOM+A4o/A9uxgLyDg3HOg2DClU+3d+1XPQRtTfuaEFOGIpyH6qiFUv2b4DYuvmMyTkL99nxvyhA8yo0Cgg==
+example.com.        	3600	DNSKEY	257 3 13 Yk8KOmyVzOij3x+Zs+eT4J2Up9+ipwXEKOhL9fTYY/DU10yIQt+zYm02UFZJX2oVTdHBCajpBFsZLH2X4ho1yw==
+example.com.        	0	NSEC3PARAM	1 0 10 151E9F1094FE188F
+deleg1.ent.example.com.	3600	NS	glue.outofzone.net.
+deleg2.ent.example.com.	3600	NS	glue.outofzone.net.
+
+example.com.        	3600	RRSIG	NS 13 2 3600 20400410173442 20210209160442 61806 example.com. laxHzto10anAyWXb/IqVEoBsybVmb/aCMb4SdxEC3YiJFj1IX9rxChVnuXrQ5zgr1f6YaRyc/DDTP8NFvwyTWg==
+example.com.        	3600	RRSIG	SOA 13 2 3600 20400410173442 20210209160442 61806 example.com. /eNl2bkB/SJ6qBX+Jpm5KTXIs5Xi978JWRN2jtbEh5Z9udy7liS73oMkBLlJ33amKc7Gwfqi2+SgdHHud4j0Ug==
+example.com.        	3600	RRSIG	DNSKEY 13 2 3600 20400410173442 20210209160442 25674 example.com. TpePckJM7GcsE72vbfSf49LzEM1chUFIiKBN0VyCHdB3YFpRH5d8Qx+XWh8Vs9AuLoKMWTQ0UD4kZK8yF70N4A==
+example.com.        	0	RRSIG	NSEC3PARAM 13 2 0 20400410173442 20210209160442 61806 example.com. RfPCpoA94H+dm7fqxhZ+GIf4fQwzN19yJVbhmEOtx6if9U/H6mJalvoy4d5UD/L2bferTBbie4I/TzAIXgVETQ==
+
+gtr2v0c3d7eqh7ob8rbad7ta90tq8lci.example.com. 3600	NSEC3	1 1 10 151E9F1094FE188F ple28jlp3q5anh045ssk9f3u7ltd4qlc NS
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600	NSEC3	1 1 10 151E9F1094FE188F gtr2v0c3d7eqh7ob8rbad7ta90tq8lci NS SOA RRSIG DNSKEY NSEC3PARAM
+
+gtr2v0c3d7eqh7ob8rbad7ta90tq8lci.example.com. 3600	RRSIG	NSEC3 13 3 3600 20400410173442 20210209160442 61806 example.com. gb3uKByt54iwCsd284xzOVnnpN97r7ARz6UacMdm2Xs4M8t6Ao9bRG7jvbNpFCALfaU/xDQF7K3v31iKBeVwjw==
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600	RRSIG	NSEC3 13 3 3600 20400410173442 20210209160442 61806 example.com. kpuFRuzOhsG5zy0Sdql0AB44IDUtf9ccTwJXdULoIqUNKeRqvgWJ7ekEhBKvntVHlBQZPescgPMvvq7PLcA2Dw==
diff --git a/tests/knot/semantic_check_data/nsec3_optout_ent.valid b/tests/knot/semantic_check_data/nsec3_optout_ent.valid
new file mode 100644
index 0000000..c9fe657
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec3_optout_ent.valid
@@ -0,0 +1,20 @@
+example.com.        	3600	SOA	dns1.com. hostmaster.com. 2010111217 21600 3600 604800 86400
+example.com.        	3600	NS	dns1.com.
+example.com.        	3600	DNSKEY	256 3 13 tCoteOM+A4o/A9uxgLyDg3HOg2DClU+3d+1XPQRtTfuaEFOGIpyH6qiFUv2b4DYuvmMyTkL99nxvyhA8yo0Cgg==
+example.com.        	3600	DNSKEY	257 3 13 Yk8KOmyVzOij3x+Zs+eT4J2Up9+ipwXEKOhL9fTYY/DU10yIQt+zYm02UFZJX2oVTdHBCajpBFsZLH2X4ho1yw==
+example.com.        	0	NSEC3PARAM	1 0 10 151E9F1094FE188F
+deleg1.ent.example.com.	3600	NS	glue.outofzone.net.
+deleg2.ent.example.com.	3600	NS	glue.outofzone.net.
+
+example.com.        	3600	RRSIG	NS 13 2 3600 20400410173236 20210209160236 61806 example.com. C4ierSNpy03xjH5rQEfb01wCj4SVIzX9b15FVEMIbn3lmDo5jXO6stOrW8Z7OjoVuCaRi1Qj997TeCYqOxNXSQ==
+example.com.        	3600	RRSIG	SOA 13 2 3600 20400410173236 20210209160236 61806 example.com. NNyQzYOcPbfEsqv61I78MuMguN/KIFi/wSJc940pj7rv+riA3J+XVzpaHSSh//q8CmrvpBAk2g8KsQG/6kOXmg==
+example.com.        	3600	RRSIG	DNSKEY 13 2 3600 20400410173236 20210209160236 25674 example.com. ZY3nxZJeOfSOEhs02mfhQgt6N1EgZubtPp3HuV69gStFSu4aCLi8a2aseQGilOFW64dOAYNm3LL/WqhPi7MZ1Q==
+example.com.        	0	RRSIG	NSEC3PARAM 13 2 0 20400410173236 20210209160236 61806 example.com. JITs/EH8nLaFRidlkT6+mcTwEpjgp2TMjb9fU5TBIlKn94og8YtOWFbNmzdEYBKlGLlkg8LwY2ortrSoRHS6Hw==
+
+ej69a9a2k2j0ntktmdvihrv5ao8fl1jt.example.com. 3600	NSEC3	1 1 10 151E9F1094FE188F gtr2v0c3d7eqh7ob8rbad7ta90tq8lci
+gtr2v0c3d7eqh7ob8rbad7ta90tq8lci.example.com. 3600	NSEC3	1 1 10 151E9F1094FE188F ple28jlp3q5anh045ssk9f3u7ltd4qlc NS
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600	NSEC3	1 1 10 151E9F1094FE188F ej69a9a2k2j0ntktmdvihrv5ao8fl1jt NS SOA RRSIG DNSKEY NSEC3PARAM
+
+ej69a9a2k2j0ntktmdvihrv5ao8fl1jt.example.com. 3600	RRSIG	NSEC3 13 3 3600 20400410173236 20210209160236 61806 example.com. yatL/lbFSUyN4UyRtMXymxsiqhOXHp+N+pTI/zNOc0NXCdaaLceh+tZHlc+E4napRfP53XXEhuGavjShTIJ/+g==
+gtr2v0c3d7eqh7ob8rbad7ta90tq8lci.example.com. 3600	RRSIG	NSEC3 13 3 3600 20400410173236 20210209160236 61806 example.com. 20XNZrfJ4l/JIDjCbsba3mUOrNyOxJ2VuCju/yLc0XbdzqMcKJR87g3u967GEnoYY5f5+rJt/IHsuJWHcLApCQ==
+ple28jlp3q5anh045ssk9f3u7ltd4qlc.example.com. 3600	RRSIG	NSEC3 13 3 3600 20400410173236 20210209160236 61806 example.com. eLRo9y8Rxf157qcciWM/LSUbtjYks2zLO5xQ9Ff5bidHc9m2XEqjWxqdPZz5gurEf+uPnM8mnix36X4YH4ZXwg==
diff --git a/tests/knot/semantic_check_data/nsec3_param_invalid.signed b/tests/knot/semantic_check_data/nsec3_param_invalid.signed
new file mode 100644
index 0000000..c7d8d6d
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec3_param_invalid.signed
@@ -0,0 +1,70 @@
+; Zone without any semantic error
+
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	RRSIG	SOA 7 2 3600 (
+					20840201000000 20160229083110 29600 example.com.
+					W9EprjaR4loSnNW96h4rLsquPDw3LHYvD05k
+					djkQofHSkMNZAJ7Q+eA3Fs2ik5fnJFM7wi5C
+					MtFsV2TfqMJFmg== )
+			3600	NS	dns1.example.com.
+			3600	RRSIG	NS 7 2 3600 (
+					20840201000000 20160229083110 29600 example.com.
+					I9Je1S7XhZIW9C0fWE8NwFLC2rhHklddNYBO
+					dxVKL/lxENU4jPPBwZBGrcYn2WVHgkIzjG0n
+					EOHONAgRFPi3Xw== )
+			3600	DNSKEY	256 3 7 (
+					AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+					oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+					MFwieWYfDdgUnPxyKMM=
+					) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+			3600	DNSKEY	257 3 7 (
+					AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+					exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+					JH9YXitS21LMD0Hqp1s=
+					) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160229083110 29600 example.com.
+					vO2UQiTN/CNUZOmSEg8kJlR/UqiAZHc4qMwj
+					9u31sbPmOMuni+ZGuVCFFoEMtZerIkkQowkB
+					sXJFkvCP5oF2rA== )
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160229083110 31323 example.com.
+					Z+aaLu4rmzekfhlj6A0ClREloRi8MloRHf/3
+					Dlw/RYY1hrOCfcZKEY6AXeVdUwESEsSkSOco
+					CbhyGHH10dKAAg== )
+			0	NSEC3PARAM 1 4 10 -
+			0	RRSIG	NSEC3PARAM 7 2 0 (
+					20840201000000 20160229083110 29600 example.com.
+					d69kc52VdALI8fbdbflsVsltc1m7bI6QsJ5U
+					IDE9fy5VqcufZecZMKuozPDuF2vBA8ADFIRU
+					OfYgKs6YNIOLWg== )
+deleg.example.com.	3600	IN NS	deleg.example.com.
+			3600	A	192.0.2.1
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 IN NSEC3 1 1 15 - (
+					UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A
+					A RRSIG )
+			86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160229083110 29600 example.com.
+					D24JCtCcNzwsY1FXVliAjxMm+x95N2eUTXn0
+					M8NK5glSk1yLtnAUKzHxpRExAJLGUiaG4yPu
+					2yGZuqwNvJztzw== )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 IN NSEC3 4 0 10 - (
+					20G1GOL477RO51RK9A9NFD54TFQAL7IQ
+					NS SOA RRSIG DNSKEY NSEC3PARAM )
+			86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160229083110 29600 example.com.
+					F7y+xW/C7iICgmZeYrF4e7Yx4kWZAZPAMzlu
+					PtWVuf37ySg1VfEWcQcDP04vF2rXVUqSMEcj
+					bqUVN5W8Hoazxw== )
+dns1.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160229083110 29600 example.com.
+					MoYrL/lToC4AHo6KCZRiBRmCMWHUAx2Xt32A
+					P4lDpwA+wiBWkCZSfVTh60AosS/BIGtBb2BK
+					mszMx8CLBvkjRg== )
diff --git a/tests/knot/semantic_check_data/nsec3_wrong_bitmap_01.signed b/tests/knot/semantic_check_data/nsec3_wrong_bitmap_01.signed
new file mode 100644
index 0000000..a3024d8
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec3_wrong_bitmap_01.signed
@@ -0,0 +1,70 @@
+; example.com -- missing DNSKEY in type bitmap
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 IN NSEC3 1 0 10 - (
+					20G1GOL477RO51RK9A9NFD54TFQAL7IQ
+					NS SOA RRSIG NSEC3PARAM )
+; dns1.example.com
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 IN NSEC3 1 0 10 - (
+					UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A
+					A RRSIG )
+
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	RRSIG	SOA 7 2 3600 (
+					20840201000000 20160225083237 29600 example.com.
+					li23VC44fumpMHhKwWug2J1C2fwCMiwgofYO
+					DKydNYsJyYTlyi8ezLJ2KoBlCtOc4Fp0NbqS
+					aN8CKWh7fQVnkQ== )
+			3600	NS	dns1.example.com.
+			3600	RRSIG	NS 7 2 3600 (
+					20840201000000 20160225083237 29600 example.com.
+					Y8olY2OClZgC+QHnOhY52LONVOcctOnl8jNY
+					/c7sCHZO4TdPPDHDhpbVntQD+Vc4fUTx+cXY
+					GrF5sLbhddBJXg== )
+			3600	DNSKEY	256 3 7 (
+					AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+					oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+					MFwieWYfDdgUnPxyKMM=
+					) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+			3600	DNSKEY	257 3 7 (
+					AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+					exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+					JH9YXitS21LMD0Hqp1s=
+					) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160225083237 29600 example.com.
+					fx2rZzhyYrp1b4tNH1SmM852VbGEeZdKrD+f
+					ZoInny1m8sovb1J9ORtVbGkOYOnInDMLWMCX
+					fghHC2MafuFV+Q== )
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160225083237 31323 example.com.
+					TcNU6AlrYhJLrNlkfOPJzO6A77j6C39IPoP4
+					OfmY2ClA5Vx2JO0vQ4bIHR7GIW8fiMe6M6tt
+					ZwQImhVWdG414A== )
+			0	NSEC3PARAM 1 0 10 -
+			0	RRSIG	NSEC3PARAM 7 2 0 (
+					20840201000000 20160225083237 29600 example.com.
+					iY0WB0dN1hQXoctaMwvvXzn7paQt5xUyucT3
+					xwo6HAI8Y+OJlecUfOpkkQ9lqIfsqPTXmgbY
+					RieoZGrWR6ZvaQ== )
+dns1.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160225083237 29600 example.com.
+					QptUkTNS7umNQ5V6Z9DyGl6z+rG7G3TFmHG8
+					p9HGaKifSxjwSFW0nZ9/s86XHQ8ql5+bQmPa
+					xw39ntBmQLVxfg== )
+
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160225083237 29600 example.com.
+					CPx6000z5m1zUUpVhki1u9U7P/WMr7PUJAk3
+					G0w3v+/Lw56mDzYzNuTpPzS0noe0LKuecqRu
+					m99KpLyLOx+9QA== )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160225083237 29600 example.com.
+					m2z+hx+8hTA7Phu6QzGJrq+o4MiURpda3fYm
+					0wTDmXtfPKsHmojGr3kBlvUMg16s2gpvNyCL
+					MSlnJ+7KCkI+Mw== )
diff --git a/tests/knot/semantic_check_data/nsec3_wrong_bitmap_02.signed b/tests/knot/semantic_check_data/nsec3_wrong_bitmap_02.signed
new file mode 100644
index 0000000..e3e4940
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec3_wrong_bitmap_02.signed
@@ -0,0 +1,70 @@
+; example.com
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400 IN NSEC3 1 0 10 - (
+					20G1GOL477RO51RK9A9NFD54TFQAL7IQ
+					NS SOA RRSIG DNSKEY NSEC3PARAM )
+; dns1.example.com -- extra type in bitmap - NSEC
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400 IN NSEC3 1 0 10 - (
+					UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A
+					A RRSIG NSEC)
+
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	RRSIG	SOA 7 2 3600 (
+					20840201000000 20160225083237 29600 example.com.
+					li23VC44fumpMHhKwWug2J1C2fwCMiwgofYO
+					DKydNYsJyYTlyi8ezLJ2KoBlCtOc4Fp0NbqS
+					aN8CKWh7fQVnkQ== )
+			3600	NS	dns1.example.com.
+			3600	RRSIG	NS 7 2 3600 (
+					20840201000000 20160225083237 29600 example.com.
+					Y8olY2OClZgC+QHnOhY52LONVOcctOnl8jNY
+					/c7sCHZO4TdPPDHDhpbVntQD+Vc4fUTx+cXY
+					GrF5sLbhddBJXg== )
+			3600	DNSKEY	256 3 7 (
+					AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+					oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+					MFwieWYfDdgUnPxyKMM=
+					) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+			3600	DNSKEY	257 3 7 (
+					AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+					exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+					JH9YXitS21LMD0Hqp1s=
+					) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160225083237 29600 example.com.
+					fx2rZzhyYrp1b4tNH1SmM852VbGEeZdKrD+f
+					ZoInny1m8sovb1J9ORtVbGkOYOnInDMLWMCX
+					fghHC2MafuFV+Q== )
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160225083237 31323 example.com.
+					TcNU6AlrYhJLrNlkfOPJzO6A77j6C39IPoP4
+					OfmY2ClA5Vx2JO0vQ4bIHR7GIW8fiMe6M6tt
+					ZwQImhVWdG414A== )
+			0	NSEC3PARAM 1 0 10 -
+			0	RRSIG	NSEC3PARAM 7 2 0 (
+					20840201000000 20160225083237 29600 example.com.
+					iY0WB0dN1hQXoctaMwvvXzn7paQt5xUyucT3
+					xwo6HAI8Y+OJlecUfOpkkQ9lqIfsqPTXmgbY
+					RieoZGrWR6ZvaQ== )
+dns1.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160225083237 29600 example.com.
+					QptUkTNS7umNQ5V6Z9DyGl6z+rG7G3TFmHG8
+					p9HGaKifSxjwSFW0nZ9/s86XHQ8ql5+bQmPa
+					xw39ntBmQLVxfg== )
+
+20G1GOL477RO51RK9A9NFD54TFQAL7IQ.example.com. 86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160225083237 29600 example.com.
+					CPx6000z5m1zUUpVhki1u9U7P/WMr7PUJAk3
+					G0w3v+/Lw56mDzYzNuTpPzS0noe0LKuecqRu
+					m99KpLyLOx+9QA== )
+UTQVUHU2BLK3DHMRR5T1HD9VTEOHQT0A.example.com. 86400	RRSIG	NSEC3 7 3 86400 (
+					20840201000000 20160225083237 29600 example.com.
+					m2z+hx+8hTA7Phu6QzGJrq+o4MiURpda3fYm
+					0wTDmXtfPKsHmojGr3kBlvUMg16s2gpvNyCL
+					MSlnJ+7KCkI+Mw== )
diff --git a/tests/knot/semantic_check_data/nsec_broken_chain_01.signed b/tests/knot/semantic_check_data/nsec_broken_chain_01.signed
new file mode 100644
index 0000000..cb41dce
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec_broken_chain_01.signed
@@ -0,0 +1,72 @@
+; not coherent NSEC chain
+example.com.		86400	NSEC	dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+dns1.example.com.	86400	NSEC	example.com. A RRSIG NSEC
+www.example.com.	86400	NSEC	example.com. A RRSIG NSEC
+
+; signatures for NSECs
+example.com.		86400	RRSIG	NSEC 7 2 86400 (
+					20840201000000 20160224082919 29600 example.com.
+					FHLUUQTvnVboNzGoQVLpwQAcB+fUEF5xQqMQ
+					oKhE86sdvlQUiEfUpv2PJ9y3YfXHeYxJUtvm
+					cY14UkYqsdP3fA== )
+dns1.example.com.	86400	RRSIG	NSEC 7 3 86400 (
+					20840201000000 20160224082919 29600 example.com.
+					FDPJTLixRBZtMFLqk5wfYTSLnLMZiLtN7uTA
+					COEqyphK33oW+7XJzfG6ADvwGewY4hTCPQkk
+					cEg+DBI7qZ88NA== )
+www.example.com.	86400	RRSIG	NSEC 7 3 86400 (
+					20840201000000 20160224082919 29600 example.com.
+					FDPJTLixRBZtMFLqk5wfYTSLnLMZiLtN7uTA
+					COEqyphK33oW+7XJzfG6ADvwGewY4hTCPQkk
+					cEg+DBI7qZ88NA== )
+
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	RRSIG	SOA 7 2 3600 (
+					20840201000000 20160224082919 29600 example.com.
+					xJIoENJ4d24FIVd9ZSGpQlcWN4zuriU90r/H
+					+ufcM2qtWcOGR1M1LVNIAWEVJEcD2dBGA2w1
+					B7Cx+BILQRev8w== )
+			3600	NS	dns1.example.com.
+			3600	RRSIG	NS 7 2 3600 (
+					20840201000000 20160224082919 29600 example.com.
+					vBffD+/kBuxUHfeXKYBVYxeMIbuW5f8BstRM
+					XJnC1GTGfdNvb8NknHuv5fEytBmnnpH6f9pC
+					iWLeZzFR1+aJBA== )
+			3600	DNSKEY	256 3 7 (
+					AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+					oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+					MFwieWYfDdgUnPxyKMM=
+					) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+			3600	DNSKEY	257 3 7 (
+					AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+					exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+					JH9YXitS21LMD0Hqp1s=
+					) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160224082919 29600 example.com.
+					LMyY8+vWsFB7CziWt8rnR5jfg4Loe/xzy4TQ
+					/ITEDbz5pkoadG+0mqTHQ0F5XCe6ZJPamcyr
+					kcMw0GqUzOVb9w== )
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160224082919 31323 example.com.
+					tpHcGRuIkul47hHXVpNAOL48c5YYMsaIJkFE
+					rlQi9wU4TCiukdJkLuPk7ykk9XrxbiCB/FwD
+					o63Vcqyy3gZfvA== )
+dns1.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160224082919 29600 example.com.
+					HlfZThngg+1xglDUh8kjDtzVn5D5a9T3emMt
+					Uxfryu9va7bj+xoK4gLADGau69GCZxJNSvwK
+					TAGEqGRYFSY9Ew== )
+www.example.com.	3600	IN A	192.0.2.2
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160224082919 29600 example.com.
+					FLR8e2k6u7dhQA1xZ3YMxkvuktoydXC+ZNwl
+					xzW9hLpF3oKoqqY/V+kw7m2OMgnOEu2jWN4Q
+					EETdmMeQzkiuNw== )
diff --git a/tests/knot/semantic_check_data/nsec_broken_chain_02.signed b/tests/knot/semantic_check_data/nsec_broken_chain_02.signed
new file mode 100644
index 0000000..5c5f004
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec_broken_chain_02.signed
@@ -0,0 +1,65 @@
+; not coherent NSEC chain
+example.com.            86400   NSEC    dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+dns1.example.com.       86400   NSEC    www.example.com. A RRSIG NSEC
+www.example.com.        86400   NSEC    www.example.com. A RRSIG NSEC
+
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	RRSIG	SOA 13 2 3600 (
+					20601231235959 20201008171141 31772 example.com.
+					Qwf3qgLbSvE4PmUVU8rpIASe0v1T1K0ie3Lw
+					g+6o3tpBS8vWcmHMUiKns/6rAvoum7vHQRmO
+					dH7X3Pp1/X3xCw== )
+			3600	NS	dns1.example.com.
+			3600	RRSIG	NS 13 2 3600 (
+					20601231235959 20201008171141 31772 example.com.
+					92/D4j7CUCKkykxMzdjfJoaNrMwO93OQtZlB
+					APsfcEyYl+W0sSnow/2RgYvKfX+kdcmp5VXD
+					vQxTGC0VqdMwCQ== )
+			86400	RRSIG	NSEC 13 2 86400 (
+					20601231235959 20201008171141 31772 example.com.
+					shdsucYBfD8/zV1h1QgUBiC7VgYdFxFEcF1k
+					FQfY+UHkfD/AyOkiFPQxysimgzqJn2/z5Q+v
+					GT1CzzzemgzoXw== )
+			3600	DNSKEY	256 3 13 (
+					/4RnFpCmaYIIrL/zP1T6LvfhXdpun0ZyYDKL
+					ho0zuUD+RMDe31IQCzr9AuSn1BAIQWIunxFs
+					EaTSlvpiUd+CAg==
+					) ; ZSK; alg = ECDSAP256SHA256 ; key id = 31772
+			3600	DNSKEY	257 3 13 (
+					/KEwa6qUWHdkpEMGX55UaIvl7do5l2IADCDq
+					iNnawoCLu7Tm4MU6ylzYS1htz1mTd8Zcuzl0
+					gkRe4FXwOmOzvQ==
+					) ; KSK; alg = ECDSAP256SHA256 ; key id = 14119
+			3600	RRSIG	DNSKEY 13 2 3600 (
+					20601231235959 20201008171141 14119 example.com.
+					FPftK2atu4GMOspSR24p5iIvmq2VKgPJMUTu
+					5RiwflEf8UgD7s2WFe7A6/JLurwEhqa/313T
+					eEURk7m313h4jQ== )
+dns1.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 13 3 3600 (
+					20601231235959 20201008171141 31772 example.com.
+					+Xvcx4bZ536B8DtNwzurqmPPoDVdtS5nlRhQ
+					pMZ+OLsHECDnFaI50dSw4F1/c3DERz1ktM0+
+					QCC96MZ7QdAYQw== )
+			86400	RRSIG	NSEC 13 3 86400 (
+					20601231235959 20201008171141 31772 example.com.
+					64MPHHZG8wrbAtk+LY/5ISicI1vU7V19q9lF
+					wOm0mcpvoBERyDwadgZpmHsvin1sRt/LZYDr
+					iBKxcnaviHfULg== )
+www.example.com.	3600	IN A	192.0.2.2
+			3600	RRSIG	A 13 3 3600 (
+					20601231235959 20201008171141 31772 example.com.
+					+/+14BFYf5Iq9IIeX1Oz5XqxsaPaw3T6PTPH
+					neJz6N9QhnI6aKkGZFYBuqY0Zhmcr52zbhPi
+					1yZAUTP7OvouhA== )
+			86400	RRSIG	NSEC 13 3 86400 (
+					20601231235959 20201008171141 31772 example.com.
+					fPqL9hFml35JLmfX3MA32hMnMhh9UA1Mc2OZ
+					nY+0j4wTtVR0PVMWHOv9UaULzTCM+5mlpFXm
+					nRUMj8sMTGzFzw== )
diff --git a/tests/knot/semantic_check_data/nsec_missing.signed b/tests/knot/semantic_check_data/nsec_missing.signed
new file mode 100644
index 0000000..e901607
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec_missing.signed
@@ -0,0 +1,67 @@
+example.com.		86400	NSEC	dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+dns1.example.com.	86400	NSEC	example.com. A RRSIG NSEC
+; missing NSEC for www.example.com.
+
+; signatures for NSECs
+example.com.		86400	RRSIG	NSEC 7 2 86400 (
+					20840201000000 20160224082919 29600 example.com.
+					FHLUUQTvnVboNzGoQVLpwQAcB+fUEF5xQqMQ
+					oKhE86sdvlQUiEfUpv2PJ9y3YfXHeYxJUtvm
+					cY14UkYqsdP3fA== )
+dns1.example.com.	86400	RRSIG	NSEC 7 3 86400 (
+					20840201000000 20160224082919 29600 example.com.
+					GF3mqBf6Ny481XSbEor1uTzQZtT2DSA/3jU2
+					ZcLXXhlmHG3nI/PB49lG+17O83rDrbhcYc8G
+					cHEbLIGNr/6+Mw== )
+
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	RRSIG	SOA 7 2 3600 (
+					20840201000000 20160224082919 29600 example.com.
+					xJIoENJ4d24FIVd9ZSGpQlcWN4zuriU90r/H
+					+ufcM2qtWcOGR1M1LVNIAWEVJEcD2dBGA2w1
+					B7Cx+BILQRev8w== )
+			3600	NS	dns1.example.com.
+			3600	RRSIG	NS 7 2 3600 (
+					20840201000000 20160224082919 29600 example.com.
+					vBffD+/kBuxUHfeXKYBVYxeMIbuW5f8BstRM
+					XJnC1GTGfdNvb8NknHuv5fEytBmnnpH6f9pC
+					iWLeZzFR1+aJBA== )
+			3600	DNSKEY	256 3 7 (
+					AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+					oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+					MFwieWYfDdgUnPxyKMM=
+					) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+			3600	DNSKEY	257 3 7 (
+					AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+					exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+					JH9YXitS21LMD0Hqp1s=
+					) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160224082919 29600 example.com.
+					LMyY8+vWsFB7CziWt8rnR5jfg4Loe/xzy4TQ
+					/ITEDbz5pkoadG+0mqTHQ0F5XCe6ZJPamcyr
+					kcMw0GqUzOVb9w== )
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160224082919 31323 example.com.
+					tpHcGRuIkul47hHXVpNAOL48c5YYMsaIJkFE
+					rlQi9wU4TCiukdJkLuPk7ykk9XrxbiCB/FwD
+					o63Vcqyy3gZfvA== )
+dns1.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160224082919 29600 example.com.
+					HlfZThngg+1xglDUh8kjDtzVn5D5a9T3emMt
+					Uxfryu9va7bj+xoK4gLADGau69GCZxJNSvwK
+					TAGEqGRYFSY9Ew== )
+
+www.example.com.	3600	IN A	192.0.2.2
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160224082919 29600 example.com.
+					FLR8e2k6u7dhQA1xZ3YMxkvuktoydXC+ZNwl
+					xzW9hLpF3oKoqqY/V+kw7m2OMgnOEu2jWN4Q
+					EETdmMeQzkiuNw== )
diff --git a/tests/knot/semantic_check_data/nsec_multiple.signed b/tests/knot/semantic_check_data/nsec_multiple.signed
new file mode 100644
index 0000000..0cd6aec
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec_multiple.signed
@@ -0,0 +1,66 @@
+; not coherent NSEC chain
+example.com.            86400   NSEC    dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+dns1.example.com.       86400   NSEC    www.example.com. A RRSIG NSEC
+www.example.com.        86400   NSEC    example.com. A RRSIG NSEC
+www.example.com.        86400   NSEC    www.example.com. A RRSIG NSEC
+
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	RRSIG	SOA 13 2 3600 (
+					20601231235959 20201008170543 19445 example.com.
+					dEcgYVtA8cRE8ErOZGO/aaMat99+KuJdKoDc
+					0+8fauQ3dcTUHVg2I+v4hdizjlmAJzGXJN+7
+					6ssZgcvXCnWOsQ== )
+			3600	NS	dns1.example.com.
+			3600	RRSIG	NS 13 2 3600 (
+					20601231235959 20201008170543 19445 example.com.
+					2OEk6Lpt+1c58vnCEHBrV7//7gyoo1bGJSHo
+					k+oWaF9Uh07XVkVWznq6mmCErqukUPLnW1Bn
+					rysjk4i5Yflqkg== )
+			86400	RRSIG	NSEC 13 2 86400 (
+					20601231235959 20201008170543 19445 example.com.
+					icB72dzHg9d9klcTL/mW53mGIX6KzF0GLWUt
+					DKLCcu2Ailyp3kdM64dyJxRYTr7F7KfxyHi4
+					3KJtphYNEA6ZWA== )
+			3600	DNSKEY	256 3 13 (
+					H1roLYze5AZ+ouWMduBJtoJ8N5BPFdF3n6Pv
+					+Nfw5bNHUtCzgvMhmtX2gcRlmZ70Ycv1C/U+
+					mCvLWVdfJm08lA==
+					) ; ZSK; alg = ECDSAP256SHA256 ; key id = 19445
+			3600	DNSKEY	257 3 13 (
+					MSWkrHjEr7zi143oQdRthBBzl70MXeILunB7
+					8j55a5a9+Q39YKaIiRM4zyCV6WTXpm9H6eOS
+					RRgdQqGNL1gsKQ==
+					) ; KSK; alg = ECDSAP256SHA256 ; key id = 23836
+			3600	RRSIG	DNSKEY 13 2 3600 (
+					20601231235959 20201008170543 23836 example.com.
+					ejlk2L0CVBWuAxr1g+qivdvyIXqzp3+9U0tu
+					a2geLUtaVx8ErYnIvUug15S54g75+lZoZ1uK
+					l2WFWuy751kIsw== )
+www.example.com.	3600	IN A	192.0.2.2
+			3600	RRSIG	A 13 3 3600 (
+					20601231235959 20201008170543 19445 example.com.
+					8k4wk4+kCs1kO3+8sL6zZdpkHw0U58oua/Ur
+					C8CHo6TjlLx/jRrLdQKcFy5H7gBMcJY76SDs
+					mT91HuWH+BpwNA== )
+			86400	RRSIG	NSEC 13 3 86400 (
+					20601231235959 20201008170543 19445 example.com.
+					3XbwYx32/Y8sLtQ+dW1lg+s1eaOSZlmkdJeO
+					IsLOAF6U9kq/2zrUTYCtFBMfqs5yYDEISK6X
+					W5UfBBdFRdYzgw== )
+dns1.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 13 3 3600 (
+					20601231235959 20201008170543 19445 example.com.
+					DDTolVJ5Mxfm8srRVi/SRu0+5y3OBTQCVFuQ
+					ywdv4IahQoE11pjXRCBUXvroTeDgoHrmD7PD
+					b1aIBxHLiC/2pg== )
+			86400	RRSIG	NSEC 13 3 86400 (
+					20601231235959 20201008170543 19445 example.com.
+					DDhuGYMEij4vbJZlscX3os8qj/wgq55w63jc
+					8mPr/LquDr6o6lrEYdcnZl4Rz22snnF2+po1
+					3SEjRSJ0ROmTbw== )
diff --git a/tests/knot/semantic_check_data/nsec_wrong_bitmap_01.signed b/tests/knot/semantic_check_data/nsec_wrong_bitmap_01.signed
new file mode 100644
index 0000000..058a0a3
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec_wrong_bitmap_01.signed
@@ -0,0 +1,73 @@
+example.com.		86400	NSEC	dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+dns1.example.com.	86400	NSEC	www.example.com. A RRSIG NSEC
+
+; extra AAAA type in NSEC bitmap
+www.example.com.	86400	NSEC	example.com. A RRSIG NSEC AAAA
+www.example.com.	3600	IN A	192.0.2.2
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160224082919 29600 example.com.
+					FLR8e2k6u7dhQA1xZ3YMxkvuktoydXC+ZNwl
+					xzW9hLpF3oKoqqY/V+kw7m2OMgnOEu2jWN4Q
+					EETdmMeQzkiuNw== )
+
+; signatures for NSECs
+example.com.		86400	RRSIG	NSEC 7 2 86400 (
+					20840201000000 20160224082919 29600 example.com.
+					FHLUUQTvnVboNzGoQVLpwQAcB+fUEF5xQqMQ
+					oKhE86sdvlQUiEfUpv2PJ9y3YfXHeYxJUtvm
+					cY14UkYqsdP3fA== )
+dns1.example.com.	86400	RRSIG	NSEC 7 3 86400 (
+					20840201000000 20160224082919 29600 example.com.
+					GF3mqBf6Ny481XSbEor1uTzQZtT2DSA/3jU2
+					ZcLXXhlmHG3nI/PB49lG+17O83rDrbhcYc8G
+					cHEbLIGNr/6+Mw== )
+www.example.com.	86400	RRSIG	NSEC 7 3 86400 (
+					20840201000000 20160224082919 29600 example.com.
+					FDPJTLixRBZtMFLqk5wfYTSLnLMZiLtN7uTA
+					COEqyphK33oW+7XJzfG6ADvwGewY4hTCPQkk
+					cEg+DBI7qZ88NA== )
+
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	RRSIG	SOA 7 2 3600 (
+					20840201000000 20160224082919 29600 example.com.
+					xJIoENJ4d24FIVd9ZSGpQlcWN4zuriU90r/H
+					+ufcM2qtWcOGR1M1LVNIAWEVJEcD2dBGA2w1
+					B7Cx+BILQRev8w== )
+			3600	NS	dns1.example.com.
+			3600	RRSIG	NS 7 2 3600 (
+					20840201000000 20160224082919 29600 example.com.
+					vBffD+/kBuxUHfeXKYBVYxeMIbuW5f8BstRM
+					XJnC1GTGfdNvb8NknHuv5fEytBmnnpH6f9pC
+					iWLeZzFR1+aJBA== )
+			3600	DNSKEY	256 3 7 (
+					AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+					oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+					MFwieWYfDdgUnPxyKMM=
+					) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+			3600	DNSKEY	257 3 7 (
+					AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+					exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+					JH9YXitS21LMD0Hqp1s=
+					) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160224082919 29600 example.com.
+					LMyY8+vWsFB7CziWt8rnR5jfg4Loe/xzy4TQ
+					/ITEDbz5pkoadG+0mqTHQ0F5XCe6ZJPamcyr
+					kcMw0GqUzOVb9w== )
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160224082919 31323 example.com.
+					tpHcGRuIkul47hHXVpNAOL48c5YYMsaIJkFE
+					rlQi9wU4TCiukdJkLuPk7ykk9XrxbiCB/FwD
+					o63Vcqyy3gZfvA== )
+dns1.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160224082919 29600 example.com.
+					HlfZThngg+1xglDUh8kjDtzVn5D5a9T3emMt
+					Uxfryu9va7bj+xoK4gLADGau69GCZxJNSvwK
+					TAGEqGRYFSY9Ew== )
diff --git a/tests/knot/semantic_check_data/nsec_wrong_bitmap_02.signed b/tests/knot/semantic_check_data/nsec_wrong_bitmap_02.signed
new file mode 100644
index 0000000..dafdc92
--- /dev/null
+++ b/tests/knot/semantic_check_data/nsec_wrong_bitmap_02.signed
@@ -0,0 +1,73 @@
+example.com.		86400	NSEC	dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+dns1.example.com.	86400	NSEC	www.example.com. A RRSIG NSEC
+
+; missing A type in NSEC bitmap
+www.example.com.	86400	NSEC	example.com. RRSIG NSEC
+www.example.com.	3600	IN A	192.0.2.2
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160224082919 29600 example.com.
+					FLR8e2k6u7dhQA1xZ3YMxkvuktoydXC+ZNwl
+					xzW9hLpF3oKoqqY/V+kw7m2OMgnOEu2jWN4Q
+					EETdmMeQzkiuNw== )
+
+; signatures for NSECs
+example.com.		86400	RRSIG	NSEC 7 2 86400 (
+					20840201000000 20160224082919 29600 example.com.
+					FHLUUQTvnVboNzGoQVLpwQAcB+fUEF5xQqMQ
+					oKhE86sdvlQUiEfUpv2PJ9y3YfXHeYxJUtvm
+					cY14UkYqsdP3fA== )
+dns1.example.com.	86400	RRSIG	NSEC 7 3 86400 (
+					20840201000000 20160224082919 29600 example.com.
+					GF3mqBf6Ny481XSbEor1uTzQZtT2DSA/3jU2
+					ZcLXXhlmHG3nI/PB49lG+17O83rDrbhcYc8G
+					cHEbLIGNr/6+Mw== )
+www.example.com.	86400	RRSIG	NSEC 7 3 86400 (
+					20840201000000 20160224082919 29600 example.com.
+					FDPJTLixRBZtMFLqk5wfYTSLnLMZiLtN7uTA
+					COEqyphK33oW+7XJzfG6ADvwGewY4hTCPQkk
+					cEg+DBI7qZ88NA== )
+
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	RRSIG	SOA 7 2 3600 (
+					20840201000000 20160224082919 29600 example.com.
+					xJIoENJ4d24FIVd9ZSGpQlcWN4zuriU90r/H
+					+ufcM2qtWcOGR1M1LVNIAWEVJEcD2dBGA2w1
+					B7Cx+BILQRev8w== )
+			3600	NS	dns1.example.com.
+			3600	RRSIG	NS 7 2 3600 (
+					20840201000000 20160224082919 29600 example.com.
+					vBffD+/kBuxUHfeXKYBVYxeMIbuW5f8BstRM
+					XJnC1GTGfdNvb8NknHuv5fEytBmnnpH6f9pC
+					iWLeZzFR1+aJBA== )
+			3600	DNSKEY	256 3 7 (
+					AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+					oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+					MFwieWYfDdgUnPxyKMM=
+					) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+			3600	DNSKEY	257 3 7 (
+					AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+					exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+					JH9YXitS21LMD0Hqp1s=
+					) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160224082919 29600 example.com.
+					LMyY8+vWsFB7CziWt8rnR5jfg4Loe/xzy4TQ
+					/ITEDbz5pkoadG+0mqTHQ0F5XCe6ZJPamcyr
+					kcMw0GqUzOVb9w== )
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160224082919 31323 example.com.
+					tpHcGRuIkul47hHXVpNAOL48c5YYMsaIJkFE
+					rlQi9wU4TCiukdJkLuPk7ykk9XrxbiCB/FwD
+					o63Vcqyy3gZfvA== )
+dns1.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160224082919 29600 example.com.
+					HlfZThngg+1xglDUh8kjDtzVn5D5a9T3emMt
+					Uxfryu9va7bj+xoK4gLADGau69GCZxJNSvwK
+					TAGEqGRYFSY9Ew== )
diff --git a/tests/knot/semantic_check_data/rrsig_rdata_ttl.signed b/tests/knot/semantic_check_data/rrsig_rdata_ttl.signed
new file mode 100644
index 0000000..28b118c
--- /dev/null
+++ b/tests/knot/semantic_check_data/rrsig_rdata_ttl.signed
@@ -0,0 +1,52 @@
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	RRSIG	SOA 13 2 3600 (
+					20601231235959 20201008172615 16105 example.com.
+					UkbSKt1soIfnM7ZkNAfOcS4D3eHBzMQOef1d
+					bFK+ne+MtJsKEGM9brUD23v0f0CdvteVkeNS
+					2oRrfrb3avZ08A== )
+			3600	NS	dns1.example.com.
+			3600	RRSIG	NS 13 2 3600 (
+					20601231235959 20201008172615 16105 example.com.
+					Mu/BsXIC10V5uRFUGR42/ntmT5eYt4192AQe
+					a5zdWnLo7A3GYHlPcOcZRMdqvsa3SAPOK2Br
+					UmFkHsWTawhWJQ== )
+			86400	NSEC	dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+			86400	RRSIG	NSEC 13 2 86400 (
+					20601231235959 20201008172615 16105 example.com.
+					IexJzu8x2GxGzGrWlceYZmUbry2D+E67py6B
+					/7j2K5IPjNQVGKbItfvqjQTUm+eVrdcwFbyK
+					iiEuVeU7qG5hIw== )
+			3600	DNSKEY	256 3 13 (
+					tGxruia7b3JYm32MDdFLYX1M1e44DQJmXpVM
+					EWDjcNulSNY5sWR/zgDzhqiQSKEKCFolwhB/
+					MFVIF71WNjE65Q==
+					) ; ZSK; alg = ECDSAP256SHA256 ; key id = 16105
+			3600	DNSKEY	257 3 13 (
+					24gAMJg6uXIBEdWkrAXmwP6znng79lTelLDg
+					WxeHbXriSxVPLSTYxrp7SO1FUi2N03v1RXcn
+					5jONJdQYlxLtSg==
+					) ; KSK; alg = ECDSAP256SHA256 ; key id = 17031
+			3600	RRSIG	DNSKEY 13 2 3600 (
+					20601231235959 20201008172615 17031 example.com.
+					Tm4MkXCDkavltvRYnEp/enJzzjyjX3EgI8yY
+					OF2VuJY8uQHD0/uzZF3JTmXj7pkGShAUpFKI
+					Uzn5e3jrGqtMGA== )
+dns1.example.com.	3600	IN A	192.0.2.1
+; wrong RRSIG original-ttl
+			3600	RRSIG	A 13 3 600 (
+					20601231235959 20201008172615 16105 example.com.
+					7J01Zyly+ky0F94kfaDtERQDVyxhHexzqETa
+					qgsemJkH0pP9FKsEY/dTkeZUwCY4EFZeps7C
+					AOKyGTKdqR5N7Q== )
+			86400	NSEC	example.com. A RRSIG NSEC
+			86400	RRSIG	NSEC 13 3 86400 (
+					20601231235959 20201008172615 16105 example.com.
+					0evb+3+rXrrx0f8Za//w6q2acUZPvYbW+Ezj
+					BoJFvwBYHrhyiiVHlfUzmr/jJh9cTEdxPnL3
+					ow6ZUsfF0HJ4hg== )
diff --git a/tests/knot/semantic_check_data/rrsig_signed.signed b/tests/knot/semantic_check_data/rrsig_signed.signed
new file mode 100644
index 0000000..2798026
--- /dev/null
+++ b/tests/knot/semantic_check_data/rrsig_signed.signed
@@ -0,0 +1,62 @@
+dns1.example.com.	86400	RRSIG	RRSIG 7 3 86400 (
+					20840201000000 20160201000000 29600 example.com.
+					DummySignatureDEADBEEF8ijooV1IMfEtki
+					kLbaIvFcgZbPvTnXXHyesHO2OPiRsc7zF576
+					Z6prBT8CkMM7bw== )
+
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	RRSIG	SOA 7 2 3600 (
+					20840201000000 20160201000000 29600 example.com.
+					kINKkWiBvb9Dpb0vghlLhXyObSzsYYNsOqe9
+					pWJN4lI4F2O3T6biPTQPsq3mYMR+6x9gPr6v
+					ysEPHlGtLdTLag== )
+			3600	NS	dns1.example.com.
+			3600	RRSIG	NS 7 2 3600 (
+					20840201000000 20160201000000 29600 example.com.
+					LkagMndC+wJGlQycPDvNmCZ0/QuBB7Zo4UVZ
+					He5jzQrE3Hnq8tn+/QfJ/yn62qCZ87DETwTT
+					rGaLqOTYRb1isg== )
+			86400	NSEC	dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+			86400	RRSIG	NSEC 7 2 86400 (
+					20840201000000 20160201000000 29600 example.com.
+					YDJ1tQvNlv8Y7cGioq8nkbaETx7wmyJKqa0B
+					8hDLClYA4nf9UtyVXqZCISa2PlgRdBc5GEEh
+					U5BuLr4wYXqEFA== )
+			3600	DNSKEY	256 3 7 (
+					AwEAAcvvW/oJAjcRdntRC8J52baXoNFVWOFz
+					oVFe3Vgl8aBBiGh3gnbuNt7xKmy9z2qc2/35
+					MFwieWYfDdgUnPxyKMM=
+					) ; ZSK; alg = NSEC3RSASHA1; key id = 29600
+			3600	DNSKEY	257 3 7 (
+					AwEAAeXCF7sHLcFiaCwCFH4xh2CJcCp55i04
+					exG41EtzILS2waabEM5byhRkoylbv91q6HY+
+					JH9YXitS21LMD0Hqp1s=
+					) ; KSK; alg = NSEC3RSASHA1; key id = 31323
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160201000000 29600 example.com.
+					FPOm8y3e09jh0fv0ZaOecWbdIXDAoERVKdjz
+					qsg1Etop1n6nDhO/lW3pwOUe02Zq2vretu2W
+					DozlDr5E6ZoqPA== )
+			3600	RRSIG	DNSKEY 7 2 3600 (
+					20840201000000 20160201000000 31323 example.com.
+					cZTevjvA8UO9Tqet/pbsN0Peep6aN8heyxMK
+					XP/Twsj4u0DeClKeIN7pd7Gi7Aac/UV2dev/
+					x/90SM22VQVpeQ== )
+dns1.example.com.	3600	IN A	192.0.2.1
+			3600	RRSIG	A 7 3 3600 (
+					20840201000000 20160201000000 29600 example.com.
+					f24sVhH1P/0mEMYTMbFLrWmJtl6kqZF6yzaS
+					TcyK6JhVM4sDT//YnjizJGsTVGSCelz3FxMj
+					LdiUm9AD05uY6A== )
+			86400	NSEC	example.com. A RRSIG NSEC
+			86400	RRSIG	NSEC 7 3 86400 (
+					20840201000000 20160201000000 29600 example.com.
+					FgQ4VD1yDeA+uvJ+o8e1F28ijooV1IMfEtki
+					kLbaIvFcgZbPvTnXXHyesHO2OPiRsc7zF576
+					Z6prBT8CkMM7bw== )
diff --git a/tests/knot/semantic_check_data/rrsig_ttl.signed b/tests/knot/semantic_check_data/rrsig_ttl.signed
new file mode 100644
index 0000000..1aeef78
--- /dev/null
+++ b/tests/knot/semantic_check_data/rrsig_ttl.signed
@@ -0,0 +1,52 @@
+example.com.		3600	IN SOA	dns1.example.com. hostmaster.example.com. (
+					2010111220 ; serial
+					21600      ; refresh (6 hours)
+					3600       ; retry (1 hour)
+					604800     ; expire (1 week)
+					86400      ; minimum (1 day)
+					)
+			3600	RRSIG	SOA 13 2 3600 (
+					20601231235959 20201008165912 34876 example.com.
+					NaUbzn4tb3bsVI4O2YgrefFtZPJSYlLKbVKB
+					HyIqwfQjwdkbIKZ5tqH/IGJagvj8oxeStwF/
+					vEoG9c/o/MNs4g== )
+			3600	NS	dns1.example.com.
+			3600	RRSIG	NS 13 2 3600 (
+					20601231235959 20201008165912 34876 example.com.
+					YZqxQKpj3kxfRHxoQda1z9JD9nmX8uNJTBGV
+					qdMMU3cPOVamTzOqymseQYjBPaaeoxL1kyqk
+					K2w/ixOUCFp8qg== )
+			86400	NSEC	dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+			86400	RRSIG	NSEC 13 2 86400 (
+					20601231235959 20201008165912 34876 example.com.
+					88QLNDpFWd2FIag2vcKGvY1HQFVeOaRIiMU5
+					2VZfLFOPBmuTniTcnPvCt76i5ObPVsWdwJhM
+					/7NVMxoRPfMC1w== )
+			3600	DNSKEY	256 3 13 (
+					9+7buhxES5wZQZ54+O1qQGuRcKz3P3URZwws
+					30CacknPsdcWAy7RN1yYmUjP80geUrxJVQt3
+					boo1BwFW4Rnnsg==
+					) ; ZSK; alg = ECDSAP256SHA256 ; key id = 34876
+			3600	DNSKEY	257 3 13 (
+					eYNrBYFUn5JIhTlS3N0i2aFj1YE8127h3tlb
+					VJP9JAfMMxQT+Mg6lwDpUa0oQkNFbEoHhqrD
+					0pcMvp4VeMgJ7g==
+					) ; KSK; alg = ECDSAP256SHA256 ; key id = 36952
+			3600	RRSIG	DNSKEY 13 2 3600 (
+					20601231235959 20201008165912 36952 example.com.
+					AVF7u7FzDx2ORApl74nP2hcJd4Szs1o1LXH5
+					OWe6JULh80kITEb9zogpCryQu41bYSZYuxMk
+					yeblfo1OEI2DZg== )
+dns1.example.com.	3600	IN A	192.0.2.1
+; TTL of RRSIG differs from original-ttl
+			600	RRSIG	A 13 3 3600 (
+					20601231235959 20201008165912 34876 example.com.
+					+PPg6tDZVS2mbxWXOtVEYTQtjK+CkwRk/WFZ
+					dWgX3rzHPQ9AIexC9vKbXdont3s0xdHpcV/8
+					+Sf+N2h44ZTwMQ== )
+			86400	NSEC	example.com. A RRSIG NSEC
+			86400	RRSIG	NSEC 13 3 86400 (
+					20601231235959 20201008165912 34876 example.com.
+					OCjWQ/5e4SUIWgR84IJLlghKyuowctiZ+b0q
+					eXB0o2qpcWoX6wfxzMlYxGtpgyq3OWKF+R8H
+					UBVCdT+qBt5VOA== )
diff --git a/tests/knot/test_acl.c b/tests/knot/test_acl.c
new file mode 100644
index 0000000..6a66404
--- /dev/null
+++ b/tests/knot/test_acl.c
@@ -0,0 +1,314 @@
+/*  Copyright (C) 2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <assert.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <tap/basic.h>
+
+#include "test_conf.h"
+#include "libknot/libknot.h"
+#include "knot/updates/acl.h"
+#include "contrib/sockaddr.h"
+
+#define ZONE	"example.zone"
+#define ZONE2	"example2.zone"
+#define KEY1	"key1_md5"
+#define KEY2	"key2_md5"
+#define KEY3	"key3_sha256"
+
+static void check_sockaddr_set(struct sockaddr_storage *ss, int family,
+                               const char *straddr, int port)
+{
+	int ret = sockaddr_set(ss, family, straddr, port);
+	ok(ret == 0, "set address '%s'", straddr);
+}
+
+void check_update(conf_t *conf, knot_rrset_t *authority, knot_tsig_key_t *key,
+                  knot_dname_t *zone_name, bool allowed, const char *desc)
+{
+	struct sockaddr_storage addr;
+	check_sockaddr_set(&addr, AF_INET, "1.2.3.4", 0);
+
+	knot_pkt_t *query = knot_pkt_new(NULL, KNOT_WIRE_MAX_PKTSIZE, NULL);
+	assert(query);
+	knot_pkt_begin(query, KNOT_AUTHORITY);
+	knot_pkt_put(query, 0, authority, 0);
+
+	knot_pkt_t *parsed = knot_pkt_new(query->wire, query->size, NULL);
+	ok(knot_pkt_parse(parsed, 0) == KNOT_EOK, "Parse update packet");
+
+	conf_val_t acl = conf_zone_get(conf, C_ACL, zone_name);
+	ok(acl.code == KNOT_EOK, "Get zone ACL");
+
+	bool ret = acl_allowed(conf, &acl, ACL_ACTION_UPDATE, &addr, key,
+	                       zone_name, parsed);
+	ok(ret == allowed, "%s", desc);
+
+	knot_pkt_free(parsed);
+	knot_pkt_free(query);
+}
+
+static void test_acl_allowed(void)
+{
+	int ret;
+	conf_val_t acl;
+	struct sockaddr_storage addr = { 0 };
+
+	knot_dname_t *zone_name = knot_dname_from_str_alloc(ZONE);
+	ok(zone_name != NULL, "create zone dname");
+	knot_dname_t *zone2_name = knot_dname_from_str_alloc(ZONE2);
+	ok(zone2_name != NULL, "create zone2 dname");
+	knot_dname_t *key1_name = knot_dname_from_str_alloc(KEY1);
+	ok(key1_name != NULL, "create "KEY1);
+	knot_dname_t *key2_name = knot_dname_from_str_alloc(KEY2);
+	ok(key2_name != NULL, "create "KEY2);
+	knot_dname_t *key3_name = knot_dname_from_str_alloc(KEY3);
+	ok(key3_name != NULL, "create "KEY3);
+
+	knot_tsig_key_t key0 = { 0 };
+	knot_tsig_key_t key1 = { DNSSEC_TSIG_HMAC_MD5,    key1_name };
+	knot_tsig_key_t key2 = { DNSSEC_TSIG_HMAC_MD5,    key2_name };
+	knot_tsig_key_t key3 = { DNSSEC_TSIG_HMAC_SHA256, key3_name };
+
+	const char *conf_str =
+		"key:\n"
+		"  - id: "KEY1"\n"
+		"    algorithm: hmac-md5\n"
+		"    secret: Zm9v\n"
+		"  - id: "KEY2"\n"
+		"    algorithm: hmac-md5\n"
+		"    secret: Zm9v\n"
+		"  - id: "KEY3"\n"
+		"    algorithm: hmac-sha256\n"
+		"    secret: Zm8=\n"
+		"\n"
+		"remote:\n"
+		"  - id: remote_v6_ko\n"
+		"    address: [ 2009::1 ]\n"
+		"    key: key1_md5\n"
+		"  - id: remote_v6_ok\n"
+		"    address: [ 127.0.0.1, 2001::1 ]\n"
+		"    key: key1_md5\n"
+		"\n"
+		"acl:\n"
+		"  - id: acl_key_addr\n"
+		"    remote: [ remote_v6_ko, remote_v6_ok ]\n"
+		"    action: [ transfer ]\n"
+		"  - id: acl_deny\n"
+		"    address: [ 240.0.0.2 ]\n"
+		"    action: [ notify ]\n"
+		"    deny: on\n"
+		"  - id: acl_no_action_deny\n"
+		"    address: [ 240.0.0.3 ]\n"
+		"    deny: on\n"
+		"  - id: acl_multi_addr\n"
+		"    address: [ 192.168.1.1, 240.0.0.0/24 ]\n"
+		"    action: [ notify, update ]\n"
+		"  - id: acl_multi_key\n"
+		"    key: [ key2_md5, key3_sha256 ]\n"
+		"    action: [ notify, update ]\n"
+		"  - id: acl_range_addr\n"
+		"    address: [ 100.0.0.0-100.0.0.5, ::0-::5 ]\n"
+		"    action: [ transfer ]\n"
+		"  - id: acl_deny_no_action_no_key\n"
+		"    address: [ 240.0.0.4 ]\n"
+		"    deny: on\n"
+		"  - id: acl_notify_key\n"
+		"    address: [ 240.0.0.0/24 ]\n"
+		"    key: "KEY1"\n"
+		"    action: [ notify ]\n"
+		"  - id: acl_update_key\n"
+		"    key: "KEY1"\n"
+		"    update-owner: key\n"
+		"    update-type: [ AAAA, A ]\n"
+		"    action: [ update ]\n"
+		"  - id: acl_update_name\n"
+		"    key: "KEY2"\n"
+		"    update-owner: name\n"
+		"    update-owner-name: [ a, b."KEY2". ]\n"
+		"    update-owner-match: equal\n"
+		"    action: [ update ]\n"
+		"\n"
+		"zone:\n"
+		"  - domain: "ZONE"\n"
+		"    acl: [ acl_key_addr, acl_deny, acl_no_action_deny ]\n"
+		"    acl: [ acl_multi_addr, acl_multi_key ]\n"
+		"    acl: [ acl_range_addr ]\n"
+		"  - domain: "ZONE2"\n"
+		"    acl: [ acl_deny_no_action_no_key, acl_notify_key ]\n"
+		"  - domain: "KEY1"\n"
+		"    acl: acl_update_key\n"
+		"  - domain: "KEY2"\n"
+		"    acl: acl_update_name";
+
+	ret = test_conf(conf_str, NULL);
+	is_int(KNOT_EOK, ret, "Prepare configuration");
+
+	acl = conf_zone_get(conf(), C_ACL, zone_name);
+	ok(acl.code == KNOT_EOK, "Get zone ACL");
+	check_sockaddr_set(&addr, AF_INET6, "2001::1", 0);
+	ret = acl_allowed(conf(), &acl, ACL_ACTION_QUERY, &addr, &key1, zone_name, NULL);
+	ok(ret == true, "Address, key, empty action");
+
+	acl = conf_zone_get(conf(), C_ACL, zone_name);
+	ok(acl.code == KNOT_EOK, "Get zone ACL");
+	check_sockaddr_set(&addr, AF_INET6, "2001::1", 0);
+	ret = acl_allowed(conf(), &acl, ACL_ACTION_TRANSFER, &addr, &key1, zone_name, NULL);
+	ok(ret == true, "Address, key, action match");
+
+	acl = conf_zone_get(conf(), C_ACL, zone_name);
+	ok(acl.code == KNOT_EOK, "Get zone ACL");
+	check_sockaddr_set(&addr, AF_INET6, "2001::2", 0);
+	ret = acl_allowed(conf(), &acl, ACL_ACTION_TRANSFER, &addr, &key1, zone_name, NULL);
+	ok(ret == false, "Address not match, key, action match");
+
+	acl = conf_zone_get(conf(), C_ACL, zone_name);
+	ok(acl.code == KNOT_EOK, "Get zone ACL");
+	check_sockaddr_set(&addr, AF_INET6, "2001::1", 0);
+	ret = acl_allowed(conf(), &acl, ACL_ACTION_TRANSFER, &addr, &key0, zone_name, NULL);
+	ok(ret == false, "Address match, no key, action match");
+
+	acl = conf_zone_get(conf(), C_ACL, zone_name);
+	ok(acl.code == KNOT_EOK, "Get zone ACL");
+	check_sockaddr_set(&addr, AF_INET6, "2001::1", 0);
+	ret = acl_allowed(conf(), &acl, ACL_ACTION_TRANSFER, &addr, &key2, zone_name, NULL);
+	ok(ret == false, "Address match, key not match, action match");
+
+	acl = conf_zone_get(conf(), C_ACL, zone_name);
+	ok(acl.code == KNOT_EOK, "Get zone ACL");
+	check_sockaddr_set(&addr, AF_INET6, "2001::1", 0);
+	ret = acl_allowed(conf(), &acl, ACL_ACTION_NOTIFY, &addr, &key1, zone_name, NULL);
+	ok(ret == false, "Address, key match, action not match");
+
+	acl = conf_zone_get(conf(), C_ACL, zone_name);
+	ok(acl.code == KNOT_EOK, "Get zone ACL");
+	check_sockaddr_set(&addr, AF_INET, "240.0.0.1", 0);
+	ret = acl_allowed(conf(), &acl, ACL_ACTION_NOTIFY, &addr, &key0, zone_name, NULL);
+	ok(ret == true, "Second address match, no key, action match");
+
+	acl = conf_zone_get(conf(), C_ACL, zone_name);
+	ok(acl.code == KNOT_EOK, "Get zone ACL");
+	check_sockaddr_set(&addr, AF_INET, "240.0.0.1", 0);
+	ret = acl_allowed(conf(), &acl, ACL_ACTION_NOTIFY, &addr, &key1, zone_name, NULL);
+	ok(ret == false, "Second address match, extra key, action match");
+
+	acl = conf_zone_get(conf(), C_ACL, zone_name);
+	ok(acl.code == KNOT_EOK, "Get zone ACL");
+	check_sockaddr_set(&addr, AF_INET, "240.0.0.2", 0);
+	ret = acl_allowed(conf(), &acl, ACL_ACTION_NOTIFY, &addr, &key0, zone_name, NULL);
+	ok(ret == false, "Denied address match, no key, action match");
+
+	acl = conf_zone_get(conf(), C_ACL, zone_name);
+	ok(acl.code == KNOT_EOK, "Get zone ACL");
+	check_sockaddr_set(&addr, AF_INET, "240.0.0.2", 0);
+	ret = acl_allowed(conf(), &acl, ACL_ACTION_UPDATE, &addr, &key0, zone_name, NULL);
+	ok(ret == true, "Denied address match, no key, action not match");
+
+	acl = conf_zone_get(conf(), C_ACL, zone_name);
+	ok(acl.code == KNOT_EOK, "Get zone ACL");
+	check_sockaddr_set(&addr, AF_INET, "240.0.0.3", 0);
+	ret = acl_allowed(conf(), &acl, ACL_ACTION_UPDATE, &addr, &key0, zone_name, NULL);
+	ok(ret == false, "Denied address match, no key, no action");
+
+	acl = conf_zone_get(conf(), C_ACL, zone_name);
+	ok(acl.code == KNOT_EOK, "Get zone ACL");
+	check_sockaddr_set(&addr, AF_INET, "1.1.1.1", 0);
+	ret = acl_allowed(conf(), &acl, ACL_ACTION_UPDATE, &addr, &key3, zone_name, NULL);
+	ok(ret == true, "Arbitrary address, second key, action match");
+
+	acl = conf_zone_get(conf(), C_ACL, zone_name);
+	ok(acl.code == KNOT_EOK, "Get zone ACL");
+	check_sockaddr_set(&addr, AF_INET, "100.0.0.1", 0);
+	ret = acl_allowed(conf(), &acl, ACL_ACTION_TRANSFER, &addr, &key0, zone_name, NULL);
+	ok(ret == true, "IPv4 address from range, no key, action match");
+
+	acl = conf_zone_get(conf(), C_ACL, zone_name);
+	ok(acl.code == KNOT_EOK, "Get zone ACL");
+	check_sockaddr_set(&addr, AF_INET6, "::1", 0);
+	ret = acl_allowed(conf(), &acl, ACL_ACTION_TRANSFER, &addr, &key0, zone_name, NULL);
+	ok(ret == true, "IPv6 address from range, no key, action match");
+
+	acl = conf_zone_get(conf(), C_ACL, zone2_name);
+	ok(acl.code == KNOT_EOK, "Get zone2 ACL");
+	check_sockaddr_set(&addr, AF_INET, "240.0.0.4", 0);
+	ret = acl_allowed(conf(), &acl, ACL_ACTION_NOTIFY, &addr, &key1, zone2_name, NULL);
+	ok(ret == false, "Address, key, action, denied");
+
+	acl = conf_zone_get(conf(), C_ACL, zone2_name);
+	ok(acl.code == KNOT_EOK, "Get zone2 ACL");
+	check_sockaddr_set(&addr, AF_INET, "240.0.0.1", 0);
+	ret = acl_allowed(conf(), &acl, ACL_ACTION_NOTIFY, &addr, &key1, zone2_name, NULL);
+	ok(ret == true, "Address, key, action, match");
+
+	knot_rrset_t A;
+	knot_rrset_init(&A, key1_name, KNOT_RRTYPE_A, KNOT_CLASS_IN, 3600);
+	knot_rrset_add_rdata(&A, (uint8_t *)"\x00\x00\x00\x00", 4, NULL);
+	check_update(conf(), &A, &key1, key1_name, true, "Update, tsig, type");
+
+	check_update(conf(), &A, &key2, key2_name, false, "Update, tsig, bad name");
+	knot_rdataset_clear(&A.rrs, NULL);
+
+	knot_rrset_t MX;
+	knot_rrset_init(&MX, key1_name, KNOT_RRTYPE_MX, KNOT_CLASS_IN, 3600);
+	knot_rrset_add_rdata(&MX, (uint8_t *)"\x00\x00\x00", 3, NULL);
+	check_update(conf(), &MX, &key1, key1_name, false, "Update, tsig, bad type");
+	knot_rdataset_clear(&MX.rrs, NULL);
+
+	knot_rrset_t aA;
+	knot_dname_t *a_key2_name = knot_dname_from_str_alloc("a."KEY2".");
+	ok(a_key2_name != NULL, "create a."KEY2".");
+	knot_rrset_init(&aA, a_key2_name, KNOT_RRTYPE_A, KNOT_CLASS_IN, 3600);
+	knot_rrset_add_rdata(&aA, (uint8_t *)"\x00\x00\x00\x00", 4, NULL);
+	check_update(conf(), &aA, &key2, key2_name, true, "Update, tsig, relative name");
+	knot_dname_free(a_key2_name, NULL);
+	knot_rdataset_clear(&aA.rrs, NULL);
+
+	knot_rrset_t bA;
+	knot_dname_t *b_key2_name = knot_dname_from_str_alloc("b."KEY2".");
+	ok(b_key2_name != NULL, "create b."KEY2".");
+	knot_rrset_init(&bA, b_key2_name, KNOT_RRTYPE_A, KNOT_CLASS_IN, 3600);
+	knot_rrset_add_rdata(&bA, (uint8_t *)"\x00\x00\x00\x00", 4, NULL);
+	check_update(conf(), &bA, &key2, key2_name, true, "Update, tsig, absolute name");
+	knot_dname_free(b_key2_name, NULL);
+	knot_rdataset_clear(&bA.rrs, NULL);
+
+	knot_rrset_t aaA;
+	knot_dname_t *aa_key2_name = knot_dname_from_str_alloc("a.a."KEY2);
+	ok(aa_key2_name != NULL, "create a.a."KEY2);
+	knot_rrset_init(&aaA, aa_key2_name, KNOT_RRTYPE_A, KNOT_CLASS_IN, 3600);
+	knot_rrset_add_rdata(&aaA, (uint8_t *)"\x00\x00\x00\x00", 4, NULL);
+	check_update(conf(), &aaA, &key2, key2_name, false, "Update, tsig, bad name");
+	knot_dname_free(aa_key2_name, NULL);
+	knot_rdataset_clear(&aaA.rrs, NULL);
+
+	conf_free(conf());
+	knot_dname_free(zone_name, NULL);
+	knot_dname_free(zone2_name, NULL);
+	knot_dname_free(key1_name, NULL);
+	knot_dname_free(key2_name, NULL);
+	knot_dname_free(key3_name, NULL);
+}
+
+int main(int argc, char *argv[])
+{
+	plan_lazy();
+
+	diag("acl_allowed");
+	test_acl_allowed();
+
+	return 0;
+}
diff --git a/tests/knot/test_changeset.c b/tests/knot/test_changeset.c
new file mode 100644
index 0000000..6775b76
--- /dev/null
+++ b/tests/knot/test_changeset.c
@@ -0,0 +1,166 @@
+/*  Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+#include <assert.h>
+#include <tap/basic.h>
+
+#include "libknot/errcode.h"
+#include "libknot/error.h"
+#include "knot/updates/changesets.h"
+
+int main(int argc, char *argv[])
+{
+	plan_lazy();
+
+	// Test with NULL changeset
+	ok(changeset_size(NULL) == 0, "changeset: NULL size");
+	ok(changeset_empty(NULL), "changeset: NULL empty");
+
+	// Test creation.
+	knot_dname_t *d = knot_dname_from_str_alloc("test.");
+	assert(d);
+	changeset_t *ch = changeset_new(d);
+	knot_dname_free(d, NULL);
+	ok(ch != NULL, "changeset: new");
+	if (!ch) {
+		return 1;
+	}
+	ok(changeset_empty(ch), "changeset: empty");
+	ch->soa_to = (knot_rrset_t *)0xdeadbeef;
+	ok(!changeset_empty(ch), "changeset: empty SOA");
+	ch->soa_to = NULL;
+	ok(changeset_size(ch) == 0, "changeset: empty size");
+
+	// Test additions.
+	d = knot_dname_from_str_alloc("non.terminals.test.");
+	assert(d);
+	knot_rrset_t *apex_txt_rr = knot_rrset_new(d, KNOT_RRTYPE_TXT, KNOT_CLASS_IN, 3600, NULL);
+	assert(apex_txt_rr);
+	uint8_t data[8] = "\7teststr";
+	knot_rrset_add_rdata(apex_txt_rr, data, sizeof(data), NULL);
+
+	int ret = changeset_add_addition(ch, apex_txt_rr, CHANGESET_CHECK);
+	is_int(KNOT_EOK, ret, "changeset: add RRSet");
+	ok(changeset_size(ch) == 1, "changeset: size add");
+	ret = changeset_add_removal(ch, apex_txt_rr, CHANGESET_CHECK);
+	is_int(KNOT_EOK, ret, "changeset: rem RRSet");
+	ok(changeset_size(ch) == 0, "changeset: size remove");
+	ok(changeset_empty(ch), "changeset: empty");
+	changeset_add_addition(ch, apex_txt_rr, CHANGESET_CHECK);
+
+	// Add another RR to node.
+	knot_rrset_t *apex_spf_rr = knot_rrset_new(d, KNOT_RRTYPE_SPF, KNOT_CLASS_IN, 3600, NULL);
+	assert(apex_spf_rr);
+	knot_rrset_add_rdata(apex_spf_rr, data, sizeof(data), NULL);
+	ret = changeset_add_addition(ch, apex_spf_rr, CHANGESET_CHECK);
+	is_int(KNOT_EOK, ret, "changeset: add multiple");
+
+	// Add another node.
+	knot_dname_free(d, NULL);
+	d = knot_dname_from_str_alloc("here.come.more.non.terminals.test");
+	assert(d);
+	knot_rrset_t *other_rr = knot_rrset_new(d, KNOT_RRTYPE_TXT, KNOT_CLASS_IN, 3600, NULL);
+	assert(other_rr);
+	knot_rrset_add_rdata(other_rr, data, sizeof(data), NULL);
+	ret = changeset_add_addition(ch, other_rr, CHANGESET_CHECK);
+	is_int(KNOT_EOK, ret, "changeset: remove multiple");
+
+	// Test add traversal.
+	changeset_iter_t it;
+	ret = changeset_iter_add(&it, ch);
+	is_int(KNOT_EOK, ret, "changeset: create iter add");
+	// Order: non.terminals.test. TXT, SPF, here.come.more.non.terminals.test. TXT.
+	knot_rrset_t iter = changeset_iter_next(&it);
+	bool trav_ok = knot_rrset_equal(&iter, apex_txt_rr, true);
+	iter = changeset_iter_next(&it);
+	trav_ok = trav_ok && knot_rrset_equal(&iter, apex_spf_rr, true);
+	iter = changeset_iter_next(&it);
+	trav_ok = trav_ok && knot_rrset_equal(&iter, other_rr, true);
+
+	ok(trav_ok, "changeset: add traversal");
+
+	iter = changeset_iter_next(&it);
+	changeset_iter_clear(&it);
+	ok(knot_rrset_empty(&iter), "changeset: traversal: skip non-terminals");
+
+	changeset_add_removal(ch, apex_txt_rr, CHANGESET_CHECK);
+	changeset_add_removal(ch, apex_txt_rr, CHANGESET_CHECK);
+
+	// Test remove traversal.
+	ret = changeset_iter_rem(&it, ch);
+	is_int(KNOT_EOK, ret, "changeset: create iter rem");
+	iter = changeset_iter_next(&it);
+	ok(knot_rrset_equal(&iter, apex_txt_rr, true),
+	   "changeset: rem traversal");
+	changeset_iter_clear(&it);
+
+	// Test all traversal - just count.
+	ret = changeset_iter_all(&it, ch);
+	is_int(KNOT_EOK, ret, "changeset: create iter all");
+	size_t size = 0;
+	iter = changeset_iter_next(&it);
+	while (!knot_rrset_empty(&iter)) {
+		++size;
+		iter = changeset_iter_next(&it);
+	}
+	changeset_iter_clear(&it);
+	ok(size == 3, "changeset: iter all");
+
+	// Create new changeset.
+	knot_dname_free(d, NULL);
+	d = knot_dname_from_str_alloc("test.");
+	assert(d);
+	changeset_t *ch2 = changeset_new(d);
+	knot_dname_free(d, NULL);
+	assert(ch2);
+	// Add something to add section.
+	knot_dname_free(apex_txt_rr->owner, NULL);
+	apex_txt_rr->owner = knot_dname_from_str_alloc("something.test.");
+	assert(apex_txt_rr->owner);
+	ret = changeset_add_addition(ch2, apex_txt_rr, CHANGESET_CHECK);
+	assert(ret == KNOT_EOK);
+
+	// Add something to remove section.
+	knot_dname_free(apex_txt_rr->owner, NULL);
+	apex_txt_rr->owner =
+		knot_dname_from_str_alloc("and.now.for.something.completely.different.test.");
+	assert(apex_txt_rr->owner);
+	ret = changeset_add_removal(ch2, apex_txt_rr, CHANGESET_CHECK);
+	assert(ret == KNOT_EOK);
+
+	// Test merge.
+	ret = changeset_merge(ch, ch2, 0);
+	ok(ret == KNOT_EOK && changeset_size(ch) == 5, "changeset: merge");
+
+	// Test cleanup.
+	changeset_clear(ch);
+	ok(changeset_empty(ch), "changeset: clear");
+	free(ch);
+
+	list_t chgs;
+	init_list(&chgs);
+	add_head(&chgs, &ch2->n);
+	changesets_clear(&chgs);
+	ok(changeset_empty(ch2), "changeset: clear list");
+	free(ch2);
+
+	knot_rrset_free(apex_txt_rr, NULL);
+	knot_rrset_free(apex_spf_rr, NULL);
+	knot_rrset_free(other_rr, NULL);
+
+	return 0;
+}
diff --git a/tests/knot/test_conf.c b/tests/knot/test_conf.c
new file mode 100644
index 0000000..cc625ed
--- /dev/null
+++ b/tests/knot/test_conf.c
@@ -0,0 +1,274 @@
+/*  Copyright (C) 2022 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#define CONFIG_DIR	"/tmp"
+
+#include <tap/basic.h>
+
+#include "knot/conf/conf.c"
+#include "test_conf.h"
+
+#define ZONE_ARPA	"0/25.2.0.192.in-addr.arpa."
+#define ZONE_ROOT	"."
+#define ZONE_1LABEL	"x."
+#define ZONE_3LABEL	"abc.ab.a."
+#define ZONE_UNKNOWN	"unknown."
+
+static void check_name(const char *zone, const char *name, const char *ref)
+{
+	knot_dname_t *z = knot_dname_from_str_alloc(zone);
+
+	char *file = get_filename(conf(), NULL, z, name);
+	ok(file != NULL, "Get zonefile path for %s", zone);
+	if (file != NULL) {
+		ok(strcmp(file, ref) == 0, "Zonefile path compare %s", name);
+		free(file);
+	}
+
+	knot_dname_free(z, NULL);
+}
+
+static void check_name_err(const char *zone, const char *name)
+{
+	knot_dname_t *z = knot_dname_from_str_alloc(zone);
+
+	char *filename = get_filename(conf(), NULL, z, name);
+	ok(filename == NULL, "Invalid name %s", name);
+	free(filename);
+
+	knot_dname_free(z, NULL);
+}
+
+static void test_get_filename(void)
+{
+	int ret = test_conf("", NULL);
+	is_int(KNOT_EOK, ret, "Prepare empty configuration");
+
+	// Name formatter.
+	char *zone = "abc";
+	check_name(zone, "/%s", "/abc");
+
+	zone = ".";
+	check_name(zone, "/%s", "/");
+
+	// Char formatter.
+	zone = "abc.def.g";
+	check_name(zone, "/%c[0]", "/a");
+	check_name(zone, "/%c[3]", "/.");
+	check_name(zone, "/%c[8]", "/g");
+	check_name(zone, "/%c[9]", "/.");
+	check_name(zone, "/%c[10]", "/");
+	check_name(zone, "/%c[255]", "/");
+	check_name(zone, "/%c[0-1]", "/ab");
+	check_name(zone, "/%c[1-1]", "/b");
+	check_name(zone, "/%c[1-3]", "/bc.");
+	check_name(zone, "/%c[1-4]", "/bc.d");
+	check_name(zone, "/%c[254-255]", "/");
+	check_name_err(zone, "/%c");
+	check_name_err(zone, "/%cx");
+	check_name_err(zone, "/%c[a]");
+	check_name_err(zone, "/%c[:]");
+	check_name_err(zone, "/%c[/]");
+	check_name_err(zone, "/%c[-1]");
+	check_name_err(zone, "/%c[256]");
+	check_name_err(zone, "/%c[");
+	check_name_err(zone, "/%c[1");
+	check_name_err(zone, "/%c[1-");
+	check_name_err(zone, "/%c[1-2");
+	check_name_err(zone, "/%c[1-b]");
+	check_name_err(zone, "/%c[8-0]");
+
+	zone = "abcd";
+	check_name(zone, "/%c[2-9]", "/cd.");
+	check_name(zone, "/%c[3]", "/d");
+	check_name(zone, "/%c[4]", "/.");
+
+	zone = ".";
+	check_name(zone, "/%c[0]", "/.");
+	check_name(zone, "/%c[1]", "/");
+
+	// Label formatter.
+	zone = "abc.def.gh";
+	check_name(zone, "/%l[0]", "/gh");
+	check_name(zone, "/%l[1]", "/def");
+	check_name(zone, "/%l[2]", "/abc");
+	check_name(zone, "/%l[3]", "/");
+	check_name(zone, "/%l[255]", "/");
+	check_name(zone, "/%l[0]-%l[1]-%l[2]", "/gh-def-abc");
+	check_name_err(zone, "/%l[0-1]");
+	check_name_err(zone, "/%l[-1]");
+	check_name_err(zone, "/%l[256]");
+
+	zone = ".";
+	check_name(zone, "/%l[0]", "/");
+	check_name(zone, "/%l[1]", "/");
+
+	test_conf_free();
+}
+
+static void test_conf_zonefile(void)
+{
+	int ret;
+	char *file;
+
+	knot_dname_t *zone_arpa = knot_dname_from_str_alloc(ZONE_ARPA);
+	ok(zone_arpa != NULL, "create dname "ZONE_ARPA);
+	knot_dname_t *zone_root = knot_dname_from_str_alloc(ZONE_ROOT);
+	ok(zone_root != NULL, "create dname "ZONE_ROOT);
+	knot_dname_t *zone_1label = knot_dname_from_str_alloc(ZONE_1LABEL);
+	ok(zone_1label != NULL, "create dname "ZONE_1LABEL);
+	knot_dname_t *zone_3label = knot_dname_from_str_alloc(ZONE_3LABEL);
+	ok(zone_3label != NULL, "create dname "ZONE_3LABEL);
+	knot_dname_t *zone_unknown = knot_dname_from_str_alloc(ZONE_UNKNOWN);
+	ok(zone_unknown != NULL, "create dname "ZONE_UNKNOWN);
+
+	const char *conf_str =
+		"template:\n"
+		"  - id: default\n"
+		"    storage: /tmp\n"
+		"\n"
+		"zone:\n"
+		"  - domain: "ZONE_ARPA"\n"
+		"    file: dir/a%%b/%s.suffix/%a\n"
+		"  - domain: "ZONE_ROOT"\n"
+		"    file: /%s\n"
+		"  - domain: "ZONE_1LABEL"\n"
+		"    file: /%s\n"
+		"  - domain: "ZONE_3LABEL"\n";
+
+	ret = test_conf(conf_str, NULL);
+	is_int(KNOT_EOK, ret, "Prepare configuration");
+
+	// Relative path with formatters.
+	file = conf_zonefile(conf(), zone_arpa);
+	ok(file != NULL, "Get zonefile path for "ZONE_ARPA);
+	if (file != NULL) {
+		ok(strcmp(file, "/tmp/dir/a%b/0_25.2.0.192.in-addr.arpa.suffix/") == 0,
+		          "Zonefile path compare for "ZONE_ARPA);
+		free(file);
+	}
+
+	// Absolute path without formatters - root zone.
+	file = conf_zonefile(conf(), zone_root);
+	ok(file != NULL, "Get zonefile path for "ZONE_ROOT);
+	if (file != NULL) {
+		ok(strcmp(file, "/") == 0,
+		          "Zonefile path compare for "ZONE_ROOT);
+		free(file);
+	}
+
+	// Absolute path without formatters - non-root zone.
+	file = conf_zonefile(conf(), zone_1label);
+	ok(file != NULL, "Get zonefile path for "ZONE_1LABEL);
+	if (file != NULL) {
+		ok(strcmp(file, "/x") == 0,
+		          "Zonefile path compare for "ZONE_1LABEL);
+		free(file);
+	}
+
+	// Default zonefile path.
+	file = conf_zonefile(conf(), zone_3label);
+	ok(file != NULL, "Get zonefile path for "ZONE_3LABEL);
+	if (file != NULL) {
+		ok(strcmp(file, "/tmp/abc.ab.a.zone") == 0,
+		          "Zonefile path compare for "ZONE_3LABEL);
+		free(file);
+	}
+
+	// Unknown zone zonefile path.
+	file = conf_zonefile(conf(), zone_unknown);
+	ok(file != NULL, "Get zonefile path for "ZONE_UNKNOWN);
+	if (file != NULL) {
+		ok(strcmp(file, "/tmp/unknown.zone") == 0,
+		          "Zonefile path compare for "ZONE_UNKNOWN);
+		free(file);
+	}
+
+	test_conf_free();
+	knot_dname_free(zone_arpa, NULL);
+	knot_dname_free(zone_root, NULL);
+	knot_dname_free(zone_1label, NULL);
+	knot_dname_free(zone_3label, NULL);
+	knot_dname_free(zone_unknown, NULL);
+}
+
+static void test_mix_ref(void)
+{
+	const char *conf_string =
+		"remote:\n"
+		"  - id: r1\n"
+		"    address: ::1\n"
+		"  - id: r2\n"
+		"    address: ::2\n"
+		"  - id: r3\n"
+		"    address: ::3\n"
+		"  - id: r4\n"
+		"    address: ::4\n"
+		"  - id: r5\n"
+		"    address: ::5\n"
+		"remotes:\n"
+		"  - id: rs2\n"
+		"    remote: [r2]\n"
+		"  - id: rs45\n"
+		"    remote: [r4, r5]\n"
+		"\n"
+		"submission:\n"
+		"  - id: t1\n"
+		"    parent: [r1, rs2, r3, rs45]\n"
+		"  - id: t2\n"
+		"    parent: [rs45, r2, r1]\n";
+
+	int ret = test_conf(conf_string, NULL);
+	is_int(KNOT_EOK, ret, "Prepare configuration");
+
+	size_t cnt1 = 0;
+	conf_val_t test1 = conf_rawid_get(conf(), C_SBM, C_PARENT, (const uint8_t *)"t1", 3);
+	conf_mix_iter_t iter1;
+	conf_mix_iter_init(conf(), &test1, &iter1);
+	while (iter1.id->code == KNOT_EOK) {
+		cnt1++;
+		conf_mix_iter_next(&iter1);
+	}
+	is_int(5, cnt1, "number of mixed references 1");
+
+	size_t cnt2 = 0;
+	conf_val_t test2 = conf_rawid_get(conf(), C_SBM, C_PARENT, (const uint8_t *)"t2", 3);
+	conf_mix_iter_t iter2;
+	conf_mix_iter_init(conf(), &test2, &iter2);
+	while (iter2.id->code == KNOT_EOK) {
+		cnt2++;
+		conf_mix_iter_next(&iter2);
+	}
+	is_int(4, cnt2, "number of mixed references 2");
+
+	test_conf_free();
+}
+
+int main(int argc, char *argv[])
+{
+	plan_lazy();
+
+	diag("get_filename");
+	test_get_filename();
+
+	diag("conf_zonefile");
+	test_conf_zonefile();
+
+	diag("mixed references");
+	test_mix_ref();
+
+	return 0;
+}
diff --git a/tests/knot/test_conf.h b/tests/knot/test_conf.h
new file mode 100644
index 0000000..1297ec0
--- /dev/null
+++ b/tests/knot/test_conf.h
@@ -0,0 +1,50 @@
+/*  Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#pragma once
+
+#include "knot/conf/conf.h"
+#include "libknot/errcode.h"
+
+/* Prepare server configuration. */
+static inline int test_conf(const char *conf_str, const yp_item_t *schema)
+{
+	// Use default schema if not specified.
+	if (schema == NULL) {
+		schema = conf_schema;
+	}
+
+	conf_t *new_conf = NULL;
+	int ret = conf_new(&new_conf, schema, NULL, 2 * 1024 * 1024, CONF_FNONE);
+	if (ret != KNOT_EOK) {
+		return ret;
+	}
+
+	ret = conf_import(new_conf, conf_str, false, false);
+	if (ret != KNOT_EOK) {
+		conf_free(new_conf);
+		return ret;
+	}
+
+	conf_update(new_conf, CONF_UPD_FNONE);
+
+	return KNOT_EOK;
+}
+
+static inline void test_conf_free(void)
+{
+	conf_update(NULL, CONF_UPD_FNONE);
+}
diff --git a/tests/knot/test_conf_tools.c b/tests/knot/test_conf_tools.c
new file mode 100644
index 0000000..dc83a06
--- /dev/null
+++ b/tests/knot/test_conf_tools.c
@@ -0,0 +1,74 @@
+/*  Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <tap/basic.h>
+
+#include "libknot/yparser/yptrafo.h"
+#include "knot/conf/tools.h"
+#include "libknot/libknot.h"
+
+static void mod_id_test(const char *txt, const char *val)
+{
+	int ret;
+	uint8_t b[64];
+	size_t b_len = sizeof(b);
+	char t[64];
+	size_t t_len = sizeof(t);
+	yp_item_t i = { NULL, YP_TDATA, YP_VDATA = { 0, NULL,
+	                                             mod_id_to_bin,
+	                                             mod_id_to_txt } };
+
+	diag("module id \"%s\":", txt);
+	ret = yp_item_to_bin(&i, txt, strlen(txt), b, &b_len);
+	is_int(KNOT_EOK, ret, "txt to bin");
+	ok(memcmp(b, val, b_len) == 0, "compare");
+	ret = yp_item_to_txt(&i, b, b_len, t, &t_len, YP_SNOQUOTE);
+	is_int(KNOT_EOK, ret, "bin to txt");
+	ok(strlen(t) == t_len, "txt ret length");
+	ok(strlen(txt) == t_len, "txt length");
+	ok(memcmp(txt, t, t_len) == 0, "compare");
+}
+
+static void mod_id_bad_test(const char *txt, int code)
+{
+	int ret;
+	uint8_t b[64];
+	size_t b_len = sizeof(b);
+	yp_item_t i = { NULL, YP_TDATA, YP_VDATA = { 0, NULL,
+	                                             mod_id_to_bin,
+	                                             mod_id_to_txt } };
+
+	diag("module id \"%s\":", txt);
+	ret = yp_item_to_bin(&i, txt, strlen(txt), b, &b_len);
+	ok(ret == code, "invalid txt to bin");
+}
+
+int main(int argc, char *argv[])
+{
+	plan_lazy();
+
+	/* Module id tests. */
+	mod_id_test("module/id", "\x06moduleid");
+	mod_id_test("module", "\x06module");
+	mod_id_bad_test("module/", KNOT_EINVAL);
+	mod_id_bad_test("/", KNOT_EINVAL);
+	mod_id_bad_test("/id", KNOT_EINVAL);
+
+	return 0;
+}
diff --git a/tests/knot/test_confdb.c b/tests/knot/test_confdb.c
new file mode 100644
index 0000000..e149f8d
--- /dev/null
+++ b/tests/knot/test_confdb.c
@@ -0,0 +1,489 @@
+/*  Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <tap/basic.h>
+
+#include "test_conf.h"
+#include "knot/conf/confdb.c"
+
+static void check_db_content(conf_t *conf, knot_db_txn_t *txn, int count)
+{
+	ok(db_check_version(conf, txn) == KNOT_EOK, "Version check");
+	if (count >= 0) {
+		ok(conf->api->count(txn) == 1 + count, "Check DB entries count");
+	}
+}
+
+static void check_code(
+	conf_t *conf,
+	knot_db_txn_t *txn,
+	uint8_t section_code,
+	const yp_name_t *name,
+	db_action_t action,
+	int ret,
+	uint8_t ref_code)
+{
+	uint8_t code = 0;
+	ok(db_code(conf, txn, section_code, name, action, &code) == ret,
+	   "Compare DB code return");
+
+	if (ret != KNOT_EOK) {
+		return;
+	}
+
+	uint8_t k[64] = { section_code, 0 };
+	memcpy(k + 2, name + 1, name[0]);
+	knot_db_val_t key = { .data = k, .len = 2 + name[0] };
+	knot_db_val_t val;
+
+	ret = conf->api->find(txn, &key, &val, 0);
+	switch (action) {
+	case DB_GET:
+	case DB_SET:
+		ok(code == ref_code, "Compare DB code");
+		is_int(KNOT_EOK, ret, "Find DB code");
+		ok(val.len == 1, "Compare DB code length");
+		ok(((uint8_t *)val.data)[0] == code, "Compare DB code value");
+		break;
+	case DB_DEL:
+		is_int(KNOT_ENOENT, ret, "Find item code");
+		break;
+	}
+}
+
+static void test_db_code(conf_t *conf, knot_db_txn_t *txn)
+{
+	// Add codes.
+	check_code(conf, txn, 0, C_SERVER, DB_SET, KNOT_EOK, KEY1_FIRST);
+	check_db_content(conf, txn, 1);
+	check_code(conf, txn, 0, C_LOG, DB_SET, KNOT_EOK, KEY1_FIRST + 1);
+	check_db_content(conf, txn, 2);
+	check_code(conf, txn, 2, C_IDENT, DB_SET, KNOT_EOK, KEY1_FIRST);
+	check_db_content(conf, txn, 3);
+	check_code(conf, txn, 0, C_ZONE, DB_SET, KNOT_EOK, KEY1_FIRST + 2);
+	check_db_content(conf, txn, 4);
+	check_code(conf, txn, 2, C_VERSION, DB_SET, KNOT_EOK, KEY1_FIRST + 1);
+	check_db_content(conf, txn, 5);
+
+	// Add existing code (no change).
+	check_code(conf, txn, 0, C_SERVER, DB_SET, KNOT_EOK, KEY1_FIRST);
+	check_db_content(conf, txn, 5);
+
+	// Get codes.
+	check_code(conf, txn, 0, C_SERVER, DB_GET, KNOT_EOK, KEY1_FIRST);
+	check_db_content(conf, txn, 5);
+	check_code(conf, txn, 0, C_RMT, DB_GET, KNOT_ENOENT, 0);
+	check_db_content(conf, txn, 5);
+
+	// Delete not existing code.
+	check_code(conf, txn, 0, C_COMMENT, DB_DEL, KNOT_ENOENT, 0);
+	check_db_content(conf, txn, 5);
+
+	// Delete codes.
+	check_code(conf, txn, 0, C_SERVER, DB_DEL, KNOT_EOK, 0);
+	check_db_content(conf, txn, 4);
+	check_code(conf, txn, 2, C_IDENT, DB_DEL, KNOT_EOK, 0);
+	check_db_content(conf, txn, 3);
+
+	// Reuse deleted codes.
+	check_code(conf, txn, 0, C_ACL, DB_SET, KNOT_EOK, KEY1_FIRST);
+	check_db_content(conf, txn, 4);
+	check_code(conf, txn, 2, C_NSID, DB_SET, KNOT_EOK, KEY1_FIRST);
+	check_db_content(conf, txn, 5);
+}
+
+static void check_set(
+	conf_t *conf,
+	knot_db_txn_t *txn,
+	const yp_name_t *key0,
+	const yp_name_t *key1,
+	const uint8_t *id,
+	size_t id_len,
+	int ret,
+	const uint8_t *data,
+	size_t data_len,
+	const uint8_t *exp_data,
+	size_t exp_data_len)
+{
+	ok(conf_db_set(conf, txn, key0, key1, id, id_len, data, data_len) == ret,
+	   "Check set return");
+
+	if (ret != KNOT_EOK || (key1 == NULL && id == NULL)) {
+		return;
+	}
+
+	uint8_t section_code, item_code;
+	section_code = 0, item_code = 0; // prevents Wuninitialized
+	ok(db_code(conf, txn, KEY0_ROOT, key0, DB_GET, &section_code) == KNOT_EOK,
+	   "Get DB section code");
+	if (key1 != NULL) {
+		ok(db_code(conf, txn, section_code, key1, DB_GET, &item_code) == KNOT_EOK,
+		   "Get DB item code");
+	} else {
+		item_code = KEY1_ID;
+	}
+
+	uint8_t k[64] = { section_code, item_code };
+	if (id != NULL) {
+		memcpy(k + 2, id, id_len);
+	}
+	knot_db_val_t key = { .data = k, .len = 2 + id_len };
+	knot_db_val_t val;
+
+	ok(conf->api->find(txn, &key, &val, 0) == KNOT_EOK, "Get inserted data");
+	ok(val.len == exp_data_len, "Compare data length");
+	ok(memcmp(val.data, exp_data, exp_data_len) == 0, "Compare data");
+
+	check_db_content(conf, txn, -1);
+}
+
+static void test_conf_db_set(conf_t *conf, knot_db_txn_t *txn)
+{
+	// Set section without item - noop.
+	check_set(conf, txn, C_INCL, NULL, NULL, 0, KNOT_EOK, NULL, 0, NULL, 0);
+
+	// Set singlevalued item.
+	check_set(conf, txn, C_SERVER, C_RUNDIR, NULL, 0, KNOT_EOK,
+	          (uint8_t *)"\0", 1, (uint8_t *)"\0", 1);
+	check_set(conf, txn, C_SERVER, C_RUNDIR, NULL, 0, KNOT_EOK,
+	          (uint8_t *)"a b\0", 4, (uint8_t *)"a b\0", 4);
+
+	// Set multivalued item.
+	check_set(conf, txn, C_SERVER, C_LISTEN, NULL, 0, KNOT_EOK,
+	          (uint8_t *)"\0", 1, (uint8_t *)"\x00\x01""\0", 3);
+	check_set(conf, txn, C_SERVER, C_LISTEN, NULL, 0, KNOT_EOK,
+	          (uint8_t *)"a\0", 2, (uint8_t *)"\x00\x01""\0""\x00\x02""a\0", 7);
+	check_set(conf, txn, C_SERVER, C_LISTEN, NULL, 0, KNOT_EOK,
+	          (uint8_t *)"b\0", 2, (uint8_t *)"\x00\x01""\0""\x00\x02""a\0""\x00\x02""b\0", 11);
+
+	// Set group id.
+	check_set(conf, txn, C_ZONE, NULL, (uint8_t *)"id", 2, KNOT_EOK,
+	          NULL, 0, (uint8_t *)"", 0);
+
+	// Set singlevalued item with id.
+	check_set(conf, txn, C_ZONE, C_FILE, (uint8_t *)"id", 2, KNOT_EOK,
+	          (uint8_t *)"\0", 1, (uint8_t *)"\0", 1);
+	check_set(conf, txn, C_ZONE, C_FILE, (uint8_t *)"id", 2, KNOT_EOK,
+	          (uint8_t *)"a b\0", 4, (uint8_t *)"a b\0", 4);
+
+	// Set multivalued item with id.
+	check_set(conf, txn, C_ZONE, C_MASTER, (uint8_t *)"id", 2, KNOT_EOK,
+	          (uint8_t *)"\0", 1, (uint8_t *)"\x00\x01""\0", 3);
+	check_set(conf, txn, C_ZONE, C_MASTER, (uint8_t *)"id", 2, KNOT_EOK,
+	          (uint8_t *)"a\0", 2, (uint8_t *)"\x00\x01""\0""\x00\x02""a\0", 7);
+	check_set(conf, txn, C_ZONE, C_MASTER, (uint8_t *)"id", 2, KNOT_EOK,
+	          (uint8_t *)"b\0", 2, (uint8_t *)"\x00\x01""\0""\x00\x02""a\0""\x00\x02""b\0", 11);
+
+	// ERR set invalid section.
+	check_set(conf, txn, C_MASTER, NULL, NULL, 0, KNOT_YP_EINVAL_ITEM,
+	          NULL, 0, NULL, 0);
+
+	// ERR set invalid item.
+	check_set(conf, txn, C_SERVER, C_DOMAIN, NULL, 0, KNOT_YP_EINVAL_ITEM,
+	          NULL, 0, NULL, 0);
+
+	// ERR redefine section id.
+	check_set(conf, txn, C_ZONE, NULL, (uint8_t *)"id", 2, KNOT_CONF_EREDEFINE,
+	          NULL, 0, NULL, 0);
+
+	// ERR set singlevalued item with non-existing id.
+	check_set(conf, txn, C_ZONE, C_FILE, (uint8_t *)"idx", 3, KNOT_YP_EINVAL_ID,
+	          NULL, 0, NULL, 0);
+}
+
+static void check_get(
+	conf_t *conf,
+	knot_db_txn_t *txn,
+	const yp_name_t *key0,
+	const yp_name_t *key1,
+	const uint8_t *id,
+	size_t id_len,
+	int ret,
+	const uint8_t *exp_data,
+	size_t exp_data_len)
+{
+	conf_val_t val;
+	ok(conf_db_get(conf, txn, key0, key1, id, id_len, &val) == ret,
+	   "Check get return");
+
+	if (ret != KNOT_EOK) {
+		return;
+	}
+
+	ok(val.blob_len == exp_data_len, "Compare data length");
+	ok(val.blob != NULL && memcmp(val.blob, exp_data, exp_data_len) == 0,
+	   "Compare data");
+
+	check_db_content(conf, txn, -1);
+}
+
+static void test_conf_db_get(conf_t *conf, knot_db_txn_t *txn)
+{
+	// Get singlevalued item.
+	check_get(conf, txn, C_SERVER, C_RUNDIR, NULL, 0, KNOT_EOK,
+	          (uint8_t *)"a b\0", 4);
+
+	// Get multivalued item.
+	check_get(conf, txn, C_SERVER, C_LISTEN, NULL, 0, KNOT_EOK,
+	          (uint8_t *)"\x00\x01""\0""\x00\x02""a\0""\x00\x02""b\0", 11);
+
+	// Get group id.
+	check_get(conf, txn, C_ZONE, NULL, (uint8_t *)"id", 2, KNOT_EOK,
+	          (uint8_t *)"", 0);
+
+	// Get singlevalued item with id.
+	check_get(conf, txn, C_ZONE, C_FILE, (uint8_t *)"id", 2, KNOT_EOK,
+	          (uint8_t *)"a b\0", 4);
+
+	// Get multivalued item with id.
+	check_get(conf, txn, C_ZONE, C_MASTER, (uint8_t *)"id", 2, KNOT_EOK,
+	          (uint8_t *)"\x00\x01""\0""\x00\x02""a\0""\x00\x02""b\0", 11);
+
+	// ERR get section without item.
+	check_get(conf, txn, C_INCL, NULL, NULL, 0, KNOT_EINVAL, NULL, 0);
+
+	// ERR get invalid section.
+	check_get(conf, txn, C_MASTER, NULL, NULL, 0, KNOT_YP_EINVAL_ITEM,
+	          NULL, 0);
+
+	// ERR get invalid item.
+	check_get(conf, txn, C_SERVER, C_DOMAIN, NULL, 0, KNOT_YP_EINVAL_ITEM,
+	          NULL, 0);
+
+	// ERR get singlevalued item with non-existing id.
+	check_get(conf, txn, C_ZONE, C_FILE, (uint8_t *)"idx", 3, KNOT_YP_EINVAL_ID,
+	          NULL, 0);
+}
+
+static void check_unset(
+	conf_t *conf,
+	knot_db_txn_t *txn,
+	const yp_name_t *key0,
+	const yp_name_t *key1,
+	const uint8_t *id,
+	size_t id_len,
+	int ret,
+	const uint8_t *data,
+	size_t data_len,
+	const uint8_t *exp_data,
+	size_t exp_data_len)
+{
+	ok(conf_db_unset(conf, txn, key0, key1, id, id_len, data, data_len, false) == ret,
+	   "Check unset return");
+
+	if (ret != KNOT_EOK) {
+		return;
+	}
+
+	uint8_t section_code, item_code;
+	ok(db_code(conf, txn, KEY0_ROOT, key0, DB_GET, &section_code) == KNOT_EOK,
+	   "Get DB section code");
+	if (key1 != NULL) {
+		ok(db_code(conf, txn, section_code, key1, DB_GET, &item_code) == KNOT_EOK,
+		   "Get DB item code");
+	} else {
+		item_code = KEY1_ID;
+	}
+
+	uint8_t k[64] = { section_code, item_code };
+	if (id != NULL) {
+		memcpy(k + 2, id, id_len);
+	}
+	knot_db_val_t key = { .data = k, .len = 2 + id_len };
+	knot_db_val_t val;
+
+	ret = conf->api->find(txn, &key, &val, 0);
+	if (exp_data != NULL) {
+		is_int(KNOT_EOK, ret, "Get deleted data");
+		ok(val.len == exp_data_len, "Compare data length");
+		ok(memcmp(val.data, exp_data, exp_data_len) == 0, "Compare data");
+	} else {
+		is_int(KNOT_ENOENT, ret, "Get deleted data");
+	}
+
+	check_db_content(conf, txn, -1);
+}
+
+static void check_unset_key(
+	conf_t *conf,
+	knot_db_txn_t *txn,
+	const yp_name_t *key0,
+	const yp_name_t *key1,
+	const uint8_t *id,
+	size_t id_len,
+	int ret)
+{
+	ok(conf_db_unset(conf, txn, key0, key1, id, id_len, NULL, 0, true) == ret,
+	   "Check unset return");
+
+	if (ret != KNOT_EOK) {
+		return;
+	}
+
+	uint8_t section_code, item_code;
+	ret = db_code(conf, txn, KEY0_ROOT, key0, DB_GET, &section_code);
+	if (key1 == NULL && id_len == 0) {
+		is_int(KNOT_ENOENT, ret, "Get DB section code");
+	} else {
+		is_int(KNOT_EOK, ret, "Get DB section code");
+		ret = db_code(conf, txn, section_code, key1, DB_GET, &item_code);
+		is_int(KNOT_ENOENT, ret, "Get DB item code");
+	}
+
+	check_db_content(conf, txn, -1);
+}
+
+static void test_conf_db_unset(conf_t *conf, knot_db_txn_t *txn)
+{
+	// ERR unset section without item.
+	check_unset(conf, txn, C_INCL, NULL, NULL, 0, KNOT_ENOENT,
+	            NULL, 0, NULL, 0);
+
+	// ERR unset invalid section.
+	check_unset(conf, txn, C_MASTER, NULL, NULL, 0, KNOT_YP_EINVAL_ITEM,
+	            NULL, 0, NULL, 0);
+
+	// ERR unset invalid item.
+	check_unset(conf, txn, C_SERVER, C_DOMAIN, NULL, 0, KNOT_YP_EINVAL_ITEM,
+	            NULL, 0, NULL, 0);
+
+	// ERR unset singlevalued item with non-existing id.
+	check_unset(conf, txn, C_ZONE, C_FILE, (uint8_t *)"idx", 3, KNOT_YP_EINVAL_ID,
+	            NULL, 0, NULL, 0);
+
+	// ERR unset singlevalued item invalid value.
+	check_unset(conf, txn, C_SERVER, C_RUNDIR, NULL, 0, KNOT_ENOENT,
+	            (uint8_t *)"x\0", 2, NULL, 0);
+
+	// Unset singlevalued item data.
+	check_unset(conf, txn, C_SERVER, C_RUNDIR, NULL, 0, KNOT_EOK,
+	            (uint8_t *)"a b\0", 4, NULL, 0);
+	// Unset item.
+	check_unset_key(conf, txn, C_SERVER, C_RUNDIR, NULL, 0, KNOT_EOK);
+
+	// Unset multivalued item.
+	check_unset(conf, txn, C_SERVER, C_LISTEN, NULL, 0, KNOT_EOK,
+	            (uint8_t *)"a", 2, (uint8_t *)"\x00\x01""\0""\x00\x02""b\0", 7);
+	check_unset(conf, txn, C_SERVER, C_LISTEN, NULL, 0, KNOT_EOK,
+	            (uint8_t *)"", 1, (uint8_t *)"\x00\x02""b\0", 4);
+	check_unset(conf, txn, C_SERVER, C_LISTEN, NULL, 0, KNOT_EOK,
+	            (uint8_t *)"b", 2, NULL, 0);
+	// Unset item.
+	check_unset_key(conf, txn, C_SERVER, C_LISTEN, NULL, 0, KNOT_EOK);
+	// Unset section.
+	check_unset_key(conf, txn, C_SERVER, NULL, NULL, 0, KNOT_EOK);
+
+	// Unset singlevalued item with id - all data at one step.
+	check_unset(conf, txn, C_ZONE, C_FILE, (uint8_t *)"id", 2, KNOT_EOK,
+	            NULL, 0, NULL, 0);
+
+	// Unset multivalued item with id - all data at one step (non-null data!).
+	check_unset(conf, txn, C_ZONE, C_MASTER, (uint8_t *)"id", 2, KNOT_EOK,
+	          NULL + 1, 0, NULL, 0);
+
+	// Unset group id.
+	check_unset(conf, txn, C_ZONE, NULL, (uint8_t *)"id", 2, KNOT_EOK,
+	            NULL, 0, NULL, 0);
+}
+
+static void test_conf_db_iter(conf_t *conf, knot_db_txn_t *txn)
+{
+	const size_t total = 4;
+	char names[][10] = { "alfa", "beta", "delta", "epsilon" };
+
+	// Prepare identifiers to iterate through.
+	for (size_t i = 0; i < total; i++) {
+		check_set(conf, txn, C_RMT, NULL, (uint8_t *)names[i],
+		          strlen(names[i]), KNOT_EOK, NULL, 0, (uint8_t *)"", 0);
+	}
+
+	// Create section iterator.
+	conf_iter_t iter;
+	int ret = conf_db_iter_begin(conf, txn, C_RMT, &iter);
+	is_int(KNOT_EOK, ret, "Create iterator");
+
+	// Iterate through the section.
+	size_t count = 0;
+	while (ret == KNOT_EOK) {
+		const uint8_t *id;
+		size_t id_len;
+		id = NULL, id_len = 0; // prevents Wuninitialized
+		ret = conf_db_iter_id(conf, &iter, &id, &id_len);
+		is_int(KNOT_EOK, ret, "Get iteration id");
+		ok(id_len == strlen(names[count]), "Compare iteration id length");
+		ok(memcmp(id, names[count], id_len) == 0, "Compare iteration id");
+
+		ok(conf_db_iter_del(conf, &iter) == KNOT_EOK, "Delete iteration key");
+
+		count++;
+		ret = conf_db_iter_next(conf, &iter);
+	}
+	is_int(KNOT_EOF, ret, "Finished iteration");
+	ok(count == total, "Check iteration count");
+
+	// Check empty section.
+	ret = conf_db_iter_begin(conf, txn, C_RMT, &iter);
+	is_int(KNOT_ENOENT, ret, "Create iterator");
+
+	// ERR non-iterable section.
+	ok(conf_db_iter_begin(conf, txn, C_SERVER, &iter) == KNOT_ENOTSUP, "Create iterator");
+
+	// ERR empty section.
+	ok(conf_db_iter_begin(conf, txn, C_ZONE, &iter) == KNOT_ENOENT, "Create iterator");
+
+	// ERR section with no code.
+	ok(conf_db_iter_begin(conf, txn, C_LOG, &iter) == KNOT_ENOENT, "Create iterator");
+}
+
+int main(int argc, char *argv[])
+{
+	plan_lazy();
+
+	ok(test_conf("", NULL) == KNOT_EOK, "Prepare configuration");
+	check_db_content(conf(), &conf()->read_txn, 0);
+
+	knot_db_txn_t txn;
+	ok(conf()->api->txn_begin(conf()->db, &txn, 0) == KNOT_EOK, "Begin transaction");
+
+	diag("db_code");
+	test_db_code(conf(), &txn);
+
+	conf()->api->txn_abort(&txn);
+
+	ok(conf()->api->txn_begin(conf()->db, &txn, 0) == KNOT_EOK, "Begin transaction");
+
+	diag("conf_db_set");
+	test_conf_db_set(conf(), &txn);
+
+	diag("conf_db_get");
+	test_conf_db_get(conf(), &txn);
+
+	diag("conf_db_unset");
+	test_conf_db_unset(conf(), &txn);
+
+	conf()->api->txn_abort(&txn);
+
+	ok(conf()->api->txn_begin(conf()->db, &txn, 0) == KNOT_EOK, "Begin transaction");
+
+	diag("conf_db_iter");
+	test_conf_db_iter(conf(), &txn);
+
+	conf()->api->txn_abort(&txn);
+
+	conf_free(conf());
+
+	return 0;
+}
diff --git a/tests/knot/test_confio.c b/tests/knot/test_confio.c
new file mode 100644
index 0000000..f5d3c94
--- /dev/null
+++ b/tests/knot/test_confio.c
@@ -0,0 +1,1100 @@
+/*  Copyright (C) 2022 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <tap/basic.h>
+
+#include "test_conf.h"
+#include "knot/conf/confio.h"
+#include "knot/conf/tools.h"
+#include "libknot/yparser/yptrafo.h"
+#include "contrib/string.h"
+#include "contrib/openbsd/strlcat.h"
+
+#define SKIP_OPENBSD	skip("Nested transactions are not supported on OpenBSD");
+#define OUT_LEN		1024
+#define ZONE1		"zone1"
+#define ZONE2		"zone2"
+#define ZONE3		"zone3"
+
+char *format_key(conf_io_t *io)
+{
+	knot_dname_txt_storage_t id;
+	size_t id_len = sizeof(id);
+
+	// Get the textual item id.
+	if (io->id_len > 0 && !io->id_as_data) {
+		if (yp_item_to_txt(io->key0->var.g.id, io->id, io->id_len, id,
+		                   &id_len, YP_SNOQUOTE) != KNOT_EOK) {
+			return NULL;
+		}
+	}
+
+	// Get the item prefix.
+	const char *prefix = "";
+	switch (io->type) {
+	case NEW: prefix = "+"; break;
+	case OLD: prefix = "-"; break;
+	default: break;
+	}
+
+	// Format the item key.
+	return sprintf_alloc(
+		"%s%.*s%s%.*s%s%s%.*s",
+		prefix, (int)io->key0->name[0], io->key0->name + 1,
+		(io->id_len > 0 && !io->id_as_data ? "[" : ""),
+		(io->id_len > 0 && !io->id_as_data ? (int)id_len : 0), id,
+		(io->id_len > 0 && !io->id_as_data ? "]" : ""),
+		(io->key1 != NULL ? "." : ""),
+		(io->key1 != NULL ? (int)io->key1->name[0] : 0),
+		(io->key1 != NULL ? io->key1->name + 1 : ""));
+}
+
+static int append_data(const yp_item_t *item, const uint8_t *bin, size_t bin_len,
+                       char *out, size_t out_len)
+{
+	char buf[YP_MAX_TXT_DATA_LEN + 1] = "\0";
+	size_t buf_len = sizeof(buf);
+
+	int ret = yp_item_to_txt(item, bin, bin_len, buf, &buf_len, YP_SNONE);
+	if (ret != KNOT_EOK) {
+		return ret;
+	}
+
+	if (strlcat(out, buf, out_len) >= out_len) {
+		return KNOT_ESPACE;
+	}
+
+	return KNOT_EOK;
+}
+
+char *format_data(conf_io_t *io)
+{
+	char out[YP_MAX_TXT_DATA_LEN + 1] = "\0";
+
+	// Return the item identifier as the item data.
+	if (io->id_as_data) {
+		if (append_data(io->key0->var.g.id, io->id, io->id_len, out,
+		                sizeof(out)) != KNOT_EOK) {
+			return NULL;
+		}
+
+		return strdup(out);
+	}
+
+	// Check for no data.
+	if (io->data.val == NULL && io->data.bin == NULL) {
+		return NULL;
+	}
+
+	const yp_item_t *item = (io->key1 != NULL) ? io->key1 : io->key0;
+
+	// Format explicit binary data value.
+	if (io->data.bin != NULL) {
+		if (append_data(item, io->data.bin, io->data.bin_len, out,
+		                sizeof(out)) != KNOT_EOK) {
+			return NULL;
+		}
+	// Format multivalued item data.
+	} else if (item->flags & YP_FMULTI) {
+		size_t values = conf_val_count(io->data.val);
+		for (size_t i = 0; i < values; i++) {
+			// Skip other values if known index (counted from 1).
+			if (io->data.index > 0 &&
+			    io->data.index != i + 1) {
+				conf_val_next(io->data.val);
+				continue;
+			}
+
+			if (i > 0) {
+				if (strlcat(out, " ", sizeof(out)) >= sizeof(out)) {
+					return NULL;
+				}
+			}
+
+			conf_val(io->data.val);
+			if (append_data(item, io->data.val->data, io->data.val->len,
+			                out, sizeof(out)) != KNOT_EOK) {
+				return NULL;
+			}
+
+			conf_val_next(io->data.val);
+		}
+	// Format singlevalued item data.
+	} else {
+		conf_val(io->data.val);
+		if (append_data(item, io->data.val->data, io->data.val->len, out,
+		                sizeof(out)) != KNOT_EOK) {
+			return NULL;
+		}
+	}
+
+	return strdup(out);
+}
+
+static int format_item(conf_io_t *io)
+{
+	char *out = (char *)io->misc;
+
+	// Get the item key and data strings.
+	char *key = format_key(io);
+	char *data = format_data(io);
+
+	// Format the item.
+	char *item = sprintf_alloc(
+		"%s%s%s%s",
+		(*out != '\0' ? "\n" : ""),
+		(key != NULL ? key : ""),
+		(data != NULL ? " = " : ""),
+		(data != NULL ? data : ""));
+	free(key);
+	free(data);
+	if (item == NULL) {
+		return KNOT_ENOMEM;
+	}
+
+	// Append the item.
+	if (strlcat(out, item, OUT_LEN) >= OUT_LEN) {
+		free(item);
+		return KNOT_ESPACE;
+	}
+
+	free(item);
+
+	return KNOT_EOK;
+}
+
+static void test_conf_io_begin(void)
+{
+	ok(conf_io_begin(true) == KNOT_TXN_ENOTEXISTS, "begin child txn with no parent");
+	ok(conf()->io.txn == NULL, "check txn depth");
+
+#if defined(__OpenBSD__)
+	SKIP_OPENBSD
+#else
+	ok(conf_io_begin(false) == KNOT_EOK, "begin parent txn");
+	ok(conf()->io.txn == &(conf()->io.txn_stack[0]), "check txn depth");
+
+	ok(conf_io_begin(false) == KNOT_TXN_EEXISTS, "begin another parent txn");
+	ok(conf()->io.txn == &(conf()->io.txn_stack[0]), "check txn depth");
+
+	for (int i = 1; i < CONF_MAX_TXN_DEPTH; i++) {
+		ok(conf_io_begin(true) == KNOT_EOK, "begin child txn");
+		ok(conf()->io.txn == &(conf()->io.txn_stack[i]), "check txn depth");
+	}
+	ok(conf_io_begin(true) == KNOT_TXN_EEXISTS, "begin another child txn");
+	ok(conf()->io.txn == &(conf()->io.txn_stack[CONF_MAX_TXN_DEPTH - 1]),
+	   "check txn depth");
+
+	conf_io_abort(false);
+	ok(conf()->io.txn == NULL, "check txn depth");
+#endif
+}
+
+static void test_conf_io_abort(void)
+{
+#if defined(__OpenBSD__)
+	SKIP_OPENBSD
+#else
+	// Test child persistence after subchild abort.
+	{
+		char idx[2] = { '0' };
+		ok(conf_io_begin(false) == KNOT_EOK, "begin parent txn");
+		ok(conf_io_set("server", "version", NULL, idx) ==
+		   KNOT_EOK, "set single value '%s'", idx);
+	}
+
+	for (int i = 1; i < CONF_MAX_TXN_DEPTH; i++) {
+		char idx[2] = { '0' + i };
+		ok(conf_io_begin(true) == KNOT_EOK, "begin child txn %s", idx);
+		ok(conf_io_set("server", "version", NULL, idx) ==
+		   KNOT_EOK, "set single value '%s'", idx);
+	}
+
+	for (int i = CONF_MAX_TXN_DEPTH - 1; i > 0; i--) {
+		char idx[2] = { '0' + i };
+		conf_io_abort(true);
+		conf_val_t val = conf_get_txn(conf(), conf()->io.txn, C_SERVER, C_VERSION);
+		ok(val.code == KNOT_EOK, "check entry");
+		const char *data = conf_str(&val);
+		ok(*data == (idx[0] - 1), "compare txn data '%s'", data);
+	}
+
+	conf_io_abort(false);
+	ok(conf()->io.txn == NULL, "check txn depth");
+
+	// Test child abort with committed subchild.
+	ok(conf_io_begin(false) == KNOT_EOK, "begin new parent txn");
+	ok(conf_io_begin(true) == KNOT_EOK, "begin child txn");
+	ok(conf_io_begin(true) == KNOT_EOK, "begin subchild txn");
+	ok(conf_io_set("server", "version", NULL, "text") ==
+	   KNOT_EOK, "set single value");
+	ok(conf_io_commit(true) == KNOT_EOK, "commit subchild txn");
+	conf_val_t val = conf_get_txn(conf(), conf()->io.txn, C_SERVER, C_VERSION);
+	ok(val.code == KNOT_EOK, "check entry");
+	const char *data = conf_str(&val);
+	ok(strcmp(data, "text") == 0, "compare subchild txn data '%s'", data);
+	conf_io_abort(true);
+	val = conf_get_txn(conf(), conf()->io.txn, C_SERVER, C_VERSION);
+	ok(val.code == KNOT_ENOENT, "check entry");
+	conf_io_abort(false);
+
+	// Test unchanged read_txn.
+	val = conf_get_txn(conf(), &conf()->read_txn, C_SERVER, C_VERSION);
+	ok(val.code == KNOT_ENOENT, "check entry");
+#endif
+}
+
+static void test_conf_io_commit(void)
+{
+	ok(conf_io_commit(false) == KNOT_TXN_ENOTEXISTS, "commit no txt txn");
+	ok(conf_io_commit(true) == KNOT_TXN_ENOTEXISTS, "commit no txt txn");
+
+#if defined(__OpenBSD__)
+	SKIP_OPENBSD
+#else
+	// Test subchild persistence after commit.
+	{
+		char idx[2] = { '0' };
+		ok(conf_io_begin(false) == KNOT_EOK, "begin parent txn");
+		ok(conf_io_set("server", "version", NULL, idx) ==
+		   KNOT_EOK, "set single value '%s'", idx);
+	}
+
+	for (int i = 1; i < CONF_MAX_TXN_DEPTH; i++) {
+		char idx[2] = { '0' + i };
+		ok(conf_io_begin(true) == KNOT_EOK, "begin child txn %s", idx);
+		ok(conf_io_set("server", "version", NULL, idx) ==
+		   KNOT_EOK, "set single value '%s'", idx);
+	}
+
+	for (int i = CONF_MAX_TXN_DEPTH - 1; i > 0; i--) {
+		char idx[2] = { '0' + i };
+		ok(conf_io_commit(true) == KNOT_EOK, "commit child txn %s", idx);
+		conf_val_t val = conf_get_txn(conf(), conf()->io.txn, C_SERVER, C_VERSION);
+		ok(val.code == KNOT_EOK, "check entry");
+		const char *data = conf_str(&val);
+		ok(*data == ('0' + CONF_MAX_TXN_DEPTH - 1), "compare txn data '%s'", data);
+	}
+
+	ok(conf_io_commit(false) == KNOT_EOK, "commit parent txn");
+	ok(conf()->io.txn == NULL, "check txn depth");
+
+	// Test child persistence after parent commit.
+	ok(conf_io_begin(false) == KNOT_EOK, "begin new parent txn");
+	conf_val_t val = conf_get_txn(conf(), conf()->io.txn, C_SERVER, C_VERSION);
+	ok(val.code == KNOT_EOK, "check entry");
+	char idx[2] = { '0' + CONF_MAX_TXN_DEPTH - 1 };
+	const char *data = conf_str(&val);
+	ok(strcmp(data, idx) == 0, "compare final data '%s'", data);
+	conf_io_abort(false);
+
+	// Test unchanged read_txn.
+	val = conf_get_txn(conf(), &conf()->read_txn, C_SERVER, C_VERSION);
+	ok(val.code == KNOT_ENOENT, "check entry");
+#endif
+}
+
+static void test_conf_io_check(void)
+{
+	conf_io_t io = { NULL };
+
+	// ERR no txn.
+	ok(conf_io_check(&io) ==
+	   KNOT_TXN_ENOTEXISTS, "check without active txn");
+
+	ok(conf_io_begin(false) == KNOT_EOK, "begin txn");
+
+	// Section check.
+	ok(conf_io_set("remote", "id", NULL, "remote1") ==
+	   KNOT_EOK, "set remote id");
+	ok(conf_io_check(&io) ==
+	   KNOT_EINVAL, "check missing remote address");
+	ok(io.error.code == KNOT_EINVAL, "compare error code");
+
+	ok(conf_io_set("remote", "address", "remote1", "1.1.1.1") ==
+	   KNOT_EOK, "set remote address");
+	ok(conf_io_check(&io) ==
+	   KNOT_EOK, "check remote address");
+	ok(io.error.code == KNOT_EOK, "compare error code");
+
+	// Item check.
+	ok(conf_io_set("zone", "domain", NULL, ZONE1) ==
+	   KNOT_EOK, "set zone domain "ZONE1);
+	ok(conf_io_set("zone", "master", ZONE1, "remote1") ==
+	   KNOT_EOK, "set zone master");
+
+	ok(conf_io_check(&io) ==
+	   KNOT_EOK, "check all");
+
+	ok(conf_io_unset("remote", NULL, NULL, NULL) ==
+	   KNOT_EOK, "unset remotes");
+
+	ok(conf_io_check(&io) ==
+	   KNOT_ENOENT, "check missing master remote");
+	ok(io.error.code == KNOT_ENOENT, "compare error code");
+
+	conf_io_abort(false);
+}
+
+static void test_conf_io_set(void)
+{
+	// ERR no txn.
+	ok(conf_io_set("server", "version", NULL, "text") ==
+	   KNOT_TXN_ENOTEXISTS, "set without active txn");
+
+	ok(conf_io_begin(false) == KNOT_EOK, "begin txn");
+
+	// ERR.
+	ok(conf_io_set(NULL, NULL, NULL, NULL) ==
+	   KNOT_EINVAL, "set NULL key0");
+	ok(conf_io_set("", NULL, NULL, NULL) ==
+	   KNOT_YP_EINVAL_ITEM, "set empty key0");
+	ok(conf_io_set("unknown", NULL, NULL, NULL) ==
+	   KNOT_YP_EINVAL_ITEM, "set unknown key0");
+	ok(conf_io_set("server", "unknown", NULL, NULL) ==
+	   KNOT_YP_EINVAL_ITEM, "set unknown key1");
+	ok(conf_io_set("include", NULL, NULL, NULL) ==
+	   KNOT_YP_ENODATA, "set non-group without data");
+	ok(conf_io_set("server", "background-workers", NULL, "x") ==
+	   KNOT_EINVAL, "set invalid data");
+
+	// ERR callback
+	ok(conf_io_set("include", NULL, NULL, "invalid") ==
+	   KNOT_EFILE, "set invalid callback value");
+
+	// Single group, no item, no value.
+	ok(conf_io_set("server", NULL, NULL, NULL) ==
+	   KNOT_ENOTSUP, "set group no value");
+	// Single group, no item, value.
+	ok(conf_io_set("server", NULL, NULL, "text") ==
+	   KNOT_YP_ENOTSUP_DATA, "set group value");
+	// Single group, item, no value.
+	ok(conf_io_set("server", "version", NULL, NULL) ==
+	   KNOT_YP_ENODATA, "set group item no value");
+
+	// Single group, single value.
+	ok(conf_io_set("server", "version", NULL, "text") ==
+	   KNOT_EOK, "set single value");
+	conf_val_t val = conf_get_txn(conf(), conf()->io.txn, C_SERVER, C_VERSION);
+	ok(val.code == KNOT_EOK, "check entry");
+	ok(strcmp(conf_str(&val), "text") == 0, "check entry value");
+
+	// Single group, multi value.
+	ok(conf_io_set("server", "listen", NULL, "1.1.1.1") ==
+	   KNOT_EOK, "set multivalue 1");
+	ok(conf_io_set("server", "listen", NULL, "1.1.1.2") ==
+	   KNOT_EOK, "set multivalue 2");
+	val = conf_get_txn(conf(), conf()->io.txn, C_SERVER, C_LISTEN);
+	ok(val.code == KNOT_EOK, "check entry");
+	ok(conf_val_count(&val) == 2, "check entry value count");
+
+	// Prepare dnames.
+	knot_dname_t *zone1 = knot_dname_from_str_alloc(ZONE1);
+	ok(zone1 != NULL, "create dname "ZONE1);
+	knot_dname_t *zone2 = knot_dname_from_str_alloc(ZONE2);
+	ok(zone2 != NULL, "create dname "ZONE2);
+	knot_dname_t *zone3 = knot_dname_from_str_alloc(ZONE3);
+	ok(zone3 != NULL, "create dname "ZONE3);
+
+	// Multi group no id.
+	ok(conf_io_set("zone", "domain", NULL, NULL) ==
+	   KNOT_YP_ENOID, "set zone empty domain");
+
+	// Multi group ids.
+	ok(conf_io_set("zone", "domain", NULL, ZONE1) ==
+	   KNOT_EOK, "set zone domain "ZONE1);
+	ok(conf_io_set("zone", NULL, ZONE2, NULL) ==
+	   KNOT_EOK, "set zone domain "ZONE2);
+
+	// Multi group, single value.
+	ok(conf_io_set("zone", "file", ZONE1, "name") ==
+	   KNOT_EOK, "set zone file");
+	val = conf_zone_get_txn(conf(), conf()->io.txn, C_FILE, zone1);
+	ok(val.code == KNOT_EOK, "check entry");
+	ok(strcmp(conf_str(&val), "name") == 0, "check entry value");
+
+	// Multi group, single value, bad id.
+	ok(conf_io_set("zone", "file", ZONE3, "name") ==
+	   KNOT_YP_EINVAL_ID, "set zone file");
+
+	// Multi group, single value, all ids.
+	ok(conf_io_set("zone", "comment", NULL, "abc") ==
+	   KNOT_EOK, "set zones comment");
+	val = conf_zone_get_txn(conf(), conf()->io.txn, C_COMMENT, zone1);
+	ok(val.code == KNOT_EOK, "check entry");
+	ok(strcmp(conf_str(&val), "abc") == 0, "check entry value");
+	val = conf_zone_get_txn(conf(), conf()->io.txn, C_COMMENT, zone2);
+	ok(val.code == KNOT_EOK, "check entry");
+	ok(strcmp(conf_str(&val), "abc") == 0, "check entry value");
+
+	// Prepare different comment.
+	ok(conf_io_set("zone", "domain", NULL, ZONE3) ==
+	   KNOT_EOK, "set zone domain "ZONE3);
+	ok(conf_io_set("zone", "comment", ZONE3, "xyz") ==
+	   KNOT_EOK, "set zone comment");
+	val = conf_zone_get_txn(conf(), conf()->io.txn, C_COMMENT, zone3);
+	ok(val.code == KNOT_EOK, "check entry");
+	ok(strcmp(conf_str(&val), "xyz") == 0, "check entry value");
+
+	knot_dname_free(zone1, NULL);
+	knot_dname_free(zone2, NULL);
+	knot_dname_free(zone3, NULL);
+
+	ok(conf_io_commit(false) == KNOT_EOK, "commit txn");
+
+	// Update read-only transaction.
+	ok(conf_refresh_txn(conf()) == KNOT_EOK, "update read-only txn");
+}
+
+static void test_conf_io_unset(void)
+{
+	// ERR no txn.
+	ok(conf_io_unset("server", "version", NULL, "text") ==
+	   KNOT_TXN_ENOTEXISTS, "unset without active txn");
+
+	ok(conf_io_begin(false) == KNOT_EOK, "begin txn");
+
+	// ERR.
+	ok(conf_io_unset("", NULL, NULL, NULL) ==
+	   KNOT_YP_EINVAL_ITEM, "unset unknown key0");
+	ok(conf_io_unset("unknown", NULL, NULL, NULL) ==
+	   KNOT_YP_EINVAL_ITEM, "unset unknown key0");
+	ok(conf_io_unset("server", "unknown", NULL, NULL) ==
+	   KNOT_YP_EINVAL_ITEM, "unset unknown key1");
+	ok(conf_io_unset("include", NULL, NULL, "file") ==
+	   KNOT_ENOTSUP, "unset non-group item");
+	ok(conf_io_unset("server", "background-workers", NULL, "x") ==
+	   KNOT_EINVAL, "unset invalid data");
+
+	// Single group, single value.
+	ok(conf_io_unset("server", "version", NULL, "") ==
+	   KNOT_ENOENT, "unset zero length text value");
+	conf_val_t val = conf_get_txn(conf(), conf()->io.txn, C_SERVER, C_VERSION);
+	ok(val.code == KNOT_EOK, "check entry");
+
+	ok(conf_io_unset("server", "version", NULL, "bad text") ==
+	   KNOT_ENOENT, "unset bad value");
+	val = conf_get_txn(conf(), conf()->io.txn, C_SERVER, C_VERSION);
+	ok(val.code == KNOT_EOK, "check entry");
+
+	ok(conf_io_unset("server", "version", NULL, "text") ==
+	   KNOT_EOK, "unset explicit value");
+	val = conf_get_txn(conf(), conf()->io.txn, C_SERVER, C_VERSION);
+	ok(val.code == KNOT_ENOENT, "check entry");
+
+	// Restart transaction.
+	conf_io_abort(false);
+	ok(conf_io_begin(false) == KNOT_EOK, "restart txn");
+
+	ok(conf_io_unset("server", "version", NULL, NULL) ==
+	   KNOT_EOK, "unset value");
+	val = conf_get_txn(conf(), conf()->io.txn, C_SERVER, C_VERSION);
+	ok(val.code == KNOT_ENOENT, "check entry");
+
+	// Single group, multi value.
+	ok(conf_io_unset("server", "listen", NULL, "9.9.9.9") ==
+	   KNOT_ENOENT, "unset bad value");
+	val = conf_get_txn(conf(), conf()->io.txn, C_SERVER, C_LISTEN);
+	ok(val.code == KNOT_EOK, "check entry");
+
+	ok(conf_io_unset("server", "listen", NULL, "1.1.1.1") ==
+	   KNOT_EOK, "unset explicit value");
+	val = conf_get_txn(conf(), conf()->io.txn, C_SERVER, C_LISTEN);
+	ok(val.code == KNOT_EOK, "check entry");
+	ok(conf_val_count(&val) == 1, "check entry value count");
+
+	ok(conf_io_unset("server", "listen", NULL, NULL) ==
+	   KNOT_EOK, "unset value");
+	val = conf_get_txn(conf(), conf()->io.txn, C_SERVER, C_LISTEN);
+	ok(val.code == KNOT_ENOENT, "check entry");
+
+	// Restart transaction.
+	conf_io_abort(false);
+	ok(conf_io_begin(false) == KNOT_EOK, "restart txn");
+
+	// Whole section items.
+	ok(conf_io_unset("server", NULL, NULL, NULL) ==
+	   KNOT_EOK, "unset section");
+	val = conf_get_txn(conf(), conf()->io.txn, C_SERVER, C_VERSION);
+	ok(val.code == KNOT_ENOENT, "check entry");
+	val = conf_get_txn(conf(), conf()->io.txn, C_SERVER, C_LISTEN);
+	ok(val.code == KNOT_ENOENT, "check entry");
+
+	// Restart transaction.
+	conf_io_abort(false);
+	ok(conf_io_begin(false) == KNOT_EOK, "restart txn");
+
+	// Prepare dnames.
+	knot_dname_t *zone1 = knot_dname_from_str_alloc(ZONE1);
+	ok(zone1 != NULL, "create dname "ZONE1);
+	knot_dname_t *zone2 = knot_dname_from_str_alloc(ZONE2);
+	ok(zone2 != NULL, "create dname "ZONE2);
+	knot_dname_t *zone3 = knot_dname_from_str_alloc(ZONE3);
+	ok(zone3 != NULL, "create dname "ZONE3);
+
+	// Multi group, single value.
+	ok(conf_io_unset("zone", "file", ZONE1, "name") ==
+	   KNOT_EOK, "unset zone file");
+	val = conf_zone_get_txn(conf(), conf()->io.txn, C_FILE, zone1);
+	ok(val.code == KNOT_YP_EINVAL_ID, "check entry");
+
+	// Multi group, single bad value, all ids.
+	ok(conf_io_unset("zone", "comment", NULL, "other") ==
+	   KNOT_EOK, "unset zones comment");
+	val = conf_zone_get_txn(conf(), conf()->io.txn, C_COMMENT, zone1);
+	ok(val.code == KNOT_EOK, "check entry");
+	val = conf_zone_get_txn(conf(), conf()->io.txn, C_COMMENT, zone2);
+	ok(val.code == KNOT_EOK, "check entry");
+	val = conf_zone_get_txn(conf(), conf()->io.txn, C_COMMENT, zone3);
+	ok(val.code == KNOT_EOK, "check entry");
+
+	// Restart transaction.
+	conf_io_abort(false);
+	ok(conf_io_begin(false) == KNOT_EOK, "restart txn");
+
+	// Multi group, single value (not all match), all ids.
+	ok(conf_io_unset("zone", "comment", NULL, "abc") ==
+	   KNOT_EOK, "unset some zones comment");
+	val = conf_zone_get_txn(conf(), conf()->io.txn, C_COMMENT, zone1);
+	ok(val.code == KNOT_YP_EINVAL_ID, "check entry");
+	val = conf_zone_get_txn(conf(), conf()->io.txn, C_COMMENT, zone2);
+	ok(val.code == KNOT_YP_EINVAL_ID, "check entry");
+	val = conf_zone_get_txn(conf(), conf()->io.txn, C_COMMENT, zone3);
+	ok(val.code == KNOT_EOK, "check entry");
+
+	// Restart transaction.
+	conf_io_abort(false);
+	ok(conf_io_begin(false) == KNOT_EOK, "restart txn");
+
+	// Multi group, single value (all match), all ids.
+	ok(conf_io_unset("zone", "comment", NULL, NULL) ==
+	   KNOT_EOK, "unset all zones comment");
+	val = conf_zone_get_txn(conf(), conf()->io.txn, C_COMMENT, zone1);
+	ok(val.code == KNOT_YP_EINVAL_ID, "check entry");
+	val = conf_zone_get_txn(conf(), conf()->io.txn, C_COMMENT, zone2);
+	ok(val.code == KNOT_YP_EINVAL_ID, "check entry");
+	val = conf_zone_get_txn(conf(), conf()->io.txn, C_COMMENT, zone3);
+	ok(val.code == KNOT_YP_EINVAL_ID, "check entry");
+
+	// Restart transaction.
+	conf_io_abort(false);
+	ok(conf_io_begin(false) == KNOT_EOK, "restart txn");
+
+	// Multi group, all items, specific id.
+	ok(conf_io_unset("zone", NULL, ZONE1, NULL) ==
+	   KNOT_EOK, "unset zone items");
+	val = conf_zone_get_txn(conf(), conf()->io.txn, C_FILE, zone1);
+	ok(val.code == KNOT_YP_EINVAL_ID, "check entry");
+	val = conf_zone_get_txn(conf(), conf()->io.txn, C_COMMENT, zone1);
+	ok(val.code == KNOT_YP_EINVAL_ID, "check entry");
+	val = conf_zone_get_txn(conf(), conf()->io.txn, C_COMMENT, zone2);
+	ok(val.code == KNOT_EOK, "check entry");
+
+	// Restart transaction.
+	conf_io_abort(false);
+	ok(conf_io_begin(false) == KNOT_EOK, "restart txn");
+
+	// Multi group, all items, all ids.
+	ok(conf_io_unset("zone", NULL, NULL, NULL) ==
+	   KNOT_EOK, "unset zone items");
+	val = conf_zone_get_txn(conf(), conf()->io.txn, C_FILE, zone1);
+	ok(val.code == KNOT_YP_EINVAL_ID, "check entry");
+	val = conf_zone_get_txn(conf(), conf()->io.txn, C_COMMENT, zone1);
+	ok(val.code == KNOT_YP_EINVAL_ID, "check entry");
+	val = conf_zone_get_txn(conf(), conf()->io.txn, C_COMMENT, zone2);
+	ok(val.code == KNOT_YP_EINVAL_ID, "check entry");
+
+	// Restart transaction.
+	conf_io_abort(false);
+	ok(conf_io_begin(false) == KNOT_EOK, "restart txn");
+
+	// All groups.
+	ok(conf_io_unset(NULL, NULL, NULL, NULL) ==
+	   KNOT_EOK, "unset all");
+	val = conf_get_txn(conf(), conf()->io.txn, C_SERVER, C_VERSION);
+	ok(val.code == KNOT_ENOENT, "check entry");
+	val = conf_get_txn(conf(), conf()->io.txn, C_SERVER, C_LISTEN);
+	ok(val.code == KNOT_ENOENT, "check entry");
+	val = conf_zone_get_txn(conf(), conf()->io.txn, C_FILE, zone1);
+	ok(val.code == KNOT_YP_EINVAL_ID, "check entry");
+	val = conf_zone_get_txn(conf(), conf()->io.txn, C_COMMENT, zone1);
+	ok(val.code == KNOT_YP_EINVAL_ID, "check entry");
+	val = conf_zone_get_txn(conf(), conf()->io.txn, C_COMMENT, zone2);
+	ok(val.code == KNOT_YP_EINVAL_ID, "check entry");
+
+	knot_dname_free(zone1, NULL);
+	knot_dname_free(zone2, NULL);
+	knot_dname_free(zone3, NULL);
+
+	conf_io_abort(false);
+}
+
+static void test_conf_io_get(void)
+{
+	const char *ref;
+	char out[OUT_LEN];
+
+	conf_io_t io = {
+		.fcn = format_item,
+		.misc = out
+	};
+
+	// ERR no txn.
+	ok(conf_io_get("server", "version", NULL, false, &io) ==
+	   KNOT_TXN_ENOTEXISTS, "get without active txn");
+
+	// Get current, no active txn.
+	*out = '\0';
+	ok(conf_io_get("server", "version", NULL, true, &io) ==
+	   KNOT_EOK, "get current without active txn");
+	ref = "server.version = \"text\"";
+	ok(strcmp(ref, out) == 0, "compare result");
+
+	ok(conf_io_begin(false) == KNOT_EOK, "begin txn");
+
+	// ERR.
+	ok(conf_io_get("", NULL, NULL, true, &io) ==
+	   KNOT_YP_EINVAL_ITEM, "get empty key0");
+	ok(conf_io_get("unknown", NULL, NULL, true, &io) ==
+	   KNOT_YP_EINVAL_ITEM, "get unknown key0");
+	ok(conf_io_get("server", "unknown", NULL, true, &io) ==
+	   KNOT_YP_EINVAL_ITEM, "get unknown key1");
+	ok(conf_io_get("include", NULL, NULL, true, &io) ==
+	   KNOT_ENOTSUP, "get non-group item");
+
+	// Update item in the active txn.
+	ok(conf_io_set("server", "version", NULL, "new text") ==
+	   KNOT_EOK, "set single value");
+
+	// Get new, active txn.
+	*out = '\0';
+	ok(conf_io_get("server", "version", NULL, false, &io) ==
+	   KNOT_EOK, "get with active txn");
+	ref = "server.version = \"new text\"";
+	ok(strcmp(ref, out) == 0, "compare result");
+
+	// Get current, active txn.
+	*out = '\0';
+	ok(conf_io_get("server", "version", NULL, true, &io) ==
+	   KNOT_EOK, "get with active txn");
+	ref = "server.version = \"text\"";
+	ok(strcmp(ref, out) == 0, "compare result");
+
+	// Multi value.
+	*out = '\0';
+	ok(conf_io_get("server", "listen", NULL, true, &io) ==
+	   KNOT_EOK, "get with active txn");
+	ref = "server.listen = \"1.1.1.1\" \"1.1.1.2\"";
+	ok(strcmp(ref, out) == 0, "compare result");
+
+	// Single group.
+	*out = '\0';
+	ok(conf_io_get("server", NULL, NULL, true, &io) ==
+	   KNOT_EOK, "get with active txn");
+	ref = "server.version = \"text\"\n"
+	      "server.listen = \"1.1.1.1\" \"1.1.1.2\"";
+	ok(strcmp(ref, out) == 0, "compare result");
+
+	// Prepare dnames.
+	knot_dname_t *zone1 = knot_dname_from_str_alloc(ZONE1);
+	ok(zone1 != NULL, "create dname "ZONE1);
+
+	// Multi group, all values, all ids.
+	*out = '\0';
+	ok(conf_io_get("zone", NULL, NULL, true, &io) ==
+	   KNOT_EOK, "get with active txn");
+	ref = "zone.domain = \"zone1.\"\n"
+	      "zone[zone1.].file = \"name\"\n"
+	      "zone[zone1.].comment = \"abc\"\n"
+	      "zone.domain = \"zone2.\"\n"
+	      "zone[zone2.].comment = \"abc\"\n"
+	      "zone.domain = \"zone3.\"\n"
+	      "zone[zone3.].comment = \"xyz\"";
+	ok(strcmp(ref, out) == 0, "compare result");
+
+	// Multi group ids.
+	*out = '\0';
+	ok(conf_io_get("zone", "domain", NULL, true, &io) ==
+	   KNOT_EOK, "get with active txn");
+	ref = "zone.domain = \"zone1.\"\n"
+	      "zone.domain = \"zone2.\"\n"
+	      "zone.domain = \"zone3.\"";
+	ok(strcmp(ref, out) == 0, "compare result");
+
+	// Multi group, all values, single id.
+	*out = '\0';
+	ok(conf_io_get("zone", NULL, ZONE1, true, &io) ==
+	   KNOT_EOK, "get with active txn");
+	ref = "zone.domain = \"zone1.\"\n"
+	      "zone[zone1.].file = \"name\"\n"
+	      "zone[zone1.].comment = \"abc\"";
+	ok(strcmp(ref, out) == 0, "compare result");
+
+	// Multi group, single value, single id.
+	*out = '\0';
+	ok(conf_io_get("zone", "file", ZONE1, true, &io) ==
+	   KNOT_EOK, "get with active txn");
+	ref = "zone[zone1.].file = \"name\"";
+	ok(strcmp(ref, out) == 0, "compare result");
+
+	// All groups.
+	*out = '\0';
+	ok(conf_io_get(NULL, NULL, NULL, true, &io) ==
+	   KNOT_EOK, "get with active txn");
+	ref = "server.version = \"text\"\n"
+	      "server.listen = \"1.1.1.1\" \"1.1.1.2\"\n"
+	      "zone.domain = \"zone1.\"\n"
+	      "zone[zone1.].file = \"name\"\n"
+	      "zone[zone1.].comment = \"abc\"\n"
+	      "zone.domain = \"zone2.\"\n"
+	      "zone[zone2.].comment = \"abc\"\n"
+	      "zone.domain = \"zone3.\"\n"
+	      "zone[zone3.].comment = \"xyz\"";
+	ok(strcmp(ref, out) == 0, "compare result");
+
+	knot_dname_free(zone1, NULL);
+
+	conf_io_abort(false);
+}
+
+static void test_conf_io_diff(void)
+{
+	const char *ref;
+	char out[OUT_LEN];
+
+	conf_io_t io = {
+		.fcn = format_item,
+		.misc = out
+	};
+
+	// ERR no txn.
+	ok(conf_io_diff("server", "version", NULL, &io) ==
+	   KNOT_TXN_ENOTEXISTS, "diff without active txn");
+
+	ok(conf_io_begin(false) == KNOT_EOK, "begin txn");
+
+	// ERR.
+	ok(conf_io_diff("", NULL, NULL, &io) ==
+	   KNOT_YP_EINVAL_ITEM, "diff empty key0");
+	ok(conf_io_diff("unknown", NULL, NULL, &io) ==
+	   KNOT_YP_EINVAL_ITEM, "diff unknown key0");
+	ok(conf_io_diff("server", "unknown", NULL, &io) ==
+	   KNOT_YP_EINVAL_ITEM, "diff unknown key1");
+	ok(conf_io_diff("include", NULL, NULL, &io) ==
+	   KNOT_ENOTSUP, "diff non-group item");
+
+	*out = '\0';
+	ok(conf_io_diff(NULL, NULL, NULL, &io) == KNOT_EOK, "diff no change");
+	ref = "";
+	ok(strcmp(ref, out) == 0, "compare result");
+
+	// Update singlevalued item.
+	ok(conf_io_set("server", "version", NULL, "new text") ==
+	   KNOT_EOK, "set single value");
+
+	*out = '\0';
+	ok(conf_io_diff("server", "version", NULL, &io) == KNOT_EOK, "diff single item");
+	ref = "-server.version = \"text\"\n"
+	      "+server.version = \"new text\"";
+	ok(strcmp(ref, out) == 0, "compare result");
+
+	// Update multivalued item.
+	ok(conf_io_unset("server", "listen", NULL, "1.1.1.1") ==
+	   KNOT_EOK, "unset multivalue");
+	ok(conf_io_set("server", "listen", NULL, "1.1.1.3") ==
+	   KNOT_EOK, "set multivalue");
+
+	*out = '\0';
+	ok(conf_io_diff("server", "listen", NULL, &io) == KNOT_EOK, "diff multi item");
+	ref = "-server.listen = \"1.1.1.1\" \"1.1.1.2\"\n"
+	      "+server.listen = \"1.1.1.2\" \"1.1.1.3\"";
+	ok(strcmp(ref, out) == 0, "compare result");
+
+	// Unset single item.
+	ok(conf_io_unset("zone", "comment", ZONE3, NULL) ==
+	   KNOT_EOK, "unset multivalue");
+
+	*out = '\0';
+	ok(conf_io_diff("zone", NULL, ZONE3, &io) == KNOT_EOK, "diff section");
+	ref = "-zone[zone3.].comment = \"xyz\"";
+	ok(strcmp(ref, out) == 0, "compare result");
+
+	// Unset id.
+	ok(conf_io_unset("zone", NULL, ZONE1, NULL) ==
+	   KNOT_EOK, "unset id");
+	ok(conf_io_unset("zone", NULL, ZONE2, NULL) ==
+	   KNOT_EOK, "unset id");
+
+	*out = '\0';
+	ok(conf_io_diff("zone", NULL, ZONE2, &io) == KNOT_EOK, "diff id section");
+	ref = "-zone.domain = \"zone2.\"\n"
+	      "-zone[zone2.].comment = \"abc\"";
+	ok(strcmp(ref, out) == 0, "compare result");
+
+	*out = '\0';
+	ok(conf_io_diff("zone", "domain", NULL, &io) == KNOT_EOK, "diff id");
+	ref = "-zone.domain = \"zone1.\"\n"
+	      "-zone.domain = \"zone2.\"";
+	ok(strcmp(ref, out) == 0, "compare result");
+
+	*out = '\0';
+	ok(conf_io_diff(NULL, NULL, NULL, &io) == KNOT_EOK, "diff whole change");
+	ref = "-server.version = \"text\"\n"
+	      "+server.version = \"new text\"\n"
+	      "-server.listen = \"1.1.1.1\" \"1.1.1.2\"\n"
+	      "+server.listen = \"1.1.1.2\" \"1.1.1.3\"\n"
+	      "-zone.domain = \"zone1.\"\n"
+	      "-zone[zone1.].file = \"name\"\n"
+	      "-zone[zone1.].comment = \"abc\"\n"
+	      "-zone.domain = \"zone2.\"\n"
+	      "-zone[zone2.].comment = \"abc\"\n"
+	      "-zone[zone3.].comment = \"xyz\"";
+	ok(strcmp(ref, out) == 0, "compare result");
+
+	conf_io_abort(false);
+}
+
+static void test_conf_io_list(void)
+{
+	const char *ref;
+	char out[OUT_LEN];
+
+	conf_io_t io = {
+		.fcn = format_item,
+		.misc = out
+	};
+
+	// ERR.
+	ok(conf_io_list("", NULL, NULL, false, true, &io) ==
+	   KNOT_YP_EINVAL_ITEM, "list empty key0");
+	ok(conf_io_list("unknown", NULL, NULL, false, true, &io) ==
+	   KNOT_YP_EINVAL_ITEM, "list unknown key0");
+	ok(conf_io_list("include", NULL, NULL, false, true, &io) ==
+	   KNOT_EOK, "list non-group item");
+	ok(conf_io_list("template", NULL, NULL, false, false, &io) ==
+	   KNOT_TXN_ENOTEXISTS, "no active txn");
+
+	// Desc schema.
+	*out = '\0';
+	ok(conf_io_list(NULL, NULL, NULL, true, true, &io) ==
+	   KNOT_EOK, "list schema");
+	ref = "server\n"
+	      "xdp\n"
+	      "control\n"
+	      "remote\n"
+	      "template\n"
+	      "zone\n"
+	      "include";
+	ok(strcmp(ref, out) == 0, "compare result");
+
+	// Desc group.
+	*out = '\0';
+	ok(conf_io_list("server", NULL, NULL, true, true, &io) ==
+	   KNOT_EOK, "list group");
+	ref = "server.version\n"
+	      "server.listen\n"
+	      "server.tcp-idle-timeout\n"
+	      "server.tcp-io-timeout\n"
+	      "server.tcp-remote-io-timeout\n"
+	      "server.tcp-max-clients\n"
+	      "server.tcp-reuseport\n"
+	      "server.tcp-fastopen\n"
+	      "server.quic-max-clients\n"
+	      "server.quic-idle-close-timeout\n"
+	      "server.quic-outbuf-max-size\n"
+	      "server.socket-affinity\n"
+	      "server.udp-workers\n"
+	      "server.tcp-workers\n"
+	      "server.background-workers\n"
+	      "server.udp-max-payload\n"
+	      "server.udp-max-payload-ipv4\n"
+	      "server.udp-max-payload-ipv6\n"
+	      "server.edns-client-subnet\n"
+	      "server.answer-rotation\n"
+	      "server.automatic-acl\n"
+	      "server.dbus-event";
+	ok(strcmp(ref, out) == 0, "compare result");
+
+	// List item options.
+	*out = '\0';
+	ok(conf_io_list("zone", "zonefile-load", NULL, true, true, &io) ==
+	   KNOT_EOK, "list item options");
+	ref = "zone.zonefile-load = \"opt1\"\n"
+	      "zone.zonefile-load = \"opt2\"";
+	ok(strcmp(ref, out) == 0, "compare result");
+
+	// List zone identifiers 1.
+	*out = '\0';
+	ok(conf_io_list("zone", NULL, NULL, false, true, &io) ==
+	   KNOT_EOK, "list zone identifiers 1");
+	ref = "zone[zone1.]\n"
+	      "zone[zone2.]\n"
+	      "zone[zone3.]";
+	ok(strcmp(ref, out) == 0, "compare result");
+
+	// List zone identifiers 2.
+	*out = '\0';
+	ok(conf_io_list("zone", "domain", NULL, false, true, &io) ==
+	   KNOT_EOK, "list zone identifiers 2");
+	ref = "zone = \"zone1.\"\n"
+	      "zone = \"zone2.\"\n"
+	      "zone = \"zone3.\"";
+	ok(strcmp(ref, out) == 0, "compare result");
+
+	// List item values.
+	*out = '\0';
+	ok(conf_io_list("server", "listen", NULL, false, true, &io) ==
+	   KNOT_EOK, "list item values");
+	ref = "server.listen = \"1.1.1.1\" \"1.1.1.2\"";
+	ok(strcmp(ref, out) == 0, "compare result");
+
+	// List multi-group item values.
+	*out = '\0';
+	ok(conf_io_list("zone", "file", "zone1", false, true, &io) ==
+	   KNOT_EOK, "list multi-group item values");
+	ref = "zone[zone1.].file = \"name\"";
+	ok(strcmp(ref, out) == 0, "compare result");
+}
+
+static const yp_item_t desc_server[] = {
+	{ C_VERSION,              YP_TSTR,  YP_VNONE },
+	{ C_LISTEN,               YP_TADDR, YP_VNONE, YP_FMULTI },
+	// Required config cache items - assert fix.
+	{ C_TCP_IDLE_TIMEOUT,	  YP_TINT,  YP_VNONE },
+	{ C_TCP_IO_TIMEOUT,	  YP_TINT,  YP_VNONE },
+	{ C_TCP_RMT_IO_TIMEOUT,	  YP_TINT,  YP_VNONE },
+	{ C_TCP_MAX_CLIENTS,	  YP_TINT,  YP_VNONE },
+	{ C_TCP_REUSEPORT,	  YP_TBOOL, YP_VNONE },
+	{ C_TCP_FASTOPEN,	  YP_TBOOL, YP_VNONE },
+	{ C_QUIC_MAX_CLIENTS,	  YP_TINT,  YP_VNONE },
+	{ C_QUIC_IDLE_CLOSE,	  YP_TINT,  YP_VNONE },
+	{ C_QUIC_OUTBUF_MAX_SIZE, YP_TINT,  YP_VNONE },
+	{ C_SOCKET_AFFINITY,	  YP_TBOOL, YP_VNONE },
+	{ C_UDP_WORKERS,	  YP_TINT,  YP_VNONE },
+	{ C_TCP_WORKERS,	  YP_TINT,  YP_VNONE },
+	{ C_BG_WORKERS,		  YP_TINT,  YP_VNONE },
+	{ C_UDP_MAX_PAYLOAD,      YP_TINT,  YP_VNONE },
+	{ C_UDP_MAX_PAYLOAD_IPV4, YP_TINT,  YP_VNONE },
+	{ C_UDP_MAX_PAYLOAD_IPV6, YP_TINT,  YP_VNONE },
+	{ C_ECS,                  YP_TBOOL, YP_VNONE },
+	{ C_ANS_ROTATION,         YP_TBOOL, YP_VNONE },
+	{ C_AUTO_ACL,             YP_TBOOL, YP_VNONE },
+	{ C_DBUS_EVENT,           YP_TOPT,  YP_VNONE },
+	{ NULL }
+};
+
+static const yp_item_t desc_xdp[] = {
+	{ C_UDP,                YP_TBOOL, YP_VNONE },
+	{ C_TCP,                YP_TBOOL, YP_VNONE },
+	{ C_QUIC,               YP_TBOOL,  YP_VNONE },
+	{ C_TCP_MAX_CLIENTS,    YP_TINT,  YP_VNONE },
+	{ C_TCP_INBUF_MAX_SIZE, YP_TINT,  YP_VNONE },
+	{ C_TCP_OUTBUF_MAX_SIZE,YP_TINT,  YP_VNONE },
+	{ C_TCP_IDLE_CLOSE,     YP_TINT,  YP_VNONE },
+	{ C_TCP_IDLE_RESET,     YP_TINT,  YP_VNONE },
+	{ C_TCP_RESEND,         YP_TINT,  YP_VNONE },
+	{ C_ROUTE_CHECK,        YP_TBOOL, YP_VNONE },
+	{ NULL }
+};
+
+static const yp_item_t desc_control[] = {
+	{ C_TIMEOUT, YP_TINT, YP_VNONE },
+	{ NULL }
+};
+
+static const yp_item_t desc_remote[] = {
+	{ C_ID,   YP_TSTR,  YP_VNONE },
+	{ C_ADDR, YP_TADDR, YP_VNONE, YP_FMULTI },
+	{ NULL }
+};
+
+static const knot_lookup_t opts[] = {
+	{ 1, "opt1" },
+	{ 2, "opt2" },
+	{ 0, NULL }
+};
+
+#define ZONE_ITEMS \
+	{ C_FILE,              YP_TSTR,  YP_VNONE }, \
+	{ C_MASTER,            YP_TREF,  YP_VREF = { C_RMT }, YP_FMULTI, { check_ref } }, \
+	{ C_ZONEFILE_LOAD,     YP_TOPT,  YP_VOPT = { opts, 0 } }, \
+	{ C_JOURNAL_CONTENT,   YP_TOPT,  YP_VOPT = { opts, 0 } }, \
+	{ C_DNSSEC_SIGNING,    YP_TBOOL, YP_VNONE }, \
+	{ C_DNSSEC_VALIDATION, YP_TBOOL, YP_VNONE }, \
+	{ C_CATALOG_ROLE,      YP_TOPT,  YP_VOPT = { opts, 0 } }, \
+	{ C_CATALOG_TPL,       YP_TREF,  YP_VREF = { C_RMT } }, \
+	{ C_COMMENT,           YP_TSTR,  YP_VNONE },
+
+static const yp_item_t desc_template[] = {
+	{ C_ID, YP_TSTR, YP_VNONE },
+	ZONE_ITEMS
+	{ NULL }
+};
+
+static const yp_item_t desc_zone[] = {
+	{ C_DOMAIN, YP_TDNAME, YP_VNONE },
+	ZONE_ITEMS
+	{ NULL }
+};
+
+const yp_item_t test_schema[] = {
+	{ C_SRV,  YP_TGRP, YP_VGRP = { desc_server } },
+	{ C_XDP,  YP_TGRP, YP_VGRP = { desc_xdp } },
+	{ C_CTL,  YP_TGRP, YP_VGRP = { desc_control } },
+	{ C_RMT,  YP_TGRP, YP_VGRP = { desc_remote }, YP_FMULTI, { check_remote } },
+	{ C_TPL,  YP_TGRP, YP_VGRP = { desc_template }, YP_FMULTI, { check_template } },
+	{ C_ZONE, YP_TGRP, YP_VGRP = { desc_zone }, YP_FMULTI, { check_zone } },
+	{ C_INCL, YP_TSTR, YP_VNONE, YP_FNONE, { include_file } },
+	{ NULL }
+};
+
+int main(int argc, char *argv[])
+{
+	plan_lazy();
+
+	ok(test_conf("", test_schema) == KNOT_EOK, "Prepare configuration");
+
+	diag("conf_io_begin");
+	test_conf_io_begin();
+
+	diag("conf_io_abort");
+	test_conf_io_abort();
+
+	diag("conf_io_commit");
+	test_conf_io_commit();
+
+	diag("conf_io_check");
+	test_conf_io_check();
+
+	diag("conf_io_set");
+	test_conf_io_set();
+
+	diag("conf_io_unset");
+	test_conf_io_unset();
+
+	diag("conf_io_get");
+	test_conf_io_get();
+
+	diag("conf_io_diff");
+	test_conf_io_diff();
+
+	diag("conf_io_list");
+	test_conf_io_list();
+
+	conf_free(conf());
+
+	return 0;
+}
diff --git a/tests/knot/test_digest.c b/tests/knot/test_digest.c
new file mode 100644
index 0000000..a694e49
--- /dev/null
+++ b/tests/knot/test_digest.c
@@ -0,0 +1,474 @@
+/*  Copyright (C) 2022 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include "knot/zone/digest.h"
+
+#include <string.h>
+#include <tap/basic.h>
+
+#include "knot/zone/zonefile.h"
+#include "libzscanner/scanner.h"
+
+// copy-pasted from knot/zone/zonefile.c
+static void process_data(zs_scanner_t *scanner)
+{
+	zcreator_t *zc = scanner->process.data;
+	if (zc->ret != KNOT_EOK) {
+		scanner->state = ZS_STATE_STOP;
+		return;
+	}
+
+	knot_dname_t *owner = knot_dname_copy(scanner->r_owner, NULL);
+	if (owner == NULL) {
+		zc->ret = KNOT_ENOMEM;
+		return;
+	}
+
+	knot_rrset_t rr;
+	knot_rrset_init(&rr, owner, scanner->r_type, scanner->r_class, scanner->r_ttl);
+
+	int ret = knot_rrset_add_rdata(&rr, scanner->r_data, scanner->r_data_length, NULL);
+	if (ret != KNOT_EOK) {
+		knot_rrset_clear(&rr, NULL);
+		zc->ret = ret;
+		return;
+	}
+
+	ret = knot_rrset_rr_to_canonical(&rr);
+	if (ret != KNOT_EOK) {
+		knot_rrset_clear(&rr, NULL);
+		zc->ret = ret;
+		return;
+	}
+
+	zc->ret = zcreator_step(zc, &rr);
+	knot_rrset_clear(&rr, NULL);
+}
+
+static void process_error(zs_scanner_t *s)
+{
+	(void)s;
+	assert(0);
+}
+
+static zone_contents_t *str2contents(const char *zone_str)
+{
+	knot_dname_txt_storage_t origin_str;
+	sscanf(zone_str, "%s", origin_str); // NOTE assuming that first token in zone_str is origin name!
+
+	knot_dname_t *origin = knot_dname_from_str_alloc(origin_str);
+	assert(origin != NULL);
+
+	zone_contents_t *cont = zone_contents_new(origin, false);
+	assert(cont != NULL);
+	knot_dname_free(origin, NULL);
+
+	zcreator_t zc = { cont, true, KNOT_EOK };
+
+	zs_scanner_t sc;
+	ok(zs_init(&sc, origin_str, KNOT_CLASS_IN, 3600) == 0 &&
+	   zs_set_input_string(&sc, zone_str, strlen(zone_str)) == 0 &&
+	   zs_set_processing(&sc, process_data, process_error, &zc) == 0 &&
+	   zs_parse_all(&sc) == 0, "zscanner initialization");
+	zs_deinit(&sc);
+
+	return cont;
+}
+
+static int check_contents(const char *zone_str)
+{
+	zone_contents_t *cont = str2contents(zone_str);
+	int ret = zone_contents_digest_verify(cont);
+	zone_contents_deep_free(cont);
+	return ret;
+}
+
+const char *simple_zone = "\
+example.      86400  IN  SOA     ns1 admin 2018031900 (  \n\
+                                 1800 900 604800 86400 ) \n\
+              86400  IN  NS      ns1                     \n\
+              86400  IN  NS      ns2                     \n\
+              86400  IN  ZONEMD  2018031900 1 1 (        \n\
+                                 c68090d90a7aed71        \n\
+                                 6bc459f9340e3d7c        \n\
+                                 1370d4d24b7e2fc3        \n\
+                                 a1ddc0b9a87153b9        \n\
+                                 a9713b3c9ae5cc27        \n\
+                                 777f98b8e730044c )      \n\
+ns1           3600   IN  A       203.0.113.63            \n\
+ns2           3600   IN  AAAA    2001:db8::63";
+
+const char *complex_zone = "\
+example.      86400  IN  SOA     ns1 admin 2018031900 (                 \n\
+                                 1800 900 604800 86400 )                \n\
+              86400  IN  NS      ns1                                    \n\
+              86400  IN  NS      ns2                                    \n\
+              86400  IN  ZONEMD  2018031900 1 1 (                       \n\
+                                 a3b69bad980a3504                       \n\
+                                 e1cffcb0fd6397f9                       \n\
+                                 3848071c93151f55                       \n\
+                                 2ae2f6b1711d4bd2                       \n\
+                                 d8b39808226d7b9d                       \n\
+                                 b71e34b72077f8fe )                     \n\
+ns1           3600   IN  A       203.0.113.63                           \n\
+NS2           3600   IN  AAAA    2001:db8::63                           \n\
+occluded.sub  7200   IN  TXT     \"I'm occluded but must be digested\"  \n\
+sub           7200   IN  NS      ns1                                    \n\
+duplicate     300    IN  TXT     \"I must be digested just once\"       \n\
+duplicate     300    IN  TXT     \"I must be digested just once\"       \n\
+foo.test.     555    IN  TXT     \"out-of-zone data must be excluded\"  \n\
+UPPERCASE     3600   IN  TXT     \"canonicalize uppercase owner names\" \n\
+*             777    IN  PTR     dont-forget-about-wildcards            \n\
+mail          3600   IN  MX      20 MAIL1                               \n\
+mail          3600   IN  MX      10 Mail2.Example.                      \n\
+sortme        3600   IN  AAAA    2001:db8::5:61                         \n\
+sortme        3600   IN  AAAA    2001:db8::3:62                         \n\
+sortme        3600   IN  AAAA    2001:db8::4:63                         \n\
+sortme        3600   IN  AAAA    2001:db8::1:65                         \n\
+sortme        3600   IN  AAAA    2001:db8::2:64                         \n\
+non-apex      900    IN  ZONEMD  2018031900 1 1 (                       \n\
+                                 616c6c6f77656420                       \n\
+                                 6275742069676e6f                       \n\
+                                 7265642e20616c6c                       \n\
+                                 6f77656420627574                       \n\
+                                 2069676e6f726564                       \n\
+                                 2e20616c6c6f7765 )";
+
+const char *multiple_digests = "\
+example.      86400  IN  SOA     ns1 admin 2018031900 (                \n\
+                                 1800 900 604800 86400 )               \n\
+example.      86400  IN  NS      ns1.example.                          \n\
+example.      86400  IN  NS      ns2.example.                          \n\
+example.      86400  IN  ZONEMD  2018031900 1 1 (                      \n\
+                                 62e6cf51b02e54b9                      \n\
+                                 b5f967d547ce4313                      \n\
+                                 6792901f9f88e637                      \n\
+                                 493daaf401c92c27                      \n\
+                                 9dd10f0edb1c56f8                      \n\
+                                 080211f8480ee306 )                    \n\
+example.      86400  IN  ZONEMD  2018031900 1 2 (                      \n\
+                                 08cfa1115c7b948c                      \n\
+                                 4163a901270395ea                      \n\
+                                 226a930cd2cbcf2f                      \n\
+                                 a9a5e6eb85f37c8a                      \n\
+                                 4e114d884e66f176                      \n\
+                                 eab121cb02db7d65                      \n\
+                                 2e0cc4827e7a3204                      \n\
+                                 f166b47e5613fd27 )                    \n\
+example.      86400  IN  ZONEMD  2018031900 1 240 (                    \n\
+                                 e2d523f654b9422a                      \n\
+                                 96c5a8f44607bbee )                    \n\
+example.      86400  IN  ZONEMD  2018031900 241 1 (                    \n\
+                                 e1846540e33a9e41                      \n\
+                                 89792d18d5d131f6                      \n\
+                                 05fc283e )                            \n\
+ns1.example.  3600   IN  A       203.0.113.63                          \n\
+ns2.example.  86400  IN  TXT     \"This example has multiple digests\" \n\
+NS2.EXAMPLE.  3600   IN  AAAA    2001:db8::63";
+
+const char *signed_zone = "\
+uri.arpa.	3600 IN SOA	sns.dns.icann.org. noc.dns.icann.org. 2018100702 10800 3600 1209600 3600 \n\
+uri.arpa.	3600 IN RRSIG	SOA 8 2 3600 20210217232440 20210120232440 37444 uri.arpa. GzQw+QzwLDJr13REPGVmpEChjD1D2XlX0ie1DnWHpgaEw1E/dhs3lCN3 +BmHd4Kx3tffTRgiyq65HxR6feQ5v7VmAifjyXUYB1DZur1eP5q0Ms2y gCB3byoeMgCNsFS1oKZ2LdzNBRpy3oace8xQn1SpmHGfyrsgg+WbHKCT 1dY= \n\
+uri.arpa.	86400 IN NS	a.iana-servers.net. \n\
+uri.arpa.	86400 IN NS	b.iana-servers.net. \n\
+uri.arpa.	86400 IN NS	c.iana-servers.net. \n\
+uri.arpa.	86400 IN NS	ns2.lacnic.net. \n\
+uri.arpa.	86400 IN NS	sec3.apnic.net. \n\
+uri.arpa.	86400 IN RRSIG	NS 8 2 86400 20210217232440 20210120232440 37444 uri.arpa. M+Iei2lcewWGaMtkPlrhM9FpUAHXFkCHTVpeyrjxjEONeNgKtHZor5e4 V4qJBOzNqo8go/qJpWlFBm+T5Hn3asaBZVstFIYky38/C8UeRLPKq1hT THARYUlFrexr5fMtSUAVOgOQPSBfH3xBq/BgSccTdRb9clD+HE7djpqr LS4= \n\
+uri.arpa.	600 IN MX	10 pechora.icann.org. \n\
+uri.arpa.	600 IN RRSIG	MX 8 2 600 20210217232440 20210120232440 37444 uri.arpa. kQAJQivmv6A5hqYBK8h6Z13ESY69gmosXwKI6WE09I8RFetfrxr24ecd nYd0lpnDtgNNSoHkYRSOoB+C4+zuJsoyAAzGo9uoWMWj97/2xeGhf3PT C9meQ9Ohi6hul9By7OR76XYmGhdWX8PBi60RUmZ1guslFBfQ8izwPqzu phs= \n\
+uri.arpa.	3600 IN NSEC	ftp.uri.arpa. NS SOA MX RRSIG NSEC DNSKEY ZONEMD \n\
+uri.arpa.	3600 IN RRSIG	NSEC 8 2 3600 20210217232440 20210120232440 37444 uri.arpa. dU/rXLM/naWd1+1PiWiYVaNJyCkiuyZJSccr91pJI673T8r3685B4ODM YFafZRboVgwnl3ZrXddY6xOhZL3n9V9nxXZwjLJ2HJUojFoKcXTlpnUy YUYvVQ2kj4GHAo6fcGCEp5QFJ2KbCpeJoS+PhKGRRx28icCiNT4/uXQv O2E= \n\
+uri.arpa.	3600 IN DNSKEY	256 3 8 AwEAAbMxuFuLeVDuOwIMzYOTD/bTREjLflo7wOi6ieIJhqltEzgjNzmW Jf9kGwwDmzxU7kbthMEhBNBZNn84zmcyRSCMzuStWveL7xmqqUlE3swL 8kLOvdZvc75XnmpHrk3ndTyEb6eZM7slh2C63Oh6K8VR5VkiZAkEGg0u ZIT3NjsF \n\
+uri.arpa.	3600 IN DNSKEY	257 3 8 AwEAAdkTaWkZtZuRh7/OobBUFxM+ytTst+bCu0r9w+rEwXD7GbDs0pIM hMenrZzoAvmv1fQxw2MGs6Ri6yPKfNULcFOSt9l8i6BVBLI+SKTY6XXe DUQpSEmSaxohHeRPMQFzpysfjxINp/L2rGtZ7yPmxY/XRiFPSO0myqwG Ja9r06Zw9CHM5UDHKWV/E+zxPFq/I7CfPbrrzbUotBX7Z6Vh3Sarllbe 8cGUB2UFNaTRgwB0TwDBPRD5ER3w2Dzbry9NhbElTr7vVfhaGWeOGuqA UXwlXEg6CrNkmJXJ2F1Rzr9WHUzhp7uWxhAbmJREGfi2dEyPAbUAyCjB qhFaqglknvc= \n\
+uri.arpa.	3600 IN DNSKEY	257 3 8 AwEAAenQaBoFmDmvRT+/H5oNbm0Tr5FmNRNDEun0Jpj/ELkzeUrTWhNp QmZeIMC8I0kZ185tEvOnRvn8OvV39B17QIdrvvKGIh2HlgeDRCLolhao jfn2QM0DStjF/WWHpxJOmE6CIuvhqYEU37yoJscGAPpPVPzNvnL1HhYT aao1VRYWQ/maMrJ+bfHg+YX1N6M/8MnRjIKBif1FWjbCKvsn6dnuGGL9 oCWYUFJ3DwofXuhgPyZMkzPc88YkJj5EMvbMH4wtelbCwC+ivx732l0w /rXJn0ciQSOgoeVvDio8dIJmWQITWQAuP+q/ZHFEFHPlrP3gvQh5mcVS 48eLX71Bq7c= \n\
+uri.arpa.	3600 IN RRSIG	DNSKEY 8 2 3600 20210217232440 20210120232440 12670 uri.arpa. DBE2gkKAoxJCfz47KKxzoImN/0AKArhIVHE7TyTwy0DdRPo44V5R+vL6 thUxlQ1CJi2Rw0jwAXymx5Y3Q873pOEllH+4bJoIT4dmoBmPXfYWW7Cl vw9UPKHRP0igKHmCVwIeBYDTU3gfLcMTbR4nEWPDN0GxlL1Mf7ITaC2I oabo79Ip3M/MR8I3Vx/xZ4ZKKPHtLn3xUuJluPNanqJrED2gTslL2xWZ 1tqjsAjJv7JnJo2HJ8XVRB5zBto0IaJ2oBlqcjdcQ/0VlyoM8uOy1pDw HQ2BJl7322gNMHBP9HSiUPIOaIDNUCwW8eUcW6DIUk+s9u3GN1uTqwWz sYB/rA== \n\
+uri.arpa.	3600 IN RRSIG	DNSKEY 8 2 3600 20210217232440 20210120232440 30577 uri.arpa. Kx6HwP4UlkGc1UZ7SERXtQjPajOF4iUvkwDj7MEG1xbQFB1KoJiEb/ei W0qmSWdIhMDv8myhgauejRLyJxwxz8HDRV4xOeHWnRGfWBk4XGYwkejV zOHzoIArVdUVRbr2JKigcTOoyFN+uu52cNB7hRYu7dH5y1hlc6UbOnzR pMtGxcgVyKQ+/ARbIqGG3pegdEOvV49wTPWEiyY65P2urqhvnRg5ok/j zwAdMx4XGshiib7Ojq0sRVl2ZIzj4rFgY/qsSO8SEXEhMo2VuSkoJNio fVzYoqpxEeGnANkIT7Tx2xJL1BWyJxyc7E8Wr2QSgCcc+rYL6IkHDtJG Hy7TaQ== \n\
+uri.arpa.	3600 IN ZONEMD	2018100702 1 1 0DBC3C4DBFD75777C12CA19C337854B1577799901307C482E9D91D5D 15CD934D16319D98E30C4201CF25A1D5A0254960 \n\
+uri.arpa.	3600 IN RRSIG	ZONEMD 8 2 3600 20210217232440 20210120232440 37444 uri.arpa. QDo4XZcL3HMyn8aAHyCUsu/Tqj4Gkth8xY1EqByOb8XOTwVtA4ZNQORE 1siqNqjtJUbeJPtJSbLNqCL7rCq0CzNNnBscv6IIf4gnqJZjlGtHO30o hXtKvEc4z7SU3IASsi6bB3nLmEAyERdYSeU6UBfx8vatQDIRhkgEnnWU Th4= \n\
+ftp.uri.arpa.	604800 IN	NAPTR	0 0 \"\" \"\" \"!^ftp://([^:/?#]*).*$!\\\\1!i\" . \n\
+ftp.uri.arpa.	604800 IN	RRSIG	NAPTR 8 3 604800 20210217232440 20210120232440 37444 uri.arpa. EygekDgl+Lyyq4NMSEpPyOrOywYf9Y3FAB4v1DT44J3R5QGidaH8l7ZF jHoYFI8sY64iYOCV4sBnX/dh6C1L5NgpY+8l5065Xu3vvjyzbtuJ2k6Y YwJrrCbvl5DDn53zAhhO2hL9uLgyLraZGi9i7TFGd0sm3zNyUF/EVL0C cxU= \n\
+ftp.uri.arpa.	3600 IN NSEC	http.uri.arpa. NAPTR RRSIG NSEC \n\
+ftp.uri.arpa.	3600 IN RRSIG	NSEC 8 3 3600 20210217232440 20210120232440 37444 uri.arpa. pbP4KxevPXCu/bDqcvXiuBppXyFEmtHyiy0eAN5gS7mi6mp9Z9bWFjx/ LdH9+6oFGYa5vGmJ5itu/4EDMe8iQeZbI8yrpM4TquB7RR/MGfBnTd8S +sjyQtlRYG7yqEu77Vd78Fme22BKPJ+MVqjS0JHMUE/YUGomPkAjLJJw wGw= \n\
+http.uri.arpa.	604800 IN	NAPTR	0 0 \"\" \"\" \"!^http://([^:/?#]*).*$!\\\\1!i\" . \n\
+http.uri.arpa.	604800 IN	RRSIG	NAPTR 8 3 604800 20210217232440 20210120232440 37444 uri.arpa. eTqbWvt1GvTeXozuvm4ebaAfkXFQKrtdu0cEiExto80sHIiCbO0WL8UD a/J3cDivtQca7LgUbOb6c17NESsrsVkc6zNPx5RK2tG7ZQYmhYmtqtfg 1oU5BRdHZ5TyqIXcHlw9Blo2pir1Y9IQgshhD7UOGkbkEmvB1Lrd0aHh AAg= \n\
+http.uri.arpa.	3600 IN NSEC	mailto.uri.arpa. NAPTR RRSIG NSEC \n\
+http.uri.arpa.	3600 IN RRSIG	NSEC 8 3 3600 20210217232440 20210120232440 37444 uri.arpa. R9rlNzw1CVz2N08q6DhULzcsuUm0UKcPaGAWEU40tr81jEDHsFHNM+kh CdOI8nDstzA42aee4rwCEgijxJpRCcY9hrO1Ysrrr2fdqNz60JikMdar vU5O0p0VXeaaJDfJQT44+o+YXaBwI7Qod3FTMx7aRib8i7istvPm1Rr7 ixA= \n\
+mailto.uri.arpa. 604800 IN	NAPTR	0 0 \"\" \"\" \"!^mailto:(.*)@(.*)$!\\\\2!i\" . \n\
+mailto.uri.arpa. 604800 IN	RRSIG	NAPTR 8 3 604800 20210217232440 20210120232440 37444 uri.arpa. Ch2zTG2F1plEvQPyIH4Yd80XXLjXOPvMbiqDjpJBcnCJsV8QF7kr0wTL nUT3dB+asQudOjPyzaHGwFlMzmrrAsszN4XAMJ6htDtFJdsgTMP/NkHh YRSmVv6rLeAhd+mVfObY12M//b/GGVTjeUI/gJaLW0fLVZxr1Fp5U5CR jyw= \n\
+mailto.uri.arpa. 3600 IN NSEC	urn.uri.arpa. NAPTR RRSIG NSEC \n\
+mailto.uri.arpa. 3600 IN RRSIG	NSEC 8 3 3600 20210217232440 20210120232440 37444 uri.arpa. fQUbSIE6E7JDi2rosah4SpCOTrKufeszFyj5YEavbQuYlQ5cNFvtm8Ku E2xXMRgRI4RGvM2leVqcoDw5hS3m2pOJLxH8l2WE72YjYvWhvnwc5Rof e/8yB/vaSK9WCnqN8y2q6Vmy73AGP0fuiwmuBra7LlkOiqmyx3amSFiz wms= \n\
+urn.uri.arpa.	604800 IN	NAPTR	0 0 \"\" \"\" \"/urn:([^:]+)/\\\\1/i\" . \n\
+urn.uri.arpa.	604800 IN	RRSIG	NAPTR 8 3 604800 20210217232440 20210120232440 37444 uri.arpa. CVt2Tgz0e5ZmaSXqRfNys/8OtVCk9nfP0zhezhN8Bo6MDt6yyKZ2kEEW JPjkN7PCYHjO8fGjnUn0AHZI2qBNv7PKHcpR42VY03q927q85a65weOO 1YE0vPYMzACpua9TOtfNnynM2Ws0uN9URxUyvYkXBdqOC81N3sx1dVEL cwc= \n\
+urn.uri.arpa.	3600 IN NSEC	uri.arpa. NAPTR RRSIG NSEC \n\
+urn.uri.arpa.	3600 IN RRSIG	NSEC 8 3 3600 20210217232440 20210120232440 37444 uri.arpa. JuKkMiC3/j9iM3V8/izcouXWAVGnSZjkOgEgFPhutMqoylQNRcSkbEZQ zFK8B/PIVdzZF0Y5xkO6zaKQjOzz6OkSaNPIo1a7Vyyl3wDY/uLCRRAH RJfpknuY7O+AUNXvVVIEYJqZggd4kl/Rjh1GTzPYZTRrVi5eQidI1LqC Oeg=";
+
+const char *nsec3_zone = "\
+arpa.	86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2021051902 1800 900 604800 86400		\n\
+arpa.	518400	IN	NS	a.root-servers.net.		\n\
+arpa.	518400	IN	NS	b.root-servers.net.		\n\
+arpa.	518400	IN	NS	c.root-servers.net.		\n\
+arpa.	518400	IN	NS	d.root-servers.net.		\n\
+arpa.	518400	IN	NS	e.root-servers.net.		\n\
+arpa.	518400	IN	NS	f.root-servers.net.		\n\
+arpa.	518400	IN	NS	g.root-servers.net.		\n\
+arpa.	518400	IN	NS	h.root-servers.net.		\n\
+arpa.	518400	IN	NS	i.root-servers.net.		\n\
+arpa.	518400	IN	NS	k.root-servers.net.		\n\
+arpa.	518400	IN	NS	l.root-servers.net.		\n\
+arpa.	518400	IN	NS	m.root-servers.net.		\n\
+arpa.	518400	IN	RRSIG	NS 8 1 518400 20210616170429 20210519170429 29094 arpa. gyq/RdMYEGuTElq9QCbqmZSEUAF3aeBc+MGOMVK0hgmYKfVr8DDrh9UZJy4Ht+24+FHXGgAh8OkW4UbnmiIHQnsSflbQiyHljNYZGX3/H2fUs2FFWAjjAww2iPKuuPUkHgjZZQk0683FQuI9Ium0VK7dXGAvNKFh4Ay4LMjkQ6Y=		\n\
+arpa.	86400	IN	RRSIG	SOA 8 1 86400 20210616170429 20210519170429 29094 arpa. BnSptCxxljkkYItDfsphqUzCz4fALNhOqWrLtYx5aDRWAydcG0N7owhGTqy56VBop+lTzYKmlHfO5/bb/fRCYAXkDhsmVEqS00cDYTqpygTJbVB8Xd+ia1tBeF8cqsbngRhigF4y0cts+bkn7Wrvw21j7nhs01KROimudGH08hs=		\n\
+arpa.	86400	IN	RRSIG	DNSKEY 8 1 86400 20210616170429 20210519170429 18949 arpa. be6sPsu3+7kzDMkAHDsUM0FSoUhULtajWemX95PIVS4wpiEpVMsvF71YLIGRTzw+GfFI2NgsL/idFbUW2Fo7bZIBhbj8JXyZwvsoxt+cLfSfZtVGllKO1XQn5u7/PGU6U8YRSyzRA+ocpdjKqyohkMmOqiqkM7mOSvchDkcZDiw=		\n\
+arpa.	3600	IN	RRSIG	NSEC3PARAM 8 1 3600 20210616170429 20210519170429 29094 arpa. CHmmYN1DJGWraPdMPurcXadDO7ODWoz6gv0B7ln0Gwz5L4Mwb5SEtGAinO5R0T2M4OxQEkN0xhy73VERrZb5FvsxyEGJu0M5S6icvyKkJ1Zq+US5b3FX6MI/bIKu2pI5x7/ubpzWKZJ9itNWBRONBiuBsGT9c3Tb2IreuQWziH0=	\n\
+arpa.	86400	IN	RRSIG	TYPE63 8 1 86400 20210616170429 20210519170429 29094 arpa. Aqb9IQoNaga9euw67potZbiQYeyEAqd/zVYhDFxfLNfC4Qf6v7aPxW8Tyl+foNob91/KX5JGcS5tD4pq+G+IV+heLRH57s+moF3C0lsid8oZLqCbctmR/hr0YUQc5+dGQ/iy2erEPZq1W4eLsWX+YlUsQfajb5y4ggp7OMTmRuY=		\n\
+arpa.	86400	IN	DNSKEY	256 3 8 AwEAAdMaRW2okM0GrfInisiH9HWsqokdnmeXnJjKUwVQ8dy5sxm0DyCtzNapj54SF4ofgJxYufQCzYoe3Y3WsB6dKW15pTvu6ggqwuTTxvAnkMSHAlMGBE0sybRBIM38WswPcjAXmpITj7Zvgm8qh80dcusK5vwqJhb2CDWHRezUwiIB ;{id = 29094 (zsk), size = 1024b}			\n\
+arpa.	86400	IN	DNSKEY	257 3 8 AwEAAdQP1t2ookuQYFNUNGDmLHcoA6LFSImvULaUgChKiIO6Vv5yDyHB0Ng6ZkfHM0586cLcbXNBLj/9u5A4vqzOFj8phzW4WLZREZBLYMcuHhvQdqzuDJ0J5mxmLLis5eNaCwukVm6Zpf/otzCJsx9LyrhQBTyx6FF+h7dbSCvjh7tD ;{id = 18949 (ksk), size = 1024b}			\n\
+arpa.	3600	IN	NSEC3PARAM	1 0 1 - 		\n\
+arpa.	86400	IN	TYPE63	\\# 54 7876cdfe01019a84145013e13e3de2328868888c65aa46b7381213990f83d496c642d2324029cc852e09bffa38afd8e9197977776591		\n\
+0js82oec35lbbc4hl35476cm5icacksf.arpa.	86400	IN	RRSIG	NSEC3 8 2 86400 20210616170429 20210519170429 29094 arpa. PRVkH4+Nm17QlFgwFLnoqwaiIwWZ4pvscanHdMb6HOKkSxwtDoWAGhZubvYGt/Je735nQkGQPPXW2tkMkJa3D7e6RkX/8AoxcqqXOimC6BlG6LuSL4rSousDlbrulyh87qgIHXkUtrHyYUNAMZMKOjMHo7t5IxwjBO0SGADoglk=	\n\
+0js82oec35lbbc4hl35476cm5icacksf.arpa. 86400 IN NSEC3 1 0 1 - 2UB8EN7BK0T6DENIGO3I729IVQVME3VE NS			\n\
+2ub8en7bk0t6denigo3i729ivqvme3ve.arpa.	86400	IN	RRSIG	NSEC3 8 2 86400 20210616170429 20210519170429 29094 arpa. JsSiqDiPs0juQxKEcCKTFvKXzUdvIvCILEzcN79+qAxaiQuulHUxTSMDvrsxm83m9juvoOUYtBlPyZdI9erAfiEkpF71ZIl8iP7AKGgqTeV1C4SHnf2KsFi69qimdLbWeIfFGYEq+54Vj5vF1SrRounvj63avhI/Zf0tTWz11+4=	\n\
+2ub8en7bk0t6denigo3i729ivqvme3ve.arpa. 86400 IN NSEC3 1 0 1 - 3MKQ4F9MV3H6JSJNUJ6G31KRJLHKN9KJ NS DS RRSIG		\n\
+3mkq4f9mv3h6jsjnuj6g31krjlhkn9kj.arpa.	86400	IN	RRSIG	NSEC3 8 2 86400 20210616170429 20210519170429 29094 arpa. NAt7ul6uWzK19LyTcxbtfIt0SppVHyVjj4S/j0zxqcOH7gkJwf36+uIsb0lP7QzdYoB7dDeMFKnZfOCjBu+OkXTnOmfdwS5XA5OTM3dpi6g8plVRkcBDoWqz+UtQljD66A2XyuVl5vBmhP3OWe8TnlnA3jrHYO5zneEM/MdsoEE=	\n\
+3mkq4f9mv3h6jsjnuj6g31krjlhkn9kj.arpa. 86400 IN NSEC3 1 0 1 - BA4462JFP3IQK2KT4COIMT6532KSV55K NS DS RRSIG		\n\
+as112.arpa.	172800	IN	NS	a.iana-servers.net.	\n\
+as112.arpa.	172800	IN	NS	b.iana-servers.net.	\n\
+as112.arpa.	172800	IN	NS	c.iana-servers.net.	\n\
+as112.arpa.	86400	IN	DS	20236 8 1 1307e5595598b25fe2eb07bcef767c9d96c3ecdc				\n\
+as112.arpa.	86400	IN	DS	20236 8 2 72c9e5d15accc54a32c8c76fe5944bcbf3aabc2b13dc417609763e57bd89d515	\n\
+as112.arpa.	86400	IN	DS	49400 8 1 0236339d6c1fb0fdf6069a9babe455b443fe2f95				\n\
+as112.arpa.	86400	IN	DS	49400 8 2 f8e230e43e20e14200e46beb6e0a67ced274790c8c8c169df7fec5fb7dfa321f	\n\
+as112.arpa.	86400	IN	DS	53690 8 1 85d712965f3aa6556f40e11ba29c638565444acf				\n\
+as112.arpa.	86400	IN	DS	53690 8 2 354c6ef7b8b46a4c87ce6a21f3a9043898e68427ad64d029097ce2a38933b82e	\n\
+as112.arpa.	86400	IN	RRSIG	DS 8 2 86400 20210616170429 20210519170429 29094 arpa. Hs6t8f1s8NCPO1yzQIqCWWpGADwHqTVLCRVJIxMkpiWpDPP8zXxQRFp2BHNQ8jAcsp5w5OwIfIR27+5N7O73/y5qjcjDe6Yyzeh7L/nut0fuOuqne47a6VkuXJHmdilGeNFitAFZ+1iP9KnFVxb3NxNLByemx8mO30jYDw14O4Y=	\n\
+ba4462jfp3iqk2kt4coimt6532ksv55k.arpa.	86400	IN	RRSIG	NSEC3 8 2 86400 20210616170429 20210519170429 29094 arpa. MrpAQuo8eH4CAA2jjsLHGiMJ8DexXMDI7LHzQbX7k5L4oUTtBNoTnKFdxqKdxZoEXvO39GB5s0nD0qgR8g5xFAFfj+pcF2y4GC+LqXqV5N6gXKa23zEEN5mfxSuwnQ/JXw95ct2IuQkuU80MIU0ZdE/FVhSyHnlJYMGE3uB2DyY=	\n\
+ba4462jfp3iqk2kt4coimt6532ksv55k.arpa. 86400 IN NSEC3 1 0 1 - C26TIAI64HA5JPB4P8KII6P9JHH3TJFH NS DS RRSIG		\n\
+c26tiai64ha5jpb4p8kii6p9jhh3tjfh.arpa.	86400	IN	RRSIG	NSEC3 8 2 86400 20210616170429 20210519170429 29094 arpa. FSQuCmqKEUtYHqhkXDC8uikAIi5ZpMtS14jeaeWEn6Mip3uP1pFNuSQHgFhX9L20hdbeuOG3ribTqs3d4kz9VQ51g4KqD3uhHMVuQZyzpBJWq4Xwynt9cetvSK0f/kaf/wtAARo9HLkciJTBYiYUmYZVdmknIto4TqDNy2kkMrA=	\n\
+c26tiai64ha5jpb4p8kii6p9jhh3tjfh.arpa. 86400 IN NSEC3 1 0 1 - DKAS8UE0E261D6338P2GMF52ALH64LA6 NS DS RRSIG		\n\
+dkas8ue0e261d6338p2gmf52alh64la6.arpa.	86400	IN	RRSIG	NSEC3 8 2 86400 20210616170429 20210519170429 29094 arpa. pPD9lqm6kAoLwagCrQwBWBq4McfrHywg4RkQ20ZjuVcnmopggO6UkjlmYUnBn53Si5eqRY9CwtSEvYjKztXcyXnkwbD1xWExAsYucRYVbUPZmOllulYezphTHi1Qp7fRrhEjb/TCYcBUXvLJfU+S9OeVqefruYnIw3VevMPp518=	\n\
+dkas8ue0e261d6338p2gmf52alh64la6.arpa. 86400 IN NSEC3 1 0 1 - EARMJ48JEL1C2RDHIGD36N68U3V8Q1KV NS DS RRSIG		\n\
+e164.arpa.	172800	IN	NS	ns3.lacnic.net.			\n\
+e164.arpa.	172800	IN	NS	ns3.afrinic.net.		\n\
+e164.arpa.	172800	IN	NS	ns4.apnic.net.			\n\
+e164.arpa.	172800	IN	NS	pri.authdns.ripe.net.		\n\
+e164.arpa.	172800	IN	NS	rirns.arin.net.			\n\
+e164.arpa.	86400	IN	DS	46334 8 2 550664875d1121c6edd01f9602577640fed5ad19a749ae1e3fd68476af454578		\n\
+e164.arpa.	86400	IN	RRSIG	DS 8 2 86400 20210616170429 20210519170429 29094 arpa. A07roaG8r7ns0YydNMhaURb741akipIL8UCgRRMAs3BzzneUtXW3EmS50C7vxb5ikH84a39FerXHOetifGTKETjVMtuQmdPw1F8ClHMkWfdRyR5a+lWwosV3fgnSItoekfbggUZop1dZxzie93pv4RM89Jf/SMlOW/3bYJ1p7Hk=	\n\
+earmj48jel1c2rdhigd36n68u3v8q1kv.arpa.	86400	IN	RRSIG	NSEC3 8 2 86400 20210616170429 20210519170429 29094 arpa. yNYXtZ4dGDdJW3VNoLRtktV93mZmQsQv3Tvy6+iBTGx+W7T0ipSCZq+l5yvblfqGKXXnWWzYf/xKktaLmXnAzvdsacWaKGtudvvtSwLkhlxNWlL018Eoe2md0tsSLd5tSiTbufahrd4p1lv09ne//sGoSw/amfvY5hsRvmnhNhA=	\n\
+earmj48jel1c2rdhigd36n68u3v8q1kv.arpa. 86400 IN NSEC3 1 0 1 - H2D0RTQ108UOOUB5UDNN9D2PGQBVABC9 NS DS RRSIG			\n\
+h2d0rtq108uooub5udnn9d2pgqbvabc9.arpa.	86400	IN	RRSIG	NSEC3 8 2 86400 20210616170429 20210519170429 29094 arpa. isNpvWJ3TpDmEl66a9J9Q2GdlNqh9HculGjNFVIbiSfTb5aNgCITkgrKSoxjfZ8go3pDSeqwo5fhaBlbZQ4xGNGlc/T5U2qh2hJPGZpBwHYkR9a1YzMhzMx33oRXfMzsuC+6sasS8BLRHPmS4X89jPeA+lItEJPd1rQlHb1wt1I=	\n\
+h2d0rtq108uooub5udnn9d2pgqbvabc9.arpa. 86400 IN NSEC3 1 0 1 - KSH70CK6POGI86ENT4ONT3I9UJ71QE8K NS SOA RRSIG DNSKEY NSEC3PARAM TYPE63		\n\
+home.arpa.	172800	IN	NS	blackhole-1.iana.org.		\n\
+home.arpa.	172800	IN	NS	blackhole-2.iana.org.		\n\
+in-addr.arpa.	172800	IN	NS	a.in-addr-servers.arpa.		\n\
+in-addr.arpa.	172800	IN	NS	b.in-addr-servers.arpa.		\n\
+in-addr.arpa.	172800	IN	NS	c.in-addr-servers.arpa.		\n\
+in-addr.arpa.	172800	IN	NS	d.in-addr-servers.arpa.		\n\
+in-addr.arpa.	172800	IN	NS	e.in-addr-servers.arpa.		\n\
+in-addr.arpa.	172800	IN	NS	f.in-addr-servers.arpa.		\n\
+in-addr.arpa.	86400	IN	DS	47054 8 2 5cafccec201d1933b4c9f6a9c8f51e51f3b39979058ac21b8df1b1f281cbc6f2		\n\
+in-addr.arpa.	86400	IN	DS	53696 8 2 13e5501c56b20394da921b51412d48b7089c5eb6957a7c58553c4d4d424f04df		\n\
+in-addr.arpa.	86400	IN	DS	63982 8 2 aaf4fb5d213ef25ae44679032ebe3514c487d7abd99d7f5fec3383d030733c73		\n\
+in-addr.arpa.	86400	IN	RRSIG	DS 8 2 86400 20210616170429 20210519170429 29094 arpa. lr32Q5rTcwVyBASuYq2Mc1t8XPCSSXJDNtK+MzisWifCZ0b0m/GARo34QKR2y3afqeFdqVXWrYrBVjAF2Rg21izsWqpMNyfLloesNNl63A9uQi4dFT3Zfz3OdQOGhWcy51ydn8KVtieIubRTBQAgExgZsDzyRC4PXjzh4Jj872g=				\n\
+in-addr-servers.arpa.	172800	IN	NS	a.in-addr-servers.arpa.	\n\
+in-addr-servers.arpa.	172800	IN	NS	b.in-addr-servers.arpa.	\n\
+in-addr-servers.arpa.	172800	IN	NS	c.in-addr-servers.arpa.	\n\
+in-addr-servers.arpa.	172800	IN	NS	d.in-addr-servers.arpa.	\n\
+in-addr-servers.arpa.	172800	IN	NS	e.in-addr-servers.arpa.	\n\
+in-addr-servers.arpa.	172800	IN	NS	f.in-addr-servers.arpa.	\n\
+in-addr-servers.arpa.	86400	IN	DS	1987 8 2 dacfdeb02a489a514c6408d0d54e0904fe6e09a6e111abc9eacb27f6552805e1	\n\
+in-addr-servers.arpa.	86400	IN	DS	45104 8 2 50136f7a8d3ffe4f9887ad234ff8ce945cabd331feb12569b2f61f99ce40fdbf	\n\
+in-addr-servers.arpa.	86400	IN	DS	62996 8 2 836537710efc1e5570e3aeff7c0c80d3957a16ddf8005034bc9082898968dc81	\n\
+in-addr-servers.arpa.	86400	IN	RRSIG	DS 8 2 86400 20210616170429 20210519170429 29094 arpa. j+2AVMMc1xfd/ua7lHpNQUr95kUTcr8SIQJk6prTkYnPdDvMNZPIhhdVNw7WzFjIvGLF3iumbYY46I3KN3P1eZUKtn0OFvTZ/UG/tlbWaj473XNxWnbwp8sPuT46nuLH6P14gNEhbPGGrh2VE+hFPkM/4ZdfwlCbDC5vEsQNYko=			\n\
+a.in-addr-servers.arpa.	172800	IN	A	199.180.182.53		\n\
+a.in-addr-servers.arpa.	172800	IN	AAAA	2620:37:e000::53	\n\
+b.in-addr-servers.arpa.	172800	IN	A	199.253.183.183		\n\
+b.in-addr-servers.arpa.	172800	IN	AAAA	2001:500:87::87		\n\
+c.in-addr-servers.arpa.	172800	IN	A	196.216.169.10		\n\
+c.in-addr-servers.arpa.	172800	IN	AAAA	2001:43f8:110::10	\n\
+d.in-addr-servers.arpa.	172800	IN	A	200.10.60.53		\n\
+d.in-addr-servers.arpa.	172800	IN	AAAA	2001:13c7:7010::53	\n\
+e.in-addr-servers.arpa.	172800	IN	A	203.119.86.101		\n\
+e.in-addr-servers.arpa.	172800	IN	AAAA	2001:dd8:6::101		\n\
+f.in-addr-servers.arpa.	172800	IN	A	193.0.9.1		\n\
+f.in-addr-servers.arpa.	172800	IN	AAAA	2001:67c:e0::1		\n\
+ip6.arpa.	172800	IN	NS	a.ip6-servers.arpa.		\n\
+ip6.arpa.	172800	IN	NS	b.ip6-servers.arpa.		\n\
+ip6.arpa.	172800	IN	NS	c.ip6-servers.arpa.		\n\
+ip6.arpa.	172800	IN	NS	d.ip6-servers.arpa.		\n\
+ip6.arpa.	172800	IN	NS	e.ip6-servers.arpa.		\n\
+ip6.arpa.	172800	IN	NS	f.ip6-servers.arpa.		\n\
+ip6.arpa.	86400	IN	DS	13880 8 2 068554efcb5861f42af93ef8e79c442a86c16fc5652e6b6d2419ed527f344d17		\n\
+ip6.arpa.	86400	IN	DS	45094 8 2 e6b54e0a20ce1edbfcb6879c02f5782059cecb043a31d804a04afa51af01d5fb		\n\
+ip6.arpa.	86400	IN	DS	64060 8 2 8a11501086330132be2c23f22dedf0634ad5ff668b4aa1988e172c6a2a4e5f7b		\n\
+ip6.arpa.	86400	IN	RRSIG	DS 8 2 86400 20210616170429 20210519170429 29094 arpa. aNklM0l2ixPusry6KMt0PYGuKgLXqAJArq3KSZgG0QgMjGC0ChVwAO2+vq4wwR8QuqA6vAWHKKpw79l8MYV9I7+a50WPFyEOugl1s+konVjzkgMboPaOZbg52g47mPdQ7Q0N9MPLA8/FJx13cHauimQjZ+1FOiiWhveqgR2Jg8o=				\n\
+ip6-servers.arpa.	172800	IN	NS	a.ip6-servers.arpa.	\n\
+ip6-servers.arpa.	172800	IN	NS	b.ip6-servers.arpa.	\n\
+ip6-servers.arpa.	172800	IN	NS	c.ip6-servers.arpa.	\n\
+ip6-servers.arpa.	172800	IN	NS	d.ip6-servers.arpa.	\n\
+ip6-servers.arpa.	172800	IN	NS	e.ip6-servers.arpa.	\n\
+ip6-servers.arpa.	172800	IN	NS	f.ip6-servers.arpa.	\n\
+ip6-servers.arpa.	86400	IN	DS	16169 8 2 27fb5354c3c011c2851ee25ba32929b645d63262779ac101a6f28cd631991269	\n\
+ip6-servers.arpa.	86400	IN	DS	19720 8 2 f154d00f5759c274de9cad621910cc0b87d720d35b7de4b0b566e135196c38e2	\n\
+ip6-servers.arpa.	86400	IN	DS	54832 8 2 ff0d5f44a086a7a31b99c81cfd1135524b5896878e6de78f12b3f609bf7279dc	\n\
+ip6-servers.arpa.	86400	IN	RRSIG	DS 8 2 86400 20210616170429 20210519170429 29094 arpa. fYShlxJWViKV2SbFCqyxUa64AKAedJ2udqcw/VtKNxg2T6i5IQzFc2aPB7V/+MtE64vHWwbrThgOvNC4Xmc7jVqKNsSc1X4Q8ZSQy+/CgmS5pBkI4XpLBb6kTUJMGorgAOI1ek1OMpl25mGmeJ6lE8e5PTNUisz/7ybIx5pBTz0=			\n\
+a.ip6-servers.arpa.	172800	IN	A	199.180.182.53		\n\
+a.ip6-servers.arpa.	172800	IN	AAAA	2620:37:e000::53	\n\
+b.ip6-servers.arpa.	172800	IN	A	199.253.182.182		\n\
+b.ip6-servers.arpa.	172800	IN	AAAA	2001:500:86::86		\n\
+c.ip6-servers.arpa.	172800	IN	A	196.216.169.11		\n\
+c.ip6-servers.arpa.	172800	IN	AAAA	2001:43f8:110::11	\n\
+d.ip6-servers.arpa.	172800	IN	A	200.7.86.53		\n\
+d.ip6-servers.arpa.	172800	IN	AAAA	2001:13c7:7012::53	\n\
+e.ip6-servers.arpa.	172800	IN	A	203.119.86.101		\n\
+e.ip6-servers.arpa.	172800	IN	AAAA	2001:dd8:6::101		\n\
+f.ip6-servers.arpa.	172800	IN	A	193.0.9.2		\n\
+f.ip6-servers.arpa.	172800	IN	AAAA	2001:67c:e0::2		\n\
+ipv4only.arpa.	172800	IN	NS	a.iana-servers.net.		\n\
+ipv4only.arpa.	172800	IN	NS	b.iana-servers.net.		\n\
+ipv4only.arpa.	172800	IN	NS	c.iana-servers.net.		\n\
+ipv4only.arpa.	172800	IN	NS	ns.icann.org.			\n\
+iris.arpa.	172800	IN	NS	a.iana-servers.net.		\n\
+iris.arpa.	172800	IN	NS	b.iana-servers.net.		\n\
+iris.arpa.	172800	IN	NS	c.iana-servers.net.		\n\
+iris.arpa.	172800	IN	NS	ns3.lacnic.net.			\n\
+iris.arpa.	172800	IN	NS	ns4.apnic.net.			\n\
+iris.arpa.	86400	IN	DS	38534 8 2 163416c9dcaf8d1babfec16552ed109029607907ab80b195e1dab40f1792a59c		\n\
+iris.arpa.	86400	IN	DS	39464 8 2 1e09a2d6374800d54cfd0e52293906ccf7db7e923dcab7015e4bb697d76d9846		\n\
+iris.arpa.	86400	IN	DS	44285 8 2 05cbf77375a8bf5702cf8e261ff947be8c8ab7a0b9485a0241edcfe2f155c7f3		\n\
+iris.arpa.	86400	IN	RRSIG	DS 8 2 86400 20210616170429 20210519170429 29094 arpa. oikOvs9AfaPv1Po/E76SZ7VBoYjqHqzZEzrA0N4gWXlemmsUKyXh9fiXqtusFIZD7QUBJMvOYkIpWnAOliWnk/oj4lmmwnYMqqLWDMWVoXiUAUtmwQHm89cAjyWc9nRuDVBweKtqH5GQKtEWxu4nkKPIbuUVNHBgxtKZP7Jbzic=				\n\
+ksh70ck6pogi86ent4ont3i9uj71qe8k.arpa.	86400	IN	RRSIG	NSEC3 8 2 86400 20210616170429 20210519170429 29094 arpa. YPnC0imYz+x2dNwUQwvp2CB1Ini1dEcn9Vur9T4KwzAMqVr+PPkheMRiIQcAbmkSLG1D1p/qVzaFEC7ixlaxuEFlvGwM+c5OvukbWek1QtdCDJpgtse3HBajoRTgBDGRwvj+DFej9ppygZpe+vlgSDmiC2fgPMhcG4Z6jMmVAec=	\n\
+ksh70ck6pogi86ent4ont3i9uj71qe8k.arpa. 86400 IN NSEC3 1 0 1 - MKQDDR5C3MPRP6DRU5TO19BB27TDVCVT NS DS RRSIG			\n\
+mkqddr5c3mprp6dru5to19bb27tdvcvt.arpa.	86400	IN	RRSIG	NSEC3 8 2 86400 20210616170429 20210519170429 29094 arpa. sUTu2ijBQlhCmn/fNl8O+UofW4ERQ0tgmK0LY8ggHCnvY26k4RCrGieZ6YXl8lCereSyx1DEPuScBA7YRCUEw/FtrW8rCKMo+wQhb4Uon2UUZRl/mrjNNsYxtYwjIN7u/BzfDhBHq2/8vVCybAS8GhqqJhOYpEcDgsITuDKVFOE=	\n\
+mkqddr5c3mprp6dru5to19bb27tdvcvt.arpa. 86400 IN NSEC3 1 0 1 - SRGGVLP1DI07IJT2IA31AGJRPFCNC616 NS DS RRSIG			\n\
+srggvlp1di07ijt2ia31agjrpfcnc616.arpa.	86400	IN	RRSIG	NSEC3 8 2 86400 20210616170429 20210519170429 29094 arpa. ep49bJfQ1c1dNMIlFO+EgeG4iW7pHyJvKbK6MJBBj/LJwVfhzwTa8ellqgHp3AH63j8tNPutowc1shlQwE7G/f3KfiVBUwPtAZHtqNYBFdNm0WdxoqRueJmyVR0h+vUfY+r1F4IYzwfjn+ldfj5lhKqQ+gX2HFR3M/FI6H97nHQ=	\n\
+srggvlp1di07ijt2ia31agjrpfcnc616.arpa. 86400 IN NSEC3 1 0 1 - SSTSS4TF3ICJ43RCMUQTSJORRDDSRSRL NS				\n\
+sstss4tf3icj43rcmuqtsjorrddsrsrl.arpa.	86400	IN	RRSIG	NSEC3 8 2 86400 20210616170429 20210519170429 29094 arpa. 0GVjQFd8YAYSXMh526fZ5Rx4WDHIf84MTzIsAYuLwM00H6uagrFxQv8mrGExWPummQ+Q+nHDuCBC5lEXjTF4/1qAu7MI627/mKtpcQevTvF3iE2ocf1/vfAFWVCzyLQ3AuFbGGuYQ6nlZzbOu2oRtma6/m4WpDhNszOhuONNlbY=	\n\
+sstss4tf3icj43rcmuqtsjorrddsrsrl.arpa. 86400 IN NSEC3 1 0 1 - 0JS82OEC35LBBC4HL35476CM5ICACKSF NS DS RRSIG			\n\
+uri.arpa.	172800	IN	NS	a.iana-servers.net.		\n\
+uri.arpa.	172800	IN	NS	b.iana-servers.net.		\n\
+uri.arpa.	172800	IN	NS	c.iana-servers.net.		\n\
+uri.arpa.	172800	IN	NS	ns3.lacnic.net.			\n\
+uri.arpa.	172800	IN	NS	ns4.apnic.net.			\n\
+uri.arpa.	86400	IN	DS	15796 8 2 7f8fa18fdd9a826eb08a4d4e9ce94dbba7a5b7b2b3ce1d74afd150242e9f572f		\n\
+uri.arpa.	86400	IN	DS	28547 8 2 deaefd0c163175350152da7b127dc7c4f9ec8bdf04ccc02829455df86c5ca035		\n\
+uri.arpa.	86400	IN	DS	57851 8 2 8feda13f642ed9be2e4aaa3d50099dd422ca6081b6bf8188f804343b58d39cb7		\n\
+uri.arpa.	86400	IN	RRSIG	DS 8 2 86400 20210616170429 20210519170429 29094 arpa. jwQhmqBE2EWCE2yi14CqgjMfYWq4/W//IuL/EHSRZPJjyP7R7cnUgh/7rDO4JUcYebviO4s9hidjfpnLQWxpR2Jy2SH6aeNERLo76O28UW2Y28eused7aWMDWAnWW4HxURsQSBy2cyQbNwPCLGVLeQZaeZbKRBJUbWJ4MT4UpDE=				\n\
+urn.arpa.	172800	IN	NS	a.iana-servers.net.		\n\
+urn.arpa.	172800	IN	NS	b.iana-servers.net.		\n\
+urn.arpa.	172800	IN	NS	c.iana-servers.net.		\n\
+urn.arpa.	172800	IN	NS	ns3.lacnic.net.			\n\
+urn.arpa.	172800	IN	NS	ns4.apnic.net.			\n\
+urn.arpa.	86400	IN	DS	28996 8 2 8e66d01a1e5864bcdb8e1f85579aec7c8c536c9d6fc7032ee708e869fd27f3d3		\n\
+urn.arpa.	86400	IN	DS	34555 8 2 bd743967def1caf0812fe9eff2371d3adf29e27251db272145a5d523c92f7101		\n\
+urn.arpa.	86400	IN	DS	45052 8 2 7685b675f93ada412cfe534820c8dcc55654b1711f677ba83a8564c12943f695		\n\
+urn.arpa.	86400	IN	RRSIG	DS 8 2 86400 20210616170429 20210519170429 29094 arpa. BHHa1YLYUOABgiloeQQRIMXRKxXNIwRken6E6ETFAWw3Js1ocu6H/X3bcPvBTjID/B+GRGgIyCnDnZ9iWeU41Tw1GnMNT9EM35DmnUgfzUU79shVzRtiYDV6JHF9Kidc90IxNrQOGAcUy0J9jhMa4KYEjfQab8sJSo0M+uJkNMw=";
+
+const char *no_zonemd = "\
+example.      86400  IN  SOA     ns1 admin 2018031900 (  \n\
+                                 1800 900 604800 86400 ) \n\
+              86400  IN  NS      ns1                     \n\
+              86400  IN  NS      ns2                     \n\
+ns1           3600   IN  A       203.0.113.63            \n\
+ns2           3600   IN  AAAA    2001:db8::63";
+
+const char *wrong_soa = "\
+example.      86400  IN  SOA     ns1 admin 2018031900 (  \n\
+                                 1800 900 604800 86400 ) \n\
+              86400  IN  NS      ns1                     \n\
+              86400  IN  NS      ns2                     \n\
+              86400  IN  ZONEMD  2018031901 1 1 (        \n\
+                                 c68090d90a7aed71        \n\
+                                 6bc459f9340e3d7c        \n\
+                                 1370d4d24b7e2fc3        \n\
+                                 a1ddc0b9a87153b9        \n\
+                                 a9713b3c9ae5cc27        \n\
+                                 777f98b8e730044c )      \n\
+ns1           3600   IN  A       203.0.113.63            \n\
+ns2           3600   IN  AAAA    2001:db8::63";
+
+const char *duplicate_schemalg = "\
+example.      86400  IN  SOA     ns1 admin 2018031900 (  \n\
+                                 1800 900 604800 86400 ) \n\
+              86400  IN  NS      ns1                     \n\
+              86400  IN  NS      ns2                     \n\
+              86400  IN  ZONEMD  2018031900 1 1 (        \n\
+                                 c68090d90a7aed71        \n\
+                                 6bc459f9340e3d7c        \n\
+                                 1370d4d24b7e2fc3        \n\
+                                 a1ddc0b9a87153b9        \n\
+                                 a9713b3c9ae5cc27        \n\
+                                 777f98b8e730044c )      \n\
+              86400  IN  ZONEMD  2018031901 1 1 (        \n\
+                                 c68090d90a7aed71        \n\
+                                 6bc459f9340e3d7c        \n\
+                                 1370d4d24b7e2fc3        \n\
+                                 a1ddc0b9a87153b9        \n\
+                                 a9713b3c9ae5cc27        \n\
+                                 777f98b8e730044c )      \n\
+ns1           3600   IN  A       203.0.113.63            \n\
+ns2           3600   IN  AAAA    2001:db8::63";
+
+const char *wrong_hash = "\
+example.      86400  IN  SOA     ns1 admin 2018031900 (  \n\
+                                 1800 900 604800 86400 ) \n\
+              86400  IN  NS      ns1                     \n\
+              86400  IN  NS      ns2                     \n\
+              86400  IN  ZONEMD  2018031900 1 1 (        \n\
+                                 c68090d90a7aed71        \n\
+                                 6bc459f9340e3d7c        \n\
+                                 1370d4d24b7e2fc3        \n\
+                                 a1ddc0b9a87153b9        \n\
+                                 a9713b3c9ae5cc27        \n\
+                                 777f98b8e730044d )      \n\
+ns1           3600   IN  A       203.0.113.63            \n\
+ns2           3600   IN  AAAA    2001:db8::63";
+
+int main(int argc, char *argv[])
+{
+	plan_lazy();
+
+	int ret = check_contents(simple_zone);
+	is_int(KNOT_EOK, ret, "simple zone");
+
+	ret = check_contents(complex_zone);
+	is_int(KNOT_EOK, ret, "complex zone");
+
+	ret = check_contents(multiple_digests);
+	is_int(KNOT_EOK, ret, "multiple digests");
+
+	ret = check_contents(signed_zone);
+	is_int(KNOT_EOK, ret, "signed zone");
+
+	ret = check_contents(nsec3_zone);
+	is_int(KNOT_EOK, ret, "nsec3 zone");
+
+	ret = check_contents(no_zonemd);
+	is_int(KNOT_ENOENT, ret, "no zonemd");
+
+	ret = check_contents(wrong_soa);
+	is_int(KNOT_ENOTSUP, ret, "wrong SOA serial");
+	// TODO tests for different scheme / algorithm ?
+
+	ret = check_contents(duplicate_schemalg);
+	is_int(KNOT_ESEMCHECK, ret, "duplicate scheme+algorithm pair");
+
+	ret = check_contents(wrong_hash);
+	is_int(KNOT_EMALF, ret, "wrong hash");
+
+	return 0;
+}
diff --git a/tests/knot/test_dthreads.c b/tests/knot/test_dthreads.c
new file mode 100644
index 0000000..3bdfa3a
--- /dev/null
+++ b/tests/knot/test_dthreads.c
@@ -0,0 +1,148 @@
+/*  Copyright (C) 2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <pthread.h>
+#include <sched.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <tap/basic.h>
+
+#include "knot/server/dthreads.h"
+
+/* Unit runnable data. */
+static pthread_mutex_t _runnable_mx;
+static volatile int _runnable_i = 0;
+static const int _runnable_cycles = 10000;
+
+/*! \brief Unit runnable. */
+int runnable(struct dthread *thread)
+{
+	for (int i = 0; i < _runnable_cycles; ++i) {
+
+		// Increase counter
+		pthread_mutex_lock(&_runnable_mx);
+		++_runnable_i;
+		pthread_mutex_unlock(&_runnable_mx);
+
+		// Cancellation point
+		if (dt_is_cancelled(thread)) {
+			break;
+		}
+
+		// Yield
+		sched_yield();
+	}
+
+	return 0;
+}
+
+/* Destructor data. */
+static volatile int _destructor_data = 0;
+static pthread_mutex_t _destructor_mx;
+
+/*! \brief Thread destructor. */
+int destruct(struct dthread *thread)
+{
+	pthread_mutex_lock(&_destructor_mx);
+	_destructor_data += 1;
+	pthread_mutex_unlock(&_destructor_mx);
+
+	return 0;
+}
+
+// Signal handler
+static void interrupt_handle(int s)
+{
+}
+
+/*! API: run tests. */
+int main(int argc, char *argv[])
+{
+	plan_lazy();
+
+	int cpus = dt_online_cpus();
+	ok(cpus > 0, "dthread: online cpus is positive value");
+
+	// Register service and signal handler
+	struct sigaction sa;
+	sa.sa_handler = interrupt_handle;
+	sigemptyset(&sa.sa_mask);
+	sa.sa_flags = 0;
+	sigaction(SIGALRM, &sa, NULL); // Interrupt
+
+	/* Initialize */
+	srand(time(NULL));
+	pthread_mutex_init(&_runnable_mx, NULL);
+	pthread_mutex_init(&_destructor_mx, NULL);
+
+	/* Test 1: Create unit */
+	int size = 2;
+	dt_unit_t *unit = dt_create(size, &runnable, NULL, NULL);
+	ok(unit != NULL, "dthreads: create unit (size %d)", size);
+	if (unit == NULL) {
+		skip_block(7, "No dthreads unit");
+		goto skip_all;
+	}
+
+	/* Test 2: Start tasks. */
+	_runnable_i = 0;
+	ok(dt_start(unit) == 0, "dthreads: start single task");
+
+	/* Test 3: Wait for tasks. */
+	ok(dt_join(unit) == 0, "dthreads: join threads");
+
+	/* Test 4: Compare counter. */
+	int expected = _runnable_cycles * 2;
+	is_int(expected, _runnable_i, "dthreads: result ok");
+
+	/* Test 5: Deinitialize */
+	dt_delete(&unit);
+	ok(unit == NULL, "dthreads: delete unit");
+
+	/* Test 6: Wrong values. */
+	unit = dt_create(-1, NULL, NULL, NULL);
+	ok(unit == NULL, "dthreads: create with negative count");
+
+	/* Test 7: NULL operations crashing. */
+	int ret = 0;
+	ret += dt_activate(0);
+	ret += dt_cancel(0);
+	ret += dt_compact(0);
+	dt_delete(0);
+	ret += dt_is_cancelled(0);
+	ret += dt_join(0);
+	ret += dt_signalize(0, SIGALRM);
+	ret += dt_start(0);
+	ret += dt_stop(0);
+	ret += dt_unit_lock(0);
+	ret += dt_unit_unlock(0);
+	is_int(-198, ret, "dthreads: correct values when passed NULL context");
+
+	/* Test 8: Thread destructor. */
+	_destructor_data = 0;
+	unit = dt_create(2, 0, destruct, 0);
+	dt_start(unit);
+	dt_stop(unit);
+	dt_join(unit);
+	is_int(2, _destructor_data, "dthreads: destructor with dt_create_coherent()");
+	dt_delete(&unit);
+
+skip_all:
+
+	pthread_mutex_destroy(&_runnable_mx);
+	pthread_mutex_destroy(&_destructor_mx);
+	return 0;
+}
diff --git a/tests/knot/test_fdset.c b/tests/knot/test_fdset.c
new file mode 100644
index 0000000..d0282f0
--- /dev/null
+++ b/tests/knot/test_fdset.c
@@ -0,0 +1,150 @@
+/*  Copyright (C) 2022 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <pthread.h>
+#include <tap/basic.h>
+#include <unistd.h>
+
+#include "knot/common/fdset.h"
+#include "libknot/attribute.h"
+#include "contrib/time.h"
+
+#define PATTERN1		"0x45"
+#define PATTERN2		"0xED"
+
+#define TIMEOUT0		2000
+#define TIMEOUT1		10
+#define TIMEOUT2		400
+#define JITTER			(TIMEOUT2 - TIMEOUT1 - 10)
+
+void *thr_action1(void *arg)
+{
+	usleep(1000 * TIMEOUT1);
+	_unused_ int ret = write(*((int *)arg), &PATTERN1, 1);
+	return NULL;
+}
+
+void *thr_action2(void *arg)
+{
+	usleep(1000 * TIMEOUT2);
+	_unused_ int ret = write(*((int *)arg), &PATTERN2, 1);
+	return NULL;
+}
+
+int main(int argc, char *argv[])
+{
+	plan_lazy();
+
+	fdset_t fdset;
+	int ret = fdset_init(&fdset, 32);
+	ok(ret == KNOT_EOK, "fdset_init");
+
+	int fds0[2], fds1[2], fds2[2];
+
+	ret = pipe(fds0);
+	ok(ret >= 0, "create pipe 0");
+	ret = fdset_add(&fdset, fds0[0], FDSET_POLLIN, NULL);
+	ok(ret >= 0, "add pipe 0 to fdset");
+
+	ret = pipe(fds1);
+	ok(ret >= 0, "create pipe 1");
+	ret = fdset_add(&fdset, fds1[0], FDSET_POLLIN, NULL);
+	ok(ret >= 0, "add pipe 1 to fdset");
+
+	ret = pipe(fds2);
+	ok(ret >= 0, "create pipe 2");
+	ret = fdset_add(&fdset, fds2[0], FDSET_POLLIN, NULL);
+	ok(ret >= 0, "add pipe 2 to fdset");
+
+	ok(fdset_get_length(&fdset) == 3, "fdset size full");
+
+	struct timespec time0 = time_now();
+
+	pthread_t t1, t2;
+	ret = pthread_create(&t1, 0, thr_action1, &fds1[1]);
+	ok(ret == 0, "create thread 1");
+	ret = pthread_create(&t2, 0, thr_action2, &fds2[1]);
+	ok(ret == 0, "create thread 2");
+
+	fdset_it_t it;
+	ret = fdset_poll(&fdset, &it, 0, TIMEOUT0);
+	struct timespec time1 = time_now();
+	double diff1 = time_diff_ms(&time0, &time1);
+	ok(ret == 1, "fdset_poll return 1");
+	ok(diff1 >= TIMEOUT1 && diff1 < TIMEOUT1 + JITTER, "fdset_poll timeout 1 (%f)", diff1);
+	for(; !fdset_it_is_done(&it); fdset_it_next(&it)) {
+		ok(!fdset_it_is_error(&it), "fdset no error");
+		ok(fdset_it_is_pollin(&it), "fdset can read");
+
+		int fd = fdset_it_get_fd(&it);
+		ok(fd == fds1[0], "fdset_it fd check");
+
+		char buf = 0x00;
+		ret = read(fd, &buf, sizeof(buf));
+		ok(ret == 1 && buf == PATTERN1[0], "fdset_it value check");
+
+		fdset_it_remove(&it);
+	}
+	fdset_it_commit(&it);
+	ok(fdset_get_length(&fdset) == 2, "fdset size 2");
+	close(fds1[1]);
+
+	int fd2_dup = dup(fds2[0]);
+	ok(fd2_dup >= 0, "duplicate fd");
+
+	ret = fdset_poll(&fdset, &it, 0, TIMEOUT0);
+	struct timespec time2 = time_now();
+	double diff2 = time_diff_ms(&time0, &time2);
+	ok(ret == 1, "fdset_poll return 2");
+	ok(diff2 >= TIMEOUT2 && diff2 < TIMEOUT2 + JITTER, "fdset_poll timeout 2 (%f)", diff2);
+	for(; !fdset_it_is_done(&it); fdset_it_next(&it)) {
+		ok(!fdset_it_is_error(&it), "fdset no error");
+		ok(fdset_it_is_pollin(&it), "fdset can read");
+
+		int fd = fdset_it_get_fd(&it);
+		ok(fd == fds2[0], "fdset_it fd check");
+
+		char buf = 0x00;
+		ret = read(fd, &buf, sizeof(buf));
+		ok(ret == 1 && buf == PATTERN2[0], "fdset_it value check");
+
+		fdset_it_remove(&it);
+	}
+	fdset_it_commit(&it);
+	ok(fdset_get_length(&fdset) == 1, "fdset size 1");
+
+	pthread_join(t1, 0);
+	pthread_join(t2, 0);
+
+	ret = fdset_remove(&fdset, 0);
+	ok(ret == KNOT_EOK, "fdset remove");
+	close(fds0[1]);
+	ok(fdset_get_length(&fdset) == 0, "fdset size 0");
+
+	ret = write(fds2[1], &PATTERN2, 1);
+	ok(ret == 1, "write to removed fd");
+	ret = fdset_poll(&fdset, &it, 0, 100);
+	ok(ret == 0, "fdset_poll return 3");
+
+
+	close(fds2[1]);
+	if (fd2_dup >= 0) {
+		close(fd2_dup);
+	}
+	fdset_clear(&fdset);
+
+	return 0;
+}
diff --git a/tests/knot/test_journal.c b/tests/knot/test_journal.c
new file mode 100644
index 0000000..748ab02
--- /dev/null
+++ b/tests/knot/test_journal.c
@@ -0,0 +1,880 @@
+/*  Copyright (C) 2022 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <assert.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <limits.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <tap/basic.h>
+#include <tap/files.h>
+
+#include "knot/journal/journal_read.h"
+#include "knot/journal/journal_write.h"
+
+#include "libknot/attribute.h"
+#include "libknot/libknot.h"
+#include "knot/zone/zone.h"
+#include "knot/zone/zone-diff.h"
+#include "test_conf.h"
+
+#define RAND_RR_LABEL 16
+#define RAND_RR_PAYLOAD 64
+#define MIN_SOA_SIZE 22
+
+char *test_dir_name;
+
+knot_lmdb_db_t jdb;
+zone_journal_t jj;
+
+unsigned env_flag;
+
+static unsigned lmdb_page_size(knot_lmdb_db_t *db)
+{
+	knot_lmdb_txn_t txn = { 0 };
+	knot_lmdb_begin(db, &txn, false);
+	MDB_stat st = { 0 };
+	mdb_stat(txn.txn, txn.db->dbi, &st);
+	knot_lmdb_abort(&txn);
+	return st.ms_psize;
+}
+
+static void set_conf(int zonefile_sync, size_t journal_usage, const knot_dname_t *apex)
+{
+	(void)apex;
+	char conf_str[512];
+	snprintf(conf_str, sizeof(conf_str),
+	         "template:\n"
+	         " - id: default\n"
+	         "   zonefile-sync: %d\n"
+	         "   journal-max-usage: %zu\n"
+	         "   journal-max-depth: 1000\n",
+	         zonefile_sync, journal_usage);
+	_unused_ int ret = test_conf(conf_str, NULL);
+	assert(ret == KNOT_EOK);
+	jj.conf = conf();
+}
+
+static void unset_conf(void)
+{
+	conf_update(NULL, CONF_UPD_FNONE);
+}
+
+/*! \brief Generate random string with given length. */
+static int randstr(char* dst, size_t len)
+{
+	for (int i = 0; i < len - 1; ++i) {
+		dst[i] = '0' + (int) (('Z'-'0') * (rand() / (RAND_MAX + 1.0)));
+	}
+	dst[len - 1] = '\0';
+
+	return 0;
+}
+
+/*! \brief Init RRSet with type SOA and given serial. */
+static void init_soa(knot_rrset_t *rr, const uint32_t serial, const knot_dname_t *apex)
+{
+	knot_rrset_init(rr, knot_dname_copy(apex, NULL), KNOT_RRTYPE_SOA, KNOT_CLASS_IN, 3600);
+
+	uint8_t soa_data[MIN_SOA_SIZE] = { 0 };
+	_unused_ int ret = knot_rrset_add_rdata(rr, soa_data, sizeof(soa_data), NULL);
+	knot_soa_serial_set(rr->rrs.rdata, serial);
+	assert(ret == KNOT_EOK);
+}
+
+/*! \brief Init RRSet with type TXT, random owner and random payload. */
+static void init_random_rr(knot_rrset_t *rr , const knot_dname_t *apex)
+{
+	/* Create random label. */
+	char owner[RAND_RR_LABEL + knot_dname_size(apex)];
+	owner[0] = RAND_RR_LABEL - 1;
+	randstr(owner + 1, RAND_RR_LABEL);
+
+	/* Append zone apex. */
+	memcpy(owner + RAND_RR_LABEL, apex, knot_dname_size(apex));
+	knot_rrset_init(rr, knot_dname_copy((knot_dname_t *)owner, NULL),
+			KNOT_RRTYPE_TXT, KNOT_CLASS_IN, 3600);
+
+	/* Create random RDATA. */
+	uint8_t txt[RAND_RR_PAYLOAD + 1];
+	txt[0] = RAND_RR_PAYLOAD - 1;
+	randstr((char *)(txt + 1), RAND_RR_PAYLOAD);
+
+	_unused_ int ret = knot_rrset_add_rdata(rr, txt, RAND_RR_PAYLOAD, NULL);
+	assert(ret == KNOT_EOK);
+}
+
+/*! \brief Init changeset with random changes. */
+static void init_random_changeset(changeset_t *ch, const uint32_t from, const uint32_t to,
+                                  const size_t size, const knot_dname_t *apex, bool is_bootstrap)
+{
+	// Add SOAs
+	knot_rrset_t soa;
+
+	if (is_bootstrap) {
+		ch->soa_from = NULL;
+		zone_contents_deep_free(ch->remove);
+		ch->remove = NULL;
+	} else {
+		init_soa(&soa, from, apex);
+		ch->soa_from = knot_rrset_copy(&soa, NULL);
+		assert(ch->soa_from);
+		knot_rrset_clear(&soa, NULL);
+	}
+
+	init_soa(&soa, to, apex);
+	ch->soa_to = knot_rrset_copy(&soa, NULL);
+	assert(ch->soa_to);
+	knot_rrset_clear(&soa, NULL);
+
+	// Add RRs to add section
+	for (size_t i = 0; i < size / 2; ++i) {
+		knot_rrset_t rr;
+		init_random_rr(&rr, apex);
+		_unused_ int ret = changeset_add_addition(ch, &rr, 0);
+		assert(ret == KNOT_EOK);
+		knot_rrset_clear(&rr, NULL);
+	}
+
+	// Add RRs to remove section
+	for (size_t i = 0; i < size / 2 && !is_bootstrap; ++i) {
+		knot_rrset_t rr;
+		init_random_rr(&rr, apex);
+		_unused_ int ret = changeset_add_removal(ch, &rr, 0);
+		assert(ret == KNOT_EOK);
+		knot_rrset_clear(&rr, NULL);
+	}
+}
+
+static void changeset_set_soa_serials(changeset_t *ch, uint32_t from, uint32_t to,
+				      const knot_dname_t *apex)
+{
+	knot_rrset_t soa;
+
+	init_soa(&soa, from, apex);
+	knot_rrset_free(ch->soa_from, NULL);
+	ch->soa_from = knot_rrset_copy(&soa, NULL);
+	assert(ch->soa_from);
+	knot_rrset_clear(&soa, NULL);
+
+	init_soa(&soa, to, apex);
+	knot_rrset_free(ch->soa_to, NULL);
+	ch->soa_to = knot_rrset_copy(&soa, NULL);
+	assert(ch->soa_to);
+	knot_rrset_clear(&soa, NULL);
+}
+
+/*! \brief Compare two changesets for equality. */
+static bool changesets_eq(const changeset_t *ch1, changeset_t *ch2)
+{
+	bool bootstrap = (ch1->remove == NULL);
+
+	if (!bootstrap && changeset_size(ch1) != changeset_size(ch2)) {
+		return false;
+	}
+
+	if ((bootstrap && ch2->remove != NULL) ||
+	    (!bootstrap && ch2->remove == NULL)) {
+		return false;
+	}
+
+	changeset_iter_t it1;
+	changeset_iter_t it2;
+	if (bootstrap) {
+		changeset_iter_add(&it1, ch1);
+		changeset_iter_add(&it2, ch2);
+	} else {
+		changeset_iter_all(&it1, ch1);
+		changeset_iter_all(&it2, ch2);
+	}
+
+	knot_rrset_t rr1 = changeset_iter_next(&it1);
+	knot_rrset_t rr2 = changeset_iter_next(&it2);
+	bool ret = true;
+	while (!knot_rrset_empty(&rr1)) {
+		if (!knot_rrset_equal(&rr1, &rr2, true)) {
+			ret = false;
+			break;
+		}
+		rr1 = changeset_iter_next(&it1);
+		rr2 = changeset_iter_next(&it2);
+	}
+
+	changeset_iter_clear(&it1);
+	changeset_iter_clear(&it2);
+
+	return ret;
+}
+
+static bool changesets_list_eq(list_t *l1, list_t *l2)
+{
+	node_t *n = NULL;
+	node_t *k = HEAD(*l2);
+	WALK_LIST(n, *l1) {
+		if (k == NULL) {
+			return false;
+		}
+
+		changeset_t *ch1 = (changeset_t *) n;
+		changeset_t *ch2 = (changeset_t *) k;
+		if (!changesets_eq(ch1, ch2)) {
+			return false;
+		}
+
+		k = k->next;
+	}
+
+	if (k->next != NULL) {
+		return false;
+	}
+
+	return true;
+}
+
+/*! \brief Test a list of changesets for continuity. */
+static bool test_continuity(list_t *l)
+{
+	node_t *n = NULL;
+	uint32_t key1, key2;
+	WALK_LIST(n, *l) {
+		if (n == TAIL(*l)) {
+			break;
+		}
+		changeset_t *ch1 = (changeset_t *) n;
+		changeset_t *ch2 = (changeset_t *) n->next;
+		key1 = knot_soa_serial(ch1->soa_to->rrs.rdata);
+		key2 = knot_soa_serial(ch2->soa_from->rrs.rdata);
+		if (key1 != key2) {
+			return KNOT_EINVAL;
+		}
+	}
+
+	return KNOT_EOK;
+}
+
+static void test_journal_db(void)
+{
+	env_flag = journal_env_flags(JOURNAL_MODE_ASYNC, false);
+	knot_lmdb_init(&jdb, test_dir_name, 2048 * 1024, env_flag, NULL);
+
+	int ret = knot_lmdb_open(&jdb);
+	is_int(KNOT_EOK, ret, "journal: open db (%s)", knot_strerror(ret));
+
+	ret = knot_lmdb_reconfigure(&jdb, test_dir_name, 4096 * 1024, env_flag);
+	is_int(KNOT_EOK, ret, "journal: re-open with bigger mapsize (%s)", knot_strerror(ret));
+
+	ret = knot_lmdb_reconfigure(&jdb, test_dir_name, 1024 * 1024, env_flag);
+	is_int(KNOT_EOK, ret, "journal: re-open with smaller mapsize (%s)", knot_strerror(ret));
+
+	knot_lmdb_deinit(&jdb);
+}
+
+static int load_j_list(zone_journal_t *zj, bool zij, uint32_t serial,
+                       journal_read_t **read, list_t *list)
+{
+	changeset_t *ch;
+	init_list(list);
+	int ret = journal_read_begin(*zj, zij, serial, read);
+	if (ret == KNOT_EOK) {
+		while ((ch = calloc(1, sizeof(*ch))) != NULL &&
+		       journal_read_changeset(*read, ch)) {
+			add_tail(list, &ch->n);
+		}
+		free(ch);
+		ret = journal_read_get_error(*read, KNOT_EOK);
+	}
+	return ret;
+}
+
+/*! \brief Test behavior with real changesets. */
+static void test_store_load(const knot_dname_t *apex)
+{
+	set_conf(1000, 512 * 1024, apex);
+
+	knot_lmdb_init(&jdb, test_dir_name, 1536 * 1024, env_flag, NULL);
+	assert(knot_lmdb_open(&jdb) == KNOT_EOK);
+
+	jj.db = &jdb;
+	jj.zone = apex;
+	list_t l, k;
+
+	changeset_t *m_ch = changeset_new(apex), r_ch, e_ch;
+	init_random_changeset(m_ch, 0, 1, 128, apex, false);
+	int ret = journal_insert(jj, m_ch, NULL, NULL);
+	is_int(KNOT_EOK, ret, "journal: store changeset (%s)", knot_strerror(ret));
+	ret = journal_sem_check(jj);
+	is_int(KNOT_EOK, ret, "journal: check after store changeset (%s)", knot_strerror(ret));
+	journal_read_t *read = NULL;
+
+	ret = load_j_list(&jj, false, changeset_from(m_ch), &read, &l);
+	is_int(KNOT_EOK, ret, "journal: read single changeset (%s)", knot_strerror(ret));
+	ok(1 == list_size(&l), "journal: read exactly one changeset");
+	ok(changesets_eq(m_ch, HEAD(l)), "journal: changeset equal after read");
+	changesets_free(&l);
+
+	journal_read_end(read);
+	ret = journal_set_flushed(jj);
+	is_int(KNOT_EOK, ret, "journal: first simple flush (%s)", knot_strerror(ret));
+
+	init_list(&k);
+	uint32_t serial = 1;
+	for (; ret == KNOT_EOK && serial < 40000; ++serial) {
+		changeset_t *m_ch2 = changeset_new(apex);
+		init_random_changeset(m_ch2, serial, serial + 1, 128, apex, false);
+		ret = journal_insert(jj, m_ch2, NULL, NULL);
+		if (ret != KNOT_EOK) {
+			changeset_free(m_ch2);
+			break;
+		}
+		add_tail(&k, &m_ch2->n);
+	}
+	is_int(KNOT_EBUSY, ret, "journal: overfill with changesets (%d inserted) (%d should= %d)",
+	       serial, ret, KNOT_EBUSY);
+	ret = journal_sem_check(jj);
+	is_int(KNOT_EOK, ret, "journal check (%s)", knot_strerror(ret));
+
+	ret = load_j_list(&jj, false, 1, &read, &l);
+	is_int(KNOT_EOK, ret, "journal: load list (%s)", knot_strerror(ret));
+	ok(changesets_list_eq(&l, &k), "journal: changeset lists equal after read");
+	ok(test_continuity(&l) == KNOT_EOK, "journal: changesets are in order");
+	changesets_free(&l);
+	journal_read_end(read);
+
+	ret = load_j_list(&jj, false, 1, &read, &l);
+	is_int(KNOT_EOK, ret, "journal: load list 2nd (%s)", knot_strerror(ret));
+	ok(changesets_list_eq(&l, &k), "journal: changeset lists equal after 2nd read");
+	changesets_free(&l);
+	journal_read_end(read);
+
+	ret = journal_set_flushed(jj);
+	is_int(KNOT_EOK, ret, "journal: flush after overfill (%s)", knot_strerror(ret));
+	ret = journal_sem_check(jj);
+	is_int(KNOT_EOK, ret, "journal check (%s)", knot_strerror(ret));
+
+	ret = load_j_list(&jj, false, 1, &read, &l);
+	is_int(KNOT_EOK, ret, "journal: load list (%s)", knot_strerror(ret));
+	ok(changesets_list_eq(&l, &k), "journal: changeset lists equal after flush");
+	changesets_free(&l);
+	journal_read_end(read);
+
+	changesets_free(&k);
+
+	changeset_t ch;
+	ret = changeset_init(&ch, apex);
+	ok(ret == KNOT_EOK, "journal: changeset init (%d)", ret);
+	init_random_changeset(&ch, serial, serial + 1, 555, apex, false);
+	ret = journal_insert(jj, &ch, NULL, NULL);
+	is_int(KNOT_EOK, ret, "journal: store after flush (%d)", ret);
+	ret = journal_sem_check(jj);
+	is_int(KNOT_EOK, ret, "journal check (%s)", knot_strerror(ret));
+	ret = load_j_list(&jj, false, serial, &read, &l);
+	is_int(KNOT_EOK, ret, "journal: load after store after flush after overfill (%s)", knot_strerror(ret));
+	is_int(1, list_size(&l), "journal: single changeset in list");
+	ok(changesets_eq(&ch, HEAD(l)), "journal: changeset not malformed after overfill");
+	changesets_free(&l);
+	journal_read_end(read);
+
+	changeset_clear(&ch);
+
+	changeset_init(&ch, apex);
+	init_random_changeset(&ch, 2, 3, 100, apex, false);
+	ret = journal_insert(jj, &ch, NULL, NULL);
+	is_int(KNOT_EOK, ret, "journal: insert discontinuous changeset (%s)", knot_strerror(ret));
+	ret = journal_sem_check(jj);
+	is_int(KNOT_EOK, ret, "journal check (%s)", knot_strerror(ret));
+	ret = load_j_list(&jj, false, 2, &read, &l);
+	is_int(KNOT_EOK, ret, "journal: read after discontinuity (%s)", knot_strerror(ret));
+	is_int(1, list_size(&l), "journal: discontinuity caused journal to drop");
+	changesets_free(&l);
+	journal_read_end(read);
+
+	// Test for serial number collision handling. We insert changesets
+	// with valid serial sequence that overflows and then collides with itself.
+	// The sequence is 0 -> 1 -> 2 -> 2147483647 -> 4294967294 -> 1 which should
+	// remove changesets 0->1 and 1->2. *
+	uint32_t serials[6] = { 0, 1, 2, 2147483647, 4294967294, 1 };
+	for (int i = 0; i < 5; i++) {
+		changeset_clear(&ch);
+		changeset_init(&ch, apex);
+		init_random_changeset(&ch, serials[i], serials[i + 1], 100, apex, false);
+		ret = journal_insert(jj, &ch, NULL, NULL);
+		is_int(i == 4 ? KNOT_EBUSY : KNOT_EOK, ret, "journal: inserting cycle (%s)", knot_strerror(ret));
+		ret = journal_sem_check(jj);
+		is_int(KNOT_EOK, ret, "journal check (%s)", knot_strerror(ret));
+	}
+	ret = journal_set_flushed(jj);
+	is_int(KNOT_EOK, ret, "journal: flush in cycle (%s)", knot_strerror(ret));
+	ret = journal_insert(jj, &ch, NULL, NULL);
+	is_int(KNOT_EOK, ret, "journal: inserted cycle (%s)", knot_strerror(ret));
+	ret = journal_sem_check(jj);
+	is_int(KNOT_EOK, ret, "journal check (%s)", knot_strerror(ret));
+	ret = journal_read_begin(jj, false, 0, &read);
+	is_int(KNOT_ENOENT, ret, "journal: cycle removed first changeset (%d should= %d)", ret, KNOT_ENOENT);
+	ret = journal_read_begin(jj, false, 1, &read);
+	is_int(KNOT_ENOENT, ret, "journal: cycle removed second changeset (%d should= %d)", ret, KNOT_ENOENT);
+	ret = load_j_list(&jj, false, 4294967294, &read, &l);
+	is_int(KNOT_EOK, ret, "journal: read after cycle (%s)", knot_strerror(ret));
+	ok(3 >= list_size(&l), "journal: cycle caused journal to partly drop");
+	ok(changesets_eq(&ch, HEAD(l)), "journal: changeset not malformed after cycle");
+	changesets_free(&l);
+	journal_read_end(read);
+	changeset_clear(&ch);
+	changeset_free(m_ch);
+
+	changeset_init(&e_ch, apex);
+	init_random_changeset(&e_ch, 0, 1, 200, apex, true);
+	zone_node_t *n = NULL;
+	zone_contents_add_rr(e_ch.add, e_ch.soa_to, &n);
+	ret = journal_insert_zone(jj, e_ch.add);
+	zone_contents_remove_rr(e_ch.add, e_ch.soa_to, &n);
+	is_int(KNOT_EOK, ret, "journal: insert zone-in-journal (%s)", knot_strerror(ret));
+	changeset_init(&r_ch, apex);
+	init_random_changeset(&r_ch, 1, 2, 200, apex, false);
+	ret = journal_insert(jj, &r_ch, NULL, NULL);
+	is_int(KNOT_EOK, ret, "journal: insert after zone-in-journal (%s)", knot_strerror(ret));
+	ret = load_j_list(&jj, true, 0, &read, &l);
+	is_int(KNOT_EOK, ret, "journal: load zone-in-journal (%s)", knot_strerror(ret));
+	is_int(2, list_size(&l), "journal: read two changesets from zone-in-journal");
+	ok(changesets_eq(&e_ch, HEAD(l)), "journal: zone-in-journal not malformed");
+	ok(changesets_eq(&r_ch, TAIL(l)), "journal: after zone-in-journal not malformed");
+	changesets_free(&l);
+	journal_read_end(read);
+	changeset_clear(&e_ch);
+	changeset_clear(&r_ch);
+
+	ret = journal_scrape_with_md(jj, true);
+	is_int(KNOT_EOK, ret, "journal: scrape with md (%s)", knot_strerror(ret));
+
+	unset_conf();
+}
+
+static void test_size_control(const knot_dname_t *zone1, const knot_dname_t *zone2)
+{
+	set_conf(-1, 100 * 1024, zone1);
+
+	zone_journal_t jj2 = { &jdb, zone2, conf() };
+	changeset_t *small_ch2 = changeset_new(zone2);
+	init_random_changeset(small_ch2, 1, 2, 100, zone2, false);
+	int ret = journal_insert(jj2, small_ch2, NULL, NULL);
+	is_int(KNOT_EOK, ret, "journal: storing small changeset must be ok");
+
+	changeset_t *big_zij = changeset_new(zone1);
+	init_random_changeset(big_zij, 0, 1, 1200, zone1, true);
+	zone_node_t *n = NULL;
+	zone_contents_add_rr(big_zij->add, big_zij->soa_to, &n);
+	ret = journal_insert_zone(jj, big_zij->add);
+	is_int(KNOT_EOK, ret, "journal: store big zone-in-journal");
+
+	changeset_t *big_ch2 = changeset_new(zone2);
+	init_random_changeset(big_ch2, 2, 3, 750, zone2, false);
+	ret = journal_insert(jj2, big_ch2, NULL, NULL);
+	is_int(KNOT_EOK, ret, "journal: second zone is not affected by storing big zij of other zone");
+
+	journal_read_t *read = NULL;
+	list_t l;
+	init_list(&l);
+	changeset_t *medium_ch1 = changeset_new(zone1);
+	init_random_changeset(medium_ch1, 1, 2, 300, zone1, false);
+	ret = journal_insert(jj, medium_ch1, NULL, NULL);
+	is_int(KNOT_EOK, ret, "journal: storing medium changeset must be ok");
+	ret = load_j_list(&jj, true, 0, &read, &l);
+	is_int(KNOT_EOK, ret, "journal: load zone-in-journal (%s)", knot_strerror(ret));
+	is_int(2, list_size(&l), "journal: read two changesets from journal");
+	changesets_free(&l);
+	journal_read_end(read);
+
+	changeset_t *small_ch1 = changeset_new(zone1);
+	init_random_changeset(small_ch1, 2, 3, 100, zone1, false);
+	ret = journal_insert(jj, small_ch1, NULL, NULL);
+	is_int(KNOT_EOK, ret, "journal: storing small changeset must be ok");
+	ret = load_j_list(&jj, true, 0, &read, &l);
+	is_int(KNOT_EOK, ret, "journal: load zone-in-journal (%s)", knot_strerror(ret));
+	is_int(2, list_size(&l), "journal: previous chs merged into zone-in-journal due to size limits");
+	changesets_free(&l);
+	journal_read_end(read);
+
+	changeset_t *medium_ch1b = changeset_new(zone1);
+	init_random_changeset(medium_ch1b, 3, 4, 300, zone1, false);
+	ret = journal_insert(jj, medium_ch1b, NULL, NULL);
+	is_int(KNOT_ESPACE, ret, "journal: not able to free space for changeset by merging");
+
+	changeset_t *too_big_zij = changeset_new(zone1);
+	init_random_changeset(too_big_zij, 0, 1, 2200, zone1, true);
+	zone_contents_add_rr(too_big_zij->add, too_big_zij->soa_to, &n);
+	ret = journal_insert_zone(jj, too_big_zij->add);
+	is_int(KNOT_ESPACE, ret, "journal: store too big zone-in-journal");
+
+	changeset_free(big_ch2);
+	changeset_free(big_zij);
+	changeset_free(too_big_zij);
+	changeset_free(small_ch2);
+	changeset_free(small_ch1);
+	changeset_free(medium_ch1);
+	changeset_free(medium_ch1b);
+
+	unset_conf();
+}
+
+const uint8_t *rdA = (const uint8_t *) "\x01\x02\x03\x04";
+const uint8_t *rdB = (const uint8_t *) "\x01\x02\x03\x05";
+const uint8_t *rdC = (const uint8_t *) "\x01\x02\x03\x06";
+
+// frees owner
+static knot_rrset_t * tm_rrset(knot_dname_t * owner, const uint8_t * rdata)
+{
+	knot_rrset_t * rrs = knot_rrset_new(owner, KNOT_RRTYPE_A, KNOT_CLASS_IN, 3600, NULL);
+	knot_rrset_add_rdata(rrs, rdata, 4, NULL);
+	free(owner);
+	return rrs;
+}
+
+static knot_dname_t *tm_owner(const char *prefix, const knot_dname_t *apex)
+{
+	size_t prefix_len = strlen(prefix);
+	size_t apex_len = knot_dname_size(apex);
+
+	knot_dname_t *out = malloc(prefix_len + apex_len + 2);
+	out[0] = prefix_len;
+	memcpy(out + 1, prefix, prefix_len);
+	memcpy(out + 1 + prefix_len, apex, apex_len);
+	return out;
+}
+
+static knot_dname_t *tm_owner_int(int x, const knot_dname_t *apex)
+{
+	char buf[12] = { 0 };
+	(void)snprintf(buf, sizeof(buf), "i%d", x);
+	return tm_owner(buf, apex);
+}
+
+static knot_rrset_t * tm_rrs(const knot_dname_t * apex, int x)
+{
+	static knot_rrset_t * rrsA = NULL;
+	static knot_rrset_t * rrsB = NULL;
+	static knot_rrset_t * rrsC = NULL;
+
+	if (apex == NULL) {
+		knot_rrset_free(rrsA, NULL);
+		knot_rrset_free(rrsB, NULL);
+		knot_rrset_free(rrsC, NULL);
+		rrsA = rrsB = rrsC = NULL;
+		return NULL;
+	}
+
+	if (rrsA == NULL) rrsA = tm_rrset(tm_owner("aaaaaaaaaaaaaaaaa", apex), rdA);
+	if (rrsB == NULL) rrsB = tm_rrset(tm_owner("bbbbbbbbbbbbbbbbb", apex), rdB);
+	if (rrsC == NULL) rrsC = tm_rrset(tm_owner("ccccccccccccccccc", apex), rdC);
+	switch ((x % 3 + 3) % 3) {
+	case 0: return rrsA;
+	case 1: return rrsB;
+	case 2: return rrsC;
+	}
+	assert(0); return NULL;
+}
+
+#define TM_RRS_INT_MAX 1000
+
+static knot_rrset_t *tm_rrs_int(const knot_dname_t *apex, int x)
+{
+	assert(x < TM_RRS_INT_MAX);
+	static knot_rrset_t *stat_rrs[TM_RRS_INT_MAX] = { 0 };
+
+	if (apex == NULL) {
+		for (int i = 0; i < TM_RRS_INT_MAX; i++) {
+			knot_rrset_free(stat_rrs[i], NULL);
+			stat_rrs[i] = NULL;
+		}
+		return NULL;
+	}
+
+	if (stat_rrs[x] == NULL) {
+		stat_rrs[x] = tm_rrset(tm_owner_int(x, apex), rdA);
+	}
+	return stat_rrs[x];
+}
+
+int tm_rrcnt(const changeset_t * ch, int flg)
+{
+	changeset_iter_t it;
+	int i = 0;
+	if (flg >= 0) changeset_iter_add(&it, ch);
+	else changeset_iter_rem(&it, ch);
+
+	knot_rrset_t rri;
+	while (rri = changeset_iter_next(&it), !knot_rrset_empty(&rri)) i++;
+
+	changeset_iter_clear(&it);
+	return i;
+}
+
+static changeset_t * tm_chs(const knot_dname_t * apex, int x)
+{
+	static changeset_t * chsI = NULL, * chsX = NULL, * chsY = NULL;
+	static uint32_t serial = 0;
+	if (x < 0) {
+		serial = 0;
+		return NULL;
+	}
+
+	if (apex == NULL) {
+		changeset_free(chsI);
+		changeset_free(chsX);
+		changeset_free(chsY);
+		chsI = chsX = chsY = NULL;
+		return NULL;
+	}
+
+	if (chsI == NULL) {
+		chsI = changeset_new(apex);
+		assert(chsI != NULL);
+		changeset_add_addition(chsI, tm_rrs(apex, 0), 0);
+		changeset_add_addition(chsI, tm_rrs(apex, 1), 0);
+	}
+	if (chsX == NULL) {
+		chsX = changeset_new(apex);
+		assert(chsX != NULL);
+		changeset_add_removal(chsX, tm_rrs(apex, 1), 0);
+		changeset_add_addition(chsX, tm_rrs(apex, 2), 0);
+	}
+	if (chsY == NULL) {
+		chsY = changeset_new(apex);
+		assert(chsY != NULL);
+		changeset_add_removal(chsY, tm_rrs(apex, 2), 0);
+		changeset_add_addition(chsY, tm_rrs(apex, 1), 0);
+	}
+	assert(x >= 0);
+	changeset_t * ret;
+	if (x == 0) ret = chsI;
+	else if (x % 2 == 1) ret = chsX;
+	else ret = chsY;
+
+	changeset_set_soa_serials(ret, serial, serial + 1, apex);
+	serial++;
+
+	return ret;
+}
+
+static void tm2_add_all(zone_contents_t *toadd)
+{
+	assert(toadd != NULL);
+	for (int i = 1; i < TM_RRS_INT_MAX; i++) {
+		zone_node_t *unused = NULL;
+		_unused_ int ret = zone_contents_add_rr(toadd, tm_rrs_int(toadd->apex->owner, i), &unused);
+		assert(ret == KNOT_EOK);
+	}
+}
+
+static zone_contents_t *tm2_zone(const knot_dname_t *apex)
+{
+	zone_contents_t *z = zone_contents_new(apex, false);
+	if (z != NULL) {
+		knot_rrset_t soa;
+		zone_node_t *unused = NULL;
+		init_soa(&soa, 1, apex);
+		_unused_ int ret = zone_contents_add_rr(z, &soa, &unused);
+		knot_rrset_clear(&soa, NULL);
+		assert(ret == KNOT_EOK);
+		tm2_add_all(z);
+	}
+	return z;
+}
+
+static changeset_t *tm2_chs_unzone(const knot_dname_t *apex)
+{
+	changeset_t *ch = changeset_new(apex);
+	if (ch != NULL) {
+		changeset_set_soa_serials(ch, 1, 2, apex);
+		tm2_add_all(ch->remove);
+		_unused_ int ret = changeset_add_addition(ch, tm_rrs_int(apex, 0), 0);
+		assert(ret == KNOT_EOK);
+	}
+	return ch;
+}
+
+static int merged_present(void)
+{
+	bool exists, has_merged;
+	return journal_info(jj, &exists, NULL, NULL, NULL, &has_merged, NULL, NULL, NULL) == KNOT_EOK && exists && has_merged;
+}
+
+static void test_merge(const knot_dname_t *apex)
+{
+	int i, ret;
+	list_t l;
+
+	// allow merge
+	set_conf(-1, 400 * 1024, apex);
+	ok(!journal_allow_flush(jj), "journal: merge allowed");
+
+	ret = journal_scrape_with_md(jj, false);
+	is_int(KNOT_EOK, ret, "journal: journal_drop_changesets must be ok");
+
+	// insert stuff and check the merge
+	for (i = 0; !merged_present() && i < 40000; i++) {
+		ret = journal_insert(jj, tm_chs(apex, i), NULL, NULL);
+		assert(ret == KNOT_EOK);
+	}
+	ret = journal_sem_check(jj);
+	is_int(KNOT_EOK, ret, "journal: sem check (%s)", knot_strerror(ret));
+	journal_read_t *read = NULL;
+	ret = load_j_list(&jj, false, 0, &read, &l);
+	is_int(KNOT_EOK, ret, "journal: journal_load_changesets must be ok");
+	assert(ret == KNOT_EOK);
+	ok(list_size(&l) == 2, "journal: read the merged and one following");
+	changeset_t * mch = (changeset_t *)HEAD(l);
+	ok(list_size(&l) >= 1 && tm_rrcnt(mch, 1) == 2, "journal: merged additions # = 2");
+	ok(list_size(&l) >= 1 && tm_rrcnt(mch, -1) == 0, "journal: merged removals # = 0");
+	changesets_free(&l);
+	journal_read_end(read);
+
+	// insert one more and check the #s of results
+	ret = journal_insert(jj, tm_chs(apex, i), NULL, NULL);
+	is_int(KNOT_EOK, ret, "journal: insert one more (%s)", knot_strerror(ret));
+	ret = load_j_list(&jj, false, 0, &read, &l);
+	is_int(KNOT_EOK, ret, "journal: journal_load_changesets2 must be ok");
+	ok(list_size(&l) == 3, "journal: read merged together with new changeset");
+	changesets_free(&l);
+	journal_read_end(read);
+	ret = load_j_list(&jj, false, i - 3, &read, &l);
+	is_int(KNOT_EOK, ret, "journal: journal_load_changesets3 must be ok");
+	ok(list_size(&l) == 4, "journal: read short history of merged/unmerged changesets");
+	changesets_free(&l);
+	journal_read_end(read);
+
+	// insert large zone-in-journal taking more than one chunk
+	zone_contents_t *bigz = tm2_zone(apex);
+	ret = journal_insert_zone(jj, bigz);
+	zone_contents_deep_free(bigz);
+	is_int(KNOT_EOK, ret, "journal: insert large zone-in-journal");
+
+	// insert changeset that will cancel it mostly out
+	changeset_t *bigz_cancelout = tm2_chs_unzone(apex);
+	ret = journal_insert(jj, bigz_cancelout, NULL, NULL);
+	changeset_free(bigz_cancelout);
+	is_int(KNOT_EOK, ret, "journal: insert cancel-out changeset");
+
+	// now fill up with dumy changesets to enforce merge
+	tm_chs(apex, -1);
+	while (changeset_to(tm_chs(apex, 0)) != 2) {  }
+	for (i = 0; i < 1600; i++) {
+		ret = journal_insert(jj, tm_chs(apex, i), NULL, NULL);
+		assert(ret == KNOT_EOK);
+	}
+
+	// finally: the test case. Reading the journal now must be no EMALF and
+	// the zone-in-journal must be little
+	ret = load_j_list(&jj, true, 0, &read, &l);
+	is_int(KNOT_EOK, ret, "journal: read chunks-shrinked zone-in-journal");
+	is_int(4, trie_weight(((changeset_t *)HEAD(l))->add->nodes->trie), "journal: small merged zone-in-journal");
+	changesets_free(&l);
+	journal_read_end(read);
+
+	ret = journal_scrape_with_md(jj, false);
+	assert(ret == KNOT_EOK);
+
+	// disallow merge
+	unset_conf();
+	set_conf(1000, 512 * 1024, apex);
+	ok(journal_allow_flush(jj), "journal: merge disallowed");
+
+	tm_rrs(NULL, 0);
+	tm_chs(NULL, 0);
+	tm_rrs_int(NULL, 0);
+	unset_conf();
+}
+
+static void test_stress_base(const knot_dname_t *apex,
+                             size_t update_size, size_t file_size)
+{
+	uint32_t serial = 0;
+
+	int ret = knot_lmdb_reconfigure(&jdb, test_dir_name, file_size, journal_env_flags(JOURNAL_MODE_ASYNC, false));
+	is_int(KNOT_EOK, ret, "journal: reconfigure to mapsize %zu (%s)", file_size, knot_strerror(ret));
+
+	set_conf(1000, file_size / 2, apex);
+
+	changeset_t ch;
+	ret = changeset_init(&ch, apex);
+	ok(ret == KNOT_EOK, "journal: changeset init (%d)", ret);
+	init_random_changeset(&ch, serial, serial + 1, update_size, apex, false);
+
+	for (int i = 1; i <= 6; ++i) {
+		serial = 0;
+		while (true) {
+			changeset_set_soa_serials(&ch, serial, serial + 1, apex);
+			ret = journal_insert(jj, &ch, NULL, NULL);
+			if (ret == KNOT_EOK) {
+				serial++;
+			} else {
+				break;
+			}
+		}
+
+		ret = journal_set_flushed(jj);
+		if (ret == KNOT_EOK) {
+			ret = journal_sem_check(jj);
+		}
+		ok(serial > 0 && ret == KNOT_EOK, "journal: pass #%d fillup run (%d inserts) (%s)", i, serial, knot_strerror(ret));
+	}
+
+	changeset_clear(&ch);
+
+	unset_conf();
+}
+
+/*! \brief Test behavior when writing to the journal and flushing it. */
+static void test_stress(const knot_dname_t *apex)
+{
+	diag("stress test: small data");
+	test_stress_base(apex, 40, (1024 + 512) * 1024);
+
+	diag("stress test: medium data");
+	test_stress_base(apex, 400, 3 * 1024 * 1024);
+
+	diag("stress test: large data");
+	test_stress_base(apex, 4000, 10 * 1024 * 1024);
+}
+
+int main(int argc, char *argv[])
+{
+	plan_lazy();
+
+	const knot_dname_t *apex = (const uint8_t *)"\4test";
+	const knot_dname_t *apex2 = (const uint8_t *)"\4ufoo";
+
+	test_dir_name = test_mkdtemp();
+
+	test_journal_db();
+
+	test_store_load(apex);
+
+	if (lmdb_page_size(&jdb) == 4096) {
+		test_size_control(apex, apex2);
+	} // else it is not manually optimized enough to test correctly
+
+	test_merge(apex);
+
+	test_stress(apex);
+
+	knot_lmdb_deinit(&jdb);
+
+	test_rm_rf(test_dir_name);
+	free(test_dir_name);
+
+	return 0;
+}
diff --git a/tests/knot/test_kasp_db.c b/tests/knot/test_kasp_db.c
new file mode 100644
index 0000000..e4f9766
--- /dev/null
+++ b/tests/knot/test_kasp_db.c
@@ -0,0 +1,233 @@
+/*  Copyright (C) 2022 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <limits.h>
+
+#include <tap/basic.h>
+#include <tap/files.h>
+
+#include "libknot/libknot.h"
+#include "test_conf.h"
+#include "knot/dnssec/kasp/kasp_db.c"
+
+#define CHARS500_1 "kTZgFfrHPP2EOSK24zRjY9GlgCUEkZNBF5UwqsTWisCxGQT4ieinitjXWT1c" \
+                   "pj+OR8UX/httSugee+MFsm5yOU/4/211BpLKwwOIAt4Yf8K7Bc+oXTdk15cH" \
+                   "TRZtshM1AtfjRsX9rsLDsnaFCyMXzty9AQoRxSphjxnUUC6fszfrSsRx7htl" \
+                   "/Xn1PAuwp9Bfn+FxAws98LYVuwiDqUgn4BR5lELdGd16zNOZnN7v023pmPDM" \
+                   "nGyvIATuqTCPbFeXTfw7aIDyx2DF+y95/kSnPtY3c1b0Yf+oCv4t3Hx2jjWT" \
+                   "9zuC6H+d+PL6HWqilJBs7ysn2FVpnE/Yo44VrQ8orw8QFZr1kR6z7AOVAcMk" \
+                   "ac+44swsc8orGCyJx6OlUfN5oU3YahUfLqg9ewl13+P2chmeI6wUyttKsq/4" \
+                   "Ud0YQAozBabiAKr1O/Eg7sZR6bV1YkCydQyYgmR/+VOu9D8Ld6uO4DcvhiE/" \
+                   "2AmTkLsKLxtpMnQqsTnx"
+#define CHARS500_2 "pzqkMLvpxUYYg0KuMCcBsk9aMm4b5Ny+vJ5UnTq8DVC0jHJJyyGcljKqfpi3" \
+                   "MkjfrWY0rbzXFZbZZ6i8bmhhRBcSxE+tK/3AU1LR7ZJsTuITuoJo5LKRH7Uu" \
+                   "MU7RBAzFuk3o+Pcyk+9UdbiRn9p4QqPTvb+2xfYn1pJvGHofJcQsSsPEe9Hw" \
+                   "ycVW+kdImvWiidn0/e1G6B2xibovnPKDUBFmTbdZIBKHb/eUUoUCNA9CWt5N" \
+                   "g8MutK2ixlBJlOvA6CA1V/VW56EJpLqvMxLaoRks5VY5Ls7zWAy97GEFH0Pl" \
+                   "uO/Rba1du5tsC0MAC08hljlmu9uoPhsvHdBYHUnQ7jDuYnu9GN3DN0Z6oVbV" \
+                   "N01JQZYhKQK/Bl61oM5JubLydtAypryDoG3IH75LhoVC8iGxDoDkxt3zoi/Q" \
+                   "PVfPZZsm5j5UOs3wrQL0KWylm2IDK42mrHK8F/XebnOYLNLQaan2a90C+fhH" \
+                   "a6hvu0RorkZzGNAZkq/D"
+
+const knot_dname_t *zone1 = (const knot_dname_t *)"\x05""zonea";
+const knot_dname_t *zone2 = (const knot_dname_t *)"\x05""zoneb";
+
+knot_lmdb_db_t _db, *db = &_db;
+
+const key_params_t params1 = { .id = "key id 1", .keytag = 1, .timing = { 1, 11, 111, 1111, 11111 },
+                               .public_key = { 520, (uint8_t *)"pk1 plus 500 chars: " CHARS500_1 } };
+const key_params_t params2 = { .id = "key id 2", .keytag = 2, .timing = { 2, 22, 222, 2222, 22222 },
+                               .public_key = { 520, (uint8_t *)"pk2 plus 500 chars: " CHARS500_2 } };
+
+bool params_eq(const key_params_t *a, const key_params_t *b)
+{
+	return ((a->keytag == b->keytag) && (a->public_key.size == b->public_key.size) &&
+	        (a->timing.retire == b->timing.retire) && (strcmp(a->id, b->id) == 0) &&
+	        (memcmp(a->public_key.data, b->public_key.data, b->public_key.size) == 0));
+}
+
+static void init_key_records(key_records_t *r)
+{
+	knot_rrset_init(&r->dnskey, knot_dname_copy(zone1, NULL),
+	                KNOT_RRTYPE_DNSKEY, KNOT_CLASS_IN, 3600);
+	knot_rrset_init(&r->cdnskey, knot_dname_copy(zone1, NULL),
+	                KNOT_RRTYPE_CDNSKEY, KNOT_CLASS_IN, 0);
+	knot_rrset_init(&r->cds, knot_dname_copy(zone1, NULL),
+	                KNOT_RRTYPE_CDS, KNOT_CLASS_IN, 0);
+	knot_rrset_init(&r->rrsig, knot_dname_copy(zone1, NULL),
+	                KNOT_RRTYPE_RRSIG, KNOT_CLASS_IN, 3600);
+	knot_rrset_add_rdata(&r->rrsig, (uint8_t *)CHARS500_1, 500, NULL);
+}
+
+int main(int argc, char *argv[])
+{
+	plan_lazy();
+
+	char *test_dir_name = test_mkdtemp();
+	bool ignore = false;
+
+	list_t l;
+	key_params_t *params;
+#define free_params free(params->id); free(params->public_key.data); params->id = NULL; params->public_key.data = NULL;
+
+	knot_lmdb_init(db, test_dir_name, 500*1024*1024, 0, "keys_db");
+	int ret = knot_lmdb_open(db);
+	is_int(KNOT_EOK, ret, "kasp_db: open eok");
+	ok(db->env != NULL, "kasp_db: lmdb env notnull");
+
+	ret = kasp_db_add_key(db, zone1, &params1);
+	is_int(KNOT_EOK, ret, "kasp_db: add key 1 eok");
+
+	ret = kasp_db_list_keys(db, zone1, &l);
+	is_int(KNOT_EOK, ret, "kasp_db: list keys 1 eok");
+	is_int(1, list_size(&l), "kasp_db: list keys reports one key 1");
+	params = ((ptrnode_t *)HEAD(l))->d;
+	ok(params_eq(params, &params1), "kasp_db: key params equal 1");
+	free_params
+	ptrlist_deep_free(&l, NULL);
+
+	ret = kasp_db_list_keys(db, zone2, &l);
+	is_int(KNOT_ENOENT, ret, "kasp_db: list keys 1 enoent");
+	is_int(0, list_size(&l), "kasp_db: list keys reports no keys 1");
+	ptrlist_deep_free(&l, NULL);
+
+	ret = kasp_db_share_key(db, zone1, zone2, params1.id);
+	is_int(KNOT_EOK, ret, "kasp_db: share key eok");
+
+	ret = kasp_db_list_keys(db, zone2, &l);
+	is_int(KNOT_EOK, ret, "kasp_db: list keys 3 eok");
+	is_int(1, list_size(&l), "kasp_db: list keys reports one key 2");
+	params = ((ptrnode_t *)HEAD(l))->d;
+	free_params
+	ptrlist_deep_free(&l, NULL);
+
+	ret = kasp_db_add_key(db, zone2, &params2);
+	is_int(KNOT_EOK, ret, "kasp_db: add key 2 eok");
+
+	ret = kasp_db_list_keys(db, zone2, &l);
+	is_int(KNOT_EOK, ret, "kasp_db: list keys 4 eok");
+	is_int(2, list_size(&l), "kasp_db: list keys reports two keys 1");
+	params = ((ptrnode_t *)TAIL(l))->d;
+	ok(params_eq(params, &params2), "kasp_db: key params equal 2");
+	free_params
+	params = ((ptrnode_t *)HEAD(l))->d;
+	free_params
+	ptrlist_deep_free(&l, NULL);
+
+	ret = kasp_db_delete_key(db, zone1, params1.id, &ignore);
+	is_int(KNOT_EOK, ret, "kasp_db: delete key 1 eok");
+
+	ret = kasp_db_list_keys(db, zone1, &l);
+	is_int(KNOT_ENOENT, ret, "kasp_db: list keys 2 enoent");
+	is_int(list_size(&l), 0, "kasp_db: list keys reports no keys 2");
+	ptrlist_deep_free(&l, NULL);
+
+	dnssec_binary_t salt1 = { 500, (uint8_t *)CHARS500_1 }, salt2 = { 0 };
+	knot_time_t time = 0;
+	ret = kasp_db_store_nsec3salt(db, zone1, &salt1, 1234);
+	is_int(KNOT_EOK, ret, "kasp_db: store nsec3salt");
+	ret = kasp_db_load_nsec3salt(db, zone1, &salt2, &time);
+	is_int(KNOT_EOK, ret, "kasp_db: load nsec3salt");
+	is_int(1234, time, "kasp_db: salt_created preserved");
+	is_int(0, dnssec_binary_cmp(&salt1, &salt2), "kasp_db: salt preserved");
+	dnssec_binary_free(&salt2);
+	salt1.size = 0;
+	ret = kasp_db_store_nsec3salt(db, zone2, &salt1, 0);
+	is_int(KNOT_EOK, ret, "kasp_db: store empty nsec3salt");
+	ret = kasp_db_load_nsec3salt(db, zone2, &salt2, &time);
+	is_int(KNOT_EOK, ret, "kasp_db: load empty nsec3salt");
+	is_int(0, time, "kasp_db: empty salt_created preserved");
+	is_int(0, salt2.size, "kasp_db: empty salt preserved");
+	dnssec_binary_free(&salt2);
+
+	ret = kasp_db_delete_all(db, zone2);
+	is_int(KNOT_EOK, ret, "kasp_db: delete all");
+	ret = kasp_db_list_keys(db, zone2, &l);
+	is_int(KNOT_ENOENT, ret, "kasp_db: delete all deleted keys");
+	ret = kasp_db_load_nsec3salt(db, zone2, &salt2, &time);
+	is_int(KNOT_ENOENT, ret, "kasp_db: delete all removed nsec3salt");
+	dnssec_binary_free(&salt2);
+
+	ret = kasp_db_store_serial(db, zone2, KASPDB_SERIAL_MASTER, 1);
+	is_int(KNOT_EOK, ret, "kasp_db: store master_serial");
+	ret = kasp_db_store_serial(db, zone2, KASPDB_SERIAL_LASTSIGNED, 2);
+	is_int(KNOT_EOK, ret, "kasp_db: store lastsigned_serial");
+	uint32_t serial = 0;
+	ret = kasp_db_load_serial(db, zone2, KASPDB_SERIAL_MASTER, &serial);
+	is_int(KNOT_EOK, ret, "kasp_db: load master_serial");
+	is_int(1, serial, "kasp_db: master_serial preserved");
+	ret = kasp_db_load_serial(db, zone2, KASPDB_SERIAL_LASTSIGNED, &serial);
+	is_int(KNOT_EOK, ret, "kasp_db: load lastsigned_serial");
+	is_int(2, serial, "kasp_db: lastsigned_serial preserved");
+
+	ret = kasp_db_add_key(db, zone1, &params1);
+	ok(ret == KNOT_EOK, "kasp_db: add key1");
+	ret = kasp_db_add_key(db, zone2, &params2);
+	ok(ret == KNOT_EOK, "kasp_db: add key2");
+
+	ret = kasp_db_set_policy_last(db, "policy1", NULL, zone1, params1.id);
+	is_int(KNOT_EOK, ret, "kasp_db: set policylast");
+	knot_dname_t *zoneX;
+	char *keyidX;
+	ret = kasp_db_get_policy_last(db, "policy1", &zoneX, &keyidX);
+	is_int(KNOT_EOK, ret, "kasp_db: get policylast");
+	ok(knot_dname_cmp(zoneX, zone1) == 0 && keyidX != NULL &&
+	   strcmp(keyidX, params1.id) == 0, "kasp_db: policy last preserved");
+	free(zoneX);
+	free(keyidX);
+	ret = kasp_db_set_policy_last(db, "policy1", params1.id, zone2, params2.id);
+	is_int(KNOT_EOK, ret, "kasp_db: reset policylast");
+	ret = kasp_db_get_policy_last(db, "policy1", &zoneX, &keyidX);
+	is_int(KNOT_EOK, ret, "kasp_db: reget policylast");
+	ok(knot_dname_cmp(zoneX, zone2) == 0 && keyidX != NULL &&
+	   strcmp(keyidX, params2.id) == 0, "kasp_db: policy last represerved");
+	free(zoneX);
+	free(keyidX);
+	ret = kasp_db_set_policy_last(db, "policy1", params1.id, zone1, params1.id);
+	is_int(KNOT_ESEMCHECK, ret, "kasp_db: refused policylast with wrong keyid");
+	ret = kasp_db_get_policy_last(db, "policy1", &zoneX, &keyidX);
+	is_int(KNOT_EOK, ret, "kasp_db: reget policylast2");
+	ok(knot_dname_cmp(zoneX, zone2) == 0 && keyidX != NULL &&
+	   strcmp(keyidX, params2.id) == 0, "kasp_db: policy last represerved2");
+	free(zoneX);
+	free(keyidX);
+
+	knot_time_t two = 2;
+	key_records_t kr;
+	init_key_records(&kr);
+	ret = kasp_db_store_offline_records(db, 1, &kr);
+	is_int(KNOT_EOK, ret, "kasp_db: store key records");
+	//key_records_clear_rdatasets(&kr);
+	ret = kasp_db_load_offline_records(db, zone1, &two, &time, &kr);
+	is_int(KNOT_EOK, ret, "kasp_db: load key records");
+	ok(kr.cds.type == KNOT_RRTYPE_CDS && kr.rrsig.rrs.count == 1, "kasp_db: key records ok");
+	is_int(0, time, "kasp_db: no next key records");
+	key_records_clear(&kr);
+	ret = kasp_db_delete_offline_records(db, zone1, 1, 3);
+	is_int(KNOT_EOK, ret, "kasp_db: delete key records");
+	ret = kasp_db_load_offline_records(db, zone1, &two, &time, &kr);
+	is_int(KNOT_ENOENT, ret, "kasp_db: no more key records");
+
+	knot_lmdb_deinit(db);
+
+	test_rm_rf(test_dir_name);
+	free(test_dir_name);
+
+	return 0;
+}
diff --git a/tests/knot/test_node.c b/tests/knot/test_node.c
new file mode 100644
index 0000000..e8c6cdb
--- /dev/null
+++ b/tests/knot/test_node.c
@@ -0,0 +1,128 @@
+/*  Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <assert.h>
+#include <tap/basic.h>
+
+#include "knot/zone/node.h"
+#include "libknot/libknot.h"
+
+static knot_rrset_t *create_dummy_rrset(const knot_dname_t *owner, uint16_t type)
+{
+	knot_rrset_t *r = knot_rrset_new(owner, type, KNOT_CLASS_IN, 3600, NULL);
+	assert(r);
+	uint8_t wire[16] = { 0 };
+	memcpy(wire, "testtest", strlen("testtest"));
+	int ret = knot_rrset_add_rdata(r, wire, strlen("testtest"), NULL);
+	assert(ret == KNOT_EOK);
+	(void)ret;
+	return r;
+}
+
+static knot_rrset_t *create_dummy_rrsig(const knot_dname_t *owner, uint16_t type)
+{
+	knot_rrset_t *r = knot_rrset_new(owner, KNOT_RRTYPE_RRSIG, KNOT_CLASS_IN,
+	                                 3600, NULL);
+	assert(r);
+	uint8_t wire[sizeof(uint16_t)];
+	knot_wire_write_u16(wire, type);
+	int ret = knot_rrset_add_rdata(r, wire, sizeof(uint16_t), NULL);
+	assert(ret == KNOT_EOK);
+	(void)ret;
+	return r;
+}
+
+int main(int argc, char *argv[])
+{
+	plan_lazy();
+
+	knot_dname_t *dummy_owner = knot_dname_from_str_alloc("test.");
+	// Test new
+	zone_node_t *node = node_new(dummy_owner, false, false, NULL);
+	ok(node != NULL, "Node: new");
+	assert(node);
+	ok(knot_dname_is_equal(node->owner, dummy_owner), "Node: new - set fields");
+
+	// Test RRSet addition
+	knot_rrset_t *dummy_rrset = create_dummy_rrset(dummy_owner, KNOT_RRTYPE_TXT);
+	int ret = node_add_rrset(node, dummy_rrset, NULL);
+	ok(ret == KNOT_EOK && node->rrset_count == 1 &&
+	   knot_rdataset_eq(&dummy_rrset->rrs, &node->rrs[0].rrs), "Node: add RRSet.");
+
+	// Test RRSet getters
+	knot_rrset_t *n_rrset = node_create_rrset(node, KNOT_RRTYPE_TXT);
+	ok(n_rrset && knot_rrset_equal(n_rrset, dummy_rrset, true),
+	   "Node: create existing RRSet.");
+
+	knot_rrset_free(n_rrset, NULL);
+
+	n_rrset = node_create_rrset(node, KNOT_RRTYPE_SOA);
+	ok(n_rrset == NULL, "Node: create non-existing RRSet.");
+
+	knot_rrset_t stack_rrset = node_rrset(node, KNOT_RRTYPE_TXT);
+	ok(knot_rrset_equal(&stack_rrset, dummy_rrset, true), "Node: get existing RRSet.");
+	stack_rrset = node_rrset(node, KNOT_RRTYPE_SOA);
+	ok(knot_rrset_empty(&stack_rrset), "Node: get non-existent RRSet.");
+
+	knot_rdataset_t *n_rdataset = node_rdataset(node, KNOT_RRTYPE_TXT);
+	ok(n_rdataset && knot_rdataset_eq(n_rdataset, &dummy_rrset->rrs),
+	   "Node: get existing rdataset.");
+	n_rdataset = node_rdataset(node, KNOT_RRTYPE_SOA);
+	ok(n_rdataset == NULL, "Node: get non-existing rdataset.");
+
+	stack_rrset = node_rrset_at(node, 0);
+	ok(knot_rrset_equal(&stack_rrset, dummy_rrset, true),
+	   "Node: get existing position.");
+	stack_rrset = node_rrset_at(node, 1);
+	ok(knot_rrset_empty(&stack_rrset), "Node: get non-existent position.");
+
+	// Test TTL mismatch
+	dummy_rrset->ttl = 1800;
+	ret = node_add_rrset(node, dummy_rrset, NULL);
+	ok(ret == KNOT_ETTL && node->rrset_count == 1,
+	   "Node: add RRSet, TTL mismatch.");
+
+	knot_rrset_free(dummy_rrset, NULL);
+
+	// Test bool functions
+	ok(node_rrtype_exists(node, KNOT_RRTYPE_TXT), "Node: type exists.");
+	ok(!node_rrtype_exists(node, KNOT_RRTYPE_AAAA), "Node: type does not exist.");
+	ok(!node_rrtype_is_signed(node, KNOT_RRTYPE_TXT), "Node: type is not signed.");
+
+	dummy_rrset = create_dummy_rrsig(dummy_owner, KNOT_RRTYPE_TXT);
+	ret = node_add_rrset(node, dummy_rrset, NULL);
+	assert(ret == KNOT_EOK);
+
+	ok(node_rrtype_is_signed(node, KNOT_RRTYPE_TXT), "Node: type is signed.");
+
+	knot_rrset_free(dummy_rrset, NULL);
+
+	// Test remove RRset
+	node_remove_rdataset(node, KNOT_RRTYPE_AAAA);
+	ok(node->rrset_count == 2, "Node: remove non-existent rdataset.");
+	node_remove_rdataset(node, KNOT_RRTYPE_TXT);
+	ok(node->rrset_count == 1, "Node: remove existing rdataset.");
+
+	// "Test" freeing
+	node_free_rrsets(node, NULL);
+	ok(node->rrset_count == 0, "Node: free RRSets.");
+
+	node_free(node, NULL);
+
+	knot_dname_free(dummy_owner, NULL);
+
+	return 0;
+}
diff --git a/tests/knot/test_process_query.c b/tests/knot/test_process_query.c
new file mode 100644
index 0000000..83f62d8
--- /dev/null
+++ b/tests/knot/test_process_query.c
@@ -0,0 +1,201 @@
+/*  Copyright (C) 2022 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <assert.h>
+#include <tap/basic.h>
+#include <tap/files.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "libknot/descriptor.h"
+#include "libknot/packet/wire.h"
+#include "knot/nameserver/process_query.h"
+#include "test_server.h"
+#include "contrib/sockaddr.h"
+#include "contrib/ucw/mempool.h"
+
+/* Basic response check (4 TAP tests). */
+static void answer_sanity_check(const uint8_t *query,
+                                const uint8_t *answer, uint16_t answer_len,
+                                uint8_t expected_rcode, const char *name)
+{
+	ok(answer_len >= KNOT_WIRE_HEADER_SIZE, "ns: len(%s answer) >= DNS header", name);
+	if (answer_len >= KNOT_WIRE_HEADER_SIZE) {
+		ok(knot_wire_get_qr(answer), "ns: %s answer has QR=1", name);
+		is_int(expected_rcode, knot_wire_get_rcode(answer), "ns: %s answer RCODE=%d", name, expected_rcode);
+		is_int(knot_wire_get_id(query), knot_wire_get_id(answer), "ns: %s MSGID match", name);
+	} else {
+		skip_block(3, "ns: can't check DNS header");
+	}
+}
+
+/* Resolve query and check answer for sanity (2 TAP tests). */
+static void exec_query(knot_layer_t *layer, const char *name,
+                       knot_pkt_t *query,
+                       uint8_t expected_rcode)
+{
+	knot_pkt_t *answer = knot_pkt_new(NULL, KNOT_WIRE_MAX_PKTSIZE, NULL);
+	assert(answer);
+
+	/* Input packet. */
+	knot_pkt_parse(query, 0);
+	knot_layer_consume(layer, query);
+
+	ok(layer->state == KNOT_STATE_PRODUCE ||
+	   layer->state == KNOT_STATE_FAIL, "ns: process %s query", name);
+
+	/* Create answer. */
+	knot_layer_produce(layer, answer);
+	if (layer->state == KNOT_STATE_FAIL) {
+		/* Allow 1 generic error response. */
+		knot_layer_produce(layer, answer);
+	}
+
+	ok(layer->state == KNOT_STATE_DONE, "ns: answer %s query", name);
+
+	/* Check answer. */
+	answer_sanity_check(query->wire, answer->wire, answer->size, expected_rcode, name);
+
+	knot_pkt_free(answer);
+}
+
+/* \internal Helpers */
+#define WIRE_COPY(dst, dst_len, src, src_len) \
+	memcpy(dst, src, src_len); \
+	dst_len = src_len;
+
+int main(int argc, char *argv[])
+{
+	plan_lazy();
+
+	knot_mm_t mm;
+	mm_ctx_mempool(&mm, MM_DEFAULT_BLKSIZE);
+
+	/* Create processing context. */
+	knot_layer_t proc;
+	memset(&proc, 0, sizeof(knot_layer_t));
+	knot_layer_init(&proc, &mm, process_query_layer());
+
+	/* Create temporary storage directory. */
+	char *temp_dir = test_mkdtemp();
+	ok(temp_dir != NULL, "make temporary directory");
+
+	/* Create fake server environment. */
+	server_t server;
+	int ret = create_fake_server(&server, proc.mm, temp_dir);
+	is_int(KNOT_EOK, ret, "ns: fake server initialization");
+	if (ret != KNOT_EOK) {
+		goto fatal;
+	}
+
+	zone_t *zone = knot_zonedb_find(server.zone_db, ROOT_DNAME);
+
+	/* Prepare. */
+	knot_pkt_t *query = knot_pkt_new(NULL, KNOT_WIRE_MAX_PKTSIZE, proc.mm);
+
+	/* Create query processing parameter. */
+	struct sockaddr_storage ss;
+	memset(&ss, 0, sizeof(struct sockaddr_storage));
+	sockaddr_set(&ss, AF_INET, "127.0.0.1", 53);
+	knotd_qdata_params_t params = {
+		.proto = KNOTD_QUERY_PROTO_TCP,
+		.remote = &ss,
+		.server = &server
+	};
+
+	/* Query processor (CH zone) */
+	knot_layer_begin(&proc, &params);
+	knot_pkt_clear(query);
+	knot_pkt_put_question(query, IDSERVER_DNAME, KNOT_CLASS_CH, KNOT_RRTYPE_TXT);
+	exec_query(&proc, "CH TXT", query, KNOT_RCODE_NOERROR);
+
+	/* Query processor (valid input). */
+	knot_layer_reset(&proc);
+	knot_pkt_clear(query);
+	knot_pkt_put_question(query, ROOT_DNAME, KNOT_CLASS_IN, KNOT_RRTYPE_SOA);
+	exec_query(&proc, "IN/root", query, KNOT_RCODE_NOERROR);
+
+	/* Query processor (-1 bytes, not enough data). */
+	knot_layer_reset(&proc);
+	query->size -= 1;
+	exec_query(&proc, "IN/few-data", query, KNOT_RCODE_FORMERR);
+	query->size += 1;
+
+	/* Query processor (+1 bytes trailing). */
+	knot_layer_reset(&proc);
+	query->wire[query->size] = '\1'; /* Initialize the "garbage" value. */
+	query->size += 1;
+	exec_query(&proc, "IN/trail-garbage", query, KNOT_RCODE_FORMERR);
+	query->size -= 1;
+
+	/* Forge NOTIFY query from SOA query. */
+	knot_layer_reset(&proc);
+	knot_wire_set_opcode(query->wire, KNOT_OPCODE_NOTIFY);
+	exec_query(&proc, "IN/notify", query, KNOT_RCODE_NOTAUTH);
+
+	/* Forge AXFR query. */
+	knot_layer_reset(&proc);
+	knot_pkt_clear(query);
+	knot_pkt_put_question(query, ROOT_DNAME, KNOT_CLASS_IN, KNOT_RRTYPE_AXFR);
+	exec_query(&proc, "IN/axfr", query, KNOT_RCODE_NOTAUTH);
+
+	/* Forge IXFR query (well formed). */
+	knot_layer_reset(&proc);
+	knot_pkt_clear(query);
+	knot_pkt_put_question(query, ROOT_DNAME, KNOT_CLASS_IN, KNOT_RRTYPE_IXFR);
+	/* Append SOA RR. */
+	knot_rrset_t soa_rr = node_rrset(zone->contents->apex, KNOT_RRTYPE_SOA);
+	knot_pkt_begin(query, KNOT_AUTHORITY);
+	knot_pkt_put(query, KNOT_COMPR_HINT_NONE, &soa_rr, 0);
+	exec_query(&proc, "IN/ixfr", query, KNOT_RCODE_NOTAUTH);
+
+	/* \note Tests below are not possible without proper zone and zone data. */
+	/* #189 Process UPDATE query. */
+	/* #189 Process AXFR client. */
+	/* #189 Process IXFR client. */
+
+	/* Query processor (smaller than DNS header, ignore). */
+	knot_layer_reset(&proc);
+	knot_pkt_clear(query);
+	knot_pkt_put_question(query, ROOT_DNAME, KNOT_CLASS_IN, KNOT_RRTYPE_SOA);
+	size_t orig_query_size = query->size;
+	query->size = KNOT_WIRE_HEADER_SIZE - 1;
+	knot_layer_consume(&proc, query);
+	ok(proc.state == KNOT_STATE_NOOP, "ns: IN/less-than-header query ignored");
+	query->size = orig_query_size;
+
+	/* Query processor (response, ignore). */
+	knot_layer_reset(&proc);
+	knot_wire_set_qr(query->wire);
+	knot_layer_consume(&proc, query);
+	ok(proc.state == KNOT_STATE_NOOP, "ns: IN/less-than-header query ignored");
+
+	/* Finish. */
+	knot_layer_finish(&proc);
+	ok(proc.state == KNOT_STATE_NOOP, "ns: processing end" );
+
+fatal:
+	/* Cleanup. */
+	mp_delete((struct mempool *)mm.ctx);
+	server_deinit(&server);
+	conf_free(conf());
+	test_rm_rf(temp_dir);
+	free(temp_dir);
+
+	return 0;
+}
+
+#undef WIRE_COPY
diff --git a/tests/knot/test_query_module.c b/tests/knot/test_query_module.c
new file mode 100644
index 0000000..4ab14d2
--- /dev/null
+++ b/tests/knot/test_query_module.c
@@ -0,0 +1,87 @@
+/*  Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <tap/basic.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "libknot/libknot.h"
+#include "knot/nameserver/query_module.h"
+#include "libknot/packet/pkt.h"
+
+/* Universal processing stage. */
+unsigned state_visit(unsigned state, knot_pkt_t *pkt, knotd_qdata_t *qdata,
+                     knotd_mod_t *mod)
+{
+	/* Visit current state */
+	bool *state_map = (bool *)mod;
+	state_map[state] = true;
+
+	return state + 1;
+}
+
+int main(int argc, char *argv[])
+{
+	plan_lazy();
+
+	/* Create a map of expected steps. */
+	bool state_map[KNOTD_STAGES] = { false };
+
+	/* Prepare query plan. */
+	struct query_plan *plan = query_plan_create();
+	ok(plan != NULL, "query_plan: create");
+	if (plan == NULL) {
+		goto fatal;
+	}
+
+	/* Register all stage visits. */
+	int ret = KNOT_EOK;
+	for (unsigned stage = KNOTD_STAGE_BEGIN; stage < KNOTD_STAGES; ++stage) {
+		ret = query_plan_step(plan, stage, state_visit, state_map);
+		if (ret != KNOT_EOK) {
+			break;
+		}
+	}
+	is_int(KNOT_EOK, ret, "query_plan: planned all steps");
+
+	/* Execute the plan. */
+	int state = 0, next_state = 0;
+	for (unsigned stage = KNOTD_STAGE_BEGIN; stage < KNOTD_STAGES; ++stage) {
+		struct query_step *step = NULL;
+		WALK_LIST(step, plan->stage[stage]) {
+			next_state = step->process(state, NULL, NULL, step->ctx);
+			if (next_state != state + 1) {
+				break;
+			}
+			state = next_state;
+		}
+	}
+	ok(state == KNOTD_STAGES, "query_plan: executed all steps");
+
+	/* Verify if all steps executed their callback. */
+	for (state = 0; state < KNOTD_STAGES; ++state) {
+		if (state_map[state] == false) {
+			break;
+		}
+	}
+	ok(state == KNOTD_STAGES, "query_plan: executed all callbacks");
+
+fatal:
+	/* Free the query plan. */
+	query_plan_free(plan);
+
+	return 0;
+}
diff --git a/tests/knot/test_requestor.c b/tests/knot/test_requestor.c
new file mode 100644
index 0000000..e0bd360
--- /dev/null
+++ b/tests/knot/test_requestor.c
@@ -0,0 +1,188 @@
+/*  Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <assert.h>
+#include <tap/basic.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+
+#include "libknot/descriptor.h"
+#include "libknot/errcode.h"
+#include "knot/query/layer.h"
+#include "knot/query/requestor.h"
+#include "contrib/mempattern.h"
+#include "contrib/net.h"
+#include "contrib/sockaddr.h"
+#include "contrib/ucw/mempool.h"
+
+bool TFO = false;
+
+/* @note Purpose of this test is not to verify process_answer functionality,
+ *       but simply if the requesting/receiving works, so mirror is okay. */
+static int reset(knot_layer_t *ctx) { return KNOT_STATE_PRODUCE; }
+static int begin(knot_layer_t *ctx, void *module_param) { return reset(ctx); }
+static int finish(knot_layer_t *ctx) { return reset(ctx); }
+static int in(knot_layer_t *ctx, knot_pkt_t *pkt) { return KNOT_STATE_DONE; }
+static int out(knot_layer_t *ctx, knot_pkt_t *pkt) { return KNOT_STATE_CONSUME; }
+
+static const int TIMEOUT = 2000;
+
+/*! \brief Dummy answer processing module. */
+const knot_layer_api_t dummy_module = {
+        &begin, &reset, &finish, &in, &out
+};
+
+static void set_blocking_mode(int sock)
+{
+	int flags = fcntl(sock, F_GETFL);
+	flags &= ~O_NONBLOCK;
+	fcntl(sock, F_SETFL, flags);
+}
+
+static void *responder_thread(void *arg)
+{
+	int fd = *(int *)arg;
+
+	set_blocking_mode(fd);
+	uint8_t buf[KNOT_WIRE_MAX_PKTSIZE] = { 0 };
+	while (true) {
+		int client = accept(fd, NULL, NULL);
+		if (client < 0) {
+			break;
+		}
+		int len = net_dns_tcp_recv(client, buf, sizeof(buf), -1);
+		if (len < KNOT_WIRE_HEADER_SIZE) {
+			close(client);
+			break;
+		}
+		knot_wire_set_qr(buf);
+		net_dns_tcp_send(client, buf, len, -1, NULL);
+		close(client);
+	}
+
+	return NULL;
+}
+
+/* Test implementations. */
+
+static knot_request_t *make_query(knot_requestor_t *requestor,
+                                  const struct sockaddr_storage *dst,
+                                  const struct sockaddr_storage *src)
+{
+	knot_pkt_t *pkt = knot_pkt_new(NULL, KNOT_WIRE_MAX_PKTSIZE, requestor->mm);
+	assert(pkt);
+	static const knot_dname_t *root = (uint8_t *)"";
+	knot_pkt_put_question(pkt, root, KNOT_CLASS_IN, KNOT_RRTYPE_SOA);
+
+	knot_request_flag_t flags = TFO ? KNOT_REQUEST_TFO: KNOT_REQUEST_NONE;
+
+	return knot_request_make(requestor->mm, dst, src, pkt, NULL, flags);
+}
+
+static void test_disconnected(knot_requestor_t *requestor,
+                              const struct sockaddr_storage *dst,
+                              const struct sockaddr_storage *src)
+{
+	knot_request_t *req = make_query(requestor, dst, src);
+	int ret = knot_requestor_exec(requestor, req, TIMEOUT);
+	/* ECONNREFUSED on FreeBSD, ETIMEOUT on NetBSD/OpenBSD/macOS. */
+	ret = (ret == KNOT_ECONNREFUSED || ret == KNOT_ETIMEOUT) ? KNOT_ECONN : ret;
+	is_int(KNOT_ECONN, ret, "requestor: disconnected/exec");
+	knot_request_free(req, requestor->mm);
+
+}
+
+static void test_connected(knot_requestor_t *requestor,
+                           const struct sockaddr_storage *dst,
+                           const struct sockaddr_storage *src)
+{
+	/* Enqueue packet. */
+	knot_request_t *req = make_query(requestor, dst, src);
+	int ret = knot_requestor_exec(requestor, req, TIMEOUT);
+	is_int(KNOT_EOK, ret, "requestor: connected/exec");
+	knot_request_free(req, requestor->mm);
+}
+
+int main(int argc, char *argv[])
+{
+#if defined(__linux__)
+	FILE *fd = fopen("/proc/sys/net/ipv4/tcp_fastopen", "r");
+	if (fd != NULL) {
+		int val = fgetc(fd);
+		fclose(fd);
+		// 0 - disabled, 1 - server TFO (client fallbacks),
+		// 2 - client TFO, 3 - both
+		if (val == '1' || val == '3') {
+			TFO = true;
+		}
+	}
+#endif
+	plan_lazy();
+
+	knot_mm_t mm;
+	mm_ctx_mempool(&mm, MM_DEFAULT_BLKSIZE);
+
+	/* Initialize requestor. */
+	knot_requestor_t requestor;
+	knot_requestor_init(&requestor, &dummy_module, NULL, &mm);
+
+	/* Define endpoints. */
+	struct sockaddr_storage client = { 0 };
+	sockaddr_set(&client, AF_INET, "127.0.0.1", 0);
+	struct sockaddr_storage server = { 0 };
+	sockaddr_set(&server, AF_INET, "127.0.0.1", 0);
+
+	/* Bind to random port. */
+	int responder_fd = net_bound_socket(SOCK_STREAM, &server, 0, 0);
+	assert(responder_fd >= 0);
+	socklen_t addr_len = sockaddr_len(&server);
+	int ret = getsockname(responder_fd, (struct sockaddr *)&server, &addr_len);
+	ok(ret == 0, "check getsockname return");
+
+	/* Test requestor in disconnected environment. */
+	test_disconnected(&requestor, &server, &client);
+
+	/* Start responder. */
+	ret = listen(responder_fd, 10);
+	ok(ret == 0, "check listen return");
+
+	if (TFO) {
+		ret = net_bound_tfo(responder_fd, 10);
+		ok(ret == KNOT_EOK, "check bound TFO return");
+	}
+
+	pthread_t thread;
+	pthread_create(&thread, 0, responder_thread, &responder_fd);
+
+	/* Test requestor in connected environment. */
+	test_connected(&requestor, &server, &client);
+
+	/* Terminate responder. */
+	int conn = net_connected_socket(SOCK_STREAM, &server, NULL, false);
+	assert(conn > 0);
+	conn = net_dns_tcp_send(conn, (uint8_t *)"", 1, TIMEOUT, NULL);
+	assert(conn > 0);
+	pthread_join(thread, NULL);
+	close(responder_fd);
+
+	/* Cleanup. */
+	mp_delete((struct mempool *)mm.ctx);
+
+	return 0;
+}
diff --git a/tests/knot/test_semantic_check.in b/tests/knot/test_semantic_check.in
new file mode 100644
index 0000000..dc29f0a
--- /dev/null
+++ b/tests/knot/test_semantic_check.in
@@ -0,0 +1,169 @@
+#!/bin/sh
+
+KZONECHECK="@top_builddir@/src/kzonecheck"
+DATA="@top_srcdir@/tests/knot/semantic_check_data"
+
+. "@top_srcdir@/tests/tap/libtap.sh"
+
+TMPDIR=$(test_tmpdir)
+LOG="$TMPDIR/log"
+
+# Params: zonefile fatal_error expected_erros_count semcheck_err_msg
+expect_error()
+{
+	if [ ! -r "$DATA/$1" ]; then
+		skip_block 4 "missing zone file for test"
+		return
+	fi
+
+	"$KZONECHECK" -o example.com "$DATA/$1" > "$LOG"
+	ok "$1 - check program return" test $? -eq 1
+
+	fatal=$(grep -E "^Serious semantic error detected" $LOG | wc -l)
+	ok "$1 - check fatal" test $fatal -eq $2
+
+	errors=$(grep -E "^\[.+\] $4" $LOG | wc -l)
+	ok "$1 - check errors" test $errors -eq $3
+	if [ $errors != $3 ]; then
+		diag "expected errors $3 but found $errors"
+	fi
+}
+
+#param zonefile
+test_correct()
+{
+	$KZONECHECK -o example.com "$DATA/$1" > /dev/null
+	ok "$1 - correct zone, without error" test $? -eq 0
+}
+
+#param zonefile
+test_correct_no_dnssec()
+{
+	$KZONECHECK -o example.com -d off "$DATA/$1" > /dev/null
+	ok "$1 - correct zone, without error" test $? -eq 0
+}
+
+if [ ! -x $KZONECHECK ]; then
+	skip_all "kzonecheck is missing or is not executable"
+fi
+
+# error messages exported from knot/src/zone/semantic-check.c
+CDNSKEY_NONE="missing CDNSKEY"
+CDNSKEY_NO_CDS="CDNSKEY without corresponding CDS"
+CDNSKEY_DELETE="invalid CDNSKEY/CDS for DNSSEC delete algorithm"
+CDS_NONE="missing CDS"
+CDS_NOT_MATCH="CDS not match CDNSKEY"
+CNAME_EXTRA_RECORDS="another record exists beside CNAME"
+CNAME_MULTIPLE="multiple CNAME records"
+DNAME_CHILDREN="child record exists under DNAME"
+DNAME_MULTIPLE="multiple DNAME records"
+DNAME_EXTRA_NS="NS record exists beside DNAME"
+DNSKEY_INVALID="invalid DNSKEY"
+DS_ALG="invalid algorithm in DS"
+NSEC3PARAM_FLAGS="invalid flags in NSEC3PARAM"
+NSEC_NONE="missing NSEC\(3\) record"
+NSEC_RDATA_BITMAP="wrong NSEC\(3\) bitmap"
+NSEC_RDATA_CHAIN="inconsistent NSEC\(3\) chain"
+NSEC3_INSECURE_DELEGATION_OPT="wrong NSEC3 opt-out"
+NS_APEX="missing NS at the zone apex"
+NS_GLUE="missing glue record"
+RRSIG_UNVERIFIABLE="no valid signature for a record"
+
+plan_lazy
+
+expect_error "cname_extra_01.zone"   1 1 "$CNAME_EXTRA_RECORDS"
+expect_error "cname_extra_02.signed" 1 1 "$CNAME_EXTRA_RECORDS"
+expect_error "cname_multiple.zone"   1 1 "$CNAME_MULTIPLE"
+expect_error "dname_children.zone"   1 1 "$DNAME_CHILDREN"
+expect_error "dname_multiple.zone"   1 1 "$DNAME_MULTIPLE"
+expect_error "dname_extra_ns.zone"   1 1 "$DNAME_EXTRA_NS"
+
+expect_error "ns_apex.missing" 0 1 "$NS_APEX"
+expect_error "glue_apex_both.missing" 0 2 "$NS_GLUE"
+expect_error "glue_apex_one.missing" 0 1 "$NS_GLUE"
+expect_error "glue_besides.missing" 0 1 "$NS_GLUE"
+expect_error "glue_deleg.missing" 0 1 "$NS_GLUE"
+expect_error "glue_in_apex.missing" 0 1 "$NS_GLUE"
+expect_error "different_signer_name.signed" 0 1 "$RRSIG_UNVERIFIABLE"
+expect_error "no_rrsig.signed" 0 1 "$RRSIG_UNVERIFIABLE"
+expect_error "no_rrsig_with_delegation.signed" 0 1 "$RRSIG_UNVERIFIABLE"
+expect_error "nsec_broken_chain_01.signed" 0 1 "$NSEC_RDATA_CHAIN"
+expect_error "nsec_broken_chain_02.signed" 0 1 "$NSEC_RDATA_CHAIN"
+expect_error "nsec_missing.signed" 0 1 "$NSEC_NONE"
+expect_error "nsec_multiple.signed" 0 1 "$NSEC_NONE"
+expect_error "nsec_wrong_bitmap_01.signed" 0 1 "$NSEC_RDATA_BITMAP"
+expect_error "nsec_wrong_bitmap_02.signed" 0 1 "$NSEC_RDATA_BITMAP"
+expect_error "nsec3_missing.signed" 0 1 "$NSEC_NONE"
+expect_error "nsec3_optout_ent.invalid" 0 1 "$NSEC_NONE"
+expect_error "nsec3_wrong_bitmap_01.signed" 0 1 "$NSEC_RDATA_BITMAP"
+expect_error "nsec3_wrong_bitmap_02.signed" 0 1 "$NSEC_RDATA_BITMAP"
+expect_error "nsec3_ds.signed" 0 1 "$NSEC_NONE"
+expect_error "nsec3_optout.signed" 0 1 "$NSEC3_INSECURE_DELEGATION_OPT"
+expect_error "nsec3_chain_01.signed" 0 1 "$NSEC_RDATA_CHAIN"
+expect_error "nsec3_chain_02.signed" 0 1 "$NSEC_RDATA_CHAIN"
+expect_error "nsec3_chain_03.signed" 0 1 "$NSEC_RDATA_CHAIN"
+expect_error "nsec3_param_invalid.signed" 0 1 "$NSEC_NONE"
+expect_error "nsec3_param_invalid.signed" 0 1 "$NSEC3PARAM_FLAGS"
+expect_error "rrsig_signed.signed" 0 1 "$RRSIG_UNVERIFIABLE"
+expect_error "rrsig_rdata_ttl.signed" 0 1 "$RRSIG_UNVERIFIABLE"
+expect_error "duplicate.signature" 0 1 "$RRSIG_UNVERIFIABLE"
+expect_error "missing.signed" 0 1 "$NSEC_NONE"
+expect_error "dnskey_param_error.signed" 0 1 "$DNSKEY_INVALID"
+expect_error "invalid_ds.signed" 0 2 "$DS_ALG \(keytag 60485\)"
+expect_error "cdnskey.invalid" 0 1 "$CDS_NOT_MATCH"
+expect_error "cdnskey.invalid.param" 0 1 "$CDS_NOT_MATCH"
+expect_error "cdnskey.nocds" 0 1 "$CDS_NONE"
+expect_error "cdnskey.nocdnskey" 0 1 "$CDNSKEY_NONE"
+expect_error "cdnskey.nodnskey" 0 1 "$CDNSKEY_NOT_MATCH"
+expect_error "cdnskey.orphan.cds" 0 1 "$CDS_NOT_MATCH"
+expect_error "cdnskey.orphan.cdnskey" 0 1 "$CDNSKEY_NO_CDS"
+expect_error "cdnskey.delete.invalid.cds" 0 1 "$CDNSKEY_DELETE"
+expect_error "cdnskey.delete.invalid.cdnskey" 0 1 "$CDNSKEY_DELETE"
+expect_error "delegation.signed" 0 1 "$NSEC_RDATA_BITMAP"
+
+test_correct "rrsig_ttl.signed"
+test_correct "no_error_delegation_bitmap.signed"
+test_correct "no_error_nsec3_optout.signed"
+test_correct "glue_wildcard.valid"
+test_correct "glue_no_foreign.valid"
+test_correct "glue_in_deleg.valid"
+test_correct "cdnskey.cds"
+test_correct "cdnskey.delete.both"
+test_correct "dname_apex_nsec3.signed"
+test_correct "nsec3_optout_ent.valid"
+test_correct "nsec3_optout_ent.all"
+
+test_correct_no_dnssec "no_rrsig.signed"
+test_correct_no_dnssec "no_rrsig_with_delegation.signed"
+test_correct_no_dnssec "nsec_broken_chain_01.signed"
+test_correct_no_dnssec "nsec_broken_chain_02.signed"
+test_correct_no_dnssec "nsec_missing.signed"
+test_correct_no_dnssec "nsec_multiple.signed"
+test_correct_no_dnssec "nsec_wrong_bitmap_01.signed"
+test_correct_no_dnssec "nsec_wrong_bitmap_02.signed"
+test_correct_no_dnssec "nsec3_missing.signed"
+test_correct_no_dnssec "nsec3_wrong_bitmap_01.signed"
+test_correct_no_dnssec "nsec3_wrong_bitmap_02.signed"
+test_correct_no_dnssec "nsec3_ds.signed"
+test_correct_no_dnssec "nsec3_optout.signed"
+test_correct_no_dnssec "nsec3_chain_01.signed"
+test_correct_no_dnssec "nsec3_chain_02.signed"
+test_correct_no_dnssec "nsec3_chain_03.signed"
+test_correct_no_dnssec "nsec3_param_invalid.signed"
+test_correct_no_dnssec "rrsig_signed.signed"
+test_correct_no_dnssec "rrsig_rdata_ttl.signed"
+test_correct_no_dnssec "duplicate.signature"
+test_correct_no_dnssec "missing.signed"
+test_correct_no_dnssec "dnskey_param_error.signed"
+test_correct_no_dnssec "cdnskey.invalid"
+test_correct_no_dnssec "cdnskey.invalid.param"
+test_correct_no_dnssec "cdnskey.nocds"
+test_correct_no_dnssec "cdnskey.nocdnskey"
+test_correct_no_dnssec "cdnskey.nodnskey"
+test_correct_no_dnssec "cdnskey.orphan.cds"
+test_correct_no_dnssec "cdnskey.orphan.cdnskey"
+test_correct_no_dnssec "cdnskey.delete.invalid.cds"
+test_correct_no_dnssec "cdnskey.delete.invalid.cdnskey"
+test_correct_no_dnssec "delegation.signed"
+
+rm $LOG
diff --git a/tests/knot/test_server.c b/tests/knot/test_server.c
new file mode 100644
index 0000000..bde3d10
--- /dev/null
+++ b/tests/knot/test_server.c
@@ -0,0 +1,72 @@
+/*  Copyright (C) 2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <signal.h>
+#include <tap/basic.h>
+#include "knot/server/server.h"
+#include "test_conf.h"
+
+// Signal handler
+static void interrupt_handle(int s)
+{
+}
+
+/*! API: run tests. */
+int main(int argc, char *argv[])
+{
+	plan(2);
+
+	server_t server;
+	int ret = 0;
+
+	/* Some random configuration just to apply the default conf schema */
+	ret = test_conf("", NULL);
+	assert(ret == KNOT_EOK);
+
+	/* Register service and signal handler */
+	struct sigaction sa;
+	sa.sa_handler = interrupt_handle;
+	sigemptyset(&sa.sa_mask);
+	sa.sa_flags = 0;
+	sigaction(SIGALRM, &sa, NULL); // Interrupt
+
+	/* Test server for correct initialization */
+	ret = server_init(&server, 1);
+	is_int(KNOT_EOK, ret, "server: initialized");
+	if (ret != KNOT_EOK) {
+		return 1;
+	}
+
+	/* Test server startup */
+	ret = server_start(&server, false);
+	is_int(KNOT_EOK, ret, "server: started ok");
+	if (ret != KNOT_EOK) {
+	        return 1;
+	}
+
+	server_stop(&server);
+
+	/* Wait for server to finish. */
+	server_wait(&server);
+
+	/* Destroy the server structure. */
+	server_deinit(&server);
+
+	/* Remove the configuration. */
+        conf_free(conf());
+
+	return 0;
+}
diff --git a/tests/knot/test_server.h b/tests/knot/test_server.h
new file mode 100644
index 0000000..d68561d
--- /dev/null
+++ b/tests/knot/test_server.h
@@ -0,0 +1,100 @@
+/*  Copyright (C) 2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#pragma once
+
+#include "test_conf.h"
+#include "knot/server/server.h"
+#include "knot/zone/adjust.h"
+#include "contrib/mempattern.h"
+
+/* Some domain names. */
+#define ROOT_DNAME ((const uint8_t *)"")
+#define EXAMPLE_DNAME ((const uint8_t *)"\x7""example")
+#define IDSERVER_DNAME ((const uint8_t *)"\2""id""\6""server")
+
+/* Create fake root zone. */
+static inline void create_root_zone(server_t *server, knot_mm_t *mm)
+{
+	/* SOA RDATA. */
+	#define SOA_RDLEN 30
+	static const uint8_t SOA_RDATA[SOA_RDLEN] = {
+	        0x02, 'n', 's', 0x00,          /* ns. */
+	        0x04, 'm', 'a', 'i', 'l', 0x00,/* mail. */
+	        0x77, 0xdf, 0x1e, 0x63,        /* serial */
+	        0x00, 0x01, 0x51, 0x80,        /* refresh */
+	        0x00, 0x00, 0x1c, 0x20,        /* retry */
+	        0x00, 0x0a, 0x8c, 0x00,        /* expire */
+	        0x00, 0x00, 0x0e, 0x10         /* min ttl */
+	};
+
+	/* Insert root zone. */
+	zone_t *root = zone_new(ROOT_DNAME);
+	root->server = server;
+	root->contents = zone_contents_new(root->name, true);
+
+	knot_rrset_t *soa = knot_rrset_new(root->name, KNOT_RRTYPE_SOA, KNOT_CLASS_IN,
+	                                   7200, mm);
+	knot_rrset_add_rdata(soa, SOA_RDATA, SOA_RDLEN, mm);
+	node_add_rrset(root->contents->apex, soa, NULL);
+	knot_rrset_free(soa, mm);
+
+	/* Bake the zone. */
+	(void)zone_adjust_full(root->contents, 1);
+
+	/* Switch zone db. */
+	knot_zonedb_free(&server->zone_db);
+	server->zone_db = knot_zonedb_new();
+	knot_zonedb_insert(server->zone_db, root);
+}
+
+/* Create fake server. */
+static inline int create_fake_server(server_t *server, knot_mm_t *mm, const char *db_storage)
+{
+	int ret;
+
+	/* Create test configuration. */
+	/* String `db_storage' obtained from test_mkdtemp() may be up to 4096 bytes. */
+	char conf_str[4096 + 512];
+	(void)snprintf(conf_str, sizeof(conf_str),
+		"server:\n"
+		"    identity: bogus.ns\n"
+		"    version: 0.11\n"
+		"    nsid: \n"
+		"database:\n"
+		"    storage: %s\n"
+		"zone:\n"
+		"  - domain: .\n"
+		"    zonefile-sync: -1\n",
+		db_storage);
+
+	/* Load test configuration. */
+	ret = test_conf(conf_str, NULL);
+	if (ret != KNOT_EOK) {
+		return ret;
+	}
+
+	/* Create name server. */
+	ret = server_init(server, 1);
+	if (ret != KNOT_EOK) {
+		return ret;
+	}
+
+	/* Insert root zone. */
+	create_root_zone(server, mm);
+
+	return KNOT_EOK;
+}
diff --git a/tests/knot/test_unreachable.c b/tests/knot/test_unreachable.c
new file mode 100644
index 0000000..826544d
--- /dev/null
+++ b/tests/knot/test_unreachable.c
@@ -0,0 +1,59 @@
+/*  Copyright (C) 2022 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <tap/basic.h>
+
+#include "knot/common/unreachable.h"
+
+#include "contrib/sockaddr.h"
+
+#define UR_TEST_ADDRS 32
+struct sockaddr_storage ur_test_addrs[UR_TEST_ADDRS] = { { 0 } };
+struct sockaddr_storage ur_test_via[2] = { { 0 } };
+
+int main(int argc, char *argv[])
+{
+	plan_lazy();
+
+	global_unreachables = knot_unreachables_init(10);
+	ok(global_unreachables != NULL, "unreachables: init");
+
+	// ur_test_via[0] left empty - AF_UNSPEC
+	sockaddr_set(&ur_test_via[1], AF_INET6, "::1", 0);
+
+	for (int i = 0; i < UR_TEST_ADDRS; i++) {
+		struct sockaddr_storage *s = &ur_test_addrs[i];
+		sockaddr_set(s, AF_INET6, "::2", i + 1);
+		struct sockaddr_storage *via = &ur_test_via[i % 2];
+		struct sockaddr_storage *not_via = &ur_test_via[1 - i % 2];
+
+		ok(!knot_unreachable_is(global_unreachables, s, via), "unreachables: pre[%d]", i);
+		knot_unreachable_add(global_unreachables, s, via);
+		ok(knot_unreachable_is(global_unreachables, s, via), "unreachables: post[%d]", i);
+		ok(!knot_unreachable_is(global_unreachables, s, not_via), "unreachables: via[%d]", i);
+
+		usleep(1000);
+		if (i >= 10) {
+			ok(!knot_unreachable_is(global_unreachables, &ur_test_addrs[i - 10], via),
+			   "unreachables: expired[%d]", i - 10);
+		}
+	}
+
+	knot_unreachables_deinit(&global_unreachables);
+	ok(global_unreachables == NULL, "unreachables: deinit");
+
+	return 0;
+}
diff --git a/tests/knot/test_worker_pool.c b/tests/knot/test_worker_pool.c
new file mode 100644
index 0000000..59dee36
--- /dev/null
+++ b/tests/knot/test_worker_pool.c
@@ -0,0 +1,152 @@
+/*  Copyright (C) 2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <tap/basic.h>
+
+#include <errno.h>
+#include <pthread.h>
+#include <sched.h>
+#include <signal.h>
+#include <time.h>
+
+#include "knot/worker/pool.h"
+#include "knot/worker/queue.h"
+
+#define THREADS 4
+#define TASKS_BATCH 40
+
+/*!
+ * Task execution log.
+ */
+typedef struct task_log {
+	pthread_mutex_t mx;
+	unsigned executed;
+} task_log_t;
+
+/*!
+ * Get number of executed tasks and clear.
+ */
+static unsigned executed_reset(task_log_t *log)
+{
+	pthread_mutex_lock(&log->mx);
+	unsigned result = log->executed;
+	log->executed = 0;
+	pthread_mutex_unlock(&log->mx);
+
+	return result;
+}
+
+/*!
+ * Simple task, just increases the counter in the log.
+ */
+static void task_counting(worker_task_t *task)
+{
+	task_log_t *log = task->ctx;
+
+	pthread_mutex_lock(&log->mx);
+	log->executed += 1;
+	pthread_mutex_unlock(&log->mx);
+}
+
+static void interrupt_handle(int s)
+{
+}
+
+int main(void)
+{
+	plan_lazy();
+
+	struct sigaction sa;
+	sa.sa_handler = interrupt_handle;
+	sigemptyset(&sa.sa_mask);
+	sa.sa_flags = 0;
+	sigaction(SIGALRM, &sa, NULL); // Interrupt
+
+	// create pool
+
+	worker_pool_t *pool = worker_pool_create(THREADS);
+	ok(pool != NULL, "create worker pool");
+	if (!pool) {
+		return 1;
+	}
+
+	task_log_t log = {
+		.mx = PTHREAD_MUTEX_INITIALIZER,
+	};
+
+	// schedule jobs while pool is stopped
+
+	worker_task_t task = { .run = task_counting, .ctx = &log };
+	for (int i = 0; i < TASKS_BATCH; i++) {
+		worker_pool_assign(pool, &task);
+	}
+
+	sched_yield();
+	ok(executed_reset(&log) == 0, "executed count before start");
+
+	// start and wait for finish
+
+	worker_pool_start(pool);
+	worker_pool_wait(pool);
+	ok(executed_reset(&log) == TASKS_BATCH, "executed count after start");
+
+	// add additional jobs while pool is running
+
+	for (int i = 0; i < TASKS_BATCH; i++) {
+		worker_pool_assign(pool, &task);
+	}
+
+	worker_pool_wait(pool);
+	ok(executed_reset(&log) == TASKS_BATCH, "executed count after add");
+
+	// temporary suspension
+
+	worker_pool_suspend(pool);
+
+	for (int i = 0; i < TASKS_BATCH; i++) {
+		worker_pool_assign(pool, &task);
+	}
+
+	sched_yield();
+	ok(executed_reset(&log) == 0, "executed count after suspend");
+
+	worker_pool_resume(pool);
+	worker_pool_wait(pool);
+	ok(executed_reset(&log) == TASKS_BATCH, "executed count after resume");
+
+	// try clean
+
+	pthread_mutex_lock(&log.mx);
+	for (int i = 0; i < THREADS + TASKS_BATCH; i++) {
+		worker_pool_assign(pool, &task);
+	}
+	sched_yield();
+	worker_pool_clear(pool);
+	pthread_mutex_unlock(&log.mx);
+
+	worker_pool_wait(pool);
+	ok(executed_reset(&log) <= THREADS, "executed count after clear");
+
+	// cleanup
+
+	worker_pool_stop(pool);
+	worker_pool_join(pool);
+	worker_pool_destroy(pool);
+
+	pthread_mutex_destroy(&log.mx);
+
+	return 0;
+}
diff --git a/tests/knot/test_worker_queue.c b/tests/knot/test_worker_queue.c
new file mode 100644
index 0000000..2d20afd
--- /dev/null
+++ b/tests/knot/test_worker_queue.c
@@ -0,0 +1,57 @@
+/*  Copyright (C) 2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <tap/basic.h>
+
+#include "knot/worker/queue.h"
+
+int main(void)
+{
+	plan_lazy();
+
+	worker_task_t task_one = { 0 };
+	worker_task_t task_two = { 0 };
+	worker_task_t task_three = { 0 };
+
+	// init
+
+	worker_queue_t queue;
+	worker_queue_init(&queue);
+	ok(1, "queue init");
+
+	// enqueue
+
+	worker_queue_enqueue(&queue, &task_one);
+	ok(1, "enqueue first");
+	worker_queue_enqueue(&queue, &task_two);
+	ok(1, "enqueue second");
+
+	// dequeue
+
+	ok(worker_queue_dequeue(&queue) == &task_one, "dequeue first");
+	ok(worker_queue_dequeue(&queue) == &task_two, "dequeue second");
+	ok(worker_queue_dequeue(&queue) == NULL, "dequeue from empty");
+
+	// deinit
+
+	worker_queue_enqueue(&queue, &task_three);
+	ok(1, "enqueue third");
+
+	worker_queue_deinit(&queue);
+	ok(1, "queue deinit");
+
+	return 0;
+}
diff --git a/tests/knot/test_zone-tree.c b/tests/knot/test_zone-tree.c
new file mode 100644
index 0000000..59207ae
--- /dev/null
+++ b/tests/knot/test_zone-tree.c
@@ -0,0 +1,135 @@
+/*  Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <stdlib.h>
+#include <tap/basic.h>
+
+#include "libknot/errcode.h"
+#include "knot/zone/zone-tree.h"
+
+#define NCOUNT 4
+static knot_dname_t* NAME[NCOUNT];
+static zone_node_t NODEE[NCOUNT];
+static knot_dname_t* ORDER[NCOUNT];
+static void ztree_init_data(void)
+{
+	NAME[0] = knot_dname_from_str_alloc(".");
+	NAME[1] = knot_dname_from_str_alloc("master.ac.");
+	NAME[2] = knot_dname_from_str_alloc("ac.");
+	NAME[3] = knot_dname_from_str_alloc("ns.");
+
+	knot_dname_t *order[NCOUNT] = {
+	        NAME[0], NAME[2], NAME[1], NAME[3]
+	};
+	memcpy(ORDER, order, NCOUNT * sizeof(knot_dname_t*));
+
+	for (unsigned i = 0; i < NCOUNT; ++i) {
+		memset(NODEE + i, 0, sizeof(zone_node_t));
+		NODEE[i].owner = NAME[i];
+		NODEE[i].prev = NODEE + ((NCOUNT + i - 1) % NCOUNT);
+		NODEE[i].rrset_count = 1; /* required for ordered search */
+	}
+}
+
+static void ztree_free_data(void)
+{
+	for (unsigned i = 0; i < NCOUNT; ++i) {
+		knot_dname_free(NAME[i], NULL);
+	}
+}
+
+static int ztree_iter_data(zone_node_t *node, void *data)
+{
+	unsigned *i = (unsigned *)data;
+	knot_dname_t *owner = node->owner;
+	int result = KNOT_EOK;
+	if (owner != ORDER[*i]) {
+		result = KNOT_ERROR;
+		char *exp_s = knot_dname_to_str_alloc(ORDER[*i]);
+		char *owner_s = knot_dname_to_str_alloc(owner);
+		diag("ztree: at index: %u expected '%s' got '%s'\n", *i, exp_s, owner_s);
+		free(exp_s);
+		free(owner_s);
+	}
+	++(*i);
+	return result;
+}
+
+static int ztree_node_counter(zone_node_t *node, void *data)
+{
+	(void)node;
+	int *counter = data;
+	(*counter)++;
+	return KNOT_EOK;
+}
+
+int main(int argc, char *argv[])
+{
+	plan_lazy();
+
+	ztree_init_data();
+
+	/* 1. create test */
+	zone_tree_t* t = zone_tree_create(false);
+	ok(t != NULL, "ztree: created");
+
+	/* 2. insert test */
+	unsigned passed = 1;
+	for (unsigned i = 0; i < NCOUNT; ++i) {
+		zone_node_t *node = NODEE + i;
+		if (zone_tree_insert(t, &node) != KNOT_EOK) {
+			passed = 0;
+			break;
+		}
+	}
+	ok(passed, "ztree: insertion");
+
+	/* 3. check data test */
+	passed = 1;
+	for (unsigned i = 0; i < NCOUNT; ++i) {
+		zone_node_t *node = zone_tree_get(t, NAME[i]);
+		if (node == NULL || node != NODEE + i) {
+			passed = 0;
+			break;
+		}
+	}
+	ok(passed, "ztree: lookup");
+
+	/* 4. ordered lookup */
+	zone_node_t *node = NULL;
+	zone_node_t *prev = NULL;
+	knot_dname_t *tmp_dn = knot_dname_from_str_alloc("z.ac.");
+	zone_tree_get_less_or_equal(t, tmp_dn, &node, &prev);
+	knot_dname_free(tmp_dn, NULL);
+	ok(prev == NODEE + 1, "ztree: ordered lookup");
+
+	/* 5. ordered traversal */
+	unsigned i = 0;
+	int ret = zone_tree_apply(t, ztree_iter_data, &i);
+	ok (ret == KNOT_EOK, "ztree: ordered traversal");
+
+	/* 6. subtree apply */
+	int counter = 0;
+	ret = zone_tree_sub_apply(t, (const knot_dname_t *)"\x02""ac", false, ztree_node_counter, &counter);
+	ok(ret == KNOT_EOK && counter == 2, "ztree: subtree iteration");
+	counter = 0;
+	ret = zone_tree_sub_apply(t, (const knot_dname_t *)"\x02""ac", true, ztree_node_counter, &counter);
+	ok(ret == KNOT_EOK && counter == 1, "ztree: subtree iteration excluding root");
+
+	zone_tree_free(&t);
+	ztree_free_data();
+	return 0;
+}
diff --git a/tests/knot/test_zone-update.c b/tests/knot/test_zone-update.c
new file mode 100644
index 0000000..1346aaf
--- /dev/null
+++ b/tests/knot/test_zone-update.c
@@ -0,0 +1,337 @@
+/*  Copyright (C) 2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <assert.h>
+#include <pthread.h>
+#include <tap/basic.h>
+#include <tap/files.h>
+#include <unistd.h>
+
+#include "test_conf.h"
+#include "contrib/getline.h"
+#include "knot/server/server.h"
+#include "knot/updates/zone-update.h"
+#include "knot/zone/adjust.h"
+#include "knot/zone/node.h"
+#include "libzscanner/scanner.h"
+
+static const char *zone_str1 = "test. 600 IN SOA ns.test. m.test. 1 900 300 4800 900 \n";
+static const char *zone_str2 = "test. 600 IN TXT \"test\"\n";
+static const char *add_str   = "test. 600 IN TXT \"test2\"\n";
+static const char *del_str   = "test. 600 IN TXT \"test\"\n";
+static const char *node_str1 = "node.test. 601 IN TXT \"abc\"\n";
+static const char *node_str2 = "node.test. 601 IN TXT \"def\"\n";
+
+knot_rrset_t rrset;
+
+/*!< \brief Returns true if node contains given RR in its RRSets. */
+static bool node_contains_rr(const zone_node_t *node, const knot_rrset_t *data)
+{
+	const knot_rdataset_t *zone_rrs = node_rdataset(node, data->type);
+	if (zone_rrs != NULL) {
+		knot_rdata_t *rr = data->rrs.rdata;
+		for (size_t i = 0; i < data->rrs.count; ++i) {
+			if (!knot_rdataset_member(zone_rrs, rr)) {
+				return false;
+			}
+			rr = knot_rdataset_next(rr);
+		}
+
+		return true;
+	} else {
+		return false;
+	}
+}
+
+static void process_rr(zs_scanner_t *scanner)
+{
+	knot_rrset_init(&rrset, scanner->r_owner, scanner->r_type, scanner->r_class,
+	                scanner->r_ttl);
+
+	int ret = knot_rrset_add_rdata(&rrset, scanner->r_data,
+	                               scanner->r_data_length, NULL);
+	(void)ret;
+	assert(ret == KNOT_EOK);
+}
+
+static int rr_data_cmp(struct rr_data *a, struct rr_data *b)
+{
+	if (a->type != b->type) {
+		return 1;
+	}
+	if (a->ttl != b->ttl) {
+		return 1;
+	}
+	if (a->rrs.count != b->rrs.count) {
+		return 1;
+	}
+	if (a->rrs.rdata != b->rrs.rdata) {
+		return 1;
+	}
+	if (a->additional != b->additional) {
+		return 1;
+	}
+	return 0;
+}
+
+static int test_node_unified(zone_node_t *n1, _unused_ void *v)
+{
+	zone_node_t *n2 = binode_node(n1, false);
+	if (n2 == n1) {
+		n2 = binode_node(n1, true);
+	}
+	ok(n1->owner == n2->owner, "binode %s has equal %s owner", n1->owner, n2->owner);
+	ok(n1->rrset_count == n2->rrset_count, "binode %s has equal rrset_count", n1->owner);
+	for (uint16_t i = 0; i < n1->rrset_count; i++) {
+		ok(rr_data_cmp(&n1->rrs[i], &n2->rrs[i]) == 0, "binode %s has equal rrs", n1->owner);
+	}
+	if (n1->flags & NODE_FLAGS_BINODE) {
+		ok((n1->flags ^ n2->flags) == NODE_FLAGS_SECOND, "binode %s has correct flags", n1->owner);
+	}
+	ok(n1->children == n2->children, "binode %s has equal children count", n1->owner);
+	return KNOT_EOK;
+}
+
+static void test_zone_unified(zone_t *z)
+{
+	knot_sem_wait(&z->cow_lock);
+	zone_tree_apply(z->contents->nodes, test_node_unified, NULL);
+	knot_sem_post(&z->cow_lock);
+}
+
+void test_full(zone_t *zone, zs_scanner_t *sc)
+{
+	zone_update_t update;
+	/* Init update */
+	int ret = zone_update_init(&update, zone, UPDATE_FULL);
+	is_int(KNOT_EOK, ret, "zone update: init full");
+
+	if (zs_set_input_string(sc, zone_str1, strlen(zone_str1)) != 0 ||
+	    zs_parse_all(sc) != 0) {
+		assert(0);
+	}
+
+	/* First addition */
+	ret = zone_update_add(&update, &rrset);
+	knot_rdataset_clear(&rrset.rrs, NULL);
+	is_int(KNOT_EOK, ret, "full zone update: first addition");
+
+	if (zs_set_input_string(sc, zone_str2, strlen(zone_str2)) != 0 ||
+	    zs_parse_all(sc) != 0) {
+		assert(0);
+	}
+
+	/* Second addition */
+	ret = zone_update_add(&update, &rrset);
+	zone_node_t *node = (zone_node_t *) zone_update_get_node(&update, rrset.owner);
+	bool rrset_present = node_contains_rr(node, &rrset);
+	ok(ret == KNOT_EOK && rrset_present, "full zone update: second addition");
+
+	/* Removal */
+	ret = zone_update_remove(&update, &rrset);
+	node = (zone_node_t *) zone_update_get_node(&update, rrset.owner);
+	rrset_present = node_contains_rr(node, &rrset);
+	ok(ret == KNOT_EOK && !rrset_present, "full zone update: removal");
+
+	/* Last addition */
+	ret = zone_update_add(&update, &rrset);
+	node = (zone_node_t *) zone_update_get_node(&update, rrset.owner);
+	rrset_present = node_contains_rr(node, &rrset);
+	ok(ret == KNOT_EOK && rrset_present, "full zone update: last addition");
+
+	knot_rdataset_clear(&rrset.rrs, NULL);
+
+	/* Prepare node removal */
+	if (zs_set_input_string(sc, node_str1, strlen(node_str1)) != 0 ||
+	    zs_parse_all(sc) != 0) {
+		assert(0);
+	}
+	ret = zone_update_add(&update, &rrset);
+	assert(ret == KNOT_EOK);
+	knot_rdataset_clear(&rrset.rrs, NULL);
+
+	if (zs_set_input_string(sc, node_str2, strlen(node_str2)) != 0 ||
+	    zs_parse_all(sc) != 0) {
+		assert(0);
+	}
+	ret = zone_update_add(&update, &rrset);
+	assert(ret == KNOT_EOK);
+	knot_rdataset_clear(&rrset.rrs, NULL);
+	knot_dname_t *rem_node_name = knot_dname_from_str_alloc("node.test");
+	node = (zone_node_t *) zone_update_get_node(&update, rem_node_name);
+	assert(node && node_rdataset(node, KNOT_RRTYPE_TXT)->count == 2);
+	/* Node removal */
+	ret = zone_update_remove_node(&update, rem_node_name);
+	node = (zone_node_t *) zone_update_get_node(&update, rem_node_name);
+	ok(ret == KNOT_EOK && !node, "full zone update: node removal");
+	knot_dname_free(rem_node_name, NULL);
+
+	/* Re-add a node for later incremental functionality test */
+	if (zs_set_input_string(sc, node_str1, strlen(node_str1)) != 0 ||
+	    zs_parse_all(sc) != 0) {
+		assert(0);
+	}
+	ret = zone_update_add(&update, &rrset);
+	assert(ret == KNOT_EOK);
+	knot_rdataset_clear(&rrset.rrs, NULL);
+
+	/* Commit */
+	ret = zone_update_commit(conf(), &update);
+	node = zone_contents_find_node_for_rr(zone->contents, &rrset);
+	rrset_present = node_contains_rr(node, &rrset);
+	ok(ret == KNOT_EOK && rrset_present, "full zone update: commit (max TTL: %u)", zone->contents->max_ttl);
+
+	test_zone_unified(zone);
+
+	knot_rdataset_clear(&rrset.rrs, NULL);
+}
+
+void test_incremental(zone_t *zone, zs_scanner_t *sc)
+{
+	int ret = KNOT_EOK;
+
+	/* Init update */
+	zone_update_t update;
+	zone_update_init(&update, zone, UPDATE_INCREMENTAL);
+	ok(update.zone == zone && changeset_empty(&update.change),
+	   "incremental zone update: init");
+
+	if (zs_set_input_string(sc, add_str, strlen(add_str)) != 0 ||
+	    zs_parse_all(sc) != 0) {
+		assert(0);
+	}
+
+	/* Addition */
+	ret = zone_update_add(&update, &rrset);
+	knot_rdataset_clear(&rrset.rrs, NULL);
+	is_int(KNOT_EOK, ret, "incremental zone update: addition");
+
+	const zone_node_t *synth_node = update.new_cont->apex;
+	ok(synth_node && node_rdataset(synth_node, KNOT_RRTYPE_TXT)->count == 2,
+	   "incremental zone update: add change");
+
+	if (zs_set_input_string(sc, del_str, strlen(del_str)) != 0 ||
+	    zs_parse_all(sc) != 0) {
+		assert(0);
+	}
+	/* Removal */
+	ret = zone_update_remove(&update, &rrset);
+	is_int(KNOT_EOK, ret, "incremental zone update: removal");
+	knot_rdataset_clear(&rrset.rrs, NULL);
+
+	ok(node_rdataset(synth_node, KNOT_RRTYPE_TXT)->count == 1,
+	   "incremental zone update: del change");
+
+	/* Prepare node removal */
+	if (zs_set_input_string(sc, node_str2, strlen(node_str2)) != 0 ||
+	    zs_parse_all(sc) != 0) {
+		assert(0);
+	}
+	ret = zone_update_add(&update, &rrset);
+	assert(ret == KNOT_EOK);
+	knot_rdataset_clear(&rrset.rrs, NULL);
+
+	knot_dname_t *rem_node_name = knot_dname_from_str_alloc("node.test");
+	synth_node = zone_update_get_node(&update, rem_node_name);
+	assert(synth_node && node_rdataset(synth_node, KNOT_RRTYPE_TXT)->count == 2);
+	/* Node Removal */
+	ret = zone_update_remove_node(&update, rem_node_name);
+	synth_node = zone_update_get_node(&update, rem_node_name);
+	ok(ret == KNOT_EOK && !synth_node,
+	   "incremental zone update: node removal");
+	knot_dname_free(rem_node_name, NULL);
+
+	/* Re-add a node for later incremental functionality test */
+	if (zs_set_input_string(sc, node_str1, strlen(node_str1)) != 0 ||
+	    zs_parse_all(sc) != 0) {
+		assert(0);
+	}
+	ret = zone_update_add(&update, &rrset);
+	assert(ret == KNOT_EOK);
+	knot_rdataset_clear(&rrset.rrs, NULL);
+
+	/* Commit */
+	ret = zone_update_commit(conf(), &update);
+	const zone_node_t *iter_node = zone_contents_find_node_for_rr(zone->contents, &rrset);
+	bool rrset_present = node_contains_rr(iter_node, &rrset);
+	ok(ret == KNOT_EOK && rrset_present, "incremental zone update: commit");
+
+	test_zone_unified(zone);
+
+	knot_rdataset_clear(&rrset.rrs, NULL);
+
+	size_t zone_size1 = zone->contents->size;
+	uint32_t zone_max_ttl1 = zone->contents->max_ttl;
+	ret = zone_adjust_full(zone->contents, 2);
+	ok(ret == KNOT_EOK, "zone adjust full shall work");
+	size_t zone_size2 = zone->contents->size;
+	uint32_t zone_max_ttl2 = zone->contents->max_ttl;
+	ok(zone_size1 == zone_size2, "zone size measured the same incremental vs full (%zu, %zu)", zone_size1, zone_size2);
+	ok(zone_max_ttl1 == zone_max_ttl2, "zone max TTL measured the same incremental vs full (%u, %u)", zone_max_ttl1, zone_max_ttl2);
+	// TODO test more things after re-adjust, search for non-unified bi-nodes
+}
+
+int main(int argc, char *argv[])
+{
+	plan_lazy();
+
+	char *temp_dir = test_mkdtemp();
+	ok(temp_dir != NULL, "make temporary directory");
+
+	char conf_str[512];
+	snprintf(conf_str, sizeof(conf_str),
+	         "zone:\n"
+	         " - domain: test.\n"
+	         "database:\n"
+	         "   journal-db-max-size: 100M\n"
+	         "   storage: %s\n",
+	         temp_dir);
+
+	/* Load test configuration. */
+	int ret = test_conf(conf_str, NULL);
+	is_int(KNOT_EOK, ret, "load configuration");
+
+	server_t server;
+	ret = server_init(&server, 1);
+	is_int(KNOT_EOK, ret, "server init");
+
+	/* Set up empty zone */
+	knot_dname_t *apex = knot_dname_from_str_alloc("test");
+	assert(apex);
+	zone_t *zone = zone_new(apex);
+	zone->server = &server;
+
+	/* Setup zscanner */
+	zs_scanner_t sc;
+	if (zs_init(&sc, "test.", KNOT_CLASS_IN, 3600) != 0 ||
+	    zs_set_processing(&sc, process_rr, NULL, NULL) != 0) {
+		assert(0);
+	}
+
+	/* Test FULL update, commit it and use the result to test the INCREMENTAL update */
+	test_full(zone, &sc);
+	test_incremental(zone, &sc);
+
+	zs_deinit(&sc);
+	zone_free(&zone);
+	server_deinit(&server);
+	knot_dname_free(apex, NULL);
+	conf_free(conf());
+	test_rm_rf(temp_dir);
+	free(temp_dir);
+
+	return 0;
+}
diff --git a/tests/knot/test_zone_events.c b/tests/knot/test_zone_events.c
new file mode 100644
index 0000000..18df288
--- /dev/null
+++ b/tests/knot/test_zone_events.c
@@ -0,0 +1,99 @@
+/*  Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <tap/basic.h>
+
+#include "knot/common/evsched.h"
+#include "knot/worker/pool.h"
+#include "knot/events/events.h"
+#include "knot/zone/zone.h"
+
+static void test_scheduling(zone_t *zone)
+{
+	const time_t now = time(NULL);
+	const unsigned offset = 1000;
+
+	time_t timestamp = 0;
+	zone_event_type_t event = 0;
+
+	timestamp = zone_events_get_next(zone, &event);
+	ok(timestamp < 0 && event == ZONE_EVENT_INVALID, "nothing planned");
+
+	// scheduling
+
+	zone_events_schedule_at(zone, ZONE_EVENT_EXPIRE, now + offset);
+	zone_events_schedule_at(zone, ZONE_EVENT_FLUSH,  now + (offset / 2));
+
+	for (int i = 0; i < ZONE_EVENT_COUNT; i++) {
+		time_t t = zone_events_get_time(zone, i);
+		bool scheduled = i == ZONE_EVENT_EXPIRE || i == ZONE_EVENT_FLUSH;
+		const char *name = zone_events_get_name(i);
+
+		ok((t > 0) == scheduled && name, "event %s (%s)", name,
+		   scheduled ? "scheduled" : "not scheduled");
+	}
+
+	// queuing
+
+	timestamp = zone_events_get_next(zone, &event);
+	ok(timestamp >= now + (offset / 2) && event == ZONE_EVENT_FLUSH, "flush is next");
+
+	zone_events_schedule_at(zone, ZONE_EVENT_FLUSH, 0);
+
+	timestamp = zone_events_get_next(zone, &event);
+	ok(timestamp >= now + offset && event == ZONE_EVENT_EXPIRE, "expire is next");
+
+	zone_events_schedule_at(zone, ZONE_EVENT_EXPIRE, 0);
+
+	timestamp = zone_events_get_next(zone, &event);
+	ok(timestamp < 0 && event == ZONE_EVENT_INVALID, "nothing planned");
+
+	// zone_events_enqueue
+
+	// zone_events_freeze
+	// zone_events_start
+}
+
+int main(void)
+{
+	plan_lazy();
+
+	int r;
+
+	evsched_t sched = { 0 };
+	worker_pool_t *pool = NULL;
+	zone_t zone = { 0 };
+
+	r = evsched_init(&sched, NULL);
+	ok(r == KNOT_EOK, "create scheduler");
+
+	pool = worker_pool_create(1);
+	ok(pool != NULL, "create worker pool");
+
+	r = zone_events_init(&zone);
+	ok(r == KNOT_EOK, "zone events init");
+
+	r = zone_events_setup(&zone, pool, &sched);
+	ok(r == KNOT_EOK, "zone events setup");
+
+	test_scheduling(&zone);
+
+	zone_events_deinit(&zone);
+	worker_pool_destroy(pool);
+	evsched_deinit(&sched);
+
+	return 0;
+}
diff --git a/tests/knot/test_zone_serial.c b/tests/knot/test_zone_serial.c
new file mode 100644
index 0000000..2d50720
--- /dev/null
+++ b/tests/knot/test_zone_serial.c
@@ -0,0 +1,159 @@
+/*  Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <tap/basic.h>
+#include <stdlib.h>
+#include <time.h>
+
+#include "knot/zone/serial.h"
+#include "knot/conf/schema.h"
+#include "contrib/strtonum.h"
+
+enum serials {
+	S_LOWEST = 0,			// lowest value
+	S_2LOWEST = 1,			// second lowest value
+	S_BELOW_MIDDLE = 0x7fffffff,	// one below middle
+	S_ABOVE_MIDDLE = 0x80000000,	// one above middle
+	S_2HIGHEST = 0xffffffff - 1,	// second highest value
+	S_HIGHEST = 0xffffffff		// highest value
+};
+
+static uint32_t random_serial(void)
+{
+	uint32_t s = rand() & 0xff;
+	s |= (rand() & 0xff) << 8;
+	s |= (rand() & 0xff) << 16;
+	s |= (rand() & 0xff) << 24;
+
+	return s;
+}
+
+static void check_unixtime(uint32_t current, uint32_t increment, uint32_t expected, const char *msg)
+{
+	uint32_t next = serial_next(current, SERIAL_POLICY_UNIXTIME, increment);
+	ok(next == expected, "unixtime: %s", msg);
+}
+
+/* Test will wrongly fail if the next second starts while running;
+ * this is unlikely, so not taking any action */
+static void test_unixtime(void)
+{
+	time_t serial0 = time(NULL);
+
+	check_unixtime(1000000000, 1, serial0, "from old second or policy");
+	check_unixtime(serial0, 0, serial0, "reuse current second");
+	check_unixtime(serial0, 1, serial0 + 1, "this second's first increment");
+	check_unixtime(serial0 + 1, 1, serial0 + 2, "this second's second increment");
+	check_unixtime(3000000000, 1, 3000000001, "from future second");
+	check_unixtime(3000000000, 0, 3000000000, "at future second");
+}
+
+static void check_dateserial(uint32_t current, uint32_t increment, uint32_t expected, const char *msg)
+{
+	uint32_t next = serial_next(current, SERIAL_POLICY_DATESERIAL, increment);
+	ok(next == expected, "dateserial: %s", msg);
+}
+
+/* Test will wrongly fail if the next day starts while running;
+ * this is EXTREMELY unlikely, so definitely not taking any action */
+static void test_dateserial(void)
+{
+	time_t now = time(NULL);
+
+	struct tm *gm_ret = gmtime(&now);
+
+	char str[32];
+	int ret1 = strftime(str, sizeof(str), "%Y%m%d00", gm_ret);
+
+	uint32_t serial0 = 0;
+	int ret2 = str_to_u32(str, &serial0);
+
+	ok(gm_ret != NULL && ret1 > 0 && ret2 == KNOT_EOK,
+	   "dateserial: prepare current value");
+
+	check_dateserial(2000010100, 1, serial0, "from old date or policy");
+	check_dateserial(serial0, 1, serial0 + 1, "today's first increment");
+	check_dateserial(serial0 + 98, 1, serial0 + 99, "today's last increment");
+	check_dateserial(serial0 + 99, 1, serial0 + 100, "wrap from today");
+	check_dateserial(2100010100, 1, 2100010101, "from future date");
+	check_dateserial(2100010100, 0, 2100010100, "at future date");
+}
+
+int main(int argc, char *argv[])
+{
+	plan_lazy();
+
+	/* Serial compare test. */
+	ok(serial_compare(S_LOWEST, S_BELOW_MIDDLE) == SERIAL_LOWER,
+	   "serial compare: lowest < below middle");
+	ok(serial_compare(S_BELOW_MIDDLE, S_LOWEST) == SERIAL_GREATER,
+	   "serial compare: below middle > lowest");
+
+	/* Corner-case: these serials' distance is exactly 2^31. */
+	ok(serial_compare(S_LOWEST, S_ABOVE_MIDDLE) == SERIAL_INCOMPARABLE,
+	   "serial compare: lowest < above_middle");
+	ok(serial_compare(S_ABOVE_MIDDLE, S_LOWEST) == SERIAL_INCOMPARABLE,
+	   "serial compare: above_middle < lowest");
+
+	ok(serial_compare(S_LOWEST, S_HIGHEST) == SERIAL_GREATER,
+	   "serial compare: lowest > highest");
+	ok(serial_compare(S_HIGHEST, S_LOWEST) == SERIAL_LOWER,
+	   "serial compare: highest < lowest");
+
+	ok(serial_compare(S_2LOWEST, S_ABOVE_MIDDLE) == SERIAL_LOWER,
+	   "serial compare: 2nd lowest < above middle");
+	ok(serial_compare(S_ABOVE_MIDDLE, S_2LOWEST) == SERIAL_GREATER,
+	   "serial compare: above middle > 2nd lowest");
+
+	/* Corner-case: these serials' distance is exactly 2^31. */
+	ok(serial_compare(S_BELOW_MIDDLE, S_HIGHEST) == SERIAL_INCOMPARABLE,
+	   "serial compare: below middle < highest");
+	ok(serial_compare(S_HIGHEST, S_BELOW_MIDDLE) == SERIAL_INCOMPARABLE,
+	   "serial compare: highest < below middle");
+
+	ok(serial_compare(S_BELOW_MIDDLE, S_2HIGHEST) == SERIAL_LOWER,
+	   "serial compare: below middle < 2nd highest");
+	ok(serial_compare(S_2HIGHEST, S_BELOW_MIDDLE) == SERIAL_GREATER,
+	   "serial compare: 2nd highest > below middle");
+
+	ok(serial_compare(S_ABOVE_MIDDLE, S_HIGHEST) == SERIAL_LOWER,
+	   "serial compare: above middle < highest");
+	ok(serial_compare(S_HIGHEST, S_ABOVE_MIDDLE) == SERIAL_GREATER,
+	   "serial compare: highest > above middle");
+
+	ok(serial_compare(S_LOWEST, S_LOWEST) == SERIAL_EQUAL,
+	   "serial compare: lowest == lowest");
+	ok(serial_compare(S_HIGHEST, S_HIGHEST) == SERIAL_EQUAL,
+	   "serial compare: highest == highest");
+
+	ok(serial_compare(S_LOWEST - 1, S_HIGHEST) == SERIAL_EQUAL,
+	   "serial compare: lowest - 1 == highest");
+	ok(serial_compare(S_LOWEST, S_HIGHEST + 1) == SERIAL_EQUAL,
+	   "serial compare: lowest== highest + 1");
+
+	/* Corner-case: these serials' distance is exactly 2^31. */
+	uint32_t s1 = random_serial();
+	uint32_t s2 = s1 + S_ABOVE_MIDDLE;  // exactly the 'opposite' number
+	ok(serial_compare(s1, s2) == SERIAL_INCOMPARABLE,
+	   "serial compare: random opposites (s1 < s2)");
+	ok(serial_compare(s2, s1) == SERIAL_INCOMPARABLE,
+	   "serial compare: random opposites (s2 < s1)");
+
+	test_dateserial();
+	test_unixtime();
+
+	return 0;
+}
diff --git a/tests/knot/test_zone_timers.c b/tests/knot/test_zone_timers.c
new file mode 100644
index 0000000..272733c
--- /dev/null
+++ b/tests/knot/test_zone_timers.c
@@ -0,0 +1,110 @@
+/*  Copyright (C) 2022 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+#include <tap/basic.h>
+#include <tap/files.h>
+
+#include "knot/zone/timers.h"
+#include "libknot/db/db_lmdb.h"
+#include "libknot/dname.h"
+#include "libknot/error.h"
+
+static const zone_timers_t MOCK_TIMERS = {
+	.next_refresh = 1474559960,
+	.last_notified_serial = 0,
+	.last_flush = 1,
+	.next_ds_check = 1474559961,
+	.next_ds_push = 1474559962,
+	.catalog_member = 1474559963,
+	.next_expire = 1639727731,
+};
+
+static bool timers_eq(const zone_timers_t *a, const zone_timers_t *b)
+{
+	return a->next_refresh == b->next_refresh &&
+	       a->last_notified_serial == b->last_notified_serial &&
+	       a->last_flush == b->last_flush &&
+	       a->next_ds_check == b->next_ds_check &&
+	       a->next_ds_push == b->next_ds_push &&
+	       a->catalog_member == b->catalog_member &&
+	       a->next_expire == b->next_expire;
+}
+
+static bool keep_all(const knot_dname_t *zone, void *data)
+{
+	return true;
+}
+
+static bool remove_all(const knot_dname_t *zone, void *data)
+{
+	return false;
+}
+
+int main(int argc, char *argv[])
+{
+	plan_lazy();
+	assert(knot_db_lmdb_api());
+
+	char *dbid = test_mkdtemp();
+	if (!dbid) {
+		return EXIT_FAILURE;
+	}
+
+	const knot_dname_t *zone = (uint8_t *)"\x7""example""\x3""com";
+	struct zone_timers timers = MOCK_TIMERS;
+
+	// Create database
+	knot_lmdb_db_t _db = { 0 }, *db = &_db;
+	knot_lmdb_init(db, dbid, 1024 * 1024, 0, NULL);
+	int ret = knot_lmdb_open(db);
+	ok(ret == KNOT_EOK && db != NULL, "open timers");
+
+	// Lookup nonexistent
+	ret = zone_timers_read(db, zone, &timers);
+	is_int(KNOT_ENOENT, ret, "zone_timer_read() nonexistent");
+
+	// Write timers
+	ret = zone_timers_write(db, zone, &timers);
+	is_int(KNOT_EOK, ret, "zone_timers_write()");
+
+	// Read timers
+	memset(&timers, 0, sizeof(timers));
+	ret = zone_timers_read(db, zone, &timers);
+	ok(ret == KNOT_EOK, "zone_timers_read()");
+	ok(timers_eq(&timers, &MOCK_TIMERS), "inconsistent timers");
+
+	// Sweep none
+	ret = zone_timers_sweep(db, keep_all, NULL);
+	is_int(KNOT_EOK, ret, "zone_timers_sweep() none");
+	ret = zone_timers_read(db, zone, &timers);
+	is_int(KNOT_EOK, ret, "zone_timers_read()");
+
+	// Sweep all
+	ret = zone_timers_sweep(db, remove_all, NULL);
+	is_int(KNOT_EOK, ret, "zone_timers_sweep() all");
+	ret = zone_timers_read(db, zone, &timers);
+	is_int(KNOT_ENOENT, ret, "zone_timers_read() nonexistent");
+
+	// Clean up.
+	knot_lmdb_deinit(db);
+	test_rm_rf(dbid);
+	free(dbid);
+
+	return EXIT_SUCCESS;
+}
diff --git a/tests/knot/test_zonedb.c b/tests/knot/test_zonedb.c
new file mode 100644
index 0000000..3ef7632
--- /dev/null
+++ b/tests/knot/test_zonedb.c
@@ -0,0 +1,115 @@
+/*  Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <tap/basic.h>
+
+#include "knot/zone/zone.h"
+#include "knot/zone/zonedb.h"
+#include "contrib/openbsd/strlcat.h"
+#include "contrib/openbsd/strlcpy.h"
+
+#define ZONE_COUNT 10
+static const char *zone_list[ZONE_COUNT] = {
+        ".",
+        "com",
+        "net",
+        "c.com",
+        "a.com",
+        "a.net",
+        "b.net",
+        "c.a.com",
+        "b.b.b.com",
+        "b.b.b.b.net",
+};
+
+int main(int argc, char *argv[])
+{
+	plan_lazy();
+
+	/* Create database. */
+	knot_dname_txt_storage_t buf;
+	const char *prefix = "zzz.";
+	size_t nr_passed = 0;
+	knot_dname_t *dname = NULL;
+	zone_t *zones[ZONE_COUNT] = {0};
+	knot_zonedb_t *db = knot_zonedb_new();
+	ok(db != NULL, "zonedb: new");
+
+	/* Populate. */
+	for (unsigned i = 0; i < ZONE_COUNT; ++i) {
+		knot_dname_t *zone_name = knot_dname_from_str_alloc(zone_list[i]);
+		zones[i] = zone_new(zone_name);
+		knot_dname_free(zone_name, NULL);
+
+		if (zones[i] == NULL) {
+			goto cleanup;
+		}
+		if (knot_zonedb_insert(db, zones[i]) == KNOT_EOK) {
+			++nr_passed;
+		} else {
+			diag("knot_zonedb_add_zone(%s) failed", zone_list[i]);
+		}
+	}
+	ok(nr_passed == ZONE_COUNT, "zonedb: add zones");
+
+	/* Lookup of exact names. */
+	nr_passed = 0;
+	for (unsigned i = 0; i < ZONE_COUNT; ++i) {
+		dname = knot_dname_from_str_alloc(zone_list[i]);
+		if (knot_zonedb_find(db, dname) == zones[i]) {
+			++nr_passed;
+		} else {
+			diag("knot_zonedb_find(%s) failed", zone_list[i]);
+		}
+		knot_dname_free(dname, NULL);
+	}
+	ok(nr_passed == ZONE_COUNT, "zonedb: find exact zones");
+
+	/* Lookup of sub-names. */
+	nr_passed = 0;
+	for (unsigned i = 0; i < ZONE_COUNT; ++i) {
+		strlcpy(buf, prefix, sizeof(buf));
+		if (strcmp(zone_list[i], ".") != 0) {
+			strlcat(buf, zone_list[i], sizeof(buf));
+		}
+		dname = knot_dname_from_str_alloc(buf);
+		if (knot_zonedb_find_suffix(db, dname) == zones[i]) {
+			++nr_passed;
+		} else {
+			diag("knot_zonedb_find_suffix(%s) failed", buf);
+		}
+		knot_dname_free(dname, NULL);
+	}
+	ok(nr_passed == ZONE_COUNT, "zonedb: find zones for subnames");
+
+	/* Remove all zones. */
+	nr_passed = 0;
+	for (unsigned i = 0; i < ZONE_COUNT; ++i) {
+		dname = knot_dname_from_str_alloc(zone_list[i]);
+		if (knot_zonedb_del(db, dname) == KNOT_EOK) {
+			zone_free(&zones[i]);
+			++nr_passed;
+		} else {
+			diag("knot_zonedb_remove_zone(%s) failed", zone_list[i]);
+		}
+		knot_dname_free(dname, NULL);
+	}
+	ok(nr_passed == ZONE_COUNT, "zonedb: removed all zones");
+
+cleanup:
+	knot_zonedb_deep_free(&db, false);
+	return 0;
+}
-- 
cgit v1.2.3