The test was completely reworked. The old one had many problems:
- MATCH specification was totally ignoring the response so the test did
- Fixing MATCH clauses uncovered that delegations were incorrect.
- Queries for localhost addresses had to be allowed for the test to work.
The new test is using only one DNS zone (the root) but tests more cases:
- valid positive wildcard answer for non-existing owner name
- invalid answer where wildcard data + RRSIG were transplanted to
  a different owner name
- valid positive answer for explicit owner name (masking the wildcard)
- invalid answer where wildcard data are used to mask explicit data
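
The four cases listed above, as an added example that is not part of the commit or the project's test code: a sketch of the structural checks from RFC 4035 sections 5.3.2 and 5.3.4 that separate the valid answers from the invalid ones. The zone contents, the NSEC chain, the function names and the `sig_over` parameter (a stand-in for real signature verification) are assumptions made for illustration.

```python
# Added illustration; all names and the NSEC chain below are constructed.
def key(name):
    """Canonical ordering key (RFC 4034 6.1): lowercase labels, rightmost first."""
    name = name.rstrip(".").lower()
    return [l.encode() for l in reversed(name.split("."))] if name else []

def signed_name(owner, rrsig_labels):
    """Name the RRSIG covers (RFC 4035 5.3.2); None if Labels is too large."""
    ls = key(owner)
    if rrsig_labels > len(ls):
        return None
    if rrsig_labels == len(ls):
        return owner.lower()               # explicit data, no expansion
    kept = [l.decode() for l in reversed(ls[:rrsig_labels])]
    return ".".join(["*"] + kept) + "."     # synthesized from this wildcard

def nsec_covers(nsec_owner, nsec_next, name):
    """True if name sorts strictly between an NSEC owner and its next name."""
    o, n, x = key(nsec_owner), key(nsec_next), key(name)
    return o < x < n if o < n else x > o    # last NSEC wraps back to the apex

def check_positive_answer(qname, rrsig_labels, sig_over, nsecs):
    """sig_over models crypto verification: the owner name the signer signed."""
    covered = signed_name(qname, rrsig_labels)
    if covered is None or key(covered) != key(sig_over):
        return "bogus: signature does not cover this owner name"
    if rrsig_labels < len(key(qname)):      # answer claims wildcard expansion
        # The expansion is only valid if the exact name is proven absent.
        if not any(nsec_covers(o, n, qname) for o, n in nsecs):
            return "bogus: no NSEC proves the owner name does not exist"
    return "ok"

# Constructed root zone with data at ".", "*.wc." and "explicit.wc.".
NSEC_CHAIN = [(".", "*.wc."), ("*.wc.", "explicit.wc."), ("explicit.wc.", ".")]

if __name__ == "__main__":
    cases = [("nonexistent.wc.", 1, "*.wc."),      # valid wildcard answer
             ("a.other.", 1, "*.wc."),             # transplanted data + RRSIG
             ("explicit.wc.", 2, "explicit.wc."),  # explicit name masks wildcard
             ("explicit.wc.", 1, "*.wc.")]         # wildcard masks explicit data
    for qname, labels, sig_over in cases:
        print(qname, "->", check_positive_answer(qname, labels, sig_over, NSEC_CHAIN))
```

The sketch covers only single-label expansion directly below the wildcard's parent, so the closer-wildcard proof that RFC 4035 also requires is not modelled.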