diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
new file mode 100644
index 0000000..fea6da7
--- /dev/null
+++ b/.github/workflows/build-and-test.yml
@@ -0,0 +1,53 @@
+name: Github Autobuild
+on: [ push, pull_request ]
+jobs:
+  doIt:
+    name: Build and run tests
+    runs-on: ubuntu-latest
+    steps:
+    - name: Prepare environment
+      run: |
+        sudo apt-get install -y cpanminus libcrypt-openssl-rsa-perl ucspi-tcp
+        sudo cpanm -i Digest::SHA1
+    - name: Check out sources
+      uses: actions/checkout@v2
+    - name: Make tinydnssec
+      run: |
+        make
+    - name: Download djbdns and dependencies
+      run: |
+        curl -sSO http://cr.yp.to/djbdns/djbdns-1.05.tar.gz
+        curl -sSO http://www.fefe.de/dns/djbdns-1.05-test28.diff.xz
+        curl -sSO http://www.tinydnssec.org/djbdns-ipv6-make.patch
+    - name: Unpack and patch sources
+      run: |
+        mkdir -p _build
+        cd _build
+        tar xfz ../djbdns-1.05.tar.gz
+        cd djbdns-1.05
+        tar xfj ../../tinydnssec.tar.bz2
+        xzcat ../../djbdns-1.05-test28.diff.xz | patch -p1
+        patch -p0 <../../djbdns-ipv6-make.patch
+        patch -p1 <../../djbdns-1.05-dnssec.patch
+    - name: Configure
+      run: |
+        cd _build/djbdns-1.05
+        echo cc --include /usr/include/errno.h >conf-cc
+    - name: Build
+      run: |
+        cd _build/djbdns-1.05
+        make
+    - name: Run unit-tests
+      run: |
+        cd _build/djbdns-1.05
+        ./run-tests.sh
+    - name: Run UDP tests
+      run: |
+        cd _build/djbdns-1.05
+        sudo IP=127.0.0.3 ROOT="`pwd`" UID=1 GID=1 ./tinydns &
+        SERVER=127.0.0.3 ./run-tests.sh -u
+    - name: Run TCP tests
+      run: |
+        cd _build/djbdns-1.05
+        sudo ROOT="`pwd`" UID=1 GID=1 tcpserver -HRl localhost 127.0.0.3 53 ./axfrdns &
+        SERVER=127.0.0.3 ./run-tests.sh -t
diff --git a/INSTALL.tinydnssec b/INSTALL.tinydnssec
index b9784a7..65b3c0a 100644
--- a/INSTALL.tinydnssec
+++ b/INSTALL.tinydnssec
@@ -11,7 +11,8 @@ to install before the tinydnssec patch applies:
    Unfortunately, fefe refuses to name a license for this patch, which means
    that I cannot redistribute it.
 
-2. My own fixes to the Makefile (IPv6-related): djbdns-ipv6-make.patch
+2. My own fixes to the Makefile (IPv6-related):
+   http://www.tinydnssec.org/djbdns-ipv6-make.patch
 
 Build
 -----
@@ -19,7 +20,7 @@ Build
 1. Download and unpack the original djbdns sources from
    http://cr.yp.to/djbdns/install.html .
 2. Download and apply the patches listed above.
-3. Download and unpack http://tinydnssec.org/tinydnssec-1.05-1.5.tar.bz2 in
+3. Download and unpack http://tinydnssec.org/tinydnssec-1.05-1.7.tar.bz2 in
    the top-level source directory.
 4. Apply djbdns-1.05-dnssec.patch.
 5. Install as per usual instructions (see http://cr.yp.to/djbdns/install.html ).
diff --git a/README.tinydnssec b/README.tinydnssec
index b68a6c8..94b906c 100644
--- a/README.tinydnssec
+++ b/README.tinydnssec
@@ -109,7 +109,7 @@ update:
 LICENSE
 -------
 
-(C) 2012,2015,2017,2019 Peter Conrad <conrad@quisquis.de>
+(C) 2012,2015,2017,2019,2020 Peter Conrad <conrad@quisquis.de>
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License version 3 as
diff --git a/djbdns-1.05-dnssec.patch b/djbdns-1.05-dnssec.patch
index 99a55e4..f2a53a1 100644
--- a/djbdns-1.05-dnssec.patch
+++ b/djbdns-1.05-dnssec.patch
@@ -1,4 +1,4 @@
-(C) 2012 Peter Conrad <conrad@quisquis.de>
+(C) 2012,2019,2020 Peter Conrad <conrad@quisquis.de>
 
 This patch is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License version 3 as
@@ -1223,8 +1223,8 @@ diff -rNU3 djbdns-1.05.tds-base/TARGETS djbdns-1.05.tinydnssec/TARGETS
 +base32hex.o
 +printtype.o
 +edns0.o
---- djbdns-1.05-ipv6/tdlookup.c	2019-07-22 14:04:16.803064553 +0200
-+++ djbdns-1.05-dnssec/tdlookup.c	2019-07-22 20:36:57.566950278 +0200
+--- djbdns-1.05.orig/tdlookup.c	2020-05-31 12:26:32.153583322 +0200
++++ djbdns-1.05/tdlookup.c	2020-05-31 11:59:14.367285275 +0200
 @@ -10,6 +10,9 @@
  #include "response.h"
  #include "ip6.h"
@@ -1253,7 +1253,7 @@ diff -rNU3 djbdns-1.05.tds-base/TARGETS djbdns-1.05.tinydnssec/TARGETS
  
  static int find(char *d,int flagwild)
  {
-@@ -105,6 +110,123 @@
+@@ -105,6 +110,122 @@
    return response_addname(d1);
  }
  
@@ -1323,8 +1323,7 @@ diff -rNU3 djbdns-1.05.tds-base/TARGETS djbdns-1.05.tinydnssec/TARGETS
 +  }
 +
 +  /* Find covering hash */
-+  char nibble = ((digest[0] >> 4) & 0xf) + '0';
-+  if (nibble > '9') { nibble += 'a' - '9' - 1; }
++  char nibble = ((digest[0] >> 4) & 0xf) + 'A';
 +  salt[0] = 1;
 +  salt[1] = nibble;
 +  byte_copy(salt+2, dns_domain_length(control), control);
@@ -1377,7 +1376,7 @@ diff -rNU3 djbdns-1.05.tds-base/TARGETS djbdns-1.05.tinydnssec/TARGETS
  static int doit(char *q,char qtype[2])
  {
    unsigned int bpos;
-@@ -118,6 +240,8 @@
+@@ -118,6 +239,8 @@
    int r;
    int flagns;
    int flagauthoritative;
@@ -1386,7 +1385,7 @@ diff -rNU3 djbdns-1.05.tds-base/TARGETS djbdns-1.05.tinydnssec/TARGETS
    char x[20];
    uint16 u16;
    char addr[8][4];
-@@ -132,18 +256,28 @@
+@@ -132,18 +255,28 @@
    for (;;) {
      flagns = 0;
      flagauthoritative = 0;
@@ -1417,7 +1416,7 @@ diff -rNU3 djbdns-1.05.tds-base/TARGETS djbdns-1.05.tinydnssec/TARGETS
    if (!flagauthoritative) {
      response[2] &= ~4;
      goto AUTHORITY; /* q is in a child zone */
-@@ -152,7 +286,11 @@
+@@ -152,7 +285,11 @@
  
    flaggavesoa = 0;
    flagfound = 0;
@@ -1430,7 +1429,7 @@ diff -rNU3 djbdns-1.05.tds-base/TARGETS djbdns-1.05.tinydnssec/TARGETS
  
    for (;;) {
      addrnum = addr6num = 0;
-@@ -162,8 +300,26 @@
+@@ -162,8 +299,26 @@
        if (r == -1) return 0;
        flagfound = 1;
        if (flaggavesoa && byte_equal(type,2,DNS_T_SOA)) continue;
@@ -1459,7 +1458,7 @@ diff -rNU3 djbdns-1.05.tds-base/TARGETS djbdns-1.05.tinydnssec/TARGETS
  	addrttl = ttl;
  	i = dns_random(addrnum + 1);
  	if (i < 8) {
-@@ -174,7 +330,7 @@
+@@ -174,7 +329,7 @@
  	if (addrnum < 1000000) ++addrnum;
  	continue;
        }
@@ -1468,7 +1467,7 @@ diff -rNU3 djbdns-1.05.tds-base/TARGETS djbdns-1.05.tinydnssec/TARGETS
  	addr6ttl = ttl;
  	i = dns_random(addr6num + 1);
  	if (i < 8) {
-@@ -188,6 +344,9 @@
+@@ -188,6 +343,9 @@
        if (!response_rstart(q,type,ttl)) return 0;
        if (byte_equal(type,2,DNS_T_NS) || byte_equal(type,2,DNS_T_CNAME) || byte_equal(type,2,DNS_T_PTR)) {
  	if (!doname()) return 0;
@@ -1478,7 +1477,7 @@ diff -rNU3 djbdns-1.05.tds-base/TARGETS djbdns-1.05.tinydnssec/TARGETS
        }
        else if (byte_equal(type,2,DNS_T_MX)) {
  	if (!dobytes(2)) return 0;
-@@ -199,6 +358,13 @@
+@@ -199,6 +357,13 @@
  	if (!dobytes(20)) return 0;
          flaggavesoa = 1;
        }
@@ -1492,7 +1491,7 @@ diff -rNU3 djbdns-1.05.tds-base/TARGETS djbdns-1.05.tinydnssec/TARGETS
        else
          if (!response_addbytes(data + dpos,dlen - dpos)) return 0;
        response_rfinish(RESPONSE_ANSWER);
-@@ -219,10 +385,24 @@
+@@ -219,10 +384,24 @@
      if (flagfound) break;
      if (wild == control) break;
      if (!*wild) break; /* impossible */
@@ -1517,7 +1516,7 @@ diff -rNU3 djbdns-1.05.tds-base/TARGETS djbdns-1.05.tinydnssec/TARGETS
    if (!flagfound)
      response_nxdomain();
  
-@@ -230,22 +410,49 @@
+@@ -230,22 +409,49 @@
    AUTHORITY:
    aupos = response_len;
  
@@ -1579,7 +1578,7 @@ diff -rNU3 djbdns-1.05.tds-base/TARGETS djbdns-1.05.tinydnssec/TARGETS
        cdb_findstart(&c);
        while (r = find(control,0)) {
          if (r == -1) return 0;
-@@ -254,10 +461,33 @@
+@@ -254,10 +460,33 @@
  	  if (!doname()) return 0;
            response_rfinish(RESPONSE_AUTHORITY);
          }
@@ -1613,7 +1612,7 @@ diff -rNU3 djbdns-1.05.tds-base/TARGETS djbdns-1.05.tinydnssec/TARGETS
  
    bpos = anpos;
    while (bpos < arpos) {
-@@ -265,25 +495,33 @@
+@@ -265,25 +494,33 @@
      bpos = dns_packet_copy(response,arpos,bpos,x,10); if (!bpos) return 0;
      if (byte_equal(x,2,DNS_T_NS) || byte_equal(x,2,DNS_T_MX)) {
        if (byte_equal(x,2,DNS_T_NS)) {
@@ -1654,7 +1653,7 @@ diff -rNU3 djbdns-1.05.tds-base/TARGETS djbdns-1.05.tinydnssec/TARGETS
          }
        }
      }
-@@ -291,10 +529,10 @@
+@@ -291,10 +528,10 @@
      bpos += u16;
    }
  
@@ -1667,7 +1666,7 @@ diff -rNU3 djbdns-1.05.tds-base/TARGETS djbdns-1.05.tinydnssec/TARGETS
        byte_zero(response + RESPONSE_AUTHORITY,2);
        response_len = aupos;
      }
-@@ -316,6 +554,9 @@
+@@ -316,6 +553,9 @@
    cdb_init(&c,fd);
  
    r = doit(q,qtype);
@@ -1677,10 +1676,119 @@ diff -rNU3 djbdns-1.05.tds-base/TARGETS djbdns-1.05.tinydnssec/TARGETS
  
    cdb_free(&c);
    close(fd);
-diff -rNU3 djbdns-1.05.tds-base/tinydns-data.c djbdns-1.05.tinydnssec/tinydns-data.c
---- djbdns-1.05.tds-base/tinydns-data.c	2012-12-06 22:45:38.000000000 +0100
-+++ djbdns-1.05.tinydnssec/tinydns-data.c	2012-12-06 22:39:13.000000000 +0100
-@@ -436,7 +436,7 @@
+--- djbdns-1.05.orig/tinydns-data.c	2020-05-31 12:26:32.153583322 +0200
++++ djbdns-1.05/tinydns-data.c	2020-05-31 11:49:26.624848116 +0200
+@@ -155,14 +155,15 @@
+   rr_add(buf,4);
+   rr_add(ttd,8);
+ }
+-void rr_finish(const char *owner)
++void rr_finish(const char *owner, int to_lower)
+ {
+   if (byte_equal(owner,2,"\1*")) {
+     owner += 2;
+     result.s[2] -= 19;
+   }
+   if (!stralloc_copyb(&key,owner,dns_domain_length(owner))) nomem();
+-  case_lowerb(key.s,key.len);
++  if (to_lower)
++    case_lowerb(key.s,key.len);
+   if (cdb_make_add(&cdb,key.s,key.len,result.s,result.len) == -1)
+     die_datatmp();
+ }
+@@ -295,7 +296,7 @@
+ 	if (!dns_domain_fromdot(&d2,f[2].s,f[2].len)) nomem();
+ 	rr_addname(d2);
+ 	rr_add(soa,20);
+-	rr_finish(d1);
++	rr_finish(d1, 1);
+ 	break;
+ 
+       case '.': case '&':
+@@ -319,17 +320,17 @@
+ 	  rr_add("\12hostmaster",11);
+ 	  rr_addname(d1);
+ 	  rr_add(defaultsoa,20);
+-	  rr_finish(d1);
++	  rr_finish(d1, 1);
+ 	}
+ 
+ 	rr_start(DNS_T_NS,ttl,ttd,loc);
+ 	rr_addname(d2);
+-	rr_finish(d1);
++	rr_finish(d1, 1);
+ 
+ 	if (ip4_scan(f[1].s,ip)) {
+ 	  rr_start(DNS_T_A,ttl,ttd,loc);
+ 	  rr_add(ip,4);
+-	  rr_finish(d2);
++	  rr_finish(d2, 1);
+ 	}
+ 
+ 	break;
+@@ -346,13 +347,13 @@
+ 	if (ip4_scan(f[1].s,ip)) {
+ 	  rr_start(DNS_T_A,ttl,ttd,loc);
+ 	  rr_add(ip,4);
+-	  rr_finish(d1);
++	  rr_finish(d1, 1);
+ 
+ 	  if (line.s[0] == '=') {
+ 	    dns_name4_domain(dptr,ip);
+ 	    rr_start(DNS_T_PTR,ttl,ttd,loc);
+ 	    rr_addname(d1);
+-	    rr_finish(dptr);
++	    rr_finish(dptr, 1);
+ 	  }
+ 	}
+ 	break;
+@@ -368,18 +369,18 @@
+ 	if (ip6_scan_flat(f[1].s,ip6)) {
+ 	  rr_start(DNS_T_AAAA,ttl,ttd,loc);
+ 	  rr_add(ip6,16);
+-	  rr_finish(d1);
++	  rr_finish(d1, 1);
+ 
+ 	  if (line.s[0] == '6') {	/* emit both .ip6.arpa and .ip6.int */
+ 	    dns_name6_domain(d6ptr,ip6,DNS_IP6_ARPA);
+ 	    rr_start(DNS_T_PTR,ttl,ttd,loc);
+ 	    rr_addname(d1);
+-	    rr_finish(d6ptr);
++	    rr_finish(d6ptr, 1);
+ 
+ 	    dns_name6_domain(d6ptr,ip6,DNS_IP6_INT);
+ 	    rr_start(DNS_T_PTR,ttl,ttd,loc);
+ 	    rr_addname(d1);
+-	    rr_finish(d6ptr);
++	    rr_finish(d6ptr, 1);
+ 	  }
+ 	}
+ 	break;
+@@ -406,12 +407,12 @@
+ 	uint16_pack_big(buf,u);
+ 	rr_add(buf,2);
+ 	rr_addname(d2);
+-	rr_finish(d1);
++	rr_finish(d1, 1);
+ 
+ 	if (ip4_scan(f[1].s,ip)) {
+ 	  rr_start(DNS_T_A,ttl,ttd,loc);
+ 	  rr_add(ip,4);
+-	  rr_finish(d2);
++	  rr_finish(d2, 1);
+ 	}
+ 	break;
+ 
+@@ -428,7 +429,7 @@
+ 	else
+ 	  rr_start(DNS_T_PTR,ttl,ttd,loc);
+ 	rr_addname(d2);
+-	rr_finish(d1);
++	rr_finish(d1, 1);
+ 	break;
+ 
+       case '\'':
+@@ -444,14 +445,14 @@
  	i = 0;
  	while (i < f[1].len) {
  	  k = f[1].len - i;
@@ -1689,6 +1797,23 @@ diff -rNU3 djbdns-1.05.tds-base/tinydns-data.c djbdns-1.05.tinydnssec/tinydns-da
  	  ch = k;
  	  rr_add(&ch,1);
  	  rr_add(f[1].s + i,k);
+ 	  i += k;
+ 	}
+ 
+-	rr_finish(d1);
++	rr_finish(d1, 1);
+ 	break;
+ 
+       case ':':
+@@ -483,7 +484,7 @@
+ 
+ 	rr_start(type,ttl,ttd,loc);
+ 	rr_add(f[2].s,f[2].len);
+-	rr_finish(d1);
++	rr_finish(d1, u != 65282); /* preserve uppercase for hash database */
+ 	break;
+ 
+       default:
 diff -rNU3 djbdns-1.05.tds-base/tinydns-get.c djbdns-1.05.tinydnssec/tinydns-get.c
 --- djbdns-1.05.tds-base/tinydns-get.c	2001-02-11 22:11:45.000000000 +0100
 +++ djbdns-1.05.tinydnssec/tinydns-get.c	2012-12-06 22:39:13.000000000 +0100
diff --git a/html/install.html b/html/install.html
index fdc2a6b..ef78763 100644
--- a/html/install.html
+++ b/html/install.html
@@ -29,7 +29,8 @@ <h2>Requirements</h2>
    Unfortunately, fefe refuses to name a license for this patch, which means
    that I cannot redistribute it.</li>
 
-<li>My own fixes to the Makefile (IPv6-related): djbdns-ipv6-make.patch</li>
+<li>My own fixes to the Makefile (IPv6-related):
+    <a href="http://www.tinydnssec.org/djbdns-ipv6-make.patch">djbdns-ipv6-make.patch</a></li>
 </ol>
 
 <h2>Build</h2>
@@ -37,7 +38,7 @@ <h2>Build</h2>
 <ol>
 <li>Download and unpack the <a href="http://cr.yp.to/djbdns/install.html">original djbdns sources</a>.</li>
 <li>Download and apply the patches listed above.</li>
-<li>Download and unpack <a href="tinydnssec-1.05-1.5.tar.gz">tinydnssec</a> in
+<li>Download and unpack <a href="tinydnssec-1.05-1.7.tar.gz">tinydnssec</a> in
     the top-level source directory.</li>
 <li>Apply djbdns-1.05-dnssec.patch.</li>
 <li>Install as per
@@ -72,7 +73,7 @@ <h2>Test</h2>
 <h2>License information</h2>
 
 <p>
-(C) 2012,2015,2017,2019 Peter Conrad
+(C) 2012,2015,2017,2019,2020 Peter Conrad
 </p>
 <p>
 This program is free software: you can redistribute it and/or modify
diff --git a/run-tests.sh b/run-tests.sh
index 3337a03..dd43254 100755
--- a/run-tests.sh
+++ b/run-tests.sh
@@ -30,6 +30,11 @@ set -e
 ##########################################
 # Test example zones and tinydns responses
 
+( echo "managed-keys {";
+  grep '^#K[^:]*:257:' test/data \
+    | sed 's=^#K\([^:]*\):\([0-9]*\):\([0-9]*\):\([0-9]*\):\([^:]*\):.*= \1 initial-key \2 \3 \4 "\5";='
+  echo "};" ) >test/trust.keys
+
 ./tinydns-sign.pl test/example.?sk <test/data >data
 ./tinydns-data
 rm data
@@ -37,8 +42,8 @@ rm data
 for i in test/q-*; do
     id="${i#test/q}"
     echo -n "$i ... "
-    read sec type name <"$i"
-    ./tinydns-get "$sec" "$type" $name | tail -n +2 >test/"o$id"
+    read name zone type sec <"$i"
+    ./tinydns-get $sec "$type" $name$zone | tail -n +2 >test/"o$id"
     sed -s 's/\b[0-9]\{10\}\b/<TIME>/g;/00 RRSIG /s/[^ ]*$/<SIG>/;s/^[0-9]\{1,\}/<SIZE>/' <test/"o$id" >test/"t$id"
     if diff "test/t$id" "test/a$id" >/dev/null; then
 	echo "OK"
@@ -85,21 +90,31 @@ if [ "$1" = "-t" ]; then
     for i in test/q-*; do
 	id="${i#test/q}"
 	echo -n "$i (tcp) ... "
-	read sec type name <"$i"
+	read name zone type sec <"$i"
 	if [ "$sec" = "-s" ]; then
 	    sec="+dnssec +bufsize=1220"
 	elif [ "$sec" = "-S" ]; then
 	    sec="+dnssec +bufsize=2000"
 	fi
-	dig +norecurse +tcp $sec "$type" $name @$SERVER >"test/ot$id"
+	dig +norecurse +tcp $sec "$type" $name$zone @$SERVER >"test/ot$id"
 	dig2tiny "test/ot$id" "test/ttt$id"
 	sed -s 's/\b[0-9]\{10\}\b/<TIME>/g;s/\b[0-9]\{14\}\b/<TIME>/g;/00 RRSIG /s/[^ ]*$/<SIG>/' <test/"ttt$id" | \
 	  sort >test/"tt$id"
 	if sort <"test/a$id" | diff -wi - "test/tt$id" >/dev/null; then
-	    echo "OK"
+	    result=OK
+	    if [ -n "$sec" -a "$1" = "-u" ] && grep -q "$zone" test/trust.keys; then
+		truncate -s 0 "test/dt$id"
+		echo ".$id" \
+		  | grep -qE '.-(0[2679]|2[346])' \
+		  || delv -a test/trust.keys +tcp +short +root="$zone" +nodlv @"$SERVER" $name$zone $type >"test/dt$id" 2>&1
+		grep -vE 'failed.*nx(domain|rrset)' "test/dt$id" \
+		  | grep -i fail \
+		  && result="FAIl: delv validation"
+	    fi
 	else
-	    echo "FAIL: dig +tcp"
+	    result="FAIL: dig +notcp"
 	fi
+	echo "$result"
     done
 fi
 
@@ -113,21 +128,31 @@ if [ "$1" = "-u" ]; then
     for i in test/q-*; do
 	id="${i#test/q}"
 	echo -n "$i (udp) ... "
-	read sec type name <"$i"
+	read name zone type sec <"$i"
 	if [ "$sec" = "-s" ]; then
 	    sec="+dnssec +bufsize=1220"
 	elif [ "$sec" = "-S" ]; then
 	    sec="+dnssec +bufsize=2000"
 	fi
-	dig +norecurse +notcp $sec "$type" $name @$SERVER >"test/ou$id"
+	dig +norecurse +notcp $sec "$type" $name$zone @$SERVER >"test/ou$id"
 	dig2tiny "test/ou$id" "test/tut$id"
 	sed -s 's/\b[0-9]\{10\}\b/<TIME>/g;s/\b[0-9]\{14\}\b/<TIME>/g;/00 RRSIG /s/[^ ]*$/<SIG>/' <test/"tut$id" | \
 	  sort >test/"tu$id"
 	if sort <"test/a$id" | diff -wi - "test/tu$id" >/dev/null; then
-	    echo "OK"
+	    result=OK
+	    if [ -n "$sec" ] && grep -q "$zone" test/trust.keys; then
+		truncate -s 0 "test/du$id"
+		echo ".$id" \
+		  | grep -qE '.-(0[2679]|2[346])' \
+		  || delv -a test/trust.keys +notcp +short +root="$zone" +nodlv @"$SERVER" $name$zone $type >"test/du$id" 2>&1
+		grep -vE 'failed.*nx(domain|rrset)' "test/dt$id" \
+		  | grep -i fail \
+		  && result="FAIl: delv validation"
+	    fi
 	else
-	    echo "FAIL: dig +notcp"
+	    result="FAIL: dig +notcp"
 	fi
+	echo "$result"
     done
 fi
 
diff --git a/test/a-44 b/test/a-44
new file mode 100644
index 0000000..4b08bd3
--- /dev/null
+++ b/test/a-44
@@ -0,0 +1,10 @@
+<SIZE> bytes, 1+2+5+1 records, response, authoritative, noerror
+query: A 1.bug-202005.xx
+answer: 1.bug-202005.xx 86400 RRSIG A 7 2 86400 <TIME> <TIME> 44495 bug-202005.xx <SIG>
+answer: 1.bug-202005.xx 86400 A 1.2.3.4
+authority: u4kmi4aqmefd24lmtg51hc9s1aljpc0h.bug-202005.xx 86400 NSEC3 1 0 12 AABBCCDD hetkrmlecvmqlfotp27b7pheo7b99aod A RRSIG
+authority: u4kmi4aqmefd24lmtg51hc9s1aljpc0h.bug-202005.xx 86400 RRSIG NSEC3 7 3 86400 <TIME> <TIME> 44495 bug-202005.xx <SIG>
+authority: bug-202005.xx 259200 NS ns1.bug-202005.xx
+authority: bug-202005.xx 259200 NS ns2.bug-202005.xx
+authority: bug-202005.xx 259200 RRSIG NS 7 2 259200 <TIME> <TIME> 44495 bug-202005.xx <SIG>
+additional: . 0 OPT 512 0 0 8000
diff --git a/test/a-45 b/test/a-45
new file mode 100644
index 0000000..d6a47f5
--- /dev/null
+++ b/test/a-45
@@ -0,0 +1,10 @@
+<SIZE> bytes, 1+2+5+1 records, response, authoritative, noerror
+query: A sub.1.bug-202005.xx
+answer: sub.1.bug-202005.xx 86400 RRSIG A 7 2 86400 <TIME> <TIME> 44495 bug-202005.xx <SIG>
+answer: sub.1.bug-202005.xx 86400 A 1.2.3.4
+authority: u4kmi4aqmefd24lmtg51hc9s1aljpc0h.bug-202005.xx 86400 NSEC3 1 0 12 AABBCCDD hetkrmlecvmqlfotp27b7pheo7b99aod A RRSIG
+authority: u4kmi4aqmefd24lmtg51hc9s1aljpc0h.bug-202005.xx 86400 RRSIG NSEC3 7 3 86400 <TIME> <TIME> 44495 bug-202005.xx <SIG>
+authority: bug-202005.xx 259200 NS ns1.bug-202005.xx
+authority: bug-202005.xx 259200 NS ns2.bug-202005.xx
+authority: bug-202005.xx 259200 RRSIG NS 7 2 259200 <TIME> <TIME> 44495 bug-202005.xx <SIG>
+additional: . 0 OPT 512 0 0 8000
diff --git a/test/a-46 b/test/a-46
new file mode 100644
index 0000000..31d0d38
--- /dev/null
+++ b/test/a-46
@@ -0,0 +1,5 @@
+<SIZE> bytes, 1+1+2+0 records, response, authoritative, noerror
+query: A 1.bug-202005.xx
+answer: 1.bug-202005.xx 86400 A 1.2.3.4
+authority: bug-202005.xx 259200 NS ns1.bug-202005.xx
+authority: bug-202005.xx 259200 NS ns2.bug-202005.xx
diff --git a/test/a-47 b/test/a-47
new file mode 100644
index 0000000..b75d2e0
--- /dev/null
+++ b/test/a-47
@@ -0,0 +1,5 @@
+<SIZE> bytes, 1+1+2+0 records, response, authoritative, noerror
+query: A sub.1.bug-202005.xx
+answer: sub.1.bug-202005.xx 86400 A 1.2.3.4
+authority: bug-202005.xx 259200 NS ns1.bug-202005.xx
+authority: bug-202005.xx 259200 NS ns2.bug-202005.xx
diff --git a/test/a-48 b/test/a-48
new file mode 100644
index 0000000..edfe869
--- /dev/null
+++ b/test/a-48
@@ -0,0 +1,11 @@
+<SIZE> bytes, 1+0+8+1 records, response, authoritative, nxdomain
+query: A 23.bug-201907.xx
+authority: bug-201907.xx 2500 SOA ns1.bug-201907.xx bugs.bug-201907.xx <TIME> 3600 300 3600000 3600
+authority: bug-201907.xx 2500 RRSIG SOA 7 2 2500 <TIME> <TIME> 44495 bug-201907.xx <SIG>
+authority: mommf7eoir860kafe2svq3skg8931ter.bug-201907.xx 86400 NSEC3 1 0 12 AABBCCDD nktouv25ij58mqjbrnv5chn5tp0os33e NS SOA RRSIG DNSKEY NSEC3PARAM
+authority: mommf7eoir860kafe2svq3skg8931ter.bug-201907.xx 86400 RRSIG NSEC3 7 3 86400 <TIME> <TIME> 44495 bug-201907.xx <SIG>
+authority: jlvi3gvq4und75uno2669hta94qjuf8d.bug-201907.xx 86400 NSEC3 1 0 12 AABBCCDD mommf7eoir860kafe2svq3skg8931ter A RRSIG
+authority: jlvi3gvq4und75uno2669hta94qjuf8d.bug-201907.xx 86400 RRSIG NSEC3 7 3 86400 <TIME> <TIME> 44495 bug-201907.xx <SIG>
+authority: vu6o9jbv9vgkspu0cser5248i4717i3c.bug-201907.xx 86400 NSEC3 1 0 12 AABBCCDD 5k5q9fve7svr623nqk9k81jb4eumftgc MX RRSIG
+authority: vu6o9jbv9vgkspu0cser5248i4717i3c.bug-201907.xx 86400 RRSIG NSEC3 7 3 86400 <TIME> <TIME> 44495 bug-201907.xx <SIG>
+additional: . 0 OPT 512 0 0 8000
diff --git a/test/data b/test/data
index 4b07eb5..b787748 100644
--- a/test/data
+++ b/test/data
@@ -79,3 +79,13 @@ Zbug-201907.xx:ns1.bug-201907.xx:bugs.bug-201907.xx:1081539377:3600:300:3600000:
 
 @*.c.bug-201907.xx:1.2.3.4:a.mx.bug-201907.xx:1:300
 @c.bug-201907.xx:1.2.3.4:b:1:300
+
+Zbug-202005.xx:ns1.bug-202005.xx:bugs.bug-202005.xx:1081539377:3600:300:3600000:3600:2500
+&bug-202005.xx::ns1.bug-202005.xx
+&bug-202005.xx::ns2.bug-202005.xx
+#Kbug-202005.xx:256:3:7:AwEAAZvSuWicF6oQ8QarGTQ84GDgYD3c12nrz/K2PQ98eCy0SKOZ+p4662QxkUGTmrxoUSGVlPp2arYXNs5AVf+ggt9zpb+ZSLV18Z152kAA6iHXVrwTbUZX1Eg4IqxzrSX2/jqs2dqQF7dDZcNV7xNpKfKDTW5J5d7vbkhcM8/xxb1p:::
+#Kbug-202005.xx:257:3:7:AwEAAdBi/kUytR/v7iW9h9qsgtuj5BSDEvE5djja8UEdFLqThQEJ0bnptExEoS8acYQYhLiufAEfp7no0bV2wcS6jR9cIRS0iZ/NNaPeG04U9HDz1VXiZ9xIsifw6feJlHEUAWMxtq7KF2Kyn3jOz05o08zk5XcIQnBDZiPw96bQfDlxMiM8umPWh8iZa6VmzQJ9bbouyoAppm/9O+ha7lCdMUbvIcKLoYVaVyK+pI2vHH4RaqrGUcposqi4hzJzOZvCU5FtJ+4uWGV+rleTmgR+YWS1gwfbNtaGIQacCAcSDA184TwKuUmHoHdBcrond7eyZGMVbKTbQ/MpiRI56uHd2bxqurBc6NmEsG9r3IZs+TsTvnkQVPksho39gcifpt/NKJ0uN01ZNUUvWQIZREm1UB/uR2hFWJ1hCvPkI08B5AbxIeRc8cb864PJHw2zye0wi6Ey0CHJK04KZLU+f6s80v7TsWmy/1gIMQMrDmiClkJQ/oFddCgisi/SgGbiaIkm5HUgEzBkTnZRluWwgZHVmJHI9I1Vwnyh3NReJo0IIRE90QGrOzA9l/op938f96E1ucFze28OzffhuLCQmmsrMXrKHnqg3K7vV+yk2v7vHec2GoKPuDwg5Lc6O1jOfx2AtoK0OC8Aj3XztynbzjdjJscxZr+C4JeN25pl8ilBT0Zp:::
+#Pbug-202005.xx:1:0:12::aabbccdd:::
+
++*.bug-202005.xx:1.2.3.4
++www.bug-202005.xx:1.2.3.5
diff --git a/test/q-01 b/test/q-01
index bef04de..f9da26b 100644
--- a/test/q-01
+++ b/test/q-01
@@ -1,2 +1,2 @@
--s mx x.w.example
+x.w. example mx -s
 # RFC-4035 Appendix B.1
diff --git a/test/q-02 b/test/q-02
index b5cfc62..e405378 100644
--- a/test/q-02
+++ b/test/q-02
@@ -1,2 +1,2 @@
--s mx mc.a.example
+mc.a. example mx -s
 # RFC-4035 Appendix B.4
diff --git a/test/q-03 b/test/q-03
index ec55a89..307a8bc 100644
--- a/test/q-03
+++ b/test/q-03
@@ -1,2 +1,2 @@
--s a a.c.x.w.example
+a.c.x.w. example a -s
 # RFC-5155 Appendix B.1
diff --git a/test/q-04 b/test/q-04
index 72ff808..5b22095 100644
--- a/test/q-04
+++ b/test/q-04
@@ -1,2 +1,2 @@
--s mx ns1.example
+ns1. example mx -s
 # RFC-5155 Appendix B.2
diff --git a/test/q-05 b/test/q-05
index da2d679..a26cc27 100644
--- a/test/q-05
+++ b/test/q-05
@@ -1,2 +1,2 @@
--s a y.w.example
+y.w. example a -s
 # RFC-5155 Appendix B.2.1
diff --git a/test/q-06 b/test/q-06
index c08772a..e729510 100644
--- a/test/q-06
+++ b/test/q-06
@@ -1,2 +1,2 @@
--s mx a.z.w.example
+a.z.w. example mx -s
 # RFC-5155 Appendix B.4
diff --git a/test/q-07 b/test/q-07
index 3079f01..26443ce 100644
--- a/test/q-07
+++ b/test/q-07
@@ -1,2 +1,2 @@
--S mx a.z.w.example
+a.z.w. example mx -S
 # RFC-5155 Appendix B.4
diff --git a/test/q-08 b/test/q-08
index 1123888..1017873 100644
--- a/test/q-08
+++ b/test/q-08
@@ -1,2 +1,2 @@
--s aaaa a.z.w.example
+a.z.w. example aaaa -s
 # RFC-5155 Appendix B.5
diff --git a/test/q-09 b/test/q-09
index 30ed504..04c7a99 100644
--- a/test/q-09
+++ b/test/q-09
@@ -1,2 +1,2 @@
--s ds example
+\  example ds -s
 # RFC-5155 Appendix B.6
diff --git a/test/q-10 b/test/q-10
index 3947108..70a97b2 100644
--- a/test/q-10
+++ b/test/q-10
@@ -1 +1 @@
-mx x.w.example
+x.w. example mx
diff --git a/test/q-11 b/test/q-11
index 075e5e6..bad1e3e 100644
--- a/test/q-11
+++ b/test/q-11
@@ -1 +1 @@
-mx mc.a.example
+mc.a. example mx
diff --git a/test/q-12 b/test/q-12
index 333e0bd..c4ec5fb 100644
--- a/test/q-12
+++ b/test/q-12
@@ -1 +1 @@
-a a.c.x.w.example
+a.c.x.w. example a
diff --git a/test/q-13 b/test/q-13
index f98714e..e0e18c8 100644
--- a/test/q-13
+++ b/test/q-13
@@ -1 +1 @@
-mx ns1.example
+ns1. example mx
diff --git a/test/q-14 b/test/q-14
index f442db7..dc4a3c2 100644
--- a/test/q-14
+++ b/test/q-14
@@ -1 +1 @@
-a y.w.example
+y.w. example a
diff --git a/test/q-15 b/test/q-15
index 8aeba48..76553e0 100644
--- a/test/q-15
+++ b/test/q-15
@@ -1 +1 @@
-mx a.z.w.example
+a.z.w. example mx
diff --git a/test/q-16 b/test/q-16
index 15de40d..c8dccb9 100644
--- a/test/q-16
+++ b/test/q-16
@@ -1 +1 @@
-aaaa a.z.w.example
+a.z.w. example aaaa
diff --git a/test/q-17 b/test/q-17
index 0362480..6fe2c74 100644
--- a/test/q-17
+++ b/test/q-17
@@ -1 +1 @@
-ds example
+\  example ds
diff --git a/test/q-18 b/test/q-18
index 18e7a2b..fc76c1d 100644
--- a/test/q-18
+++ b/test/q-18
@@ -1 +1 @@
-mx an.example.xx
+an. example.xx mx
diff --git a/test/q-19 b/test/q-19
index 195f284..157cdd8 100644
--- a/test/q-19
+++ b/test/q-19
@@ -1 +1 @@
-mx another.example.xx
+another. example.xx mx
diff --git a/test/q-20 b/test/q-20
index fed41b4..d0240db 100644
--- a/test/q-20
+++ b/test/q-20
@@ -1 +1 @@
-mx simple.example.xx
+simple. example.xx mx
diff --git a/test/q-21 b/test/q-21
index d0c8d6a..5b6d334 100644
--- a/test/q-21
+++ b/test/q-21
@@ -1 +1 @@
-mx sub.example.xx
+sub. example.xx mx
diff --git a/test/q-22 b/test/q-22
index 2bafbd8..e6c6841 100644
--- a/test/q-22
+++ b/test/q-22
@@ -1 +1 @@
-a simple.example.xx
+simple. example.xx a
diff --git a/test/q-23 b/test/q-23
index 274715c..7774a08 100644
--- a/test/q-23
+++ b/test/q-23
@@ -1 +1 @@
--s mx an.example.xx
+an. example.xx mx -s
diff --git a/test/q-24 b/test/q-24
index 71c8006..7ec5888 100644
--- a/test/q-24
+++ b/test/q-24
@@ -1 +1 @@
--s mx another.example.xx
+another. example.xx mx -s
diff --git a/test/q-25 b/test/q-25
index 20d96e9..bb207a2 100644
--- a/test/q-25
+++ b/test/q-25
@@ -1 +1 @@
--s mx simple.example.xx
+simple. example.xx mx -s
diff --git a/test/q-26 b/test/q-26
index 626d4b4..0812970 100644
--- a/test/q-26
+++ b/test/q-26
@@ -1 +1 @@
--s mx sub.example.xx
+sub. example.xx mx -s
diff --git a/test/q-27 b/test/q-27
index 1030c51..b4c60ae 100644
--- a/test/q-27
+++ b/test/q-27
@@ -1 +1 @@
--s a simple.example.xx
+simple. example.xx a -s
diff --git a/test/q-28 b/test/q-28
index b53f963..196a0cc 100644
--- a/test/q-28
+++ b/test/q-28
@@ -1 +1 @@
-cname an.example.xx
+an. example.xx cname
diff --git a/test/q-29 b/test/q-29
index 9d31260..a75e530 100644
--- a/test/q-29
+++ b/test/q-29
@@ -1 +1 @@
--s cname an.example.xx
+an. example.xx cname -s
diff --git a/test/q-30 b/test/q-30
index 15d5ee6..1294c74 100644
--- a/test/q-30
+++ b/test/q-30
@@ -1 +1 @@
-aaaa a.ns.unsigned.xx
+a.ns. unsigned.xx aaaa
diff --git a/test/q-31 b/test/q-31
index 23d7d82..fe56845 100644
--- a/test/q-31
+++ b/test/q-31
@@ -1 +1 @@
--s aaaa a.ns.unsigned.xx
+a.ns. unsigned.xx aaaa -s
diff --git a/test/q-32 b/test/q-32
index 68769ec..7c69945 100644
--- a/test/q-32
+++ b/test/q-32
@@ -1 +1 @@
-a nx.unsigned.xx
+nx. unsigned.xx a
diff --git a/test/q-33 b/test/q-33
index bfd510e..1258b55 100644
--- a/test/q-33
+++ b/test/q-33
@@ -1 +1 @@
--s a nx.unsigned.xx
+nx. unsigned.xx a -s
diff --git a/test/q-34 b/test/q-34
index d04f65e..cb950f6 100644
--- a/test/q-34
+++ b/test/q-34
@@ -1 +1 @@
-mx wc.w.unsigned.xx
+wc.w. unsigned.xx mx
diff --git a/test/q-35 b/test/q-35
index 15b6fd3..06e8662 100644
--- a/test/q-35
+++ b/test/q-35
@@ -1 +1 @@
--s mx wc.w.unsigned.xx
+wc.w. unsigned.xx mx -s
diff --git a/test/q-36 b/test/q-36
index 6c7aec9..d2a9ee5 100644
--- a/test/q-36
+++ b/test/q-36
@@ -1 +1 @@
-mx an.unsigned.xx
+an. unsigned.xx mx
diff --git a/test/q-37 b/test/q-37
index 52a2dec..d21f9e5 100644
--- a/test/q-37
+++ b/test/q-37
@@ -1 +1 @@
--s mx an.unsigned.xx
+an. unsigned.xx mx -s
diff --git a/test/q-38 b/test/q-38
index b8778b8..43470c3 100644
--- a/test/q-38
+++ b/test/q-38
@@ -1 +1 @@
-mx another.unsigned.xx
+another. unsigned.xx mx
diff --git a/test/q-39 b/test/q-39
index a79f33f..ab79d95 100644
--- a/test/q-39
+++ b/test/q-39
@@ -1 +1 @@
--s mx another.unsigned.xx
+another. unsigned.xx mx -s
diff --git a/test/q-40 b/test/q-40
index 5058b27..7dd629f 100644
--- a/test/q-40
+++ b/test/q-40
@@ -1 +1 @@
--s hinfo xx.example
+xx. example hinfo -s
diff --git a/test/q-41 b/test/q-41
index 1471b8d..1cb2af2 100644
--- a/test/q-41
+++ b/test/q-41
@@ -1,2 +1,2 @@
--s a www.a.bug-201907.xx
+www.a. bug-201907.xx a -s
 # Buggy wildcard handling reported in 2019-07, depends on RR order in data.cdb file
diff --git a/test/q-42 b/test/q-42
index f063e6f..2e08199 100644
--- a/test/q-42
+++ b/test/q-42
@@ -1,2 +1,2 @@
--s aaaa www.b.bug-201907.xx
+www.b. bug-201907.xx aaaa -s
 # Buggy wildcard handling reported in 2019-07, depends on RR order in data.cdb file
diff --git a/test/q-43 b/test/q-43
index 58cb605..23b3ff9 100644
--- a/test/q-43
+++ b/test/q-43
@@ -1,2 +1,2 @@
--s mx www.c.bug-201907.xx
+www.c. bug-201907.xx mx -s
 # Buggy wildcard handling reported in 2019-07, depends on RR order in data.cdb file
diff --git a/test/q-44 b/test/q-44
new file mode 100644
index 0000000..dff4b41
--- /dev/null
+++ b/test/q-44
@@ -0,0 +1,2 @@
+1. bug-202005.xx a -s
+# Hash database in [0-9a-f].domain shadows top-level wildcard *.domain
diff --git a/test/q-45 b/test/q-45
new file mode 100644
index 0000000..35f6a32
--- /dev/null
+++ b/test/q-45
@@ -0,0 +1,2 @@
+sub.1. bug-202005.xx a -s
+# Hash database in [0-9a-f].domain shadows top-level wildcard *.domain
diff --git a/test/q-46 b/test/q-46
new file mode 100644
index 0000000..d17cb19
--- /dev/null
+++ b/test/q-46
@@ -0,0 +1,2 @@
+1. bug-202005.xx a
+# Hash database in [0-9a-f].domain shadows top-level wildcard *.domain
diff --git a/test/q-47 b/test/q-47
new file mode 100644
index 0000000..9a1aa48
--- /dev/null
+++ b/test/q-47
@@ -0,0 +1,2 @@
+sub.1. bug-202005.xx a
+# Hash database in [0-9a-f].domain shadows top-level wildcard *.domain
diff --git a/test/q-48 b/test/q-48
new file mode 100644
index 0000000..8344b9b
--- /dev/null
+++ b/test/q-48
@@ -0,0 +1,2 @@
+23. bug-201907.xx a -s
+# First entry in hash database has wrong predecessor
diff --git a/tinydns-sign.pl b/tinydns-sign.pl
index 17c4a7e..6c82962 100755
--- a/tinydns-sign.pl
+++ b/tinydns-sign.pl
@@ -1,6 +1,6 @@
 #!/usr/bin/perl -w
 
-# Copyright (C) 2012,2015 Peter Conrad <conrad@quisquis.de>
+# Copyright (C) 2012,2015,2020 Peter Conrad <conrad@quisquis.de>
 
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 3 as
@@ -254,7 +254,7 @@
     }
     $prev->{next} = $first->{hash};
     unshift @{$byNibble[0]}, $prev->{hash};
-    for (my $nib = 1; $nib <= $#byNibble && $#{$byNibble[$nib]} < 0; $nib++) {
+    for (my $nib = 1; $nib <= $#byNibble && $#{$byNibble[$nib - 1]} < 1; $nib++) {
 	unshift @{$byNibble[$nib]}, $prev->{hash};
     }
     for (my $nib = $#byNibble + 1; $nib < 16; $nib++) {
@@ -279,7 +279,7 @@
 	&makeGenericRecord($hash->{generator}, 65281, &wireName($hash->{name}), $n3p->{ttl}, $n3p->{ts}, $n3p->{lo});
     }
     for (my $nib = 0; $nib < 16; $nib++) {
-	my $name = sprintf("%x", $nib).".$zone";
+	my $name = chr(ord("A") + $nib).".$zone";
 	my $rec = &getOrCreateRRs($name);
 	$rec->addRecord(65282, join("", @{$byNibble[$nib]}), $n3p->{ttl}, $n3p->{ts}, $n3p->{lo});
 	&makeGenericRecord($name, 65282, join("", @{$byNibble[$nib]}), $n3p->{ttl}, $n3p->{ts}, $n3p->{lo});