git.ipfire.org Git - thirdparty/knot-resolver.git/commit
iterate: fix NSEC3 records missing from answer in an edge case docs-develop-nsec-3srvyj/deployments/4211
author: Vladimír Čunát <vladimir.cunat@nic.cz>
Wed, 29 May 2024 13:07:46 +0000 (15:07 +0200)
committer: Vladimír Čunát <vladimir.cunat@nic.cz>
Wed, 29 May 2024 13:13:49 +0000 (15:13 +0200)
commit: 9f82dd096a47f5c8ce6f8158a2892a139083fc8a
tree: a215d56fe9bf2dce614c5b77c9136b98e38c0e11
parent: ccf7d686ed226aeb678e8e390f0be1c865eec31e
iterate: fix NSEC3 records missing from answer in an edge case

When positive wildcard expansion happens, NSEC(3) records are needed
to prove that the expansion was allowed.  If the NSEC3 had too many
iterations, we downgrade the answer to insecure status, but
unintentionally we also dropped the NSEC3 record from the answer.

That was breaking DNSSEC validation of that answer, e.g. when
forwarding to Knot Resolver.  The validator needs the NSEC3 -
either to validate the expansion or to determine that it's too expensive.
NEWS
lib/layer/iterate.c
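The failure the commit message describes, as an added example that models both sides of it in Python (not Knot Resolver's own code): the iterator decides the security status and which NSEC3 records stay in the answer, and a downstream validator then needs that record to make any decision about a wildcard-expanded answer. The iteration limit, the record shapes and the names used are assumptions; signature checks are taken as already passed.

```python
from dataclasses import dataclass, field

# Hypothetical iteration limit; real resolvers make this configurable.
ITERATION_LIMIT = 150

@dataclass
class RRSIG:
    labels: int  # the RRSIG "Labels" field (RFC 4034)

@dataclass
class Answer:
    owner: str                 # owner name of the answer RRset
    rrsig: RRSIG
    nsec3_iterations: list = field(default_factory=list)  # one entry per NSEC3 RR present

def label_count(name: str) -> int:
    return len([l for l in name.rstrip(".").split(".") if l])

def is_wildcard_expansion(ans: Answer) -> bool:
    # RFC 4035 section 5.3.1: fewer RRSIG labels than owner-name labels means
    # the RRset was synthesised from a wildcard (e.g. *.example. for a.example.).
    return ans.rrsig.labels < label_count(ans.owner)

def finalize_answer(nsec3_iterations, drop_expensive_nsec3):
    """Iterator side: pick the security status and the NSEC3 RRs kept in the answer.
    drop_expensive_nsec3=True models the behaviour before this commit."""
    too_expensive = any(it > ITERATION_LIMIT for it in nsec3_iterations)
    status = "insecure" if too_expensive else "secure"
    kept = [] if (too_expensive and drop_expensive_nsec3) else list(nsec3_iterations)
    return status, kept

def validate(ans: Answer) -> str:
    """Validator side (e.g. a forwarding resolver): 'secure', 'insecure' or 'bogus'.
    Only the wildcard proof is modelled; signatures are assumed to verify."""
    if not is_wildcard_expansion(ans):
        return "secure"
    if not ans.nsec3_iterations:
        # No NSEC3 at all: the expansion can neither be proven nor judged too
        # expensive, so the answer fails validation.
        return "bogus"
    if max(ans.nsec3_iterations) > ITERATION_LIMIT:
        return "insecure"  # proof present but too expensive to verify
    return "secure"

if __name__ == "__main__":
    sig = RRSIG(labels=1)  # signed under *.example.
    for drop in (True, False):
        status, kept = finalize_answer([500], drop_expensive_nsec3=drop)
        print(f"iterator status={status} nsec3_kept={kept} ->",
              "validator:", validate(Answer("a.example.", sig, kept)))
```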