invalid NSEC bitmap for delegation point
According to https://tools.ietf.org/html/rfc4035#section-2.3, the NSEC bitmap at a delegation point should include only authoritative RRs and NS.
The bitmap for the NSEC RR at a delegation point requires special
attention. Bits corresponding to the delegation NS RRset and any
RRsets for which the parent zone has authoritative data MUST be set;
bits corresponding to any non-NS RRset for which the parent is not
authoritative MUST be clear.
At the delegation point, only DS, NSEC, and RRSIG are authoritative. So the NSEC bitmap for child.example in the following zone signed by Knot should not contain A type.
;; Zone dump (Knot DNS 1.99.1)
example. 10 IN SOA ns.example. admin.example. 403 1 1 8 10
example. 10 DNSKEY 256 3 8 ...
child.example. 10 NS ns.child.example.
child.example. 10 NS child.example.
child.example. 10 A 127.0.0.1
ns.child.example. 10 A 127.0.0.2
foo.example. 10 TXT "bar"
ns.example. 10 AAAA ::
;; DNSSEC signatures
...
;; DNSSEC NSEC chain
example. 10 NSEC child.example. SOA RRSIG NSEC DNSKEY
child.example. 10 NSEC foo.example. A NS RRSIG NSEC
foo.example. 10 NSEC ns.example. TXT RRSIG NSEC
ns.example. 10 NSEC example. AAAA RRSIG NSEC