send EDNS with SERVFAILs, e.g. on validation failures
Large pipeline seems good: https://gitlab.labs.nic.cz/knot/knot-resolver/pipelines/49582 (earlier version: https://gitlab.labs.nic.cz/knot/knot-resolver/pipelines/49365)
Possible caveats: modules that want to produce a SERVFAIL will need to clear
to_wire flags on RRs that shouldn't go into the answer (which depends on what the module wants to achieve). That's probably hard to avoid, as e.g. in case of CNAME chains we should use non-empty SERVFAILs anyway (but that will be fixed in !660 (closed) or similar).