lib/iterate: scrub DNSSEC records when DO=1

if the client doesn't support DNSSEC, scrub these from the answer
and do not set the AD bit

lib/layer/iterate.c

@@ -164,7 +164,14 @@ static int update_parent(const knot_rrset_t *rr, struct kr_request *req)
 
 static int update_answer(const knot_rrset_t *rr, unsigned hint, struct kr_request *req)
 {
+	/* Scrub DNSSEC records when not requested. */
 	knot_pkt_t *answer = req->answer;
+	if (!knot_edns_do(answer->opt_rr)) {
+		if (rr->type != knot_pkt_qtype(answer) && knot_rrtype_is_dnssec(rr->type)) {
+			return KNOT_STATE_DONE; /* Scrub */
+		}
+	}
+
 	int ret = knot_pkt_put(answer, hint, rr, 0);
 	if (ret != KNOT_EOK) {
 		knot_wire_set_tc(answer->wire);

lib/layer/rrcache.c

@@ -173,7 +173,6 @@ static int commit_rr(const char *key, void *val, void *data)
 	}
 
 	/* Save RRSIG in a special cache. */
-	unsigned drift = baton->timestamp;
 	if (KEY_COVERING_RRSIG(key)) {
 		return commit_rrsig(baton, rr);
 	}

lib/resolve.c

@@ -197,7 +197,7 @@ static int answer_finalize(struct kr_request *request, int state)
 	struct kr_rplan *rplan = &request->rplan;
 	if (state == KNOT_STATE_DONE && !EMPTY_LIST(rplan->resolved)) {
 		struct kr_query *last = TAIL(rplan->resolved);
-		if (last->flags & QUERY_DNSSEC_WANT) {
+		if ((last->flags & QUERY_DNSSEC_WANT) && knot_edns_do(answer->opt_rr)) {
 			knot_wire_set_ad(answer->wire);
 		}
 	}

tests/testdata/iter_validate.rpl

@@ -108,13 +108,34 @@ RANGE_END
 
 STEP 1 QUERY
 ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+cz. IN NS
+ENTRY_END
+
+; check that it answers a plain query
+STEP 2 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+cz. IN NS
+SECTION ANSWER
+cz.			18000	IN	NS	a.ns.nic.cz.
+cz.			18000	IN	NS	b.ns.nic.cz.
+cz.			18000	IN	NS	c.ns.nic.cz.
+cz.			18000	IN	NS	d.ns.nic.cz.
+ENTRY_END
+
+STEP 3 QUERY
+ENTRY_BEGIN
 REPLY RD DO
 SECTION QUESTION
 cz. IN NS
 ENTRY_END
 
 ; recursion happens here.
-STEP 10 CHECK_ANSWER
+STEP 4 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
 REPLY QR RD RA AD NOERROR