NOERROR from pre-RFC 2308 servers is treated as lame
Knot Resolver 4.0.0 does not accept NOERROR answers from pre-RFC 2308 auths, i.e. auths which do not send SOA RR in AUTHORITY section of NOERROR answer.
Example from live Internet:
resolve('blogs.cisco.com', kres.type.AAAA, kres.class.IN, {}, function(pkt) print(pkt) end)
...
[65537.22][iter] 'blogs.glb-ext.cisco.com.' type 'AAAA' new uid was assigned .25, parent uid .00
[65537.25][resl] => id: '43849' querying: '72.163.5.22#00053' score: 10 zone cut: 'glb-ext.cisco.com.' qname: 'BLogS.glb-eXT.CiscO.Com.' qtype: 'AAAA' proto: 'udp'
[65537.25][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 43849
;; Flags: qr cd QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1280 B; ext-rcode: Unused
;; QUESTION SECTION
blogs.glb-ext.cisco.com. AAAA
[65537.25][iter] <= rcode: NOERROR
[65537.25][iter] <= lame response: non-auth sent negative response
This seems to be caused by is_authoritative()
in lib/layer/iterate.c.