nameserver: don't follow DNAME under delegation (NONAUTH node)

src/knot/nameserver/internet.c

@@ -381,8 +381,9 @@ static int name_not_found(knot_pkt_t *pkt, knotd_qdata_t *qdata)
 	}
 
 	/* Name is under DNAME, use it for substitution. */
+	bool encloser_auth = !(qdata->extra->encloser->flags & (NODE_FLAGS_NONAUTH | NODE_FLAGS_DELEG));
 	knot_rrset_t dname_rrset = node_rrset(qdata->extra->encloser, KNOT_RRTYPE_DNAME);
-	if (!knot_rrset_empty(&dname_rrset)) {
+	if (encloser_auth && !knot_rrset_empty(&dname_rrset)) {
 		qdata->extra->node = qdata->extra->encloser; /* Follow encloser as new node. */
 		return follow_cname(pkt, KNOT_RRTYPE_DNAME, qdata);
 	}

tests-extra/data/flags.zone

@@ -72,6 +72,7 @@ f.dname-tree	DNAME	f.f.dname-tree
 
 dname-out	DNAME	outside.zone.
 dname-dangl	DNAME	dangling
+dname.below.sub	DNAME	dname-tree
 
 ; DS tests
 ds-sub		NS	dns.net.ds-sub

tests-extra/tests/basic/query/test.py

@@ -177,6 +177,10 @@ resp.check(rcode="NOERROR")
 resp = knot.dig("dname.flags", "DNAME", udp=True)
 resp.cmp(bind)
 
+# DNAME being below a delegation
+resp = knot.dig("a.dname.below.sub.flags", "A", udp=True)
+resp.cmp(bind, additional=True)
+
 # DNAME query leading out of zone
 resp = knot.dig("a.dname-out.flags", "A", udp=True)
 resp.cmp(bind)