Knot copies Z flag from query header without zeroing it
ICANN contacted us (CentralNic) notifying us of a compliance issue with nodes in our Anycast network that run Knot. Our BIND and NSD nodes were not affected.
Page 26 of RFC 1035 describes the Z flag of the header thusly:

    Z       Reserved for future use. Must be zero in all queries
            and responses.

When Knot constructs the response header, it does not zero the Z flag but copies it verbatim from the query.
Here is a Perl script which can be used to test a server:
#!/usr/bin/perl
# zflag.pl: send a query with the reserved Z bit set and report whether
# the server echoes it back in the response header.
use strict;
use warnings;
use Net::DNS;
my ($server, $qname, $qtype) = @ARGV;
if (!defined($server) || $server eq '') {
    print STDERR "Usage: zflag.pl SERVER [QNAME [QTYPE]]\n";
    exit(1);
}
$qname = $qname || '.';    # default to the root name
$qtype = $qtype || 'A';
my $packet = Net::DNS::Packet->new($qname, $qtype, 'IN');
my $resolver = Net::DNS::Resolver->new(
    'nameservers' => [ $server ],
    'udp_timeout' => 1,
    'tcp_timeout' => 1,
    'retry'       => 3,
    'retrans'     => 1,
);
$packet->header->z(1);    # set the reserved bit, which RFC 1035 says must be zero
my $answer = $resolver->send($packet);
# prints "1 SERVER" if Z was copied back, "0 SERVER" if it was zeroed, "- SERVER" on no reply
printf("%s %s\n", ($answer ? $answer->header->z : '-'), $server);
Here's the result when I run it against the DNS servers for knot-dns.cz:
$ dig +short NS knot-dns.cz | while read h ; do perl zflag.pl $h ; done
1 d.ns.nic.cz.
1 b.ns.nic.cz.
0 a.ns.nic.cz.
Presumably b and d run Knot, but a runs something else (BIND I think).
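For anyone who wants to check captured traffic offline rather than probe a live server, here is an added Python example (not from the report or from Knot) that builds a query with the reserved Z bit set the way the Perl script does, then inspects the Z bit of a response header. The two sample responses are constructed here: one mimics the reported behaviour (Z copied from the query), the other a compliant server (Z zeroed).

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1). The AD and CD bits later took
# two of the original three Z bits, leaving this single reserved bit.
QR_BIT = 0x8000
RD_BIT = 0x0100
Z_BIT = 0x0040


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234, set_z: bool = True) -> bytes:
    """Build a minimal query; set_z=True sets the reserved Z bit like zflag.pl does."""
    flags = RD_BIT | (Z_BIT if set_z else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b""
    for label in qname.strip(".").split("."):
        if label:  # the root name "." yields no labels
            question += bytes([len(label)]) + label.encode("ascii")
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def header_z(packet: bytes) -> int:
    """Return the reserved Z bit (0 or 1) from a DNS message header."""
    flags = struct.unpack("!H", packet[2:4])[0]
    return 1 if flags & Z_BIT else 0


def fake_response(query: bytes, copy_z: bool) -> bytes:
    """Constructed sample response: echo the query header with QR set.
    copy_z=True mimics the reported Knot behaviour, copy_z=False a compliant server."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags |= QR_BIT
    if not copy_z:
        flags &= ~Z_BIT  # what a compliant server does: zero the reserved bit
    return struct.pack("!HHHHHH", txid, flags, qdcount, 0, 0, 0) + query[12:]


def z_leaked(query: bytes, response: bytes) -> bool:
    """True if the response carries the Z bit we set in the query (the bug)."""
    if response[:2] != query[:2]:
        raise ValueError("transaction id mismatch: not a reply to this query")
    return header_z(query) == 1 and header_z(response) == 1


if __name__ == "__main__":
    q = build_query("knot-dns.cz")
    for name, resp in (("copied", fake_response(q, True)), ("zeroed", fake_response(q, False))):
        print(f"{header_z(resp)} {name}")  # mirrors the "1 server" / "0 server" output of zflag.pl
```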