unsigned zone with bare CNAME pointing to signed zone yields AD flag set
- zone `nic.mx` is not signed.
- zone `nicmexico.mx` is signed.
- `www.nic.mx.` is CNAME to `nicmexico.mx`
- depending on upstream answer to query `nicmexico.mx IN A`, the answer from kresd may or may not have AD flag set
Reproducer is in test https://gitlab.labs.nic.cz/knot/deckard/commit/372ecb456d2516cbb1916e42485ed5846a98c3e0.
Expected result:
```
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.nic.mx. IN A
ENTRY_END

STEP 11 CHECK_ANSWER
ENTRY_BEGIN
MATCH flags rcode question answer
REPLY QR RD RA DO NOERROR
SECTION QUESTION
www.nic.mx. IN A
SECTION ANSWER
www.nic.mx. 300 IN CNAME www.nicmexico.mx.
www.nicmexico.mx. 171139 IN A 200.94.180.57
www.nicmexico.mx. 171139 IN A 200.94.180.56
www.nicmexico.mx. 171139 IN A 200.94.180.54
www.nicmexico.mx. 171139 IN A 200.94.180.55
www.nicmexico.mx. 171139 IN RRSIG A 7 3 172800 20170221235959 20161221161902 14618 nicmexico.mx. s3THv+Ay2WrcOTG6bo+54Zc/rff/jhzcJKZ3ZRYMXhw3FToSvTOSqsIG1gzW/Sk6r2oikHH3nNluaMTAXfCULu2mHiQVAuFlnajFSMPcm8KvEyV0cCT7knkAFqb+ODkimPMufRHiOLbnhQk9/A25qK7J8rCB76IUmzk41hYRNBU=
ENTRY_END
```
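The rule behind the expected reply, as an added example (not code from this issue, Deckard, or Knot Resolver): RFC 4035 section 3.2.3 permits AD only when every RRset in the answer and authority sections is authentic, so the unsigned CNAME keeps AD clear even though its target is signed. Function names are hypothetical, the zone statuses are taken from the description above, and signatures are assumed valid (only their presence is checked).

```python
# Added example: names are hypothetical; zone statuses come from the issue text.
# Constructed from the expected reply's ANSWER section (signature replaced by <sig>).
ANSWER = """\
www.nic.mx. 300 IN CNAME www.nicmexico.mx.
www.nicmexico.mx. 171139 IN A 200.94.180.57
www.nicmexico.mx. 171139 IN A 200.94.180.56
www.nicmexico.mx. 171139 IN RRSIG A 7 3 172800 20170221235959 20161221161902 14618 nicmexico.mx. <sig>
"""
# Assumption: "secure" means the validator built a chain of trust for the zone.
ZONES = {"nic.mx.": "insecure", "nicmexico.mx.": "secure"}


def labels(name):
    """Split a domain name into lower-case labels; the root has none."""
    stripped = name.lower().rstrip(".")
    return stripped.split(".") if stripped else []


def enclosing_zone(owner, zones):
    """Return the known zone that is the longest label-wise suffix of owner."""
    owner_labels = labels(owner)
    best = None
    for zone in zones:
        zl = labels(zone)
        if len(zl) <= len(owner_labels) and owner_labels[len(owner_labels) - len(zl):] == zl:
            if best is None or len(zl) > len(labels(best)):
                best = zone
    return best


def rrsets(text):
    """Group records into {(owner, type): has_rrsig}; an RRSIG counts toward the type it covers."""
    sets = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5:
            continue
        owner, rtype = f[0].lower(), f[3]
        if rtype == "RRSIG":
            sets[(owner, f[4])] = True
        else:
            sets.setdefault((owner, rtype), False)
    return sets


def ad_allowed(text, zones):
    """AD may be set only if every RRset is signed and lies in a secure zone."""
    for (owner, _rtype), has_rrsig in rrsets(text).items():
        if zones.get(enclosing_zone(owner, zones)) != "secure" or not has_rrsig:
            return False
    return True
```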