support forwarding to kresd so DNSSEC validation can work

In cases when kresd is run without a configured trust anchor it strips DNSSEC records (like RRSIG). It also happens if kresd thinks that particular zone is insecure.

This breaks any validator using this non-validating kresd as forwarder and also cases where validating client has different set of trust achors than kresd it forwards to.

Affected version: 96d29c0e

# rm *.mdb && sudo kresd -v &
# dig @127.0.0.1 +dnssec .
[    0][plan] plan '.' type 'A'
[12071][iter]   '.' type 'A' id was assigned, parent id 0
[12071][resl]   => using root hints
[15848][iter]   '.' type 'A' id was assigned, parent id 0
[15848][resl]   => querying: '2001:dc3::35' score: 10 zone cut: '.' m12n: '.' type: 'A' proto: 'udp'
[15848][resl]   => querying: '202.12.27.33' score: 10 zone cut: '.' m12n: '.' type: 'A' proto: 'udp'
[15848][iter]   <= rcode: NOERROR
[15848][ pc ]   => answer cached for TTL=900
[15848][resl]   <= server: '2001:dc3::35' rtt: >=285 ms
[15848][resl]   <= server: '202.12.27.33' rtt: 35 ms
[    0][resl] finished: 4, queries: 1, mempool: 16400 B

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41638
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.				IN	A

;; AUTHORITY SECTION:
.			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2017020600 1800 900 604800 86400

;; Query time: 286 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Po úno 06 12:20:15 CET 2017
;; MSG SIZE  rcvd: 103

Further inspection in Wireshark showed that DO bit is received by kresd but not set in queries to upstream servers.

Edited Oct 06, 2017 by Petr Špaček

Admin message

support forwarding to kresd so DNSSEC validation can work