AD flag is incorrectly returned in NXDOMAIN answers covered by an NSEC3 record with opt-out

$ kdig lachicabionica.com +adflag
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 56321
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0
[...]

All versions of knot-resolver are affected, most likely. It seems only this specific case is wrong.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

Admin message

Admin message

AD flag is incorrectly returned in NXDOMAIN answers covered by an NSEC3 record with opt-out