policies and sub-queries
Policies are currently only applied to full requests, i.e. when begin
happens for layers. We do copy the flag and server list when creating sub-queries, but:
- not everywhere, e.g. the dns64 module is broken in this respect;
- the subquery might be for a name that the policy should apply differently, e.g. users attempting to handle different parts of the DNS tree differently. A similar situation is on CNAME jumps, as those may also lead to a different part of the tree.