CNAME breaks DS queries if CNAME is at apex (non-compliant auth side)

kresd replies incorrectly for name.example. DS queries if name.example. has CNAME at apex name.example..

This seems to affect only non-compliant servers which allow CNAME at apex. Such zones are illegal according to https://tools.ietf.org/html/rfc1034#section-3.6.2.

This bug is present in 2.3.0 and breaks validating forwarders which point to kresd. Related: #153 (closed)

Affected domain: ucarecdn.com

DNSViz: http://dnsviz.net/d/ucarecdn.com/WvYPzQ/dnssec/

DNSViz mirror dnsviz-ucarecdn.pdf

Second affected domain (with wildcard): coder.show

DNSViz: http://dnsviz.net/d/coder.show/WwVyFQ/dnssec/

DNSViz mirror dnsviz-coder-show.pdf

Steps to reproduce:

  1. dig +dnssec coder.show A
  2. dig +dnssec coder.show DS
Edited by Petr Špaček
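
Added example, not part of the original issue and not Knot Resolver code: a small check for the RFC 1034 section 3.6.2 violation described above, flagging owner names where a CNAME coexists with other data, and in particular a CNAME at a zone apex (the name that also owns the SOA). The records in `SAMPLE` are constructed, the function names are hypothetical, and RRSIG and NSEC are allowed alongside CNAME because signed zones require them there (RFC 4035 section 2.5).

```python
from collections import defaultdict

# Types that may share an owner name with a CNAME in a signed zone.
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}
DNS_CLASSES = {"IN", "CH", "HS"}

# Constructed records in dig / zone-file presentation format (not real data).
SAMPLE = """\
; constructed sample: CNAME placed at the zone apex
name.example.      300 IN SOA   ns1.name.example. hostmaster.name.example. 1 7200 3600 1209600 300
name.example.      300 IN NS    ns1.name.example.
name.example.      300 IN CNAME target.cdn.example.
name.example.      300 IN RRSIG CNAME 8 2 300 20300101000000 20200101000000 12345 name.example. c2lnbmF0dXJl
www.name.example.  300 IN CNAME target.cdn.example.
www.name.example.  300 IN RRSIG CNAME 8 3 300 20300101000000 20200101000000 12345 name.example. c2lnbmF0dXJl
ns1.name.example.  300 IN A     192.0.2.53
"""

def parse_records(text):
    """Yield (owner, rrtype) from lines shaped 'owner [ttl] [class] type rdata'."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments (sample has no ';' in rdata)
        if not line:
            continue
        fields = line.split()
        owner = fields[0].lower().rstrip(".") + "."   # normalise case and trailing dot
        rest = fields[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() in DNS_CLASSES):
            rest = rest[1:]                    # skip optional TTL and class
        if rest:
            yield owner, rest[0].upper()

def cname_conflicts(text):
    """Map each owner holding a CNAME to the other types it must not hold."""
    types = defaultdict(set)
    for owner, rrtype in parse_records(text):
        types[owner].add(rrtype)
    return {owner: sorted(found - ALLOWED_WITH_CNAME)
            for owner, found in types.items()
            if "CNAME" in found and found - ALLOWED_WITH_CNAME}

def apex_cnames(text):
    """Owners that are a zone apex (hold SOA) and also hold a CNAME."""
    return sorted(o for o, extra in cname_conflicts(text).items() if "SOA" in extra)

if __name__ == "__main__":
    for owner, extra in cname_conflicts(SAMPLE).items():
        print(f"{owner} has CNAME together with {', '.join(extra)}")
    print("apex CNAME:", apex_cnames(SAMPLE))
```

Feeding it the combined answer sections collected from the authoritative servers for SOA, NS and CNAME queries on the same name shows whether a zone falls into the non-compliant case this issue is about.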