Not-yet-valid signature causes SERVFAIL + data in answer section
Reproducer:
# dig @::1 signotincepted.ok.ok.bad-dnssec.wb.sidnlabs.nl +rrcomments
; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> @::1 signotincepted.ok.ok.bad-dnssec.wb.sidnlabs.nl +rrcomments
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5493
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;signotincepted.ok.ok.bad-dnssec.wb.sidnlabs.nl. IN A
;; ANSWER SECTION:
signotincepted.ok.ok.bad-dnssec.wb.sidnlabs.nl. 3600 IN A 94.198.159.39
;; Query time: 952 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Jun 20 14:09:32 UTC 2019
;; MSG SIZE rcvd: 91
We should return no data on DNSSEC validation errors (except for +CD bit).