downgrades due to NSEC3 limits interact badly with wildcards (and validating the resolver answer)
Reported here. In this particular example, an authoritative server returns an answer that exceeds the NSEC3 iteration limit:
;; ANSWER SECTION:
www.rezervujstul.cz. 3600 A 185.59.210.141
www.rezervujstul.cz. 3600 RRSIG A 13 2 3600 20240523000000 20240502000000 13481 rezervujstul.cz. [omitted]
;; AUTHORITY SECTION:
t4h2dn52ecfsraeit9cr2jf3ftr755jv.rezervujstul.cz. 3600 NSEC3 1 0 100 BA2329586C8F467A 33ushjibf6cscdps8l6iir3h1n27jjjh A AAAA RRSIG
t4h2dn52ecfsraeit9cr2jf3ftr755jv.rezervujstul.cz. 3600 RRSIG NSEC3 13 3 3600 20240523000000 20240502000000 13481 rezervujstul.cz. [omitted]
Knot Resolver then downgrades the name and serves just the A+RRSIG.
Such an answer can't be DNSSEC-validated downstream. The NSEC3+RRSIG is needed either to confirm the positive (wildcard) proof or to decide that the downgrade should happen.
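To make the point concrete, here is an added example (not Knot Resolver code) that models what a downstream validator can conclude from the records a resolver forwards: the RRSIG labels field reveals the wildcard expansion, and the decision between "insecure" and "bogus" depends on whether the NSEC3 survives. The iteration limit is a parameter; the sample records are the ones quoted above and the function names are mine.

```python
from dataclasses import dataclass

# Constructed sample: the ANSWER + AUTHORITY records quoted in the report.
SAMPLE = """
www.rezervujstul.cz. 3600 A 185.59.210.141
www.rezervujstul.cz. 3600 RRSIG A 13 2 3600 20240523000000 20240502000000 13481 rezervujstul.cz. [omitted]
t4h2dn52ecfsraeit9cr2jf3ftr755jv.rezervujstul.cz. 3600 NSEC3 1 0 100 BA2329586C8F467A 33ushjibf6cscdps8l6iir3h1n27jjjh A AAAA RRSIG
t4h2dn52ecfsraeit9cr2jf3ftr755jv.rezervujstul.cz. 3600 RRSIG NSEC3 13 3 3600 20240523000000 20240502000000 13481 rezervujstul.cz. [omitted]
"""

@dataclass
class RR:
    owner: str
    rtype: str
    rdata: list  # presentation-format fields after the type

def parse(text):
    rrs = []
    for line in text.strip().splitlines():
        owner, _ttl, rtype, *rdata = line.split()
        rrs.append(RR(owner, rtype, rdata))
    return rrs

def label_count(name):
    return len([l for l in name.rstrip(".").split(".") if l])

def is_wildcard_expansion(rrsig):
    # RRSIG rdata: type-covered, algorithm, labels, original-ttl, ...
    # A labels value below the owner's label count means the signature was
    # made over a wildcard, so the validator also needs a proof that no
    # closer name exists (RFC 4035 section 5.3.4); in this zone that is NSEC3.
    return int(rrsig.rdata[2]) < label_count(rrsig.owner)

def nsec3_iterations(nsec3):
    # NSEC3 rdata: hash-alg, flags, iterations, salt, next-hash, type bitmap
    return int(nsec3.rdata[2])

def classify(rrs, iteration_limit):
    # Checks proof completeness only; signature verification is out of scope.
    rrsigs = [r for r in rrs if r.rtype == "RRSIG"]
    nsec3s = [r for r in rrs if r.rtype == "NSEC3"]
    wildcard = any(is_wildcard_expansion(s) for s in rrsigs if s.rdata[0] != "NSEC3")
    if not wildcard:
        return "validatable"
    if not nsec3s or not any(s.rdata[0] == "NSEC3" for s in rrsigs):
        return "bogus"  # wildcard answer without a signed closest-encloser proof
    if any(nsec3_iterations(n) > iteration_limit for n in nsec3s):
        return "insecure"  # proof present but over limit: downgrade is justified
    return "validatable"

def strip_authority(rrs):
    # Model the behaviour the report describes: forward only A + RRSIG(A).
    return [r for r in rrs if r.rtype != "NSEC3"
            and not (r.rtype == "RRSIG" and r.rdata[0] == "NSEC3")]
```

With the NSEC3 kept, a validator whose limit is below 100 iterations can downgrade on its own; with it stripped, the same validator has no proof at all and must reject the answer.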