downgrades due to NSEC3 limits interact badly with wildcards (and validating the resolver answer)

Reported here. This particular example, an auth returns an answer shooting over limit:

;; ANSWER SECTION:
www.rezervujstul.cz.    3600    A       185.59.210.141
www.rezervujstul.cz.    3600    RRSIG   A 13 2 3600 20240523000000 20240502000000 13481 rezervujstul.cz. [omitted]

;; AUTHORITY SECTION:
t4h2dn52ecfsraeit9cr2jf3ftr755jv.rezervujstul.cz. 3600  NSEC3   1 0 100 BA2329586C8F467A 33ushjibf6cscdps8l6iir3h1n27jjjh A AAAA RRSIG
t4h2dn52ecfsraeit9cr2jf3ftr755jv.rezervujstul.cz. 3600  RRSIG   NSEC3 13 3 3600 20240523000000 20240502000000 13481 rezervujstul.cz. [omitted]

and Knot Resolver downgrades the name and serves just the A+RRSIG.

Such an answer can't be DNSSEC-validated. The NSEC3+RRSIG is needed to either confirm the positive proof or decide that the downgrade should happen.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

Admin message

Admin message

downgrades due to NSEC3 limits interact badly with wildcards (and validating the resolver answer)