WIP: resolve: adjust scrubbing of DNSSEC RRs from answer
(based atop !301 (merged))
the first two commits are uninteresting here
Edited by Vladimír Čunát
@vcunat I'm not really sure if this is solving a particular problem (which one?) or if it is refactoring to make it more maintainable (I hope) :-)
Should we rebase and merge it?
added needinfo label
No, this is about something else. In case the client doesn't send +dnssec, DNSSEC records should not be included. The RFC (linked in the diff) doesn't seem very clear about edge cases, but some edges in the current code feel weird to me, e.g.:

    $ kdig foo18g85.com NSEC3
    ;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 41603
    ;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 4; ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;; foo18g85.com. IN NSEC3

    ;; AUTHORITY SECTION:
    com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1588255325 1800 900 604800 86400
    ck0pojmg874ljref7efn8430qvit8bsm.com. 86400 IN NSEC3 1 1 0 - ck0q1gin43n1arrc9osm6qpqr81h5m9a NS SOA RRSIG DNSKEY NSEC3PARAM
    32e0lpu03e3eu6v9gq6vkv6l7is5ic4a.com. 86400 IN NSEC3 1 1 0 - 32e1tv6ovgh5i8kp6tjnn34ok0mjsvr6 NS DS RRSIG
    3rl2q58205687c8i9kc9mv46dghcns45.com. 86400 IN NSEC3 1 1 0 - 3rl3odp8d910939i655b97gaqu6ve1q7 NS DS RRSIG

Still, the importance of this seems very low, which is why this MR remained without much attention.
Edited by Vladimír Čunát
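
One way to check a reply for this from the client side, as an added example that is not part of the merge request or of the project's code: it scans kdig-style text output from a query sent without +dnssec and lists the DNSSEC-only records left in it, marking those whose type equals the queried type, which is the situation in the NSEC3 query above. The set of types treated as DNSSEC-only, the function name and the sample response are assumptions constructed for the illustration.

```python
import re

# Assumption: types that appear only as DNSSEC signatures or denial proofs.
# The thread does not enumerate them.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3"}

SECTION_RE = re.compile(r"^;; (QUESTION|ANSWER|AUTHORITY|ADDITIONAL) SECTION:")

def dnssec_leftovers(kdig_text):
    """Return (qtype, findings) for a kdig-style text response.

    findings is a list of (section, owner, rrtype, matches_qtype) tuples,
    one per DNSSEC-only record found outside the question section."""
    section, qtype, findings = None, None, []
    for raw in kdig_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "QUESTION" and line.startswith(";; "):
            qtype = line.split()[-1]      # ";; name. IN TYPE"
            continue
        if not line or line.startswith(";") or section in (None, "QUESTION"):
            continue                      # comments, blanks, header lines
        fields = line.split()             # owner TTL CLASS TYPE rdata...
        if len(fields) < 4 or not fields[1].isdigit():
            continue
        owner, rrtype = fields[0], fields[3]
        if rrtype in DNSSEC_TYPES:
            findings.append((section, owner, rrtype, rrtype == qtype))
    return qtype, findings

# Constructed sample: NXDOMAIN reply to an NSEC3 query sent without +dnssec.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 1
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 3; ADDITIONAL: 0

;; QUESTION SECTION:
;; nx.example.       IN NSEC3

;; AUTHORITY SECTION:
example. 900 IN SOA ns.example. admin.example. 1 1800 900 604800 86400
aaaa.example. 86400 IN NSEC3 1 1 0 - bbbb NS SOA RRSIG
aaaa.example. 86400 IN RRSIG NSEC3 8 2 86400 20300101000000 20290101000000 1 example. c2ln
"""

if __name__ == "__main__":
    qtype, findings = dnssec_leftovers(SAMPLE)
    for section, owner, rrtype, same in findings:
        note = "same type as the question" if same else "not asked for"
        print(f"{section}: {owner} {rrtype} ({note}, qtype={qtype})")
```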