rec: unexpected SERVFAIL on a nodata answer for a secure domain

[giganteous]

• Program: Recursor
• Issue type: Bug report

Short description

Signed domain gives SERVFAIL (bogus) answer on the AAAA query where auth says NODATA.

http://dnsviz.net/d/assets.webshopapp.com/dnssec/?rr=28&a=all&ds=all&ta=.&tk=

Environment

• Operating system: Debian/stretch
• Software version: 0.0.1798g0e9a0d5-1pdns.stretch
• Software source: repo

Steps to reproduce

1. load pdns-recursor
2. dig AAAA assets.webshopapp.com @resolver

Expected behaviour

nodata

Actual behaviour

servfail

Other information

13:28|   rgacogne: looking
13:31|   rgacogne: I think I have a fix for that this case on a branch
13:31|   rgacogne: let me check
13:32|   rgacogne: yeah, it works fine on my branch
13:32|   rgacogne: I'm not ready to PR it yet, though :-/
13:32|     kaisan: rgacogne: do you want me to file it
13:33|   rgacogne: kaisan: if you don't mind, so I don't forget to PR and merge before rec 4.1.0 :)

[rgacogne]

Our NSEC3 denial code is wrong for this exact case. I have a fix on a branch, just needs a bit of work before I can open a PR.