Present "resolving error for DANE TLSA record" in stead of "no DANE TLSA record" (false negative)

[baknu]

From a mail conversation between BK and GT (subject: "Comparison between dev.internet.nl and internet.nl" / date: 9 February 2022):

Besides I found the following inconsistency that is a possible false negative in our measurements. Sometimes we do not detect a DANE record that should be there. This happens on all environments. I thought that this would not be possible with DNSSEC signed domains and a validating resolver on the side of Internet.nl. George might be able to tell what is happening here.

• https://dev.internet.nl/site/gemeentemaastricht.nl/3823/#control-panel-25
• https://internet.nl/site/krimpenerwaard.nl/1494146/#control-panel-25
• https://en.batch.internet.nl/mail/switch.ch/2096010/#control-panel-27

You are right. No data and DNSSEC should result to bogus.
I believe here Unbound is returning SERVFAIL (something wrong with
resolving; probably no answer or something else).
I think we need to check the SERVFAIL RCODE and present something
different like resolution error instead of no TLSA record.

Tip: the rcode here
(

Internet.nl/checks/tasks/__init__.py

Line 103 in b9ec533

data["rcode"] = result.rcode

)
can go before the if and checked at the dane logic.