Ensure responses sourced from mirror zones have the AD bit set
Zone RRsets are assigned trust level "ultimate" upon load, which causes the AD bit to not be set in responses coming from slave zones, including mirror zones. Make dns_zoneverify_dnssec() update the trust level of verified RRsets to "secure" so that the AD bit is set in such responses. No rollback mechanism is implemented as dns_zoneverify_dnssec() fails in case of any DNSSEC failure, which causes the mirror zone version being verified to be discarded.
Showing with 23 additions and 1 deletion