$TTL 1d
$INCLUDE Kexample.com.+008+18169.key
$INCLUDE Kexample.com.+008+57699.key
@ IN SOA ns.example.com. hostmaster.example.com. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
IN NS ns1.example.net.
sub IN NS ns1.example.net.
test.sub IN A 127.0.0.1
The error is that there exists the "test.sub" record but "sub" is
already delegated.
BIND "dnssec-signzone" ignores "test.sub" and does not create
RRSIG/NSEC/NSEC3 records.
When I verify the signed zone (using NSEC) with validns, no error is shown.
When I verify the signed zone (using NSEC3) with validns, the error:
"no corresponding NSEC3 found for test.sub.example.com." is shown which
is correct.
I'm not sure what the right way of handling this error is. In any
case, I think the error message should be the same whether NSEC or NSEC3
is used. Practically, I could live with a WARNING and not an ERROR
because, as far as BIND dnssec-signzone goes, the additional record of
the delegated zone is not signed, so does not lead to a signing error.
However, I'm not sure if other DNSSEC signing tools handle this the same
way.
An acceptable way of reporting this would be to report an "Unused glue
record" or a "Record from a delegated zone", optionally, activated via yet
another policy check. Do you concur?
The only thing I need to check is what dnssec-signzone does for/what RFCs
say about real glue records such as
Via Daniel Stirnimann:
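As an added illustration of the distinction raised in this thread (not validns or BIND code), the following checker walks a list of zone records, finds every record whose owner lies at or below a delegation point, and separates real glue (an A/AAAA record named in the delegating NS set) from occluded records such as `test.sub`, which no signer will sign. The records are constructed from the zone in the report plus a second, hypothetical `other` delegation with in-zone glue for contrast.

```python
"""Flag records that sit under a zone cut and tell occluded data apart from glue."""
from __future__ import annotations


def fqdn(name: str, origin: str) -> str:
    """Expand a relative zone-file name against origin; lowercase with trailing dot."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def zone_cut_for(owner: str, rtype: str, delegations: set[str]) -> str | None:
    """Return the delegated name that covers `owner`, or None if it is authoritative."""
    for d in delegations:
        if owner.endswith("." + d):
            return d                      # strictly below the cut
        if owner == d and rtype not in ("NS", "DS"):
            return d                      # at the cut only NS and DS are authoritative
    return None


def find_occluded(origin: str, records: list[tuple[str, str, str]]):
    """records: (owner, type, rdata). Returns (owner, type, cut, kind) per record under a cut."""
    recs = [(fqdn(o, origin), t.upper(), r) for o, t, r in records]
    delegations = {o for o, t, _ in recs if t == "NS" and o != origin}
    # glue = address record whose owner appears in the RDATA of a delegating NS set
    glue_targets = {fqdn(r, origin) for o, t, r in recs if t == "NS" and o in delegations}
    out = []
    for owner, rtype, _ in recs:
        cut = zone_cut_for(owner, rtype, delegations)
        if cut is None:
            continue
        kind = "glue" if rtype in ("A", "AAAA") and owner in glue_targets else "occluded"
        out.append((owner, rtype, cut, kind))
    return out


ORIGIN = "example.com."
# Constructed sample: the zone from the report plus a hypothetical delegation with glue.
ZONE = [
    ("@", "NS", "ns1.example.net."),
    ("sub", "NS", "ns1.example.net."),
    ("test.sub", "A", "127.0.0.1"),          # occluded: ignored by the signer
    ("other", "NS", "ns.other.example.com."),
    ("ns.other", "A", "192.0.2.1"),          # glue: below the cut but needed for resolution
]

if __name__ == "__main__":
    for owner, rtype, cut, kind in find_occluded(ORIGIN, ZONE):
        level = "WARNING" if kind == "glue" else "ERROR"
        print(f"{level}: {rtype} {owner} lies under delegation {cut} ({kind})")
```

Run stand-alone it reports `test.sub.example.com.` as an occluded record under `sub.example.com.` and `ns.other.example.com.` as glue, which is the NSEC/NSEC3-independent classification the report asks for.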