Fix: DNSSEC - return SERVFAIL when signed zone omits RRSIG

[MaciejTe]

Summary:

Fix DNSSEC nosig: SERVFAIL when signed zone omits RRSIG

• Fail closed on missing RRSIG when delegation is secure (DS present)

• Map to SERVFAIL with EDE RRSIGsMissing

• Update resolver and handler tests for nosig dnscheck case

[semihalev]

Can you skip Test_resolverNSEC3nodataerror test with t.Skip("Skipping: testlabs.example.com DNSSEC configuration is currently broken (external dependency)") The test failed.

[MaciejTe]

@semihalev Looks like forwarder_test was failing because of upstream DNS failure resolutions; I have created mock DNS server in forwarder package test and injected *dns.Client to Exchange function to fix the issue (precisely, to make it possible to use InsecureSkipVerify: true in tls.Config). Please let me know if this approach is acceptable.

[codecov]

Codecov Report

❌ Patch coverage is 65.33333% with 26 lines in your changes missing coverage. Please review.
✅ Project coverage is 80.37%. Comparing base (ef02637) to head (246870d).

Files with missing lines	Patch %	Lines
middleware/resolver/resolver.go	69.84%	13 Missing and 6 partials ⚠️
util/helpers.go	0.00%	7 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #447      +/-   ##
==========================================
+ Coverage   80.16%   80.37%   +0.21%     
==========================================
  Files          77       77              
  Lines        8942     8960      +18     
==========================================
+ Hits         7168     7202      +34     
+ Misses       1376     1358      -18     
- Partials      398      400       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[semihalev]

A small linter issue detected, after the fix looks everything good.