plugin/cache: Fix filtering (#4148)

The filtering of DNSSEC records in the cache plugin was not done
correctly. Also the change to introduced this bug didn't take into
account that the cache - by virtue of differentiating between DNSSEC and
no-DNSSEC - relied on not copying the data from the cache.

This change copies and then filters the data and factors the filtering
into a function that is used in two places (albeit with on ugly boolean
parameters to prevent copying things twice).

Add tests, do_test.go is moved to test/cache_test.go because the OPT
handing is done outside of the cache plugin. The core server re-attaches
the correct OPT when replying, so that makes for a better e2e test.

Added small unit test for filterRRslice and an explicit test that asks
for DNSSEC first and then plain, and vice versa to test cache behavior.

Fixes: #4146

Signed-off-by: Miek Gieben <miek@miek.nl>

plugin/cache/dnssec.go

@@ -0,0 +1,43 @@
+package cache
+
+import "github.com/miekg/dns"
+
+// isDNSSEC returns true if r is a DNSSEC record. NSEC,NSEC3,DS and RRSIG/SIG
+// are DNSSEC records. DNSKEYs is not in this list on the assumption that the
+// client explictly asked for it.
+func isDNSSEC(r dns.RR) bool {
+	switch r.Header().Rrtype {
+	case dns.TypeNSEC:
+		return true
+	case dns.TypeNSEC3:
+		return true
+	case dns.TypeDS:
+		return true
+	case dns.TypeRRSIG:
+		return true
+	case dns.TypeSIG:
+		return true
+	}
+	return false
+}
+
+// filterRRSlice filters rrs and removes DNSSEC RRs when do is false. In the returned slice
+// the TTLs are set to ttl. If dup is true the RRs in rrs are _copied_ into the slice that is
+// returned.
+func filterRRSlice(rrs []dns.RR, ttl uint32, do, dup bool) []dns.RR {
+	j := 0
+	rs := make([]dns.RR, len(rrs), len(rrs))
+	for _, r := range rrs {
+		if !do && isDNSSEC(r) {
+			continue
+		}
+		r.Header().Ttl = ttl
+		if dup {
+			rs[j] = dns.Copy(r)
+		} else {
+			rs[j] = r
+		}
+		j++
+	}
+	return rs[:j]
+}