plugin/sign: fix signing of authoritative data (#3479)

Don't sign data we are not authoritative for. This adds an AuthWalk
which skips names we should not authoritative for. Adds a few tests to
check this is the case. Generates zones have been compared to
dnssec-signzone.

A number of changes have been made:

* don't add DS records to the apex
* NSEC TTL is the SOA's minttl value (copying bind9)
* Various cleanups
* signer struct was cleaned up: doesn't need ttl, nor expiration or
  inception.
* plugin/sign: remove apex stuff from names()
  This is never used because we will always have other types in the
  apex, because we *ADD* them ourselves, before we sign (DNSKEY, CDS and
  CDNSKEY).

Signed-off-by: Miek Gieben <miek@miek.nl>
Co-Authored-By: Chris O'Haver <cohaver@infoblox.com>

plugin/sign/nsec.go

@@ -9,24 +9,19 @@ import (
 	"github.com/miekg/dns"
 )
 
-// names returns the elements of the zone in nsec order. If the returned boolean is true there were
-// no other apex records than SOA and NS, which are stored separately.
-func names(origin string, z *file.Zone) ([]string, bool) {
-	// if there are no apex records other than NS and SOA we'll miss the origin
-	// in this list. Check the first element and if not origin prepend it.
+// names returns the elements of the zone in nsec order.
+func names(origin string, z *file.Zone) []string {
+	// There will also be apex records other than NS and SOA (who are kept separate), as we
+	// are adding DNSKEY and CDS/CDNSKEY records in the apex *before* we sign.
 	n := []string{}
-	z.Walk(func(e *tree.Elem, _ map[uint16][]dns.RR) error {
+	z.AuthWalk(func(e *tree.Elem, _ map[uint16][]dns.RR, auth bool) error {
+		if !auth {
+			return nil
+		}
 		n = append(n, e.Name())
 		return nil
 	})
-	if len(n) == 0 {
-		return nil, false
-	}
-	if n[0] != origin {
-		n = append([]string{origin}, n...)
-		return n, true
-	}
-	return n, false
+	return n
 }
 
 // NSEC returns an NSEC record according to name, next, ttl and bitmap. Note that the bitmap is sorted before use.