git.bitcoin.ninja Git - dnssec-prover/commit
Ignore spurious `RRSig`s which sign `DNSKEY`s with a ZSK
author Matt Corallo <git@bluematt.me>
Tue, 9 Jul 2024 20:33:37 +0000 (20:33 +0000)
committer Matt Corallo <git@bluematt.me>
Tue, 9 Jul 2024 20:52:09 +0000 (20:52 +0000)
commit cc7d4e144873bbb8b37d48057642bb9b7ce1de22
tree c16af44024d202c4b5b151f71014a6edbe4cfa50
parent ff1c89350d118fb3583664720785ec1c93dbe175
Ignore spurious `RRSig`s which sign `DNSKEY`s with a ZSK

There's no reason to include an `RRSig` signing `DNSKEY`s with a
ZSK - validators only care about the KSK signing `DNSKEY`s, hence
*Key*-Signing Key. However, OVH appears to include such signatures
anyway, which we must ignore.

Here we do so by pre-filtering the `RRSig`s we try to validate by
key tag before calling `verify_rrsig`. This causes us to calculate
the key tag a few extra times, but that's not a huge deal.
src/validation.rs
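
The key-tag pre-filter described in the commit message, sketched as an added example that is not dnssec-prover's own code: the `DnsKey` and `RRSig` types, `candidate_sigs`, and the assumption that the allowed keys are the ones already matched to the parent's DS record are all hypothetical. Key tags are not unique, so the filter only selects candidates, and each one must still pass cryptographic verification.

```rust
// Added example: hypothetical types, not dnssec-prover's own structures.
struct DnsKey { flags: u16, protocol: u8, alg: u8, pubkey: Vec<u8> }
struct RRSig { alg: u8, key_tag: u16 } // signature bytes omitted: only the filter is shown

/// RFC 4034 Appendix B key tag: the DNSKEY RDATA summed as big-endian 16-bit
/// words, with the carry folded in once (not valid for algorithm 1).
fn key_tag(key: &DnsKey) -> u16 {
    let mut rdata = key.flags.to_be_bytes().to_vec();
    rdata.extend_from_slice(&[key.protocol, key.alg]);
    rdata.extend_from_slice(&key.pubkey);
    let mut ac: u32 = 0;
    for (i, b) in rdata.iter().enumerate() {
        ac += if i % 2 == 0 { (*b as u32) << 8 } else { *b as u32 };
    }
    ac += (ac >> 16) & 0xffff;
    (ac & 0xffff) as u16
}

/// Keep only the signatures that name, by algorithm and key tag, one of the
/// keys already matched to the parent's DS record (assumed to be the KSKs).
/// Signatures made with any other key are never handed to verification.
fn candidate_sigs<'a>(sigs: &'a [RRSig], ds_matched: &[DnsKey]) -> Vec<&'a RRSig> {
    sigs.iter()
        .filter(|s| ds_matched.iter().any(|k| k.alg == s.alg && key_tag(k) == s.key_tag))
        .collect()
}

/// Constructed sample: a KSK (flags 257), a ZSK (flags 256), and two RRSIGs
/// over the DNSKEY set, one made with each key. Public keys are dummy bytes.
fn sample() -> (DnsKey, DnsKey, Vec<RRSig>) {
    let ksk = DnsKey { flags: 257, protocol: 3, alg: 13, pubkey: vec![1, 2, 3, 4] };
    let zsk = DnsKey { flags: 256, protocol: 3, alg: 13, pubkey: vec![5, 6, 7, 8] };
    let sigs = vec![
        RRSig { alg: 13, key_tag: key_tag(&zsk) }, // spurious: ZSK signing DNSKEYs
        RRSig { alg: 13, key_tag: key_tag(&ksk) }, // the one a validator cares about
    ];
    (ksk, zsk, sigs)
}

fn main() {
    let (ksk, _zsk, sigs) = sample();
    for s in candidate_sigs(&sigs, &[ksk]) {
        println!("would verify RRSIG with key tag {}", s.key_tag);
    }
}
```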