Set RD bit on checkds requests

It is allowed to point parental-agents to a resolver. Therefore, the
RD bit should be set on requests.

Upon receiving a DS response, ensure that the message has either the
AA or the RA bit set.

(cherry picked from commit e34722ed43)

lib/dns/zone.c

@@ -20826,6 +20826,7 @@ checkds_done(isc_task_t *task, isc_event_t *event) {
 	/* Validate response. */
 	CHECK(validate_ds(zone, message));
 
+	/* Check RCODE. */
 	if (message->rcode != dns_rcode_noerror) {
 		dns_zone_log(zone, ISC_LOG_NOTICE,
 			     "checkds: bad DS response from %s: %.*s", addrbuf,
@@ -20833,6 +20834,17 @@ checkds_done(isc_task_t *task, isc_event_t *event) {
 		goto failure;
 	}
 
+	/* Make sure that either AA or RA bit is set. */
+	if ((message->flags & DNS_MESSAGEFLAG_AA) == 0 &&
+	    (message->flags & DNS_MESSAGEFLAG_RA) == 0)
+	{
+		dns_zone_log(zone, ISC_LOG_NOTICE,
+			     "checkds: bad DS response from %s: expected AA or "
+			     "RA bit set",
+			     addrbuf);
+		goto failure;
+	}
+
 	/* Lookup DS RRset. */
 	result = dns_message_firstname(message, DNS_SECTION_ANSWER);
 	while (result == ISC_R_SUCCESS) {
@@ -21055,6 +21067,7 @@ checkds_createmessage(dns_zone_t *zone, dns_message_t **messagep) {
 
 	message->opcode = dns_opcode_query;
 	message->rdclass = zone->rdclass;
+	message->flags |= DNS_MESSAGEFLAG_RD;
 
 	result = dns_message_gettempname(message, &tempname);
 	if (result != ISC_R_SUCCESS) {