Clear dns64_aaaaok immediately after use

The DNS64 state information stored in client->query.dns64_aaaaok
could cause an assertion failure in query_respond() if the server
was configured in such a way as to trigger a new recursion before
the query had been reset - for example, by using the filter-aaaa
plugin, which may need to recurse to find out whether an A record
exists.

This has been addressed by clearing DNS64 state information
immediately after the call to query_filter64().

(cherry picked from commit 7213b038f0)

bin/tests/system/filter_aaaa/ns5/named.conf.in

@@ -23,9 +23,9 @@ options {
 	dnssec-validation no;
 	notify yes;
 	dns64 64:ff9b::/96 {
-			    clients { any; };
-			    exclude { any; };
-			    mapped { any; };
+		clients { any; };
+		exclude { ::1/128; };
+		mapped { any; };
 	};
 	minimal-responses no;
 };

lib/ns/query.c

@@ -716,7 +716,6 @@ query_reset(ns_client_t *client, bool everything) {
 	if (client->query.dns64_aaaaok != NULL) {
 		isc_mem_put(client->mctx, client->query.dns64_aaaaok,
 			    client->query.dns64_aaaaoklen * sizeof(bool));
-		client->query.dns64_aaaaok = NULL;
 		client->query.dns64_aaaaoklen = 0;
 	}
 
@@ -8331,6 +8330,10 @@ query_addanswer(query_ctx_t *qctx) {
 	} else if (qctx->client->query.dns64_aaaaok != NULL) {
 		query_filter64(qctx);
 		ns_client_putrdataset(qctx->client, &qctx->rdataset);
+		isc_mem_put(qctx->client->mctx,
+			    qctx->client->query.dns64_aaaaok,
+			    qctx->client->query.dns64_aaaaoklen * sizeof(bool));
+		qctx->client->query.dns64_aaaaoklen = 0;
 	} else {
 		if (!qctx->is_zone && RECURSIONOK(qctx->client) &&
 		    !QUERY_STALETIMEOUT(&qctx->client->query))