hickory-proto: NSEC3 closest-encloser proof validation enters unbounded loop on cross-zone responses
The NSEC3 closest-encloser proof validation in hickory-proto's (0.25.0-alpha.3 … 0.25.2) and hickory-net's (0.26.0-alpha.1 .. 0.26.0) DnssecDnsHandle walks from the QNAME up to the SOA owner name, building a list of candidate encloser names. The iterator used assumes the QNAME is a descendant of the SOA owner, terminating only when the current candidate equals the SOA name. When the SOA in a response's authority section is not an ancestor of the …