ldns
ldns-verify-zone: DNAME-occluded records get confusing warning about glue
With a zone containing
x.example.com. 3005 IN DNAME example.nl.
a.x.example.com. 3005 IN A 192.0.2.5
(plus SOA, DNSKEY, signatures, etc.), ldns-verify-zone reports:
Error: a.x.example.com. A has signature(s), but is glue
Error: a.x.example.com. has an NSEC(3), but is glue
There were errors in the zone
It is correct in flagging those records (they should not be there, as the DNAME occludes them), but the error text is wrong. I briefly looked at the code; fixing this might mean adding another bool similar to is_glue to the data structure.
You are right, it is actually marking all occluded data (including glue). See this excerpt from dnssec_zone.h:
/**
 * Unlike what the name is_glue suggests, this field is set to true by
 * ldns_dnssec_zone_mark_glue() or ldns_dnssec_zone_mark_and_get_glue()
 * when the name, this dnssec_name struct represents, is occluded.
 * Names that contain other occluded rrsets and records with glue on
 * the delegation point will NOT have this bool set to true.
 * This field should NOT be read directly, but only via the
 * ldns_dnssec_name_is_glue() function!
 */
bool is_glue;
Perhaps it would already be an improvement to just change the message to ", but is occluded (or glue)" instead of ", but is glue". WDYT?
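The distinction discussed in this thread, as an added example that is not ldns code and not from either participant: a standalone C program that classifies owner names as authoritative, occluded by a DNAME, or below a delegation, so each case can carry its own message. The enum, struct and function names are hypothetical, the zone is constructed apart from the two records in the report, and names are assumed to be absolute with no escaped dots.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum status { AUTHORITATIVE, BELOW_DNAME, BELOW_DELEGATION };
struct rr { const char *owner, *type; };
/* Constructed sample zone; only the x.example.com. pair is from the report. */
static const struct rr sample_zone[] = {
    { "example.com.", "SOA" },       { "example.com.", "NS" },
    { "x.example.com.", "DNAME" },   { "a.x.example.com.", "A" },
    { "sub.example.com.", "NS" },    { "ns.sub.example.com.", "A" },
    { "www.example.com.", "A" },
};
#define SAMPLE_COUNT (sizeof sample_zone / sizeof sample_zone[0])

/* Label-aligned, case-insensitive "strictly below" test (no escaped dots). */
static int is_strict_subdomain(const char *name, const char *parent)
{
    size_t n = strlen(name), p = strlen(parent);
    return n > p && name[n - p - 1] == '.' && strcasecmp(name + n - p, parent) == 0;
}

/* Classify an owner name by the ancestor closest to the apex that cuts it off. */
static enum status classify(const struct rr *zone, size_t count,
                            const char *apex, const char *owner)
{
    enum status result = AUTHORITATIVE;
    size_t best = (size_t)-1;
    for (size_t i = 0; i < count; i++) {
        int dname = strcmp(zone[i].type, "DNAME") == 0;
        /* NS at the apex is the zone's own NS set, not a delegation. */
        int cut = strcmp(zone[i].type, "NS") == 0 && strcasecmp(zone[i].owner, apex) != 0;
        if ((dname || cut) && strlen(zone[i].owner) < best
            && is_strict_subdomain(owner, zone[i].owner)) {
            best = strlen(zone[i].owner);
            result = dname ? BELOW_DNAME : BELOW_DELEGATION;
        }
    }
    return result;
}

/* Message fragments indexed by enum status. */
static const char *const reason[] = { "is authoritative",
    "is occluded by a DNAME", "is below a delegation (glue or occluded)" };

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        printf("%s %s\n", sample_zone[i].owner, reason[classify(sample_zone,
               SAMPLE_COUNT, "example.com.", sample_zone[i].owner)]);
    return 0;
}
```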