Description
Describe the bug
The test cases inet_res_SUITE:tsig_client/1 (and maybe inet_res_SUITE:tsig_server/1) sometimes fail for newer versions of Knot.
When investigating this it became clear that tsig_client/1 fails the AXFR request it intends to do because Knot returns an error code 9 (not authoritative for the requested domain). So there is no zone transfer return, and therefore no multiple TSIG signed replies, which is what the test case intends to test.
Instead the server replies with a TSIG signed error, which the test case passes even though a lot of TSIG code didn't execute. On later versions of Knot it seems the error return is not signed, which fails the test. Therefore it seems the test fails occasionally in our daily tests, but the reality is that it doesn't test what it is supposed to test.
To Reproduce
Modify the test case to print the server replies, and it shows that there is no zone transfer but instead an error reply.
Expected behavior
I guess there is some tiny little Knot configuration detail that needs fixing to make Knot believe it is authoritative for the zone, but I have not found it with a quick look and search.
The test case should check the result code to verify that the zone transfer is successful, in addition to verifying the TSIG signature.
To facilitate this, a new API function in inet_res is probably needed, a low level one that decodes the result code but allows inspecting the TSIG signature afterwards.
Affected versions
28 and probably earlier
Additional context
TSIG in inet_res was added in PR #6985, by @jimdigriz, so you will probably figure this one out in a jiffy... ;-)
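The check asked for under "Expected behavior", sketched at the DNS wire level as an added example (Python, not OTP code and not part of the original report): a reply set counts as a zone transfer only if every message has RCODE 0 and the answers run SOA ... SOA, regardless of whether a TSIG record is present. The zone name `example.test`, the helper names and the sample replies are constructed for illustration.

```python
import struct

NOERROR, NOTAUTH = 0, 9      # RCODEs; 9 is the error described in this issue
T_SOA, T_A, T_TSIG, T_AXFR = 6, 1, 250, 252

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def summarize(msg):
    """Return (rcode, answer RR types, has_tsig) for one DNS message."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # skip QTYPE and QCLASS
    types = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        types.append(rtype)
    return flags & 0xF, types[:an], T_TSIG in types[an + ns:]

def axfr_ok(messages):
    """True only if every message is NOERROR and the answers run SOA ... SOA."""
    answers = []
    for m in messages:
        rcode, an_types, _signed = summarize(m)
        if rcode != NOERROR:
            return False
        answers += an_types
    return len(answers) >= 2 and answers[0] == answers[-1] == T_SOA

# --- constructed sample replies (placeholder RDATA, not real signatures) ---
def _name(s):
    return b"".join(bytes([len(p)]) + p.encode() for p in s.split(".")) + b"\0"

def build(rcode, an_types, signed=True):
    rr = lambda t: _name("example.test") + struct.pack("!HHIH", t, 1, 0, 4) + b"\0" * 4
    body = _name("example.test") + struct.pack("!HH", T_AXFR, 1)
    body += b"".join(rr(t) for t in an_types) + (rr(T_TSIG) if signed else b"")
    return struct.pack("!6H", 1, 0x8000 | rcode, 1, len(an_types), 0, int(signed)) + body

SIGNED_ERROR = [build(NOTAUTH, [])]       # carries a TSIG RR, transfers nothing
TRANSFER = [build(NOERROR, [T_SOA, T_A]), build(NOERROR, [T_A, T_SOA])]
```

`SIGNED_ERROR` carries a TSIG record and so would satisfy a signature-only assertion, yet `axfr_ok` rejects it; only `TRANSFER` passes both conditions.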