On 08/06/2026 06.12, Jiri Masek via knot-resolver-users wrote:
> But it also "disables resolver function" - does not follow CNAME responses

Sure, when it's configured with authoritative: false, we have RD=1 and the target server is obliged to follow CNAME chains to the end.  When it doesn't, it looks like the CNAME leads to a NODATA (and perhaps it forgot to add SOA there), so that's how we interpret it now.

I disagree that having more tweakables is a good way forward.  This part of logic is quite complex as it is.  Adding more variants of the behavior will make the code more difficult to maintain and more buggy.  And requiring the users to tweak this kind of behavior is just bad; it should work by default.

The ideal way forward is to have a well-defined protocol which *both* sides follow.  What I could consider in future is to adapt the behavior of Knot Resolver to be more resilient to overcome this kind of brokenness.  (and fixing #429 as well, as I wrote already, as that change makes sense regardless of your particular case)

--Vladimir
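
A simplified model of the interpretation described in the reply above, added here as an illustration; it is not Knot Resolver's code. It assumes an answer section given as (owner, type, rdata) tuples and uses constructed sample names; the function and verdict names are hypothetical.

```python
# Illustrative model only (assumption): how a forwarder that sent RD=1 can read
# the answer section it got back. Not taken from Knot Resolver's sources.

def norm(name):
    """Compare DNS names case-insensitively and with a trailing dot."""
    return name.rstrip(".").lower() + "."

def classify_forwarded_answer(qname, qtype, answer):
    """Walk the CNAME chain in `answer` starting at qname.

    Returns (verdict, final_name, chain):
      ANSWER             - records of qtype exist at the end of the chain
      NODATA             - nothing for qname at all
      NODATA_AFTER_CNAME - chain stops at a name with no qtype records, i.e.
                           the upstream did not follow the chain to the end
      CNAME_LOOP         - the chain revisits a name
    """
    by_owner = {}
    for owner, rrtype, rdata in answer:
        by_owner.setdefault(norm(owner), []).append((rrtype.upper(), rdata))

    qtype = qtype.upper()
    current, chain, seen = norm(qname), [], set()
    while True:
        if current in seen:
            return ("CNAME_LOOP", current, chain)
        seen.add(current)
        rrs = by_owner.get(current, [])
        if any(t == qtype for t, _ in rrs):
            return ("ANSWER", current, chain)
        targets = [rd for t, rd in rrs if t == "CNAME"]
        if not targets:
            return ("NODATA_AFTER_CNAME" if chain else "NODATA", current, chain)
        current = norm(targets[0])
        chain.append(current)

# Constructed sample answer sections (names and addresses are placeholders).
COMPLETE = [("www.example.test.", "CNAME", "edge.cdn.test."),
            ("edge.cdn.test.", "A", "192.0.2.10")]
TRUNCATED = [("WWW.Example.Test.", "CNAME", "edge.cdn.test.")]  # chain not followed
LOOPING = [("a.test.", "CNAME", "b.test."), ("b.test.", "CNAME", "a.test.")]

if __name__ == "__main__":
    for label, ans, q in (("complete", COMPLETE, "www.example.test"),
                          ("truncated", TRUNCATED, "www.example.test"),
                          ("looping", LOOPING, "a.test")):
        print(label, classify_forwarded_answer(q, "A", ans))
```
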