From 19b0e3bf21054efa1d25be64131fcabf2bb4f40e Mon Sep 17 00:00:00 2001
From: Simon Kelley
Date: Sat, 12 Oct 2019 21:54:37 +0100
Subject: [PATCH] Check for REFUSED and SERVFAIL replies to DNSKEY queries.
---
 src/dnssec.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/dnssec.c b/src/dnssec.c
index 7ec7edc..df9aecc 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -679,6 +679,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
 union all_addr a;
 if (ntohs(header->qdcount) != 1 ||
+ RCODE(header) == SERVFAIL || RCODE(header) == REFUSED ||
 !extract_name(header, plen, &p, name, 1, 4))
 return STAT_BOGUS;
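Review bot: The rcode test added to the `if` rejects only two values, so a reply carrying any other error rcode still passes this guard and reaches `extract_name()` and whatever parsing follows. If no non-NOERROR reply can carry a usable DNSKEY RRset, `RCODE(header) != NOERROR ||` would fail closed for all of them; whether NXDOMAIN or other rcodes need separate treatment depends on code outside the hunk, so please confirm. Either way the condition deserves a comment such as `/* An upstream error reply cannot carry a DNSKEY RRset we can trust: fail closed. */`, since the reason lives only in the commit subject. Returning `STAT_BOGUS` here also makes an upstream server failure indistinguishable from a failed signature check for callers and logs, which is worth noting in that comment for anyone triaging validation failures. The function body starts and ends outside the hunk.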