Check for REFUSED and SERVFAIL replies to DNSKEY queries.

2025-12-19 10:18:25 +00:00 · 2019-10-12 21:54:37 +01:00
parent 203ce0a081
commit 19b0e3bf21
1 changed files with 1 additions and 0 deletions
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -679,6 +679,7 @@ int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, ch
  union all_addr a;

  if (ntohs(header->qdcount) != 1 ||
+      RCODE(header) == SERVFAIL || RCODE(header) == REFUSED ||
      !extract_name(header, plen, &p, name, 1, 4))
    return STAT_BOGUS;