From b47b04c8460321d18bd76e641f7cf2ba626e32ad Mon Sep 17 00:00:00 2001
From: Simon Kelley
Date: Tue, 25 Feb 2014 23:13:28 +0000
Subject: [PATCH] Return INSECURE when validation fails with proved non-existent DS.
---
src/dnssec.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/dnssec.c b/src/dnssec.c
index a902ded..8a99a26 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1072,10 +1072,10 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
 GETSHORT(qtype, p);
 GETSHORT(qclass, p);
- if (qtype != T_DS || qclass != class || ntohs(header->ancount) == 0)
- return STAT_BOGUS;
-
- val = dnssec_validate_reply(now, header, plen, name, keyname, NULL);
+ if (qtype != T_DS || qclass != class)
+ val = STAT_BOGUS;
+ else
+ val = dnssec_validate_reply(now, header, plen, name, keyname, NULL);
 if (val == STAT_BOGUS)
 {
@@ -1083,7 +1083,11 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
 extract_name(header, plen, &p, name, 1, 4);
 log_query(F_UPSTREAM, name, NULL, "BOGUS DS");
 }
-
+
+ /* proved that no DS exists, can't validate */
+ if (val == STAT_SECURE && ntohs(header->ancount) == 0)
+ return STAT_INSECURE;
+
 return val;
 }
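Review bot: The new INSECURE return in the second hunk treats `val == STAT_SECURE && ntohs(header->ancount) == 0` as proof that no DS exists, but nothing visible here checks that the validated authority section actually carries an NSEC/NSEC3 record from the parent zone whose type bitmap lacks DS; if dnssec_validate_reply() can return STAT_SECURE for an empty-answer reply without that denial-of-existence check, an on-path attacker could strip the answer section of a signed DS response and downgrade the child zone from SECURE to INSECURE (RFC 4035 §5.2 / RFC 6840 §4.4 — the child's apex NSEC never has the DS bit set and must not be accepted as the proof). The behaviour of dnssec_validate_reply() on empty answers is not in this diff, so that is an assumption to confirm against that function rather than a defect shown here. Note also that the first hunk now routes a reply with the wrong qtype/qclass through the `BOGUS DS` log_query() path, which previously returned STAT_BOGUS silently; probably intended, but the commit message does not mention it. I would make the invariant being relied on explicit by expanding the comment to `/* STAT_SECURE with an empty answer means the validator accepted the NSEC/NSEC3 denial of DS at the delegation; treat the child as provably unsigned, not bogus. */`. dnssec_validate_ds() begins before the first hunk, so the declaration of `val` and the setup of `p` are outside this view.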