Fix DNSSEC validation of ANY queries.
diff --git a/CHANGELOG b/CHANGELOG
index e0d2fed..55c33b9 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,17 @@
+version 2.71
+ Subtle change to error handling to help DNSSEC validation
+ when servers fail to provide NODATA answers for
+ non-existent DS records.
+
+ Tweak code which removes DNSSEC records from answers when
+ not required. Fixes broken answers when additional section
+ has real records in it. Thanks to Marco Davids for the bug
+ report.
+
+ Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
+ for spotting that too.
+
+
version 2.70
Fix crash, introduced in 2.69, on TCP request when dnsmasq
compiled with DNSSEC support, but running without DNSSEC
diff --git a/src/dnssec.c b/src/dnssec.c
index 1aea299..47ecc51 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1682,6 +1682,9 @@
GETSHORT(qtype, p1);
GETSHORT(qclass, p1);
ans_start = p1;
+
+ if (qtype == T_ANY)
+ have_answer = 1;
/* Can't validate an RRISG query */
if (qtype == T_RRSIG)