An NSEC record cannot attest to its own non-existance!
diff --git a/src/dnssec.c b/src/dnssec.c
index 12d8ac3..7c09d0d 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -860,7 +860,7 @@
GETSHORT(qclass, p);
if (qtype != T_DNSKEY || qclass != class || ntohs(header->ancount) == 0)
- return STAT_INSECURE;
+ return STAT_BOGUS;
/* See if we have cached a DS record which validates this key */
if (!(crecp = cache_find_by_name(NULL, name, now, F_DS)))
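Review bot: The return on L10 now reports STAT_BOGUS for three conditions folded into one test on L8, and the third, `ntohs(header->ancount) == 0`, is an empty answer rather than a malformed one, so a NODATA reply to the DNSKEY query is classed as bogus before the cached-DS lookup on L12 has established that the zone is expected to be signed. If this path can be reached for a zone that has no DS, that ordering turns an unsigned zone into a validation failure; if the caller guarantees a DS exists, the hunk is fine but that precondition is worth stating. A short comment above the return would record the intent either way, e.g. `/* wrong question or empty DNSKEY answer: reply is unusable, reject rather than fall back to insecure */`. The same STAT_INSECURE to STAT_BOGUS change is made at L16-17, L24-25 and, for the T_DS query, L31-32; the enclosing function starts before this hunk.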
@@ -894,7 +894,7 @@
GETSHORT(flags, p);
if (*p++ != 3)
- return STAT_INSECURE;
+ return STAT_BOGUS;
algo = *p++;
keytag = dnskey_keytag(algo, flags, p, rdlen - 4);
key = NULL;
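Review bot: Returning STAT_BOGUS on L17 when the DNSKEY protocol octet is not 3 rejects the whole reply on account of one record, whereas RFC 4034 section 2.1.2 says such a DNSKEY RR must be treated as invalid during signature verification, which means skipping that key and continuing with the remaining records. If this check sits inside the per-record loop (the loop head is outside the hunk), skipping the record rather than returning would match the RFC; at minimum a comment such as `/* RFC 4034 2.1.2: protocol octet must be 3 */` should name the rule being enforced. The check at L24-25 has the same shape and the same concern.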
@@ -984,7 +984,7 @@
GETSHORT(flags, p);
if (*p++ != 3)
- return STAT_INSECURE;
+ return STAT_BOGUS;
algo = *p++;
keytag = dnskey_keytag(algo, flags, p, rdlen - 4);
@@ -1080,7 +1080,7 @@
GETSHORT(qclass, p);
if (qtype != T_DS || qclass != class || ntohs(header->ancount) == 0)
- return STAT_INSECURE;
+ return STAT_BOGUS;
val = dnssec_validate_reply(now, header, plen, name, keyname, NULL);
@@ -1255,6 +1255,10 @@
if (rc == 0)
{
+ /* 4035 para 5.4. Last sentence */
+ if (type == T_NSEC || type == T_RRSIG)
+ return STAT_SECURE;
+
/* NSEC with the same name as the RR we're testing, check
that the type in question doesn't appear in the type map */
rdlen -= p - psave;