dnsmasq: Import latest git version of dnsmasq
diff --git a/src/patches/dnsmasq/0030-Don-t-answer-from-cache-RRsets-from-wildcards-as-we-.patch b/src/patches/dnsmasq/0030-Don-t-answer-from-cache-RRsets-from-wildcards-as-we-.patch
new file mode 100644 (file)
index 0000000..5f489e2
--- /dev/null
@@ -0,0 +1,45 @@
+From 5e321739db381a1d7b5964d76e9c81471d2564c9 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 12 Jan 2015 23:16:56 +0000
+Subject: [PATCH 30/55] Don't answer from cache RRsets from wildcards, as we
+ don't have NSECs.
+
+---
+ src/dnssec.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/dnssec.c b/src/dnssec.c
+index afb3dca38cb1..d39ab85ed966 100644
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -1818,11 +1818,14 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
+             struct blockdata *key;
+             struct crec *crecp;
+             char *wildname;
++            int have_wildcard = 0;
+             rc = validate_rrset(now, header, plen, class1, type1, name, keyname, &wildname, NULL, 0, 0, 0);
+             
+             if (rc == STAT_SECURE_WILDCARD)
+               {
++                have_wildcard = 1;
++
+                 /* An attacker replay a wildcard answer with a different
+                    answer and overlay a genuine RR. To prove this
+                    hasn't happened, the answer must prove that
+@@ -1913,7 +1916,11 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
+                             p2 += 13; /* labels, orig_ttl, expiration, inception */
+                             GETSHORT(keytag, p2);
+                             
+-                            if ((key = blockdata_alloc((char*)psave, rdlen2)))
++                            /* We don't cache sigs for wildcard answers, because to reproduce the
++                               answer from the cache will require one or more NSEC/NSEC3 records 
++                               which we don't cache. The lack of the RRSIG ensures that a query for
++                               this RRset asking for a secure answer will always be forwarded. */
++                            if (!have_wildcard && (key = blockdata_alloc((char*)psave, rdlen2)))
+                               {
+                                 if (!(crecp = cache_insert(name, &a, now, ttl,  F_FORWARD | F_DNSKEY | F_DS)))
+                                   blockdata_free(key);
+-- 
+2.1.0
+