Don't validate error returns.

diff --git a/src/dnssec.c b/src/dnssec.c
index 5467dff1fd1c6ef44f92dc9e07c6f009d1479138..324aceb44c7ad196e5e87b54a31d30562e081c4c 100644 (file)
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -955,6 +955,9 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
   int type1, class1, rdlen1, type2, class2, rdlen2;
   int i, j, rc;
 
+  if (RCODE(header) != NXDOMAIN && RCODE(header) != NOERROR)
+    return STAT_INSECURE;
+
   if (!(ans_start = skip_questions(header, plen)))
     return STAT_INSECURE;