GETSHORT(qtype, p);
GETSHORT(qclass, p);
- if (qtype != T_DS || qclass != class || ntohs(header->ancount) == 0)
- return STAT_BOGUS;
-
- val = dnssec_validate_reply(now, header, plen, name, keyname, NULL);
+ if (qtype != T_DS || qclass != class)
+ val = STAT_BOGUS;
+ else
+ val = dnssec_validate_reply(now, header, plen, name, keyname, NULL);
if (val == STAT_BOGUS)
{
extract_name(header, plen, &p, name, 1, 4);
log_query(F_UPSTREAM, name, NULL, "BOGUS DS");
}
-
+
+ /* proved that no DS exists, can't validate */
+ if (val == STAT_SECURE && ntohs(header->ancount) == 0)
+ return STAT_INSECURE;
+
return val;
}
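Review bot: The new `return STAT_INSECURE;` treats `val == STAT_SECURE` with `ancount == 0` as proof that no DS exists, but nothing visible here shows that dnssec_validate_reply() reached STAT_SECURE by verifying a signed NSEC/NSEC3 denial for this name and type, rather than by finding no answer records to check. Because this result turns validation off below the delegation, the condition should rest on an explicit proof-of-nonexistence result from the validator instead of the header's answer count. The comment should at least state the dependency, e.g. `/* STAT_SECURE with no answers: relies on dnssec_validate_reply() having verified the signed denial of DS */`. Separately, with the early return removed, empty replies can now reach the BOGUS branch, where `extract_name(header, plen, &p, name, 1, 4)` appears to start from `p` after the two GETSHORT reads rather than at the question name, and its return value is ignored, so the logged name may be wrong or stale; rewinding first, e.g. `p = (unsigned char *)(header+1);`, would address that if `p` is not reset elsewhere. The hunk header and the start of the function are outside the visible lines.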