rec: Don't override a Bogus state, handle NSEC3s for unpublished DNSKEY
authorRemi Gacogne <remi.gacogne@powerdns.com>
Fri, 26 Mar 2021 14:56:11 +0000 (15:56 +0100)
committerRemi Gacogne <remi.gacogne@powerdns.com>
Fri, 26 Mar 2021 14:56:11 +0000 (15:56 +0100)
pdns/syncres.cc

index 3f05c592f27ed4f21e8f7f682b536480c0d56e15..a2272726db96c394cca32f22aaf64414f553e1d1 100644 (file)
@@ -2770,19 +2770,18 @@ vState SyncRes::validateRecordsWithSigs(unsigned int depth, const DNSName& qname
           /* that actually does happen when a server returns NS records in authority
              along with the DNSKEY, leading us to trying to validate the RRSIGs for
              the NS with the DNSKEY that we are about to process. */
-          if (name == signer && (type == QType::NSEC || type == QType::NSEC3)) {
+          if ((name == signer && type == QType::NSEC) || type == QType::NSEC3) {
             /* if we are trying to validate the DNSKEY (should not happen here),
                or more likely NSEC(3)s proving that it does not exist, we have a problem.
                In that case let's see if the DS does exist, and if it does let's go Bogus
             */
             dsmap_t results;
             vState dsState = getDSRecords(signer, results, false, depth, true);
-            if (dsState == vState::Insecure) {
+            if (vStateIsBogus(dsState) || dsState == vState::Insecure) {
               return dsState;
             }
             return vState::BogusUnableToGetDNSKEYs;
           }
-
           return vState::Indeterminate;
         }
       }
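Review bot: The new condition `(name == signer && type == QType::NSEC) || type == QType::NSEC3` drops the owner-name check for NSEC3 only, but the comment block above it still talks generically about "NSEC(3)s" and gives a reader no reason why the two types are treated differently, so the asymmetry looks like a precedence slip at first glance. A one-line comment before the `if` would settle that, e.g. `/* NSEC3 owner names are hashed, so they can never equal the signer; any NSEC3 at this point is a candidate for the DS check */` — hedged as "presumably" if the surrounding code does not state it. The same applies to the widened `vStateIsBogus(dsState) || dsState == vState::Insecure` test: a short note that a Bogus DS lookup must propagate as-is rather than being downgraded to BogusUnableToGetDNSKEYs would tie the code to the commit message. validateRecordsWithSigs begins before and continues past this hunk.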