From 0a42544346186f5e37276e7e5269e657459d62c9 Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Mon, 30 Nov 2020 17:06:02 +0100
Subject: [PATCH] rec: Actually discard invalid RRSIGs with too high labels
 count

---
 pdns/validate.cc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pdns/validate.cc b/pdns/validate.cc
index dc1e4c4dce..154d49f274 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -789,6 +789,7 @@ vState validateWithKeySet(time_t now, const DNSName& name, const sortedRecords_t
     unsigned int labelCount = name.countLabels();
     if (signature->d_labels > labelCount) {
       LOG(name<<": Discarding invalid RRSIG whose label count is "<<signature->d_labels<<" while the RRset owner name has only "<<labelCount<<endl);
+      continue;
     }
 
     auto keysMatchingTag = getByTag(keys, signature->d_tag, signature->d_algorithm);
-- 
2.47.2