Small tweak to DNSSEC fix.

diff --git a/src/dnssec.c b/src/dnssec.c
index 5fb375c627da17fa6f6ea3e64d4379df779b19a6..39b6b51e011fa293aa098266ac508550e0e82dd9 100644 (file)
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -2172,6 +2172,10 @@ int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, char
 
                  rc = validate_rrset(now, header, plen, class, nsec_type, daemon->workspacename, keyname, NULL, NULL, 0, 0, 0);
 
+                 /* NSECs can't be wildcards. */
+                 if (rc == STAT_SECURE_WILDCARD)
+                   rc = STAT_BOGUS;
+
                  if (rc != STAT_SECURE)
                    return rc;
                }