GETSHORT(qclass, p);
if (qtype != T_DNSKEY || qclass != class || ntohs(header->ancount) == 0)
- return STAT_INSECURE;
+ return STAT_BOGUS;
/* See if we have cached a DS record which validates this key */
if (!(crecp = cache_find_by_name(NULL, name, now, F_DS)))
GETSHORT(flags, p);
if (*p++ != 3)
- return STAT_INSECURE;
+ return STAT_BOGUS;
algo = *p++;
keytag = dnskey_keytag(algo, flags, p, rdlen - 4);
key = NULL;
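Review bot: `dnskey_keytag(algo, flags, p, rdlen - 4)` is reached with no lower bound on `rdlen` visible in this hunk, so a DNSKEY RDATA shorter than the four fixed bytes (flags, protocol, algorithm) would give a negative or wrapped length. Unless an earlier check outside the hunk already rejects short records, add `if (rdlen < 4) return STAT_BOGUS;` before `GETSHORT(flags, p);`, in line with the fail-closed intent of this change. The same pattern appears in the following hunk, which also ends in a `dnskey_keytag(...)` call. The enclosing loop and the declaration of `rdlen` are outside the hunk, so its signedness should be confirmed there.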
GETSHORT(flags, p);
if (*p++ != 3)
- return STAT_INSECURE;
+ return STAT_BOGUS;
algo = *p++;
keytag = dnskey_keytag(algo, flags, p, rdlen - 4);
GETSHORT(qclass, p);
if (qtype != T_DS || qclass != class || ntohs(header->ancount) == 0)
- return STAT_INSECURE;
+ return STAT_BOGUS;
val = dnssec_validate_reply(now, header, plen, name, keyname, NULL);
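Review bot: Folding `ntohs(header->ancount) == 0` into the condition that now returns STAT_BOGUS treats an empty answer to a DS query as a validation failure. An empty answer is also the normal shape of a signed proof that no DS exists, as at an unsigned delegation. If this function is where that denial is meant to be recognised, the check should be limited to the mismatch cases, `if (qtype != T_DS || qclass != class) return STAT_BOGUS;`, so that the no-answer reply still reaches `dnssec_validate_reply()` and its NSEC handling. The rest of the function is outside the hunk, so the empty-answer case may already be handled elsewhere; if it is, a comment here saying so would help.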
if (rc == 0)
{
+ /* 4035 para 5.4. Last sentence */
+ if (type == T_NSEC || type == T_RRSIG)
+ return STAT_SECURE;
+
/* NSEC with the same name as the RR we're testing, check
that the type in question doesn't appear in the type map */
rdlen -= p - psave;
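Review bot: The added comment `/* 4035 para 5.4. Last sentence */` leaves the reader to look up why NSEC and RRSIG skip the type-bitmap check that follows. Something like `/* RFC 4035 section 5.4, last sentence: a validated NSEC proves that it and its RRSIG exist, so the NSEC and RRSIG bits in the type map must be ignored. */` would make the early return self-explanatory. It would also help to state what STAT_SECURE means at this return, presumably "non-existence accepted". The function's contract is outside the hunk, and a wrong reading of this result in a denial-of-existence path would be security-relevant.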