Mark dnssec-failed.org as bogus

Do not throw away bogus result from getKeysFor

diff --git a/pdns/validate-recursor.cc b/pdns/validate-recursor.cc
index 232549af254646e281c825d4b2694f89e7e2f5aa..4b951d97e2a39b53f502f18ca32dca114a5d6c82 100644 (file)
--- a/pdns/validate-recursor.cc
+++ b/pdns/validate-recursor.cc
@@ -38,19 +38,20 @@ vState validateRecords(const vector<DNSRecord>& recs)
 
   SRRecordOracle sro;
 
+  vState state;
   if(numsigs) {
     for(const auto& csp : cspmap) {
       for(const auto& sig : csp.second.signatures) {
-       getKeysFor(sro, sig->d_signer, keys); // XXX check validity here
-       //      cerr<<"! state = "<<vStates[state]<<", now have "<<keys.size()<<" keys"<<endl;
+        state = getKeysFor(sro, sig->d_signer, keys); // XXX check validity here
+        //     cerr<<"! state = "<<vStates[state]<<", now have "<<keys.size()<<" keys"<<endl;
       }
     }
-
+    if(state == Bogus) return state;
     validateWithKeySet(cspmap, validrrsets, keys);
   }
   else {
     //    cerr<<"no sigs, hoping for Insecure"<<endl;
-    vState state = getKeysFor(sro, recs.begin()->d_name, keys); // um WHAT DOES THIS MEAN - try first qname??
+    state = getKeysFor(sro, recs.begin()->d_name, keys); // um WHAT DOES THIS MEAN - try first qname??
     //    cerr<<"! state = "<<vStates[state]<<", now have "<<keys.size()<<" keys "<<endl;
     return state;
   }