From d3699bb6bc97172a98b013ce2b53e70ae5f43e83 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 16 Jul 2015 22:37:37 +0100
Subject: [PATCH] Small tweak to DNSSEC fix.

---
 src/dnssec.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/dnssec.c b/src/dnssec.c
index 5fb375c..39b6b51 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -2172,6 +2172,10 @@ int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, char
 
 		  rc = validate_rrset(now, header, plen, class, nsec_type, daemon->workspacename, keyname, NULL, NULL, 0, 0, 0);
 
+		  /* NSECs can't be wildcards. */
+		  if (rc == STAT_SECURE_WILDCARD)
+		    rc = STAT_BOGUS;
+
 		  if (rc != STAT_SECURE)
 		    return rc;
 		}
-- 
2.47.3