RPZ now treats covering NSEC records the same as negative answers

diff --git a/lib/ns/query.c b/lib/ns/query.c
index c3bf4e8c454f03890056b559eeded4496da92be9..fdff214288d92fbdb165ba060a68cbf643d7e05d 100644 (file)
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -3977,6 +3977,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype,
        case DNS_R_EMPTYWILD:
        case DNS_R_NCACHENXDOMAIN:
        case DNS_R_NCACHENXRRSET:
+       case DNS_R_COVERINGNSEC:
        case DNS_R_CNAME:
        case DNS_R_DNAME:
                qresult_type = qresult_type_restart;