From fcfaff123506b8c2300038934eef46892576d2d2 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 21 Jan 2016 01:07:56 +0100
Subject: resolved: if we detect a message with incomplete DNSSEC data,
 consider this an invalid packet event

---
 src/resolve/resolved-dns-transaction.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'src')

diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index 6b465abe48..018cfc7a63 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -675,6 +675,10 @@ static void dns_transaction_process_dnssec(DnsTransaction *t) {
         /* All our auxiliary DNSSEC transactions are complete now. Try
          * to validate our RRset now. */
         r = dns_transaction_validate_dnssec(t);
+        if (r == -EBADMSG) {
+                dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
+                return;
+        }
         if (r < 0) {
                 dns_transaction_complete(t, DNS_TRANSACTION_RESOURCES);
                 return;
-- 
cgit v1.2.3-54-g00ecf