578297
diff --git a/lib/dns/message.c b/lib/dns/message.c
578297
index 869d258..c1f9498 100644
578297
--- a/lib/dns/message.c
578297
+++ b/lib/dns/message.c
578297
@@ -1150,6 +1150,63 @@ update(dns_section_t section, dns_rdataclass_t rdclass) {
578297
 	return (ISC_FALSE);
578297
 }
578297
 
578297
+/*
578297
+ * Check to confirm that all DNSSEC records (DS, NSEC, NSEC3) have
578297
+ * covering RRSIGs.
578297
+ */
578297
+static isc_boolean_t
578297
+auth_signed(dns_namelist_t *section) {
578297
+	dns_name_t *name;
578297
+
578297
+	for (name = ISC_LIST_HEAD(*section);
578297
+	     name != NULL;
578297
+	     name = ISC_LIST_NEXT(name, link))
578297
+	{
578297
+		int auth_dnssec = 0, auth_rrsig = 0;
578297
+		dns_rdataset_t *rds;
578297
+
578297
+		for (rds = ISC_LIST_HEAD(name->list);
578297
+		     rds != NULL;
578297
+		     rds = ISC_LIST_NEXT(rds, link))
578297
+		{
578297
+			switch (rds->type) {
578297
+			case dns_rdatatype_ds:
578297
+				auth_dnssec |= 0x1;
578297
+				break;
578297
+			case dns_rdatatype_nsec:
578297
+				auth_dnssec |= 0x2;
578297
+				break;
578297
+			case dns_rdatatype_nsec3:
578297
+				auth_dnssec |= 0x4;
578297
+				break;
578297
+			case dns_rdatatype_rrsig:
578297
+				break;
578297
+			default:
578297
+				continue;
578297
+			}
578297
+
578297
+			switch (rds->covers) {
578297
+			case dns_rdatatype_ds:
578297
+				auth_rrsig |= 0x1;
578297
+				break;
578297
+			case dns_rdatatype_nsec:
578297
+				auth_rrsig |= 0x2;
578297
+				break;
578297
+			case dns_rdatatype_nsec3:
578297
+				auth_rrsig |= 0x4;
578297
+				break;
578297
+			default:
578297
+				break;
578297
+			}
578297
+		}
578297
+
578297
+		if (auth_dnssec != auth_rrsig)
578297
+			return (ISC_FALSE);
578297
+	}
578297
+
578297
+	return (ISC_TRUE);
578297
+}
578297
+
578297
 static isc_result_t
578297
 getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
578297
 	   dns_section_t sectionid, unsigned int options)
578297
@@ -1175,12 +1232,12 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
578297
 	best_effort = ISC_TF(options & DNS_MESSAGEPARSE_BESTEFFORT);
578297
 	seen_problem = ISC_FALSE;
578297
 
578297
+	section = &msg->sections[sectionid];
578297
+
578297
 	for (count = 0; count < msg->counts[sectionid]; count++) {
578297
 		int recstart = source->current;
578297
 		isc_boolean_t skip_name_search, skip_type_search;
578297
 
578297
-		section = &msg->sections[sectionid];
578297
-
578297
 		skip_name_search = ISC_FALSE;
578297
 		skip_type_search = ISC_FALSE;
578297
 		free_rdataset = ISC_FALSE;
578297
@@ -1354,7 +1411,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
578297
 			goto cleanup;
578297
 		rdata->rdclass = rdclass;
578297
 		issigzero = ISC_FALSE;
578297
-		if (rdtype == dns_rdatatype_rrsig  &&
578297
+		if (rdtype == dns_rdatatype_rrsig &&
578297
 		    rdata->flags == 0) {
578297
 			covers = dns_rdata_covers(rdata);
578297
 			if (covers == 0)
578297
@@ -1565,6 +1622,19 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
578297
 		INSIST(free_rdataset == ISC_FALSE);
578297
 	}
578297
 
578297
+	/*
578297
+	 * If any of DS, NSEC or NSEC3 appeared in the
578297
+	 * authority section of a query response without
578297
+	 * a covering RRSIG, FORMERR
578297
+	 */
578297
+	if (sectionid == DNS_SECTION_AUTHORITY &&
578297
+	    msg->opcode == dns_opcode_query &&
578297
+	    ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) &&
578297
+	    ((msg->flags & DNS_MESSAGEFLAG_TC) == 0) &&
578297
+	    !preserve_order &&
578297
+	    !auth_signed(section))
578297
+		DO_FORMERR;
578297
+
578297
 	if (seen_problem)
578297
 		return (DNS_R_RECOVERABLE);
578297
 	return (ISC_R_SUCCESS);
578297
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
578297
index 2bc4461..e5600a3 100644
578297
--- a/lib/dns/resolver.c
578297
+++ b/lib/dns/resolver.c
578297
@@ -5194,13 +5194,9 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
578297
 							      rdataset->type,
578297
 							      &noqname);
578297
 					if (tresult == ISC_R_SUCCESS &&
578297
-					    noqname != NULL) {
578297
-						tresult =
578297
-						     dns_rdataset_addnoqname(
578297
+					    noqname != NULL)
578297
+						(void) dns_rdataset_addnoqname(
578297
 							    rdataset, noqname);
578297
-						RUNTIME_CHECK(tresult ==
578297
-							      ISC_R_SUCCESS);
578297
-					}
578297
 				}
578297
 				addedrdataset = ardataset;
578297
 				result = dns_db_addrdataset(fctx->cache, node,
578297
@@ -5330,11 +5326,9 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
578297
 				tresult = findnoqname(fctx, name,
578297
 						      rdataset->type, &noqname);
578297
 				if (tresult == ISC_R_SUCCESS &&
578297
-				    noqname != NULL) {
578297
-					tresult = dns_rdataset_addnoqname(
578297
-							    rdataset, noqname);
578297
-					RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
578297
-				}
578297
+				    noqname != NULL)
578297
+					(void) dns_rdataset_addnoqname(
578297
+						       rdataset, noqname);
578297
 			}
578297
 
578297
 			/*