-rw-r--r--libdane/dane.c22
-rw-r--r--libdane/includes/gnutls/dane.h7
2 files changed, 24 insertions, 5 deletions
diff --git a/libdane/dane.c b/libdane/dane.c
index 6f7698ff50..666e12b517 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -648,6 +648,8 @@ dane_verify_crt_raw(dane_state_t s,
*verify = 0;
idx = 0;
do {
+ unsigned int record_verify = 0;
+
ret =
dane_query_data(r, idx++, &usage, &type, &match,
&data);
@@ -664,23 +666,35 @@ dane_verify_crt_raw(dane_state_t s,
|| usage == DANE_CERT_USAGE_CA)) {
ret =
verify_ca(chain, chain_size, chain_type, type,
- match, &data, verify);
+ match, &data, &record_verify);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
checked = 1;
+ if (record_verify == 0) {
+ *verify = 0;
+ break;
+ } else {
+ *verify |= record_verify;
+ }
} else if (!(vflags & DANE_VFLAG_ONLY_CHECK_CA_USAGE)
&& (usage == DANE_CERT_USAGE_LOCAL_EE
|| usage == DANE_CERT_USAGE_EE)) {
ret =
verify_ee(&chain[0], chain_type, type, match,
- &data, verify);
+ &data, &record_verify);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
checked = 1;
+ if (record_verify == 0) {
+ *verify = 0;
+ break;
+ } else {
+ *verify |= record_verify;
+ }
}
}
while (1);
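Review bot: The match-handling block added after `checked = 1;` in the CA-usage branch (`if (record_verify == 0) { *verify = 0; break; } else { *verify |= record_verify; }`) is duplicated verbatim in the EE-usage branch below it, and in both copies the `else` is redundant because the `if` arm ends in `break`, so `*verify |= record_verify;` can simply follow the `if`. Hoisting a single copy after the usage dispatch would need a per-record "this record was checked" flag rather than the cumulative `checked` variable: `record_verify` is reset to 0 at the top of every iteration, so a later record whose usage is skipped would otherwise look like a match and clear `*verify`. The reset to zero on a match also deserves a why-comment, since it deliberately discards constraint-violation flags accumulated from earlier non-matching TLSA records and a reader may take it for a bug: `/* any single matching TLSA record satisfies DANE; drop flags collected from earlier non-matching records */`. dane_verify_crt_raw begins and ends outside this hunk.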
@@ -688,6 +702,10 @@ dane_verify_crt_raw(dane_state_t s,
if ((vflags & DANE_VFLAG_FAIL_IF_NOT_CHECKED) && checked == 0)
ret =
gnutls_assert_val(DANE_E_REQUESTED_DATA_NOT_AVAILABLE);
+ else if (checked == 0)
+ {
+ *verify |= DANE_VERIFY_UNKNOWN_DANE_INFO;
+ }
else
ret = 0;
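Review bot: The new `else if (checked == 0)` branch sets `DANE_VERIFY_UNKNOWN_DANE_INFO` but never assigns `ret`, unlike the two sibling branches, so `ret` still holds whatever value terminated the `do { } while (1)` loop above. If that exit value is the non-zero code from the exhausted dane_query_data() call (the loop's exit path is outside this hunk), callers that test the return value get an error while callers that inspect `*verify` see a status flag, and the two views of the same result disagree. If a successful return with the flag set is the intent — which the flag-based reporting suggests — make the branch `*verify |= DANE_VERIFY_UNKNOWN_DANE_INFO; ret = 0;`. The brace on its own line after `else if (checked == 0)` also departs from the K&R placement used by the surrounding code. The function's cleanup label and return lie below this hunk.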
diff --git a/libdane/includes/gnutls/dane.h b/libdane/includes/gnutls/dane.h
index 9fd807793e..98e4a96faa 100644
--- a/libdane/includes/gnutls/dane.h
+++ b/libdane/includes/gnutls/dane.h
@@ -140,19 +140,20 @@ typedef enum dane_verify_flags_t {
/**
* dane_verify_status_t:
- * @DANE_VERIFY_CA_CONSTRAINTS_VIOLATED: The CA constrains was violated.
+ * @DANE_VERIFY_CA_CONSTRAINTS_VIOLATED: The CA constraints were violated.
* @DANE_VERIFY_CERT_DIFFERS: The certificate obtained via DNS differs.
- * @DANE_VERIFY_NO_DANE_INFO: No DANE data were found in the DNS record.
+ * @DANE_VERIFY_UNKNOWN_DANE_INFO: No known DANE data was found in the DNS record.
*
* Enumeration of different verification status flags.
*/
typedef enum dane_verify_status_t {
DANE_VERIFY_CA_CONSTRAINTS_VIOLATED = 1,
DANE_VERIFY_CERT_DIFFERS = 1 << 1,
- DANE_VERIFY_NO_DANE_INFO = 1 << 2,
+ DANE_VERIFY_UNKNOWN_DANE_INFO = 1 << 2,
} dane_verify_status_t;
#define DANE_VERIFY_CA_CONSTRAINS_VIOLATED DANE_VERIFY_CA_CONSTRAINTS_VIOLATED
+#define DANE_VERIFY_NO_DANE_INFO DANE_VERIFY_UNKNOWN_DANE_INFO
int
dane_verification_status_print(unsigned int status,
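Review bot: The compatibility macro `#define DANE_VERIFY_NO_DANE_INFO DANE_VERIFY_UNKNOWN_DANE_INFO` keeps existing callers compiling but, unlike the enum member it aliases, carries no documentation or deprecation marker, so a reader cannot tell whether new code may still use the old name. A one-line comment above it would settle that, e.g. `/* Deprecated alias of DANE_VERIFY_UNKNOWN_DANE_INFO, kept for source compatibility. */`; the `DANE_VERIFY_CA_CONSTRAINS_VIOLATED` alias just above it would benefit from the same treatment. Since the renamed member keeps the value `1 << 2`, the rename does not change the bit that callers test, which is worth stating in the gtk-doc block so that maintainers do not later renumber the enum.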