-
Don't stash a packet with mismatching QNAME+QTYPE. When receiving an NXDOMAIN or NODATA packet in an insecure zone, it would get cached with KR_RANK_INSECURE regardless of mismatch in QNAME. If the 0x20 pattern was preserved in the fake QNAME, such packet would then be used to answer queries with matching QNAME, even if there's no proof that this QNAME is insecure.