From 6d6c50db3a47e5af5ec463fa3d4b94cb677cb880 Mon Sep 17 00:00:00 2001
From: Ville Vesilehto <ville@vesilehto.fi>
Date: Thu, 2 Apr 2026 00:19:54 +0300
Subject: [PATCH] fix(dnssec): add defensive nil checks (#7997)

---
 plugin/dnssec/dnssec.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/plugin/dnssec/dnssec.go b/plugin/dnssec/dnssec.go
index 0032c048c..0b714a1af 100644
--- a/plugin/dnssec/dnssec.go
+++ b/plugin/dnssec/dnssec.go
@@ -48,6 +48,9 @@ func (d Dnssec) Sign(state request.Request, now time.Time, server string) *dns.M
 
 	mt, _ := response.Typify(req, time.Now().UTC()) // TODO(miek): need opt record here?
 	if mt == response.Delegation {
+		if len(req.Ns) == 0 {
+			return req
+		}
 		// We either sign DS or NSEC of DS.
 		ttl := req.Ns[0].Header().Ttl
 
@@ -68,7 +71,7 @@ func (d Dnssec) Sign(state request.Request, now time.Time, server string) *dns.M
 	}
 
 	if mt == response.NameError || mt == response.NoData {
-		if req.Ns[0].Header().Rrtype != dns.TypeSOA || len(req.Ns) > 1 {
+		if len(req.Ns) != 1 || req.Ns[0].Header().Rrtype != dns.TypeSOA {
 			return req
 		}