===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/dns.c,v
retrieving revision 1.35
retrieving revision 1.36
diff -u -r1.35 -r1.36
--- src/usr.bin/ssh/dns.c	2015/08/20 22:32:42	1.35
+++ src/usr.bin/ssh/dns.c	2017/09/01 05:53:56	1.36
@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.c,v 1.35 2015/08/20 22:32:42 deraadt Exp $ */
+/* $OpenBSD: dns.c,v 1.36 2017/09/01 05:53:56 djm Exp $ */
 
 /*
  * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -291,16 +291,18 @@
 		free(dnskey_digest);
 	}
 
-	free(hostkey_digest); /* from sshkey_fingerprint_raw() */
-	freerrset(fingerprints);
-
-	if (*flags & DNS_VERIFY_FOUND)
+	if (*flags & DNS_VERIFY_FOUND) {
 		if (*flags & DNS_VERIFY_MATCH)
 			debug("matching host key fingerprint found in DNS");
+		else if (counter == fingerprints->rri_nrdatas)
+			*flags |= DNS_VERIFY_MISSING;
 		else
 			debug("mismatching host key fingerprint found in DNS");
-	else
+	} else
 		debug("no host key fingerprint found in DNS");
+
+	free(hostkey_digest); /* from sshkey_fingerprint_raw() */
+	freerrset(fingerprints);
 
 	return 0;
 }