Diffstat (limited to 'net')
-rw-r--r--net/base/cert_status_flags.cc4
-rw-r--r--net/base/cert_status_flags.h2
-rw-r--r--net/socket/ssl_client_socket_nss.cc5
3 files changed, 10 insertions, 1 deletions
diff --git a/net/base/cert_status_flags.cc b/net/base/cert_status_flags.cc
index 7e20cec..a6bdce4 100644
--- a/net/base/cert_status_flags.cc
+++ b/net/base/cert_status_flags.cc
@@ -33,6 +33,8 @@ int MapNetErrorToCertStatus(int error) {
return CERT_STATUS_INVALID;
case ERR_CERT_WEAK_SIGNATURE_ALGORITHM:
return CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;
+ case ERR_CERT_NOT_IN_DNS:
+ return CERT_STATUS_NOT_IN_DNS;
default:
return 0;
}
@@ -63,6 +65,8 @@ int MapCertStatusToNetError(int cert_status) {
return ERR_CERT_UNABLE_TO_CHECK_REVOCATION;
if (cert_status & CERT_STATUS_NO_REVOCATION_MECHANISM)
return ERR_CERT_NO_REVOCATION_MECHANISM;
+ if (cert_status & CERT_STATUS_NOT_IN_DNS)
+ return ERR_CERT_NOT_IN_DNS;
NOTREACHED();
return ERR_UNEXPECTED;
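Review bot: The new `CERT_STATUS_NOT_IN_DNS` check is the last one before `NOTREACHED()`, so whenever that bit is set together with any other error bit the DNSSEC failure is never the error that gets reported; it would be masked even by the comparatively benign `ERR_CERT_NO_REVOCATION_MECHANISM` just above it. In this patch the `DNSVR_FAILURE` path in ssl_client_socket_nss.cc appears to skip normal certificate verification, so the combination may not arise today, but the mapping should not rely on that. If a DNSSEC mismatch is meant to be a hard failure, move the check ahead of the revocation-related ones, or add a comment recording that the order encodes priority and that NOT_IN_DNS is intentionally lowest, e.g. `// Checks are ordered by severity: the first matching bit wins.` The start of MapCertStatusToNetError lies outside this hunk.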
diff --git a/net/base/cert_status_flags.h b/net/base/cert_status_flags.h
index 26e465c..8bf2565 100644
--- a/net/base/cert_status_flags.h
+++ b/net/base/cert_status_flags.h
@@ -21,10 +21,12 @@ enum {
CERT_STATUS_REVOKED = 1 << 6,
CERT_STATUS_INVALID = 1 << 7,
CERT_STATUS_WEAK_SIGNATURE_ALGORITHM = 1 << 8,
+ CERT_STATUS_NOT_IN_DNS = 1 << 9,
// Bits 16 to 30 are for non-error statuses.
CERT_STATUS_IS_EV = 1 << 16,
CERT_STATUS_REV_CHECKING_ENABLED = 1 << 17,
+ CERT_STATUS_IS_DNSSEC = 1 << 18,
// 1 << 31 (the sign bit) is reserved so that the cert status will never be
// negative.
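Review bot: Neither new flag carries a comment, and the pair is easy to confuse: `CERT_STATUS_NOT_IN_DNS` is an error bit (below bit 16) while `CERT_STATUS_IS_DNSSEC` is a non-error status bit. I would annotate both in place, e.g. `CERT_STATUS_NOT_IN_DNS = 1 << 9,  // DNSSEC chain validated but did not match the served cert` (confirm the exact condition against CheckDNSSECChain) and `CERT_STATUS_IS_DNSSEC = 1 << 18,  // Certificate was validated via a DNSSEC chain`. If error-ness is determined elsewhere by an explicit mask or list rather than by bit position, that definition needs bit 9 added as well; I cannot see it from this hunk.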
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index 035007f..9b706ce 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -69,6 +69,7 @@
#include "base/string_number_conversions.h"
#include "base/string_util.h"
#include "net/base/address_list.h"
+#include "net/base/cert_status_flags.h"
#include "net/base/cert_verifier.h"
#include "net/base/dnsrr_resolver.h"
#include "net/base/dnssec_chain_verifier.h"
@@ -1708,6 +1709,7 @@ int SSLClientSocketNSS::DoVerifyDNSSEC(int result) {
if (ssl_config_.dnssec_enabled) {
DNSValidationResult r = CheckDNSSECChain(hostname_, server_cert_nss_);
if (r == DNSVR_SUCCESS) {
+ server_cert_verify_result_.cert_status |= CERT_STATUS_IS_DNSSEC;
GotoState(STATE_VERIFY_CERT_COMPLETE);
return OK;
}
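Review bot: On `DNSVR_SUCCESS` the code jumps straight to `STATE_VERIFY_CERT_COMPLETE`, so the X.509 verification state (and whatever it populates in `server_cert_verify_result_` beyond the single `CERT_STATUS_IS_DNSSEC` bit) is bypassed entirely; consumers that look at other fields of the verify result will see them unset for DNSSEC-validated connections. That is presumably the intended trust model, but it is a strong statement and deserves a why-comment next to the new line, e.g. `// A valid DNSSEC chain is treated as sufficient on its own: the CA-based verification state is skipped, so only IS_DNSSEC is set in the verify result.` Whether CheckDNSSECChain itself covers hostname binding and validity period is not visible here and should be confirmed before relying on it. DoVerifyDNSSEC begins outside this hunk.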
@@ -1746,18 +1748,19 @@ int SSLClientSocketNSS::DoVerifyDNSSECComplete(int result) {
if (!ssl_config_.dnssec_enabled) {
// If DNSSEC is not enabled we don't take any action based on the result,
// except to record the latency, above.
- GotoState(STATE_VERIFY_CERT);
return OK;
}
switch (r) {
case DNSVR_FAILURE:
GotoState(STATE_VERIFY_CERT_COMPLETE);
+ server_cert_verify_result_.cert_status |= CERT_STATUS_NOT_IN_DNS;
return ERR_CERT_NOT_IN_DNS;
case DNSVR_CONTINUE:
GotoState(STATE_VERIFY_CERT);
break;
case DNSVR_SUCCESS:
+ server_cert_verify_result_.cert_status |= CERT_STATUS_IS_DNSSEC;
GotoState(STATE_VERIFY_CERT_COMPLETE);
break;
default: