diff --git a/CVE-2018-14644.patch b/CVE-2018-14644.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c6782dd77e2fb64158c67452315e5d1ad1ff05b5
--- /dev/null
+++ b/CVE-2018-14644.patch
@@ -0,0 +1,89 @@
+Description: CVE-2018-14644
+ A remote attacker sending a DNS query for a meta-type like OPT can lead to a
+ zone being wrongly cached as failing DNSSEC validation. It only arises if the
+ parent zone is signed, and all the authoritative servers for that parent zone
+ answer with FORMERR to a query for at least one of the meta-types. As a result,
+ subsequent queries from clients requesting DNSSEC validation will be answered
+ with a ServFail.
+
+---
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://downloads.powerdns.com/patches/2018-07/CVE-2018-14644-rec-4.0.8.patch
+Bug-Debian: https://bugs.debian.org/913162
+Last-Update: 2018-11-30
+
+Index: pdns-recursor-3.6.2/syncres.cc
+===================================================================
+--- pdns-recursor-3.6.2.orig/syncres.cc
++++ pdns-recursor-3.6.2/syncres.cc
+@@ -84,6 +84,18 @@ SyncRes::SyncRes(const struct timeval& n
+ /** everything begins here - this is the entry point just after receiving a packet */
+ int SyncRes::beginResolve(const string &qname, const QType &qtype, uint16_t qclass, vector<DNSResourceRecord>&ret)
+ {
++  /* rfc6895 section 3.1 + RRSIG and NSEC3 */
++  static std::set<uint16_t> metaTypes;
++  metaTypes.insert(QType::AXFR);
++  metaTypes.insert(QType::IXFR);
++  metaTypes.insert(QType::RRSIG);
++  metaTypes.insert(QType::NSEC3);
++  metaTypes.insert(QType::OPT);
++  metaTypes.insert(QType::TSIG);
++  metaTypes.insert(QType::TKEY);
++  metaTypes.insert(QType::MAILA);
++  metaTypes.insert(QType::MAILB);
++
+   s_queries++;
+   
+   if( (qtype.getCode() == QType::AXFR)) 
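Review bot: `metaTypes` is declared `static`, but the nine `insert` calls below it are ordinary statements, so the set is re-populated on every call to `beginResolve`. That repeats the work for each query, and if `beginResolve` can run on more than one thread, the first calls mutate the shared set concurrently with no lock visible in the hunk. Building it once from a constant array avoids both, e.g. `static const uint16_t metaTypeCodes[] = {QType::AXFR, QType::IXFR, /* … */ QType::MAILB};` followed by `static const std::set<uint16_t> metaTypes(metaTypeCodes, metaTypeCodes + sizeof(metaTypeCodes)/sizeof(metaTypeCodes[0]));`. Whether static-local initialisation is itself thread-safe on this toolchain should be confirmed, and the function body continues outside the hunk.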
+@@ -121,7 +133,11 @@ int SyncRes::beginResolve(const string &
+     ret.push_back(rr);
+     return 0;
+   }
+-  
++
++   if (metaTypes.count(qtype.getCode())) {
++      return -1;
++  }
++
+   if(qclass==QClass::ANY)
+     qclass=QClass::IN;
+   else if(qclass!=QClass::IN)
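Review bot: The new meta-type guard returns `-1` with no comment saying why, and it is indented with three and six spaces while its closing brace and the surrounding code use two and four. A reader of `beginResolve` cannot tell from the code that this early return is the CVE-2018-14644 mitigation. I would add `/* meta-types (RFC 6895 section 3.1, plus RRSIG and NSEC3) are rejected before resolution, see CVE-2018-14644 */` above it and re-indent to `  if (metaTypes.count(qtype.getCode())) {` and `    return -1;`. What `-1` means to the caller is not visible here and is worth stating in that comment once confirmed; the function starts and ends outside the hunk.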
+@@ -332,7 +348,7 @@ int SyncRes::asyncresolveWrapper(const C
+       }
+     }
+     else if(mode==EDNSStatus::UNKNOWN || mode==EDNSStatus::EDNSPINGOK || mode == EDNSStatus::EDNSIGNORANT ) {
+-      if(res->d_rcode == RCode::FormErr)  {
++      if(!res->d_haveEDNS && (res->d_rcode == RCode::FormErr || res->d_rcode == RCode::NotImp)) {
+         //        cerr<<"Downgrading to EDNSNOPING because of FORMERR!"<<endl);
+         mode = EDNSStatus::EDNSNOPING;
+         continue;
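Review bot: The downgrade condition now ignores any response with `d_haveEDNS` set and also fires on `RCode::NotImp`, but nothing in the code says why, and the commented-out trace beneath it still reads "because of FORMERR". The identical condition is repeated in the `EDNSNOPING` branch of the next hunk. A comment such as `// only downgrade when the error response carried no EDNS itself; a FORMERR/NOTIMP with EDNS is not evidence of missing EDNS support` would record the intent, though that reasoning is inferred from the patch description and should be checked against the upstream advisory. Since the test appears twice, factoring it into one small predicate would keep the two branches from drifting apart; the enclosing loop starts and ends outside both hunks.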
+@@ -357,7 +373,7 @@ int SyncRes::asyncresolveWrapper(const C
+       }
+     }
+     else if(mode==EDNSStatus::EDNSNOPING) {
+-      if(res->d_rcode == RCode::FormErr) {
++      if(!res->d_haveEDNS && (res->d_rcode == RCode::FormErr || res->d_rcode == RCode::NotImp)) {
+         //                cerr<<"Downgrading to mode 4, FORMERR!"<<endl);
+         mode = EDNSStatus::NOEDNS;
+         continue;
+Index: pdns-recursor-3.6.2/qtype.hh
+===================================================================
+--- pdns-recursor-3.6.2.orig/qtype.hh
++++ pdns-recursor-3.6.2/qtype.hh
+@@ -82,7 +82,7 @@ public:
+ #undef DS
+   enum typeenum {A=1, NS=2, CNAME=5, SOA=6, MR=9, PTR=12, HINFO=13, MX=15, TXT=16, RP=17, AFSDB=18, SIG=24, KEY=25, AAAA=28, LOC=29, SRV=33, NAPTR=35, KX=36,
+ 		 CERT=37, A6=38, DNAME=39, OPT=41, DS=43, SSHFP=44, IPSECKEY=45, RRSIG=46, NSEC=47, DNSKEY=48, DHCID=49, NSEC3=50, NSEC3PARAM=51,
+-     TLSA=52, SPF=99, EUI48=108, EUI64=109, TSIG=250, IXFR=251, AXFR=252, MAILB=253, MAILA=254, ANY=255, URL=256, MBOXFW=257, CURL=258, ADDR=259, DLV=32769} types;
++     TLSA=52, SPF=99, EUI48=108, EUI64=109, TKEY=249, TSIG=250, IXFR=251, AXFR=252, MAILB=253, MAILA=254, ANY=255, URL=256, MBOXFW=257, CURL=258, ADDR=259, DLV=32769} types;
+   typedef pair<string,uint16_t> namenum;
+   static vector<namenum> names;
+ 
+@@ -156,6 +156,7 @@ private:
+       qtype_insert("SPF", 99);
+       qtype_insert("EUI48", 108);
+       qtype_insert("EUI64", 109);
++      qtype_insert("TKEY", 249);
+ //      qtype_insert("TSIG", 250);
+       qtype_insert("IXFR", 251);
+       qtype_insert("AXFR", 252);