pullup:

1047.   [bug]           When a request was refused due to being signed with
                        a TSIG key derived from an unsigned TKEY negotiation,
                        the response could have an rcode of SUCCESS rather
                        than REFUSED. [RT #1886]

diff --git a/CHANGES b/CHANGES
index 93165d8875694b2173e201275caf1f71f23bba95..4254fe76d6b994b661b573aad7173b20453db9c0 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+1047.  [bug]           When a request was refused due to being signed with
+                       a TSIG key derived from an unsigned TKEY negotiation,
+                       the response could have an rcode of SUCCESS rather
+                       than REFUSED. [RT #1886]
+
 
 1041.  [bug]           Dig/host/nslookup could catch an assertion failure
                        on SIGINT due to an uninitialized variable. [RT #1867]

diff --git a/bin/named/client.c b/bin/named/client.c
index 0d0b431938422c6d5f5ba8e23c80d204ece63a83..272571b39402d5109bc3a0fc4ea8a29c3665fa0c 100644 (file)
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.c,v 1.136.2.7 2001/09/19 02:46:55 marka Exp $ */
+/* $Id: client.c,v 1.136.2.8 2001/10/12 01:08:20 marka Exp $ */
 
 #include <config.h>
 
@@ -1413,6 +1413,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
                ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
                              NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
                              "request is signed by a nonauthoritative key");
+               sigresult = DNS_R_REFUSED;
                /*
                 * Accept update messages signed by unknown keys so that
                 * update forwarding works transparently through slaves