Be sure to return an error response when fetching a TSIG key fails. 16301/head
authorMiod Vallat <miod.vallat@powerdns.com>
Mon, 20 Oct 2025 09:01:04 +0000 (11:01 +0200)
committerMiod Vallat <miod.vallat@powerdns.com>
Mon, 20 Oct 2025 09:02:21 +0000 (11:02 +0200)
Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>
pdns/tcpreceiver.cc

index 600591a011135c67b1a6f5205787abfb36f68331..209c3546353a16f1541c5ddd94d294b8af90e3df 100644 (file)
@@ -689,10 +689,14 @@ int TCPNameserver::doAXFR(const ZoneName &targetZone, std::unique_ptr<DNSPacket>
     if (algorithm != g_gsstsigdnsname) {
       if(!db.getTSIGKey(tsigkeyname, algorithm, tsig64)) {
         g_log<<Logger::Warning<<logPrefix<<"TSIG key not found"<<endl;
+        outpacket->setRcode(RCode::NotAuth);
+        sendPacket(outpacket,outsock);
         return 0;
       }
       if (B64Decode(tsig64, tsigsecret) == -1) {
         g_log<<Logger::Error<<logPrefix<<"unable to Base-64 decode TSIG key '"<<tsigkeyname<<"'"<<endl;
+        outpacket->setRcode(RCode::ServFail);
+        sendPacket(outpacket,outsock);
         return 0;
       }
     }
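Review bot: The two error replies added in this doAXFR hunk appear to be sent without a TSIG record, because the key that would sign them is exactly what failed to load, and nothing at the call sites says that this is intended. A one-line comment above the first `sendPacket(outpacket,outsock);` would record it, for example `// Sent unsigned on purpose: the TSIG key needed to sign this reply could not be loaded.` The same applies to the two replies added in the doIXFR hunk. Where outpacket is built and where the TSIG details are attached to it lies outside the hunk, so this reading should be confirmed against the full function.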
@@ -1295,10 +1299,14 @@ int TCPNameserver::doIXFR(std::unique_ptr<DNSPacket>& q, int outsock)
       }
       if (!db.getTSIGKey(tsigkeyname, algorithm, tsig64)) {
         g_log << Logger::Error << "TSIG key '" << tsigkeyname << "' for domain '" << target << "' not found" << endl;
+        outpacket->setRcode(RCode::NotAuth);
+        sendPacket(outpacket,outsock);
         return 0;
       }
       if (B64Decode(tsig64, tsigsecret) == -1) {
         g_log<<Logger::Error<<logPrefix<<"unable to Base-64 decode TSIG key '"<<tsigkeyname<<"'"<<endl;
+        outpacket->setRcode(RCode::ServFail);
+        sendPacket(outpacket,outsock);
         return 0;
       }
     }
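Review bot: The key-not-found log line in this doIXFR hunk is written without `logPrefix`, while the Base-64 failure line a few lines below uses it, and it is logged at Error where the matching doAXFR line uses Warning and omits the key name. Since the client now gets the same NotAuth answer on both paths, the server log is what an operator will use to tell them apart and to match a failure to a transfer. Consider `g_log << Logger::Error << logPrefix << "TSIG key '" << tsigkeyname << "' for domain '" << target << "' not found" << endl;` here, and the same severity and key name in the doAXFR message. The enclosing if block starts above the hunk.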