Only look at tsig.error in responses
authorMark Andrews <marka@isc.org>
Wed, 25 Mar 2020 06:46:26 +0000 (17:46 +1100)
committerMichał Kępień <michal@isc.org>
Tue, 5 May 2020 21:45:57 +0000 (23:45 +0200)
lib/dns/tsig.c

index c89d3996328f149c1446cc790a5ba192c51315c4..929de8166e4e7b38117364e6a46ea02c6e2015ec 100644 (file)
@@ -1338,8 +1338,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
                        goto cleanup_context;
                }
                msg->verified_sig = 1;
-       } else if (tsig.error != dns_tsigerror_badsig &&
-                  tsig.error != dns_tsigerror_badkey) {
+       } else if (!response || (tsig.error != dns_tsigerror_badsig &&
+                                tsig.error != dns_tsigerror_badkey))
+       {
                tsig_log(msg->tsigkey, 2, "signature was empty");
                return (DNS_R_TSIGVERIFYFAILURE);
        }
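Review bot: The new condition at the `else if` encodes a request/response asymmetry that nothing in the surrounding code explains: a request with an empty signature is now rejected unconditionally, while a response with an empty signature passes only when its error field is BADSIG or BADKEY. A short comment above the branch would spare the next reader from reverse-engineering that from the boolean, e.g. `/* An unsigned TSIG is only legitimate in a response reporting BADSIG or BADKEY; a request must always carry a signature, whatever its error field says. */`. Note that `response` is set somewhere outside this hunk, so its meaning (presumably "msg is a reply we sent a query for") is inferred rather than visible here. dns_tsig_verify begins and ends outside the hunk.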
@@ -1388,7 +1389,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
                }
        }
 
-       if (tsig.error != dns_rcode_noerror) {
+       if (response && tsig.error != dns_rcode_noerror) {
                msg->tsigstatus = tsig.error;
                if (tsig.error == dns_tsigerror_badtime)
                        ret = DNS_R_CLOCKSKEW;
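Review bot: With the added `response &&` guard, a request whose TSIG carries a non-zero error field now skips the block that recorded it in `msg->tsigstatus`, and nothing else in this hunk logs that the field was present; presumably verification then goes on to succeed for such a request. That is consistent with the commit title, but it also means a peer sending malformed requests leaves no trace for an operator, so consider a debug-level `tsig_log(msg->tsigkey, 2, "ignoring error field in request")` in an else branch, matching the existing `tsig_log` call style used earlier in this function. The body of this `if` and the remainder of dns_tsig_verify continue past the end of the hunk, and the line that assigns `response` is not visible here.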