s4:dns_server: dns_verify_tsig should return REFUSED on error
authorStefan Metzmacher <metze@samba.org>
Thu, 30 May 2024 12:42:53 +0000 (14:42 +0200)
committerJule Anger <janger@samba.org>
Wed, 3 Jul 2024 08:48:12 +0000 (08:48 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit db350bc573b378fb0615bdd8592cc9c62f6db146)

source4/dns_server/dns_crypto.c

index 19d6b0dad14b8d34382f2f13fdd63c19021511e8..f9b3bd161c523bed79b1619e94d02f0762aa636c 100644 (file)
@@ -145,7 +145,7 @@ WERROR dns_verify_tsig(struct dns_server *dns,
 
        tkey = dns_find_tkey(dns->tkeys, state->tsig->name);
        if (tkey == NULL) {
-               DBG_DEBUG("dns_find_tkey() => NOTAUTH / DNS_RCODE_BADKEY\n");
+               DBG_DEBUG("dns_find_tkey() => REFUSED / DNS_RCODE_BADKEY\n");
                /*
                 * We must save the name for use in the TSIG error
                 * response and have no choice here but to save the
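Review bot: The switch from NOTAUTH to REFUSED is not explained anywhere in the code, neither at this debug message nor at the `return DNS_ERR(REFUSED);` lines in the second and third hunks. RFC 8945 section 5.2 pairs the BADKEY and BADSIG TSIG errors with RCODE NOTAUTH, so a later reader is likely to take REFUSED for a mistake and change it back. I would extend the existing comment in this branch with something like `/* Deliberately REFUSED instead of the RFC's NOTAUTH, see bug 13019; state->tsig_error still records BADKEY. */` and put a one-line equivalent above the BADSIG return. The `if (tkey == NULL)` block continues past the end of this hunk.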
@@ -157,7 +157,7 @@ WERROR dns_verify_tsig(struct dns_server *dns,
                        return WERR_NOT_ENOUGH_MEMORY;
                }
                state->tsig_error = DNS_RCODE_BADKEY;
-               return DNS_ERR(NOTAUTH);
+               return DNS_ERR(REFUSED);
        }
        DBG_DEBUG("dns_find_tkey() => found\n");
 
@@ -249,7 +249,7 @@ WERROR dns_verify_tsig(struct dns_server *dns,
                dump_data_dbgc(DBGC_DNS, 8, buffer, buffer_len);
                DBG_NOTICE("Verifying tsig failed: %s\n", nt_errstr(status));
                state->tsig_error = DNS_RCODE_BADSIG;
-               return DNS_ERR(NOTAUTH);
+               return DNS_ERR(REFUSED);
        }
 
        if (!NT_STATUS_IS_OK(status)) {
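Review bot: With the RCODE now the generic REFUSED, the server log becomes the main place to tell a bad signature from other refusals, yet `DBG_NOTICE("Verifying tsig failed: %s\n", nt_errstr(status));` does not say which key the request named. `state->tsig->name` is used for the lookup earlier in dns_verify_tsig; assuming it is a printable string and still in scope here, `DBG_NOTICE("Verifying tsig for key [%s] failed: %s\n", state->tsig->name, nt_errstr(status));` would let repeated failures be attributed to one key. The unknown-key branch in the first hunk has the same gap and logs only at debug level. The enclosing `if` starts above this hunk, so the condition that leads here is not visible.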