From: Miod Vallat Date: Mon, 20 Oct 2025 09:01:04 +0000 (+0200) Subject: Be sure to return an error response when fetching a TSIG key fails. X-Git-Tag: rec-5.4.0-beta1~73^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3d8375289e519e7ac95b09442f201d39e0135599;p=thirdparty%2Fpdns.git Be sure to return an error response when fetching a TSIG key fails. Signed-off-by: Miod Vallat --- diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc index 600591a011..209c354635 100644 --- a/pdns/tcpreceiver.cc +++ b/pdns/tcpreceiver.cc @@ -689,10 +689,14 @@ int TCPNameserver::doAXFR(const ZoneName &targetZone, std::unique_ptr if (algorithm != g_gsstsigdnsname) { if(!db.getTSIGKey(tsigkeyname, algorithm, tsig64)) { g_log<setRcode(RCode::NotAuth); + sendPacket(outpacket,outsock); return 0; } if (B64Decode(tsig64, tsigsecret) == -1) { g_log<setRcode(RCode::ServFail); + sendPacket(outpacket,outsock); return 0; } } @@ -1295,10 +1299,14 @@ int TCPNameserver::doIXFR(std::unique_ptr& q, int outsock) } if (!db.getTSIGKey(tsigkeyname, algorithm, tsig64)) { g_log << Logger::Error << "TSIG key '" << tsigkeyname << "' for domain '" << target << "' not found" << endl; + outpacket->setRcode(RCode::NotAuth); + sendPacket(outpacket,outsock); return 0; } if (B64Decode(tsig64, tsigsecret) == -1) { g_log<setRcode(RCode::ServFail); + sendPacket(outpacket,outsock); return 0; } }
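Review bot: The new error replies in the doAXFR hunk carry no comment on why a failed `getTSIGKey` maps to `RCode::NotAuth` while a failed `B64Decode` maps to `RCode::ServFail`, and the same `setRcode`/`sendPacket` pair is repeated verbatim in the doIXFR hunk. A short comment on each branch would record the intent, for example `// key not known to the backend: refuse with NotAuth` and `// stored secret does not decode: server-side fault, answer ServFail`. No TSIG secret is available on these paths, so the reply presumably goes out unsigned; it is worth confirming that clients which require signed responses treat it as intended. Both function bodies start and end outside the hunks, and the log statements in the first hunk are truncated in this rendering, so their message text could not be checked.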