From: Stefan Metzmacher
Date: Thu, 30 May 2024 12:42:53 +0000 (+0200)
Subject: s4:dns_server: dns_verify_tsig should return REFUSED on error
X-Git-Tag: samba-4.19.8~70
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6d3d87babdc8bfa72ee30f7b102155b49ba24748;p=thirdparty%2Fsamba.git
s4:dns_server: dns_verify_tsig should return REFUSED on error
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
(cherry picked from commit db350bc573b378fb0615bdd8592cc9c62f6db146)
---
diff --git a/source4/dns_server/dns_crypto.c b/source4/dns_server/dns_crypto.c
index 19d6b0dad14..f9b3bd161c5 100644
--- a/source4/dns_server/dns_crypto.c
+++ b/source4/dns_server/dns_crypto.c
@@ -145,7 +145,7 @@ WERROR dns_verify_tsig(struct dns_server *dns,
 tkey = dns_find_tkey(dns->tkeys, state->tsig->name);
 if (tkey == NULL) {
- DBG_DEBUG("dns_find_tkey() => NOTAUTH / DNS_RCODE_BADKEY\n");
+ DBG_DEBUG("dns_find_tkey() => REFUSED / DNS_RCODE_BADKEY\n");
 /*
 * We must save the name for use in the TSIG error
 * response and have no choice here but to save the
@@ -157,7 +157,7 @@ WERROR dns_verify_tsig(struct dns_server *dns,
 return WERR_NOT_ENOUGH_MEMORY;
 }
 state->tsig_error = DNS_RCODE_BADKEY;
- return DNS_ERR(NOTAUTH);
+ return DNS_ERR(REFUSED);
 }
 DBG_DEBUG("dns_find_tkey() => found\n");
@@ -249,7 +249,7 @@ WERROR dns_verify_tsig(struct dns_server *dns,
 dump_data_dbgc(DBGC_DNS, 8, buffer, buffer_len);
 DBG_NOTICE("Verifying tsig failed: %s\n", nt_errstr(status));
 state->tsig_error = DNS_RCODE_BADSIG;
- return DNS_ERR(NOTAUTH);
+ return DNS_ERR(REFUSED);
 }
 if (!NT_STATUS_IS_OK(status)) {
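Review bot: The new `return DNS_ERR(REFUSED);` in the second hunk (`@@ -157,7 +157,7 @@`, after `state->tsig_error = DNS_RCODE_BADKEY;`) and the same line in the BADSIG branch of the third hunk have no comment explaining why the outer RCODE departs from NOTAUTH. The TSIG specification (RFC 8945, section 5.2) pairs NOTAUTH with both BADKEY and BADSIG, and the commit message gives only the bug number, so a later reader could take REFUSED for a mistake and revert it. I would put a short comment above each return, for example `/* Deliberately REFUSED rather than the RFC's NOTAUTH, see bug 13019 */`, with the author filling in the actual interoperability reason. dns_verify_tsig() starts and ends outside these hunks, so its other return paths were not checked.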
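Review bot: In the third hunk (`@@ -249,7 +249,7 @@`), the generic failure branch that opens on the last context line, `if (!NT_STATUS_IS_OK(status)) {`, is left untouched and its body lies outside the hunk. It is therefore unclear whether a verification failure other than the BADSIG case above also ends in REFUSED with `state->tsig_error` set. If that branch still maps the status straight to a WERROR, a client sending a TSIG that does not verify could get different RCODEs depending on which internal status the check produced. Please confirm that branch; if the difference is intended, a comment such as `/* internal failure, not a signature mismatch: keep the mapped status */` would make it explicit.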