From: Brian Wellington
Date: Fri, 8 Jun 2001 19:38:59 +0000 (+0000)
Subject: 891. [bug] Return an error when a SIG(0) signed response to
X-Git-Tag: v9.1.3rc2~23
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bc4eca28b19ca4a7a5985f7759d5f95a6cfab51b;p=thirdparty%2Fbind9.git

891. [bug] Return an error when a SIG(0) signed response to an unsigned query is seen. This should actually do the verification, but it's not currently possible. [RT #1391]
---
diff --git a/CHANGES b/CHANGES
index b0086f3aaee..7bbba42aac7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+ 891. [bug] Return an error when a SIG(0) signed response to
+ an unsigned query is seen. This should actually
+ do the verification, but it's not currently
+ possible. [RT #1391]
 860. [func] Drop cross class glue in zone transfers.
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 2698407893e..b2a4c1b3dd9 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
 */
 /*
- * $Id: dnssec.c,v 1.56.2.5 2001/05/29 22:54:19 bwelling Exp $
+ * $Id: dnssec.c,v 1.56.2.6 2001/06/08 19:38:57 bwelling Exp $
 */
@@ -678,13 +678,15 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
 REQUIRE(msg != NULL);
 REQUIRE(key != NULL);
- if (is_response(msg))
- REQUIRE(msg->query != NULL);
-
 mctx = msg->mctx;
 msg->verify_attempted = 1;
+ if (is_response(msg)) {
+ if (msg->query == NULL)
+ return (DNS_R_UNEXPECTEDTSIG);
+ }
+
 isc_buffer_usedregion(source, &source_r);
 RETERR(dns_rdataset_first(msg->sig0));
diff --git a/lib/dns/result.c b/lib/dns/result.c
index 0f2b0a88021..7fcfd293680 100644
--- a/lib/dns/result.c
+++ b/lib/dns/result.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: result.c,v 1.84.2.3 2001/05/14 03:22:04 marka Exp $ */
+/* $Id: result.c,v 1.84.2.4 2001/06/08 19:38:59 bwelling Exp $ */
 #include
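Review bot: In lib/dns/dnssec.c, the new early return in dns_dnssec_verifymessage (`if (msg->query == NULL) return (DNS_R_UNEXPECTEDTSIG);`) rejects a signed response without verifying it, and the code carries no comment saying so or that its position after `msg->verify_attempted = 1` is deliberate. The reason is recorded only in the commit message; I would put it above the block, e.g. `/* SIG(0) on a response to an unsigned query cannot be verified yet; fail closed. [RT #1391] */`. If the flag ordering is what lets later code see an attempted-but-failed verification (not visible in this hunk), the comment should say that too, so the check is not moved back above the assignment. As a style point, the two nested `if`s can be one condition, `if (is_response(msg) && msg->query == NULL)`. The function body starts and ends outside the hunk, so how callers treat this result is not shown here.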
@@ -80,8 +80,8 @@ static const char *text[DNS_R_NRESULTS] = {
 "key is unauthorized to sign data", /* 43 DNS_R_KEYUNAUTHORIZED */
 "invalid time", /* 44 DNS_R_INVALIDTIME */
- "expected a TSIG", /* 45 DNS_R_EXPECTEDTSIG */
- "did not expect a TSIG", /* 46 DNS_R_UNEXPECTEDTSIG */
+ "expected a TSIG or SIG(0)", /* 45 DNS_R_EXPECTEDTSIG */
+ "did not expect a TSIG or SIG(0)", /* 46 DNS_R_UNEXPECTEDTSIG */
 "TKEY is unacceptable", /* 47 DNS_R_INVALIDTKEY */
 "hint", /* 48 DNS_R_HINT */
 "drop", /* 49 DNS_R_DROP */