From 6d5f22b56da6813bec67efd6afc79d18f447dbb4 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Wed, 25 Jun 2025 10:21:42 +0200
Subject: [PATCH] - xfr-tsig, fix tsig_verify_query.
---
 testdata/tsig_test.1 | 4 ++--
 util/tsig.c | 4 ++++
 util/tsig.h | 3 +++
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/testdata/tsig_test.1 b/testdata/tsig_test.1
index ba4075923..0fcde7b32 100644
--- a/testdata/tsig_test.1
+++ b/testdata/tsig_test.1
@@ -49,9 +49,9 @@ c00e00f1bafa240f41ee9cbe507b9802e7070000
 0000
 endpacket
 
+tsig-verify-query test.key 1750419725 0 0 0
+
 # reply for www.example.net A
 #packet
 #e7078400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff00000000003a08686d61632d6d6435077369672d616c670372656703696e740000006855490d012c0010dc3c138476fcb04cc138aa5c59647b86e70700000000
 #endpacket
-#
-#tsig-verify-query test.key 1750419725 0 0 0
diff --git a/util/tsig.c b/util/tsig.c
index e9d913f83..85d41aab4 100644
--- a/util/tsig.c
+++ b/util/tsig.c
@@ -1053,6 +1053,9 @@ tsig_verify_query(struct tsig_data* tsig, struct sldns_buffer* pkt,
 return LDNS_RCODE_SERVFAIL;
 }
 sldns_buffer_write_u16_at(pkt, 0, rr->original_query_id);
+ LDNS_ARCOUNT_SET( sldns_buffer_begin(pkt)
+ , LDNS_ARCOUNT(sldns_buffer_begin(pkt)) - 1);
+ sldns_buffer_set_position(pkt, rr->tsig_pos);
 
 /* Write the key name uncompressed */
 sldns_buffer_write(&var, key->name, key->name_len);
@@ -1138,6 +1141,7 @@ tsig_parse(struct sldns_buffer* pkt, struct tsig_record* rr)
 verbose(VERB_ALGO, "tsig_verify_query: packet too short");
 return LDNS_RCODE_FORMERR;
 }
+ rr->tsig_pos = sldns_buffer_position(pkt);
 rr->key_name = sldns_buffer_current(pkt);
 rr->key_name_len = pkt_dname_len(pkt);
 if(rr->key_name_len == 0) {
diff --git a/util/tsig.h b/util/tsig.h
index 0808c0604..97bf8414e 100644
--- a/util/tsig.h
+++ b/util/tsig.h
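Review bot: In util/tsig.c, `tsig_verify_query` now writes `LDNS_ARCOUNT(sldns_buffer_begin(pkt)) - 1` back into the header with no visible check that the count is at least 1, so a packet whose ARCOUNT is 0 would presumably end up with a wrapped count (65535 if the macro stores 16 bits) instead of being rejected. Whether an earlier check in this function or in its caller already guarantees ARCOUNT >= 1 is outside the hunk; if it does not, a guard before the decrement such as `if(LDNS_ARCOUNT(sldns_buffer_begin(pkt)) == 0) return LDNS_RCODE_FORMERR;` keeps the rewrite well-defined. The header ID and ARCOUNT are also changed in place before the MAC is checked, so a short comment stating that `pkt` is left modified on every return path would help callers that reuse the buffer. The function body starts and ends outside the hunk.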
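Review bot: In `tsig_parse` (util/tsig.c), `rr->tsig_pos` is assigned only after the "packet too short" check, so on that `LDNS_RCODE_FORMERR` return the field keeps whatever the caller's `struct tsig_record` already held, and `tsig_verify_query` later hands it to `sldns_buffer_set_position` without a range check. If callers are not guaranteed to zero the record and to stop after a failed parse (not visible here), validating the offset before the seek, e.g. `if(rr->tsig_pos > sldns_buffer_limit(pkt)) return LDNS_RCODE_FORMERR;`, keeps a stale offset from another packet out of the buffer API. A one-line comment on the assignment, `/* offset of the TSIG RR owner name; tsig_verify_query seeks back to it */`, would document why it is recorded. The function continues outside the hunk.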
@@ -57,6 +57,9 @@ struct tsig_record {
 uint8_t* key_name;
 /** length of the key_name */
 size_t key_name_len;
+ /** the position of the TSIG RR in the packet, it is before the owner
+ * name. */
+ size_t tsig_pos;
 /** the algorithm name, as a domain name. */
 uint8_t* algorithm_name;
 /** length of the algorithm_name */
-- 
2.47.2
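Review bot: The new `tsig_pos` comment does not say what the position is measured from or how long it stays valid. From the util/tsig.c hunks it appears to be a buffer offset taken with `sldns_buffer_position(pkt)` in `tsig_parse` and reused by `tsig_verify_query`, so it is only meaningful for the same packet buffer. Suggested wording: `/** offset in the packet buffer where the TSIG RR starts (at its owner name); set by tsig_parse, valid only for that packet */`. The struct definition continues outside the hunk.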