From 3d8375289e519e7ac95b09442f201d39e0135599 Mon Sep 17 00:00:00 2001
From: Miod Vallat
Date: Mon, 20 Oct 2025 11:01:04 +0200
Subject: [PATCH] Be sure to return an error response when fetching a TSIG key fails.

Signed-off-by: Miod Vallat
---
 pdns/tcpreceiver.cc | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc
index 600591a011..209c354635 100644
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
@@ -689,10 +689,14 @@ int TCPNameserver::doAXFR(const ZoneName &targetZone, std::unique_ptr
 if (algorithm != g_gsstsigdnsname) {
 if(!db.getTSIGKey(tsigkeyname, algorithm, tsig64)) {
 g_log<setRcode(RCode::NotAuth);
+ sendPacket(outpacket,outsock);
 return 0;
 }
 if (B64Decode(tsig64, tsigsecret) == -1) {
 g_log<setRcode(RCode::ServFail);
+ sendPacket(outpacket,outsock);
 return 0;
 }
 }
@@ -1295,10 +1299,14 @@ int TCPNameserver::doIXFR(std::unique_ptr& q, int outsock)
 }
 if (!db.getTSIGKey(tsigkeyname, algorithm, tsig64)) {
 g_log << Logger::Error << "TSIG key '" << tsigkeyname << "' for domain '" << target << "' not found" << endl;
+ outpacket->setRcode(RCode::NotAuth);
+ sendPacket(outpacket,outsock);
 return 0;
 }
 if (B64Decode(tsig64, tsigsecret) == -1) {
 g_log<setRcode(RCode::ServFail);
+ sendPacket(outpacket,outsock);
 return 0;
 }
 }
--
2.47.3
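Review bot: The two new replies in doAXFR map a failed key lookup to `RCode::NotAuth` and an undecodable secret to `RCode::ServFail`, but nothing in the added lines records why, and the same pair is repeated in the doIXFR hunk. A one-line comment above each branch would keep the two functions from drifting apart, for example `// key lookup failed: answer NotAuth; the reply cannot be signed` and `// stored secret is not valid base64: server-side fault, answer ServFail`. Only the header rcode is set in the visible lines; if a TSIG error code such as BADKEY is meant to accompany NotAuth (RFC 8945), it would have to be set outside this hunk, which is worth confirming. doAXFR's body starts and ends outside the hunk.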
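Review bot: The added `sendPacket(outpacket,outsock);` calls in doIXFR omit the space after the comma, while the log statement just above them is written in the spaced style; `sendPacket(outpacket, outsock);` would match the surrounding lines. The diffstat lists only pdns/tcpreceiver.cc, so no regression test appears to accompany the new replies. A transfer request naming a key the backend does not hold, and one whose stored secret is not valid base64, would pin the NotAuth and ServFail answers for both AXFR and IXFR. doIXFR's body continues outside the hunk.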