From: Brian Wellington <bwelling@xbill.org>
Date: Fri, 4 Jul 2025 19:32:08 +0000 (-0700)
Subject: TSIG fix for make_response() (#1206)
X-Git-Tag: v2.8.0rc1~28
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c2d2a7b726ddd8e283a8bd4f35ad30e6c5e69e7b;p=thirdparty%2Fdnspython.git

TSIG fix for make_response() (#1206)

If a query contained a TSIG record that was unverified, attempting to
make a response to that query would throw an exception.

This should fix https://github.com/rthalley/dnspython/issues/1205.
---

diff --git a/dns/message.py b/dns/message.py
index 1288b205..bd58ae91 100644
--- a/dns/message.py
+++ b/dns/message.py
@@ -1925,7 +1925,7 @@ def make_response(
                 if option.otype == dns.edns.OptionType.PADDING:
                     pad = 468
         response.use_edns(0, 0, our_payload, query.payload, pad=pad)
-    if query.had_tsig:
+    if query.had_tsig and query.keyring:
         assert query.mac is not None
         assert query.keyalgorithm is not None
         response.use_tsig(
diff --git a/tests/test_tsig.py b/tests/test_tsig.py
index 5d7ceba5..4715e393 100644
--- a/tests/test_tsig.py
+++ b/tests/test_tsig.py
@@ -366,3 +366,15 @@ example. 300 IN SOA . . 1 2 3 4 5
 
     def test_multi_with_pad(self):
         self._test_multi(468)
+
+    def test_make_response_to_unverified(self):
+        # Ensure that we can make a response to an unverified query that
+        # contained a TSIG.
+        q1 = dns.message.make_query("example", "a")
+        q1.use_tsig(keyring, keyname)
+        wire = q1.to_wire()
+
+        q2 = dns.message.from_wire(wire, keyring=False)
+        m = dns.message.make_response(q2)
+
+        self.assertIsNone(m.tsig)