unsigned int nmsg; /* Number of messages sent */
dns_tsigkey_t *tsigkey; /* Key used to create TSIG */
isc_buffer_t *lasttsig; /* the last TSIG */
+ isc_boolean_t verified_tsig; /* verified request MAC */
isc_boolean_t many_answers;
int sends; /* Send in progress */
isc_boolean_t shuttingdown;
dns_db_t *db, dns_dbversion_t *ver, isc_quota_t *quota,
rrstream_t *stream, dns_tsigkey_t *tsigkey,
isc_buffer_t *lasttsig,
+ isc_boolean_t verified_tsig,
unsigned int maxtime,
unsigned int idletime,
isc_boolean_t many_answers,
zone, db, ver, quota, stream,
dns_message_gettsigkey(request),
tsigbuf,
+ request->verified_sig,
3600,
3600,
(format == dns_many_answers) ?
zone, db, ver, quota, stream,
dns_message_gettsigkey(request),
tsigbuf,
+ request->verified_sig,
dns_zone_getmaxxfrout(zone),
dns_zone_getidleout(zone),
(format == dns_many_answers) ?
dns_rdataclass_t qclass, dns_zone_t *zone,
dns_db_t *db, dns_dbversion_t *ver, isc_quota_t *quota,
rrstream_t *stream, dns_tsigkey_t *tsigkey,
- isc_buffer_t *lasttsig, unsigned int maxtime,
- unsigned int idletime, isc_boolean_t many_answers,
- xfrout_ctx_t **xfrp)
+ isc_buffer_t *lasttsig, isc_boolean_t verified_tsig,
+ unsigned int maxtime, unsigned int idletime,
+ isc_boolean_t many_answers, xfrout_ctx_t **xfrp)
{
xfrout_ctx_t *xfr;
isc_result_t result;
xfr->end_of_stream = ISC_FALSE;
xfr->tsigkey = tsigkey;
xfr->lasttsig = lasttsig;
+ xfr->verified_tsig = verified_tsig;
xfr->txmem = NULL;
xfr->txmemlen = 0;
xfr->nmsg = 0;
CHECK(dns_message_setquerytsig(msg, xfr->lasttsig));
if (xfr->lasttsig != NULL)
isc_buffer_free(&xfr->lasttsig);
+ msg->verified_sig = xfr->verified_tsig;
/*
* Add a EDNS option to the message?
* has validated at this point. This is why we include a
* MAC length > 0 in the reply.
*/
-
ret = dst_context_create3(key->key, mctx,
DNS_LOGCATEGORY_DNSSEC,
ISC_TRUE, &ctx);
if (response) {
dns_rdata_t querytsigrdata = DNS_RDATA_INIT;
+ INSIST(msg->verified_sig);
+
ret = dns_rdataset_first(msg->querytsig);
if (ret != ISC_R_SUCCESS)
goto cleanup_context;
} else if (ret != ISC_R_SUCCESS) {
goto cleanup_context;
}
+ msg->verified_sig = 1;
} else if (tsig.error != dns_tsigerror_badsig &&
tsig.error != dns_tsigerror_badkey) {
tsig_log(msg->tsigkey, 2, "signature was empty");
}
msg->tsigstatus = dns_rcode_noerror;
- msg->verified_sig = 1;
ret = ISC_R_SUCCESS;
cleanup_context:
} else if (ret != ISC_R_SUCCESS) {
goto cleanup_context;
}
+ msg->verified_sig = 1;
/*
* Here at this point, the MAC has been verified. Even
}
msg->tsigstatus = dns_rcode_noerror;
- msg->verified_sig = 1;
ret = ISC_R_SUCCESS;
cleanup_context: