Only look at tsig.error in responses
authorMark Andrews <marka@isc.org>
Wed, 25 Mar 2020 06:46:26 +0000 (17:46 +1100)
committerMichał Kępień <michal@isc.org>
Tue, 19 May 2020 10:29:21 +0000 (12:29 +0200)
lib/dns/tsig.c

index 02a6775502bba2683c89921ec030e5c71f1225f4..c940469520e120f9adfd5c4e9d43db131a3d0240 100644 (file)
@@ -1360,8 +1360,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
                        goto cleanup_context;
                }
                msg->verified_sig = 1;
-       } else if (tsig.error != dns_tsigerror_badsig &&
-                  tsig.error != dns_tsigerror_badkey)
+       } else if (!response || (tsig.error != dns_tsigerror_badsig &&
+                                tsig.error != dns_tsigerror_badkey))
        {
                tsig_log(msg->tsigkey, 2, "signature was empty");
                return (DNS_R_TSIGVERIFYFAILURE);
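Review bot: The new condition on the `} else if (!response || (...))` line encodes a request/response asymmetry that nothing in the code explains, and the double negation makes it easy to misread on the next edit. A request must always carry a signature, whereas a response may legitimately omit it only when the signer is reporting BADSIG or BADKEY (RFC 2845 §4.3), so tsig.error is consulted only when `response` is set; a comment such as `/* Requests must always be signed; only a BADSIG/BADKEY response may omit the signature (RFC 2845 4.3). */` above the branch would record that. `response` is presumably derived from the message's QR flag earlier in dns_tsig_verify, which begins outside this hunk, so the reviewer should confirm it is initialised before this point on every path. The same asymmetry is introduced by the `if (response && tsig.error != dns_rcode_noerror)` check in the @@ -1409 hunk and deserves the same comment there.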
@@ -1409,7 +1409,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
                }
        }
 
-       if (tsig.error != dns_rcode_noerror) {
+       if (response && tsig.error != dns_rcode_noerror) {
                msg->tsigstatus = tsig.error;
                if (tsig.error == dns_tsigerror_badtime) {
                        ret = DNS_R_CLOCKSKEW;
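Review bot: With `if (response && tsig.error != dns_rcode_noerror)` a request whose TSIG record carries a non-zero error field now falls through silently, so msg->tsigstatus keeps whatever value it was given earlier in the function (outside the hunk) and no log line records the oddity. If the protocol requires the error field to be zero in requests, a reviewer may want at least a `tsig_log(msg->tsigkey, 2, "ignoring tsig.error in request");` before this check rather than silently accepting it, since an unexpected non-zero value is a useful signal of a malformed or hostile sender. The remainder of the error-to-return-code mapping continues past the end of the hunk.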