pullup:

1047.   [bug]           When a request was refused due to being signed with
                        a TSIG key derived from an unsigned TKEY negotiation,
                        the response could have an rcode of SUCCESS rather
                        than REFUSED. [RT #1886]

diff --git a/CHANGES b/CHANGES
index 7a63bd0d5c7720cbedd84d457eb3bb9fc6dde1d5..c13605bc6014049823af2e3fa87a46aec0dc3207 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+1047.  [bug]           When a request was refused due to being signed with
+                       a TSIG key derived from an unsigned TKEY negotiation,
+                       the response could have an rcode of SUCCESS rather
+                       than REFUSED. [RT #1886]
+
 1046.  [bug]           The help message for the --with-openssl configure
                        option was inaccurate. [RT #1880]
 

diff --git a/bin/named/client.c b/bin/named/client.c
index 8de64d42d30f30c5a50ce24a91e3c02119e2d06f..13acea7b0329cfee8720655802cef3012a38fd31 100644 (file)
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.c,v 1.176.2.1 2001/09/19 02:44:00 marka Exp $ */
+/* $Id: client.c,v 1.176.2.2 2001/10/12 01:05:51 marka Exp $ */
 
 #include <config.h>
 
@@ -1521,6 +1521,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
                ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
                              NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
                              "request is signed by a nonauthoritative key");
+               sigresult = DNS_R_REFUSED;
                /*
                 * Accept update messages signed by unknown keys so that
                 * update forwarding works transparently through slaves