From: Mark Andrews
Date: Wed, 25 Mar 2020 06:46:26 +0000 (+1100)
Subject: Only look at tsig.error in responses
X-Git-Tag: v9.17.2~67^2~1^2~2
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=2d95c81452096478f0dbb071db21b2fba1df5bc1;p=thirdparty%2Fbind9.git
Only look at tsig.error in responses
---
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index 02a6775502b..c940469520e 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -1360,8 +1360,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 goto cleanup_context;
 }
 msg->verified_sig = 1;
- } else if (tsig.error != dns_tsigerror_badsig && tsig.error != dns_tsigerror_badkey)
+ } else if (!response || (tsig.error != dns_tsigerror_badsig && tsig.error != dns_tsigerror_badkey))
 {
 tsig_log(msg->tsigkey, 2, "signature was empty");
 return (DNS_R_TSIGVERIFYFAILURE);
@@ -1409,7 +1409,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 }
 }
- if (tsig.error != dns_rcode_noerror) {
+ if (response && tsig.error != dns_rcode_noerror) {
 msg->tsigstatus = tsig.error;
 if (tsig.error == dns_tsigerror_badtime) {
 ret = DNS_R_CLOCKSKEW;
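Review bot: The new `!response ||` term in the empty-signature branch of the first hunk carries no comment saying why tsig.error is consulted only for responses, and the reason is security-relevant: the field is filled in by the sender, so in a request it is untrusted input and must not excuse a missing signature. A comment above the branch would keep a later refactor from dropping the check, for example `/* tsig.error is sender-supplied; only a response may carry BADSIG/BADKEY with an empty signature. */`. The patch as shown touches only lib/dns/tsig.c, so a regression test that submits a request with an empty signature and a non-zero tsig.error would be worth adding with it. `response` is defined outside the hunk, and dns_tsig_verify starts and ends outside it.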
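Review bot: A request with a non-zero tsig.error is now skipped silently at the `if (response && tsig.error != dns_rcode_noerror)` line in the second hunk; nothing visible there records that the field was set and ignored. The commit title implies the field is meaningful only in responses, so a non-zero value in a request is likely malformed or probing traffic, and a debug-level log would give operators something to detect on, for example `if (!response && tsig.error != dns_rcode_noerror) { tsig_log(msg->tsigkey, 2, "ignoring tsig.error in request"); }` placed before this `if`. The block opened here closes outside the hunk, so whether later code already handles the request case is not visible.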