891. [bug] Return an error when a SIG(0) signed response to

an unsigned query is seen.  This should actually
			do the verification, but it's not currently
			possible. [RT #1391]

CHANGES

@@ -1,3 +1,7 @@
+ 891.	[bug]		Return an error when a SIG(0) signed response to
+ 			an unsigned query is seen.  This should actually
+			do the verification, but it's not currently
+			possible. [RT #1391]
 
  890.	[cleanup]	The man pages no longer require the mandoc macros
 			and should now format cleanly using most versions of

lib/dns/dnssec.c

@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.67 2001/05/29 22:54:07 bwelling Exp $
+ * $Id: dnssec.c,v 1.68 2001/06/08 19:37:27 bwelling Exp $
  */
 
 
@@ -689,13 +689,15 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
 	REQUIRE(msg != NULL);
 	REQUIRE(key != NULL);
 
-	if (is_response(msg))
-		REQUIRE(msg->query.base != NULL);
-
 	mctx = msg->mctx;
 
 	msg->verify_attempted = 1;
 
+	if (is_response(msg)) {
+		if (msg->query == NULL)
+			return (DNS_R_UNEXPECTEDTSIG);
+	}
+
 	isc_buffer_usedregion(source, &source_r);
 
 	RETERR(dns_rdataset_first(msg->sig0));

lib/dns/result.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.c,v 1.89 2001/05/10 17:51:48 gson Exp $ */
+/* $Id: result.c,v 1.90 2001/06/08 19:37:29 bwelling Exp $ */
 
 #include <config.h>
 
@@ -80,8 +80,8 @@ static const char *text[DNS_R_NRESULTS] = {
 	"key is unauthorized to sign data",    /* 43 DNS_R_KEYUNAUTHORIZED   */
 	"invalid time",			       /* 44 DNS_R_INVALIDTIME	     */
 
-	"expected a TSIG",		       /* 45 DNS_R_EXPECTEDTSIG	     */
-	"did not expect a TSIG",	       /* 46 DNS_R_UNEXPECTEDTSIG    */
+	"expected a TSIG or SIG(0)",	       /* 45 DNS_R_EXPECTEDTSIG	     */
+	"did not expect a TSIG or SIG(0)",     /* 46 DNS_R_UNEXPECTEDTSIG    */
 	"TKEY is unacceptable",		       /* 47 DNS_R_INVALIDTKEY	     */
 	"hint",				       /* 48 DNS_R_HINT		     */
 	"drop",				       /* 49 DNS_R_DROP		     */