From fd683b01ce367a7e5986ddae11d6388e640278ca Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Wed, 9 Jun 2021 13:37:20 -0700
Subject: [PATCH 1/2] nsupdate: try next server on REFUSED when nsupdate sends an SOA query to a resolver, if it fails with REFUSED, nsupdate will now try the next server rather than aborting the update completely.
(cherry picked from commit 21003313070567e835204557961400bb6a0a78b4)
---
 bin/nsupdate/nsupdate.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 3b18892ba9..69bcfe0742 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -2661,6 +2661,17 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 return;
 }
 check_result(result, "dns_request_getresponse");
+
+ if (rcvmsg->rcode == dns_rcode_refused) {
+ next_server("recvsoa", addr, DNS_R_REFUSED);
+ dns_message_detach(&rcvmsg);
+ dns_request_destroy(&request);
+ dns_message_renderreset(soaquery);
+ dns_message_settsigkey(soaquery, NULL);
+ sendrequest(&servers[ns_inuse], soaquery, &request);
+ return;
+ }
+
 section = DNS_SECTION_ANSWER;
 POST(section);
 if (debugging) {
From e26db7cb9d383ca186dc8124004d5b56e457cf33 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Wed, 9 Jun 2021 14:58:48 -0700
Subject: [PATCH 2/2] CHANGES
(cherry picked from commit 693eb67af91aeeb9a427bcd44a2dc705d9352a37)
---
 CHANGES | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGES b/CHANGES
index d374179850..c9de9cfd9a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,9 @@ ``named`` now sets the DON'T FRAGMENT flag on outgoing UDP packets. [GL #2183]
+5665. [bug] 'nsupdate' did not retry with another server if
+ it received a REFUSED response. [GL #2758]
+
 5664. [func] Handle a UDP sending error on UDP messages larger than the path MTU; in such a case an empty response is sent back with the TC (TrunCated) bit set. Re-enable
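Review bot: In the new REFUSED branch of recvsoa() (bin/nsupdate/nsupdate.c), `sendrequest(&servers[ns_inuse], soaquery, &request);` indexes the server array straight after `next_server()` with no visible bound check. That is only safe if `next_server()` never returns once the list is exhausted; the function is outside this hunk, so state the guarantee at the call site, e.g. `/* next_server() does not return when no servers remain, so ns_inuse is a valid index here */`. The retry is also sent with `dns_message_settsigkey(soaquery, NULL)`, i.e. unsigned, so the rcode that drives the failover presumably comes from an unauthenticated reply; a one-line comment saying why that is acceptable for the SOA discovery step would help the next reviewer. Only REFUSED is retried here; whether other failure rcodes abort later in recvsoa() cannot be seen, since the function body starts and ends outside the hunk.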