Fix forwarded TSIG message issue

The TSIG message was not validated correctly if the dns update message was forwarded by a slave.
The forwarded message get's a new ID, this means the TSIG signature is now invalid as the bytes that are calculated for the TSIG are different.
The TSIG record contains the original ID, so this replace the new id with the original ID and this makes the message valid again.

diff --git a/pdns/dnssecinfra.cc b/pdns/dnssecinfra.cc
index 6da34f85140f7bf6b99f2511e2156c095f68db57..7cba28121a87e70493aad94e8a9089a2aef8530e 100644 (file)
--- a/pdns/dnssecinfra.cc
+++ b/pdns/dnssecinfra.cc
@@ -539,10 +539,18 @@ string makeTSIGMessageFromTSIGPacket(const string& opacket, unsigned int tsigOff
   packet.resize(tsigOffset); // remove the TSIG record at the end as per RFC2845 3.4.1
   packet[(dnsHeaderOffset + sizeof(struct dnsheader))-1]--; // Decrease ARCOUNT because we removed the TSIG RR in the previous line.
   
+
+  // Replace the message ID with the original message ID from the TSIG record.
+  // This is needed for forwarded DNS Update as they get a new ID when forwarding (section 6.1 of RFC2136). The TSIG record stores the original ID and the
+  // signature was created with the original ID, so we replace it here to get the originally signed message.
+  char lo = trc.d_origID & 0xFF;
+  char hi = trc.d_origID >> 8;
+  packet[1] = lo;  
+  packet[0] = hi;
+
   if(!previous.empty()) {
     uint16_t len = htons(previous.length());
     message.append((char*)&len, 2);
-    
     message.append(previous);
   }