Changeset 2148

Timestamp:

04/09/11 20:29:01 (2 years ago)

Author:

ahu

Message:

sligthly improve error messages on checking the TSIG signatures on incoming zone transfers

Files:

• trunk/pdns/pdns/resolver.cc (modified) (1 diff)

trunk/pdns/pdns/resolver.cc

@@ -383 +383 @@
         theirMac = boost::dynamic_pointer_cast<TSIGRecordContent>(answer.first.d_content)->d_mac;
     }
+    if(theirMac.empty())
+      throw ResolverException("No TSIG on AXFR response from "+d_remote.toStringWithPort()+" , should be signed with TSIG key '"+d_tsigkeyname+"'");
+      
     string message = makeTSIGMessageFromTSIGPacket(string(d_buf.get(), len), mdp.getTSIGPos(), d_tsigkeyname, d_trc, d_trc.d_mac, false); // insert our question MAC
     string ourMac=calculateMD5HMAC(d_tsigsecret, message);
     // ourMac[0]++; // sabotage
     if(ourMac != theirMac)
-      throw ResolverException("AXFR response from "+d_remote.toStringWithPort()+" was not signed correctly with TSIG key '"+d_tsigkeyname+"'");
+      throw ResolverException("Signature failed to validate on AXFR response from "+d_remote.toStringWithPort()+" signed with TSIG key '"+d_tsigkeyname+"'");
   }