From 311918e5a6862eda1ee5a46423bb866aa9c64eb2 Mon Sep 17 00:00:00 2001
From: Brian Wellington
Date: Sat, 27 May 2000 00:07:52 +0000
Subject: [PATCH] Don't allow dynamic updates of SIG records, since it either leaves the database in an inconsistent state or fails when it shouldn't. This will be supported at some point, but it's better to flat out refuse than fail badly.
---
 bin/named/update.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/bin/named/update.c b/bin/named/update.c
index afa1aa5c43..fd1306c683 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -2069,10 +2069,17 @@ update_action(isc_task_t *task, isc_event_t *event) {
 * "Unlike traditional dynamic update, the client
 * is forbidden from updating NXT records."
 */
- if (dns_db_issecure(db) && rdata.type == dns_rdatatype_nxt) {
- FAILC(DNS_R_REFUSED,
- "explicit NXT updates are not allowed "
- "in secure zones");
+ if (dns_db_issecure(db)) {
+ if (rdata.type == dns_rdatatype_nxt) {
+ FAILC(DNS_R_REFUSED,
+ "explicit NXT updates are not allowed "
+ "in secure zones");
+ }
+ else if (rdata.type == dns_rdatatype_sig) {
+ FAILC(DNS_R_REFUSED,
+ "explicit SIG updates are currently not "
+ "supported in secure zones");
+ }
 }
 if (ssutable != NULL && client->signer != NULL) {
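Review bot: The new `dns_rdatatype_sig` branch sits under a comment that quotes only the draft's NXT rule, so the reason SIG updates are refused is recorded only in the commit message. I would add a comment above the `else if`, for example `/* XXX: SIG updates are refused for now; applying them either leaves the database inconsistent or fails spuriously. */`, so the temporary restriction is easy to find when support is added. Both branches match on `rdata.type` alone, so they cover only updates that name NXT or SIG explicitly. Whether an update that deletes every RRset at a name in a secure zone is handled elsewhere cannot be seen here, because the body of `update_action` continues outside the hunk. As a style point, the `}` and `else if` are on separate lines; `} else if (...) {` would match the brace placement of the surrounding `if` statements.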