re-do #1047

1047.  [bug]           named was incorrectly refusing all requests signed
                       with a TSIG key derived from an unsigned TKEY
                       negotiation with a NOERROR response.  [RT #1886]

CHANGES

@@ -1,10 +1,9 @@
 1048.	[bug]		Servers built with -DISC_MEM_USE_INTERNAL_MALLOC=1
 			didn't work.
 
-1047.	[bug]		When a request was refused due to being signed with
+1047.	[bug]		named was incorrectly refusing all requests signed
-			a TSIG key derived from an unsigned TKEY negotiation,
+			with a TSIG key derived from an unsigned TKEY
-			the response could have an rcode of SUCCESS rather
+			negotiation with a NOERROR response.  [RT #1886]
-			than REFUSED. [RT #1886]
 
 1046.	[bug]		The help message for the --with-openssl configure
 			option was inaccurate. [RT #1880]

bin/named/client.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.c,v 1.184 2001/10/11 22:45:20 gson Exp $ */
+/* $Id: client.c,v 1.185 2001/10/12 03:58:04 marka Exp $ */
 
 #include <config.h>
 
@@ -1357,17 +1357,6 @@ client_request(isc_task_t *task, isc_event_t *event) {
 		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
 			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
 			      "request is signed by a nonauthoritative key");
-		sigresult = DNS_R_REFUSED;
-		/*
-		 * Accept update messages signed by unknown keys so that
-		 * update forwarding works transparently through slaves
-		 * that don't have all the same keys as the master.
-		 */
-		if (!(client->message->tsigstatus == dns_tsigerror_badkey &&
-		      client->message->opcode == dns_opcode_update)) {
-			ns_client_error(client, sigresult);
-			goto cleanup;
-		}
 	} else {
 		/* There is a signature, but it is bad. */
 		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,