- xfr-tsig, fix tsig_verify_query.

testdata/tsig_test.1

@@ -49,9 +49,9 @@ c00e00f1bafa240f41ee9cbe507b9802e7070000
 0000
 endpacket
 
+tsig-verify-query test.key 1750419725 0 0 0
+
 # reply for www.example.net A
 #packet
 #e7078400000100010000000203777777076578616d706c65036e65740000010001c00c0001000100000e1000040a141e2800002904d00000000000000474657374036b65790000fa00ff00000000003a08686d61632d6d6435077369672d616c670372656703696e740000006855490d012c0010dc3c138476fcb04cc138aa5c59647b86e70700000000
 #endpacket
-#
-#tsig-verify-query test.key 1750419725 0 0 0

util/tsig.c

@@ -1053,6 +1053,9 @@ tsig_verify_query(struct tsig_data* tsig, struct sldns_buffer* pkt,
 		return LDNS_RCODE_SERVFAIL;
 	}
 	sldns_buffer_write_u16_at(pkt, 0, rr->original_query_id);
+	LDNS_ARCOUNT_SET( sldns_buffer_begin(pkt)
+	                , LDNS_ARCOUNT(sldns_buffer_begin(pkt)) - 1);
+	sldns_buffer_set_position(pkt, rr->tsig_pos);
 
 	/* Write the key name uncompressed */
 	sldns_buffer_write(&var, key->name, key->name_len);
@@ -1138,6 +1141,7 @@ tsig_parse(struct sldns_buffer* pkt, struct tsig_record* rr)
 		verbose(VERB_ALGO, "tsig_verify_query: packet too short");
 		return LDNS_RCODE_FORMERR;
 	}
+	rr->tsig_pos = sldns_buffer_position(pkt);
 	rr->key_name = sldns_buffer_current(pkt);
 	rr->key_name_len = pkt_dname_len(pkt);
 	if(rr->key_name_len == 0) {

util/tsig.h

@@ -57,6 +57,9 @@ struct tsig_record {
 	uint8_t* key_name;
 	/** length of the key_name */
 	size_t key_name_len;
+	/** the position of the TSIG RR in the packet, it is before the owner
+	 * name. */
+	size_t tsig_pos;
 	/** the algorithm name, as a domain name. */
 	uint8_t* algorithm_name;
 	/** length of the algorithm_name */