A TSIG noncompliance with RFC 2845

[zhouzoe]

• program: nsd

• issue type: bug report

• Description
  When nsd suth server receives a query TSIG and OPT RR, and the TSIG RR is not the last record in the additional section, the server return a response RCODE 9(NOTAUTH) or RCODE 0(with much information) instead of RCODE 1(FORMATERR).
  This is a noncompliance with RFC2845, as which says:

If an incoming message contains a TSIG record, it MUST be the last record in the additional section. Multiple TSIG records are not allowed. If a TSIG record is present in any other position, the packet is dropped and a response with RCODE
1 (FORMERR) MUST be returned.

• Environment
  operating system : ubuntu 18.04
  software version: NSD_4_3_4_RC1

• Expected response
  a response with RCODE 1 (FORMATERR).

• Actual response
  a response with RCODE 9 or RCODE 1.

[wcawijngaards]

The commit removes the backwards compatibility section where a TSIG before EDNS OPT was allowed by the code. This makes the code return FORMERR for TSIG before EDNS OPT in the additional section. This is also what RFC6891 and RFC8945 say should happen for this.