Description
We've encountered a bug with how DNSJAVA verifies the transaction signature of large responses.
In our environment, we can successfully perform an AXFR for a small zone (22 line zone file, 2096 bytes on the wire). But we get a TSIG-related error (org.xbill.DNS.ZoneTransferException: TSIG failure: BADSIG) when transferring a larger zone (7855 line zone file, 400k on the wire).
This bug was introduced between versions 3.1.0 and 3.20. The TSIG class saw a significant rework there, and the interactions between the TSIG.StreamVerifier class and the TSIG.verify() method were broken then -- although seemingly only in cases where the signed response encompassed multiple messages.
While investigating this, we developed a patch for 3.5.2 that we would be happy to submit as a pull request (or, really, help get this fixed some other way).