* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: update.c,v 1.185 2010/12/09 06:17:33 marka Exp $ */
+/* $Id: update.c,v 1.186 2010/12/18 01:56:19 each Exp $ */
#include <config.h>
#include <dns/rdatatype.h>
#include <dns/soa.h>
#include <dns/ssu.h>
+#include <dns/tsig.h>
#include <dns/view.h>
#include <dns/zone.h>
#include <dns/zt.h>
/* The ssu table to check against. */
dns_ssutable_t *table;
+
+ /* the key used for TKEY requests */
+ dst_key_t *key;
} ssu_check_t;
static isc_result_t
return (ISC_R_SUCCESS);
result = dns_ssutable_checkrules(ssuinfo->table, ssuinfo->signer,
ssuinfo->name, ssuinfo->tcpaddr,
- rrset->type);
+ rrset->type, ssuinfo->key);
return (result == ISC_TRUE ? ISC_R_SUCCESS : ISC_R_FAILURE);
}
static isc_boolean_t
ssu_checkall(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
dns_ssutable_t *ssutable, dns_name_t *signer,
- isc_netaddr_t *tcpaddr)
+ isc_netaddr_t *tcpaddr, dst_key_t *key)
{
isc_result_t result;
ssu_check_t ssuinfo;
ssuinfo.table = ssutable;
ssuinfo.signer = signer;
ssuinfo.tcpaddr = tcpaddr;
+ ssuinfo.key = key;
result = foreach_rrset(db, ver, name, ssu_checkrule, &ssuinfo);
return (ISC_TF(result == ISC_R_SUCCESS));
}
switch(dns_zone_gettype(zone)) {
case dns_zone_master:
+ case dns_zone_dlz:
/*
* We can now fail due to a bad signature as we now know
* that we are the master.
if (ssutable != NULL) {
isc_netaddr_t *tcpaddr, netaddr;
+ dst_key_t *tsigkey = NULL;
/*
* If this is a TCP connection then pass the
* address of the client through for tcp-self
tcpaddr = &netaddr;
} else
tcpaddr = NULL;
+
+ if (client->message->tsigkey != NULL)
+ tsigkey = client->message->tsigkey->key;
+
if (rdata.type != dns_rdatatype_any) {
if (!dns_ssutable_checkrules(ssutable,
client->signer,
name, tcpaddr,
- rdata.type))
+ rdata.type,
+ tsigkey))
FAILC(DNS_R_REFUSED,
"rejected by secure update");
} else {
if (!ssu_checkall(db, ver, name, ssutable,
- client->signer, tcpaddr))
+ client->signer, tcpaddr,
+ tsigkey))
FAILC(DNS_R_REFUSED,
"rejected by secure update");
}