cvs updates from Mon Dec 20 21:24:21 EST 2010

[tridge/bind9.git] / bin / named / update.c

diff --git a/bin/named/update.c b/bin/named/update.c
index 81247733053836655b45f6427285ccf9dc3be244..a31a88ae58a894b0fc575d1a225e7f4aac706d9b 100644 (file)
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.185 2010/12/09 06:17:33 marka Exp $ */
+/* $Id: update.c,v 1.186 2010/12/18 01:56:19 each Exp $ */
 
 #include <config.h>
 
@@ -46,6 +46,7 @@
 #include <dns/rdatatype.h>
 #include <dns/soa.h>
 #include <dns/ssu.h>
+#include <dns/tsig.h>
 #include <dns/view.h>
 #include <dns/zone.h>
 #include <dns/zt.h>
@@ -851,6 +852,9 @@ typedef struct {
 
        /* The ssu table to check against. */
        dns_ssutable_t *table;
+
+       /* the key used for TKEY requests */
+       dst_key_t *key;
 } ssu_check_t;
 
 static isc_result_t
@@ -867,14 +871,14 @@ ssu_checkrule(void *data, dns_rdataset_t *rrset) {
                return (ISC_R_SUCCESS);
        result = dns_ssutable_checkrules(ssuinfo->table, ssuinfo->signer,
                                         ssuinfo->name, ssuinfo->tcpaddr,
-                                        rrset->type);
+                                        rrset->type, ssuinfo->key);
        return (result == ISC_TRUE ? ISC_R_SUCCESS : ISC_R_FAILURE);
 }
 
 static isc_boolean_t
 ssu_checkall(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
             dns_ssutable_t *ssutable, dns_name_t *signer,
-            isc_netaddr_t *tcpaddr)
+            isc_netaddr_t *tcpaddr, dst_key_t *key)
 {
        isc_result_t result;
        ssu_check_t ssuinfo;
@@ -883,6 +887,7 @@ ssu_checkall(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
        ssuinfo.table = ssutable;
        ssuinfo.signer = signer;
        ssuinfo.tcpaddr = tcpaddr;
+       ssuinfo.key = key;
        result = foreach_rrset(db, ver, name, ssu_checkrule, &ssuinfo);
        return (ISC_TF(result == ISC_R_SUCCESS));
 }
@@ -2719,6 +2724,7 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
 
        switch(dns_zone_gettype(zone)) {
        case dns_zone_master:
+       case dns_zone_dlz:
                /*
                 * We can now fail due to a bad signature as we now know
                 * that we are the master.
@@ -3744,6 +3750,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 
                if (ssutable != NULL) {
                        isc_netaddr_t *tcpaddr, netaddr;
+                       dst_key_t *tsigkey = NULL;
                        /*
                         * If this is a TCP connection then pass the
                         * address of the client through for tcp-self
@@ -3756,16 +3763,22 @@ update_action(isc_task_t *task, isc_event_t *event) {
                                tcpaddr = &netaddr;
                        } else
                                tcpaddr = NULL;
+
+                       if (client->message->tsigkey != NULL)
+                               tsigkey = client->message->tsigkey->key;
+
                        if (rdata.type != dns_rdatatype_any) {
                                if (!dns_ssutable_checkrules(ssutable,
                                                             client->signer,
                                                             name, tcpaddr,
-                                                            rdata.type))
+                                                            rdata.type,
+                                                            tsigkey))
                                        FAILC(DNS_R_REFUSED,
                                              "rejected by secure update");
                        } else {
                                if (!ssu_checkall(db, ver, name, ssutable,
-                                                 client->signer, tcpaddr))
+                                                 client->signer, tcpaddr,
+                                                 tsigkey))
                                        FAILC(DNS_R_REFUSED,
                                              "rejected by secure update");
                        }