900526
From 09f1a6e812c02bd8bf1644e2253e21c26d25613a Mon Sep 17 00:00:00 2001
900526
From: Tomas Hozza <thozza@redhat.com>
900526
Date: Thu, 20 Feb 2014 11:01:00 +0100
900526
Subject: [PATCH] check TSIG key ID when receiving NOTIFY
900526
900526
Signed-off-by: Tomas Hozza <thozza@redhat.com>
900526
---
900526
 lib/dns/zone.c | 8 ++++++--
900526
 1 file changed, 6 insertions(+), 2 deletions(-)
900526
900526
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
900526
index 01ff97b..54b7896 100644
900526
--- a/lib/dns/zone.c
900526
+++ b/lib/dns/zone.c
900526
@@ -11846,6 +11846,8 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
900526
 	int match = 0;
900526
 	isc_netaddr_t netaddr;
900526
 	isc_sockaddr_t local, remote;
900526
+	dns_tsigkey_t *tsigkey;
900526
+	dns_name_t *tsig;
900526
 
900526
 	REQUIRE(DNS_ZONE_VALID(zone));
900526
 
900526
@@ -11928,10 +11930,12 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
900526
 
900526
 	/*
900526
 	 * Accept notify requests from non masters if they are on
900526
-	 * 'zone->notify_acl'.
900526
+	 * 'zone->notify_acl' or if used key ID match the ACLs.
900526
 	 */
900526
+	tsigkey = dns_message_gettsigkey(msg);
900526
+	tsig = dns_tsigkey_identity(tsigkey);
900526
 	if (i >= zone->masterscnt && zone->notify_acl != NULL &&
900526
-	    dns_acl_match(&netaddr, NULL, zone->notify_acl,
900526
+	    dns_acl_match(&netaddr, tsig, zone->notify_acl,
900526
 			  &zone->view->aclenv,
900526
 			  &match, NULL) == ISC_R_SUCCESS &&
900526
 	    match > 0)
900526
-- 
900526
1.8.5.3
900526