
github.com/certbot/certbot.git
author: Phil Martin <root@frillip.com>, 2022-10-14 00:52:08 +0300
committer: GitHub <noreply@github.com>, 2022-10-14 00:52:08 +0300
commit: 92aaa9703b2f415ae0afd3fb66a3e569e41b4853
tree: 5dc6886ebc2a1ca2d6318de8500e1ef902b64e15
parent: e84271b36b530099a9c1d8de20d13148b99cb8a8

TSIG SOA query fix (#9408)

* Use the TSIG keyring for the initial SOA request

  Helps allow the use of keys in BIND ACLs to help certbot update the correct zone. Previously TSIG was only used for zone updates, rather than for both the authoritative SOA request and zone update.

* Update CHANGELOG.md

* Update AUTHORS.md

* Workaround for mypy failure due to dnspython stubs

  As per https://github.com/certbot/certbot/pull/9408#issuecomment-1257868864

Co-authored-by: Alex Zorin <alex@zorin.id.au>

-rw-r--r-- AUTHORS.md 1
-rw-r--r-- certbot-dns-rfc2136/certbot_dns_rfc2136/_internal/dns_rfc2136.py 2
-rw-r--r-- certbot/CHANGELOG.md 2
3 files changed, 4 insertions, 1 deletions
diff --git a/AUTHORS.md b/AUTHORS.md
index f8708dde1..4b8dd9e73 100644
--- a/AUTHORS.md
+++ b/AUTHORS.md
@@ -210,6 +210,7 @@ Authors
* [Peter Conrad](https://github.com/pconrad-fb)
* [Peter Eckersley](https://github.com/pde)
* [Peter Mosmans](https://github.com/PeterMosmans)
+* [Phil Martin](https://github.com/frillip)
* [Philippe Langlois](https://github.com/langloisjp)
* [Philipp Spitzer](https://github.com/spitza)
* [Piero Steinger](https://github.com/Jadaw1n)
diff --git a/certbot-dns-rfc2136/certbot_dns_rfc2136/_internal/dns_rfc2136.py b/certbot-dns-rfc2136/certbot_dns_rfc2136/_internal/dns_rfc2136.py
index 8cf6d9966..2c52486e2 100644
--- a/certbot-dns-rfc2136/certbot_dns_rfc2136/_internal/dns_rfc2136.py
+++ b/certbot-dns-rfc2136/certbot_dns_rfc2136/_internal/dns_rfc2136.py
@@ -216,6 +216,8 @@ class _RFC2136Client:
request = dns.message.make_query(domain, dns.rdatatype.SOA, dns.rdataclass.IN)
# Turn off Recursion Desired bit in query
request.flags ^= dns.flags.RD
+ # Use our TSIG keyring
+ request.use_tsig(self.keyring, algorithm=self.algorithm) # type: ignore[attr-defined]
try:
try:
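Review bot: the new `request.use_tsig(self.keyring, algorithm=self.algorithm)` call has no test behind it. The diffstat lists only AUTHORS.md, dns_rfc2136.py and CHANGELOG.md, so nothing asserts that the SOA query is now built with the keyring and algorithm; a unit test on the query construction would keep this from regressing silently. The visible context stops at the nested `try:`, so it is not clear from this hunk how a server rejecting the key is reported; it is worth confirming that a TSIG failure on the SOA lookup surfaces as a key problem rather than as a missing authoritative SOA. Two smaller points: the `# type: ignore[attr-defined]` should carry a short note naming the dnspython stub limitation it works around so it can be dropped later, and the `# Use our TSIG keyring` comment would be more useful if it said why (the server may pick the view or zone from the key).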
diff --git a/certbot/CHANGELOG.md b/certbot/CHANGELOG.md
index 231f5c453..9403209dc 100644
--- a/certbot/CHANGELOG.md
+++ b/certbot/CHANGELOG.md
@@ -10,7 +10,7 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).
### Changed
-*
+* DNS RFC2136 module now uses the TSIG key to check for an authoritative SOA record. Helps the use of split-horizon and multiple views in BIND9 using the key in an ACL to determine which view to use.
### Fixed
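Review bot: the added CHANGELOG entry's second sentence ("Helps the use of split-horizon ...") is a fragment and does not tell existing users what changes for them. Suggest rewording it to say that the SOA lookup is now TSIG-signed with the configured key, which lets BIND9 select the view through a key-based ACL, and, if it applies, noting that the key now has to be accepted for queries as well as for updates.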