TSIG SOA query fix (#9408)

* Use the TSIG keyring for the initial SOA request Helps allow the use of keys in BIND ACLs to help certbot update the correct zone. Previously TSIG was only used for zone updates, rather than for both the authoritative SOA request and zone update. * Update CHANGELOG.md * Update AUTHORS.md * Workaround for mypy failure due to dnspython stubs As per https://github.com/certbot/certbot/pull/9408#issuecomment-1257868864 Co-authored-by: Alex Zorin <alex@zorin.id.au>
author: Phil Martin <root@frillip.com> 2022-10-14 00:52:08 +0300
committer: GitHub <noreply@github.com> 2022-10-14 00:52:08 +0300
commit: 92aaa9703b2f415ae0afd3fb66a3e569e41b4853 (patch)
tree: 5dc6886ebc2a1ca2d6318de8500e1ef902b64e15 /certbot-dns-rfc2136
parent: e84271b36b530099a9c1d8de20d13148b99cb8a8 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/certbot-dns-rfc2136/certbot_dns_rfc2136/_internal/dns_rfc2136.py b/certbot-dns-rfc2136/certbot_dns_rfc2136/_internal/dns_rfc2136.py
index 8cf6d9966..2c52486e2 100644
--- a/certbot-dns-rfc2136/certbot_dns_rfc2136/_internal/dns_rfc2136.py
+++ b/certbot-dns-rfc2136/certbot_dns_rfc2136/_internal/dns_rfc2136.py
@@ -216,6 +216,8 @@ class _RFC2136Client:
         request = dns.message.make_query(domain, dns.rdatatype.SOA, dns.rdataclass.IN)
         # Turn off Recursion Desired bit in query
         request.flags ^= dns.flags.RD
+        # Use our TSIG keyring
+        request.use_tsig(self.keyring, algorithm=self.algorithm) # type: ignore[attr-defined]
 
         try:
             try:
author	Phil Martin <root@frillip.com>	2022-10-14 00:52:08 +0300
committer	GitHub <noreply@github.com>	2022-10-14 00:52:08 +0300
commit	92aaa9703b2f415ae0afd3fb66a3e569e41b4853 (patch)
tree	5dc6886ebc2a1ca2d6318de8500e1ef902b64e15 /certbot-dns-rfc2136
parent	e84271b36b530099a9c1d8de20d13148b99cb8a8 (diff)