From: W.C.A. Wijngaards Date: Thu, 31 Jul 2025 12:43:43 +0000 (+0200) Subject: - xfr-tsig, primary-tsig: addr tsig and allow-notify-tsig: addr tsig. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6634b8bcc537810e21375092a438502bf14b9d2b;p=thirdparty%2Funbound.git - xfr-tsig, primary-tsig: addr tsig and allow-notify-tsig: addr tsig.
---
diff --git a/daemon/remote.c b/daemon/remote.c
index c17254bb5..22475c468 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -4696,6 +4696,8 @@ getmem_config_auth(struct config_auth* p)
 + getmem_config_strlist(s->masters)
 + getmem_config_strlist(s->urls)
 + getmem_config_strlist(s->allow_notify)
+ + getmem_config_str2list(s->masters_tsig)
+ + getmem_config_str2list(s->allow_notify_tsig)
 + getmem_str(s->zonefile)
 + s->rpz_taglistlen
 + getmem_str(s->rpz_action_override)
@@ -4947,6 +4949,12 @@ xfr_auth_master_equal(struct auth_master* m1, struct auth_master* m2)
 return 0;
 if(m1->port != m2->port)
 return 0;
+
+ if((m1->tsig_key_name && !m2->tsig_key_name) || (!m1->tsig_key_name && m2->tsig_key_name))
+ return 0;
+ if(m1->tsig_key_name && m2->tsig_key_name && strcmp(m1->tsig_key_name, m2->tsig_key_name) != 0)
+ return 0;
+
 return 1;
 }
 
diff --git a/doc/example.conf.in b/doc/example.conf.in
index bdfdc6450..cb8a24e38 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -1226,7 +1226,8 @@ remote-control:
 # authoritatively. zonefile: reads from file (and writes to it if you also
 # download it), primary: fetches with AXFR and IXFR, or url to zonefile.
 # With allow-notify: you can give additional (apart from primaries and urls)
-# sources of notifies.
+# sources of notifies. primary-tsig: and allow-notify-tsig: use addr keyname,
+# with the name of the TSIG key to use, declared as a tsig-key:.
 # auth-zone:
 # name: "."
 # primary: 170.247.170.2 # b.root-servers.net
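Review bot: The tsig_key_name comparison added at the end of xfr_auth_master_equal can be written as one NULL-ness test plus one strcmp, `if((m1->tsig_key_name == NULL) != (m2->tsig_key_name == NULL)) return 0;` followed by `if(m1->tsig_key_name && strcmp(m1->tsig_key_name, m2->tsig_key_name) != 0) return 0;`, which drops the redundant `m2->tsig_key_name &&` in the second condition once the first has established that both are set or both are unset. Comparing the configured spelling byte-for-byte is the safe direction for this function: a difference that is only in case can at most report the masters as unequal and cause a reconfigure, never treat a changed key binding as unchanged. The start of xfr_auth_master_equal is outside the hunk.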
@@ -1405,6 +1406,7 @@ remote-control:
 # and drop. Policies can be loaded from a file, or using zone
 # transfer, or using HTTP. The respip module needs to be added
 # to the module-config, e.g.: module-config: "respip validator iterator".
+# Can also use primary-tsig: and allow-notify-tsig:
 # rpz:
 # name: "rpz.example.com"
 # zonefile: "rpz.example.com"
diff --git a/doc/unbound.conf.rst b/doc/unbound.conf.rst
index c1a8406e5..522542e21 100644
--- a/doc/unbound.conf.rst
+++ b/doc/unbound.conf.rst
@@ -3691,6 +3691,12 @@ fallback activates to fetch from the upstream instead of the SERVFAIL. Alternate syntax for :ref:`primary`. +@@UAHL@unbound.conf.auth@primary-tsig@@: ** ** + Similar to :ref:`primary` and the tsig key + is used for TSIG. + The key name is from a :ref:`tsig-key` entry. + + @@UAHL@unbound.conf.auth@url@@: ** Where to download a zonefile for the zone. With HTTP or HTTPS.
@@ -3737,6 +3743,12 @@ fallback activates to fetch from the upstream instead of the SERVFAIL. default. +@@UAHL@unbound.conf.auth@allow-notify-tsig@@: ** ** + Similar to :ref:`allow-notify` and the + tsig key is used for TSIG. + The key name is from a :ref:`tsig-key` entry. + + @@UAHL@unbound.conf.auth@fallback-enabled@@: ** If enabled, Unbound falls back to querying the internet as a resolver for this zone when lookups fail.
@@ -4840,6 +4852,12 @@ The RPZ zones can be configured in the config file with these settings in the Alternate syntax for :ref:`primary`. +@@UAHL@unbound.conf.rpz@primary-tsig@@: ** ** + Similar to :ref:`primary` and the tsig key + is used for TSIG. + The key name is from a :ref:`tsig-key` entry. + + @@UAHL@unbound.conf.rpz@url@@: ** Where to download a zonefile for the zone. With HTTP or HTTPS.
@@ -4877,6 +4895,12 @@ The RPZ zones can be configured in the config file with these settings in the default. +@@UAHL@unbound.conf.rpz@allow-notify-tsig@@: ** ** + Similar to :ref:`allow-notify` and the + tsig key is used for TSIG. + The key name is from a :ref:`tsig-key` entry. + + @@UAHL@unbound.conf.rpz@zonefile@@: ** The filename where the zone is stored. If not given then no zonefile is used.
diff --git a/services/authzone.c b/services/authzone.c
index 591a76cd9..e59d384f2 100644
--- a/services/authzone.c
+++ b/services/authzone.c
@@ -2110,7 +2110,7 @@ auth_zones_cfg(struct auth_zones* az, struct config_auth* c)
 }
 return 0;
 }
- if(c->masters || c->urls) {
+ if(c->masters || c->masters_tsig || c->urls) {
 if(!(x=auth_zones_find_or_add_xfer(az, z))) {
 lock_rw_unlock(&az->lock);
 lock_rw_unlock(&z->lock);
@@ -2312,6 +2312,7 @@ auth_free_masters(struct auth_master* list)
 auth_free_master_addrs(list->list);
 free(list->host);
 free(list->file);
+ free(list->tsig_key_name);
 free(list);
 list = n;
 }
@@ -3978,9 +3979,20 @@ auth_master_copy(struct auth_master* o)
 return NULL;
 }
 }
+ if(m->tsig_key_name) {
+ m->tsig_key_name = strdup(m->tsig_key_name);
+ if(!m->tsig_key_name) {
+ free(m->file);
+ free(m->host);
+ free(m);
+ log_err("malloc failure");
+ return NULL;
+ }
+ }
 if(m->list) {
 m->list = auth_addr_list_copy(m->list);
 if(!m->list) {
+ free(m->tsig_key_name);
 free(m->file);
 free(m->host);
 free(m);
@@ -7278,6 +7290,7 @@ xfer_set_masters(struct auth_master** list, struct config_auth* c,
 {
 struct auth_master* m;
 struct config_strlist* p;
+ struct config_str2list* p2;
 /* list points to the first, or next pointer for the new element */
 while(*list) {
 list = &( (*list)->next );
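Review bot: The new block in auth_master_copy reads `m->tsig_key_name = strdup(m->tsig_key_name)`, which only makes sense because `m` at this point is presumably a field-wise copy of `o` whose string pointers still alias `o`'s allocations (the copy itself happens before the hunk); a one-line comment such as `/* m still aliases o's strings; dup the owned ones so both can be freed */` at the top of the block would spare the next reader that deduction. The ordering inside the hunk matters for the same reason: the `free(m->tsig_key_name)` added to the list-copy failure path is only safe because the strdup above has already replaced the aliased pointer or set it to NULL, so any later reordering of these blocks must keep the strdup first. The same `free(m->file); free(m->host); free(m);` sequence now appears a third time; if this function is touched again, a single cleanup label reached only after each string has been made owned or NULL would keep the failure paths in step.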
@@ -7300,6 +7313,21 @@ xfer_set_masters(struct auth_master** list, struct config_auth* c,
 return 0;
 }
 }
+ for(p2 = c->masters_tsig; p2; p2 = p2->next) {
+ m = auth_master_new(&list);
+ if(!m) return 0;
+ m->ixfr = 1; /* this flag is not configurable */
+ m->host = strdup(p2->str);
+ if(!m->host) {
+ log_err("malloc failure");
+ return 0;
+ }
+ m->tsig_key_name = strdup(p2->str2);
+ if(!m->tsig_key_name) {
+ log_err("malloc failure");
+ return 0;
+ }
+ }
 for(p = c->allow_notify; p; p = p->next) {
 m = auth_master_new(&list);
 if(!m) return 0;
@@ -7310,6 +7338,21 @@ xfer_set_masters(struct auth_master** list, struct config_auth* c,
 return 0;
 }
 }
+ for(p2 = c->allow_notify_tsig; p2; p2 = p2->next) {
+ m = auth_master_new(&list);
+ if(!m) return 0;
+ m->allow_notify = 1;
+ m->host = strdup(p2->str);
+ if(!m->host) {
+ log_err("malloc failure");
+ return 0;
+ }
+ m->tsig_key_name = strdup(p2->str2);
+ if(!m->tsig_key_name) {
+ log_err("malloc failure");
+ return 0;
+ }
+ }
 return 1;
 }
 
@@ -8645,6 +8688,8 @@ auth_primaries_get_mem(struct auth_master* list)
 m += strlen(n->host)+1;
 if(n->file)
 m += strlen(n->file)+1;
+ if(n->tsig_key_name)
+ m += strlen(n->tsig_key_name)+1;
 }
 return m;
 }
diff --git a/services/authzone.h b/services/authzone.h
index b11e7f144..00e6343f2 100644
--- a/services/authzone.h
+++ b/services/authzone.h
@@ -457,6 +457,8 @@ struct auth_master {
 int ssl;
 /** the port number (for urls) */
 int port;
+ /** the tsig key name (if any, or NULL) */
+ char* tsig_key_name;
 /** if the host is a hostname, the list of resolved addrs, if any*/
 struct auth_addr* list;
 };
diff --git a/util/config_file.c b/util/config_file.c
index 89e8760ce..a862c6a65 100644
--- a/util/config_file.c
+++ b/util/config_file.c
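Review bot: The two loops added to xfer_set_masters duplicate the bodies of the existing `masters` and `allow_notify` loops with two extra statements each, so four near-identical blocks now build the list and any change to the error handling has to be repeated four times; a static helper that does the `auth_master_new`, the `strdup` of the host and the optional `strdup` of the key name, returning NULL after `log_err`, reduces each loop to the helper call plus the one flag it sets. Separately, `p2->str2` is stored verbatim without any check that a `tsig-key:` of that name exists; I cannot see from this hunk whether that is resolved at config-apply time or only when a transfer or notify is attempted, and in the latter case a misspelled key name would surface as failed transfers rather than as a configuration error, so a validation pass, or at least a comment naming where the key is resolved, is worth adding. xfer_set_masters starts before this hunk and the `masters`/`allow_notify` loops it mirrors are only partly visible.
```c
/* Append a master for host to list; tsig_key_name may be NULL.
 * Returns NULL after log_err on malloc failure; as in the current
 * loops the partially filled element is already linked into list. */
static struct auth_master*
xfer_master_add(struct auth_master*** list, const char* host,
	const char* tsig_key_name)
{
	struct auth_master* m = auth_master_new(list);
	if(!m) return NULL;
	m->host = strdup(host);
	if(!m->host) {
		log_err("malloc failure");
		return NULL;
	}
	if(tsig_key_name) {
		m->tsig_key_name = strdup(tsig_key_name);
		if(!m->tsig_key_name) {
			log_err("malloc failure");
			return NULL;
		}
	}
	return m;
}

/* … unchanged: xfer_set_masters up to the masters_tsig loop … */
	for(p2 = c->masters_tsig; p2; p2 = p2->next) {
		if(!(m = xfer_master_add(&list, p2->str, p2->str2)))
			return 0;
		m->ixfr = 1; /* this flag is not configurable */
	}
/* … unchanged: allow_notify loop … */
	for(p2 = c->allow_notify_tsig; p2; p2 = p2->next) {
		if(!(m = xfer_master_add(&list, p2->str, p2->str2)))
			return 0;
		m->allow_notify = 1;
	}
```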
@@ -1641,6 +1641,8 @@ config_delauth(struct config_auth* p)
 config_delstrlist(p->masters);
 config_delstrlist(p->urls);
 config_delstrlist(p->allow_notify);
+ config_deldblstrlist(p->masters_tsig);
+ config_deldblstrlist(p->allow_notify_tsig);
 free(p->zonefile);
 free(p->rpz_taglist);
 free(p->rpz_action_override);
diff --git a/util/config_file.h b/util/config_file.h
index 9e6314561..f512cde54 100644
--- a/util/config_file.h
+++ b/util/config_file.h
@@ -848,6 +848,10 @@ struct config_auth {
 struct config_strlist* urls;
 /** list of allow-notify */
 struct config_strlist* allow_notify;
+ /** list of masters with tsig key */
+ struct config_str2list* masters_tsig;
+ /** list of allow-notify with tsig key */
+ struct config_str2list* allow_notify_tsig;
 /** zonefile (or NULL) */
 char* zonefile;
 /** provide downstream answers */
diff --git a/util/configlexer.lex b/util/configlexer.lex
index d415e7a04..9ddc5c1bc 100644
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@@ -361,8 +361,11 @@ rpz-signal-nxdomain-ra{COLON} { YDVAR(1, VAR_RPZ_SIGNAL_NXDOMAIN_RA) }
 zonefile{COLON} { YDVAR(1, VAR_ZONEFILE) }
 master{COLON} { YDVAR(1, VAR_MASTER) }
 primary{COLON} { YDVAR(1, VAR_MASTER) }
+master-tsig{COLON} { YDVAR(2, VAR_MASTER_TSIG) }
+primary-tsig{COLON} { YDVAR(2, VAR_MASTER_TSIG) }
 url{COLON} { YDVAR(1, VAR_URL) }
 allow-notify{COLON} { YDVAR(1, VAR_ALLOW_NOTIFY) }
+allow-notify-tsig{COLON} { YDVAR(2, VAR_ALLOW_NOTIFY_TSIG) }
 for-downstream{COLON} { YDVAR(1, VAR_FOR_DOWNSTREAM) }
 for-upstream{COLON} { YDVAR(1, VAR_FOR_UPSTREAM) }
 fallback-enabled{COLON} { YDVAR(1, VAR_FALLBACK_ENABLED) }
diff --git a/util/configparser.y b/util/configparser.y
index 9638740c9..0233ec30c 100644
--- a/util/configparser.y
+++ b/util/configparser.y
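Review bot: The lexer accepts `master-tsig:` as well as `primary-tsig:` (both produce VAR_MASTER_TSIG), but the unbound.conf.rst and example.conf.in hunks in this commit describe only `primary-tsig:` and `allow-notify-tsig:`, so the alias exists without documentation; either drop the `master-tsig{COLON}` rule or document it the way the existing `master:` entry is documented ("Alternate syntax for primary"). Since the alias presumably mirrors the `master:`/`primary:` pair on the lines above it, documenting it is the smaller change.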
@@ -192,6 +192,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_CACHEDB_REDISCONNECTTIMEOUT VAR_CACHEDB_REDISREPLICACONNECTTIMEOUT
 %token VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM VAR_FOR_UPSTREAM
 %token VAR_AUTH_ZONE VAR_ZONEFILE VAR_MASTER VAR_URL VAR_FOR_DOWNSTREAM
+%token VAR_MASTER_TSIG VAR_ALLOW_NOTIFY_TSIG
 %token VAR_FALLBACK_ENABLED VAR_TLS_ADDITIONAL_PORT VAR_LOW_RTT VAR_LOW_RTT_PERMIL
 %token VAR_FAST_SERVER_PERMIL VAR_FAST_SERVER_NUM
 %token VAR_ALLOW_NOTIFY VAR_TLS_WIN_CERT VAR_TCP_CONNECTION_LIMIT
@@ -465,9 +466,10 @@ authstart: VAR_AUTH_ZONE
 ;
 contents_auth: contents_auth content_auth
 | ;
-content_auth: auth_name | auth_zonefile | auth_master | auth_url |
- auth_for_downstream | auth_for_upstream | auth_fallback_enabled |
- auth_allow_notify | auth_zonemd_check | auth_zonemd_reject_absence
+content_auth: auth_name | auth_zonefile | auth_master | auth_master_tsig |
+ auth_url | auth_for_downstream | auth_for_upstream |
+ auth_fallback_enabled | auth_allow_notify | auth_allow_notify_tsig |
+ auth_zonemd_check | auth_zonemd_reject_absence
 ;
 
 rpz_tag: VAR_TAGS STRING_ARG
@@ -562,9 +564,10 @@ rpzstart: VAR_RPZ
 ;
 contents_rpz: contents_rpz content_rpz
 | ;
-content_rpz: auth_name | auth_zonefile | rpz_tag | auth_master | auth_url |
- auth_allow_notify | rpz_action_override | rpz_cname_override |
- rpz_log | rpz_log_name | rpz_signal_nxdomain_ra | auth_for_downstream
+content_rpz: auth_name | auth_zonefile | rpz_tag | auth_master |
+ auth_master_tsig | auth_url | auth_allow_notify |
+ auth_allow_notify_tsig | rpz_action_override | rpz_cname_override |
+ rpz_log | rpz_log_name | rpz_signal_nxdomain_ra | auth_for_downstream
 ;
 server_num_threads: VAR_NUM_THREADS STRING_ARG
 {
@@ -3252,6 +3255,14 @@ auth_master: VAR_MASTER STRING_ARG
 yyerror("out of memory");
 }
 ;
+auth_master_tsig: VAR_MASTER_TSIG STRING_ARG STRING_ARG
+ {
+ OUTYY(("P(master-tsig:%s)\n", $2));
+ if(!cfg_str2list_insert(&cfg_parser->cfg->auths->masters_tsig,
+ $2, $3))
+ yyerror("out of memory");
+ }
+ ;
 auth_url: VAR_URL STRING_ARG
 {
 OUTYY(("P(url:%s)\n", $2));
@@ -3267,6 +3278,14 @@ auth_allow_notify: VAR_ALLOW_NOTIFY STRING_ARG
 yyerror("out of memory");
 }
 ;
+auth_allow_notify_tsig: VAR_ALLOW_NOTIFY_TSIG STRING_ARG STRING_ARG
+ {
+ OUTYY(("P(allow-notify-tsig:%s)\n", $2));
+ if(!cfg_str2list_insert(
+ &cfg_parser->cfg->auths->allow_notify_tsig, $2, $3))
+ yyerror("out of memory");
+ }
+ ;
 auth_zonemd_check: VAR_ZONEMD_CHECK STRING_ARG
 {
 OUTYY(("P(zonemd-check:%s)\n", $2));
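Review bot: Both new parser actions log only the address, `OUTYY(("P(master-tsig:%s)\n", $2))` and `OUTYY(("P(allow-notify-tsig:%s)\n", $2))`, and drop the key name that is what distinguishes these directives from `primary:` and `allow-notify:`; `OUTYY(("P(master-tsig:%s %s)\n", $2, $3));` and the matching change in auth_allow_notify_tsig make the parse trace show which key each address was bound to. The trace label `master-tsig` also differs from the documented directive name `primary-tsig`; that presumably mirrors the existing `auth_master` rule, whose OUTYY is outside the hunk, so it is a consistency question rather than a defect. Whether cfg_str2list_insert takes ownership of `$2` and `$3` on the failure path as well as on success is not visible here; if it does not, the `yyerror("out of memory")` branch leaks both strings, which would match the surrounding rules either way.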