From: Miod Vallat
Date: Mon, 21 Jul 2025 06:27:39 +0000 (+0200)
Subject: Make AXFR-MASTER-TSIG really a single item metadata.
X-Git-Tag: rec-5.4.0-alpha1~290^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8fde2ed1a053700900ff728cc682e3edc5995dd5;p=thirdparty%2Fpdns.git
Make AXFR-MASTER-TSIG really a single item metadata.
In pdnsutil zone show, only list the first item if more than one.
In the API, do not allow setting more than one item.
Fixes: #9015
Signed-off-by: Miod Vallat
---
diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc
index 1f4517c9c7..601b3eb13b 100644
--- a/pdns/pdnsutil.cc
+++ b/pdns/pdnsutil.cc
@@ -2853,7 +2853,10 @@ static bool showZone(DNSSECKeeper& dnsseckeeper, const ZoneName& zone, bool expo
 meta.clear();
 if (B.getDomainMetadata(zone, "AXFR-MASTER-TSIG", meta) && !meta.empty()) {
- cout << "Zone uses following TSIG key(s): " << boost::join(meta, ",") << endl;
+ // Although AXFR-MASTER-TSIG may contain a list of keys, the current
+ // state of DNSSECKeeper::getTSIGForAccess() causes only the first one
+ // to be ever used, so only list the first item here.
+ cout << "Zone uses following TSIG key: " << meta.front() << endl;
 }
 std::map > metamap;
diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index 47ac61eecd..499fa0ba5b 100644
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -439,6 +439,10 @@ static void fillZone(UeberBackend& backend, const ZoneName& zonename, HttpRespon
 Json::array tsig_secondary_keys;
 for (const auto& keyname : tsig_secondary) {
 tsig_secondary_keys.emplace_back(apiNameToId(keyname));
+ // Although AXFR-MASTER-TSIG may contain a list of keys, the current
+ // state of DNSSECKeeper::getTSIGForAccess() causes only the first one
+ // to be ever used, so only return the first item here.
+ break;
 }
 doc["slave_tsig_key_ids"] = tsig_secondary_keys;
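Review bot: The new `cout` line in showZone drops every AXFR-MASTER-TSIG entry after the first from the output without telling the operator that more are stored, so a zone whose metadata still carries a stale second key looks cleanly configured in `zone show` while the extra entry stays invisible. Since the comment above it states that only the first key is ever used, the listing should still surface the ignored entries so they can be cleaned up, e.g. after the new `cout` line: `if (meta.size() > 1) { cout << "Warning: " << (meta.size() - 1) << " additional AXFR-MASTER-TSIG entries are ignored" << endl; }`. showZone continues outside the hunk.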
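Review bot: The `break` added as the last statement of the range-for in fillZone turns the loop into a single-iteration construct, which reads as an accident to anyone who skips the comment above it. The same intent is clearer without a loop: `if (!tsig_secondary.empty()) { tsig_secondary_keys.emplace_back(apiNameToId(tsig_secondary.front())); }`. As in the pdnsutil hunk, the response now hides any further entries stored in the metadata, so an API client doing read-modify-write of `slave_tsig_key_ids` never learns that extra keys exist and, on its next PUT, replaces them without noticing; if that is the intended migration path it deserves a sentence in the API documentation. fillZone continues outside the hunk.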
@@ -948,6 +952,9 @@ static void updateDomainSettingsFromDocument(UeberBackend& backend, DomainInfo&
 if (!document["slave_tsig_key_ids"].is_null()) {
 vector metadata;
 extractJsonTSIGKeyIds(backend, document["slave_tsig_key_ids"], metadata);
+ if (metadata.size() > 1) {
+ throw ApiException("Only one TSIG secondary key is currently allowed");
+ }
 if (!domainInfo.backend->setDomainMetadata(zonename, "AXFR-MASTER-TSIG", metadata)) {
 throw HttpInternalServerErrorException("Unable to set new TSIG secondary keys for zone '" + zonename.toString() + "'");
 }
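Review bot: The new size check runs only after extractJsonTSIGKeyIds has resolved every supplied id against the backend, so an oversized list is looked up in full before being rejected; checking the JSON array length before that call (`if (document["slave_tsig_key_ids"].array_items().size() > 1) { throw ApiException("Only one TSIG secondary key is currently allowed"); }`, assuming the value has already been validated as an array) rejects it without touching the backend. More importantly, this guard covers only the REST API path: if other writers of AXFR-MASTER-TSIG, such as the pdnsutil metadata commands or a backend populated directly, still accept several values, the metadata is not single-item in practice and `zone show` and the API will keep disagreeing with the stored state; enforcing the limit at the point where this key is written would make the behaviour consistent. updateDomainSettingsFromDocument continues outside the hunk.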