From e679b4ca18df1f17fb177b49f0426fb8f70c2a9f Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Tue, 14 Jun 2022 14:00:25 +0200
Subject: Merging upstream version 20220614.
Signed-off-by: Daniel Baumann
---
dehydrated/bin/dehydrated-nsupdate | 44 +++++++++++++++++++++++++++++++-------
1 file changed, 36 insertions(+), 8 deletions(-)
(limited to 'dehydrated/bin')
diff --git a/dehydrated/bin/dehydrated-nsupdate b/dehydrated/bin/dehydrated-nsupdate
index 96c95eb..05027ab 100755
--- a/dehydrated/bin/dehydrated-nsupdate
+++ b/dehydrated/bin/dehydrated-nsupdate
@@ -109,12 +109,12 @@ NAMESERVERS_IPV4=""
for NAMESERVER in ${NAMESERVERS}
do
- if [ -n "$(${DIG} +nocomments +noquestion +short AAAA ${NAMESERVER})" ]
+ if [ -n "$(${DIG} +nocomments +noquestion +short AAAA "${NAMESERVER}")" ]
then
NAMESERVERS_IPV6="${NAMESERVERS_IPV6} ${NAMESERVER}"
fi
- if [ -n "$(${DIG} +nocomments +noquestion +short A ${NAMESERVER})" ]
+ if [ -n "$(${DIG} +nocomments +noquestion +short A "${NAMESERVER}")" ]
then
NAMESERVERS_IPV4="${NAMESERVERS_IPV4} ${NAMESERVER}"
fi
@@ -133,16 +133,44 @@ then
NAMESERVERS="${NAMESERVERS} ${NAMESERVERS_IPV4}"
fi
-NAMESERVERS="$(echo ${NAMESERVERS} | sed -e 's| |\n|g' | sort -u -V)"
+NAMESERVERS="$(echo "${NAMESERVERS}" | sed -e 's| |\n|g' | sort -u -V)"
# update nameservers
-if [ -n "${TSIG_KEYFILE}" ] && [ -e "${TSIG_KEYFILE}" ]
-then
- NSUPDATE_OPTIONS="-k ${TSIG_KEYFILE}"
-fi
-
for NAMESERVER in ${NAMESERVERS}
do
+ if [ -e "/etc/dehydrated/tsig/$(basename "${TXT_RECORD}" .).key" ]
+ then
+ # specific key per record
+ KEY="/etc/dehydrated/tsig/$(basename "${TXT_RECORD}" .).key"
+ elif [ -e "/etc/dehydrated/tsig/$(basename "${ZONE}" .).key" ]
+ then
+ # specific key per zone
+ KEY="/etc/dehydrated/tsig/$(basename "${ZONE}" .).key"
+ elif [ -e "/etc/dehydrated/tsig/$(basename "${NAMESERVER}" .).key" ]
+ then
+ # specific key per nameserver
+ KEY="/etc/dehydrated/tsig/$(basename "${NAMESERVER}" .).key"
+ elif [ -e "/etc/dehydrated/tsig.key" ]
+ then
+ # global key (filesystem)
+ KEY="/etc/dehydrated/tsig.key"
+ elif [ -n "${TSIG_KEYFILE}" ] && [ -e "${TSIG_KEYFILE}" ]
+ then
+ # global key (conffile)
+ KEY="${TSIG_KEYFILE}"
+ else
+ # no key
+ KEY=""
+ fi
+
+ # ignoring comments to allow empty keyfiles to disable TSIG individually
+ TSIG="$(grep -sv '^#' "${KEY}" || true)"
+
+ if [ -n "${KEY}" ] && [ -n "${TSIG}" ]
+ then
+ NSUPDATE_OPTIONS="-k ${KEY}"
+ fi
+
echo -n " + sending '${HOOK_ACTION}' for ${TXT_RECORD} to ${NAMESERVER}..."
# shellcheck disable=SC2086
--
cgit v1.2.3
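Review bot: `NSUPDATE_OPTIONS` is assigned only inside the new `if [ -n "${KEY}" ] && [ -n "${TSIG}" ]` branch and is never cleared, so once one pass of the `for NAMESERVER` loop has picked a key, a later nameserver that resolves to no key, or to a comment-only keyfile meant to disable TSIG, still inherits the previous `-k` option. That defeats the per-nameserver opt-out described in the `# ignoring comments ...` line and can sign an update with a key intended for a different server. Adding an `else` branch with `NSUPDATE_OPTIONS=""` before that block's closing `fi` would fix it, assuming nothing outside the hunk stores other options in that variable. The loop body continues past the end of the hunk, so the command that consumes `NSUPDATE_OPTIONS` is not visible here. The lookup order also deserves a comment above the chain, since `/etc/dehydrated/tsig.key` now silently takes precedence over `TSIG_KEYFILE` from the config file.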