From edd82b2ce275d513fb2799b90ec464f434880e87 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 21 Feb 2014 00:09:28 +1100
Subject: [PATCH] 3753.   [bug]           allow-notify was ignoring keys. [RT
 #35425]

---
 CHANGES        | 2 ++
 lib/dns/zone.c | 6 +++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 9c06ffde80..f14e0cefc0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+3753.	[bug]		allow-notify was ignoring keys. [RT #35425]
+
 3752.	[bug]		Address potential REQUIRE failure if
 			DNS_STYLEFLAG_COMMENTDATA is set when printing out
 			a rdataset.
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index b45cd87c4c..88f359cfa1 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -12325,6 +12325,8 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
 	isc_sockaddr_t local, remote;
 	isc_uint32_t serial = 0;
 	isc_boolean_t have_serial = ISC_FALSE;
+	dns_tsigkey_t *tsigkey;
+	dns_name_t *tsig;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 
@@ -12410,8 +12412,10 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
 	 * Accept notify requests from non masters if they are on
 	 * 'zone->notify_acl'.
 	 */
+	tsigkey = dns_message_gettsigkey(msg);
+	tsig = dns_tsigkey_identity(tsigkey);
 	if (i >= zone->masterscnt && zone->notify_acl != NULL &&
-	    dns_acl_match(&netaddr, NULL, zone->notify_acl,
+	    dns_acl_match(&netaddr, tsig, zone->notify_acl,
 			  &zone->view->aclenv,
 			  &match, NULL) == ISC_R_SUCCESS &&
 	    match > 0)