[master] further restrict update-policy local

4762.	[func]		"update-policy local" is now restricted to updates
			from local addresses. (Previously, other addresses
			were allowed so long as updates were signed by the
			local session key.) [RT #45492]

CHANGES

+4762.	[func]		"update-policy local" is now restricted to updates
+			from local addresses. (Previously, other addresses
+			were allowed so long as updates were signed by the
+			local session key.) [RT #45492]
+
 4761.	[protocol]	Add support for DOA. [RT #45612]
 4760.	[func]		Add glue cache statistics counters. [RT #46028]

bin/named/main.c

@@ -127,6 +127,7 @@ static isc_boolean_t noaa = ISC_FALSE;
 static unsigned int delay = 0;
 static isc_boolean_t nonearest = ISC_FALSE;
 static isc_boolean_t notcp = ISC_FALSE;
+static isc_boolean_t fixedlocal = ISC_FALSE;
 
 /*
  * -4 and -6
@@ -626,14 +627,21 @@ parse_command_line(int argc, char *argv[]) {
 			} else if (!strcmp(isc_commandline_argument, "notcp"))
 				notcp = ISC_TRUE;
 			else if (!strncmp(isc_commandline_argument, "tat=", 4))
+			{
 				named_g_tat_interval =
 					   atoi(isc_commandline_argument + 4);
-			else if (!strcmp(isc_commandline_argument,
+			} else if (!strcmp(isc_commandline_argument,
 					 "keepstderr"))
+			{
 				named_g_keepstderr = ISC_TRUE;
-			else
+			} else if (!strcmp(isc_commandline_argument,
+					   "fixedlocal"))
+			{
+				fixedlocal = ISC_TRUE;
+			} else {
 				fprintf(stderr, "unknown -T flag '%s\n",
 					isc_commandline_argument);
+			}
 			break;
 		case 'U':
 			named_g_udpdisp = parse_int(isc_commandline_argument,
@@ -1193,6 +1201,8 @@ setup(void) {
 		ns_server_setoption(sctx, NS_SERVER_NONEAREST, ISC_TRUE);
 	if (notcp)
 		ns_server_setoption(sctx, NS_SERVER_NOTCP, ISC_TRUE);
+	if (fixedlocal)
+		ns_server_setoption(sctx, NS_SERVER_FIXEDLOCAL, ISC_TRUE);
 	if (disable4)
 		ns_server_setoption(sctx, NS_SERVER_DISABLE4, ISC_TRUE);
 	if (disable6)

bin/named/zoneconf.c

@@ -218,7 +218,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
 		const char *str;
 		isc_boolean_t grant = ISC_FALSE;
 		isc_boolean_t usezone = ISC_FALSE;
-		unsigned int mtype = DNS_SSUMATCHTYPE_NAME;
+		unsigned int mtype = dns_ssumatchtype_name;
 		dns_fixedname_t fname, fident;
 		isc_buffer_t b;
 		dns_rdatatype_t *types;
@@ -234,34 +234,34 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
 
 		str = cfg_obj_asstring(matchtype);
 		if (strcasecmp(str, "name") == 0)
-			mtype = DNS_SSUMATCHTYPE_NAME;
+			mtype = dns_ssumatchtype_name;
 		else if (strcasecmp(str, "subdomain") == 0)
-			mtype = DNS_SSUMATCHTYPE_SUBDOMAIN;
+			mtype = dns_ssumatchtype_subdomain;
 		else if (strcasecmp(str, "wildcard") == 0)
-			mtype = DNS_SSUMATCHTYPE_WILDCARD;
+			mtype = dns_ssumatchtype_wildcard;
 		else if (strcasecmp(str, "self") == 0)
-			mtype = DNS_SSUMATCHTYPE_SELF;
+			mtype = dns_ssumatchtype_self;
 		else if (strcasecmp(str, "selfsub") == 0)
-			mtype = DNS_SSUMATCHTYPE_SELFSUB;
+			mtype = dns_ssumatchtype_selfsub;
 		else if (strcasecmp(str, "selfwild") == 0)
-			mtype = DNS_SSUMATCHTYPE_SELFWILD;
+			mtype = dns_ssumatchtype_selfwild;
 		else if (strcasecmp(str, "ms-self") == 0)
-			mtype = DNS_SSUMATCHTYPE_SELFMS;
+			mtype = dns_ssumatchtype_selfms;
 		else if (strcasecmp(str, "krb5-self") == 0)
-			mtype = DNS_SSUMATCHTYPE_SELFKRB5;
+			mtype = dns_ssumatchtype_selfkrb5;
 		else if (strcasecmp(str, "ms-subdomain") == 0)
-			mtype = DNS_SSUMATCHTYPE_SUBDOMAINMS;
+			mtype = dns_ssumatchtype_subdomainms;
 		else if (strcasecmp(str, "krb5-subdomain") == 0)
-			mtype = DNS_SSUMATCHTYPE_SUBDOMAINKRB5;
+			mtype = dns_ssumatchtype_subdomainkrb5;
 		else if (strcasecmp(str, "tcp-self") == 0)
-			mtype = DNS_SSUMATCHTYPE_TCPSELF;
+			mtype = dns_ssumatchtype_tcpself;
 		else if (strcasecmp(str, "6to4-self") == 0)
-			mtype = DNS_SSUMATCHTYPE_6TO4SELF;
+			mtype = dns_ssumatchtype_6to4self;
 		else if (strcasecmp(str, "zonesub") == 0) {
-			mtype = DNS_SSUMATCHTYPE_SUBDOMAIN;
+			mtype = dns_ssumatchtype_subdomain;
 			usezone = ISC_TRUE;
 		} else if (strcasecmp(str, "external") == 0)
-			mtype = DNS_SSUMATCHTYPE_EXTERNAL;
+			mtype = dns_ssumatchtype_external;
 		else
 			INSIST(0);
 
@@ -373,7 +373,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
 
 		result = dns_ssutable_addrule(table, ISC_TRUE,
 					      named_g_server->session_keyname,
-					      DNS_SSUMATCHTYPE_SUBDOMAIN,
+					      dns_ssumatchtype_local,
 					      dns_zone_getorigin(zone),
 					      1, &any);
 

bin/tests/system/nsupdate/clean.sh

@@ -11,12 +11,12 @@
 #
 
 rm -f */named.memstats
-rm -f */named.run
+rm -f */named.run */ans.run
 rm -f Kxxx.*
 rm -f dig.out.*
 rm -f jp.out.ns3.*
 rm -f ns*/named.lock
-rm -f ns1/*.jnl ns2/*.jnl ns3/*.jnl
+rm -f */*.jnl
 rm -f ns1/example.db ns1/unixtime.db ns1/yyyymmddvv.db ns1/update.db ns1/other.db ns1/keytests.db
 rm -f ns1/many.test.db
 rm -f ns1/maxjournal.db
@@ -33,6 +33,7 @@ rm -f ns3/example.db
 rm -f ns3/many.test.bk
 rm -f ns3/nsec3param.test.db
 rm -f ns3/too-big.test.db
+rm -f ns5/local.db
 rm -f nsupdate.out*
 rm -f typelist.out.*
 rm -f ns1/sample.db

bin/tests/system/nsupdate/ns5/local.db.in

+; Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+local.nil		IN SOA	ns5.local.nil. hostmaster.local.nil. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+local.nil.		NS	ns5.local.nil.
+ns5.local.nil.		A	10.53.0.5
+
+$ORIGIN local.nil.
+a			A	10.10.10.10

bin/tests/system/nsupdate/ns5/named.args

+-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -U 4 -T fixedlocal

bin/tests/system/nsupdate/ns5/named.conf

+/*
+ * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.5;
+	notify-source 10.53.0.5;
+	transfer-source 10.53.0.5;
+	port 5300;
+	pid-file "named.pid";
+	session-keyfile "session.key";
+	listen-on { 10.53.0.5; };
+	recursion no;
+	notify yes;
+	minimal-responses no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; };
+};
+
+zone "local.nil" {
+	type master;
+	file "local.db";
+	update-policy local;
+};

bin/tests/system/nsupdate/setup.sh

@@ -64,3 +64,5 @@ cp ns2/sample.db.in ns2/sample.db
 
 cp -f ns1/maxjournal.db.in ns1/maxjournal.db
 rm -f ns1/maxjournal.db.jnl
+
+cp -f ns5/local.db.in ns5/local.db

bin/tests/system/nsupdate/tests.sh

@@ -464,6 +464,44 @@ then
 echo "I:failed"; status=1
 fi
 
+n=`expr $n + 1`
+ret=0
+echo "I:check that 'update-policy local' works from localhost address ($n)"
+$NSUPDATE -p 5300 -k ns5/session.key > nsupdate.out.$n 2>&1 << END || ret=1
+server 10.53.0.5 5300
+local 127.0.0.1 5300
+update add fromlocal.local.nil. 600 A 1.2.3.4
+send
+END
+grep REFUSED nsupdate.out.$n > /dev/null 2>&1 && ret=1
+$DIG @10.53.0.5 -p 5300 \
+        +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+        fromlocal.local.nil. > dig.out.ns5.$n || ret=1
+grep fromlocal dig.out.ns5.$n > /dev/null 2>&1 || ret=1
+if test $ret -ne 0
+then
+echo "I:failed"; status=1
+fi
+
+n=`expr $n + 1`
+ret=0
+echo "I:check that 'update-policy local' fails from non-localhost address ($n)"
+$NSUPDATE -p 5300 -k ns5/session.key > nsupdate.out.$n 2>&1 << END && ret=1
+server 10.53.0.5 5300
+local 10.53.0.1 5300
+update add nonlocal.local.nil. 600 A 4.3.2.1
+send
+END
+grep REFUSED nsupdate.out.$n > /dev/null 2>&1 || ret=1
+$DIG @10.53.0.5 -p 5300 \
+        +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
+        nonlocal.local.nil. > dig.out.ns5.$n || ret=1
+grep nonlocal dig.out.ns5.$n > /dev/null 2>&1 && ret=1
+if test $ret -ne 0
+then
+echo "I:failed"; status=1
+fi
+
 n=`expr $n + 1`
 ret=0
 echo "I:check that changes to the DNSKEY RRset TTL do not have side effects ($n)"

doc/arm/Bv9ARM-book.xml

@@ -13016,38 +13016,52 @@ example.com. NS ns2.example.net.
 	      is present, it is a configuration error for the
 	      <command>allow-update</command> statement to be
 	      present.  The <command>update-policy</command> statement
-	      only examines the signer of a message; the source
+	      (except when set to <literal>local</literal>) only
+	      examines the signer of a message; the source
 	      address is not relevant.
 	    </para>
 	    <para>
-	      There is a pre-defined <command>update-policy</command>
-	      rule which can be switched on with the command
+	      A pre-defined <command>update-policy</command> rule can be
+	      switched on with the command
 	      <command>update-policy local;</command>.
 	      Switching on this rule in a zone causes
-	      <command>named</command> to generate a TSIG session
-	      key and place it in a file, and to allow that key
-	      to update the zone.  (By default, the file is
-	      <filename>/var/run/named/session.key</filename>, the key
-	      name is "local-ddns" and the key algorithm is HMAC-SHA256,
-	      but these values are configurable with the
+	      <command>named</command> to generate a TSIG session key and
+	      place it in a file. That key will then be allowed to update
+	      the zone, if the update request is sent from localhost.
+	      By default, the session key is stored in the file
+	      <filename>/var/run/named/session.key</filename>; the key name
+	      is "local-ddns" and the key algorithm is HMAC-SHA256.
+	      These values are configurable with the
 	      <command>session-keyfile</command>,
 	      <command>session-keyname</command> and
 	      <command>session-keyalg</command> options, respectively).
 	    </para>
 	    <para>
-	      A client running on the local system, and with appropriate
-	      permissions, may read that file and use the key to sign update
-	      requests.  The zone's update policy will be set to allow that
-	      key to change any record within the zone.  Assuming the
-	      key name is "local-ddns", this policy is equivalent to:
+	      A client on the local system, if it is run with appropriate
+	      permissions, may read the session key from the key file and
+	      use the key to sign update requests.  The zone's update
+	      policy will be set to allow that key to change any record
+	      within the zone.  Assuming the key name is "local-ddns",
+	      this policy is:
 	    </para>
 	    <programlisting>update-policy { grant local-ddns zonesub any; };
 	    </programlisting>
 	    <para>
-	      The command <command>nsupdate -l</command> sends update
-	      requests to localhost, and signs them using the session key.
+	      ...with an additional restriction that only clients
+	      connecting from the local system will be permitted to send
+	      updates.
+	    </para>
+	    <para>
+	      Note that only one session key is generated; all zones
+	      configured to use <command>update-policy local</command>
+	      will accept the same key.
+	    </para>
+	    <para>
+	      The command <command>nsupdate -l</command> implements this
+	      feature, sending requests to localhost and signing them using
+	      the key retrieved from the session key file.
 	    </para>
 	    <para>

doc/arm/notes.xml

@@ -471,6 +471,15 @@
 	  anchor is now a fatal configuration error. [RT #46155]
 	</para>
       </listitem>
+      <listitem>
+	<para>
+	  Previously, <command>update-policy local;</command> accepted
+	  updates from any source so long as they were signed by the
+	  locally-generated session key. This has been further restricted;
+	  updates are now only accepted from locally configured addresses.
+	  [RT #45492]
+	</para>
+      </listitem>
       <listitem>
 	<para>
 	  The lightweight resolver daemon and library (<command>lwresd</command>

lib/dns/include/dns/ssu.h

@@ -6,8 +6,6 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
 
-/* $Id: ssu.h,v 1.28 2011/01/06 23:47:00 tbox Exp $ */
-
 #ifndef DNS_SSU_H
 #define DNS_SSU_H 1
 
@@ -15,26 +13,31 @@
 
 #include <isc/lang.h>
 
+#include <dns/acl.h>
 #include <dns/types.h>
 #include <dst/dst.h>
 
 ISC_LANG_BEGINDECLS
 
-#define DNS_SSUMATCHTYPE_NAME		0
-#define DNS_SSUMATCHTYPE_SUBDOMAIN	1
-#define DNS_SSUMATCHTYPE_WILDCARD	2
-#define DNS_SSUMATCHTYPE_SELF		3
-#define DNS_SSUMATCHTYPE_SELFSUB	4
-#define DNS_SSUMATCHTYPE_SELFWILD	5
-#define DNS_SSUMATCHTYPE_SELFKRB5	6
-#define DNS_SSUMATCHTYPE_SELFMS		7
-#define DNS_SSUMATCHTYPE_SUBDOMAINMS	8
-#define DNS_SSUMATCHTYPE_SUBDOMAINKRB5	9
-#define DNS_SSUMATCHTYPE_TCPSELF	10
-#define DNS_SSUMATCHTYPE_6TO4SELF	11
-#define DNS_SSUMATCHTYPE_EXTERNAL	12
-#define DNS_SSUMATCHTYPE_DLZ		13
-#define DNS_SSUMATCHTYPE_MAX 		12  /* max value */
+typedef enum {
+	dns_ssumatchtype_name = 0,
+	dns_ssumatchtype_subdomain = 1,
+	dns_ssumatchtype_wildcard = 2,
+	dns_ssumatchtype_self	 = 3,
+	dns_ssumatchtype_selfsub = 4,
+	dns_ssumatchtype_selfwild = 5,
+	dns_ssumatchtype_selfkrb5 = 6,
+	dns_ssumatchtype_selfms	 = 7,
+	dns_ssumatchtype_subdomainms = 8,
+	dns_ssumatchtype_subdomainkrb5 = 9,
+	dns_ssumatchtype_tcpself = 10,
+	dns_ssumatchtype_6to4self = 11,
+	dns_ssumatchtype_external = 12,
+	dns_ssumatchtype_local = 13,
+	dns_ssumatchtype_max = 13,	/* max value */
+
+	dns_ssumatchtype_dlz = 14	/* intentionally higher than _max */
+} dns_ssumatchtype_t;
 
 isc_result_t
 dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table);
@@ -56,7 +59,7 @@ dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep,
 		       dns_dlzdb_t *dlzdatabase);
 /*%<
  * Create an SSU table that contains a dlzdatabase pointer, and a
- * single rule with matchtype DNS_SSUMATCHTYPE_DLZ. This type of SSU
+ * single rule with matchtype dns_ssumatchtype_dlz. This type of SSU
  * table is used by writeable DLZ drivers to offload authorization for
  * updates to the driver.
  */
@@ -90,7 +93,7 @@ dns_ssutable_detach(dns_ssutable_t **tablep);
 
 isc_result_t
 dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
-		     const dns_name_t *identity, unsigned int matchtype,
+		     const dns_name_t *identity, dns_ssumatchtype_t matchtype,
 		     const dns_name_t *name, unsigned int ntypes,
 		     dns_rdatatype_t *types);
 /*%<
@@ -123,7 +126,12 @@ dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
 
 isc_boolean_t
 dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
-			const dns_name_t *name, const isc_netaddr_t *tcpaddr,
+			const dns_name_t *name, const isc_netaddr_t *addr,
+			dns_rdatatype_t type, const dst_key_t *key);
+isc_boolean_t
+dns_ssutable_checkrules2(dns_ssutable_t *table, const dns_name_t *signer,
+			const dns_name_t *name, const isc_netaddr_t *addr,
+			isc_boolean_t tcp, const dns_aclenv_t *env,
 			dns_rdatatype_t type, const dst_key_t *key);
 /*%<
  *	Checks that the attempted update of (name, type) is allowed according
@@ -131,18 +139,26 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
  *	no rules are matched, access is denied.
  *
  *	Notes:
- *		'tcpaddr' should only be set if the request received
- *		via TCP.  This provides a weak assurance that the
- *		request was not spoofed.  'tcpaddr' is to to validate
- *		DNS_SSUMATCHTYPE_TCPSELF and DNS_SSUMATCHTYPE_6TO4SELF
- *		rules.
- *
- *		For DNS_SSUMATCHTYPE_TCPSELF the addresses are mapped to
+ *		In dns_ssutable_checkrules(), 'addr' should only be
+ *		set if the request received via TCP.  This provides a
+ *		weak assurance that the request was not spoofed.
+ *		'addr' is to to validate dns_ssumatchtype_tcpself
+ *		and dns_ssumatchtype_6to4self rules.
+ *
+ *		In dns_ssutable_checkrules2(), 'addr' can also be passed for
+ *		UDP requests and TCP is specified via the 'tcp' parameter.
+ *		In addition to dns_ssumatchtype_tcpself and
+ *		tcp_ssumatchtype_6to4self  rules, the address
+ *		also be used to check dns_ssumatchtype_local rules.
+ *		If 'addr' is set then 'env' must also be set so that
+ *		requests from non-localhost addresses can be rejected.
+ *
+ *		For dns_ssumatchtype_tcpself the addresses are mapped to
  *		the standard reverse names under IN-ADDR.ARPA and IP6.ARPA.
  *		RFC 1035, Section 3.5, "IN-ADDR.ARPA domain" and RFC 3596,
  *		Section 2.5, "IP6.ARPA Domain".
  *
- *		For DNS_SSUMATCHTYPE_6TO4SELF, IPv4 address are converted
+ *		For dns_ssumatchtype_6to4self, IPv4 address are converted
  *		to a 6to4 prefix (48 bits) per the rules in RFC 3056.  Only
  *		the top	48 bits of the IPv6 address are mapped to the reverse
  *		name. This is independent of whether the most significant 16
@@ -151,8 +167,10 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
  *	Requires:
  *\li		'table' is a valid SSU table
  *\li		'signer' is NULL or a valid absolute name
- *\li		'tcpaddr' is NULL or a valid network address.
+ *\li		'addr' is NULL or a valid network address.
+ *\li		'aclenv' is NULL or a valid ACL environment.
  *\li		'name' is a valid absolute name
+ *\li		if 'addr' is not NULL, 'env' is not NULL.
  */
 
 

lib/dns/ssu.c

@@ -37,13 +37,14 @@
 
 struct dns_ssurule {
 	unsigned int magic;
-	isc_boolean_t grant;	/*%< is this a grant or a deny? */
-	unsigned int matchtype;	/*%< which type of pattern match? */
-	dns_name_t *identity;	/*%< the identity to match */
-	dns_name_t *name;	/*%< the name being updated */
-	unsigned int ntypes;	/*%< number of data types covered */
-	dns_rdatatype_t *types;	/*%< the data types.  Can include ANY, */
-				/*%< defaults to all but SIG,SOA,NS if NULL */
+	isc_boolean_t grant;		/*%< is this a grant or a deny? */
+	dns_ssumatchtype_t matchtype;	/*%< which type of pattern match? */
+	dns_name_t *identity;		/*%< the identity to match */
+	dns_name_t *name;		/*%< the name being updated */
+	unsigned int ntypes;		/*%< number of data types covered */
+	dns_rdatatype_t *types;		/*%< the data types.  Can include */
+					/*   ANY. if NULL, defaults to all */
+					/*   types except SIG, SOA, and NS */
 	ISC_LINK(dns_ssurule_t) link;
 };
 
@@ -150,7 +151,7 @@ dns_ssutable_detach(dns_ssutable_t **tablep) {
 
 isc_result_t
 dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
-		     const dns_name_t *identity, unsigned int matchtype,
+		     const dns_name_t *identity, dns_ssumatchtype_t matchtype,
 		     const dns_name_t *name, unsigned int ntypes,
 		     dns_rdatatype_t *types)
 {
@@ -161,8 +162,8 @@ dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
 	REQUIRE(VALID_SSUTABLE(table));
 	REQUIRE(dns_name_isabsolute(identity));
 	REQUIRE(dns_name_isabsolute(name));
-	REQUIRE(matchtype <= DNS_SSUMATCHTYPE_MAX);
-	if (matchtype == DNS_SSUMATCHTYPE_WILDCARD)
+	REQUIRE(matchtype <= dns_ssumatchtype_max);
+	if (matchtype == dns_ssumatchtype_wildcard)
 		REQUIRE(dns_name_iswildcard(name));
 	if (ntypes > 0)
 		REQUIRE(types != NULL);
@@ -341,6 +342,17 @@ isc_boolean_t
 dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
 			const dns_name_t *name, const isc_netaddr_t *tcpaddr,
 			dns_rdatatype_t type, const dst_key_t *key)
+{
+	return (dns_ssutable_checkrules2
+		(table, signer, name, tcpaddr,
+		 tcpaddr == NULL ? ISC_FALSE : ISC_TRUE,
+		 NULL, type, key));
+}
+isc_boolean_t
+dns_ssutable_checkrules2(dns_ssutable_t *table, const dns_name_t *signer,
+			 const dns_name_t *name, const isc_netaddr_t *addr,
+			 isc_boolean_t tcp, const dns_aclenv_t *env,
+			 dns_rdatatype_t type, const dst_key_t *key)
 {
 	dns_ssurule_t *rule;
 	unsigned int i;
@@ -349,12 +361,14 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
 	dns_name_t *tcpself;
 	dns_name_t *stfself;
 	isc_result_t result;
+	int match;
 
 	REQUIRE(VALID_SSUTABLE(table));
 	REQUIRE(signer == NULL || dns_name_isabsolute(signer));
 	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(addr == NULL || env != NULL);
 
-	if (signer == NULL && tcpaddr == NULL)
+	if (signer == NULL && addr == NULL)
 		return (ISC_FALSE);
 
 	for (rule = ISC_LIST_HEAD(table->rules);
@@ -362,12 +376,13 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
 	     rule = ISC_LIST_NEXT(rule, link))
 	{
 		switch (rule->matchtype) {
-		case DNS_SSUMATCHTYPE_NAME:
-		case DNS_SSUMATCHTYPE_SUBDOMAIN:
-		case DNS_SSUMATCHTYPE_WILDCARD:
-		case DNS_SSUMATCHTYPE_SELF:
-		case DNS_SSUMATCHTYPE_SELFSUB:
-		case DNS_SSUMATCHTYPE_SELFWILD:
+		case dns_ssumatchtype_name:
+		case dns_ssumatchtype_local:
+		case dns_ssumatchtype_subdomain:
+		case dns_ssumatchtype_wildcard:
+		case dns_ssumatchtype_self:
+		case dns_ssumatchtype_selfsub:
+		case dns_ssumatchtype_selfwild:
 			if (signer == NULL)
 				continue;
 			if (dns_name_iswildcard(rule->identity)) {
@@ -379,42 +394,59 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
 					continue;
 			}
 			break;
-		case DNS_SSUMATCHTYPE_SELFKRB5:
-		case DNS_SSUMATCHTYPE_SELFMS:
-		case DNS_SSUMATCHTYPE_SUBDOMAINKRB5:
-		case DNS_SSUMATCHTYPE_SUBDOMAINMS:
+		case dns_ssumatchtype_selfkrb5:
+		case dns_ssumatchtype_selfms:
+		case dns_ssumatchtype_subdomainkrb5:
+		case dns_ssumatchtype_subdomainms:
 			if (signer == NULL)
 				continue;
 			break;
-		case DNS_SSUMATCHTYPE_TCPSELF:
-		case DNS_SSUMATCHTYPE_6TO4SELF:
-			if (tcpaddr == NULL)
+		case dns_ssumatchtype_tcpself:
+		case dns_ssumatchtype_6to4self:
+			if (!tcp || addr == NULL)
 				continue;
 			break;
+		case dns_ssumatchtype_external:
+		case dns_ssumatchtype_dlz:
+			break;
 		}
 
 		switch (rule->matchtype) {
-		case DNS_SSUMATCHTYPE_NAME:
+		case dns_ssumatchtype_name:
 			if (!dns_name_equal(name, rule->name))
 				continue;
 			break;
-		case DNS_SSUMATCHTYPE_SUBDOMAIN:
+		case dns_ssumatchtype_subdomain:
 			if (!dns_name_issubdomain(name, rule->name))
 				continue;
 			break;
-		case DNS_SSUMATCHTYPE_WILDCARD:
+		case dns_ssumatchtype_local:
+			if (addr == NULL) {
+				continue;
+			}
+			if (!dns_name_issubdomain(name, rule->name)) {
+
+				continue;
+			}
+			dns_acl_match(addr, NULL, env->localhost,
+				      NULL, &match, NULL);
+			if (match == 0) {
+				continue;
+			}
+			break;
+		case dns_ssumatchtype_wildcard:
 			if (!dns_name_matcheswildcard(name, rule->name))
 				continue;