mirror of https://github.com/certbot/certbot.git synced 2026-01-26 07:41:33 +03:00

TSIG SOA query fix (#9408)

* Use the TSIG keyring for the initial SOA request

Helps allow the use of keys in BIND ACLs to help certbot update the correct zone. Previously TSIG was only used for zone updates, rather than for both the authoritative SOA request and zone update.

* Update CHANGELOG.md

* Update AUTHORS.md

* Workaround for mypy failure due to dnspython stubs

As per https://github.com/certbot/certbot/pull/9408#issuecomment-1257868864

Co-authored-by: Alex Zorin <alex@zorin.id.au>
Phil Martin
2022-10-13 22:52:08 +01:00
committed by GitHub
parent e84271b36b
commit 92aaa9703b
3 changed files with 4 additions and 1 deletions

@@ -210,6 +210,7 @@ Authors
* [Peter Conrad](https://github.com/pconrad-fb)
* [Peter Eckersley](https://github.com/pde)
* [Peter Mosmans](https://github.com/PeterMosmans)
* [Phil Martin](https://github.com/frillip)
* [Philippe Langlois](https://github.com/langloisjp)
* [Philipp Spitzer](https://github.com/spitza)
* [Piero Steinger](https://github.com/Jadaw1n)

@@ -216,6 +216,8 @@ class _RFC2136Client:
request = dns.message.make_query(domain, dns.rdatatype.SOA, dns.rdataclass.IN)
# Turn off Recursion Desired bit in query
request.flags ^= dns.flags.RD
# Use our TSIG keyring
request.use_tsig(self.keyring, algorithm=self.algorithm) # type: ignore[attr-defined]
try:
try:
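Review bot: The new `request.use_tsig(self.keyring, algorithm=self.algorithm)` call has no test coverage in this commit. The three changed files are AUTHORS.md, this module and CHANGELOG.md, so nothing asserts that the SOA query is signed. Please add a unit test that checks the query passed to the resolver call carries the keyring and algorithm, so a later refactor cannot silently drop the signing. Two smaller points on the same lines: the comment "Use our TSIG keyring" says what the line does but not why, and a short note that the server may select a view or ACL by key would help the next reader. The `# type: ignore[attr-defined]` should also name its reason (the dnspython stubs issue linked in the commit message) so it can be removed once the stubs are fixed. Finally, since the query is now signed, confirm that the except clauses following the `try:` lines (not visible in this hunk) treat a TSIG rejection from the server as a clear credential error rather than as "no SOA found".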

@@ -10,7 +10,7 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).
### Changed
*
* DNS RFC2136 module now uses the TSIG key to check for an authoritative SOA record. Helps the use of split-horizon and multiple views in BIND9 using the key in an ACL to determine which view to use.
### Fixed
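Review bot: The second sentence of the new "Changed" entry ("Helps the use of split-horizon and multiple views in BIND9 ...") is a fragment and buries the behaviour change operators need to know about, namely that the SOA lookup is now TSIG-signed as well as the update. Suggest wording along the lines of "The RFC2136 plugin now signs the authoritative SOA query with the configured TSIG key, as it already did for updates. This lets BIND9 setups with split-horizon or multiple views use the key in an ACL to select the view." Stating it this way also tells anyone whose server only accepts the key for updates that queries are affected.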