::arg().setSwitch("dnsupdate","Enable/Disable DNS update (RFC2136) support. Default is no.")="no";
::arg().setSwitch("write-pid","Write a PID file")="yes";
::arg().set("allow-dnsupdate-from","A global setting to allow DNS updates from these IP ranges.")="127.0.0.0/8,::1";
+ ::arg().set("allow-insecure-notify","Allow unsigned notifications for TSIG secured domains")="yes"; //FIXME: change to 'no' later
::arg().setSwitch("forward-dnsupdate","A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master.")="yes";
::arg().setSwitch("log-dns-details","If PDNS should log DNS non-erroneous details")="no";
::arg().setSwitch("log-dns-queries","If PDNS should log all incoming DNS queries")="no";
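Review bot: `allow-insecure-notify` is registered with `set`, although the NOTIFY handler reads it as a boolean through `mustDo` and the neighbouring on/off options use `setSwitch`; registering it as `::arg().setSwitch("allow-insecure-notify", ...)="yes";` would keep it consistent. With the default of `yes`, a zone that carries AXFR-MASTER-TSIG metadata still accepts unsigned NOTIFYs until the operator opts out. The `//FIXME` comment is the only record of the plan to flip that default. The help text should tell operators this, for example `"Allow unsigned notifications for TSIG secured domains (set to 'no' to require a TSIG signature)"`.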
meta.clear();
if (B.getDomainMetadata(p->qdomain,"AXFR-MASTER-TSIG",meta) && meta.size() > 0) {
- if (!p->d_havetsig || meta[0] != p->getTSIGKeyname().toStringNoDot()) {
+ if (!p->d_havetsig) {
+ if (::arg().mustDo("allow-insecure-notify")) {
+ L<<Logger::Warning<<"Received unsigned NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<": permitting because allow-insecure-notify is turned on."<<endl;
+ } else {
+ L<<Logger::Warning<<"Received unsigned NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<": refused because allow-insecure-notify is turned off."<<endl;
+ }
+ } else if (meta[0] != p->getTSIGKeyname().toStringNoDot()) {
L<<Logger::Error<<"Received NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<": expected TSIG key '"<<meta[0]<<", got '"<<p->getTSIGKeyname()<<"'"<<endl;
return RCode::Refused;
}
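Review bot: The `else` branch that logs `refused because allow-insecure-notify is turned off` only writes the log line and then leaves the `if (!p->d_havetsig)` block, so as far as this hunk shows an unsigned NOTIFY is not rejected when the setting is off. Add `return RCode::Refused;` directly after that log statement, mirroring the key-mismatch branch below it. The refused case also logs at `Logger::Warning` while the mismatch logs at `Logger::Error`; using `Logger::Error` for both rejections would put refused packets at a single level for alerting. The enclosing `if (B.getDomainMetadata(...))` block continues past the end of the hunk, so what happens after the fall-through cannot be confirmed from here.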