::arg().set("launch","Which backends to launch and order to query them in")="";
::arg().setSwitch("disable-axfr","Disable zonetransfers but do allow TCP queries")="no";
::arg().set("allow-axfr-ips","Allow zonetransfers only to these subnets")="0.0.0.0/0,::/0";
+ ::arg().set("only-notify", "Only send AXFR NOTIFY to these IP addresses or netmasks")="0.0.0.0/0,::/0";
::arg().set("slave-cycle-interval","Reschedule failed SOA serial checks once every .. seconds")="60";
::arg().set("tcp-control-address","If set, PowerDNS can be controlled over TCP on this address")="";
for(int n=0; n < ::arg().asNum("retrieval-threads"); ++n)
pthread_create(&tid, 0, &retrieveLaunchhelper, this); // Starts CommunicatorClass::retrievalLoopThread()
- d_preventSelfNotification =::arg().mustDo("prevent-self-notification");
+ d_preventSelfNotification = ::arg().mustDo("prevent-self-notification");
+ d_onlyNotify.toMasks(::arg()["only-notify"]);
}
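Review bot: `d_onlyNotify.toMasks(::arg()["only-notify"]);` on the line before the closing brace parses the new setting with no handling of a malformed entry; toMasks is defined outside this hunk, but if it throws on a bad netmask the constructor aborts startup with a message that never mentions `only-notify`, leaving the operator to guess which setting is wrong. I would wrap the call so the failure names the setting and its raw value, rethrowing with a message such as `"Unable to parse only-notify '" + ::arg()["only-notify"] + "'"`, or at minimum add the comment `// parsed at startup; an unparseable only-notify value is fatal here` so the fail-closed behaviour is intentional rather than accidental. The default `0.0.0.0/0,::/0` added on the `::arg().set("only-notify", ...)` line matches everything, so existing configurations keep notifying as before. The enclosing constructor starts before this hunk.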
void CommunicatorClass::mainloop(void)
set<DomainInfo> d_tocheck;
vector<DNSPacket> d_potentialsupermasters;
bool d_preventSelfNotification;
+ NetmaskGroup d_onlyNotify;
+
};
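Review bot: The new member `NetmaskGroup d_onlyNotify;` carries no comment explaining what it restricts, and the surrounding members give a reader no hint that it is consulted only for nameserver-derived targets while also-notify targets bypass it (the documentation hunk on this page states that exemption). Suggest `// Netmasks allowed to receive NOTIFY for NS-derived targets (only-notify setting); also-notify targets are not filtered by it.` above the declaration. The stray blank line added after the member can be dropped. The class definition starts before this hunk.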
#endif
</para>
</listitem>
</varlistentry>
-
+ <varlistentry>
+ <term>only-notify=...</term>
+ <listitem>
+ <para>
+ Only send AXFR NOTIFY to these IP addresses or netmasks. The default is to notify the world. The IP addresses or netmasks in <command>
+ also-notify</command> or ALSO-NOTIFY metadata always receive AXFR NOTIFY. Example (and default): <command>only-notify=0.0.0.0/0, ::/0</command>.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry><term>out-of-zone-additional-processing | --out-of-zone-additional-processing=yes | --out-of-zone-additional-processing=no</term>
<listitem><para>
Do out of zone additional processing. This means that if a malicious user adds a '.com' zone to your server, it is not used for
else
for(vector<string>::const_iterator k=nsips.begin();k!=nsips.end();++k) {
const ComboAddress caIp(*k, 53);
- if(!d_preventSelfNotification || !AddressIsUs(caIp))
- ips.insert(caIp.toStringWithPort());
+ if(!d_preventSelfNotification || !AddressIsUs(caIp)) {
+ if(!d_onlyNotify.match(&caIp))
+ L<<Logger::Info<<"Skiped notification of domain '"<<domain<<"' to "<<*j<<" because it does not match only-notify."<<endl;
+ else
+ ips.insert(caIp.toStringWithPort());
+ }
}
}
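Review bot: The log message on the added `L<<Logger::Info` line misspells "Skipped" as "Skiped", and it prints `*j` while the value that failed the `d_onlyNotify.match(&caIp)` check is `caIp`, built from `*k` on the line above; `j` comes from outside this hunk and presumably is the outer nameserver-name iterator, so the message tells the operator which nameserver was skipped but not which of its addresses, which matters when one name resolves to both a matching and a non-matching address. Suggest `L<<Logger::Info<<"Skipped notification of domain '"<<domain<<"' to "<<*j<<" ("<<caIp.toStringWithPort()<<") because it does not match only-notify."<<endl;`. Since the check is nested inside the existing `!d_preventSelfNotification || !AddressIsUs(caIp)` guard, a self-address is still dropped silently as before and only-notify filtering applies after it, which reads correctly; a one-line comment above the new `if` stating that order would help the next reader. The enclosing function starts before this hunk.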
#
# no-shuffle=off
+#################################
+# only-notify Only send AXFR NOTIFY to these IP addresses or netmasks
+#
+# only-notify=0.0.0.0/0,::/0
+
#################################
# out-of-zone-additional-processing Do out of zone additional processing
#