Use separate setting for supermaster and notify
authorAki Tuomi <cmouse@cmouse.fi>
Thu, 13 Aug 2015 06:44:17 +0000 (09:44 +0300)
committerAki Tuomi <cmouse@cmouse.fi>
Wed, 20 Jan 2016 11:17:00 +0000 (13:17 +0200)
This allows enforcing signed supermaster notifications,
but retains compatibility with possible external nameservers
that do not support signed notifications.

pdns/common_startup.cc
pdns/packethandler.cc

index 1532d5050648d8ea12fa93544a8370c8f6a2cbec..fb4195418b941a277b621f461c0a823fe9862d60 100644 (file)
@@ -56,7 +56,8 @@ void declareArguments()
   ::arg().setSwitch("dnsupdate","Enable/Disable DNS update (RFC2136) support. Default is no.")="no";
   ::arg().setSwitch("write-pid","Write a PID file")="yes";
   ::arg().set("allow-dnsupdate-from","A global setting to allow DNS updates from these IP ranges.")="127.0.0.0/8,::1";
-  ::arg().set("allow-insecure-notify","Allow unsigned notifications for TSIG secured domains")="yes"; //FIXME: change to 'no' later
+  ::arg().set("allow-unsigned-notify","Allow unsigned notifications for TSIG secured domains")="yes"; //FIXME: change to 'no' later
+  ::arg().set("allow-unsigned-supermaster", "Allow supermasters to create zones without TSIG signed NOTIFY")="yes";
   ::arg().setSwitch("forward-dnsupdate","A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master.")="yes";
   ::arg().setSwitch("log-dns-details","If PDNS should log DNS non-erroneous details")="no";
   ::arg().setSwitch("log-dns-queries","If PDNS should log all incoming DNS queries")="no";
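Review bot: Renaming `allow-insecure-notify` to `allow-unsigned-notify` in declareArguments() leaves the old name undeclared, so a configuration that already sets `allow-insecure-notify=no` no longer controls anything after upgrade. Depending on how undeclared settings are handled (not visible in this hunk), that is either a startup failure or a silent return to the permissive default `yes`. Consider keeping the old name declared as a deprecated alias for a release, or calling the rename out in the upgrade notes. The new `allow-unsigned-supermaster` also defaults to `yes` but, unlike the line above it, carries no marker that the default should be tightened; if the intent is the same, add `//FIXME: change to 'no' later` there too. declareArguments() starts and ends outside the hunk.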
index 82fa1c5813fbf17dde549bfe954bb5be3510280d..c2b3b2679e6bcf6648172981df2a45e67a1dae54 100644 (file)
@@ -809,6 +809,12 @@ int PacketHandler::trySuperMasterSynchronous(DNSPacket *p, const DNSName& tsigke
 
   string nameserver, account;
   DNSBackend *db;
+
+  if (!::arg().mustDo("allow-unsigned-supermaster") && tsigkeyname.empty()) {
+    L<<Logger::Error<<"Received unsigned NOTIFY for "<<p->qdomain<<" from potential supermaster "<<p->getRemote()<<". Refusing."<<endl;
+    return RCode::Refused;
+  }
+
   if(!B.superMasterBackend(p->getRemote(), p->qdomain, nsset, &nameserver, &account, &db)) {
     L<<Logger::Error<<"Unable to find backend willing to host "<<p->qdomain<<" for potential supermaster "<<p->getRemote()<<". Remote nameservers: "<<endl;
     for(const auto& rr: nsset) {
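Review bot: The new guard in trySuperMasterSynchronous() tests only `tsigkeyname.empty()`, so with `allow-unsigned-supermaster=no` any non-empty key name that reaches this function passes. Nothing in the hunk shows that the signature was verified before the call or that the key is one this supermaster is allowed to use. If the caller and `superMasterBackend` already guarantee both, state that contract above the check, for example `// tsigkeyname is non-empty only when the caller has already validated the NOTIFY's TSIG`. Otherwise the key should be compared against what is configured for `p->getRemote()` before a zone is created. The function body starts and ends outside the hunk.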
@@ -869,11 +875,12 @@ int PacketHandler::processNotify(DNSPacket *p)
   meta.clear();
   if (B.getDomainMetadata(p->qdomain,"AXFR-MASTER-TSIG",meta) && meta.size() > 0) {
     if (!p->d_havetsig) {
-     if (::arg().mustDo("allow-insecure-notify")) {
-       L<<Logger::Warning<<"Received unsigned NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<": permitting because allow-insecure-notify is turned on."<<endl;
-     } else {
-       L<<Logger::Warning<<"Received unsigned NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<": refused because allow-insecure-notify is turned off."<<endl;
-     }
+      if (::arg().mustDo("allow-unsigned-notify")) {
+        L<<Logger::Warning<<"Received unsigned NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<": permitted because allow-unsigned-notify";
+      } else {
+        L<<Logger::Warning<<"Received unsigned NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<": refused"<<endl;
+        return RCode::Refused;
+      }
     } else if (meta[0] != p->getTSIGKeyname().toStringNoDot()) {
       L<<Logger::Error<<"Received secure NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<": expected TSIG key '"<<meta[0]<<", got '"<<p->getTSIGKeyname()<<"'"<<endl;
       return RCode::Refused;
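Review bot: The permitted branch's log statement stops at `": permitted because allow-unsigned-notify"` with no `<<endl`, unlike every other log statement in the hunk. If `endl` is what terminates an entry in this logger, as the surrounding code suggests, the warning for an accepted unsigned NOTIFY is either never flushed or runs into the next message. That is the event an operator most needs recorded when TSIG is configured for the zone. Finish the line as `L<<Logger::Warning<<"Received unsigned NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<": permitted because allow-unsigned-notify is turned on."<<endl;`. processNotify() starts and ends outside the hunk.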