From: Aki Tuomi
Date: Tue, 11 Aug 2015 06:39:56 +0000 (+0300)
Subject: Add allow-insecure-notify
X-Git-Tag: dnsdist-1.0.0-alpha2~40^2~14
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2fa2a51ab480b3ed542b7f2f05274e3fc2d0b65c;p=pdns
Add allow-insecure-notify
---
diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index 253c90f3b..1532d5050 100644
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -56,6 +56,7 @@ void declareArguments()
 ::arg().setSwitch("dnsupdate","Enable/Disable DNS update (RFC2136) support. Default is no.")="no";
 ::arg().setSwitch("write-pid","Write a PID file")="yes";
 ::arg().set("allow-dnsupdate-from","A global setting to allow DNS updates from these IP ranges.")="127.0.0.0/8,::1";
+ ::arg().set("allow-insecure-notify","Allow unsigned notifications for TSIG secured domains")="yes"; //FIXME: change to 'no' later
 ::arg().setSwitch("forward-dnsupdate","A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master.")="yes";
 ::arg().setSwitch("log-dns-details","If PDNS should log DNS non-erroneous details")="no";
 ::arg().setSwitch("log-dns-queries","If PDNS should log all incoming DNS queries")="no";
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index ba4e774f8..f35c0d7c1 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -868,7 +868,13 @@ int PacketHandler::processNotify(DNSPacket *p)
 meta.clear();
 if (B.getDomainMetadata(p->qdomain,"AXFR-MASTER-TSIG",meta) && meta.size() > 0) {
- if (!p->d_havetsig || meta[0] != p->getTSIGKeyname().toStringNoDot()) {
+ if (!p->d_havetsig) {
+ if (::arg().mustDo("allow-insecure-notify")) {
+ L<qdomain<<" from "<getRemote()<<": permitting because allow-insecure-notify is turned on."<qdomain<<" from "<getRemote()<<": refused because allow-insecure-notify is turned off."<getTSIGKeyname().toStringNoDot()) { L<qdomain<<" from "<getRemote()<<": expected TSIG key '"<getTSIGKeyname()<<"'"<
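Review bot: The new option in common_startup.cc is declared with `::arg().set(...)` although every neighbouring yes/no option in the hunk uses `setSwitch`, and the only consumer visible on the page (processNotify in packethandler.cc) reads it through `::arg().mustDo(...)`; declaring it as `::arg().setSwitch("allow-insecure-notify","Allow unsigned notifications for TSIG secured domains")="yes";` keeps it consistent with the other boolean switches. The `"yes"` default, which the FIXME already acknowledges, means a zone carrying AXFR-MASTER-TSIG metadata still accepts a NOTIFY that carries no TSIG at all, so until the default is flipped the help text should state that plainly, e.g. `"Allow unsigned NOTIFY for TSIG-secured domains. Default is yes; set to no to require a TSIG-signed NOTIFY."`. The new code also only appears to check for the presence of a TSIG and the key name, so whether the signature itself is verified cannot be confirmed from this page. declareArguments() starts and ends outside the hunk.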