From: Kees Monshouwer
Date: Sat, 28 Dec 2013 16:16:09 +0000 (+0100)
Subject: add only-notify option
X-Git-Tag: rec-3.6.0-rc1~263^2~2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=68bb0e57ef5fcab95578d391e30d660ccf32bc0f;p=pdns
add only-notify option fixes #454 closes #778 partial fix #949
---
diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index 0fd923b76..9d8d1f09a 100644
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -92,6 +92,7 @@ void declareArguments()
 ::arg().set("launch","Which backends to launch and order to query them in")="";
 ::arg().setSwitch("disable-axfr","Disable zonetransfers but do allow TCP queries")="no";
 ::arg().set("allow-axfr-ips","Allow zonetransfers only to these subnets")="0.0.0.0/0,::/0";
+ ::arg().set("only-notify", "Only send AXFR NOTIFY to these IP addresses or netmasks")="0.0.0.0/0,::/0";
 ::arg().set("slave-cycle-interval","Reschedule failed SOA serial checks once every .. seconds")="60";
 ::arg().set("tcp-control-address","If set, PowerDNS can be controlled over TCP on this address")="";
diff --git a/pdns/communicator.cc b/pdns/communicator.cc
index c23c3a194..09323056e 100644
--- a/pdns/communicator.cc
+++ b/pdns/communicator.cc
@@ -62,7 +62,8 @@ void CommunicatorClass::go()
 for(int n=0; n < ::arg().asNum("retrieval-threads"); ++n)
 pthread_create(&tid, 0, &retrieveLaunchhelper, this); // Starts CommunicatorClass::retrievalLoopThread()
- d_preventSelfNotification =::arg().mustDo("prevent-self-notification");
+ d_preventSelfNotification = ::arg().mustDo("prevent-self-notification");
+ d_onlyNotify.toMasks(::arg()["only-notify"]);
 }
 void CommunicatorClass::mainloop(void)
diff --git a/pdns/communicator.hh b/pdns/communicator.hh
index 1203ef267..8e1910f30 100644
--- a/pdns/communicator.hh
+++ b/pdns/communicator.hh
@@ -202,6 +202,8 @@ private:
 set d_tocheck;
 vector d_potentialsupermasters;
 bool d_preventSelfNotification;
+ NetmaskGroup d_onlyNotify;
+
 };
 #endif
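Review bot: The help string on the added `only-notify` line in common_startup.cc describes a stricter rule than the feature implements: the pdns.xml hunk in this same commit states that targets from also-notify / ALSO-NOTIFY metadata always receive NOTIFY regardless of this setting, and an operator reading the option help will not learn that exception. Suggest `::arg().set("only-notify", "Only send AXFR NOTIFY to these IP addresses or netmasks; also-notify targets are always notified")="0.0.0.0/0,::/0";`. The all-addresses default keeps existing deployments' notify behaviour unchanged, which is worth stating in the commit description as well. declareArguments() continues outside the hunk.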
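Review bot: In the communicator.cc hunk, `d_onlyNotify.toMasks(::arg()["only-notify"]);` runs after the retrieval threads are started on the preceding lines, and any thread started earlier in go() (the rest of go() is outside the hunk) that reaches the notify path could evaluate `d_onlyNotify.match()` against a still-empty group before this line executes; whether an empty NetmaskGroup then suppresses or allows every NOTIFY I cannot tell from here, but either way it differs from the configured policy for that window. Moving the two assignments, `d_preventSelfNotification = ::arg().mustDo("prevent-self-notification");` and `d_onlyNotify.toMasks(::arg()["only-notify"]);`, above the first pthread_create in go() removes the ordering dependency at no cost. If toMasks rejects a malformed netmask by throwing, that exception now surfaces at startup, which is the right place to fail; a short comment such as `// parsed before notifications start so a bad only-notify entry aborts start-up instead of silently mis-filtering` would make that intent explicit.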
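Review bot: The new member `NetmaskGroup d_onlyNotify;` in communicator.hh has no comment, and nothing in the header says which option feeds it or where it is consulted; the communicator.cc hunk in this commit populates it in go() and the mastercommunicator.cc hunk checks it before queuing a NOTIFY. Suggest `NetmaskGroup d_onlyNotify; // destinations allowed to receive NOTIFY (only-notify); filled in go()`. The empty line added between the member and `};` is stray whitespace the surrounding members do not have and can be dropped.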
diff --git a/pdns/docs/pdns.xml b/pdns/docs/pdns.xml
index a1e2a1375..224cf61c8 100644
--- a/pdns/docs/pdns.xml
+++ b/pdns/docs/pdns.xml
@@ -16055,7 +16055,15 @@ Tell PowerDNS to log all incoming DNS queries. This will lead to a lot of loggin - + + only-notify=... + + + Only send AXFR NOTIFY to these IP addresses or netmasks. The default is to notify the world. The IP addresses or netmasks in + also-notify or ALSO-NOTIFY metadata always receive AXFR NOTIFY. Example (and default): only-notify=0.0.0.0/0, ::/0. + + + out-of-zone-additional-processing | --out-of-zone-additional-processing=yes | --out-of-zone-additional-processing=no Do out of zone additional processing. This means that if a malicious user adds a '.com' zone to your server, it is not used for
diff --git a/pdns/mastercommunicator.cc b/pdns/mastercommunicator.cc
index a898cc00c..2b2e8b52a 100644
--- a/pdns/mastercommunicator.cc
+++ b/pdns/mastercommunicator.cc
@@ -59,8 +59,12 @@ void CommunicatorClass::queueNotifyDomain(const string &domain, DNSBackend *B)
 else for(vector::const_iterator k=nsips.begin();k!=nsips.end();++k) {
 const ComboAddress caIp(*k, 53);
- if(!d_preventSelfNotification || !AddressIsUs(caIp))
- ips.insert(caIp.toStringWithPort());
+ if(!d_preventSelfNotification || !AddressIsUs(caIp)) {
+ if(!d_onlyNotify.match(&caIp))
+ L<