From 3497eb189b86b6c56038ff04a9f60fcb5ecf9f7e Mon Sep 17 00:00:00 2001 From: Kees Monshouwer Date: Fri, 20 Sep 2019 14:44:01 +0200 Subject: [PATCH] auth: prevent new database connections while sending notifies --- pdns/communicator.cc | 4 ++-- pdns/communicator.hh | 6 +++--- pdns/dynhandler.cc | 4 ++-- pdns/mastercommunicator.cc | 19 +++++++++---------- pdns/rfc2136handler.cc | 2 +- pdns/slavecommunicator.cc | 2 +- pdns/ws-auth.cc | 2 +- 7 files changed, 19 insertions(+), 20 deletions(-) diff --git a/pdns/communicator.cc b/pdns/communicator.cc index b3b56ca64..816b48967 100644 --- a/pdns/communicator.cc +++ b/pdns/communicator.cc @@ -118,7 +118,7 @@ void CommunicatorClass::mainloop(void) for(;;) { slaveRefresh(&P); masterUpdateCheck(&P); - tick=doNotifications(); // this processes any notification acknowledgements and actually send out our own notifications + tick=doNotifications(&P); // this processes any notification acknowledgements and actually send out our own notifications tick = min (tick, d_tickinterval); @@ -145,7 +145,7 @@ void CommunicatorClass::mainloop(void) break; // something happened } // this gets executed at least once every second - doNotifications(); + doNotifications(&P); } } } diff --git a/pdns/communicator.hh b/pdns/communicator.hh index e0b257582..353a26801 100644 --- a/pdns/communicator.hh +++ b/pdns/communicator.hh @@ -161,7 +161,7 @@ public: d_nsock6 = -1; d_preventSelfNotification = false; } - time_t doNotifications(); + time_t doNotifications(PacketHandler *P); void go(); @@ -173,7 +173,7 @@ public: void notify(const DNSName &domain, const string &ip); void mainloop(); void retrievalLoopThread(); - void sendNotification(int sock, const DNSName &domain, const ComboAddress& remote, uint16_t id); + void sendNotification(int sock, const DNSName &domain, const ComboAddress& remote, uint16_t id, UeberBackend* B); static void *launchhelper(void *p) { 
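Review bot: The new `PacketHandler *P` and `UeberBackend* B` parameters on `doNotifications` and `sendNotification` (communicator.hh hunks at 161 and 173) and on `notifyDomain` (hunk at 185) are declared with no statement of who owns the backend or how long it must stay valid. Since these calls now reuse a caller-supplied database connection instead of opening their own, I would add a comment above the declarations, for example `// B is borrowed for this call only; it must be non-null and must not be used by another thread meanwhile.` The call sites in this patch all pass their own local `&B` or `&P`, which suggests backends are per-thread, but that is inferred. Whether `queueNotifyDomain` keeps the pointer is not visible here, so the wording should be checked against it. The class body starts and ends outside these hunks.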
@@ -185,7 +185,7 @@ public: static_cast(p)->retrievalLoopThread(); return 0; } - bool notifyDomain(const DNSName &domain); + bool notifyDomain(const DNSName &domain, UeberBackend* B); private: void loadArgsIntoSet(const char *listname, set &listset); void makeNotifySockets(); diff --git a/pdns/dynhandler.cc b/pdns/dynhandler.cc index bef847764..7541fdb65 100644 --- a/pdns/dynhandler.cc +++ b/pdns/dynhandler.cc @@ -301,7 +301,7 @@ string DLNotifyHandler(const vector&parts, Utility::pid_t ppid) for (const auto& di : domains) { if (di.kind == DomainInfo::Master || di.kind == DomainInfo::Slave) { // MASTER and Slave if slave-renotify is enabled total++; - if(Communicator.notifyDomain(di.zone)) + if(Communicator.notifyDomain(di.zone, &B)) notified++; } } @@ -316,7 +316,7 @@ string DLNotifyHandler(const vector&parts, Utility::pid_t ppid) } catch (...) { return "Failed to parse domain as valid DNS name"; } - if(!Communicator.notifyDomain(DNSName(parts[1]))) + if(!Communicator.notifyDomain(DNSName(parts[1]), &B)) return "Failed to add to the queue - see log"; return "Added to queue"; } diff --git a/pdns/mastercommunicator.cc b/pdns/mastercommunicator.cc index 1eef51563..03a25eafe 100644 --- a/pdns/mastercommunicator.cc +++ b/pdns/mastercommunicator.cc @@ -112,15 +112,14 @@ void CommunicatorClass::queueNotifyDomain(const DomainInfo& di, UeberBackend* B) } -bool CommunicatorClass::notifyDomain(const DNSName &domain) +bool CommunicatorClass::notifyDomain(const DNSName &domain, UeberBackend* B) { DomainInfo di; - UeberBackend B; - if(!B.getDomainInfo(domain, di)) { + if(!B->getDomainInfo(domain, di)) { g_log<setNotified(di.id, di.serial); @@ -166,8 +165,9 @@ void CommunicatorClass::masterUpdateCheck(PacketHandler *P) } } -time_t CommunicatorClass::doNotifications() +time_t CommunicatorClass::doNotifications(PacketHandler *P) { + UeberBackend *B=P->getBackend(); ComboAddress from; Utility::socklen_t fromlen; char buffer[1500]; 
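Review bot: `notifyDomain` in mastercommunicator.cc now dereferences its argument straight away (`B->getDomainInfo(domain, di)`), and `doNotifications` does the same with `P->getBackend()`, with no check that the pointer is non-null. Every call site in this patch passes `&B` or `&P`, so nothing is broken today, but `notifyDomain` is a public method and a later caller passing a null backend would crash the daemon. Taking `UeberBackend& B` would put the requirement in the signature. If the pointer form must stay for consistency with `queueNotifyDomain(const DomainInfo& di, UeberBackend* B)`, a guard such as `if(!B) return false;` at the top of `notifyDomain` is enough. Part of this hunk is garbled on the page, so the rest of the body could not be reviewed.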
@@ -220,7 +220,7 @@ time_t CommunicatorClass::doNotifications() if(d_preventSelfNotification && AddressIsUs(remote)) continue; - sendNotification(remote.sin4.sin_family == AF_INET ? d_nsock4 : d_nsock6, domain, remote, id); + sendNotification(remote.sin4.sin_family == AF_INET ? d_nsock4 : d_nsock6, domain, remote, id, B); drillHole(domain, ip); } catch(ResolverException &re) { @@ -234,16 +234,15 @@ time_t CommunicatorClass::doNotifications() return d_nq.earliest(); } -void CommunicatorClass::sendNotification(int sock, const DNSName& domain, const ComboAddress& remote, uint16_t id) +void CommunicatorClass::sendNotification(int sock, const DNSName& domain, const ComboAddress& remote, uint16_t id, UeberBackend *B) { - UeberBackend B; vector meta; DNSName tsigkeyname; DNSName tsigalgorithm; string tsigsecret64; string tsigsecret; - if (::arg().mustDo("send-signed-notify") && B.getDomainMetadata(domain, "TSIG-ALLOW-AXFR", meta) && meta.size() > 0) { + if (::arg().mustDo("send-signed-notify") && B->getDomainMetadata(domain, "TSIG-ALLOW-AXFR", meta) && meta.size() > 0) { tsigkeyname = DNSName(meta[0]); } @@ -253,7 +252,7 @@ void CommunicatorClass::sendNotification(int sock, const DNSName& domain, const pw.getHeader()->aa = true; if (tsigkeyname.empty() == false) { - if (!B.getTSIGKey(tsigkeyname, &tsigalgorithm, &tsigsecret64)) { + if (!B->getTSIGKey(tsigkeyname, &tsigalgorithm, &tsigsecret64)) { g_log< notify; B.getDomainMetadata(p->qdomain, "NOTIFY-DNSUPDATE", notify); if (!notify.empty() && notify.front() == "1") { - Communicator.notifyDomain(di.zone); + Communicator.notifyDomain(di.zone, &B); } } diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc index 1b7c126c1..c6b08fefc 100644 --- a/pdns/slavecommunicator.cc +++ b/pdns/slavecommunicator.cc 
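Review bot: In `sendNotification` (hunk at 234) the decision to sign depends on `B->getDomainMetadata(domain, "TSIG-ALLOW-AXFR", meta)` succeeding; when it returns false, `tsigkeyname` stays empty and the `tsigkeyname.empty() == false` branch is skipped without a log line. If a false return can also mean a failed lookup on the now long-lived shared connection, and not only "no key configured", the NOTIFY would presumably go out unsigned with nothing in the log to show it. I would split the condition so that a false return with `send-signed-notify` set is logged, e.g. `g_log<<Logger::Warning<<"Unable to read TSIG metadata for '"<<domain<<"', sending unsigned NOTIFY"<<endl;`. The function body continues past the end of this hunk.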
@@ -613,7 +613,7 @@ void CommunicatorClass::suck(const DNSName &domain, const ComboAddress& remote) } } if(renotify) - notifyDomain(domain); + notifyDomain(domain, &B); } catch(DBException &re) { g_log<setSuccessResult("Notification queued"); -- 2.40.0