From 7014a23d8437498a398d3644e4e05d6d1d82d216 Mon Sep 17 00:00:00 2001 From: Aki Tuomi Date: Sun, 14 Jun 2015 21:08:43 +0300 Subject: [PATCH] Sign notifications with TSIG key associated with domain --- pdns/mastercommunicator.cc | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/pdns/mastercommunicator.cc b/pdns/mastercommunicator.cc index 189798685..7b4183b69 100644 --- a/pdns/mastercommunicator.cc +++ b/pdns/mastercommunicator.cc @@ -38,7 +38,7 @@ #include "dns.hh" #include "arguments.hh" #include "packetcache.hh" - +#include "base64.hh" #include "namespaces.hh" @@ -218,11 +218,37 @@ time_t CommunicatorClass::doNotifications() void CommunicatorClass::sendNotification(int sock, const DNSName& domain, const ComboAddress& remote, uint16_t id) { + UeberBackend B; + vector meta; + string tsigkeyname; + string tsigalgorithm; + string tsigsecret64; + string tsigsecret; + + if (B.getDomainMetadata(domain, "TSIG-ALLOW-AXFR", meta) && meta.size() > 0) { + tsigkeyname = meta[0]; + } + vector packet; DNSPacketWriter pw(packet, domain, QType::SOA, 1, Opcode::Notify); pw.getHeader()->id = id; pw.getHeader()->aa = true; + if (tsigkeyname.empty() == false) { + B.getTSIGKey(tsigkeyname, &tsigalgorithm, &tsigsecret64); + TSIGRecordContent trc; + if (tsigalgorithm == "hmac-md5") + trc.d_algoName = tsigalgorithm + ".sig-alg.reg.int."; + else + trc.d_algoName = tsigalgorithm; + trc.d_time = time(0); + trc.d_fudge = 300; + trc.d_origID=ntohs(id); + trc.d_eRcode=0; + B64Decode(tsigsecret64, tsigsecret); + addTSIG(pw, &trc, tsigkeyname, tsigsecret, "", false); + } + if(sendto(sock, &packet[0], packet.size(), 0, (struct sockaddr*)(&remote), remote.getSocklen()) < 0) { throw ResolverException("Unable to send notify to "+remote.toStringWithPort()+": "+stringerror()); } -- 2.40.0