From 771bb0b0bb525706bb74604311de7e38fcb58615 Mon Sep 17 00:00:00 2001
From: Aki Tuomi <cmouse@cmouse.fi>
Date: Thu, 13 Aug 2015 09:44:17 +0300
Subject: [PATCH] Use separate setting for supermaster and notify

This allows enforcing signed supermaster notifications,
but retains compability with possible external nameservers
that do not support signed notifications.
---
 pdns/common_startup.cc |  3 ++-
 pdns/packethandler.cc  | 17 ++++++++++++-----
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index 1532d5050..fb4195418 100644
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -56,7 +56,8 @@ void declareArguments()
   ::arg().setSwitch("dnsupdate","Enable/Disable DNS update (RFC2136) support. Default is no.")="no";
   ::arg().setSwitch("write-pid","Write a PID file")="yes";
   ::arg().set("allow-dnsupdate-from","A global setting to allow DNS updates from these IP ranges.")="127.0.0.0/8,::1";
-  ::arg().set("allow-insecure-notify","Allow unsigned notifications for TSIG secured domains")="yes"; //FIXME: change to 'no' later
+  ::arg().set("allow-unsigned-notify","Allow unsigned notifications for TSIG secured domains")="yes"; //FIXME: change to 'no' later
+  ::arg().set("allow-unsigned-supermaster", "Allow supermasters to create zones without TSIG signed NOTIFY")="yes";
   ::arg().setSwitch("forward-dnsupdate","A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master.")="yes";
   ::arg().setSwitch("log-dns-details","If PDNS should log DNS non-erroneous details")="no";
   ::arg().setSwitch("log-dns-queries","If PDNS should log all incoming DNS queries")="no";
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 82fa1c581..c2b3b2679 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -809,6 +809,12 @@ int PacketHandler::trySuperMasterSynchronous(DNSPacket *p, const DNSName& tsigke
 
   string nameserver, account;
   DNSBackend *db;
+
+  if (!::arg().mustDo("allow-unsigned-supermaster") && tsigkeyname.empty()) {
+    L<<Logger::Error<<"Received unsigned NOTIFY for "<<p->qdomain<<" from potential supermaster "<<p->getRemote()<<". Refusing."<<endl;
+    return RCode::Refused;
+  }
+
   if(!B.superMasterBackend(p->getRemote(), p->qdomain, nsset, &nameserver, &account, &db)) {
     L<<Logger::Error<<"Unable to find backend willing to host "<<p->qdomain<<" for potential supermaster "<<p->getRemote()<<". Remote nameservers: "<<endl;
     for(const auto& rr: nsset) {
@@ -869,11 +875,12 @@ int PacketHandler::processNotify(DNSPacket *p)
   meta.clear();
   if (B.getDomainMetadata(p->qdomain,"AXFR-MASTER-TSIG",meta) && meta.size() > 0) {
     if (!p->d_havetsig) {
-     if (::arg().mustDo("allow-insecure-notify")) {
-       L<<Logger::Warning<<"Received unsigned NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<": permitting because allow-insecure-notify is turned on."<<endl;
-     } else {
-       L<<Logger::Warning<<"Received unsigned NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<": refused because allow-insecure-notify is turned off."<<endl;
-     }
+      if (::arg().mustDo("allow-unsigned-notify")) {
+        L<<Logger::Warning<<"Received unsigned NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<": permitted because allow-unsigned-notify";
+      } else {
+        L<<Logger::Warning<<"Received unsigned NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<": refused"<<endl;
+        return RCode::Refused;
+      }
     } else if (meta[0] != p->getTSIGKeyname().toStringNoDot()) {
       L<<Logger::Error<<"Received secure NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<": expected TSIG key '"<<meta[0]<<", got '"<<p->getTSIGKeyname()<<"'"<<endl;
       return RCode::Refused;
-- 
2.40.0