From ac340505338bd3b483c0e0e9bf1a6793dc4edfd7 Mon Sep 17 00:00:00 2001
From: Klaus Darilion
Date: Tue, 31 Jul 2018 22:14:32 +0000
Subject: [PATCH] add option to send NOTIFYs without TSIG signature
---
 docs/settings.rst | 14 ++++++++++++++
 pdns/common_startup.cc | 1 +
 pdns/mastercommunicator.cc | 2 +-
 3 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/docs/settings.rst b/docs/settings.rst
index a121cf155..263787faf 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -1249,6 +1249,20 @@ resolvers. Number of AXFR slave threads to start. +.. _setting-send-signed-notify: + ``send-signed-notify`` ---------- + +- Boolean +- Default: yes + +If yes, outgoing NOTIFYs will be signed if a TSIG key is configured for the zone. +If there are multiple TSIG keys configured for a domain, PowerDNS will use the +first one retrieved from the backend, which may not be the correct one for the +respective slave. Hence, in setups with mutliple slaves with different TSIG keys +it may be required to send NOTIFYs unsigned. + .. _setting-setgid: ``setgid``
diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index 786a212a7..09e451ba0 100644
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -74,6 +74,7 @@ void declareArguments()
 ::arg().setSwitch("dnsupdate","Enable/Disable DNS update (RFC2136) support. Default is no.")="no";
 ::arg().setSwitch("write-pid","Write a PID file")="yes";
 ::arg().set("allow-dnsupdate-from","A global setting to allow DNS updates from these IP ranges.")="127.0.0.0/8,::1";
+ ::arg().setSwitch("send-signed-notify","Send TSIG secured NOTIFY if TSIG key is configured for a domain")="yes";
 ::arg().set("allow-unsigned-notify","Allow unsigned notifications for TSIG secured domains")="yes"; //FIXME: change to 'no' later
 ::arg().set("allow-unsigned-supermaster", "Allow supermasters to create zones without TSIG signed NOTIFY")="yes";
 ::arg().setSwitch("forward-dnsupdate","A global setting to allow DNS update packages that are for a Slave domain, to be forwarded to the master.")="yes";
diff --git a/pdns/mastercommunicator.cc b/pdns/mastercommunicator.cc
index 17a4ff8ba..b5841132c 100644
--- a/pdns/mastercommunicator.cc
+++ b/pdns/mastercommunicator.cc
@@ -232,7 +232,7 @@ void CommunicatorClass::sendNotification(int sock, const DNSName& domain, const
 string tsigsecret64;
 string tsigsecret;
- if (B.getDomainMetadata(domain, "TSIG-ALLOW-AXFR", meta) && meta.size() > 0) {
+ if (::arg().mustDo("send-signed-notify") && B.getDomainMetadata(domain, "TSIG-ALLOW-AXFR", meta) && meta.size() > 0) {
 tsigkeyname = DNSName(meta[0]);
 }
--
2.40.0
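Review bot: The help string of the new `send-signed-notify` switch does not say what turning it off implies for the receiving side, although the very next line shows that PowerDNS slaves appear to accept unsigned NOTIFYs for TSIG-secured zones only while `allow-unsigned-notify` is `yes`, and that line carries a FIXME to flip the default to `no`. A master running with `send-signed-notify=no` would then have its NOTIFYs rejected by PowerDNS slaves, so the dependency belongs in the help text, e.g. `"Send TSIG secured NOTIFY if TSIG key is configured for a domain; if disabled, slaves must accept unsigned NOTIFYs (see allow-unsigned-notify)"`. declareArguments() begins before this hunk.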
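Review bot: When `send-signed-notify` is off the new condition short-circuits before the metadata lookup, so a zone that does have a TSIG-ALLOW-AXFR key silently goes out unsigned and nothing in the master's log distinguishes "signing disabled by configuration" from "no key configured", which is the first thing an operator needs when a slave starts rejecting NOTIFYs. I would keep the lookup and branch on the switch inside it, logging the skipped signing at debug level (the logging call is left as a comment below because the logger is not visible in this hunk); this costs one metadata query per NOTIFY when the switch is off, which the current short-circuit avoids, so keep the short-circuit if that cost matters. The global switch also drops signing for every zone, including those with a single correct key; a per-zone metadata item naming the key to use for NOTIFY would address the multi-key problem the docs describe without giving up NOTIFY authenticity elsewhere, which is out of scope here but worth a TODO next to the `if`. sendNotification() continues past the hunk, so how an empty `tsigkeyname` is handled further down cannot be checked from here.
```cpp
  // … unchanged: tsigsecret64 / tsigsecret declarations …
  if (B.getDomainMetadata(domain, "TSIG-ALLOW-AXFR", meta) && !meta.empty()) {
    if (::arg().mustDo("send-signed-notify")) {
      tsigkeyname = DNSName(meta[0]);
    } else {
      // TSIG key configured but signing disabled by send-signed-notify=no:
      // log this at debug level so unsigned NOTIFYs for this zone are explainable.
    }
  }
```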