From b80139777ebd2e0dc14cfd88d30eed80cfc04054 Mon Sep 17 00:00:00 2001 From: Kees Monshouwer Date: Tue, 27 Feb 2018 22:58:34 +0100 Subject: [PATCH] auth: add 'supermaster' option to enable/disable supermaster support --- docs/modes-of-operation.rst | 1 + docs/settings.rst | 12 ++++++++++++ pdns/common_startup.cc | 1 + pdns/packethandler.cc | 10 +++++++--- .../supermaster-signed/command | 2 +- .../supermaster-unsigned/command | 2 +- 6 files changed, 23 insertions(+), 5 deletions(-) diff --git a/docs/modes-of-operation.rst b/docs/modes-of-operation.rst index 365eab4b6..658b2bfd6 100644 --- a/docs/modes-of-operation.rst +++ b/docs/modes-of-operation.rst @@ -196,6 +196,7 @@ itself as a slave for that zone. Before a supermaster notification succeeds, the following conditions must be met: + - :ref:`setting-supermaster` support must be enabled - The supermaster must carry a SOA record for the notified domain - The supermaster IP must be present in the 'supermaster' table - The set of NS records for the domain, as retrieved by the slave from the supermaster, must include the name that goes with the IP address in the supermaster table diff --git a/docs/settings.rst b/docs/settings.rst index 11ddba12f..6b26758d3 100644 --- a/docs/settings.rst +++ b/docs/settings.rst @@ -1325,6 +1325,18 @@ This path will also contain the pidfile for this instance of PowerDNS called ``pdns.pid`` by default. See :ref:`setting-config-name` and :doc:`Virtual Hosting ` how this can differ. +.. _setting-supermaster: + +``supermaster`` +------------ + +- Boolean +- Default: no + +.. versionadded:: 4.2.0 + +Turn on supermaster support. See :ref:`supemaster-operation`. + .. _setting-tcp-control-address: ``tcp-control-address`` diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc index f7a902ad4..63309857c 100644 --- a/pdns/common_startup.cc +++ b/pdns/common_startup.cc 
@@ -124,6 +124,7 @@ void declareArguments() ::arg().setSwitch("slave","Act as a slave")="no"; ::arg().setSwitch("master","Act as a master")="no"; + ::arg().setSwitch("supermaster", "Act as a supermaster")="no"; ::arg().setSwitch("disable-axfr-rectify","Disable the rectify step during an outgoing AXFR. Only required for regression testing.")="no"; ::arg().setSwitch("guardian","Run within a guardian process")="no"; ::arg().setSwitch("prevent-self-notification","Don't send notifications to what we think is ourself")="yes"; diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc index b63f32c77..3f7acd272 100644 --- a/pdns/packethandler.cc +++ b/pdns/packethandler.cc @@ -836,8 +836,12 @@ int PacketHandler::processNotify(DNSPacket *p) // DomainInfo di; if(!B.getDomainInfo(p->qdomain, di, false) || !di.backend) { - g_log<qdomain<<" from "<getRemote()<<" for which we are not authoritative, trying supermaster"<getTSIGKeyname()); // FIXME a global 'off' switch for supermaster support will save some resources in setups without supermasters + if(::arg().mustDo("supermaster")) { + g_log<qdomain<<" from "<getRemote()<<" for which we are not authoritative, trying supermaster"<getTSIGKeyname()); + } + g_log<qdomain<<" from "<getRemote()<<" for which we are not authoritative (Refused)"<getRemote().toString())) { @@ -855,7 +859,7 @@ int PacketHandler::processNotify(DNSPacket *p) g_log<qdomain<<" from "<getRemote()<<" which is not a master (Refused)"< forwardNotify(s_forwardNotify); for(set::const_iterator j=forwardNotify.begin();j!=forwardNotify.end();++j) { diff --git a/regression-tests.nobackend/supermaster-signed/command b/regression-tests.nobackend/supermaster-signed/command index 5c88e5a2d..6eb46127f 100755 --- a/regression-tests.nobackend/supermaster-signed/command +++ b/regression-tests.nobackend/supermaster-signed/command 
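Review bot: The help text on the added switch, `"Act as a supermaster"`, names the opposite role from the one the option controls. The documentation and both regression tests in this patch set it on the slave, where it decides whether a NOTIFY for an unknown zone may lead to that zone being provisioned. Because the option gates zone creation triggered by a remote party, the description should say so, for example `::arg().setSwitch("supermaster", "Act on NOTIFYs from supermasters by creating slave zones")="no";`. The default of `no` also changes behaviour for existing slaves that rely on supermasters, and the `versionadded` entry does not spell that out, so an upgrade note would help. The `:ref:` target `supemaster-operation` in the new settings entry looks misspelt.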
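Review bot: Nothing in the patch exercises the new refusal branch in processNotify(): both regression-test changes pass `--supermaster=yes`, so the default-off path for a NOTIFY about an unknown zone is untested. This gate is what keeps an unsolicited NOTIFY away from the supermaster lookup, so a negative test that starts the slave without the option and checks that no zone is created would pin the behaviour. The check `::arg().mustDo("supermaster")` is also evaluated for every such packet; reading it once into a static next to `s_forwardNotify` (assuming that is how this file caches settings) would keep the lookup off a path any remote sender can reach. The hunk text is damaged on this page, so the log severity and the return value of the refused branch could not be checked. processNotify() starts and ends outside the hunk.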
@@ -94,7 +94,7 @@ start_slave() $RUNWRAPPER $PDNS2 --daemon=no --local-port=$slaveport --config-dir=. --module-dir=../regression-tests/modules \ --config-name=gsqlite3-slave --socket-dir=./ --no-shuffle --local-address=127.0.0.2 --local-ipv6='' \ - --slave --retrieval-threads=4 --slave=yes --query-local-address=127.0.0.2 \ + --slave --retrieval-threads=4 --slave=yes --supermaster=yes --query-local-address=127.0.0.2 \ --slave-cycle-interval=300 --allow-unsigned-notify=no --allow-unsigned-supermaster=no & } diff --git a/regression-tests.nobackend/supermaster-unsigned/command b/regression-tests.nobackend/supermaster-unsigned/command index 1e9f0c7fa..86dde0392 100755 --- a/regression-tests.nobackend/supermaster-unsigned/command +++ b/regression-tests.nobackend/supermaster-unsigned/command @@ -85,7 +85,7 @@ start_slave() $RUNWRAPPER $PDNS2 --daemon=no --local-port=$slaveport --config-dir=. --module-dir=../regression-tests/modules \ --config-name=gsqlite3-slave --socket-dir=./ --no-shuffle --local-address=127.0.0.2 --local-ipv6= \ - --slave --retrieval-threads=4 --slave=yes --query-local-address=127.0.0.2 \ + --slave --retrieval-threads=4 --slave=yes --supermaster=yes --query-local-address=127.0.0.2 \ --slave-cycle-interval=300 --dname-processing & } -- 2.40.0