diff --git a/CHANGELOG b/CHANGELOG
index d6aa7ff..39b68a8 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -29,6 +29,10 @@ version 2.80
 have different parameters and avoids advertising the same prefix twice.
 Thanks to Luis Marsano for spotting this case.
 
+ Allow zone transfer in authoritative mode if auth-peer is specified,
+ even if auth-sec-servers is not. Thanks to Raphaƫl Halimi for
+ the suggestion.
+
 
 version 2.79
 Fix parsing of CNAME arguments, which are confused by extra spaces.
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index 21069de..c7e6c88 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -817,7 +817,11 @@ authoritative zones as dnsmasq.
 Specify the addresses of secondary servers which are allowed to
 initiate zone transfer (AXFR) requests for zones for which dnsmasq is
 authoritative. If this option is not given, then AXFR requests will be
-accepted from any secondary.
+accepted from any secondary. Specifying
+.B auth-peer
+without
+.B auth-sec-servers
+enables zone transfer but does not advertise the secondary in NS records returned by dnsmasq.
 .TP
 .B --conntrack
 Read the Linux connection track mark associated with incoming DNS
diff --git a/src/auth.c b/src/auth.c
index 6ad051d..c8b89b5 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -436,8 +436,9 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 if (sockaddr_isequal(peer_addr, &peers->addr))
 break;
 
- /* Refuse all AXFR unless --auth-sec-servers is set */
- if ((!peers && daemon->auth_peers) || !daemon->secondary_forward_server)
+ /* Refuse all AXFR unless --auth-sec-servers or auth-peers is set */
+ if ((!daemon->secondary_forward_server && !daemon->auth_peers) ||
+ (daemon->auth_peers && !peers))
 {
 if (peer_addr->sa.sa_family == AF_INET)
 inet_ntop(AF_INET, &peer_addr->in.sin_addr, daemon->addrbuff, ADDRSTRLEN);
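Review bot: The rewritten comment in the src/auth.c hunk names the option `auth-peers`, but the option this same commit documents in the man page and CHANGELOG is `--auth-peer`; use the real name so a reader grepping for the option lands on this policy check, e.g. `/* Refuse AXFR unless --auth-sec-servers or --auth-peer is set; with --auth-peer only a listed peer may transfer */`. The two-clause condition encodes a three-way policy that reads more directly as `if (daemon->auth_peers ? !peers : !daemon->secondary_forward_server)`, which is equivalent to the added lines: when auth_peers is configured only a source address matched by the loop above passes, otherwise the old auth-sec-servers rule applies. Note that with --auth-sec-servers set and no --auth-peer, any source address may still pull the zone, as the man page states; this hunk leaves that default unchanged. The body of answer_auth continues outside the hunk on both sides.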