Zone-transfer peer restriction option.

2025-12-19 10:18:25 +00:00 · 2012-12-09 18:24:58 +00:00
parent e1ff419cf9
commit 496787677e
4 changed files with 53 additions and 9 deletions
--- a/src/auth.c
+++ b/src/auth.c
@@ -72,7 +72,7 @@ static int in_zone(struct auth_zone *zone, char *name, char **cut)
 }


-size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t now) 
+size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t now, union mysockaddr *peer_addr) 
 {
  char *name = daemon->namebuff;
  unsigned char *p, *ansp;
@@ -357,6 +357,35 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	    }
      	  else if (qtype == T_AXFR)
 	    {
+	      if (daemon->auth_peers)
+		{
+		  struct iname *peers;
+		  
+		  if (peer_addr->sa.sa_family == AF_INET)
+		    peer_addr->in.sin_port = 0;
+#ifdef HAVE_IPV6
+		  else
+		    peer_addr->in6.sin6_port = 0; 
+#endif
+		  
+		  for (peers = daemon->auth_peers; peers; peers = peers->next)
+		    if (sockaddr_isequal(peer_addr, &peers->addr))
+		      break;
+		  
+		  if (!peers)
+		    {
+		      if (peer_addr->sa.sa_family == AF_INET)
+			inet_ntop(AF_INET, &peer_addr->in.sin_addr, daemon->addrbuff, ADDRSTRLEN);
+#ifdef HAVE_IPV6
+		      else
+			inet_ntop(AF_INET6, &peer_addr->in6.sin6_addr, daemon->addrbuff, ADDRSTRLEN); 
+#endif
+		      
+		      my_syslog(LOG_WARNING, _("ignoring zone transfer request from %s"), daemon->addrbuff);
+		      return 0;
+		    }
+		}
+	      
 	      soa = 1; /* inhibits auth section */
 	      ns = 1; /* ensure we include NS records! */
 	      axfr = 1;