From: Peter van Dijk <peter.van.dijk@powerdns.com>
Date: Wed, 12 Jun 2019 18:10:37 +0000 (+0200)
Subject: backport superslave setting to 4.1.x, but default to yes
X-Git-Tag: auth-4.1.9^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F7922%2Fhead;p=thirdparty%2Fpdns.git

backport superslave setting to 4.1.x, but default to yes
---

diff --git a/docs/modes-of-operation.rst b/docs/modes-of-operation.rst
index ab6a3007b0..e068c906a5 100644
--- a/docs/modes-of-operation.rst
+++ b/docs/modes-of-operation.rst
@@ -190,6 +190,7 @@ itself as a slave for that zone.
 Before a supermaster notification succeeds, the following conditions
 must be met:
 
+ - :ref:`setting-superslave` support must be enabled
  - The supermaster must carry a SOA record for the notified domain
  - The supermaster IP must be present in the 'supermaster' table
  - The set of NS records for the domain, as retrieved by the slave from the supermaster, must include the name that goes with the IP address in the supermaster table
diff --git a/docs/settings.rst b/docs/settings.rst
index a429bc9392..6eb093c446 100644
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -1327,6 +1327,20 @@ and :doc:`Virtual Hosting <guides/virtual-instances>` how this can differ.
 
 .. _setting-tcp-control-address:
 
+.. _setting-superslave:
+
+``superslave``
+---------------
+
+-  Boolean
+-  Default: yes
+
+.. versionadded:: 4.1.9
+  In versions before 4.1.9, this setting did not exist, it was not possible to disable
+  supermaster support.
+
+Turn on supermaster support. See :ref:`supermaster-operation`.
+
 ``tcp-control-address``
 -----------------------
 
diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index 463a3a33ed..6480a78c95 100644
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -124,6 +124,7 @@ void declareArguments()
   
   ::arg().setSwitch("slave","Act as a slave")="no";
   ::arg().setSwitch("master","Act as a master")="no";
+  ::arg().setSwitch("superslave", "Act as a superslave")="yes";
   ::arg().setSwitch("disable-axfr-rectify","Disable the rectify step during an outgoing AXFR. Only required for regression testing.")="no";
   ::arg().setSwitch("guardian","Run within a guardian process")="no";
   ::arg().setSwitch("prevent-self-notification","Don't send notifications to what we think is ourself")="yes";
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index ce8ea39f53..5b8acd733f 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -821,8 +821,12 @@ int PacketHandler::processNotify(DNSPacket *p)
   DomainInfo di;
   di.serial = 0;
   if(!B.getDomainInfo(p->qdomain, di) || !(db=di.backend)) {
-    L<<Logger::Error<<"Received NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<" for which we are not authoritative"<<endl;
-    return trySuperMaster(p, p->getTSIGKeyname());
+    if(::arg().mustDo("superslave")) {
+      L<<Logger::Warning<<"Received NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<" for which we are not authoritative"<<endl;
+      return trySuperMaster(p, p->getTSIGKeyname());
+    }
+    L<<Logger::Notice<<"Received NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<" for which we are not authoritative (Refused)"<<endl;
+    return RCode::Refused;
   }
 
   meta.clear();
diff --git a/regression-tests.nobackend/supermaster-signed/command b/regression-tests.nobackend/supermaster-signed/command
index 5c88e5a2df..ffb0da45c5 100755
--- a/regression-tests.nobackend/supermaster-signed/command
+++ b/regression-tests.nobackend/supermaster-signed/command
@@ -94,7 +94,7 @@ start_slave()
 
         $RUNWRAPPER $PDNS2 --daemon=no --local-port=$slaveport --config-dir=. --module-dir=../regression-tests/modules \
                 --config-name=gsqlite3-slave --socket-dir=./ --no-shuffle --local-address=127.0.0.2 --local-ipv6='' \
-                --slave --retrieval-threads=4 --slave=yes --query-local-address=127.0.0.2 \
+                --slave --retrieval-threads=4 --slave=yes --superslave=yes --query-local-address=127.0.0.2 \
                 --slave-cycle-interval=300 --allow-unsigned-notify=no --allow-unsigned-supermaster=no &
 }
 
diff --git a/regression-tests.nobackend/supermaster-unsigned/command b/regression-tests.nobackend/supermaster-unsigned/command
index 1e9f0c7faa..6311fd2d01 100755
--- a/regression-tests.nobackend/supermaster-unsigned/command
+++ b/regression-tests.nobackend/supermaster-unsigned/command
@@ -85,7 +85,7 @@ start_slave()
 
         $RUNWRAPPER $PDNS2 --daemon=no --local-port=$slaveport --config-dir=. --module-dir=../regression-tests/modules \
                 --config-name=gsqlite3-slave --socket-dir=./ --no-shuffle --local-address=127.0.0.2 --local-ipv6= \
-                --slave --retrieval-threads=4 --slave=yes --query-local-address=127.0.0.2 \
+                --slave --retrieval-threads=4 --slave=yes --superslave=yes --query-local-address=127.0.0.2 \
                 --slave-cycle-interval=300 --dname-processing &
 }