Add dnsupdate-require-tsig config option

So zones without keys that are accessible based on IP can be closed off

diff --git a/pdns/auth-main.cc b/pdns/auth-main.cc
index 0c9dc4b80ee4fa863fef6a9db74b68e2c480c506..797d21c3d720c270d34e6dc480a57e0ffd859985 100644 (file)
--- a/pdns/auth-main.cc
+++ b/pdns/auth-main.cc
@@ -161,6 +161,7 @@ static void declareArguments()
   ::arg().setSwitch("dnsupdate", "Enable/Disable DNS update (RFC2136) support. Default is no.") = "no";
   ::arg().setSwitch("write-pid", "Write a PID file") = "yes";
   ::arg().set("allow-dnsupdate-from", "A global setting to allow DNS updates from these IP ranges.") = "127.0.0.0/8,::1";
+  ::arg().setSwitch("dnsupdate-require-tsig", "Require TSIG secured DNS updates. Default is no.") = "no";
   ::arg().set("proxy-protocol-from", "A Proxy Protocol header is only allowed from these subnets, and is mandatory then too.") = "";
   ::arg().set("proxy-protocol-maximum-size", "The maximum size of a proxy protocol payload, including the TLV values") = "512";
   ::arg().setSwitch("send-signed-notify", "Send TSIG secured NOTIFY if TSIG key is configured for a zone") = "yes";

diff --git a/pdns/rfc2136handler.cc b/pdns/rfc2136handler.cc
index 0144456b29dcad592662422495c4bc295cbdf126..9f38fffd2b62a5aa7cd8da5031657e1d4e43f059 100644 (file)
--- a/pdns/rfc2136handler.cc
+++ b/pdns/rfc2136handler.cc
@@ -726,6 +726,9 @@ int PacketHandler::processUpdate(DNSPacket& p) {
         g_log<<Logger::Error<<msgPrefix<<"TSIG key ("<<inputkey<<") required, but no matching key found in domainmetadata, tried "<<tsigKeys.size()<<". Sending REFUSED"<<endl;
         return RCode::Refused;
       }
+    } else if(::arg().mustDo("dnsupdate-require-tsig")) {
+      g_log<<Logger::Error<<msgPrefix<<"TSIG key required, but domain is not secured with TSIG. Sending REFUSED"<<endl;
+      return RCode::Refused;
     }
 
     if (tsigKeys.size() == 0 && p.d_havetsig)