if(q->d_havetsig) { // if you have one, it must be good
TSIGRecordContent trc;
string keyname, secret;
- if(!checkForCorrectTSIG(q.get(), s_P->getBackend(), &keyname, &secret, &trc))
+ if(!checkForCorrectTSIG(q.get(), s_P->getBackend(), &keyname, &secret, &trc)) {
return false;
} else {
getTSIGHashEnum(trc.d_algoName, q->d_tsig_algo);
DNSSECKeeper dk;
- string algorithm=toLowerCanonic(trc.d_algoName);
- if (algorithm == "hmac-md5.sig-alg.reg.int")
- algorithm = "hmac-md5";
+ if (q->d_tsig_algo == TSIG_GSS) {
+ vector<string> princs;
+ s_P->getBackend()->getDomainMetadata(q->qdomain, "GSS-ALLOW-AXFR-PRINCIPAL", princs);
+ BOOST_FOREACH(const std::string& princ, princs) {
+ if (q->d_peer_principal == princ) {
+ L<<Logger::Warning<<"AXFR of domain '"<<q->qdomain<<"' allowed: TSIG signed request with authorized principal '"<<q->d_peer_principal<<"' and algorithm 'gss-tsig'"<<endl;
+ return true;
+ }
+ }
+ L<<Logger::Warning<<"AXFR of domain '"<<q->qdomain<<"' denied: TSIG signed request with principal '"<<q->d_peer_principal<<"' and algorithm 'gss-tsig' is not permitted"<<endl;
+ return false;
+ }
+
if(!dk.TSIGGrantsAccess(q->qdomain, keyname)) {
- L<<Logger::Error<<"AXFR '"<<q->qdomain<<"' denied: key with name '"<<keyname<<"' and algorithm '"<<algorithm<<"' does not grant access to zone"<<endl;
+ L<<Logger::Error<<"AXFR '"<<q->qdomain<<"' denied: key with name '"<<keyname<<"' and algorithm '"<<getTSIGAlgoName(q->d_tsig_algo)<<"' does not grant access to zone"<<endl;
return false;
}
else {
- L<<Logger::Warning<<"AXFR of domain '"<<q->qdomain<<"' allowed: TSIG signed request with authorized key '"<<keyname<<"' and algorithm '"<<algorithm<<"'"<<endl;
+ L<<Logger::Warning<<"AXFR of domain '"<<q->qdomain<<"' allowed: TSIG signed request with authorized key '"<<keyname<<"' and algorithm '"<<getTSIGAlgoName(q->d_tsig_algo)<<"'"<<endl;
return true;
}
}
string algorithm=toLowerCanonic(trc.d_algoName);
if (algorithm == "hmac-md5.sig-alg.reg.int")
algorithm = "hmac-md5";
- Lock l(&s_plock);
- s_P->getBackend()->getTSIGKey(tsigkeyname, &algorithm, &tsig64);
- B64Decode(tsig64, tsigsecret);
+ if (algorithm != "gss-tsig") {
+ Lock l(&s_plock);
+ s_P->getBackend()->getTSIGKey(tsigkeyname, &algorithm, &tsig64);
+ B64Decode(tsig64, tsigsecret);
+ }
}
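Review bot: The GSS case is detected two different ways in this change — `q->d_tsig_algo == TSIG_GSS` at the principal check and `algorithm != "gss-tsig"` at the key lookup — and the string form depends on `toLowerCanonic` plus the hmac-md5 alias rewrite just above it rather than on the parsed enum; if `q` is in scope at the key-lookup site, testing `q->d_tsig_algo != TSIG_GSS` there keeps both branches agreeing on what counts as GSS. When that branch is skipped, `tsig64` and `tsigsecret` are left untouched, so whatever signs the outgoing AXFR after this hunk must cope with an empty secret for the gss-tsig case; the enclosing function continues past the hunk, so this cannot be confirmed from here. In the principal loop the match is plain string equality, so if `d_peer_principal` can be empty when no GSS identity was established, a guard such as `if (!q->d_peer_principal.empty() && q->d_peer_principal == princ)` prevents an empty `GSS-ALLOW-AXFR-PRINCIPAL` entry from granting access. The enclosing function also starts outside the hunk.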