From: Klaus Darilion Date: Wed, 6 Apr 2022 12:37:52 +0000 (+0000) Subject: new option 'ignore-errors' for setting 'outgoing-axfr-expand-alias' X-Git-Tag: rec-5.0.0-alpha1~163^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=833b07fe444663ba3cb0782a2c67d8a52abf2542;p=thirdparty%2Fpdns.git new option 'ignore-errors' for setting 'outgoing-axfr-expand-alias' If the ALIAS target can not be resolved during AXFR the AXFR will fail. To allow outgoing AXFR also if the ALIAS targets are broken set this setting to 'ignore-errors', but be warned, this will lead to inconsistent zones between Primary and Secondary name server. --- diff --git a/docs/guides/alias.rst b/docs/guides/alias.rst index 2efb6b63ba..b85762cbaa 100644 --- a/docs/guides/alias.rst +++ b/docs/guides/alias.rst @@ -34,6 +34,8 @@ When the authoritative server receives a query for the A-record for ``example.net``, it will resolve the A record for ``mywebapp.paas-provider.net`` and serve an answer for ``example.net`` with that A record. +If the ALIAS target can not be resolved (SERVFAIL) or does not exist +(NXDOMAIN) the authoritative server will answer SERVFAIL. When a zone containing ALIAS records is transferred over AXFR, the :ref:`setting-outgoing-axfr-expand-alias` @@ -42,6 +44,11 @@ default), ALIAS records are sent as-is (RRType 65401 and a DNSName in the RDATA) in the AXFR. When set to 'yes', PowerDNS will lookup the A and AAAA records of the name in the ALIAS-record and send the results in the AXFR. +If the ALIAS target can not be resolved during AXFR the AXFR will fail. +To allow outgoing AXFR also if the ALIAS targets are broken you can set +:ref:`setting-outgoing-axfr-expand-alias` to 'ignore-errors', but +be warned, this will lead to inconsistent zones between the Primary and +Secondary name servers. Set ``outgoing-axfr-expand-alias`` to 'yes' if your slaves don't understand ALIAS or should not look up the addresses themselves. Note 
@@ -62,5 +69,3 @@ Starting with the PowerDNS Authoritative Server 4.0.0, DNSSEC 'washing' of ALIAS records is supported on AXFR (**not** on live-signing). Set ``outgoing-axfr-expand-alias`` to 'yes' and enable DNSSEC for the zone on the master. PowerDNS will sign the A/AAAA records during the AXFR. - - diff --git a/docs/settings.rst b/docs/settings.rst index 32c8dde935..bff6068e96 100644 --- a/docs/settings.rst +++ b/docs/settings.rst @@ -1278,9 +1278,12 @@ To notify all IP addresses apart from the 192.168.0.0/24 subnet use the followin ``outgoing-axfr-expand-alias`` ------------------------------ -- Boolean +- One of ``no``, ``yes``, or ``ignore-errors``, String - Default: no +.. versionchanged:: 4.9.0 + Option `ignore-errors` added. + If this is enabled, ALIAS records are expanded (synthesized to their A/AAAA) during outgoing AXFR. This means slaves will not automatically follow changes in those A/AAAA records unless you AXFR regularly! @@ -1289,6 +1292,12 @@ If this is disabled (the default), ALIAS records are sent verbatim during outgoing AXFR. Note that if your slaves do not support ALIAS, they will return NODATA for A/AAAA queries for such names. +If the ALIAS target can not be resolved during AXFR the AXFR will fail. +To allow outgoing AXFR also if the ALIAS targets are broken set this +setting to `ignore-errors`. +Be warned, this will lead to inconsistent zones between Primary and +Secondary name servers. + .. _setting-overload-queue-length: ``overload-queue-length`` diff --git a/pdns/auth-main.cc b/pdns/auth-main.cc index 5bf5e1ccf6..65170674b2 100644 --- a/pdns/auth-main.cc +++ b/pdns/auth-main.cc 
@@ -304,7 +304,7 @@ static void declareArguments() ::arg().set("security-poll-suffix", "Zone name from which to query security update notifications") = "secpoll.powerdns.com."; ::arg().setSwitch("expand-alias", "Expand ALIAS records") = "no"; - ::arg().setSwitch("outgoing-axfr-expand-alias", "Expand ALIAS records during outgoing AXFR") = "no"; + ::arg().set("outgoing-axfr-expand-alias", "Expand ALIAS records during outgoing AXFR") = "no"; ::arg().setSwitch("8bit-dns", "Allow 8bit dns queries") = "no"; #ifdef HAVE_LUA_RECORDS ::arg().setSwitch("enable-lua-records", "Process LUA records for all zones (metadata overrides this)") = "no"; diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc index 12db956bb7..77ae0808f7 100644 --- a/pdns/tcpreceiver.cc +++ b/pdns/tcpreceiver.cc @@ -823,15 +823,24 @@ int TCPNameserver::doAXFR(const DNSName &target, std::unique_ptr& q, } zrr.dr.d_name.makeUsLowerCase(); if(zrr.dr.d_name.isPartOf(target)) { - if (zrr.dr.d_type == QType::ALIAS && ::arg().mustDo("outgoing-axfr-expand-alias")) { + if (zrr.dr.d_type == QType::ALIAS && (::arg().mustDo("outgoing-axfr-expand-alias") || ::arg()["outgoing-axfr-expand-alias"] == "ignore-errors")) { vector ips; int ret1 = stubDoResolve(getRR(zrr.dr)->getContent(), QType::A, ips); int ret2 = stubDoResolve(getRR(zrr.dr)->getContent(), QType::AAAA, ips); - if(ret1 != RCode::NoError || ret2 != RCode::NoError) { - g_log<getZoneRepresentation()<<", aborting AXFR"<setRcode(RCode::ServFail); - sendPacket(outpacket,outsock); - return 0; + if (ret1 != RCode::NoError || ret2 != RCode::NoError) { + if (::arg()["outgoing-axfr-expand-alias"] != "ignore-errors") { + g_log<getZoneRepresentation()<<", aborting AXFR"<setRcode(RCode::ServFail); + sendPacket(outpacket,outsock); + return 0; + } else { + if (ret1 != RCode::NoError) { + g_log<getZoneRepresentation()<<", continuing AXFR"<getZoneRepresentation()<<", continuing AXFR"<
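Review bot: The new `::arg().set(...)` line turns `outgoing-axfr-expand-alias` from a boolean switch into a free-form string, but neither the help text nor anything visible in this hunk constrains the value to the three documented spellings, so a typo such as `ignore-error` is accepted silently and, depending on how `mustDo()` treats a non-boolean string, would presumably land on either the "no expansion" path or the hard-fail path instead of the intended ignore-errors behaviour. At minimum spell out the choices in the description, e.g. `::arg().set("outgoing-axfr-expand-alias", "Expand ALIAS records during outgoing AXFR (no, yes, ignore-errors)") = "no";`. Consider also rejecting any other value at startup so the AXFR code in tcpreceiver.cc only ever sees `no`, `yes` or `ignore-errors`. The enclosing declareArguments() starts and ends outside this hunk.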