From dad0736b5d8749a5d42c60d04728fa7d2eeaacce Mon Sep 17 00:00:00 2001
From: Ralph Covelli
Date: Tue, 25 Apr 2017 03:11:38 +0100
Subject: [PATCH] PowerDNS Forward-Notify Patch: This patch will allow you to redirect inbound notifications to a proxy server. It's intended use is in anycast environments where it might be necessary for a proxy server to preform the AXFR. The configuration option "forward-notify" has been added to the pdns.conf parser. The option accepts multiple IPv4 and IPv6 address values.
---
 docs/markdown/authoritative/settings.md | 9 +++++++++
 pdns/common_startup.cc | 3 ++-
 pdns/communicator.cc | 13 +++++++++++++
 pdns/packethandler.cc | 16 ++++++++++++++--
 pdns/packethandler.hh | 1 +
 5 files changed, 39 insertions(+), 3 deletions(-)
diff --git a/docs/markdown/authoritative/settings.md b/docs/markdown/authoritative/settings.md
index a1bb83ce85..4bfa49097f 100644
--- a/docs/markdown/authoritative/settings.md
+++ b/docs/markdown/authoritative/settings.md
@@ -361,6 +361,15 @@ If this is disabled (the default), ALIAS records will not expanded and the serve
 Forward DNS updates sent to a slave to the master.
+## `forward-notify`
+* IP addresses, separated by commas
+
+IP addresses to send received notifications to regardless of master or slave settings.
+
+Note: The intended use is in anycast environments where it might be necessary for a
+proxy server to preform the AXFR. The usual checks are preformed before any received
+notification is forwarded.
+
 ## `guardian`
 * Boolean
 * Default: no
diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index 4089cee68c..1a44328977 100644
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -159,6 +159,7 @@ void declareArguments()
 ::arg().set("trusted-notification-proxy", "IP address of incoming notification proxy")="";
 ::arg().set("slave-renotify", "If we should send out notifications for slaved updates")="no";
+ ::arg().set("forward-notify", "IP addresses to send received notifications to regardless of master or slave settings")="";
 ::arg().set("default-ttl","Seconds a result is valid if not set otherwise")="3600";
 ::arg().set("max-tcp-connections","Maximum number of TCP connections")="20";
@@ -545,7 +546,7 @@ void mainthread()
 if(::arg().mustDo("webserver") || ::arg().mustDo("api"))
 webserver.go();
- if(::arg().mustDo("slave") || ::arg().mustDo("master"))
+ if(::arg().mustDo("slave") || ::arg().mustDo("master") || !::arg()["forward-notify"].empty())
 Communicator.go();
 if(!::arg()["experimental-lua-policy-script"].empty()){
diff --git a/pdns/communicator.cc b/pdns/communicator.cc
index 48f481dcf5..eff4f2bb74 100644
--- a/pdns/communicator.cc
+++ b/pdns/communicator.cc
@@ -92,6 +92,19 @@ void CommunicatorClass::go()
 exit(1);
 }
 }
+
+ vector forwards;
+ stringtok(forwards, ::arg()["forward-notify"], ", \t");
+ for (vector::const_iterator iter = forwards.begin(); iter != forwards.end(); ++iter) {
+ try {
+ ComboAddress caIp(*iter, 53);
+ PacketHandler::s_forwardNotify.insert(caIp.toStringWithPort());
+ }
+ catch(PDNSException &e) {
+ L< PacketHandler::s_forwardNotify;
+
 extern string s_programname;
 PacketHandler::PacketHandler():B(s_programname), d_dk(&B)
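Review bot: The help text for the new `forward-notify` option in declareArguments() does not say how the value is parsed, while the parsing loop in communicator.cc splits on `", \t"` and constructs each entry as `ComboAddress(*iter, 53)`, i.e. a default port of 53 and, as far as ComboAddress's string constructor allows, an explicit `ip:port` / `[v6]:port` form. Since this string is what `--help` and the settings documentation generator show, I would spell that out: `::arg().set("forward-notify", "Comma-separated IP[:port] addresses (port defaults to 53) to forward received notifications to, regardless of master or slave settings")="";`.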
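Review bot: The `catch(PDNSException &e)` at the end of the new forward-notify loop in CommunicatorClass::go() is truncated in this copy, so it is not visible whether an unparseable entry aborts startup or is only logged and skipped; the block immediately above ends in `exit(1)`, and a bad forward-notify entry should fail the same way, because silently dropping one proxy means zone updates stop reaching that anycast node with nothing but a log line to show for it. `PacketHandler::s_forwardNotify` is also a plain static set written here and read from processNotify() on the packet-handling threads with no synchronization; that is only safe if this loop finishes before those threads are started, which this hunk cannot show, so I would state the contract next to the insert: `// populated once here, before packet threads run; read-only afterwards`. The element type of `vector forwards` appears to have been stripped by the rendering (presumably `vector<string>`), and the function continues beyond this hunk.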
@@ -831,7 +833,7 @@ int PacketHandler::processNotify(DNSPacket *p)
 */
 vector meta;
- if(!::arg().mustDo("slave")) {
+ if(!::arg().mustDo("slave") && s_forwardNotify.empty()) {
 L<qdomain<<" from "<getRemote()<<" but slave support is disabled in the configuration"<d_remote);
+
+ if(!s_forwardNotify.empty()) {
+ set forwardNotify(s_forwardNotify);
+ for(set::const_iterator j=forwardNotify.begin();j!=forwardNotify.end();++j) {
+ L<qdomain<<" from "<getRemote()<<" to "<<*j<qdomain,*j);
+ }
+ }
+
+ if(::arg().mustDo("slave"))
+ Communicator.addSlaveCheckRequest(di, p->d_remote);
 return 0;
 }
diff --git a/pdns/packethandler.hh b/pdns/packethandler.hh
index 77a4c37881..b2dcd3fd04 100644
--- a/pdns/packethandler.hh
+++ b/pdns/packethandler.hh
@@ -66,6 +66,7 @@ public:
 int trySuperMasterSynchronous(DNSPacket *p, const DNSName& tsigkeyname);
 static NetmaskGroup s_allowNotifyFrom;
+ static set s_forwardNotify;
 private:
 int trySuperMaster(DNSPacket *p, const DNSName& tsigkeyname);
-- 2.47.2
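Review bot: `set forwardNotify(s_forwardNotify);` in the forwarding branch of processNotify() copies the whole static set on every accepted NOTIFY; nothing in this patch writes `s_forwardNotify` after `CommunicatorClass::go()`, so the loop can walk the static directly — `for (const auto& target : s_forwardNotify) { ... Communicator.notify(p->qdomain, target); }` — and if the copy was meant as protection against concurrent modification it gives none, since copying a set while it is mutated is as racy as iterating it. Relaxing the early return to `!::arg().mustDo("slave") && s_forwardNotify.empty()` means a `slave=no` server now runs the rest of this function purely to fan NOTIFYs out to the proxies; the allow-notify-from, domain-lookup and master checks that should sit between this guard and the forwarding loop are not in the visible hunk (the copy is garbled there), so it is worth confirming none of them is bypassed on that path, otherwise any host could make this server emit NOTIFYs to every configured proxy. The forwarded NOTIFY is sent from this server's own address, so a PowerDNS proxy sees this node rather than the original master as the notifier and has to admit it through its own `allow-notify-from` or `trusted-notification-proxy`; a sentence to that effect belongs in the `forward-notify` documentation. processNotify() starts before this hunk, and the removed `Communicator.addSlaveCheckRequest(di, p->d_remote);` line has lost its `-` marker in this rendering.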
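Review bot: The new `static set s_forwardNotify;` in packethandler.hh is a public, mutable static shared between a writer in communicator.cc and a reader in packethandler.cc, with nothing saying who owns it or when it may be read; following the neighbouring `s_allowNotifyFrom` is fine, but the contract should be written down so nobody later mutates it from a packet thread: `static set<string> s_forwardNotify; // "ip:port" targets from forward-notify; filled by CommunicatorClass::go() at startup, read by processNotify()`. The element type is missing in this rendering (presumably `set<string>`, matching the `toStringWithPort()` values inserted in communicator.cc).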