If the Lua DNS Update policy is enabled but fails to load, reject updates.

Previously, we would behave as if no such policy had been configured.

Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>

diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 76694830de1c7e219708f969799a08b4f82445f9..b126fea43c3ded9a40bffce52c7e0807a6332ed1 100644 (file)
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -86,10 +86,12 @@ PacketHandler::PacketHandler():B(g_programname), d_dk(&B)
   fname = ::arg()["lua-dnsupdate-policy-script"];
   if (fname.empty())
   {
+    d_update_policy_is_lua = false;
     d_update_policy_lua = nullptr;
   }
   else
   {
+    d_update_policy_is_lua = true;
     try {
       d_update_policy_lua = std::make_unique<AuthLua4>();
       d_update_policy_lua->loadFile(fname);

diff --git a/pdns/packethandler.hh b/pdns/packethandler.hh
index 4ba29d115513c7aad401ddfa80b70448fb0e674d..283edf8e406f268986611462e08129ee763a07ca 100644 (file)
--- a/pdns/packethandler.hh
+++ b/pdns/packethandler.hh
@@ -138,6 +138,7 @@ private:
   bool d_doExpandALIAS;
   bool d_doResolveAcrossZones;
   bool d_dnssec{false};
+  bool d_update_policy_is_lua{false};
   SOAData d_sd;
   std::unique_ptr<AuthLua4> d_pdl;
   std::unique_ptr<AuthLua4> d_update_policy_lua;

diff --git a/pdns/rfc2136handler.cc b/pdns/rfc2136handler.cc
index 2a89473edab7ce64df90a5dc14351df914fa4be1..cbab935cb48799a0f8a96a307dd48237044614db 100644 (file)
--- a/pdns/rfc2136handler.cc
+++ b/pdns/rfc2136handler.cc
@@ -985,7 +985,13 @@ int PacketHandler::processUpdate(DNSPacket& packet)
   g_log << Logger::Info << ctx.msgPrefix << "Processing started." << endl;
 
   // if there is policy, we delegate all checks to it
-  if (this->d_update_policy_lua == nullptr) {
+  if (d_update_policy_is_lua) {
+    if (d_update_policy_lua == nullptr) {
+      // The policy failed to load earlier.
+      return RCode::Refused;
+    }
+  }
+  else {
     if (!isUpdateAllowed(B, ctx, packet)) {
       return RCode::Refused;
     }