From: Miod Vallat
Date: Mon, 9 Feb 2026 09:41:40 +0000 (+0100)
Subject: If the Lua DNS Update policy is enabled but fails to load, reject updates.
X-Git-Tag: auth-5.1.0-alpha1~32^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=27989242cf4e1d94de6d7b8e517516756713efd2;p=thirdparty%2Fpdns.git

If the Lua DNS Update policy is enabled but fails to load, reject updates.

Previously, we would behave as if no such policy had been configured.

Signed-off-by: Miod Vallat
---
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 76694830de..b126fea43c 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -86,10 +86,12 @@ PacketHandler::PacketHandler():B(g_programname), d_dk(&B)
   fname = ::arg()["lua-dnsupdate-policy-script"];
   if (fname.empty()) {
+    d_update_policy_is_lua = false;
     d_update_policy_lua = nullptr;
   }
   else {
+    d_update_policy_is_lua = true;
     try {
       d_update_policy_lua = std::make_unique();
       d_update_policy_lua->loadFile(fname);
diff --git a/pdns/packethandler.hh b/pdns/packethandler.hh
index 4ba29d1155..283edf8e40 100644
--- a/pdns/packethandler.hh
+++ b/pdns/packethandler.hh
@@ -138,6 +138,7 @@ private:
   bool d_doExpandALIAS;
   bool d_doResolveAcrossZones;
   bool d_dnssec{false};
+  bool d_update_policy_is_lua{false};
   SOAData d_sd;
   std::unique_ptr d_pdl;
   std::unique_ptr d_update_policy_lua;
diff --git a/pdns/rfc2136handler.cc b/pdns/rfc2136handler.cc
index 2a89473eda..cbab935cb4 100644
--- a/pdns/rfc2136handler.cc
+++ b/pdns/rfc2136handler.cc
@@ -985,7 +985,13 @@ int PacketHandler::processUpdate(DNSPacket& packet)
   g_log << Logger::Info << ctx.msgPrefix << "Processing started." << endl;
   // if there is policy, we delegate all checks to it
-  if (this->d_update_policy_lua == nullptr) {
+  if (d_update_policy_is_lua) {
+    if (d_update_policy_lua == nullptr) {
+      // The policy failed to load earlier.
+      return RCode::Refused;
+    }
+  }
+  else {
     if (!isUpdateAllowed(B, ctx, packet)) {
       return RCode::Refused;
     }
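Review bot: Setting `d_update_policy_is_lua = true` before the `try` makes the new refusal in processUpdate depend on `d_update_policy_lua` being null whenever loading fails, but the hunk assigns the member from `std::make_unique` before calling `loadFile`, so if `loadFile` throws the pointer is already non-null and, unless the `catch` resets it, a partially loaded policy would presumably be consulted instead of updates being refused. Building the policy into a local and publishing it only after `loadFile` succeeds closes that window: `auto policy = std::make_unique<decltype(d_update_policy_lua)::element_type>(); policy->loadFile(fname); d_update_policy_lua = std::move(policy);` (the template argument of the existing `make_unique` call is not visible on this page, so the real type name should be used). The constructor body, including the `catch` handler, continues outside the hunk.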
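Review bot: The new member is undocumented although it changes what a null `d_update_policy_lua` means: it is now either "no script configured" or "script configured but failed to load", and only this flag tells the two apart. A comment on the member would make that invariant explicit, e.g. `// set when lua-dnsupdate-policy-script is configured; if set while d_update_policy_lua is null, the script failed to load and updates must be refused`. The class body continues outside the hunk.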
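Review bot: The new `return RCode::Refused` for a policy that failed to load is silent, whereas the line just above logs `Processing started.` through `g_log` with `ctx.msgPrefix`, so an operator seeing every update refused after a configuration change gets no log line pointing at the script. Adding `g_log << Logger::Error << ctx.msgPrefix << "Lua update policy script failed to load, refusing update" << endl;` before the return keeps the fail-closed behaviour and makes it diagnosable. A one-time warning in the constructor's `catch` in packethandler.cc, which is outside that hunk, would serve the same purpose at startup. processUpdate continues outside the hunk.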