[Pdns-users] [Patch] Using ACL for per-zone AXFR
Florent Lerat
flow at k-ribou.com
Tue Oct 12 10:04:18 UTC 2010
Hi everybody,
This is an updated version of an old patch posted by Derrik Pates, itself based on an older one (details here: http://mailman.powerdns.com/pipermail/pdns-users/2006-March/003115.html ). I use it on pdns 2.9.22-x-3.
With this patch, you can allow per-zone AXFR. In order to do this, you must create a new table in your database :
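-- Per-zone AXFR allow-list consulted by the patched canDoAXFR() through the
-- backend's check-acl-query (default: select value from acls where acl_type='%s' and acl_key='%s').
CREATE TABLE acls (
  -- Only 'allow-axfr' is used by the patch; kept as an enum so further ACL kinds can be added later.
  acl_type enum('allow-axfr') NOT NULL default 'allow-axfr',
  -- Zone name as PowerDNS passes qdomain; matched with '=' (no wildcards). DNS names may be up to
  -- 255 characters, so varchar(64) would silently truncate (or reject, in strict mode) longer zones.
  acl_key varchar(255) NOT NULL default '',
  -- Client address text; checkACL() compares it byte-for-byte with the remote address, one row per address.
  value varchar(64) NOT NULL default '',
  -- The query filters on (acl_type, acl_key) only; the value match is done in C++.
  KEY type_key_index (acl_type,acl_key)
) ENGINE=InnoDB;  -- TYPE=InnoDB is the pre-5.5 spelling and is rejected by current MySQL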
acl_key contains the domain name
value contains the IPv4 address to allow (one row per zone and address; the address is compared as an exact string with the client's remote address, so there is no netmask or range support)
The patch can be found here : http://pastebin.com/rGeQaHEG
Or below this e-mail.
Florent
-------------------------------------------------------------------------------------------------------------------------------------------------------
diff -ru pdns-2.9.22.x/modules/gmysqlbackend/gmysqlbackend.cc pdns-2.9.22.x-3-acls-patched/modules/gmysqlbackend/gmysqlbackend.cc
--- pdns-2.9.22.x/modules/gmysqlbackend/gmysqlbackend.cc 2010-07-03 15:51:55.000000000 +0200
+++ pdns-2.9.22.x-3-acls-patched/modules/gmysqlbackend/gmysqlbackend.cc 2010-10-08 15:27:15.177611077 +0200
@@ -74,6 +74,7 @@
declare(suffix,"update-lastcheck-query","", "update domains set last_check=%d where id=%d");
declare(suffix,"info-all-master-query","", "select id,name,master,last_check,notified_serial,type from domains where type='MASTER'");
declare(suffix,"delete-zone-query","", "delete from records where domain_id=%d");
+ declare(suffix,"check-acl-query","", "select value from acls where acl_type='%s' and acl_key='%s'");
}
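Review bot: The new `check-acl-query` is declared with an empty help string, and unlike the neighbouring queries it is not documented anywhere else, so an operator overriding it has no statement of its contract (two `%s` placeholders in the order acl_type, zone name; must return the allowed value as the first column). Suggest `declare(suffix,"check-acl-query","Per-zone ACL lookup: %s=acl_type, %s=zone name; must return the permitted value column","select value from acls where acl_type='%s' and acl_key='%s'");` if, as it appears, the third argument of declare() is the help text. The same applies to the identical declarations in the gpgsql and gsqlite hunks.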
diff -ru pdns-2.9.22.x/modules/gpgsqlbackend/gpgsqlbackend.cc pdns-2.9.22.x-3-acls-patched/modules/gpgsqlbackend/gpgsqlbackend.cc
--- pdns-2.9.22.x/modules/gpgsqlbackend/gpgsqlbackend.cc 2010-07-03 15:51:55.000000000 +0200
+++ pdns-2.9.22.x-3-acls-patched/modules/gpgsqlbackend/gpgsqlbackend.cc 2010-10-08 15:27:43.889609460 +0200
@@ -74,7 +74,7 @@
declare(suffix,"update-lastcheck-query","", "update domains set last_check=%d where id=%d");
declare(suffix,"info-all-master-query","", "select id,name,master,last_check,notified_serial,type from domains where type='MASTER'");
declare(suffix,"delete-zone-query","", "delete from records where domain_id=%d");
-
+ declare(suffix,"check-acl-query","", "select value from acls where acl_type='%s' and acl_key='%s'");
}
diff -ru pdns-2.9.22.x/modules/gsqlitebackend/gsqlitebackend.cc pdns-2.9.22.x-3-acls-patched/modules/gsqlitebackend/gsqlitebackend.cc
--- pdns-2.9.22.x/modules/gsqlitebackend/gsqlitebackend.cc 2010-07-03 15:51:55.000000000 +0200
+++ pdns-2.9.22.x-3-acls-patched/modules/gsqlitebackend/gsqlitebackend.cc 2010-10-08 15:28:09.506611340 +0200
@@ -75,6 +75,7 @@
declare( suffix, "update-lastcheck-query", "", "update domains set last_check=%d where id=%d");
declare( suffix, "info-all-master-query", "", "select id,name,master,last_check,notified_serial,type from domains where type='MASTER'");
declare( suffix, "delete-zone-query", "", "delete from records where domain_id=%d");
+ declare( suffix, "check-acl-query", "", "select value from acls where acl_type='%s' and acl_key='%s'");
}
//! Constructs a new gSQLiteBackend object.
diff -ru pdns-2.9.22.x/pdns/backends/gsql/gsqlbackend.cc pdns-2.9.22.x-3-acls-patched/pdns/backends/gsql/gsqlbackend.cc
--- pdns-2.9.22.x/pdns/backends/gsql/gsqlbackend.cc 2010-07-03 21:11:02.000000000 +0200
+++ pdns-2.9.22.x-3-acls-patched/pdns/backends/gsql/gsqlbackend.cc 2010-10-08 15:30:08.714608738 +0200
@@ -252,6 +252,8 @@
d_UpdateLastCheckofZoneQuery=getArg("update-lastcheck-query");
d_InfoOfAllMasterDomainsQuery=getArg("info-all-master-query");
d_DeleteZoneQuery=getArg("delete-zone-query");
+ // Ajout ACL-acl VDU
+ d_CheckACLQuery=getArg("check-acl-query");
}
@@ -357,6 +359,29 @@
return false;
}
+// Ajout ACL-acl VDU
+bool GSQLBackend::checkACL(const string &acl_type, const string &key, const string &value)
+{
+
+ string format;
+ char output[1024];
+ format = d_CheckACLQuery;
+ snprintf(output, sizeof(output)-1, format.c_str(), sqlEscape(acl_type).c_str(), sqlEscape(key).c_str());
+ try {
+ d_db->doQuery(output, d_result);
+ }
+ catch(SSqlException &e) {
+ throw AhuException("Database error trying to check ACL:"+acl_type+" with error: "+e.txtReason());
+ }
+ if(!d_result.empty()) {
+ for (int i = 0; i < d_result.size(); i++) {
+ if (d_result[i][0] == value)
+ return true;
+ }
+ }
+ return false; // default to false
+}
+
bool GSQLBackend::createSlaveDomain(const string &ip, const string &domain, const string &account)
{
string format;
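Review bot: `checkACL` ignores snprintf's return value, so a key or type long enough to overflow the 1024-byte `output` buffer produces a silently truncated query; with the default query the trailing `'%s'` loses its closing quote and the database should reject it (surfacing as the AhuException), but an operator-supplied query of a different shape need not fail that way, so check the length explicitly: `int n = snprintf(output, sizeof(output), format.c_str(), sqlEscape(acl_type).c_str(), sqlEscape(key).c_str()); if (n < 0 || n >= (int)sizeof(output)) throw AhuException("ACL query too long for key: "+key);`. The loop `for (int i = 0; i < d_result.size(); i++)` compares signed with unsigned; `size_t i` avoids the warning, and the `!d_result.empty()` guard is redundant with the loop bound. Note for callers that the match is an exact byte comparison of the `value` column with the supplied string, so rows must hold the address exactly as the caller renders it; the French marker comment `// Ajout ACL-acl VDU` would be more useful as an English one stating that.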
diff -ru pdns-2.9.22.x/pdns/backends/gsql/gsqlbackend.hh pdns-2.9.22.x-3-acls-patched/pdns/backends/gsql/gsqlbackend.hh
--- pdns-2.9.22.x/pdns/backends/gsql/gsqlbackend.hh 2010-07-03 15:51:55.000000000 +0200
+++ pdns-2.9.22.x-3-acls-patched/pdns/backends/gsql/gsqlbackend.hh 2010-10-08 15:31:08.621608499 +0200
@@ -38,6 +38,8 @@
void getUpdatedMasters(vector<DomainInfo> *updatedDomains);
bool getDomainInfo(const string &domain, DomainInfo &di);
void setNotified(uint32_t domain_id, uint32_t serial);
+ // Ajout ACL-acl VDU
+ bool checkACL(const string &acl_type, const string &key, const string &value);
private:
string d_qname;
QType d_qtype;
@@ -65,6 +67,8 @@
string d_UpdateSerialOfZoneQuery;
string d_UpdateLastCheckofZoneQuery;
string d_InfoOfAllMasterDomainsQuery;
- string d_DeleteZoneQuery;
+ string d_DeleteZoneQuery;
+ // Ajout ACL-acl VDU
+ string d_CheckACLQuery;
};
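Review bot: The `string d_DeleteZoneQuery;` line is removed and re-added with only whitespace changed, which adds noise to the patch and should be dropped from it. The marker comment `// Ajout ACL-acl VDU` (also on the declaration in the previous hunk) says nothing about the member; `// Query template behind checkACL(); config key check-acl-query` would tell the next reader what it holds.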
diff -ru pdns-2.9.22.x/pdns/dnsbackend.hh pdns-2.9.22.x-3-acls-patched/pdns/dnsbackend.hh
--- pdns-2.9.22.x/pdns/dnsbackend.hh 2010-07-03 15:51:55.000000000 +0200
+++ pdns-2.9.22.x-3-acls-patched/pdns/dnsbackend.hh 2010-10-08 15:32:09.406607497 +0200
@@ -165,6 +165,12 @@
{
return false;
}
+
+ // Ajout ACL-acl VDU
+ virtual bool checkACL(const string &acl_type, const string &key, const string &value)
+ {
+ return false;
+ }
protected:
bool mustDo(const string &key);
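Review bot: The new virtual `checkACL` is the extension point every backend inherits, yet it carries no documentation of its contract; the default returning false means a backend without ACL support grants nothing beyond the global `allow-axfr-ips` check that the caller performs first. Suggest replacing the French `// Ajout ACL-acl VDU` marker with `//! Per-zone ACL hook: return true only if the backend holds an explicit entry of type acl_type for key (zone name) permitting value (client address text). Default: no ACL support, deny.` so backend authors know the hook must fail closed.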
diff -ru pdns-2.9.22.x/pdns/tcpreceiver.cc pdns-2.9.22.x-3-acls-patched/pdns/tcpreceiver.cc
--- pdns-2.9.22.x/pdns/tcpreceiver.cc 2010-07-03 21:11:02.000000000 +0200
+++ pdns-2.9.22.x-3-acls-patched/pdns/tcpreceiver.cc 2010-10-08 15:33:22.402609216 +0200
@@ -351,6 +351,16 @@
if( ::arg()["allow-axfr-ips"].empty() || d_ng.match( (ComboAddress *) &q->remote ) )
return true;
+
+ SOAData sd;
+ sd.db=(DNSBackend *)-1;
+ Lock l(&s_plock);
+ if(s_P->getBackend()->getSOA(q->qdomain,sd)) {
+ DNSBackend *B=sd.db;
+ if (B->checkACL(string("allow-axfr"), q->qdomain, q->getRemote())) {
+ return true;
+ }
+ }
extern CommunicatorClass Communicator;