[Pdns-users] [Pdns-dev] notifies

Maik Zumstrull maik at zumstrull.net
Wed Jun 1 13:39:33 UTC 2011


[Crossposting to the ML in the hope this is interesting to others]

On Wed, Jun 1, 2011 at 15:23, Posner, Sebastian <s.posner at telekom.de> wrote:
> Maik Zumstrull wrote:
>
>> > I see that, at least with the rc, notifies are sent to every address
>> > listed in allow-axfr-ips.
>> >
>> > It would help if there were separate lists for addresses which should
>> > get notifies and addresses which should be able to axfr but should not
>> > be notified.
>>
>> This is possible with the ALSO-NOTIFY metadata and the
>> check-acl-query, which are inexcusably underdocumented.
>
> Some more hints on this would be great ;)

After compiling the list of IP addresses that should be notified the
usual way (known nameservers for the domain, known AXFR everything
hosts), pdns checks the domainmetadata table for entries for that zone
with kind = 'ALSO-NOTIFY'. Each entry is assumed to be an IP address
to notify in addition to the usual targets.

When someone requests AXFR, in addition to the global allow/deny
settings, the check-acl-query (default: "select value from acls where
acl_type='%s' and acl_key='%s'") is executed. acl_type is set to
"allow-axfr" and acl_key is the name of the zone that has been
requested. If the requesting IP address matches one of the selected
values, AXFR is permitted.

This is specific to the gsql-derived backends. For other backends,
check if and how they implement the alsoNotifies and checkACL calls.
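
The two lookups described in the message above, as an added example that is not part of the original post and not PowerDNS code: it models them against an in-memory SQLite database so the separation between "gets notified" and "may AXFR" can be checked. The `domains`/`domainmetadata` column layout, the sample rows, the function names, and the assumption that an ACL value is a single address or a CIDR network are all assumptions of this example; only the per-zone lookup is modelled, not the global allow/deny settings.

```python
import ipaddress
import sqlite3

# Constructed sample data; the table layouts are a minimal assumed subset
# of a gsql-style schema, not copied from a real installation.
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE domainmetadata (domain_id INTEGER, kind TEXT, content TEXT);
CREATE TABLE acls (acl_type TEXT, acl_key TEXT, value TEXT);
INSERT INTO domains VALUES (1, 'example.org');
-- notified, but given no AXFR rights by this zone's ACL
INSERT INTO domainmetadata VALUES (1, 'ALSO-NOTIFY', '192.0.2.10');
-- may AXFR example.org, but is not an extra NOTIFY target
INSERT INTO acls VALUES ('allow-axfr', 'example.org', '198.51.100.0/28');
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def also_notify(db, zone):
    """Extra NOTIFY targets for a zone, in addition to the usual ones."""
    rows = db.execute(
        "SELECT m.content FROM domainmetadata m "
        "JOIN domains d ON d.id = m.domain_id "
        "WHERE d.name = ? AND m.kind = 'ALSO-NOTIFY'", (zone,))
    return sorted(r[0] for r in rows)

def axfr_allowed_by_acl(db, zone, client_ip):
    """Per-zone check shaped like the default check-acl-query.

    Bound parameters stand in for the two '%s' slots: acl_type is
    'allow-axfr' and acl_key is the requested zone name.
    """
    rows = db.execute(
        "SELECT value FROM acls WHERE acl_type = ? AND acl_key = ?",
        ("allow-axfr", zone))
    addr = ipaddress.ip_address(client_ip)
    # Assumption: each value is a single address or a CIDR network.
    return any(addr in ipaddress.ip_network(r[0], strict=False) for r in rows)

if __name__ == "__main__":
    db = open_db()
    print("also-notify:", also_notify(db, "example.org"))
    for ip in ("198.51.100.5", "192.0.2.10"):
        print(ip, "AXFR by zone ACL:", axfr_allowed_by_acl(db, "example.org", ip))
```

Auditing a real deployment the same way (listing ALSO-NOTIFY rows and `allow-axfr` rows per zone side by side) shows which hosts can pull a full zone copy without ever appearing as a notify target.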


