[Pdns-users] Notify being ignored

David Jones djones at ena.com
Thu May 4 10:59:10 UTC 2017


From: Pdns-users <pdns-users-bounces at mailman.powerdns.com> on behalf of Fabian A. Santiago <fsantiago at garbage-juice.com>
    
>On May 4, 2017 6:15:35 AM EDT, Remi Gacogne <remi.gacogne at powerdns.com> wrote:
>>On 05/04/2017 12:09 PM, Fabian A. Santiago wrote:
>>>> 'allow-notify-from' defaults to '0.0.0.0/0,::/0', which allows 
>>>> everything. Of course additional checks are performed afterwards,
>>>> like checking if the configuration requires a valid TSIG signature,
>>>> whether we are authoritative for the domain, that we are not master
>>>> for it and that the notification comes from a known master or a
>>>> super-master.
>>>> 
>>>> Regards,
>>> 
>>> But aren't they saying that they have their slaves listed as
>>> supermasters but are still being ignored?
>>
>>The 'allow-notify-from' check is performed first, and the other checks
>>are only performed if the source address of the NOTIFY message is
>>allowed. So if 'allow-notify-from' doesn't allow your slaves in the
>>first place, it won't work.

Thank you for explaining this.  So it's safe to leave it at the default
since other secondary checks are done?  Seems odd for me to
remove my list of IPs from the allow-notify-from to make this work.

Should the logic be for allowed NOTIFYs to be a combination of
allow-notify-from, supermasters, and masters to provide a total
list of allowed masters?  The current logic doesn't make sense if there
are secondary checks still happening when the allow-notify-from is
left at the default.  Why not combine the lists at startup and refresh
from the backend periodically?

Dave
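To make the ordering Remi describes concrete, here is a small Python model of the NOTIFY acceptance path (an added illustration, not PowerDNS code): the 'allow-notify-from' ACL is consulted first, and only a source that passes it reaches the master/supermaster checks. The zone, address, and supermaster values are constructed sample data; the TSIG check mentioned in the quoted reply is left out of the model.

```python
"""Model of PowerDNS NOTIFY acceptance order (illustration only, not pdns code).

Order, as described in the thread:
  1. source address must match 'allow-notify-from' (default 0.0.0.0/0,::/0)
  2. we must be authoritative for the zone, or the sender must be a supermaster
  3. we must not be master for the zone
  4. the sender must be one of the zone's configured masters
"""
import ipaddress
from dataclasses import dataclass, field

DEFAULT_ALLOW_NOTIFY_FROM = ["0.0.0.0/0", "::/0"]  # the documented default


@dataclass
class Zone:
    name: str
    kind: str                       # "MASTER" or "SLAVE"
    masters: list = field(default_factory=list)


@dataclass
class Server:
    allow_notify_from: list
    supermasters: set
    zones: dict                     # zone name -> Zone


def source_in_acl(src_ip: str, acl) -> bool:
    """True if src_ip falls inside any network listed in the ACL."""
    src = ipaddress.ip_address(src_ip)
    # Mixed-family comparisons return False rather than raising.
    return any(src in ipaddress.ip_network(net, strict=False) for net in acl)


def notify_allowed(server: Server, src_ip: str, zone_name: str):
    """Return (accepted, reason). ACL is evaluated before anything else."""
    if not source_in_acl(src_ip, server.allow_notify_from):
        return False, "rejected by allow-notify-from"
    zone = server.zones.get(zone_name)
    if zone is None:
        # Unknown zone: only a supermaster may provision it.
        if src_ip in server.supermasters:
            return True, "accepted: supermaster provisioning new zone"
        return False, "rejected: not authoritative for zone"
    if zone.kind == "MASTER":
        return False, "rejected: we are master for this zone"
    if src_ip in zone.masters:
        return True, "accepted: known master"
    return False, "rejected: sender is not a configured master"


def make_server(acl) -> Server:
    """Constructed sample: one slave zone whose master is also a supermaster."""
    return Server(
        allow_notify_from=list(acl),
        supermasters={"198.51.100.10"},
        zones={
            "example.org": Zone("example.org", "SLAVE", ["198.51.100.10"]),
            "local.test": Zone("local.test", "MASTER"),
        },
    )


def demo() -> dict:
    """Same NOTIFY, two ACLs: restrictive list that omits the master vs default."""
    restrictive = make_server(["192.0.2.0/24"])   # master's IP not listed
    default = make_server(DEFAULT_ALLOW_NOTIFY_FROM)
    return {
        "restrictive_known_master": notify_allowed(restrictive, "198.51.100.10", "example.org"),
        "default_known_master": notify_allowed(default, "198.51.100.10", "example.org"),
        "default_supermaster_new_zone": notify_allowed(default, "198.51.100.10", "new.example"),
        "default_unknown_sender": notify_allowed(default, "203.0.113.7", "example.org"),
        "default_master_zone": notify_allowed(default, "198.51.100.10", "local.test"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:32} {result}")
```

The first two cases are the situation in the thread: the same NOTIFY from a configured master is dropped at step 1 when 'allow-notify-from' is narrowed to a list that does not contain that master, and accepted when the ACL is left at its default and the later checks run. Whatever you put in 'allow-notify-from', it has to cover every master and supermaster address, or those entries never get evaluated.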

