[Pdns-users] DNS Update with Lua policy script

Dominik Menke dom at digineo.de
Wed Aug 14 10:25:50 UTC 2019


Hello list,

I'm trying to implement a DNS update policy script in PDNS Auth 4.1.1-1 
(Ubuntu 18.04 LTS).

	# Enable DNS update, allow updates from everywhere, but restrict
	# changes via policy script
	dnsupdate=yes
	allow-dnsupdate-from=0.0.0.0/0,::/0
	lua-dnsupdate-policy-script=/etc/powerdns/dnsupdate-policy.lua

A problem (?) arises when accessing the TSIG key name:

	function updatepolicy(input)
	  print(input:getTsigName())
	  return false
	end

using nsupdate without a key:

	$ nsupdate <<EOF
	server 127.0.0.53 53
	zone example.com
	update add example.com 300 A 127.0.0.1
	EOF
	update failed: SERVFAIL

which will throw an exception:

	UPDATE (37896) from 127.0.0.1 for example.com: Caught std:exception: Exception thrown by a callback function called by Lua; Sending ServFail!

I expected getTsigName() to return either nil or an empty string, and 
nsupdate to report REFUSED, not SERVFAIL.

Guarding the method call with pcall results in the same behaviour:

	function getTsigKeyName(input)
	  -- return the key name so pcall hands it back as its second result
	  return input:getTsigName()
	end

	function updatepolicy(input)
	  local ok, val = pcall(getTsigKeyName, input)
	  print(ok, val)
	  return false
	end

Looking at the code [1], I'm not sure why accessing an already defined 
[2] class member throws an exception (but I'm no C++ developer)...

Is this normal? How do I get a REFUSED when the TSIG key is missing?

Thanks,
Dominik


[1]: https://github.com/PowerDNS/pdns/blob/rec-4.1.1/pdns/lua-auth4.cc#L215
[2]: https://github.com/PowerDNS/pdns/blob/rec-4.1.1/pdns/lua-auth4.cc#L277

