[Pdns-users] Postfix as master+slave. How to prevent supermasters from being able to create subzones for NATIVE domains?

frank+pdns at tembo.be
Thu May 23 08:08:43 UTC 2019


Hi Sander,

Do you want this for a fixed set of “domain.com” domains or for “any domain that is configured in pdns as a native domain”?

If the first, have a look at the LUA-AXFR-SCRIPT functionality. You define a (lua) script that gets executed after the AXFR has been done, but before the domain is committed to the backend. You could block the commit by returning an error. See my blog post https://www.frank.be/when-your-notify-wont-work/ where I used the LUA-AXFR-SCRIPT functionality for a different use case.

However, this won’t prevent the domain from being written to the domains table in the backend, so you’d have to lab what happens in your version of pdns if you get the desired behaviour. Also note that you need to define the script on a per-domain level. So you’d need another mechanism to update the backend for each newly discovered domain. (Database trigger might help).

Another option would be to intercept the NOTIFYs with a script, check if the zone you receive the notify for matches the sub.domain.com regexp, query the pdns master for a SOA for domain.com, then either drop the notify, or pass it to your pdns instance.

Kind Regards,

Frank Louwers
PowerDNS Certified Consultant @ Kiwazo.be

> On 23 May 2019, at 07:54, sandermoors at telenet.be wrote:
> 
> Hi,
> 
> We have a DirectAdmin server which internally is using a BIND nameserver. We also have a PowerDNS server which is acting as a master for domains configured as NATIVE and it's also acting as a slave for the domains added in DirectAdmin.
> This is done by configuring the IP address of the DirectAdmin server in the supermasters table. All working as expected.
> 
> Now, we noticed that if we configure "domain.com" as a NATIVE domain in PowerDNS it is still possible to configure "sub.domain.com" in DirectAdmin and powerdns will accept the subzone from the supermaster.
> This way users on our DirectAdmin server can break configurations for domains configured as NATIVE.
> 
> We need a way for PowerDNS to reject all *.domain.com subzones from any supermaster if the main domain is configured as NATIVE.
> 
> Is there a way to do this?
> 
> Thanks
> 
> Sander
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
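The database trigger Frank mentions as a fallback, worked out as an added example for the gmysql backend (this is not code from the thread or from PowerDNS itself). It assumes the stock `domains` table with `name` and `type` columns, that zones created from a supermaster NOTIFY are inserted with type SLAVE, and that pdns refuses the zone when that INSERT fails; the two INSERTs at the end are a constructed check.

```sql
-- Assumed: PowerDNS gmysql backend with the stock `domains` table
-- (columns `name`, `type`, `master`; type is NATIVE, MASTER or SLAVE).
DELIMITER $$

CREATE TRIGGER domains_no_slave_under_native
BEFORE INSERT ON domains
FOR EACH ROW
BEGIN
  -- Only zones pdns creates for a supermaster arrive as SLAVE; NATIVE
  -- and MASTER zones added by the admin are not affected.
  IF NEW.type = 'SLAVE' AND EXISTS (
      SELECT 1
        FROM domains d
       WHERE d.type = 'NATIVE'
         -- true when NEW.name ends in ".<native zone name>"; a plain
         -- string compare instead of LIKE, so '_' or '%' in a zone
         -- name are not treated as wildcards
         AND LOWER(RIGHT(NEW.name, CHAR_LENGTH(d.name) + 1))
             = CONCAT('.', LOWER(d.name))
  ) THEN
    -- Abort the INSERT; pdns sees a backend error and the supermaster
    -- zone is not created (assumed behaviour, verify on your version).
    SIGNAL SQLSTATE '45000'
      SET MESSAGE_TEXT = 'refusing SLAVE zone below a NATIVE zone';
  END IF;
END$$

DELIMITER ;

-- Constructed check: the first INSERT succeeds, the second one is
-- rejected by the trigger because example.com is NATIVE.
INSERT INTO domains (name, type) VALUES ('example.com', 'NATIVE');
INSERT INTO domains (name, type, master)
  VALUES ('sub.example.com', 'SLAVE', '192.0.2.10');
```

The trigger only guards new rows: a SLAVE subzone that already exists when the parent is later added as NATIVE is not touched, and a NATIVE zone whose name is stored in a different case or with a trailing dot would need the comparison adjusted accordingly.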
