[Pdns-users] Postfix as master+slave. How to prevent supermasters from being able to create subzones for NATIVE domains?

sandermoors at telenet.be sandermoors at telenet.be
Thu May 23 08:20:31 UTC 2019

Hi Frank, 

Intercepting the NOTIFYs with a script sounds like a good idea, but can this be done with PowerDNS? 
Or do you mean writing a custom script that acts as a NOTIFY proxy/filter? 


From: "pdns-users" <pdns-users at mailman.powerdns.com> 
To: "pdns-users" <pdns-users at mailman.powerdns.com> 
Sent: Thursday, May 23, 2019 10:08:43 AM 
Subject: Re: [Pdns-users] Postfix as master+slave. How to prevent supermasters from being able to create subzones for NATIVE domains? 

Hi Sander, 

Do you want this for a fixed set of "domain.com" domains or for "any domain that is configured in pdns as a native domain"? 

If the first, have a look at the LUA-AXFR-SCRIPT functionality. You define a (lua) script that gets executed after the AXFR has been done, but before the domain is committed to the backend. You could block the commit by returning an error. See my blog post https://www.frank.be/when-your-notify-wont-work/ where I used the LUA-AXFR-SCRIPT functionality for a different use case. 

However, this won’t prevent the domain from being written to the domains table in the backend, so you’d have to lab what happens in your version of pdns if you get the desired behaviour. Also note that you need to define the script on a per-domain level. So you’d need another mechanism to update the backend for each newly discovered domain. (Database trigger might help). 

Another option would be to intercept the NOTIFYs with a script, check if the zone you receive the notify for matches the sub.domain.com regexp, query the pdns master for a SOA for domain.com, then either drop the notify, or pass it to your pdns instance. 

Kind Regards, 

Frank Louwers 
PowerDNS Certified Consultant @ Kiwazo.be (http://kiwazo.be/) 

On 23 May 2019, at 07:54, sandermoors at telenet.be wrote: 


We have a DirectAdmin server which internally is using a BIND nameserver. We also have a PowerDNS server which is acting as a master for domains configured as NATIVE and it's also acting as a slave for the domains added in DirectAdmin. 
This is done by configuring the IP address of the DirectAdmin server in the supermasters table. All working as expected. 

Now, we noticed that if we configure "domain.com" as a NATIVE domain in PowerDNS it is still possible to configure "sub.domain.com" in DirectAdmin and powerdns will accept the subzone from the supermaster. 
This way users on our DirectAdmin server can break configurations for domains configured as NATIVE. 

We need a way for PowerDNS to reject all *.domain.com subzones from any supermaster if the main domain is configured as NATIVE. 

Is there a way to do this? 


Pdns-users mailing list 
Pdns-users at mailman.powerdns.com 
https://mailman.powerdns.com/mailman/listinfo/pdns-users 
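The NOTIFY proxy/filter Frank describes (and Sander asks about) is not something PowerDNS does for you; it is a small UDP relay placed in front of the slave. The block below is an added example written for this thread, not code from the list or from the PowerDNS project. It parses an incoming DNS NOTIFY (opcode 4, one SOA/IN question), walks up the zone's parents and drops the packet when any parent is a NATIVE zone, otherwise relays it to the slave and relays the reply back. It goes slightly beyond the thread in that it checks every ancestor (deep.sub.domain.com is caught by domain.com), not only one regexp. Assumptions: the SOA lookup against the pdns master is replaced by the constructed in-memory set `NATIVE_ZONES`; the listen address `0.0.0.0:5353` and upstream `127.0.0.1:53` in `run_proxy` are placeholders; `build_notify` exists only to construct test input.

```python
import socket
import struct

OPCODE_NOTIFY = 4
QTYPE_SOA = 6
QCLASS_IN = 1

# Assumed: zones configured as NATIVE on the master. In a real deployment this
# would be answered by an SOA query against the pdns master (or its domains
# table); here it is a constructed in-memory set for the example.
NATIVE_ZONES = {"domain.com.", "example.org."}


def encode_name(name):
    """Wire-encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_notify(zone, txid=0x1234):
    """Construct a minimal NOTIFY (QR=0, opcode 4, AA set) for `zone`.
    Constructed test input only; a real supermaster sends these."""
    flags = (OPCODE_NOTIFY << 11) | 0x0400  # AA bit, as BIND/pdns set it
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def decode_name(packet, offset):
    """Decode labels at `offset`; returns (lower-cased FQDN, next offset)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0 or length > 63:
            raise ValueError("unexpected compression pointer or label length")
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii").lower())
        offset += length


def parse_notify(packet):
    """Return the zone name of a well-formed NOTIFY with exactly one SOA/IN
    question, or None for anything else (which the filter then drops)."""
    if len(packet) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    opcode = (flags >> 11) & 0xF
    if flags & 0x8000 or opcode != OPCODE_NOTIFY or qdcount != 1:
        return None  # QR=1 (a response), not a NOTIFY, or odd question count
    try:
        zone, offset = decode_name(packet, 12)
        qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    except (ValueError, IndexError, struct.error, UnicodeDecodeError):
        return None
    if qtype != QTYPE_SOA or qclass != QCLASS_IN:
        return None
    return zone


def covering_native_zone(zone, native_zones):
    """Return the NATIVE zone that `zone` is a proper subzone of, or None.
    Walks up the parents: deep.sub.domain.com. -> sub.domain.com. -> domain.com."""
    labels = zone.rstrip(".").split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:]) + "."
        if parent in native_zones:
            return parent
    return None


def should_forward(packet, native_zones=NATIVE_ZONES):
    """Policy decision: (forward?, reason). Subzones of NATIVE zones and
    malformed packets are dropped; everything else is passed to pdns."""
    zone = parse_notify(packet)
    if zone is None:
        return False, "not a well-formed NOTIFY"
    parent = covering_native_zone(zone, native_zones)
    if parent:
        return False, f"{zone} is a subzone of NATIVE zone {parent}"
    return True, f"{zone} forwarded"


def run_proxy(listen=("0.0.0.0", 5353), upstream=("127.0.0.1", 53)):
    """Minimal UDP relay: NOTIFYs arriving on `listen` are filtered, allowed
    ones go to the pdns slave at `upstream` and its reply is sent back.
    Addresses are placeholders; not started at import time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
        sock.bind(listen)
        up.settimeout(2.0)
        while True:
            packet, client = sock.recvfrom(4096)
            ok, reason = should_forward(packet)
            print(f"{client[0]}: {reason}")  # audit trail of drops and forwards
            if not ok:
                continue  # silently dropped; the supermaster will simply retry
            up.sendto(packet, upstream)
            try:
                reply, _ = up.recvfrom(4096)
            except socket.timeout:
                continue
            sock.sendto(reply, client)


if __name__ == "__main__":
    for z in ("sub.domain.com.", "deep.sub.domain.com.", "other.net."):
        print(z, should_forward(build_notify(z)))
```

Run with `run_proxy()` and point the supermaster's `also-notify` at the proxy port; pdns itself then only ever sees NOTIFYs that passed the check. Dropped NOTIFYs are logged so a user repeatedly provisioning sub.domain.com in DirectAdmin shows up in the proxy's output rather than silently failing.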
