Don't do AXFR unless auth-sec-servers is set.

c6cb7407 · Simon Kelley · 333b2ceb · c6cb7407
Commit c6cb7407 authored Jan 07, 2013 by Simon Kelley
Show whitespace changes
Inline Side-by-side

Showing with 20 additions and 22 deletions

src/auth.c src/auth.c +20 -22

No files found.
--- a/src/auth.c
+++ b/src/auth.c
@@ -375,8 +375,6 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	      log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<SOA>");
 	    }
      	  else if (qtype == T_AXFR)
-	    {
-	      if (daemon->auth_peers)
 	    {
 	      struct iname *peers;
 	      
@@ -391,7 +389,8 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		if (sockaddr_isequal(peer_addr, &peers->addr))
 		  break;
 	      
-		  if (!peers)
+	      /* Refuse all AXFR unless --auth-sec-servers is set */
+	      if ((!peers && daemon->auth_peers) || !daemon->secondary_forward_server)
 		{
 		  if (peer_addr->sa.sa_family == AF_INET)
 		    inet_ntop(AF_INET, &peer_addr->in.sin_addr, daemon->addrbuff, ADDRSTRLEN);
@@ -403,7 +402,6 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 		  my_syslog(LOG_WARNING, _("ignoring zone transfer request from %s"), daemon->addrbuff);
 		  return 0;
 		}
-		}
 	       	      
 	      soa = 1; /* inhibits auth section */
 	      ns = 1; /* ensure we include NS records! */