plugin/kubernetes: Only answer transfer requests for authoritative zones (#4802)

* check for zone match Signed-off-by: Chris O'Haver <cohaver@infoblox.com>

plugin/kubernetes: Only answer transfer requests for authoritative zones (#4802)
* check for zone match Signed-off-by: Chris O'Haver <cohaver@infoblox.com>
88d94dc1 · Chris O'Haver · GitHub · 5aae49ce · 88d94dc1 · 88d94dc1
Commit 88d94dc1 authored Aug 13, 2021 by Chris O'Haver Committed by GitHub Aug 13, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 0 deletions

plugin/kubernetes/xfr.go plugin/kubernetes/xfr.go +4 -0

plugin/kubernetes/xfr_test.go plugin/kubernetes/xfr_test.go +17 -0

No files found.
--- a/plugin/kubernetes/xfr.go
+++ b/plugin/kubernetes/xfr.go
@@ -18,6 +18,10 @@ import (
 // Transfer implements the transfer.Transfer interface.
 func (k *Kubernetes) Transfer(zone string, serial uint32) (<-chan []dns.RR, error) {
+	match := plugin.Zones(k.Zones).Matches(zone)
+	if match == "" {
+		return nil, transfer.ErrNotAuthoritative
+	}
 	// state is not used here, hence the empty request.Request{]
 	soa, err := plugin.SOA(context.TODO(), k, zone, request.Request{}, plugin.Options{})
 	if err != nil {

--- a/plugin/kubernetes/xfr_test.go
+++ b/plugin/kubernetes/xfr_test.go
@@ -5,9 +5,26 @@ import (
 	"strings"
 	"testing"
+	"github.com/coredns/coredns/plugin/transfer"
 	"github.com/miekg/dns"
 )
+func TestKubernetesTransferNonAuthZone(t *testing.T) {
+	k := New([]string{"cluster.local."})
+	k.APIConn = &APIConnServeTest{}
+	k.Namespaces = map[string]struct{}{"testns": {}, "kube-system": {}}
+	k.localIPs = []net.IP{net.ParseIP("10.0.0.10")}
+	dnsmsg := &dns.Msg{}
+	dnsmsg.SetAxfr("example.com")
+	_, err := k.Transfer("example.com", 0)
+	if err != transfer.ErrNotAuthoritative {
+		t.Error(err)
+	}
+}
 func TestKubernetesAXFR(t *testing.T) {
 	k := New([]string{"cluster.local."})
 	k.APIConn = &APIConnServeTest{}