Hi Frank, 

Intercepting the NOTIFYs with a script sounds like a good idea but can this be 
done with PowerDNS? 
Or do you mean writing a custom script that acts as a notify proxy/filter? 


From: "pdns-users" <pdns-users@mailman.powerdns.com> 
To: "pdns-users" <pdns-users@mailman.powerdns.com> 
Sent: Thursday, May 23, 2019 10:08:43 AM 
Subject: Re: [Pdns-users] Postfix as master+slave. How to prevent supermasters 
from being able to create subzones for NATIVE domains? 

Hi Sander, 

Do you want this for a fixed set of "domain.com" domains or for "any domain 
that is configured in pdns as a native domain"? 

If the first, have a look at the LUA-AXFR-SCRIPT functionality. You define a 
(lua) script that gets executed after the AXFR has been done, but before the 
domain is committed to the backend. You could block the commit by returning an 
error. See my blog post https://www.frank.be/when-your-notify-wont-work/ where 
I used the LUA-AXFR-SCRIPT functionality for a different use case. 

However, this won’t prevent the domain from being written to the domains table 
in the backend, so you’d have to lab what happens in your version of pdns if 
you get the desired behaviour. Also note that you need to define the script on 
a per-domain level. So you’d need another mechanism to update the backend for 
each newly discovered domain. (Database trigger might help). 

Another option would be to intercept the NOTIFYs with a script, check if the 
zone you receive the notify for matches the sub.domain.com regexp, query the 
pdns master for a SOA for domain.com, then either drop the notify, or pass it 
to your pdns instance. 

Kind Regards, 

Frank Louwers 
PowerDNS Certified Consultant @ Kiwazo.be (http://kiwazo.be/) 

On 23 May 2019, at 07:54, sandermo...@telenet.be wrote: 


We have a DirectAdmin server which internally is using a BIND nameserver. We 
also have a PowerDNS server which is acting as a master for domains configured 
as NATIVE and it's also acting as a slave for the domains added in DirectAdmin. 
This is done by configuring the IP address of the DirectAdmin server in the 
supermasters table. All working as expected. 

Now, we noticed that if we configure "domain.com" as a NATIVE domain in 
PowerDNS it is still possible to configure "sub.domain.com" in DirectAdmin and 
powerdns will accept the subzone from the supermaster. 
This way users on our DirectAdmin server can break configurations for domains 
configured as NATIVE. 

We need a way for PowerDNS to reject all *.domain.com subzones from any 
supermaster if the main domain is configured as NATIVE. 

Is there a way to do this? 


Pdns-users mailing list 
Pdns-users@mailman.powerdns.com 
https://mailman.powerdns.com/mailman/listinfo/pdns-users 

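The second option Frank describes (a script in front of pdns that looks at each incoming NOTIFY, checks whether the zone is a subzone of a NATIVE domain, and drops or passes it) comes down to two pieces: parsing the zone name out of the NOTIFY on the wire, and a suffix check at label boundaries. The Python below is an added example written for this thread, not code from PowerDNS or from either poster. It assumes the constructed set NATIVE_ZONES in place of the SOA query against the pdns master that Frank suggests, and it stops at the drop/pass decision; the socket listener and the forwarding of passed packets to pdns are left to the deployment. The label-based check deliberately treats a name like domain.com.evil as unrelated to domain.com.

```python
"""Policy filter for incoming DNS NOTIFY messages (added example, not pdns code)."""
import struct
from typing import Optional, Tuple

OPCODE_NOTIFY = 4  # RFC 1996: NOTIFY is DNS opcode 4

# Constructed stand-in for "query the pdns master for a SOA of the parent":
# a real filter would replace this set with that SOA lookup.
NATIVE_ZONES = {"domain.com", "example.net"}


def parse_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a wire-format name at offset; return (name, offset after it).
    Follows RFC 1035 compression pointers but caps the hop count so a
    malicious packet with a pointer loop cannot hang the filter."""
    labels = []
    jumped = False
    end = offset
    hops = 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two high bits set: compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the name ends after the first pointer
            jumped = True
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:  # root label terminates the name
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii").lower())
        offset += length
    return ".".join(labels), end


def notify_zone(msg: bytes) -> Optional[str]:
    """Return the zone named in a NOTIFY request, or None for any other message."""
    if len(msg) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    qr = flags >> 15
    opcode = (flags >> 11) & 0xF
    if qr != 0 or opcode != OPCODE_NOTIFY or qdcount != 1:
        return None
    name, _ = parse_name(msg, 12)  # question section starts after the header
    return name


def native_parent(zone: str, native_zones=NATIVE_ZONES) -> Optional[str]:
    """Return the NATIVE zone that zone is a proper subdomain of, else None.
    Matching is done per label, so 'domain.com.evil' does not match 'domain.com'."""
    labels = zone.rstrip(".").split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in native_zones:
            return parent
    return None


def filter_notify(msg: bytes) -> Tuple[str, Optional[str]]:
    """Decide 'drop' or 'pass' for one UDP payload and report the zone seen."""
    zone = notify_zone(msg)
    if zone is None:
        return ("pass", None)  # not a NOTIFY: ordinary queries are left alone
    if native_parent(zone):
        return ("drop", zone)  # subzone of a NATIVE domain: never reaches pdns
    return ("pass", zone)


def build_notify(zone: str, msg_id: int = 0x1234) -> bytes:
    """Constructed NOTIFY request (opcode 4, one SOA/IN question) for testing."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_NOTIFY << 11, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in zone.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)  # QTYPE SOA, QCLASS IN


if __name__ == "__main__":
    for z in ("sub.domain.com", "domain.com", "other.org", "domain.com.evil"):
        print(z, "->", filter_notify(build_notify(z)))
```

For this to be worth anything the supermaster's NOTIFYs must actually traverse the filter, so pdns itself must not be reachable from the DirectAdmin address directly; otherwise the supermaster provisioning path the original question describes is untouched. Logging every dropped NOTIFY with its source address also gives a record of which DirectAdmin users tried to register a subzone of a NATIVE domain.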