[Crossposting to the ML in the hope this is interesting to others]

On Wed, Jun 1, 2011 at 15:23, Posner, Sebastian <[email protected]> wrote:
> Maik Zumstrull wrote:
>
>> > I see that, at least with the rc, notifies are sent to every address
>> > listed in allow-axfr-ips.
>> >
>> > It would help if there were separate lists for addresses which should
>> > get notifies and addresses which should be able to axfr but should not
>> > be notified.
>>
>> This is possible with the ALSO-NOTIFY metadata and the
>> check-acl-query, which are inexcusably underdocumented.
>
> Some more hints on this would be great ;)

After compiling the list of IP addresses that should be notified the usual way (known nameservers for the domain, known AXFR everything hosts), pdns checks the domainmetadata table for entries for that zone with kind = 'ALSO-NOTIFY'. Each entry is assumed to be an IP address to notify in addition to the usual targets.

When someone requests AXFR, in addition to the global allow/deny settings, the check-acl-query (default: "select value from acls where acl_type='%s' and acl_key='%s'") is executed. acl_type is set to "allow-axfr" and acl_key is the name of the zone that has been requested. If the requesting IP address matches one of the selected values, AXFR is permitted.

This is specific to the gsql-derived backends. For other backends, check if and how they implement the alsoNotifies and checkACL calls.

_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
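
The split described in the message above, as an added example that is not part of the original post and not PowerDNS code: an in-memory SQLite database stands in for the gsql backend, with one host that is notified and a separate range that may AXFR without being notified. Assumptions: the acls columns are inferred from the quoted query, domainmetadata is taken as (domain_id, kind, content), ACL values are treated as single addresses or CIDR ranges, and the global allow/deny settings are not modelled.

```python
import ipaddress
import sqlite3

# The default check-acl-query quoted above, with %s turned into bound parameters.
CHECK_ACL_QUERY = "select value from acls where acl_type=? and acl_key=?"

def build_db():
    """Create the tables and load constructed sample rows (documentation IP ranges)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table domains (id integer primary key, name text);
        create table domainmetadata (domain_id integer, kind text, content text);
        create table acls (acl_type text, acl_key text, value text);
        insert into domains values (1, 'example.org');
        -- Notified in addition to the usual targets:
        insert into domainmetadata values (1, 'ALSO-NOTIFY', '192.0.2.10');
        -- May AXFR; only the first of these hosts is also notified:
        insert into acls values ('allow-axfr', 'example.org', '192.0.2.10');
        insert into acls values ('allow-axfr', 'example.org', '198.51.100.0/24');
    """)
    return db

def also_notify(db, zone):
    """Extra NOTIFY targets for a zone, read from domainmetadata."""
    rows = db.execute(
        "select m.content from domainmetadata m "
        "join domains d on d.id = m.domain_id "
        "where d.name = ? and m.kind = 'ALSO-NOTIFY'", (zone,))
    return sorted(r[0] for r in rows)

def axfr_allowed(db, zone, client_ip):
    """Per-zone AXFR check: does client_ip match any value the ACL query returns?"""
    client = ipaddress.ip_address(client_ip)
    for (value,) in db.execute(CHECK_ACL_QUERY, ("allow-axfr", zone)):
        try:
            if client in ipaddress.ip_network(value, strict=False):
                return True
        except ValueError:
            continue  # a malformed ACL row never grants access
    return False

if __name__ == "__main__":
    db = build_db()
    print("also-notify:", also_notify(db, "example.org"))
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, "AXFR allowed:", axfr_allowed(db, "example.org", ip))
```
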
