From: Pdns-users <[email protected]> on behalf of Fabian A. Santiago <[email protected]>

>On May 4, 2017 6:15:35 AM EDT, Remi Gacogne <[email protected]> wrote:
>>On 05/04/2017 12:09 PM, Fabian A. Santiago wrote:
>>>> 'allow-notify-from' defaults to '0.0.0.0/0,::/0', which allows
>>>> everything. Of course additional checks are performed afterwards,
>>>> like checking if the configuration requires a valid TSIG signature,
>>>> whether we are authoritative for the domain, that we are not master
>>>> for it and that the notifications come from a known master or a
>>>> super-master.
>>>>
>>>> Regards,
>>>
>>> But aren't they saying that they have their slaves listed as
>>> supermasters but are still being ignored?
>>
>>The 'allow-notify-from' check is performed first, and the other checks
>>are only performed if the source address of the NOTIFY message is
>>allowed. So if 'allow-notify-from' doesn't allow your slaves in the
>>first place, it won't work.

Thank you for explaining this. So it's safe to leave it at the default since other secondary checks are done? Seems odd for me to remove my list of IPs from the allow-notify-from to make this work. Should the logic be for allowed NOTIFYs to be a combination of allow-notify-from, supermasters, and masters to provide a total list of allowed masters? The current logic doesn't make sense if there are secondary checks still happening when the allow-notify-from is left at the default. Why not combine the lists at startup and refresh from the backend periodically?

Dave

_______________________________________________
Pdns-users mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/pdns-users
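The check ordering Remi describes above (source address against 'allow-notify-from' first, and only then TSIG, authority, master status and the known-master/supermaster lookup) is what makes a narrowed 'allow-notify-from' silently drop NOTIFYs from hosts that are otherwise listed as supermasters. The following is an added example, written for this thread and not PowerDNS's own code: a small Python model of that evaluation order with a constructed configuration, so the two outcomes can be compared side by side. The config values, zone names and IP addresses are made up; the `NotifyPolicy` and `evaluate_notify` names are assumptions of this model, not PowerDNS APIs.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Model of the NOTIFY acceptance checks, in the order described in the thread.
# This is an illustrative model, not PowerDNS source code.


@dataclass
class NotifyPolicy:
    allow_notify_from: list            # CIDR strings, like the config setting
    authoritative_zones: set           # zones this server serves at all
    master_zones: set                  # zones this server is master for
    masters: dict = field(default_factory=dict)       # zone -> set of master IPs
    supermasters: set = field(default_factory=set)    # supermaster IPs
    require_tsig: bool = False


def allowed_by_acl(acl, source_ip):
    """True if source_ip falls inside any network of the ACL."""
    addr = ip_address(source_ip)
    # An IPv4 address is never "in" an IPv6 network and vice versa; the
    # ipaddress module returns False in that case rather than raising.
    return any(addr in ip_network(net) for net in acl)


def evaluate_notify(policy, source_ip, zone, tsig_valid=False):
    """Return (accepted, reason). The reason names the first failing check."""
    # 1. Source address ACL: evaluated first, before anything zone-specific.
    if not allowed_by_acl(policy.allow_notify_from, source_ip):
        return False, "allow-notify-from"
    # 2. TSIG, if the configuration requires a valid signature.
    if policy.require_tsig and not tsig_valid:
        return False, "tsig"
    # 3. We must be authoritative for the zone.
    if zone not in policy.authoritative_zones:
        return False, "not-authoritative"
    # 4. We must not be master for it ourselves.
    if zone in policy.master_zones:
        return False, "we-are-master"
    # 5. The sender must be a known master for the zone or a supermaster.
    if source_ip in policy.masters.get(zone, set()) or source_ip in policy.supermasters:
        return True, "accepted"
    return False, "unknown-master"


# Constructed scenario: a slave listed as a supermaster, the server secondary
# for example.test, and two different 'allow-notify-from' settings.
SLAVE_IP = "192.0.2.10"
ZONE = "example.test"


def default_acl_policy():
    return NotifyPolicy(
        allow_notify_from=["0.0.0.0/0", "::/0"],   # the documented default
        authoritative_zones={ZONE},
        master_zones=set(),
        supermasters={SLAVE_IP},
    )


def narrowed_acl_policy():
    # A list of IPs that does not include the slave: the supermaster entry
    # never gets consulted because check 1 rejects the packet first.
    return NotifyPolicy(
        allow_notify_from=["198.51.100.0/24"],
        authoritative_zones={ZONE},
        master_zones=set(),
        supermasters={SLAVE_IP},
    )


if __name__ == "__main__":
    for label, pol in (("default", default_acl_policy()), ("narrowed", narrowed_acl_policy())):
        print(label, evaluate_notify(pol, SLAVE_IP, ZONE))
```

Running the module prints the accepted result for the default ACL and a rejection with reason `allow-notify-from` for the narrowed one; the supermaster entry is identical in both, which is exactly the behaviour reported in the thread.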
