diff --git a/src/knot/server/name-server.c b/src/knot/server/name-server.c
index 2e4ab3a8b7f316831c320269bd3f226310524289..443185ac016943e7a07df7f159da2e2c79a05f6f 100644
--- a/src/knot/server/name-server.c
+++ b/src/knot/server/name-server.c
@@ -3050,6 +3050,13 @@ int ns_process_response(ns_nameserver_t *nameserver, sockaddr_t *from,
 return KNOT_EINVAL;
 }
+ /* Match against ACL to verify. */
+ if (acl_match(zd->xfr_in.acl, from) == ACL_DENY) {
+ debug_ns("Unauthorized SOA response, will not start "
+ "XFR.\n");
+ return KNOT_EINVAL;
+ }
+
 /* Cancel EXPIRE timer. */
 evsched_t *sched = nameserver->server->sched;
 event_t *expire_ev = zd->xfr_in.expire;
diff --git a/src/knot/server/zones.c b/src/knot/server/zones.c
index 6da0539efd68e68a65b29a20b7f601ceb0161ddc..7db3cececc686a8981c62a8871136e3130991ee7 100644
--- a/src/knot/server/zones.c
+++ b/src/knot/server/zones.c
@@ -763,6 +763,7 @@ static int zones_insert_zones(ns_nameserver_t *ns,
 /* Update ACLs. */
 debug_zones("Updating zone ACLs.\n");
+ zones_set_acl(&zd->xfr_in.acl, &z->acl.xfr_in);
 zones_set_acl(&zd->xfr_out, &z->acl.xfr_out);
 zones_set_acl(&zd->notify_in, &z->acl.notify_in);
 zones_set_acl(&zd->notify_out, &z->acl.notify_out);
@@ -779,6 +780,10 @@ static int zones_insert_zones(ns_nameserver_t *ns,
 cfg_if->family, cfg_if->address, cfg_if->port);
+
+ debug_zones("Using %s:%d as zone XFR master.\n",
+ cfg_if->address,
+ cfg_if->port);
 }
 /* Update events scheduled for zone. */
diff --git a/src/knot/server/zones.h b/src/knot/server/zones.h
index ceb902f42e537bb106fe7a966636004f418d553a..56500358761238536b47b06ac53834db2b25c2ef 100644
--- a/src/knot/server/zones.h
+++ b/src/knot/server/zones.h
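Review bot: The new guard on the `acl_match(zd->xfr_in.acl, from)` line treats only an explicit ACL_DENY as a rejection, so any other return value — an error result, or whatever acl_match yields when `zd->xfr_in.acl` is left NULL for a zone loaded without an xfr-in ACL — falls through and the transfer is started; rejecting everything that is not an explicit accept, `if (acl_match(zd->xfr_in.acl, from) != ACL_ACCEPT) {` (assuming acl.h names its accept value that way), fails closed instead. The rejection is also reported only through debug_ns, so a misconfigured master or a forged SOA response that this check stops leaves no trace in a production log; a non-debug log line naming the zone and the source address would make these events visible to operators. Source-address matching alone is easy to spoof over UDP, so this check should be documented as a filter rather than as authentication of the master. ns_process_response begins and ends outside the hunk.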
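Review bot: The added `zones_set_acl(&zd->xfr_in.acl, &z->acl.xfr_in);` populates the new list, but nothing in this commit shows where `zd->xfr_in.acl` is released when zone data is torn down or replaced on reload, while the sibling xfr_out/notify_in/notify_out ACLs presumably already have a matching free; if the cleanup path was not extended alongside this line, every reload leaks the list. It is also worth confirming what zones_set_acl leaves in the field for a zone whose configuration has no xfr-in ACL at all, because that value is exactly what ns_process_response later hands to acl_match and it decides whether such a zone fails open or closed. zones_insert_zones begins and ends outside the hunk.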
@@ -41,6 +41,7 @@ typedef struct zonedata_t
 /*! \brief XFR-IN scheduler. */
 struct {
 list **ifaces; /*!< List of availabel interfaces. */
+ acl_t *acl; /*!< ACL for xfr-in.*/
 sockaddr_t master; /*!< Master server for xfr-in.*/
 struct event_t *timer; /*!< Timer for REFRESH/RETRY. */
 struct event_t *expire; /*!< Timer for REFRESH. */
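Review bot: The doc comment on the added `acl_t *acl;` member says only "ACL for xfr-in.", which leaves a reader guessing who fills and frees it and what a NULL value means to the code that consults it; suggest `acl_t *acl; /*!< Sources allowed to answer as xfr-in master (filled by zones_set_acl, consulted by ns_process_response). */`. Whether an unset (NULL) ACL means deny-all or allow-all should be stated here once decided, since that single convention determines whether a zone without an xfr-in ACL fails open. The enclosing zonedata_t struct starts before and continues after the hunk.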