openwrtv4/package/network/services/dnsmasq/patches/0013-Allow-zone-transfer-in-authoritative-mode-whenever-a.patch

From 090856c7e6d483bc4d7ec41f55208a9842769c45 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 2 Jun 2018 18:37:07 +0100
Subject: [PATCH 13/17] Allow zone transfer in authoritative mode whenever
 auth-peer is specified.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
---
 CHANGELOG     | 4 ++++
 man/dnsmasq.8 | 6 +++++-
 src/auth.c    | 5 +++--
 3 files changed, 12 insertions(+), 3 deletions(-)

--- a/CHANGELOG
+++ b/CHANGELOG
@@ -29,6 +29,10 @@ version 2.80
 	have different parameters and avoids advertising the same
 	prefix twice. Thanks to Luis Marsano for spotting this case.
 
+	Allow zone transfer in authoritative mode if auth-peer is specified,
+	even if auth-sec-servers is not. Thanks to Raphaël Halimi for
+	the suggestion.
+
 
 version 2.79
 	Fix parsing of CNAME arguments, which are confused by extra spaces.
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -817,7 +817,11 @@ authoritative zones as dnsmasq.
 Specify the addresses of secondary servers which are allowed to
 initiate zone transfer (AXFR) requests for zones for which dnsmasq is
 authoritative. If this option is not given, then AXFR requests will be
-accepted from any secondary. 
+accepted from any secondary. Specifying
+.B auth-peer
+without
+.B auth-sec-servers
+enables zone transfer but does not advertise the secondary in NS records returned by dnsmasq.
 .TP 
 .B --conntrack
 Read the Linux connection track mark associated with incoming DNS
--- a/src/auth.c
+++ b/src/auth.c
@@ -436,8 +436,9 @@ size_t answer_auth(struct dns_header *he
 		if (sockaddr_isequal(peer_addr, &peers->addr))
 		  break;
 	      
-	      /* Refuse all AXFR unless --auth-sec-servers is set */
-	      if ((!peers && daemon->auth_peers) || !daemon->secondary_forward_server)
+	      /* Refuse all AXFR unless --auth-sec-servers or auth-peers is set */
+	      if ((!daemon->secondary_forward_server && !daemon->auth_peers) ||
+		  (daemon->auth_peers && !peers)) 
 		{
 		  if (peer_addr->sa.sa_family == AF_INET)
 		    inet_ntop(AF_INET, &peer_addr->in.sin_addr, daemon->addrbuff, ADDRSTRLEN);
dnsmasq: bump to latest patches on 2.80rc2 Refresh patches and backport upstream to current HEAD: a997ca0 Fix sometimes missing DNSSEC RRs when DNSSEC validation not enabled. 51e4eee Fix address-dependent domains for IPv6. 05ff659 Fix stupid infinite loop introduced by preceding commit. db0f488 Handle some corner cases in RA contructed interfaces with addresses changing interface. 7dcca6c Warn about the impact of cache-size on performance. 090856c Allow zone transfer in authoritative mode whenever auth-peer is specified. cc5cc8f Sane error message when pcap file header is wrong. c488b68 Handle standard and contructed dhcp-ranges on the same interface. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> 2018-06-03 03:44:12 +00:00			`From 090856c7e6d483bc4d7ec41f55208a9842769c45 Mon Sep 17 00:00:00 2001`
			`From: Simon Kelley <simon@thekelleys.org.uk>`
			`Date: Sat, 2 Jun 2018 18:37:07 +0100`
			`Subject: [PATCH 13/17] Allow zone transfer in authoritative mode whenever`
			`auth-peer is specified.`

			`Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>`
			`---`
			`CHANGELOG \| 4 ++++`
			`man/dnsmasq.8 \| 6 +++++-`
			`src/auth.c \| 5 +++--`
			`3 files changed, 12 insertions(+), 3 deletions(-)`

			`--- a/CHANGELOG`
			`+++ b/CHANGELOG`
			`@@ -29,6 +29,10 @@ version 2.80`
			`have different parameters and avoids advertising the same`
			`prefix twice. Thanks to Luis Marsano for spotting this case.`

			`+ Allow zone transfer in authoritative mode if auth-peer is specified,`
			`+ even if auth-sec-servers is not. Thanks to Raphaël Halimi for`
			`+ the suggestion.`
			`+`

			`version 2.79`
			`Fix parsing of CNAME arguments, which are confused by extra spaces.`
			`--- a/man/dnsmasq.8`
			`+++ b/man/dnsmasq.8`
			`@@ -817,7 +817,11 @@ authoritative zones as dnsmasq.`
			`Specify the addresses of secondary servers which are allowed to`
			`initiate zone transfer (AXFR) requests for zones for which dnsmasq is`
			`authoritative. If this option is not given, then AXFR requests will be`
			`-accepted from any secondary.`
			`+accepted from any secondary. Specifying`
			`+.B auth-peer`
			`+without`
			`+.B auth-sec-servers`
			`+enables zone transfer but does not advertise the secondary in NS records returned by dnsmasq.`
			`.TP`
			`.B --conntrack`
			`Read the Linux connection track mark associated with incoming DNS`
			`--- a/src/auth.c`
			`+++ b/src/auth.c`
			`@@ -436,8 +436,9 @@ size_t answer_auth(struct dns_header *he`
			`if (sockaddr_isequal(peer_addr, &peers->addr))`
			`break;`

			`- /* Refuse all AXFR unless --auth-sec-servers is set */`
			`- if ((!peers && daemon->auth_peers) \|\| !daemon->secondary_forward_server)`
			`+ /* Refuse all AXFR unless --auth-sec-servers or auth-peers is set */`
			`+ if ((!daemon->secondary_forward_server && !daemon->auth_peers) \|\|`
			`+ (daemon->auth_peers && !peers))`
			`{`
			`if (peer_addr->sa.sa_family == AF_INET)`
			`inet_ntop(AF_INET, &peer_addr->in.sin_addr, daemon->addrbuff, ADDRSTRLEN);`