plugin/kubernetes: Only answer transfer requests for authoritative zones (#4802)

* check for zone match

Signed-off-by: Chris O'Haver <cohaver@infoblox.com>

plugin/kubernetes/xfr.go

@@ -18,6 +18,10 @@ import (
 
 // Transfer implements the transfer.Transfer interface.
 func (k *Kubernetes) Transfer(zone string, serial uint32) (<-chan []dns.RR, error) {
+	match := plugin.Zones(k.Zones).Matches(zone)
+	if match == "" {
+		return nil, transfer.ErrNotAuthoritative
+	}
 	// state is not used here, hence the empty request.Request{]
 	soa, err := plugin.SOA(context.TODO(), k, zone, request.Request{}, plugin.Options{})
 	if err != nil {

plugin/kubernetes/xfr_test.go

@@ -5,9 +5,26 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/coredns/coredns/plugin/transfer"
+
 	"github.com/miekg/dns"
 )
 
+func TestKubernetesTransferNonAuthZone(t *testing.T) {
+	k := New([]string{"cluster.local."})
+	k.APIConn = &APIConnServeTest{}
+	k.Namespaces = map[string]struct{}{"testns": {}, "kube-system": {}}
+	k.localIPs = []net.IP{net.ParseIP("10.0.0.10")}
+
+	dnsmsg := &dns.Msg{}
+	dnsmsg.SetAxfr("example.com")
+
+	_, err := k.Transfer("example.com", 0)
+	if err != transfer.ErrNotAuthoritative {
+		t.Error(err)
+	}
+}
+
 func TestKubernetesAXFR(t *testing.T) {
 	k := New([]string{"cluster.local."})
 	k.APIConn = &APIConnServeTest{}