plugin/file: respond correctly to IXFR message (#3177)

* plugin/file: respond correctly to IXFR message Respond with a sing SOA record to an IXFR request if the SOA serials match. The added test fails on the current code with: ~~~ === RUN TestIxfrResponse --- FAIL: TestIxfrResponse (0.00s) secondary_test.go:122: Expected answer section with single RR FAIL exit status 1 ~~~ And obviously passes with the new code. This should cut down on the weird number of zone transfers that I was seeing. At some point IXFR support might be cool. Fixes: #3176 Signed-off-by: Miek Gieben <miek@miek.nl> * reuse code Signed-off-by: Miek Gieben <miek@miek.nl> * Sligtht tweaks Signed-off-by: Miek Gieben <miek@miek.nl>
2025-10-31 10:13:14 -04:00 · 2019-08-26 08:14:43 +00:00
parent e08d3335b0
commit d65cd709cd
2 changed files with 87 additions and 0 deletions
--- a/plugin/file/xfr.go
+++ b/plugin/file/xfr.go
@@ -26,6 +26,15 @@ func (x Xfr) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (in
 		return 0, plugin.Error(x.Name(), fmt.Errorf("xfr called with non transfer type: %d", state.QType()))
 	}

+	// For IXFR we take the SOA in the IXFR message (if there), compare it what we have and then decide to do an
+	// AXFR or just reply with one SOA message back.
+	if state.QType() == dns.TypeIXFR {
+		code, _ := x.ServeIxfr(ctx, w, r)
+		if plugin.ClientWrite(code) {
+			return code, nil
+		}
+	}
+
 	records := x.All()
 	if len(records) == 0 {
 		return dns.RcodeServerFailure, nil
@@ -63,4 +72,36 @@ func (x Xfr) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (in
 // Name implements the plugin.Handler interface.
 func (x Xfr) Name() string { return "xfr" }

+// ServeIxfr checks if we need to serve a simpler IXFR for the incoming message.
+// See RFC 1995 Section 3: "... and the authority section containing the SOA record of client's version of the zone."
+// and Section 2, paragraph 4 where we only need to echo the SOA record back.
+// This function must be called when the qtype is IXFR. It returns a plugin.ClientWrite(code) == false, when it didn't
+// write anything and we should perform an AXFR.
+func (x Xfr) ServeIxfr(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error) {
+	if len(r.Ns) != 1 {
+		return dns.RcodeServerFailure, nil
+	}
+	soa, ok := r.Ns[0].(*dns.SOA)
+	if !ok {
+		return dns.RcodeServerFailure, nil
+	}
+
+	x.RLock()
+	if x.Apex.SOA == nil {
+		x.RUnlock()
+		return dns.RcodeServerFailure, nil
+	}
+	serial := x.Apex.SOA.Serial
+	x.RUnlock()
+
+	if soa.Serial == serial { // Section 2, para 4; echo SOA back. We have the same zone
+		m := new(dns.Msg)
+		m.SetReply(r)
+		m.Answer = []dns.RR{soa}
+		w.WriteMsg(m)
+		return 0, nil
+	}
+	return dns.RcodeServerFailure, nil
+}
+
 const transferLength = 1000 // Start a new envelop after message reaches this size in bytes. Intentionally small to test multi envelope parsing.