8.2.1-REL patch "global transfer-source"

Michael Handler handler-bind-workers at sub-rosa.com
Sun Jul 11 06:56:50 UTC 1999 

I wrote the following for 8.1.2-REL:

| When the xfer-source patch from "roy alcala" <roy at mci.net> was imported
| into the BIND sources, it was made into a per-zone option with no
| corresponding global option. There are production environments like ours
| where this doesn't make sense -- the machine has a an IP address on the
| LAN, and a virtual interface that is the published, public interface.
| All AXFRs and NOTIFYies should originate from the virtual interface,
| unless specifically overridden; it simplifies administration to have a
| global transfer-source option. The attached patch adds one.

The patch wasn't integrated at the time due to lack of a documentation
patch for myself. I've updated the patch for 8.2.1-REL and written the
documentation patch; both are attached.

-- 
handler at sub-rosa.com (Michael Handler)

the complete lack of evidence...
                          ...is the surest sign that the conspiracy is working


-- Attached file included as plaintext by Listar --

Index: bin/named/ns_config.c
===================================================================
RCS file: /usr/local/cvsroot/dns/bind/bin/named/ns_config.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- ns_config.c	1999/07/11 04:47:09	1.1
+++ ns_config.c	1999/07/11 06:10:04	1.2
@@ -1101,6 +1101,7 @@
 	op->query_source.sin_family = AF_INET;
 	op->query_source.sin_addr.s_addr = htonl(INADDR_ANY);
 	op->query_source.sin_port = htons(0);		/* INPORT_ANY */
+	op->axfr_src.s_addr = 0;
 	op->blackhole_acl = NULL;
 	op->query_acl = NULL;
 	op->transfer_acl = NULL;
Index: bin/named/ns_defs.h
===================================================================
RCS file: /usr/local/cvsroot/dns/bind/bin/named/ns_defs.h,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- ns_defs.h	1999/07/11 04:47:09	1.1
+++ ns_defs.h	1999/07/11 06:10:05	1.2
@@ -704,6 +704,7 @@
 	enum axfr_format transfer_format;
 	long max_transfer_time_in;
 	struct sockaddr_in query_source;
+	struct in_addr axfr_src;
 	ip_match_list query_acl;
 	ip_match_list recursion_acl;
 	ip_match_list transfer_acl;
Index: bin/named/ns_maint.c
===================================================================
RCS file: /usr/local/cvsroot/dns/bind/bin/named/ns_maint.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- ns_maint.c	1999/07/11 04:47:09	1.1
+++ ns_maint.c	1999/07/11 06:10:05	1.2
@@ -672,9 +672,12 @@
 		sprintf(serial_str, "%u", zp->z_serial);
 		argv[argc++] = serial_str;
 	}
-	if (zp->z_axfr_src.s_addr != 0) {
+	if ((zp->z_axfr_src.s_addr != 0) ||
+		(server_options->axfr_src.s_addr != 0)) {
 		argv[argc++] = "-x";
-		argv[argc++] = strcpy(src_str, inet_ntoa(zp->z_axfr_src));
+		argv[argc++] = strcpy(src_str, inet_ntoa(
+			(zp->z_axfr_src.s_addr != 0) ? zp->z_axfr_src :
+			server_options->axfr_src));
 	}
 	argv[argc++] = "-C";
 	sprintf(class_str, "%d", zp->z_class);
Index: bin/named/ns_parser.y
===================================================================
RCS file: /usr/local/cvsroot/dns/bind/bin/named/ns_parser.y,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- ns_parser.y	1999/07/11 04:47:09	1.1
+++ ns_parser.y	1999/07/11 06:10:05	1.2
@@ -434,6 +434,10 @@
 	}
 	'{' opt_forwarders_list '}'
 	| T_QUERY_SOURCE query_source
+	| T_TRANSFER_SOURCE maybe_wild_addr
+	{
+		current_options->axfr_src = $2;
+	}
 	| T_ALLOW_QUERY '{' address_match_list '}'
 	{
 		if (current_options->query_acl) {


-- Attached file included as plaintext by Listar --

Index: html/options.html
===================================================================
RCS file: /usr/local/cvsroot/dns/bind-doc/html/options.html,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 options.html
--- options.html	1999/07/11 04:50:06	1.1.1.1
+++ options.html	1999/07/11 06:39:57
@@ -48,6 +48,7 @@
   [ transfers-in  <VAR>number</VAR>; ]
   [ transfers-out <VAR>number</VAR>; ]
   [ transfers-per-ns <VAR>number</VAR>; ]
+  [ transfer-source <VAR><A HREF="docdef.html">ip_addr</A></VAR>; ]
   [ maintain-ixfr-base <VAR><A HREF="docdef.html">yes_or_no</A></VAR>; ]
   [ max-ixfr-log-size <VAR>number</VAR>; ]
   [ coresize <VAR><A HREF="docdef.html">size_spec</A></VAR> ; ]
@@ -448,6 +449,18 @@
 <CODE>transfers-per-ns</CODE> may be overridden on a per-server basis
 by using the <CODE>transfers</CODE> phrase of the <CODE>server</CODE>
 statement.
+
+<DT><CODE>transfer-source</CODE>
+<DD>
+<CODE>transfer-source</CODE> determines which local address will be bound
+to the TCP connection used to fetch all zones transferred inbound by the
+server. If not set, it defaults to a system controlled value which will
+usually be the address of the interface ``closest to'' the remote end.
+This address must appear in the remote end's <CODE>allow-transfer</CODE>
+option for the zone being transferred, if one is specified. This statement
+sets the <CODE>transfer-source</CODE> for all zones, but can be overridden
+on a per-zone basis by including a <CODE>transfer-source</CODE> statement
+within the zone block in the configuration file.
 </DL>
 
 <H4>Resource Limits</H4>

More information about the bind-workers mailing list