PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

auth: Support for catalog zones custom properties #13682

Open rgacogne opened 9 months ago

rgacogne commented 9 months ago

Short description

BIND defines custom properties for ACL, primaries and TSIG settings: https://bind9.readthedocs.io/en/stable/chapter6.html#catalog-zone-custom-properties and I would like a way to do the same with PowerDNS.

Use case

My use-case is simple: I want to provision the TSIG keys and ACL to use on the secondaries for the zones learned on the consumer via the catalog zone itself.

I gave it a shot in https://github.com/PowerDNS/pdns/pull/12772 but my implementation did not match the current design.

insertjokehere commented 5 months ago

This is something I am also interested in. In my setup, all zones require TSIG keys to AXFR - I can get a secondary to transfer the catalog zone by setting AXFR-MASTER-TSIG as normal, but then the actual zones don't transfer because PowerDNS doesn't use the TSIG key.

I can work around it by adding the secondaries' IP to allow-axfr-ips on the primary, but this seems not ideal. Did you find any other way to get zones provisioned through a catalog zone to get the settings you were after?

rgacogne commented 5 months ago

Not really, I have an ugly solution where a timer is regularly checking all zones to check if the expected meta-data is set, and setting it otherwise. It works well for my use-case but it's really sad to have to do this out-of-band.

insertjokehere commented 5 months ago

Playing about with this a bit more tonight I've got a workaround - it's powerfully stupid, but it works: use a database trigger to set the domain metadata when a new row is added to the domains table. I'm using SQLite, but it should be straightforward to adapt to PostgreSQL or MySQL:

-- Fires once per row inserted into domains; only secondary zones get the key.
CREATE TRIGGER set_tsig_key
  AFTER INSERT ON domains
  WHEN 
    new.type='SLAVE'
  BEGIN
    -- AXFR-MASTER-TSIG is the domain metadata the secondary uses to sign its AXFR requests.
    INSERT INTO domainmetadata (domain_id, kind, content) VALUES (new.id, 'AXFR-MASTER-TSIG', 'name-of-key-goes-here');
  END;
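As an added example, not code from the PowerDNS project or from anyone in this thread, the following Python script exercises the trigger workaround posted above against a constructed, trimmed-down copy of the `domains` and `domainmetadata` tables, and pairs it with an idempotent reconciler of the kind described earlier in the thread. Everything beyond the trigger shape is an assumption: the schema is reduced to the columns needed here, the trigger fires for both the `SLAVE` and `SECONDARY` type spellings, and the key name `catalog-key`, the `ALLOW-AXFR-FROM` ACL and the zone names are placeholders. The point the script makes is that a trigger only covers rows inserted after it exists; zones already learned need a one-off or timer-driven backfill.

```python
"""
Added example (not from the PowerDNS project or the issue participants):
database-trigger provisioning of domain metadata, plus a reconciler for
zones that predate the trigger. Schema, key name, ACL and zone names are
constructed/assumed for the demonstration.
"""
import sqlite3

# Trimmed-down copy of two tables from the PowerDNS generic SQL schema
# (constructed for this example; the real tables have more columns).
SCHEMA = """
CREATE TABLE domains (
    id   INTEGER PRIMARY KEY,
    name VARCHAR(255) NOT NULL COLLATE NOCASE,
    type VARCHAR(8)   NOT NULL
);
CREATE TABLE domainmetadata (
    id        INTEGER PRIMARY KEY,
    domain_id INT NOT NULL,
    kind      VARCHAR(32) COLLATE NOCASE,
    content   TEXT
);
"""

# Metadata every learned secondary zone should carry. Key name and ACL are
# placeholders (assumption); they must match what the primaries expect.
DEFAULT_METADATA = (
    ("AXFR-MASTER-TSIG", "catalog-key"),  # TSIG key used when pulling AXFR
    ("ALLOW-AXFR-FROM", "192.0.2.0/24"),  # who may AXFR the zone from us
)

SECONDARY_TYPES = ("SLAVE", "SECONDARY")  # both spellings (assumption)


def trigger_sql(kind, content):
    """Trigger in the shape posted above, one per metadata kind, firing for
    either secondary type spelling. Trigger bodies cannot take bound
    parameters, so the values are interpolated: they must come from trusted
    operator config, and quotes are refused to avoid breaking the SQL."""
    if "'" in kind or "'" in content:
        raise ValueError("metadata values may not contain single quotes")
    name = "set_" + kind.lower().replace("-", "_")
    types = ", ".join(f"'{t}'" for t in SECONDARY_TYPES)
    return f"""
CREATE TRIGGER IF NOT EXISTS {name}
  AFTER INSERT ON domains
  WHEN new.type IN ({types})
  BEGIN
    INSERT INTO domainmetadata (domain_id, kind, content)
    VALUES (new.id, '{kind}', '{content}');
  END;
"""


def install_triggers(conn, metadata=DEFAULT_METADATA):
    for kind, content in metadata:
        conn.executescript(trigger_sql(kind, content))


def _metadata_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM domainmetadata").fetchone()[0]


def reconcile(conn, metadata=DEFAULT_METADATA):
    """Out-of-band pass for zones that were already present when the trigger
    was created (a trigger never backfills). Inserts only missing rows, so it
    is safe to run from a timer. Returns the number of rows added."""
    before = _metadata_rows(conn)
    placeholders = ", ".join("?" * len(SECONDARY_TYPES))
    for kind, content in metadata:
        conn.execute(
            f"""
            INSERT INTO domainmetadata (domain_id, kind, content)
            SELECT d.id, ?, ?
              FROM domains d
             WHERE d.type IN ({placeholders})
               AND NOT EXISTS (SELECT 1 FROM domainmetadata m
                                WHERE m.domain_id = d.id AND m.kind = ?)
            """,
            (kind, content, *SECONDARY_TYPES, kind),
        )
    conn.commit()
    return _metadata_rows(conn) - before


def metadata_for(conn, zone):
    """Return {kind: content} for one zone name."""
    rows = conn.execute(
        """SELECT m.kind, m.content FROM domainmetadata m
             JOIN domains d ON d.id = m.domain_id
            WHERE d.name = ?""",
        (zone,),
    ).fetchall()
    return dict(rows)


def demo():
    """Walk through: a zone that predates the trigger, zones added after it
    (as a catalog consumer would add them), and the reconciler catching up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO domains (name, type) VALUES ('old.example', 'SLAVE')")
    conn.commit()
    install_triggers(conn)
    conn.executemany(
        "INSERT INTO domains (name, type) VALUES (?, ?)",
        [("new.example", "SLAVE"), ("newer.example", "SECONDARY"),
         ("local.example", "NATIVE")],
    )
    conn.commit()
    zones = ("old.example", "new.example", "newer.example", "local.example")
    result = {"before_reconcile": {z: metadata_for(conn, z) for z in zones}}
    result["first_reconcile"] = reconcile(conn)   # backfills old.example only
    result["second_reconcile"] = reconcile(conn)  # nothing left to do
    result["after_reconcile"] = {z: metadata_for(conn, z) for z in zones}
    conn.close()
    return result


if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

Running `demo()` shows `old.example` with no metadata until `reconcile()` runs, the two zones inserted after the trigger picking up both rows immediately, and the NATIVE zone untouched. On PostgreSQL the trigger body has to live in a trigger function and MySQL uses its own `CREATE TRIGGER` body syntax, so only the idea transfers verbatim, not the text; the reconciler query is plain SQL and ports as-is.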