Feature-Request: allow-notify-from as per-zone setting

[mjaepel]

• Program: Authoritative
• Issue type: Feature request

Short description

There is a global setting for allow-notify-from in authoritative server settings. But it's not available as per-domain setting in domain metadata.
Please implement it there, too. So it should be consistent with allow-axfr-ips (global) / allow-axfr-from (per-zone)

Usecase

Some special dns setups use different servers / source ips for notifies and axfr. Currently the only way to allow this scenario is to configure the notify IPs globally. But so they could send notifies for all configured domains.
In multi-tenant / shared environments you wouldn't allow an other tenant to notify domains eachother. ;)

Description

It's so simple to explain. See above. :)

[Habbie]

In multi-tenant / shared environments you wouldn't allow an other tenant to notify domains eachother. ;)

This is a serious question: why not?

[mjaepel]

It's one way (of many) to start a DoS attack against DNS servers.
Other reason is that some customers want to control their notifys by their self and not by others. If you plan a big maintenance you want to schedule notifies by your own. It's crucial for success if you send the notify in the correct moment or any one else disrupt your maintenance with a single notify at the wrong time.

Another technically reason is the management of allowed notify ips. If you have thousands domains in one instance you will also have thousand different notify source ips. It's difficult to managed this in only one option.
It's much easier to managed per domain because there will be only a small count of notify ips per domain.

The feature is already implemented globally. So I hope we haven't discuss the sense of the feature itself.
So it would be nice when this feature is adjustable by domain like axfr.

[Habbie]

It's crucial for success if you send the notify in the correct moment or any one else disrupt your maintenance with a single notify at the wrong time.

This does not make sense. If this is true, you already had way bigger problems.

It's much easier to managed per domain because there will be only a small count of notify ips per domain.

But I like this reason.

I have put your request in the 'auth-helpneeded' milestone, which means that we think it's a decent idea, but will not put it on the roadmap for now. If somebody submits a good patch for it, we will merge it.

[aj-gh]

+1
Having this as zone metadata would allow it to be manipulated by non-admins via the API instead of having to add potentially untrusted third party IP addresses into global configuration. Luckily that setup is quite rare otherwise that list might become huge.
As a workaround the notify IP could be added as additional primary but that has the drawback that about a half of all SOA checks will fail unless that IP is also responding to these checks (which is likely not the case otherwise it could be a real primary in the first place).