From 6d0f7f595c669804ae7055986f58af508ef809bd Mon Sep 17 00:00:00 2001
From: Miod Vallat <miod.vallat@open-xchange.com>
Date: Fri, 7 Feb 2025 15:23:59 +0100
Subject: [PATCH] Do not allow dangerous operations on secondary zones unless
 --force.

This applies to: add-record, delete-rrset, edit-zone, increase-serial,
rectify-zone and replace-rrset.

Fixes #11392, #15130
---
 pdns/pdnsutil.cc | 71 +++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 64 insertions(+), 7 deletions(-)

diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc
index d3b1700bcd85..e509344b1aa7 100644
--- a/pdns/pdnsutil.cc
+++ b/pdns/pdnsutil.cc
@@ -61,6 +61,7 @@ string g_programname="pdns";
 
 namespace {
   bool g_verbose;
+  bool g_force;
 }
 
 ArgvMap &arg()
@@ -264,16 +265,24 @@ static bool rectifyAllZones(DNSSECKeeper &dk, bool quiet = false)
   bool result = true;
 
   B.getAllDomains(&domainInfo, false, false);
+  size_t processed{0};
   for(const DomainInfo& di :  domainInfo) {
+    if (di.isSecondaryType() && !g_force) {
+      if (!quiet) {
+        cout << "Skipping non-primary '" << di.zone << "' (use --force to act on it)" << endl;
+      }
+      continue;
+    }
     if (!quiet) {
-      cerr<<"Rectifying "<<di.zone<<": ";
+      cout << "Rectifying " << di.zone << ": ";
     }
+    processed++;
     if (!rectifyZone(dk, di.zone, quiet)) {
       result = false;
     }
   }
   if (!quiet) {
-    cout<<"Rectified "<<domainInfo.size()<<" zones."<<endl;
+    cout << "Rectified " << processed << " zones." << endl;
   }
   return result;
 }
@@ -945,6 +954,15 @@ static int increaseSerial(const DNSName& zone, DNSSECKeeper &dk)
     return -1;
   }
 
+  DomainInfo info;
+  if (!B.getDomainInfo(zone, info, false)) {
+    cout << "[Warning] Unable to get zone information for zone '" << zone << "'" << endl;
+    cout << "Hopefully you know what you are doing and this is a primary zone." << endl;
+  }
+  if (info.isSecondaryType() && !g_force) {
+    throw PDNSException("Operation on a non-primary zone is not allowed unless --force");
+  }
+
   string soaEditKind;
   dk.getSoaEdit(zone, soaEditKind);
 
@@ -1204,6 +1222,28 @@ static int editZone(const DNSName &zone, const PDNSColors& col) {
     return EXIT_FAILURE;
   }
 
+  if (isatty(STDIN_FILENO) == 0) {
+    cerr << "edit-zone requires a terminal" << endl;
+    return EXIT_FAILURE;
+  }
+
+  if (di.isSecondaryType() && !g_force) {
+    cout << "Zone '" << zone << "' is not a primary zone." << endl;
+    while (true) {
+      cout << "Edit the zone anyway? (N/y) " << std::flush;
+      int resp = read1char();
+      if (resp != '\n') {
+        cout << endl;
+      }
+      if (resp == 'y' || resp == 'Y') {
+        break;
+      }
+      if (resp == 'n' || resp == 'N' || resp == '\n') {
+        return EXIT_FAILURE;
+      }
+    }
+  }
+
   /* ensure that the temporary file will only
      be accessible by the current user, not even
      by other users in the same group, and certainly
@@ -1596,6 +1636,9 @@ static int addOrReplaceRecord(bool addOrReplace, const vector<string>& cmds) {
     cerr << "Zone '" << zone << "' does not exist" << endl;
     return EXIT_FAILURE;
   }
+  if (di.isSecondaryType() && !g_force) {
+    throw PDNSException("Operation on a non-primary zone is not allowed unless --force");
+  }
   rr.auth = true;
   rr.domain_id = di.id;
   rr.qname = name;
@@ -1718,6 +1761,9 @@ static int deleteRRSet(const std::string& zone_, const std::string& name_, const
     cerr << "Zone '" << zone << "' does not exist" << endl;
     return EXIT_FAILURE;
   }
+  if (di.isSecondaryType() && !g_force) {
+    throw PDNSException("Operation on a non-primary zone is not allowed unless --force");
+  }
 
   DNSName name;
   if(name_=="@")
@@ -2296,9 +2342,8 @@ static bool secureZone(DNSSECKeeper& dk, const DNSName& zone)
     return false;
   }
 
-  if (di.kind == DomainInfo::Secondary) {
-    cerr << "Warning! This is a secondary zone! If this was a mistake, please run" << endl;
-    cerr<<"pdnsutil disable-dnssec "<<zone<<" right now!"<<endl;
+  if (di.isSecondaryType() && !g_force) {
+    throw PDNSException("Operation on a non-primary zone is not allowed unless --force");
   }
 
   if (!k_algo.empty()) { // Add a KSK
@@ -2343,7 +2388,7 @@ static bool secureZone(DNSSECKeeper& dk, const DNSName& zone)
     return false;
   }
 
-  // rectifyZone(dk, zone);
+  // rectifyZone(dk, zone); // should not be attempted on non-primary!
   // showZone(dk, zone);
   cout<<"Zone "<<zone<<" secured"<<endl;
   return true;
@@ -2673,10 +2718,21 @@ static int rectifyZone(vector<string>& cmds)
     cerr << "Syntax: pdnsutil rectify-zone ZONE [ZONE..]"<<endl;
     return 0;
   }
+  UtilBackend B("default"); // NOLINT(readability-identifier-length)
   DNSSECKeeper dk; //NOLINT(readability-identifier-length)
   int exitCode = 0;
   for(unsigned int n = 1; n < cmds.size(); ++n) { // NOLINT(readability-identifier-length)
-    if (!rectifyZone(dk, DNSName(cmds.at(n)))) {
+    DNSName zone(cmds.at(n));
+    DomainInfo info;
+    if (!B.getDomainInfo(zone, info, false)) {
+      exitCode = 1;
+      continue;
+    }
+    if (info.isSecondaryType() && !g_force) {
+      cout << "Skipping non-primary zone '" << zone << "' (use --force to act on it)" << endl;
+      continue;
+    }
+    if (!rectifyZone(dk, zone)) {
       exitCode = 1;
     }
   }
@@ -4582,6 +4638,7 @@ try
   }
 
   g_verbose = g_vm.count("verbose") != 0;
+  g_force = g_vm.count("force") != 0;
 
   if (g_vm.count("version") != 0) {
     cout<<"pdnsutil "<<VERSION<<endl;