Do not allow inappropriate operations on secondary zones.

These are: add-record, delete-rrset, increase-serial, rectify-zone,
replace-rrset.

Fixes #15130

pdns/pdnsutil.cc

@@ -186,6 +186,8 @@ class UtilBackend : public UeberBackend
   UtilBackend& operator=(const UtilBackend&) = delete;
   UtilBackend& operator=(UtilBackend&&) = delete;
   ~UtilBackend();
+
+  bool getPrimaryDomainInfo(const DNSName& zone, DomainInfo& info, bool getSerial = true);
 };
 
 UtilBackend::~UtilBackend()
@@ -197,6 +199,19 @@ UtilBackend::~UtilBackend()
   }
 }
 
+// This is similar to getDomainInfo, but will throw an exception if the
+// domain is not a primary.
+bool UtilBackend::getPrimaryDomainInfo(const DNSName& zone, DomainInfo& info, bool getSerial)
+{
+  bool ret = getDomainInfo(zone, info, getSerial);
+  if (ret) {
+    if (info.isSecondaryType()) {
+      throw PDNSException("Operation on a non-primary zone is not allowed");
+    }
+  }
+  return ret;
+}
+
 static bool rectifyZone(DNSSECKeeper& dk, const DNSName& zone, bool quiet = false, bool rectifyTransaction = true)
 {
   string output;
@@ -264,16 +279,24 @@ static bool rectifyAllZones(DNSSECKeeper &dk, bool quiet = false)
   bool result = true;
 
   B.getAllDomains(&domainInfo, false, false);
+  size_t processed{0};
   for(const DomainInfo& di :  domainInfo) {
+    if (di.isSecondaryType()) {
+      if (!quiet) {
+        cerr<<"Skipping non-primary "<<di.zone<<endl;
+      }
+      continue;
+    }
     if (!quiet) {
       cerr<<"Rectifying "<<di.zone<<": ";
     }
+    processed++;
     if (!rectifyZone(dk, di.zone, quiet)) {
       result = false;
     }
   }
   if (!quiet) {
-    cout<<"Rectified "<<domainInfo.size()<<" zones."<<endl;
+    cout<<"Rectified "<<processed<<" zones."<<endl;
   }
   return result;
 }
@@ -945,6 +968,12 @@ static int increaseSerial(const DNSName& zone, DNSSECKeeper &dk)
     return -1;
   }
 
+  DomainInfo info;
+  if (!B.getPrimaryDomainInfo(zone, info, false)) {
+    cout << "[Warning] Unable to get zone information for zone '" << zone << "'" << endl;
+    cout << "Hopefully you know what you are doing and this is a primary zone." << endl;
+  }
+
   string soaEditKind;
   dk.getSoaEdit(zone, soaEditKind);
 
@@ -1592,7 +1621,7 @@ static int addOrReplaceRecord(bool addOrReplace, const vector<string>& cmds) {
 
   UtilBackend B; //NOLINT(readability-identifier-length)
   DomainInfo di;
-  if(!B.getDomainInfo(zone, di)) {
+  if(!B.getPrimaryDomainInfo(zone, di)) {
     cerr << "Zone '" << zone << "' does not exist" << endl;
     return EXIT_FAILURE;
   }
@@ -1714,7 +1743,7 @@ static int deleteRRSet(const std::string& zone_, const std::string& name_, const
   UtilBackend B; //NOLINT(readability-identifier-length)
   DomainInfo di;
   DNSName zone(zone_);
-  if(!B.getDomainInfo(zone, di)) {
+  if(!B.getPrimaryDomainInfo(zone, di)) {
     cerr << "Zone '" << zone << "' does not exist" << endl;
     return EXIT_FAILURE;
   }
@@ -2343,7 +2372,7 @@ static bool secureZone(DNSSECKeeper& dk, const DNSName& zone)
     return false;
   }
 
-  // rectifyZone(dk, zone);
+  // rectifyZone(dk, zone); // should not be attempted on non-primary!
   // showZone(dk, zone);
   cout<<"Zone "<<zone<<" secured"<<endl;
   return true;
@@ -2673,10 +2702,21 @@ static int rectifyZone(vector<string>& cmds)
     cerr << "Syntax: pdnsutil rectify-zone ZONE [ZONE..]"<<endl;
     return 0;
   }
+  UtilBackend B("default"); // NOLINT(readability-identifier-length)
   DNSSECKeeper dk; //NOLINT(readability-identifier-length)
   int exitCode = 0;
   for(unsigned int n = 1; n < cmds.size(); ++n) { // NOLINT(readability-identifier-length)
-    if (!rectifyZone(dk, DNSName(cmds.at(n)))) {
+    DNSName zone(cmds.at(n));
+    DomainInfo info;
+    if (!B.getDomainInfo(zone, info, false)) {
+      exitCode = 1;
+      continue;
+    }
+    if (info.isSecondaryType()) {
+      cout << "Skipping non-primary zone '" << zone << "'" << endl;
+      continue;
+    }
+    if (!rectifyZone(dk, zone)) {
       exitCode = 1;
     }
   }