transfer: reply with refused (#4510)

* transfer: reply with refused

When the *transfer* plugin is not loaded and of the handlers will still
see the AXFR/IXFR request because it is not intercepted.

They need to reply with REFUSED in that case. Update file, auto and k8s
to do this. Add testcase in the file plugin.

Ideally *erratic* should be moved over as well, but maybe that's
*erratic*

This is a bug fix.

Signed-off-by: Miek Gieben <miek@miek.nl>

* import path

Signed-off-by: Miek Gieben <miek@miek.nl>

1 files changed, 2 insertions, 0 deletions

diff --git a/plugin/kubernetes/handler.go b/plugin/kubernetes/handler.go
index 57e9ac528..0bf4b12af 100644
--- a/plugin/kubernetes/handler.go
+++ b/plugin/kubernetes/handler.go
@@ -44,6 +44,8 @@ func (k Kubernetes) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.M
 		records, extra, err = plugin.SRV(ctx, &k, zone, state, plugin.Options{})
 	case dns.TypeSOA:
 		records, err = plugin.SOA(ctx, &k, zone, state, plugin.Options{})
+	case dns.TypeAXFR, dns.TypeIXFR:
+		return dns.RcodeRefused, nil
 	case dns.TypeNS:
 		if state.Name() == zone {
 			records, extra, err = plugin.NS(ctx, &k, zone, state, plugin.Options{})