authorGravatar Chris O'Haver <cohaver@infoblox.com> 2021-08-13 11:02:00 -0400
committerGravatar GitHub <noreply@github.com> 2021-08-13 11:02:00 -0400
commit88d94dc148d91b8d629f0005163135ebc0810e82 (patch)
tree6384ce4bb6f8a49fbdb5fb05a13fcdb3a7de1f62 /plugin
parent5aae49cee59cc48ff799bddb1b447aeafcc41b85 (diff)
plugin/kubernetes: Only answer transfer requests for authoritative zones (#4802)
* check for zone match Signed-off-by: Chris O'Haver <cohaver@infoblox.com>
Diffstat (limited to 'plugin')
-rw-r--r--plugin/kubernetes/xfr.go4
-rw-r--r--plugin/kubernetes/xfr_test.go17
2 files changed, 21 insertions, 0 deletions
diff --git a/plugin/kubernetes/xfr.go b/plugin/kubernetes/xfr.go
index b82c4d144..38899acf0 100644
--- a/plugin/kubernetes/xfr.go
+++ b/plugin/kubernetes/xfr.go
@@ -18,6 +18,10 @@ import (
// Transfer implements the transfer.Transfer interface.
func (k *Kubernetes) Transfer(zone string, serial uint32) (<-chan []dns.RR, error) {
+ match := plugin.Zones(k.Zones).Matches(zone)
+ if match == "" {
+ return nil, transfer.ErrNotAuthoritative
+ }
// state is not used here, hence the empty request.Request{]
soa, err := plugin.SOA(context.TODO(), k, zone, request.Request{}, plugin.Options{})
if err != nil {
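Review bot: The guard added at the top of Transfer only rejects names that match none of `k.Zones`; `match` is not used again in the visible lines, and `plugin.SOA` is still called with the caller's `zone`. Since `plugin.Zones.Matches` is a longest-suffix match, a transfer request for a name below an authoritative apex (for example a label under `cluster.local.`) would presumably still pass this check. If only the apex should be transferable, compare the two, e.g. `if match == "" || !strings.EqualFold(match, dns.Fqdn(zone)) {` (this needs `strings` in the import block if it is not already there); otherwise a comment such as `// names below an authoritative zone are accepted on purpose` would record the intent. Transfer's body continues outside the hunk.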
diff --git a/plugin/kubernetes/xfr_test.go b/plugin/kubernetes/xfr_test.go
index 45044463b..61e5d0af6 100644
--- a/plugin/kubernetes/xfr_test.go
+++ b/plugin/kubernetes/xfr_test.go
@@ -5,9 +5,26 @@ import (
"strings"
"testing"
+ "github.com/coredns/coredns/plugin/transfer"
+
"github.com/miekg/dns"
)
+func TestKubernetesTransferNonAuthZone(t *testing.T) {
+ k := New([]string{"cluster.local."})
+ k.APIConn = &APIConnServeTest{}
+ k.Namespaces = map[string]struct{}{"testns": {}, "kube-system": {}}
+ k.localIPs = []net.IP{net.ParseIP("10.0.0.10")}
+
+ dnsmsg := &dns.Msg{}
+ dnsmsg.SetAxfr("example.com")
+
+ _, err := k.Transfer("example.com", 0)
+ if err != transfer.ErrNotAuthoritative {
+ t.Error(err)
+ }
+}
+
func TestKubernetesAXFR(t *testing.T) {
k := New([]string{"cluster.local."})
k.APIConn = &APIConnServeTest{}
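Review bot: In TestKubernetesTransferNonAuthZone the `dnsmsg` value is built with `SetAxfr` and never used, so those two lines can be dropped, and on failure `t.Error(err)` prints only the error (or `<nil>`) without saying what was expected. Something like `if !errors.Is(err, transfer.ErrNotAuthoritative) { t.Errorf("expected %v, got %v", transfer.ErrNotAuthoritative, err) }` makes a regression of the authorization check readable; `errors` would need importing if the test file does not already have it. The test also covers only an unrelated zone, so a second case for a name underneath `cluster.local.` would pin down how sub-names are meant to be handled.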