
Extract AXFR_ACL from documentation of `ALLOW-AXFR-FROM`

Open imme-emosol opened this issue 4 months ago • 0 comments

  • Program: Authoritative
  • Issue type: Feature request

Short description

Extract AXFR_ACL from documentation of ALLOW-AXFR-FROM

Usecase

Figure out value(s) that can be configured for ALLOW-AXFR-FROM.

Description

Suggestion to:

  • extract ACL from the ALLOW-AXFR-FROM,
  • rename ACL to AXFR_ACL (assuming that is its only application),
  • rename subnet to netblock (given that a single ip is not a subnet),
  • reword 'slaves' to 'secondaries/slaves',
  • reword 'magical value' to 'value' for 'AUTO-NS',
  • document the overwriting effect of pdnsutil set-meta .. (assumed that it does).

A suggestion in (manual) diff-form, compared to the relevant part in the current documentation on https://doc.powerdns.com/authoritative/domainmetadata.html#allow-axfr-from .

ALLOW-AXFR-FROM

- Per-zone AXFR ACLs can be stored in the domainmetadata table.
+ Access control lists for Zone Transfer (AXFR ACL) can be stored in the domainmetadata table per-Zone.
+ Calling `pdnsutil set-meta <Zone> ALLOW-AXFR-FROM <AXFR_ACLs>` will overwrite the current entry.

Example:

- pdnsutil set-meta powerdns.org ALLOW-AXFR-FROM AUTO-NS 2001:db8::/48
+ pdnsutil set-meta powerdns.org ALLOW-AXFR-FROM <AXFR_ACL#1> <AXFR_ACL#2 etc>

To disallow all IP’s, except those explicitly allowed by domainmetadata records, add allow-axfr-ips= to pdns.conf.

+ AXFR_ACL
+
+ The text AUTO-NS or a single IP optionally affixed with `/<mask>`, comparable to CIDR-notation.
+
- Each ACL specifies one subnet (v4 or v6), or the magical value ‘AUTO-NS’ that tries to allow all potential slaves in.
+ Each AXFR_ACL specifies one netblock (v4 or v6), or the value ‘AUTO-NS’ that tries to allow all potential secondaries/slaves in.
+
+ Examples:
+
+ AUTO-NS
+ 2001:db8::/48

- Each ACL has its own row in the database:
+ Each AXFR_ACL has its own row in the database:

sql> select id from domains where name='example.com';
7
- sql> insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','AUTO-NS');
+ sql> insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','<AXFR_ACL#1>');
- sql> insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','2001:db8::/48');
+ sql> insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','<AXFR_ACL#2>');
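Review bot: the added line `+ Calling \`pdnsutil set-meta <Zone> ALLOW-AXFR-FROM <AXFR_ACLs>\` will overwrite the current entry.` states the overwrite behaviour as fact, while the description above lists it as "(assumed that it does)"; confirm it against pdnsutil before this wording lands in the docs, because an operator relying on it to replace an over-permissive ACL needs it to be true, and the old rows staying behind would silently widen who may transfer the zone. The new AXFR_ACL block also defines the value twice: `+ The text AUTO-NS or a single IP optionally affixed with \`/<mask>\`, comparable to CIDR-notation.` and `+ Each AXFR_ACL specifies one netblock (v4 or v6), or the value ‘AUTO-NS’ ...` say the same thing, so keep one; and since address/mask is CIDR notation, say "in CIDR notation" rather than "comparable to".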

Without the diff.

ALLOW-AXFR-FROM

Access control lists for Zone Transfer (AXFR ACL) can be stored in the domainmetadata table per-Zone. Calling `pdnsutil set-meta <Zone> ALLOW-AXFR-FROM <AXFR_ACLs>` will overwrite the current entry.

Example:

pdnsutil set-meta powerdns.org ALLOW-AXFR-FROM <AXFR_ACL#1> <AXFR_ACL#2 etc.>

To disallow all IPs, except those explicitly allowed by domainmetadata records, add allow-axfr-ips= to pdns.conf.

AXFR_ACL

Each AXFR_ACL specifies one netblock (v4 or v6), or the value ‘AUTO-NS’ that tries to allow all potential secondaries/slaves in.

Each AXFR_ACL has its own row in the database:

sql> select id from domains where name='example.com';
7
sql> insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','<AXFR_ACL#1>');
sql> insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','<AXFR_ACL#2>');

imme-emosol · Mar 21 '24 13:03
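The proposal above defines an AXFR_ACL value as either the literal AUTO-NS or one v4/v6 netblock, with each value in its own domainmetadata row. The following is an added example written for this page, not PowerDNS code and not part of the issue: it parses a zone's ALLOW-AXFR-FROM rows with Python's ipaddress module, lints an exported set of rows, and evaluates whether a requesting address would match, so the "single IP is a /32 or /128 netblock" and "empty ACL denies everyone" points can be checked offline. The SAMPLE_ROWS list is constructed; the `auto_ns_addresses` parameter is this example's stand-in for the NS-address lookup that AUTO-NS implies, not PowerDNS's own resolution logic, and the deny-all-by-default statement follows the documentation passage quoted in the issue (`allow-axfr-ips=` left empty in pdns.conf).

```python
"""Offline checker for PowerDNS ALLOW-AXFR-FROM values (illustrative example,
not PowerDNS code). Each domainmetadata row holds either the literal AUTO-NS or
one IPv4/IPv6 netblock; a bare address counts as a /32 or /128 netblock."""
import ipaddress
from typing import Iterable, List, Sequence, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
AclEntry = Union[str, Network]

AUTO_NS = "AUTO-NS"

# Constructed sample: the content column of three domainmetadata rows for one
# zone, as the SQL inserts in the issue would produce them.
SAMPLE_ROWS = ["AUTO-NS", "2001:db8::/48", "192.0.2.10"]


def parse_acl_entry(entry: str) -> AclEntry:
    """Parse one ALLOW-AXFR-FROM value into AUTO_NS or an ip_network.

    strict=False accepts an entry with host bits set (192.0.2.5/24) and
    normalises it to the network address instead of rejecting it.
    """
    entry = entry.strip()
    if entry == AUTO_NS:
        return AUTO_NS
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError as exc:
        raise ValueError(f"invalid ALLOW-AXFR-FROM entry {entry!r}: {exc}") from exc


def parse_acl(rows: Iterable[str]) -> List[AclEntry]:
    """Parse every row of a zone's ALLOW-AXFR-FROM metadata."""
    return [parse_acl_entry(row) for row in rows]


def lint_rows(rows: Iterable[str]) -> List[str]:
    """Return one message per row that does not parse; an empty list means clean.

    Meant for the output of
    select content from domainmetadata where kind='ALLOW-AXFR-FROM'
    before trusting the ACL that is actually stored.
    """
    problems = []
    for row in rows:
        try:
            parse_acl_entry(row)
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def axfr_allowed(requester: str, acl: Sequence[AclEntry],
                 auto_ns_addresses: Sequence[str] = ()) -> bool:
    """Return True if `requester` matches any ACL entry.

    AUTO-NS implies looking up the addresses of the zone's NS records; here the
    caller supplies them (auto_ns_addresses) so the check runs offline. That
    stand-in is an assumption of this example, not PowerDNS's lookup logic.
    An empty ACL denies everyone, which per the documentation quoted in the
    issue is what a zone without metadata rows gets once `allow-axfr-ips=` in
    pdns.conf is left empty.
    """
    addr = ipaddress.ip_address(requester)
    for item in acl:
        if item == AUTO_NS:
            if any(addr == ipaddress.ip_address(ns) for ns in auto_ns_addresses):
                return True
        elif addr.version == item.version and addr in item:
            return True
    return False


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ROWS)
    for who in ["2001:db8:0:1::5", "2001:db8:1::5", "192.0.2.10", "192.0.2.11"]:
        print(f"{who:>18} -> {'allow' if axfr_allowed(who, acl) else 'deny'}")
    # A constructed NS address is only admitted through the AUTO-NS entry.
    print(axfr_allowed("198.51.100.3", acl, auto_ns_addresses=["198.51.100.3"]))
    print(lint_rows(["AUTO-NS", "2001:db8::/129", "not-an-ip"]))
```

Run it against a dump of the domainmetadata rows for a zone to see which requesters the stored ACL really admits; a bare address such as 192.0.2.10 parses to 192.0.2.10/32, which is why the proposal's "netblock" wording fits better than "subnet".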