pdns
Extract AXFR_ACL from documentation of `ALLOW-AXFR-FROM`
- Program: Authoritative
- Issue type: Feature request
Short description
Extract AXFR_ACL from documentation of ALLOW-AXFR-FROM
Usecase
Figure out value(s) that can be configured for ALLOW-AXFR-FROM.
Description
Suggestion to:
- extract ACL from the `ALLOW-AXFR-FROM`,
- rename ACL to AXFR_ACL (assuming that is its only application),
- rename subnet to netblock (given that a single IP is not a subnet),
- reword 'slaves' to 'secondaries/slaves',
- reword 'magical value' to 'value' for 'AUTO-NS',
- document the overwriting effect of `pdnsutil set-meta ..` (assumed that it does).
A suggestion in (manual) diff-form, compared to the relevant part in the current documentation on https://doc.powerdns.com/authoritative/domainmetadata.html#allow-axfr-from.
ALLOW-AXFR-FROM
- Per-zone AXFR ACLs can be stored in the domainmetadata table.
+ Access control lists for Zone Transfer (AXFR ACL) can be stored in the domainmetadata table per-Zone.
+ Calling `pdnsutil set-meta <Zone> ALLOW-AXFR-FROM <AXFR_ACLs>` will overwrite the current entry.
Example:
- pdnsutil set-meta powerdns.org ALLOW-AXFR-FROM AUTO-NS 2001:db8::/48
+ pdnsutil set-meta powerdns.org ALLOW-AXFR-FROM <AXFR_ACL#1> <AXFR_ACL#2 etc>
To disallow all IP’s, except those explicitly allowed by domainmetadata records, add allow-axfr-ips= to pdns.conf.
+ AXFR_ACL
+
+ The text AUTO-NS or a single IP optionally affixed with `/<mask>`, comparable to CIDR-notation.
+
- Each ACL specifies one subnet (v4 or v6), or the magical value ‘AUTO-NS’ that tries to allow all potential slaves in.
+ Each AXFR_ACL specifies one netblock (v4 or v6), or the value ‘AUTO-NS’ that tries to allow all potential secondaries/slaves in.
+
+ Examples:
+
+ AUTO-NS
+ 2001:db8::/48
- Each ACL has its own row in the database:
+ Each AXFR_ACL has its own row in the database:
sql> select id from domains where name='example.com';
7
- sql> insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','AUTO-NS');
+ sql> insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','<AXFR_ACL#1>');
- sql> insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','2001:db8::/48');
+ sql> insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','<AXFR_ACL#2>');
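Review bot: the added line `+ Calling pdnsutil set-meta <Zone> ALLOW-AXFR-FROM <AXFR_ACLs> will overwrite the current entry.` states as fact what the issue's own list marks as an assumption ("assumed that it does"); the overwrite behaviour should be confirmed before this wording lands in the documentation. Two smaller points in the same hunk: `+ The text AUTO-NS or a single IP optionally affixed with /<mask>, comparable to CIDR-notation.` describes CIDR notation itself, so saying so directly (a single address, or a netblock in CIDR notation such as `2001:db8::/48`) reads better than "comparable to"; and replacing the concrete values `AUTO-NS 2001:db8::/48` in the `pdnsutil set-meta` and `insert into domainmetadata` examples with `<AXFR_ACL#1>` / `<AXFR_ACL#2>` placeholders removes the only worked values a reader sees in those commands, so keeping one concrete example next to the placeholder form would help.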
Without the diff.
ALLOW-AXFR-FROM
Access control lists for Zone Transfer (AXFR ACL) can be stored in the domainmetadata table per-Zone. Calling `pdnsutil set-meta <Zone> ALLOW-AXFR-FROM <AXFR_ACLs>` will overwrite the current entry.
Example:
pdnsutil set-meta powerdns.org ALLOW-AXFR-FROM <AXFR_ACL#1> <AXFR_ACL#2 etc.>
To disallow all IP’s, except those explicitly allowed by domainmetadata records, add allow-axfr-ips= to pdns.conf.
AXFR_ACL
Each AXFR_ACL specifies one netblock (v4 or v6), or the value ‘AUTO-NS’ that tries to allow all potential secondaries/slaves in.
Each AXFR_ACL has its own row in the database:
```
sql> select id from domains where name='example.com';
7
sql> insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','<AXFR_ACL#1>');
sql> insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','<AXFR_ACL#2>');
```
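The ACL semantics described above (each AXFR_ACL is one netblock, v4 or v6, or the value AUTO-NS; each entry gets its own domainmetadata row), as an added Python example that is not part of this issue or of PowerDNS: it validates candidate ALLOW-AXFR-FROM entries before they are written to domainmetadata, builds the per-entry rows, and checks whether a given client address would be matched. Treating a bare address as a /32 or /128 netblock, and expanding AUTO-NS through a caller-supplied list of the zone's nameserver addresses, are assumptions made for the example, not behaviour documented on this page.

```python
"""Validate and evaluate ALLOW-AXFR-FROM style ACL entries.

Added example, not PowerDNS code. Rules mirrored from the issue text:
  * each entry is one netblock (IPv4 or IPv6) or the literal AUTO-NS;
  * each entry is stored as its own domainmetadata row.
Assumptions of this example (not stated on the page):
  * a bare address is a /32 or /128 netblock;
  * AUTO-NS matches the zone's nameserver addresses, which the caller
    supplies (how PowerDNS discovers them is out of scope here).
"""
import ipaddress
from typing import Iterable, List, Tuple, Union

AUTO_NS = "AUTO-NS"
KIND = "ALLOW-AXFR-FROM"
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_axfr_acl(entry: str) -> Union[str, Network]:
    """Return AUTO_NS for the sentinel, otherwise a validated ip_network.

    strict=True (the default) rejects values such as 192.0.2.1/24 whose
    host bits are set, so a typo cannot silently widen the netblock.
    Raises ValueError for anything that is neither AUTO-NS nor a netblock.
    """
    value = entry.strip()
    if value == AUTO_NS:
        return AUTO_NS
    try:
        return ipaddress.ip_network(value)
    except ValueError as exc:
        raise ValueError(
            f"invalid {KIND} entry {entry!r}: expected {AUTO_NS} or a "
            f"netblock in CIDR notation ({exc})"
        ) from exc


def is_valid_axfr_acl(entry: str) -> bool:
    """Boolean wrapper around parse_axfr_acl for pre-insert checks."""
    try:
        parse_axfr_acl(entry)
        return True
    except ValueError:
        return False


def domainmetadata_rows(domain_id: int, entries: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Build one (domain_id, kind, content) row per entry, validating each.

    Content is stored as written (after stripping whitespace) so the
    rows correspond to what the documentation shows for the table.
    """
    rows = []
    for entry in entries:
        parse_axfr_acl(entry)  # raises on a malformed entry
        rows.append((domain_id, KIND, entry.strip()))
    return rows


def axfr_allowed(client_ip: str, entries: Iterable[str],
                 zone_ns_ips: Iterable[str] = ()) -> bool:
    """Return True if client_ip is covered by any entry.

    A netblock entry matches when the client address lies inside it
    (address-family mismatches never match). AUTO-NS matches when the
    client address equals one of the supplied nameserver addresses.
    """
    client = ipaddress.ip_address(client_ip)
    ns_addresses = {ipaddress.ip_address(ns) for ns in zone_ns_ips}
    for entry in entries:
        parsed = parse_axfr_acl(entry)
        if parsed == AUTO_NS:
            if client in ns_addresses:
                return True
            continue
        if client.version == parsed.version and client in parsed:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values, echoing the documentation example.
    acl = ["AUTO-NS", "2001:db8::/48"]
    for row in domainmetadata_rows(7, acl):
        print(row)
    print(axfr_allowed("2001:db8:0:1::5", acl))                      # True
    print(axfr_allowed("192.0.2.53", acl, zone_ns_ips=["192.0.2.53"]))  # True
    print(is_valid_axfr_acl("192.0.2.1/24"))                           # False
```

Running the validation before `pdnsutil set-meta` or a direct `insert into domainmetadata` catches malformed entries early; the database itself will accept any string in the content column.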