Unverified Commit 3c1c5600 authored by mrobbetts's avatar mrobbetts Committed by GitHub

bind: replace hard-coded `allow-query` zone setting with a real zone parameter. (#224776)

parent 8d474038
+2 −0
@@ -385,6 +385,8 @@ In addition to numerous new and upgraded packages, this release has the followin

- Lisp gained a [manual section](https://nixos.org/manual/nixpkgs/stable/#lisp), documenting a new and backwards incompatible interface. The previous interface will be removed in a future release.

- The `bind` module now allows the per-zone `allow-query` setting to be configured (previously it was hard-coded to `any`; it still defaults to `any` to retain compatibility).

## Detailed migration information {#sec-release-23.05-migration}

### Pipewire configuration overrides {#sec-release-23.05-migration-pipewire}
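--- a/<PATH-NOT-SHOWN-ON-PAGE>
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -36,6 +36,17 @@ let
         description = lib.mdDoc "Addresses who may request zone transfers.";
         default = [ ];
       };
+      allowQuery = mkOption {
+        type = types.listOf types.str;
+        description = lib.mdDoc ''
+          List of address ranges allowed to query this zone. Instead of the address(es), this may instead
+          contain the single string "any".
+
+          NOTE: This overrides the global-level `allow-query` setting, which is set to the contents
+          of `cachenetworks`.
+        '';
+        default = [ "any" ];
+      };
       extraConfig = mkOption {
         type = types.str;
         description = lib.mdDoc "Extra zone config to be appended at the end of the zone section.";
@@ -69,7 +80,7 @@ let
       ${cfg.extraConfig}
 
       ${ concatMapStrings
-          ({ name, file, master ? true, slaves ? [], masters ? [], extraConfig ? "" }:
+          ({ name, file, master ? true, slaves ? [], masters ? [], allowQuery ? [], extraConfig ? "" }:
             ''
               zone "${name}" {
                 type ${if master then "master" else "slave"};
@@ -87,7 +98,7 @@ let
                      };
                    ''
                 }
-                allow-query { any; };
+                allow-query { ${concatMapStrings (ip: "${ip}; ") allowQuery}};
                 ${extraConfig}
               };
             '')
@@ -120,7 +131,9 @@ in
         description = lib.mdDoc ''
           What networks are allowed to use us as a resolver.  Note
           that this is for recursive queries -- all networks are
-          allowed to query zones configured with the `zones` option.
+          allowed to query zones configured with the `zones` option
+          by default (although this may be overridden within each
+          zone's configuration, via the `allowQuery` option).
           It is recommended that you limit cacheNetworks to avoid your
           server being used for DNS amplification attacks.
         '';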
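Review bot: The destructuring fallback `allowQuery ? []` in the zone-rendering function disagrees with the option default `[ "any" ]` declared a few lines earlier: if a zone attrset ever reaches this function without an `allowQuery` key, the template renders `allow-query { };`, which in named.conf is an empty ACL and denies all queries, silently replacing the previous hard-coded `any` rather than preserving it as the commit message promises. Whether that path is reachable depends on the type of the `zones` option, which is outside this hunk, but making the fallback match the declared default removes the risk either way: `({ name, file, master ? true, slaves ? [], masters ? [], allowQuery ? [ "any" ], extraConfig ? "" }:`. The new option description in the first hunk also refers to `cachenetworks`, while the option is spelled `cacheNetworks` in the last hunk; the docstring should use the real option name so readers can find it.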