From 26fbd1adbe13cbe7205a16e8c0eca9ba99139642 Mon Sep 17 00:00:00 2001
From: TobTobXX
Date: Mon, 19 Aug 2024 16:07:59 +0200
Subject: [PATCH] nixos/bind: Fix cacheNetworks option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

services.bind.cacheNetworks should only apply to recursive queryies, as per the option documentation:
> Note that this is for recursive queries – all networks are allowed to
> query zones configured with the zones option by default [...].
This would correspond to the `allow-query-cache` option in named.conf, as per the BIND docs[1]:
> Specifies which hosts (an IP address list) can access this server’s
> cache and thus effectively controls recursion.
And not `allow-query`, which restricts all requests (including requests where the server has authority) [2]:
> Specifies which hosts (an IP address list) are allowed to send queries
> to this resolver.
> [...]
> Note:
> `allow-query-cache` is used to specify access to the cache.
[1]: https://bind9.readthedocs.io/en/v9.20.0/reference.html#namedconf-statement-allow-query-cache
[2]: https://bind9.readthedocs.io/en/v9.20.0/reference.html#namedconf-statement-allow-query
---
 nixos/doc/manual/release-notes/rl-2411.section.md | 4 +++-
 nixos/modules/services/networking/bind.nix | 5 +----
 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
index 4a6bf60a6c24..ab018c6ac5aa 100644
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -900,7 +900,9 @@
 - `freecad` now supports addons and custom configuration in nix-way, which can be used by calling `freecad.customize`.
-## Detailed Migration Information {#sec-release-24.11-migration}
+- `bind.cacheNetworks` now only controls access for recursive queries, where it previously controlled access for all queries.
+
+## Detailed migration information {#sec-release-24.11-migration}
 ### `sound` options removal {#sec-release-24.11-migration-sound}
diff --git a/nixos/modules/services/networking/bind.nix b/nixos/modules/services/networking/bind.nix
index 6079062db6c3..41c099cd130c 100644
--- a/nixos/modules/services/networking/bind.nix
+++ b/nixos/modules/services/networking/bind.nix
@@ -38,9 +38,6 @@ let
 description = ''
 List of address ranges allowed to query this zone. Instead of the address(es),
 this may instead contain the single string "any".
-
- NOTE: This overrides the global-level `allow-query` setting, which is set to the contents
- of `cachenetworks`.
 '';
 default = [ "any" ];
 };
@@ -65,7 +62,7 @@ let
 options {
 listen-on { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOn} };
 listen-on-v6 { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOnIpv6} };
- allow-query { cachenetworks; };
+ allow-query-cache { cachenetworks; };
 blackhole { badnetworks; };
 forward ${cfg.forward};
 forwarders { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.forwarders} };
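Review bot: The recursion boundary now rests on BIND's default chaining rather than on an explicit statement: with only `allow-query-cache { cachenetworks; };` in the `options` block, recursion for hosts outside `cacheNetworks` is refused because, per the BIND reference, `allow-recursion` falls back to the `allow-query-cache` value when that is set, which is the "thus effectively controls recursion" behaviour the commit message quotes. Adding `allow-recursion { cachenetworks; };` directly after the changed line states the intended restriction in the generated named.conf itself, so it survives a later edit that sets either ACL on its own. Dropping the global `allow-query` also means hosts outside `cacheNetworks` can now reach authoritative zone data, since the per-zone `allowQuery` in the preceding bind.nix hunk defaults to `[ "any" ]`; the release-note entry would be clearer if it said that operators who relied on the old global restriction should set `allowQuery` per zone. The `options {` block opened in this hunk closes outside it.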