qbit/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/bind: Fix cacheNetworks option

Browse Source 
services.bind.cacheNetworks should only apply to recursive queryies, as
per the option documentation:
> Note that this is for recursive queries – all networks are allowed to
> query zones configured with the zones option by default [...].

This would correspond to the `allow-query-cache` option in named.conf,
as per the BIND docs[1]:
> Specifies which hosts (an IP address list) can access this server’s
> cache and thus effectively controls recursion.

And not `allow-query`, which restricts all requests (including requests
where the server has authority) [2]:
> Specifies which hosts (an IP address list) are allowed to send queries
> to this resolver.
> [...]
> Note:
> `allow-query-cache` is used to specify access to the cache.

[1]: https://bind9.readthedocs.io/en/v9.20.0/reference.html#namedconf-statement-allow-query-cache
[2]: https://bind9.readthedocs.io/en/v9.20.0/reference.html#namedconf-statement-allow-query
This commit is contained in:
TobTobXX 2024-08-19 16:07:59 +02:00
parent f17c1d575a
commit 26fbd1adbe
No known key found for this signature in database
GPG Key ID: 296BD5C23B2F830E
2 changed files with 4 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
nixos/doc/manual/release-notes/rl-2411.section.md
View File

@ -900,7 +900,9 @@
- `freecad` now supports addons and custom configuration in nix-way, which can be used by calling `freecad.customize`. - `freecad` now supports addons and custom configuration in nix-way, which can be used by calling `freecad.customize`.
## Detailed Migration Information {#sec-release-24.11-migration} - `bind.cacheNetworks` now only controls access for recursive queries, where it previously controlled access for all queries.
## Detailed migration information {#sec-release-24.11-migration}
### `sound` options removal {#sec-release-24.11-migration-sound} ### `sound` options removal {#sec-release-24.11-migration-sound}

5
nixos/modules/services/networking/bind.nix
View File

@ -38,9 +38,6 @@ let
description = '' description = ''
List of address ranges allowed to query this zone. Instead of the address(es), this may instead List of address ranges allowed to query this zone. Instead of the address(es), this may instead
contain the single string "any". contain the single string "any".
NOTE: This overrides the global-level `allow-query` setting, which is set to the contents
of `cachenetworks`.
''; '';
default = [ "any" ]; default = [ "any" ];
}; };
@ -65,7 +62,7 @@ let
options { options {
listen-on { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOn} }; listen-on { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOn} };
listen-on-v6 { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOnIpv6} }; listen-on-v6 { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOnIpv6} };
allow-query { cachenetworks; }; allow-query-cache { cachenetworks; };
blackhole { badnetworks; }; blackhole { badnetworks; };
forward ${cfg.forward}; forward ${cfg.forward};
forwarders { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.forwarders} }; forwarders { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.forwarders} };