Clarify allow-axfr-ips behaviour in combination with TSIG

author Frank Louwers <frank@louwers.be>

Fri, 29 May 2020 13:37:58 +0000 (15:37 +0200)

committer Frank Louwers <frank@louwers.be>

Fri, 29 May 2020 13:37:58 +0000 (15:37 +0200)
author Frank Louwers <frank@louwers.be>
Fri, 29 May 2020 13:37:58 +0000 (15:37 +0200)
committer Frank Louwers <frank@louwers.be>
Fri, 29 May 2020 13:37:58 +0000 (15:37 +0200)
diff --git a/docs/settings.rst b/docs/settings.rst

index 8de9398fbc311e22e5a5bab4630c67eb732a7b9c..356de1024981ebfc6ec50abcf0aedb2116ff6b73 100644 (file)
--- a/docs/settings.rst
+++ b/docs/settings.rst
@@ -35,7 +35,12 @@ Allow 8 bit DNS queries.
  -  Default: 127.0.0.0/8,::1
  
  If set, only these IP addresses or netmasks will be able to perform
-AXFR.
+AXFR without TSIG.
+
+.. warning::
+   This setting only applies to AXFR without TSIG keys. If you allow a TSIG key to perform an AXFR,
+   this setting will not be checked for that transfer, and the client will be able to perform the AXFR
+   from everywhere.
  
  .. _setting-allow-dnsupdate-from:
  
diff --git a/docs/tsig.rst b/docs/tsig.rst

index 0716c9487e0ffee0bd5db71b97e87d28d4b7a881..91ffaa7e7a267be30528cead5642c2feeba7335a 100644 (file)
--- a/docs/tsig.rst
+++ b/docs/tsig.rst
@@ -33,6 +33,10 @@ with the key name in the content field. For example::
  
      $ dig -t axfr powerdnssec.org @127.0.0.1 -y 'test:kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys='
  
+.. warning::
+  Any host with the correct TSIG key will be able to perform the AXFR, even
+  if the host is not within the define ``allow-axfr-ips`` ranges.
+
  Another way of importing and activating TSIG keys into the database is using
  :doc:`pdnsutil <manpages/pdnsutil.1>`:
author	Frank Louwers <frank@louwers.be>
	Fri, 29 May 2020 13:37:58 +0000 (15:37 +0200)
committer	Frank Louwers <frank@louwers.be>
	Fri, 29 May 2020 13:37:58 +0000 (15:37 +0200)
docs/settings.rst		patch \| blob \| blame \| history
docs/tsig.rst		patch \| blob \| blame \| history