Some things you should do when handling untrusted zone files.

diff --git a/docs/lua-records/index.rst b/docs/lua-records/index.rst
index dbde1185c2f3a01b8e5da300bb63c19e812ce580..dad201f082c6adf8fbaa5c66a1bf4d017b601ac4 100644 (file)
--- a/docs/lua-records/index.rst
+++ b/docs/lua-records/index.rst
@@ -177,6 +177,8 @@ separate records. The full example from above can also be written as::
                                   "return ifurlup('https://www.lua.org/',        "
                                   "{EUips, USAips}, settings)                    " )
 
+.. _lua-details-security:
+
 Details & Security
 ------------------
 LUA records are synthesized on query. They can also be transferred via AXFR

diff --git a/docs/security.rst b/docs/security.rst
index d6428d8d701809dfc97074da9d9fe344f0b5517d..48da313aa3a815a9123e5e1b9184d249796e84b1 100644 (file)
--- a/docs/security.rst
+++ b/docs/security.rst
@@ -60,3 +60,19 @@ Separation will enhance your database security highly. Recommended.
 .. _securitypolling:
 
 .. include:: common/secpoll.rst
+
+Trusting zone files
+-------------------
+In some scenarios the PowerDNS server must handle zone files coming from an untrusted third party.
+For these cases, it is recommended to take extra protective measures in addition to the measures above:
+
+- Set :ref:`setting-max-generate-steps` to a low number, this will limit the amount of resources used by rogue ``$GENERATE`` templates.
+- Set :ref:`setting-max-include-depth` to ``0``, this will disallow the ``$INCLUDE`` directive, avoiding problems with include loops and related issues.
+- Set :ref:`setting-enable-lua-records` to ``no``, this will disable :ref:`Lua Records<lua-details-security>`.
+
+Depending on your specific requirements, it might be good perform checks on zone files before loading the zone into PowerDNS to:
+
+- Enforce reasonable ``TTL`` values.
+- Enforce reasonable values in the ``SOA`` records.
+- Validate delegations.
+