From: Evil Eye Date: Wed, 24 Jan 2024 14:40:42 +0000 (+0000) Subject: Add dnsupdate-require-tsig config option X-Git-Tag: rec-5.1.0-alpha1~88^2~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=006dac608959cafb1a5897e3d5c3030e081f4663;p=thirdparty%2Fpdns.git Add dnsupdate-require-tsig config option So zones without keys that are accessible based on IP can be closed off
---
diff --git a/pdns/auth-main.cc b/pdns/auth-main.cc
index 0c9dc4b80e..797d21c3d7 100644
--- a/pdns/auth-main.cc
+++ b/pdns/auth-main.cc
@@ -161,6 +161,7 @@ static void declareArguments()
 ::arg().setSwitch("dnsupdate", "Enable/Disable DNS update (RFC2136) support. Default is no.") = "no";
 ::arg().setSwitch("write-pid", "Write a PID file") = "yes";
 ::arg().set("allow-dnsupdate-from", "A global setting to allow DNS updates from these IP ranges.") = "127.0.0.0/8,::1";
+ ::arg().setSwitch("dnsupdate-require-tsig", "Require TSIG secured DNS updates. Default is no.") = "no";
 ::arg().set("proxy-protocol-from", "A Proxy Protocol header is only allowed from these subnets, and is mandatory then too.") = "";
 ::arg().set("proxy-protocol-maximum-size", "The maximum size of a proxy protocol payload, including the TLV values") = "512";
 ::arg().setSwitch("send-signed-notify", "Send TSIG secured NOTIFY if TSIG key is configured for a zone") = "yes";
diff --git a/pdns/rfc2136handler.cc b/pdns/rfc2136handler.cc
index 0144456b29..9f38fffd2b 100644
--- a/pdns/rfc2136handler.cc
+++ b/pdns/rfc2136handler.cc
@@ -726,6 +726,9 @@ int PacketHandler::processUpdate(DNSPacket& p) {
 g_log<
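Review bot: The help text of the new `dnsupdate-require-tsig` switch does not say how it composes with `allow-dnsupdate-from`, declared on the line directly above it, even though the commit message says the whole purpose is to close off zones that are reachable by IP allowlist alone. With the default of "no" an update from a listed range is presumably still accepted unsigned, so an operator reading the option list needs to be told that "yes" rejects such updates regardless of source address. I would make the description explicit, e.g. `::arg().setSwitch("dnsupdate-require-tsig", "Require TSIG secured DNS updates, even from addresses allowed by allow-dnsupdate-from or zone metadata. Default is no.") = "no";`. The enforcement lives in PacketHandler::processUpdate in the second hunk, whose body runs past the end of this page, so I cannot confirm here where in the update path the check is placed relative to the existing IP and zone-metadata checks; that ordering is what actually determines whether an IP-only zone is closed off.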