From: Frank Louwers Date: Fri, 29 May 2020 13:37:58 +0000 (+0200) Subject: Clarify allow-axfr-ips behaviour in combination with TSIG X-Git-Tag: dnsdist-1.5.0-rc3~28^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=628cefe500ba6797d20502f5ec672ea2fba6afc3;p=thirdparty%2Fpdns.git Clarify allow-axfr-ips behaviour in combination with TSIG --- diff --git a/docs/settings.rst b/docs/settings.rst index 8de9398fbc..356de10249 100644 --- a/docs/settings.rst +++ b/docs/settings.rst @@ -35,7 +35,12 @@ Allow 8 bit DNS queries. - Default: 127.0.0.0/8,::1 If set, only these IP addresses or netmasks will be able to perform -AXFR. +AXFR without TSIG. + +.. warning:: + This setting only applies to AXFR without TSIG keys. If you allow a TSIG key to perform an AXFR, + this setting will not be checked for that transfer, and the client will be able to perform the AXFR + from everywhere. .. _setting-allow-dnsupdate-from: diff --git a/docs/tsig.rst b/docs/tsig.rst index 0716c9487e..91ffaa7e7a 100644 --- a/docs/tsig.rst +++ b/docs/tsig.rst @@ -33,6 +33,10 @@ with the key name in the content field. For example:: $ dig -t axfr powerdnssec.org @127.0.0.1 -y 'test:kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=' +.. warning:: + Any host with the correct TSIG key will be able to perform the AXFR, even + if the host is not within the define ``allow-axfr-ips`` ranges. + Another way of importing and activating TSIG keys into the database is using :doc:`pdnsutil `:
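Review bot: In the docs/settings.rst hunk, the new warning ends with "from everywhere", which is vague for a statement about access control; "from any source IP address" would make it clear that a transfer authorised by a TSIG key skips the ``allow-axfr-ips`` check entirely. Since the unchanged "Default: 127.0.0.0/8,::1" line sits directly above, it is also worth saying in the warning that the loopback-only default gives no restriction once a TSIG key is allowed to perform an AXFR. A cross-reference to the TSIG page (docs/tsig.rst, touched in this same commit) would tell the reader where keys get that permission.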
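Review bot: In the docs/tsig.rst hunk, "not within the define ``allow-axfr-ips`` ranges" has a typo: "define" should be "defined" (or "configured"). The two warnings added by this commit also describe the same behaviour in different words ("from everywhere" in settings.rst, "Any host with the correct TSIG key" here); aligning the wording and linking this warning to the ``allow-axfr-ips`` entry in settings.rst would keep the two pages consistent and let the reader check the setting's scope in one step.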