From: Otto Date: Wed, 27 Oct 2021 07:02:30 +0000 (+0200) Subject: Some things you should do when handling untrusted zone files. X-Git-Tag: rec-4.6.0-beta1~18^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=74bfff0e012008316bc3e8c989b1c8ce4dfda5dc;p=thirdparty%2Fpdns.git Some things you should do when handling untrusted zone files. --- diff --git a/docs/lua-records/index.rst b/docs/lua-records/index.rst index dbde1185c2..dad201f082 100644 --- a/docs/lua-records/index.rst +++ b/docs/lua-records/index.rst @@ -177,6 +177,8 @@ separate records. The full example from above can also be written as:: "return ifurlup('https://www.lua.org/', " "{EUips, USAips}, settings) " ) +.. _lua-details-security: + Details & Security ------------------ LUA records are synthesized on query. They can also be transferred via AXFR diff --git a/docs/security.rst b/docs/security.rst index d6428d8d70..48da313aa3 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -60,3 +60,19 @@ Separation will enhance your database security highly. Recommended. .. _securitypolling: .. include:: common/secpoll.rst + +Trusting zone files +------------------- +In some scenarios the PowerDNS server must handle zone files coming from an untrusted third party. +For these cases, it is recommended to take extra protective measures in addition to the measures above: + +- Set :ref:`setting-max-generate-steps` to a low number, this will limit the amount of resources used by rogue ``$GENERATE`` templates. +- Set :ref:`setting-max-include-depth` to ``0``, this will disallow the ``$INCLUDE`` directive, avoiding problems with include loops and related issues. +- Set :ref:`setting-enable-lua-records` to ``no``, this will disable :ref:`Lua Records`. + +Depending on your specific requirements, it might be good perform checks on zone files before loading the zone into PowerDNS to: + +- Enforce reasonable ``TTL`` values. +- Enforce reasonable values in the ``SOA`` records. +- Validate delegations. +