From 628cefe500ba6797d20502f5ec672ea2fba6afc3 Mon Sep 17 00:00:00 2001 From: Frank Louwers Date: Fri, 29 May 2020 15:37:58 +0200 Subject: [PATCH] Clarify allow-axfr-ips behaviour in combination with TSIG --- docs/settings.rst | 7 ++++++- docs/tsig.rst | 4 ++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/docs/settings.rst b/docs/settings.rst index 8de9398fbc..356de10249 100644 --- a/docs/settings.rst +++ b/docs/settings.rst @@ -35,7 +35,12 @@ Allow 8 bit DNS queries. - Default: 127.0.0.0/8,::1 If set, only these IP addresses or netmasks will be able to perform -AXFR. +AXFR without TSIG. + +.. warning:: + This setting only applies to AXFR without TSIG keys. If you allow a TSIG key to perform an AXFR, + this setting will not be checked for that transfer, and the client will be able to perform the AXFR + from everywhere. .. _setting-allow-dnsupdate-from: diff --git a/docs/tsig.rst b/docs/tsig.rst index 0716c9487e..91ffaa7e7a 100644 --- a/docs/tsig.rst +++ b/docs/tsig.rst @@ -33,6 +33,10 @@ with the key name in the content field. For example:: $ dig -t axfr powerdnssec.org @127.0.0.1 -y 'test:kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=' +.. warning:: + Any host with the correct TSIG key will be able to perform the AXFR, even + if the host is not within the define ``allow-axfr-ips`` ranges. + Another way of importing and activating TSIG keys into the database is using :doc:`pdnsutil `: -- 2.47.2
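Review bot: In the docs/settings.rst hunk the new warning restates the sentence it follows ("only these IP addresses or netmasks will be able to perform AXFR without TSIG") rather than adding the operational point, and "from everywhere" is imprecise for a setting whose whole subject is source-address filtering. Suggest tightening the note to say that for a transfer authenticated with a TSIG key the client's source address is not compared against ``allow-axfr-ips`` at all, so the key alone decides whether the AXFR is permitted, and that operators who want both controls must keep the key out of the hands of anything they would otherwise block by address. Since the companion hunk edits docs/tsig.rst, a ``:doc:`tsig``` cross-reference from this warning would let readers find how a key is granted AXFR rights instead of leaving "allow a TSIG key to perform an AXFR" unexplained here.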
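Review bot: Typo in the docs/tsig.rst hunk: "within the define ``allow-axfr-ips`` ranges" should read "within the ``allow-axfr-ips`` ranges" (or "the ranges defined in ``allow-axfr-ips``"). The warning also names the setting as bare literal text; the settings page uses ``setting-`` labels (``.. _setting-allow-dnsupdate-from:`` is visible as context in the first hunk), so a ``:ref:`` to the ``allow-axfr-ips`` entry would let readers jump to the setting being overridden. Finally, the two warnings should use the same phrasing for the condition: this one says "the correct TSIG key" while the settings.rst one says "allow a TSIG key to perform an AXFR"; aligning them on the key being allowed to AXFR the zone (the "key name in the content field" mechanism described just above this hunk) avoids implying that merely possessing any configured key is sufficient.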