From 74bfff0e012008316bc3e8c989b1c8ce4dfda5dc Mon Sep 17 00:00:00 2001 From: Otto Date: Wed, 27 Oct 2021 09:02:30 +0200 Subject: [PATCH] Some things you should do when handling untrusted zone files. --- docs/lua-records/index.rst | 2 ++ docs/security.rst | 16 ++++++++++++++++ 2 files changed, 18 insertions(+) diff --git a/docs/lua-records/index.rst b/docs/lua-records/index.rst index dbde1185c2..dad201f082 100644 --- a/docs/lua-records/index.rst +++ b/docs/lua-records/index.rst @@ -177,6 +177,8 @@ separate records. The full example from above can also be written as:: "return ifurlup('https://www.lua.org/', " "{EUips, USAips}, settings) " ) +.. _lua-details-security: + Details & Security ------------------ LUA records are synthesized on query. They can also be transferred via AXFR diff --git a/docs/security.rst b/docs/security.rst index d6428d8d70..48da313aa3 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -60,3 +60,19 @@ Separation will enhance your database security highly. Recommended. .. _securitypolling: .. include:: common/secpoll.rst + +Trusting zone files +------------------- +In some scenarios the PowerDNS server must handle zone files coming from an untrusted third party. +For these cases, it is recommended to take extra protective measures in addition to the measures above: + +- Set :ref:`setting-max-generate-steps` to a low number, this will limit the amount of resources used by rogue ``$GENERATE`` templates. +- Set :ref:`setting-max-include-depth` to ``0``, this will disallow the ``$INCLUDE`` directive, avoiding problems with include loops and related issues. +- Set :ref:`setting-enable-lua-records` to ``no``, this will disable :ref:`Lua Records`. + +Depending on your specific requirements, it might be good perform checks on zone files before loading the zone into PowerDNS to: + +- Enforce reasonable ``TTL`` values. +- Enforce reasonable values in the ``SOA`` records. +- Validate delegations. + -- 2.47.2