/*
* Configure default allow-update and allow-update-forwarding ACLs,
- * so they can be inherited by zones. (Note these cannot be set at
- * options/view level.)
+ * so they can be inherited by zones. (XXX: These are not
+ * read from the options/view level here. However, they may be
+ * read from there in zoneconf.c:configure_zone_acl() later.)
*/
if (view->updateacl == NULL) {
CHECK(configure_view_acl(NULL, NULL, named_g_config,
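Review bot: The replacement comment's "XXX" parenthetical leaves the security-relevant consequence of this change implicit: once named-checkconf no longer rejects allow-update and allow-update-forwarding at options/view level, a permissive ACL set there becomes the default for every zone in the view that does not override it, which is what the "may be read from there in zoneconf.c:configure_zone_acl() later" remark is really about. I would state that outright rather than tag it XXX, e.g. replace lines 5–7 with `* so they can be inherited by zones. The options/view-level values are not read here; zoneconf.c:configure_zone_acl() applies them per zone, so a permissive option/view-level ACL reaches every zone that does not set its own.` The enclosing function and the CHECK(...) call on the last hunk line continue outside the hunk, so I cannot tell whether the defaults installed here are logged anywhere; a maintainer reading this block would want a pointer to where the effective per-zone ACL can be inspected.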
* information regarding copyright ownership.
*/
-view {
+view one {
allow-update-forwarding { any; };
};
* information regarding copyright ownership.
*/
-view {
+view one {
allow-update { any; };
};
When set in the <command>zone</command> statement for
a master zone, specifies which hosts are allowed to
submit Dynamic DNS updates to that zone. The default
- is to deny updates from all hosts. This can only
- be set at the <command>zone</command> level, not in
- <command>options</command> or <command>view</command>.
+ is to deny updates from all hosts.
</para>
<para>
Note that allowing updates based on the
requestor's IP address is insecure; see
<xref linkend="dynamic_update_security"/> for details.
</para>
+ <para>
+ In general this option should only be set at the
+ <command>zone</command> level. While a default
+ value can be set at the <command>options</command> or
+ <command>view</command> level and inherited by zones,
+ this could lead to some zones unintentionally allowing
+ updates.
+ </para>
</listitem>
</varlistentry>
submit Dynamic DNS updates and have them be forwarded
to the master. The default is
<userinput>{ none; }</userinput>, which means that no
- update forwarding will be performed. This can only be
- set at the <command>zone</command> level, not in
- <command>options</command> or <command>view</command>.
+ update forwarding will be performed.
</para>
<para>
To enable update forwarding, specify
on insecure IP-address-based access control; see
<xref linkend="dynamic_update_security"/> for more details.
</para>
+ <para>
+ In general this option should only be set at the
+ <command>zone</command> level. While a default
+ value can be set at the <command>options</command> or
+ <command>view</command> level and inherited by zones,
+ this can lead to some zones unintentionally forwarding
+ updates.
+ </para>
</listitem>
</varlistentry>
return (result);
}
-static isc_result_t
-check_non_viewacls(const cfg_obj_t *voptions, const cfg_obj_t *config,
- isc_log_t *logctx)
-{
- const cfg_obj_t *aclobj = NULL;
- const cfg_obj_t *options;
- const char *where = NULL;
- int i;
-
- static const char *acls[] = {
- "allow-update", "allow-update-forwarding", NULL
- };
-
- for (i = 0; acls[i] != NULL; i++) {
- if (voptions != NULL && aclobj == NULL) {
- cfg_map_get(voptions, acls[i], &aclobj);
- where = "view";
- }
- if (config != NULL && aclobj == NULL) {
- options = NULL;
- cfg_map_get(config, "options", &options);
- if (options != NULL) {
- cfg_map_get(options, acls[i], &aclobj);
- where = "options";
- }
- }
- if (aclobj != NULL) {
- cfg_obj_log(aclobj, logctx, ISC_LOG_ERROR,
- "'%s' can only be set per-zone, "
- "not in '%s'", acls[i], where);
- return (ISC_R_FAILURE);
- }
- }
-
- return (ISC_R_SUCCESS);
-}
-
static const unsigned char zeros[16];
static isc_result_t
if (tresult != ISC_R_SUCCESS)
result = tresult;
- tresult = check_non_viewacls(voptions, config, logctx);
- if (tresult != ISC_R_SUCCESS) {
- result = tresult;
- }
-
tresult = check_recursionacls(actx, voptions, viewname,
config, logctx, mctx);
if (tresult != ISC_R_SUCCESS)