From 860579022532ee4133fc74e8f916cb40dc3ea239 Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Fri, 24 Feb 2012 09:30:39 +0100
Subject: Query and transfer ACLs for DNS zones

Provide a way to specify BIND allow-query and allow-transfer ACLs for DNS zones. IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To avoid zone information leaks to unintended places, allow-transfer ACL for every zone is by default set to none and has to be explicitly enabled by an Administrator. This is done both for new DNS zones and old DNS zones during RPM update via new DNS upgrade plugin.

https://fedorahosted.org/freeipa/ticket/1211
---
 ipaserver/install/bindinstance.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'ipaserver/install/bindinstance.py')

diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 2fa12565..9dc12e27 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -214,7 +214,9 @@ def add_zone(name, zonemgr=None, dns_backup=None, ns_hostname=None, ns_ip_addres
 idnssoarname=unicode(zonemgr),
 ip_address=unicode(ns_ip_address),
 idnsallowdynupdate=True,
- idnsupdatepolicy=unicode(update_policy))
+ idnsupdatepolicy=unicode(update_policy),
+ idnsallowquery=u'any',
+ idnsallowtransfer=u'none',)
 except (errors.DuplicateEntry, errors.EmptyModlist):
 pass
@@ -252,7 +254,9 @@ def add_reverse_zone(zone, ns_hostname=None, ns_ip_address=None,
 idnssoamname=unicode(ns_main+'.'),
 idnsallowdynupdate=True,
 ip_address=unicode(ns_ip_address),
- idnsupdatepolicy=unicode(update_policy))
+ idnsupdatepolicy=unicode(update_policy),
+ idnsallowquery=u'any',
+ idnsallowtransfer=u'none',)
 except (errors.DuplicateEntry, errors.EmptyModlist):
 pass
-- cgit
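Review bot: The new defaults `idnsallowquery=u'any'` and `idnsallowtransfer=u'none'` are spelled out as literals in both add_zone and add_reverse_zone (the second hunk, `@@ -252,7 +254,9 @@ def add_reverse_zone`, repeats them verbatim); a pair of module-level constants such as `DEFAULT_ALLOW_QUERY = u'any'` and `DEFAULT_ALLOW_TRANSFER = u'none'` would keep the two call sites, and any upgrade code that has to agree with them, in one place. The call whose keyword arguments are extended opens before the hunk, so the function's docstring is not visible here; it should state that newly created zones have allow-transfer set to none and that an administrator must enable transfers explicitly, which is the behaviour the commit message relies on. The `except (errors.DuplicateEntry, errors.EmptyModlist): pass` that follows means a zone that already exists keeps whatever ACLs it had, with nothing logged; a one-line comment pointing at the upgrade plugin the description says covers existing zones would tell the next reader that this is intended rather than an oversight. The trailing comma before the closing parenthesis, `idnsallowtransfer=u'none',)`, is legal but unusual in a call; `idnsallowtransfer=u'none')` reads cleaner.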