
bind: replace hard-coded `allow-query` zone setting with a real zone parameter. (#224776)

authored by mrobbetts and committed by GitHub
3c1c5600 8d474038

+18 -3
+2
nixos/doc/manual/release-notes/rl-2305.section.md
··· 385 385 386 386 - Lisp gained a [manual section](https://nixos.org/manual/nixpkgs/stable/#lisp), documenting a new and backwards incompatible interface. The previous interface will be removed in a future release. 387 387 388 + - The `bind` module now allows the per-zone `allow-query` setting to be configured (previously it was hard-coded to `any`; it still defaults to `any` to retain compatibility). 389 + 388 390 ## Detailed migration information {#sec-release-23.05-migration} 389 391 390 392 ### Pipewire configuration overrides {#sec-release-23.05-migration-pipewire}
+16 -3
nixos/modules/services/networking/bind.nix
··· 36 36 description = lib.mdDoc "Addresses who may request zone transfers."; 37 37 default = [ ]; 38 38 }; 39 + allowQuery = mkOption { 40 + type = types.listOf types.str; 41 + description = lib.mdDoc '' 42 + List of address ranges allowed to query this zone. Instead of the address(es), this may instead 43 + contain the single string "any". 44 + 45 + NOTE: This overrides the global-level `allow-query` setting, which is set to the contents 46 + of `cachenetworks`. 47 + ''; 48 + default = [ "any" ]; 49 + }; 39 50 extraConfig = mkOption { 40 51 type = types.str; 41 52 description = lib.mdDoc "Extra zone config to be appended at the end of the zone section."; ··· 69 80 ${cfg.extraConfig} 70 81 71 82 ${ concatMapStrings 72 - ({ name, file, master ? true, slaves ? [], masters ? [], extraConfig ? "" }: 83 + ({ name, file, master ? true, slaves ? [], masters ? [], allowQuery ? [], extraConfig ? "" }: 73 84 '' 74 85 zone "${name}" { 75 86 type ${if master then "master" else "slave"}; ··· 87 98 }; 88 99 '' 89 100 } 90 - allow-query { any; }; 101 + allow-query { ${concatMapStrings (ip: "${ip}; ") allowQuery}}; 91 102 ${extraConfig} 92 103 }; 93 104 '') ··· 120 131 description = lib.mdDoc '' 121 132 What networks are allowed to use us as a resolver. Note 122 133 that this is for recursive queries -- all networks are 123 - allowed to query zones configured with the `zones` option. 134 + allowed to query zones configured with the `zones` option 135 + by default (although this may be overridden within each 136 + zone's configuration, via the `allowQuery` option). 124 137 It is recommended that you limit cacheNetworks to avoid your 125 138 server being used for DNS amplification attacks. 126 139 '';
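Review bot: in the zone generator, the destructuring default `allowQuery ? []` does not match the option default `[ "any" ]` declared in the first hunk, and an empty list renders as `allow-query { };`, which BIND treats as an empty address match list that refuses every query to that zone. Because the option carries a default, zones declared through the module always have the attribute and the fallback is effectively dead, but for consistency (and for any caller passing a plain attribute set) it should read `allowQuery ? [ "any" ]`. Two wording points in the new option description: "Instead of the address(es), this may instead contain" has a doubled "instead", and the NOTE refers to the global setting as `cachenetworks` while the option is named `cacheNetworks` (as the last hunk's "limit cacheNetworks" shows), so the backticked name should use the same casing to be searchable.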