lol

Merge pull request #168764 from rnhmjoj/pr-pdns-ncdns

nixos/ncdns: listen on IPv6 by default

authored by

Michele Guerini Rocco and committed by
GitHub
68a102a2 5ff41873

+17 -11
+7
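--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -506,6 +506,13 @@
 </listitem>
 <listitem>
 <para>
+In the ncdns module, the default value of
+<literal>services.ncdns.address</literal> has been changed to
+the IPv6 loopback address (<literal>::1</literal>).
+</para>
+</listitem>
+<listitem>
+<para>
 <literal>openssh</literal> has been update to 8.9p1, changing
 the FIDO security key middleware interface.
 </para>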
+2
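--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -160,6 +160,8 @@
 (`services.pdns-recursor.dns.address`, `services.pdns-recursor.dns.allowFrom`);
 - allow only local connections to the REST API server (`services.pdns-recursor.api.allowFrom`).
 
+- In the ncdns module, the default value of `services.ncdns.address` has been changed to the IPv6 loopback address (`::1`).
+
 - `openssh` has been update to 8.9p1, changing the FIDO security key middleware interface.
 
 - `services.k3s.enable` no longer implies `systemd.enableUnifiedCgroupHierarchy = false`, and will default to the 'systemd' cgroup driver when using `services.k3s.docker = true`.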
+2 -2
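--- a/nixos/modules/services/networking/ncdns.nix
+++ b/nixos/modules/services/networking/ncdns.nix
@@ -58,7 +58,7 @@
 
 address = mkOption {
 type = types.str;
-default = "127.0.0.1";
+default = "[::1]";
 description = ''
 The IP address the ncdns resolver will bind to. Leave this unchanged
 if you do not wish to directly expose the resolver.
@@ -202,7 +202,7 @@
 config = mkIf cfg.enable {
 
 services.pdns-recursor = mkIf cfgs.pdns-recursor.resolveNamecoin {
-forwardZonesRecurse.bit = "127.0.0.1:${toString cfg.port}";
+forwardZonesRecurse.bit = "${cfg.address}:${toString cfg.port}";
 luaConfig =
 if cfg.dnssec.enable
 then ''readTrustAnchorsFromFile("${cfg.dnssec.keys.public}")''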
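Review bot: The `address` option is still described as "The IP address" with type `types.str`, but the new default `"[::1]"` and the interpolation `"${cfg.address}:${toString cfg.port}"` in `forwardZonesRecurse.bit` only work when an IPv6 value is written in brackets. A user who sets `::1` (the form the release notes print) would get the forward target `::1:<port>`, which is not an unambiguous host:port. The description should say so, for example by adding `IPv6 addresses must be enclosed in square brackets, for example [::1].` A wildcard bind such as `0.0.0.0` or `[::]` would also be copied verbatim into the forwarder, where it is presumably not a usable destination, so that case may deserve an assertion. Both the option body and the `config` block continue outside the visible hunks.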
+6 -9
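--- a/nixos/tests/ncdns.nix
+++ b/nixos/tests/ncdns.nix
@@ -29,10 +29,10 @@
 };
 
 nodes.server = { ... }: {
-networking.nameservers = [ "127.0.0.1" ];
+networking.nameservers = [ "::1" ];
 
 services.namecoind.rpc = {
-address = "127.0.0.1";
+address = "::1";
 user = "namecoin";
 password = "secret";
 port = 8332;
@@ -45,7 +45,7 @@
 script = ''
 while true; do
 echo -e "HTTP/1.1 200 OK\n\n $(<${fakeReply})\n" \
-| ${pkgs.netcat}/bin/nc -N -l 127.0.0.1 8332
+| ${pkgs.netcat}/bin/nc -N -l ::1 8332
 done
 '';
 };
@@ -58,14 +58,10 @@
 identity.address = "1.0.0.1";
 };
 
-services.pdns-recursor = {
-enable = true;
-dns.allowFrom = [ "127.0.0.0/8" ];
-resolveNamecoin = true;
-};
+services.pdns-recursor.enable = true;
+services.pdns-recursor.resolveNamecoin = true;
 
 environment.systemPackages = [ pkgs.dnsutils ];
-
 };
 
 testScript =
@@ -91,6 +87,7 @@
 assert "example.com" in server.succeed("dig SOA @localhost -p 5333 bit")
 
 with subtest("bit. zone forwarding works"):
+server.wait_for_unit("pdns-recursor")
 assert "1.2.3.4" in server.succeed("host test.bit")
 '';
 })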
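Review bot: Nothing in the test pins the new listen address: the existing check `dig SOA @localhost -p 5333 bit` goes through `localhost`, which can resolve to either loopback family, so it would presumably still pass if ncdns bound to `127.0.0.1`. Querying the literal address, `dig SOA @::1 -p 5333 bit`, would make the test cover the default this commit introduces. With the explicit `dns.allowFrom` removed, the forwarding subtest also depends on the pdns-recursor module's default ACL admitting `::1`; a short comment saying that this is intentional would help. The `testScript` string starts outside the hunk.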