[Dnsmasq-discuss] Two questions about authoritative mode
Raphaël Halimi
raphael.halimi at gmail.com
Sat Jun 2 21:58:17 BST 2018
On 02/06/2018 at 19:39, Simon Kelley wrote:
> This is just some security logic, since omitting auth-peer is allowed,
> and accepts AXFR requests from anywhere, AXFR is inhibited unless
> auth-sec-servers is specified. Otherwise, a dnsmasq instance without any
> secondary-server configuration would be open to zone transfers from
> anywhere, which is not a good default. The obvious solution is to allow
> zone transfers even if there is no auth-sec-servers config, as long as
> auth-peer is specified and satisfied.
>
> This commit implements that.
>
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=090856c7e6d483bc4d7ec41f55208a9842769c45
> The complexity arises because dnsmasq doesn't store "reverse" records
> and PTR records in an in-addr.arpa zone. To answer individual queries,
> it essentially extracts the IP address encoded in the domain name, and
> looks up IP addresses in the internal data structures. This is a result
> of a very old design decision.
>
> Doing an AXFR of an in-addr.arpa zone therefore requires iterating over
> all the name<->IP address mappings, and looking for addresses that end
> up in the zone in question. It would be possible, but it would be a lot
> of new code, especially for IPv6.
Thank you very much for answering both questions, and implementing the
solution to the first one so quickly.
For the second one, I can live with a tiny script that converts the A
records from the zone data to PTR records and builds a zone file.
Thanks again!
Regards,
--
Raphaël Halimi
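The "tiny script" mentioned above, written out as an added example (it is not Raphaël's script, and not dnsmasq code). It assumes the forward zone data is available as zone-file style lines (`owner [TTL] [IN] A|AAAA address`, with an optional `$ORIGIN`; the sample data is constructed), keeps only the addresses that fall inside a chosen network, and emits the PTR records for the matching in-addr.arpa zone. It also handles AAAA records and ip6.arpa zones, going a step beyond the IPv4 case discussed in the thread, and can alternatively print dnsmasq `ptr-record=` lines so the reverse data can be fed back to dnsmasq instead of to a zone file.

```python
"""Derive reverse (PTR) zone data from forward A/AAAA records.

Added example for the dnsmasq-discuss thread; not the poster's script and
not part of dnsmasq. Input format is assumed: zone-file style lines.
"""
import ipaddress
import re

# Constructed sample forward zone data (assumed format, not taken from the thread).
SAMPLE_FORWARD = """
$ORIGIN lan.example.
; hosts in the forward zone
www     3600 IN A    192.168.1.10
mail    3600 IN A    192.168.1.20
guest        IN A    10.0.0.5
www     3600 IN AAAA 2001:db8:1::10
router       IN CNAME www
"""

# owner [TTL] [IN] TYPE rdata  -- only A and AAAA have a reverse mapping
RECORD_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?(?P<type>AAAA|A)\s+(?P<rdata>\S+)\s*$",
    re.IGNORECASE,
)


def parse_forward(text, default_origin=None):
    """Yield (fqdn, ttl_or_None, ip_address) for each A/AAAA record, honouring $ORIGIN."""
    origin = default_origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".") + "."
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue  # CNAME, MX, TXT ... carry no address to reverse
        owner = m.group("owner")
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner
        else:
            fqdn = f"{owner}.{origin}" if origin else owner + "."
        ttl = int(m.group("ttl")) if m.group("ttl") else None
        try:
            ip = ipaddress.ip_address(m.group("rdata"))
        except ValueError:
            continue  # malformed rdata: skip rather than emit a bogus PTR
        yield fqdn, ttl, ip


def reverse_zone_name(network):
    """Reverse zone covering `network`; needs an octet (v4) or nibble (v6) aligned prefix."""
    if network.version == 4:
        if network.prefixlen % 8:
            raise ValueError("IPv4 reverse zones need a /8, /16 or /24 network")
        octets = str(network.network_address).split(".")[: network.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if network.prefixlen % 4:
        raise ValueError("IPv6 reverse zones need a nibble-aligned prefix")
    nibbles = network.network_address.exploded.replace(":", "")[: network.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def build_ptr_records(forward_text, network, default_ttl=3600):
    """Return (zone_name, [(owner_fqdn, ttl, target_fqdn)]) for addresses inside `network`."""
    network = ipaddress.ip_network(network)
    zone = reverse_zone_name(network)
    records, seen = [], set()
    for fqdn, ttl, ip in parse_forward(forward_text):
        if ip.version != network.version or ip not in network:
            continue  # address lives in some other reverse zone
        owner = ip.reverse_pointer + "."
        if owner in seen:
            continue  # one PTR per address; the first forward record wins
        seen.add(owner)
        records.append((owner, ttl or default_ttl, fqdn))
    return zone, records


def render_zone(zone, records, default_ttl=3600):
    """Render the PTR records as a zone-file fragment relative to $ORIGIN (SOA/NS left to the operator)."""
    lines = [f"$ORIGIN {zone}", f"$TTL {default_ttl}"]
    for owner, ttl, target in records:
        rel = owner[: -len(zone) - 1] or "@"  # strip the zone suffix and its dot
        lines.append(f"{rel} {ttl} IN PTR {target}")
    return "\n".join(lines) + "\n"


def render_dnsmasq(records):
    """Render the same data as dnsmasq --ptr-record=<name>,<target> lines."""
    return "".join(f"ptr-record={o.rstrip('.')},{t.rstrip('.')}\n" for o, _, t in records)


if __name__ == "__main__":
    zone, recs = build_ptr_records(SAMPLE_FORWARD, "192.168.1.0/24")
    print(render_zone(zone, recs))
    print(render_dnsmasq(recs))
```

Run it against the real forward data (for example the output of an AXFR of the forward zone, if dnsmasq permits it to your auth-peer) and point the network argument at each reverse zone you need; addresses outside the network are silently left out, so a /24 zone never picks up records from another subnet.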