
(-)a/doc/manual/ip-config-de.xml (-5 / +9 lines)
Lines 328-339 Link Here
328
	  <section id="ip-config:Konfiguration_von_Zonentransfers">
328
	  <section id="ip-config:Konfiguration_von_Zonentransfers">
329
		<title>Konfiguration von Zonentransfers</title>
329
		<title>Konfiguration von Zonentransfers</title>
330
		<para>
330
		<para>
331
		  In der Grundeinstellung erlaubt der UCS-Nameserver Zonentransfers
331
		  In der Grundeinstellung erlaubt der UCS-Nameserver keine Zonentransfers der DNS-Daten.
332
		  der DNS-Daten. Ist der UCS-Server aus dem Internet erreichbar, kann dadurch eine Liste
332
		  Andernfalls kann dadurch eine vollständige Liste aller Rechnernamen, IP-Adressen und Dienste abgefragt werden.
333
		  aller Rechnernamen und IP-Adressen abgefragt werden. Der Zonentransfer kann bei Verwendung des OpenLDAP-Backends durch Setzen
333
		  Der Zonentransfer kann durch Setzen der &ucsUCRV; <envar>dns/allow/transfer</envar> auf <literal>none</literal> vollständig deaktiviert werden.
334
		  der &ucsUCRV; <envar>dns/allow/transfer</envar> auf <literal>none</literal> deaktiviert
334
		  Alternativ kann auch eine Semikolon separierte Liste von Hostnamen, IP-Adressen oder ACL-Namen angegeben werden.
335
		  werden.
336
		</para>
335
		</para>
336
		<caution>
337
		  <para>
338
			Bei Verwendung des OpenLDAP-Backends (<envar>dns/backend</envar>=<literal>ldap</literal>) <emphasis>muss</emphasis> der Zonentransfer für <systemitem class="systemname">localhost</systemitem> jedoch auf jeden Fall freigegeben bleiben!
339
		  </para>
340
		</caution>
337
	  </section>
341
	  </section>
338
342
339
	</section>
343
	</section>
(-)a/doc/manual/ip-config-en.xml (-4 / +9 lines)
Lines 336-346 Link Here
336
	  <section id="ip-config:Configuration_of_zone_transfers">
336
	  <section id="ip-config:Configuration_of_zone_transfers">
337
		<title>Configuration of zone transfers</title>
337
		<title>Configuration of zone transfers</title>
338
		<para>
338
		<para>
339
		  In the default setting, the UCS name server allows zone transfers of the
339
		  In the default setting, the UCS name server disallows zone transfers of the DNS data.
340
		  DNS data. If the UCS server can be reached from the Internet, a list of all computer names
340
		  Otherwise a complete list of all computer names, IP addresses and services can be requested.
341
		  and IP addresses can be requested. The zone transfer can be deactivated when using the OpenLDAP backend by setting the
341
		  The zone transfer can be deactivated completely when by setting the &ucsUCRV; <envar>dns/allow/transfer</envar> to <literal>none</literal>.
342
		  &ucsUCRV; <envar>dns/allow/transfer</envar> to <literal>none</literal>.
342
		  As an alternative a semicolon separated list of host names, IP addresses, or ACL names can be given.
343
		</para>
343
		</para>
344
		<caution>
345
		  <para>
346
			If the OpenLDAP backend (<envar>dns/backend</envar>=<literal>ldap</literal>) is used, the zone transfer <emphasis>must</emphasis> be allowed for <systemitem class="systemname">localhost</systemitem> in any case!
347
		  </para>
348
		</caution>
344
	  </section>
349
	  </section>
345
350
346
	</section>
351
	</section>
(-)a/services/univention-bind/debian/changelog (+6 lines)
Lines 1-3 Link Here
1
univention-bind (11.0.1-2) unstable; urgency=low
2
3
  * Bug #44380: Limit zone transfers to localhost
4
5
 -- Philipp Hahn <hahn@univention.de>  Tue, 18 Apr 2017 14:04:47 +0200
6
1
univention-bind (11.0.1-1) unstable; urgency=medium
7
univention-bind (11.0.1-1) unstable; urgency=medium
2
8
3
  * Execute univention-fix-ucr-dns in univention-bind postinst only if
9
  * Execute univention-fix-ucr-dns in univention-bind postinst only if
(-)a/services/univention-bind/debian/univention-bind.postinst (-3 / +1 lines)
Lines 52-58 univention-config-registry set 'bind/autostart?yes' \ Link Here
52
                               'dns/ipv6?yes' \
52
                               'dns/ipv6?yes' \
53
                               'nameserver/external?false' \
53
                               'nameserver/external?false' \
54
                               'dns/allow/query?any' \
54
                               'dns/allow/query?any' \
55
                               'dns/allow/transfer?any' \
55
                               'dns/allow/transfer?localhost' \
56
                               'dns/dlz/debug/level?0' \
56
                               'dns/dlz/debug/level?0' \
57
                               'dns/debug/level?0'
57
                               'dns/debug/level?0'
58
58
59
- 
60
--
61
services/univention-bind/bind.py                       | 3 ---
59
services/univention-bind/bind.py                       | 3 ---
62
services/univention-bind/conffiles/etc/bind/named.conf | 1 +
60
services/univention-bind/conffiles/etc/bind/named.conf | 1 +
63
2 files changed, 1 insertion(+), 3 deletions(-)
61
2 files changed, 1 insertion(+), 3 deletions(-)
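Review bot: The new default `'dns/allow/transfer?localhost'` at line 55 only takes effect on fresh installations: the `?` form of `univention-config-registry set` leaves an already-set variable untouched, and every host that ran the previous postinst had `dns/allow/transfer` set to `any` by the removed line, so upgraded systems keep `any` and remain open to zone transfers from anywhere. If Bug #44380 is meant to close this for existing installations as well, the postinst needs a one-time upgrade step — roughly, when `$2` (the old version) is below the version that ships this change and the value still reads `any`, set it to `localhost` — and that step must keep localhost allowed, which the manual change in this patch set says is mandatory for the OpenLDAP backend. Either way, the changelog entry "Limit zone transfers to localhost" should say whether upgrades are covered, so administrators know whether to check the variable themselves. The lines shown after 58 (`- `, `--` and the diffstat lines) look like a format-patch trailer and the next patch's header misparsed by the viewer rather than content of the postinst; worth confirming the script does not actually end with them.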
(-)a/services/univention-bind/bind.py (-3 lines)
Lines 210-218 def _reload(zones, restart=False, dns_backend='ldap'): Link Here
210
					cmd = ['rndc', '-p', '55555', 'reload', zone]
210
					cmd = ['rndc', '-p', '55555', 'reload', zone]
211
					pid = os.spawnv(os.P_NOWAIT, RNDC_BIN, cmd)
211
					pid = os.spawnv(os.P_NOWAIT, RNDC_BIN, cmd)
212
					pids[pid] = cmd
212
					pids[pid] = cmd
213
					cmd = ['rndc', '-p', '953', 'reload', zone]
214
					pid = os.spawnv(os.P_NOWAIT, RNDC_BIN, cmd)
215
					pids[pid] = cmd
216
		elif dns_backend == 'samba4':
213
		elif dns_backend == 'samba4':
217
			cmd = [RNDC_BIN, '-p', '953', 'reload']
214
			cmd = [RNDC_BIN, '-p', '953', 'reload']
218
			p = subprocess.Popen(cmd)
215
			p = subprocess.Popen(cmd)
(-)a/services/univention-bind/conffiles/etc/bind/named.conf (-1 / +1 lines)
Lines 7-12 controls{ Link Here
7
};
7
};
8
options {
8
options {
9
	directory "/var/cache/bind";
9
	directory "/var/cache/bind";
10
	notify explicit;
10
	also-notify {
11
	also-notify {
11
		127.0.0.1;
12
		127.0.0.1;
12
	};
13
	};
13
- 
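Review bot: `notify explicit;` — the added line at new line 10, as far as the gutter numbering and the `named.conf | 1 +` diffstat show — is undocumented, and the reason it is needed is only implied by the bind.py hunk of the same patch set, which drops the `rndc -p 953 reload` for the ldap backend. If the port-953 instance is now kept current by the NOTIFY sent to 127.0.0.1 via `also-notify` followed by a zone transfer from this instance — which the manual's new caution about keeping localhost allowed suggests — a comment above the line such as `// notify only the local proxy instance (also-notify); it refreshes zones by transfer over 127.0.0.1, so allow-transfer must keep localhost` would record that dependency for the next maintainer. Since `none` is now documented as a valid `dns/allow/transfer` value, it would also be more robust for the template to always include localhost in `allow-transfer` when the ldap backend is in use, instead of relying on the manual's caution alone; the `allow-transfer` statement itself is outside this hunk. The trailing `- ` at line 13 looks like a misparsed patch trailer rather than file content.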
