Univention Bugzilla – Attachment 8780 Details for Bug 44380: AXFR should be limited to UCS system roles only
[patch] Limit AXFR
44380_bind-zone-notify.patch (text/plain), 6.83 KB, created by Philipp Hahn on 2017-04-18 16:23:02 CEST
Flags: patch, obsolete
>From f23e0ea05f6c6b11981b8371b7adf21564ee143c Mon Sep 17 00:00:00 2001 >Message-Id: <f23e0ea05f6c6b11981b8371b7adf21564ee143c.1492525156.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Tue, 18 Apr 2017 14:05:07 +0200 >Subject: [PATCH 1/2] Bug #44380 DNS: Limit zone transfers to localhost >Organization: Univention GmbH, Bremen, Germany > >Allow zone transfers only from localhost by default. >--- > doc/manual/ip-config-de.xml | 14 +++++++++----- > doc/manual/ip-config-en.xml | 13 +++++++++---- > services/univention-bind/debian/changelog | 6 ++++++ > services/univention-bind/debian/univention-bind.postinst | 2 +- > 4 files changed, 25 insertions(+), 10 deletions(-) > >diff --git a/doc/manual/ip-config-de.xml b/doc/manual/ip-config-de.xml >index 57343d8303..d25ce84154 100644 >--- a/doc/manual/ip-config-de.xml >+++ b/doc/manual/ip-config-de.xml 
>@@ -328,12 +328,16 @@ > <section id="ip-config:Konfiguration_von_Zonentransfers"> > <title>Konfiguration von Zonentransfers</title> > <para> >- In der Grundeinstellung erlaubt der UCS-Nameserver Zonentransfers >- der DNS-Daten. Ist der UCS-Server aus dem Internet erreichbar, kann dadurch eine Liste >- aller Rechnernamen und IP-Adressen abgefragt werden. Der Zonentransfer kann bei Verwendung des OpenLDAP-Backends durch Setzen >- der &ucsUCRV; <envar>dns/allow/transfer</envar> auf <literal>none</literal> deaktiviert >- werden. >+ In der Grundeinstellung erlaubt der UCS-Nameserver keine Zonentransfers der DNS-Daten. >+ Andernfalls kann dadurch eine vollständige Liste aller Rechnernamen, IP-Adressen und Dienste abgefragt werden. >+ Der Zonentransfer kann durch Setzen der &ucsUCRV; <envar>dns/allow/transfer</envar> auf <literal>none</literal> vollständig deaktiviert werden. >+ Alternativ kann auch eine Semikolon separierte Liste von Hostnamen, IP-Adressen oder ACL-Namen angegeben werden. > </para> >+ <caution> >+ <para> >+ Bei Verwendung des OpenLDAP-Backends (<envar>dns/backend</envar>=<literal>ldap</literal>) <emphasis>muss</emphasis> der Zonentransfer für <systemitem class="systemname">localhost</systemitem> jedoch auf jeden Fall freigegeben bleiben! >+ </para> >+ </caution> > </section> > > </section> >diff --git a/doc/manual/ip-config-en.xml b/doc/manual/ip-config-en.xml >index 3a546a1e55..c762a85832 100644 >--- a/doc/manual/ip-config-en.xml >+++ b/doc/manual/ip-config-en.xml 
>@@ -336,11 +336,16 @@ > <section id="ip-config:Configuration_of_zone_transfers"> > <title>Configuration of zone transfers</title> > <para> >- In the default setting, the UCS name server allows zone transfers of the >- DNS data. If the UCS server can be reached from the Internet, a list of all computer names >- and IP addresses can be requested. The zone transfer can be deactivated when using the OpenLDAP backend by setting the >- &ucsUCRV; <envar>dns/allow/transfer</envar> to <literal>none</literal>. >+ In the default setting, the UCS name server disallows zone transfers of the DNS data. >+ Otherwise a complete list of all computer names, IP addresses and services can be requested. >+ The zone transfer can be deactivated completely when by setting the &ucsUCRV; <envar>dns/allow/transfer</envar> to <literal>none</literal>. >+ As an alternative a semicolon separated list of host names, IP addresses, or ACL names can be given. > </para> >+ <caution> >+ <para> >+ If the OpenLDAP backend (<envar>dns/backend</envar>=<literal>ldap</literal>) is used, the zone transfer <emphasis>must</emphasis> be allowed for <systemitem class="systemname">localhost</systemitem> in any case! >+ </para> >+ </caution> > </section> > > </section> >diff --git a/services/univention-bind/debian/changelog b/services/univention-bind/debian/changelog >index 7f14cb08ee..07bb9ed9c9 100644 >--- a/services/univention-bind/debian/changelog >+++ b/services/univention-bind/debian/changelog >@@ -1,3 +1,9 @@ >+univention-bind (11.0.1-2) unstable; urgency=low >+ >+ * Bug #44380: Limit zone transfers to localhost >+ >+ -- Philipp Hahn <hahn@univention.de> Tue, 18 Apr 2017 14:04:47 +0200 >+ > univention-bind (11.0.1-1) unstable; urgency=medium > > * Execute univention-fix-ucr-dns in univention-bind postinst only if >diff --git a/services/univention-bind/debian/univention-bind.postinst b/services/univention-bind/debian/univention-bind.postinst >index 93e1583116..49e9202ba9 100644 
>--- a/services/univention-bind/debian/univention-bind.postinst >+++ b/services/univention-bind/debian/univention-bind.postinst >@@ -52,7 +52,7 @@ univention-config-registry set 'bind/autostart?yes' \ > 'dns/ipv6?yes' \ > 'nameserver/external?false' \ > 'dns/allow/query?any' \ >- 'dns/allow/transfer?any' \ >+ 'dns/allow/transfer?localhost' \ > 'dns/dlz/debug/level?0' \ > 'dns/debug/level?0' > >-- >2.11.0 > > >From 166d48d27ac7fdd0134451714e4751f474bea7ee Mon Sep 17 00:00:00 2001 >Message-Id: <166d48d27ac7fdd0134451714e4751f474bea7ee.1492525156.git.hahn@univention.de> >In-Reply-To: <f23e0ea05f6c6b11981b8371b7adf21564ee143c.1492525156.git.hahn@univention.de> >References: <f23e0ea05f6c6b11981b8371b7adf21564ee143c.1492525156.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Tue, 18 Apr 2017 16:17:20 +0200 >Subject: [PATCH 2/2] Bug #44380 DNS: Only notify local PROXY-named >Organization: Univention GmbH, Bremen, Germany > >As the PROXY-named always pulls its data from the local LDAP-named, let >the later only notify the former. > >Drop the duplicate reload, as it duplicates the NOTIFY mechanism. >--- > services/univention-bind/bind.py | 3 --- > services/univention-bind/conffiles/etc/bind/named.conf | 1 + > 2 files changed, 1 insertion(+), 3 deletions(-) > >diff --git a/services/univention-bind/bind.py b/services/univention-bind/bind.py >index 8b86a0bb26..7cc13c51b3 100755 >--- a/services/univention-bind/bind.py >+++ b/services/univention-bind/bind.py >@@ -210,9 +210,6 @@ def _reload(zones, restart=False, dns_backend='ldap'): > cmd = ['rndc', '-p', '55555', 'reload', zone] > pid = os.spawnv(os.P_NOWAIT, RNDC_BIN, cmd) > pids[pid] = cmd >- cmd = ['rndc', '-p', '953', 'reload', zone] >- pid = os.spawnv(os.P_NOWAIT, RNDC_BIN, cmd) >- pids[pid] = cmd > elif dns_backend == 'samba4': > cmd = [RNDC_BIN, '-p', '953', 'reload'] > p = subprocess.Popen(cmd) 
>diff --git a/services/univention-bind/conffiles/etc/bind/named.conf b/services/univention-bind/conffiles/etc/bind/named.conf >index 9c71f9d090..729898fd00 100644 >--- a/services/univention-bind/conffiles/etc/bind/named.conf >+++ b/services/univention-bind/conffiles/etc/bind/named.conf >@@ -7,6 +7,7 @@ controls{ > }; > options { > directory "/var/cache/bind"; >+ notify explicit; > also-notify { > 127.0.0.1; > }; >-- >2.11.0 >
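Review bot: the new German sentence "In der Grundeinstellung erlaubt der UCS-Nameserver keine Zonentransfers der DNS-Daten" in the ip-config-de.xml hunk contradicts the postinst hunk, which defaults `dns/allow/transfer` to `localhost`, not `none`; say that transfers are permitted only from localhost by default ("… erlaubt der UCS-Nameserver Zonentransfers nur von localhost"), otherwise the caution about localhost directly below reads as an exception to a rule the default does not actually enforce. The sentence about ACL names should also say where such an ACL has to be defined, since a name that does not resolve to an `acl` statement will make named refuse its configuration.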
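Review bot: in the ip-config-en.xml hunk, "The zone transfer can be deactivated completely when by setting …" has a leftover "when"; drop it. As in the German hunk, "disallows zone transfers of the DNS data" does not match the `localhost` default set in the postinst hunk; write "only allows zone transfers from localhost" so that the opening statement and the caution agree. "Otherwise a complete list … can be requested" is also vague about who can request it; stating that without the restriction any client able to reach the server can obtain the full list makes the risk explicit.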
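Review bot: `'dns/allow/transfer?localhost'` in the univention-bind.postinst hunk uses the UCR `?` form, which only assigns the value when the variable is unset, so systems installed with an earlier package keep the `any` they received at installation time and are not hardened by this update at all. Either document this in the changelog entry so administrators know to set the variable themselves, or migrate an unchanged `any` to `localhost` in the postinst when upgrading from a version below 11.0.1-2. Verifying the effective value after an upgrade with `ucr get dns/allow/transfer` belongs in the test plan for this bug.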
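Review bot: removing the `rndc -p 953 reload` from `_reload()` in the bind.py hunk means the PROXY-named now learns about changes only through the NOTIFY path introduced in the named.conf hunk, and a NOTIFY leads to a transfer only when the zone's SOA serial has increased; confirm that every LDAP change which reaches `_reload()` also bumps the serial, otherwise the proxy keeps serving stale data until its refresh timer expires. This path also depends on `dns/allow/transfer` still covering localhost, which is exactly what the manual's new caution warns about; a short comment in `_reload()` stating that dependency would stop the next person from re-adding the duplicate reload.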
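Review bot: `notify explicit;` in the named.conf hunk sits in the global `options` block, so it applies to every zone this named serves, not just the LDAP-backed ones; any zone whose NS records list further secondaries will stop receiving NOTIFY messages and those secondaries fall back to their refresh interval. If such setups are supported, scope the option to the affected zones (or the zone template) or record the behaviour change in the changelog. The `also-notify { 127.0.0.1; }` entry sends to the default port, which assumes the PROXY-named is the instance listening on port 53 on the loopback address; a comment next to it saying so would make the intent clear.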