From f23e0ea05f6c6b11981b8371b7adf21564ee143c Mon Sep 17 00:00:00 2001
Message-Id:
From: Philipp Hahn
Date: Tue, 18 Apr 2017 14:05:07 +0200
Subject: [PATCH 1/2] Bug #44380 DNS: Limit zone transfers to localhost
Organization: Univention GmbH, Bremen, Germany

Allow zone transfers only from localhost by default.
---
doc/manual/ip-config-de.xml | 14 +++++++++-----
doc/manual/ip-config-en.xml | 13 +++++++++----
services/univention-bind/debian/changelog | 6 ++++++
services/univention-bind/debian/univention-bind.postinst | 2 +-
4 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/doc/manual/ip-config-de.xml b/doc/manual/ip-config-de.xml
index 57343d8303..d25ce84154 100644
--- a/doc/manual/ip-config-de.xml
+++ b/doc/manual/ip-config-de.xml
@@ -328,12 +328,16 @@
Konfiguration von Zonentransfers - In der Grundeinstellung erlaubt der UCS-Nameserver Zonentransfers - der DNS-Daten. Ist der UCS-Server aus dem Internet erreichbar, kann dadurch eine Liste - aller Rechnernamen und IP-Adressen abgefragt werden. Der Zonentransfer kann bei Verwendung des OpenLDAP-Backends durch Setzen - der &ucsUCRV; dns/allow/transfer auf none deaktiviert - werden. + In der Grundeinstellung erlaubt der UCS-Nameserver keine Zonentransfers der DNS-Daten. + Andernfalls kann dadurch eine vollständige Liste aller Rechnernamen, IP-Adressen und Dienste abgefragt werden. + Der Zonentransfer kann durch Setzen der &ucsUCRV; dns/allow/transfer auf none vollständig deaktiviert werden. + Alternativ kann auch eine Semikolon separierte Liste von Hostnamen, IP-Adressen oder ACL-Namen angegeben werden. + + + Bei Verwendung des OpenLDAP-Backends (dns/backend=ldap) muss der Zonentransfer für localhost jedoch auf jeden Fall freigegeben bleiben! + +
diff --git a/doc/manual/ip-config-en.xml b/doc/manual/ip-config-en.xml
index 3a546a1e55..c762a85832 100644
--- a/doc/manual/ip-config-en.xml
+++ b/doc/manual/ip-config-en.xml
@@ -336,11 +336,16 @@
Configuration of zone transfers - In the default setting, the UCS name server allows zone transfers of the - DNS data. If the UCS server can be reached from the Internet, a list of all computer names - and IP addresses can be requested. The zone transfer can be deactivated when using the OpenLDAP backend by setting the - &ucsUCRV; dns/allow/transfer to none. + In the default setting, the UCS name server disallows zone transfers of the DNS data. + Otherwise a complete list of all computer names, IP addresses and services can be requested. + The zone transfer can be deactivated completely when by setting the &ucsUCRV; dns/allow/transfer to none. + As an alternative a semicolon separated list of host names, IP addresses, or ACL names can be given. + + + If the OpenLDAP backend (dns/backend=ldap) is used, the zone transfer must be allowed for localhost in any case! + +
diff --git a/services/univention-bind/debian/changelog b/services/univention-bind/debian/changelog index 7f14cb08ee..07bb9ed9c9 100644 --- a/services/univention-bind/debian/changelog +++ b/services/univention-bind/debian/changelog @@ -1,3 +1,9 @@ +univention-bind (11.0.1-2) unstable; urgency=low + + * Bug #44380: Limit zone transfers to localhost + + -- Philipp Hahn Tue, 18 Apr 2017 14:04:47 +0200 + univention-bind (11.0.1-1) unstable; urgency=medium * Execute univention-fix-ucr-dns in univention-bind postinst only if diff --git a/services/univention-bind/debian/univention-bind.postinst b/services/univention-bind/debian/univention-bind.postinst index 93e1583116..49e9202ba9 100644 --- a/services/univention-bind/debian/univention-bind.postinst +++ b/services/univention-bind/debian/univention-bind.postinst @@ -52,7 +52,7 @@ univention-config-registry set 'bind/autostart?yes' \ 'dns/ipv6?yes' \ 'nameserver/external?false' \ 'dns/allow/query?any' \ - 'dns/allow/transfer?any' \ + 'dns/allow/transfer?localhost' \ 'dns/dlz/debug/level?0' \ 'dns/debug/level?0' -- 2.11.0 From 166d48d27ac7fdd0134451714e4751f474bea7ee Mon Sep 17 00:00:00 2001 Message-Id: <166d48d27ac7fdd0134451714e4751f474bea7ee.1492525156.git.hahn@univention.de> In-Reply-To: References: From: Philipp Hahn Date: Tue, 18 Apr 2017 16:17:20 +0200 Subject: [PATCH 2/2] Bug #44380 DNS: Only notify local PROXY-named Organization: Univention GmbH, Bremen, Germany As the PROXY-named always pulls its data from the local LDAP-named, let the latter only notify the former. Drop the duplicate reload, as it duplicates the NOTIFY mechanism. --- services/univention-bind/bind.py | 3 --- services/univention-bind/conffiles/etc/bind/named.conf | 1 + 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/services/univention-bind/bind.py b/services/univention-bind/bind.py index 8b86a0bb26..7cc13c51b3 100755 --- a/services/univention-bind/bind.py +++ b/services/univention-bind/bind.py
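Review bot: `'dns/allow/transfer?localhost'` in the postinst hunk only changes the default where the variable is still unset; the `key?value` form of `univention-config-registry set` leaves an existing value alone, so hosts upgraded from 11.0.1-1 keep the previous `any` and remain open to zone transfers from any address. If that is intended, the changelog entry in this patch should say "for new installations" so an operator reading the Bug #44380 line does not assume the upgrade hardened the host, and the manual text in this series should not present the restriction as the plain default; if it is not intended, the postinst needs a version-guarded migration such as `[ "$(univention-config-registry get dns/allow/transfer)" = any ] && univention-config-registry set dns/allow/transfer=localhost` (any existing version check sits outside the hunk). Note that `localhost` here is the BIND built-in ACL, which is exactly what the OpenLDAP-backend proxy named needs to pull zones from the LDAP named; a stricter `none` would break that path, as the manual hunk already warns.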
@@ -210,9 +210,6 @@ def _reload(zones, restart=False, dns_backend='ldap'): cmd = ['rndc', '-p', '55555', 'reload', zone] pid = os.spawnv(os.P_NOWAIT, RNDC_BIN, cmd) pids[pid] = cmd - cmd = ['rndc', '-p', '953', 'reload', zone] - pid = os.spawnv(os.P_NOWAIT, RNDC_BIN, cmd) - pids[pid] = cmd elif dns_backend == 'samba4': cmd = [RNDC_BIN, '-p', '953', 'reload'] p = subprocess.Popen(cmd)
diff --git a/services/univention-bind/conffiles/etc/bind/named.conf b/services/univention-bind/conffiles/etc/bind/named.conf
index 9c71f9d090..729898fd00 100644
--- a/services/univention-bind/conffiles/etc/bind/named.conf
+++ b/services/univention-bind/conffiles/etc/bind/named.conf
@@ -7,6 +7,7 @@ controls{ }; options { directory "/var/cache/bind"; + notify explicit; also-notify { 127.0.0.1; };
--
2.11.0
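Review bot: Removing the port-953 `rndc reload` leaves the ldap branch of `_reload` with no direct action on the PROXY-named; it now depends entirely on the LDAP-named sending NOTIFY to 127.0.0.1, which is configured in the named.conf hunk of this patch (`notify explicit; also-notify { 127.0.0.1; };`). That dependency should be written above the remaining `rndc -p 55555` call, e.g. `# Only the LDAP named is reloaded; it NOTIFYs the proxy named on 127.0.0.1 (named.conf: notify explicit / also-notify), which then transfers the zone.`, so the two halves are not changed independently later. NOTIFY is asynchronous and best-effort, whereas the removed spawn was tracked in `pids`; if the code after the hunk waits on `pids` before reporting success (the rest of `_reload` is outside the hunk), callers can now observe the proxy still serving the old zone for a short time. The `samba4` branch still reloads the port-953 instance directly, so the two backends now refresh the proxy by different mechanisms — worth a sentence in the function's docstring.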
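Review bot: `notify explicit;` is added to the `options` block without a comment explaining why NOTIFY is restricted to the `also-notify` list, so a reader of the template cannot tell that it pairs with the reload dropped from bind.py in this patch. Suggest `// notify explicit: send NOTIFY only to also-notify (the local proxy named), never to the zone's NS records` directly above the new line, since the template is what an administrator inspects first. With `notify explicit` the hosts in a zone's NS records are no longer notified at all; if any external secondary relied on NOTIFY from this instance it now has to fall back to the SOA refresh timer — presumably none exist with the ldap backend, but that assumption should be stated in the comment or the commit message. Whether the proxy instance accepts the NOTIFY from 127.0.0.1 depends on its `allow-notify`/`masters` configuration, which is not in this hunk; the default of accepting from a slave zone's masters covers it only if those zones list 127.0.0.1 as master — worth confirming.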