[Pdns-users] Disabling DNSUPDATE for *some* zones?

Kevin P. Fleming kevin at km6g.us
Wed Jan 2 01:15:45 UTC 2019


I've got PowerDNS Auth happily running and serving a number of domains
(primary and two secondaries, NOTIFY/AXFR, IPv6, etc.).

I've enabled DNSUPDATE so that I can do Let's Encrypt DNS-01
challenges for certificate issuance, and I use a TSIG key for the
update requests. When setting up a cert for a new domain recently, I
failed to set the domain metadata to indicate that the TSIG key would
be required, and PowerDNS accepted the DNSUPDATE anyway (and emitted a
log message to that effect).

I don't want this behavior; I want to disable DNSUPDATE for all
domains which don't have a TSIG key set in their metadata. The only
way I can see to do this would be to set ALLOW-DNSUPDATE-FROM at the
domain level to an invalid address, so that all requests will fail,
but I also have this set in the main configuration which might not be
overridden by the domain metadata.

Is there another way to disable DNSUPDATE at the domain level?
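
An audit for the gap described in the message above, as an added example that is not part of the original post or of PowerDNS itself: it lists every zone that has no TSIG key named in its metadata. It assumes a generic SQL backend with the `domains` and `domainmetadata` tables and the `TSIG-ALLOW-DNSUPDATE` metadata kind (not named in the post); the zone names, key name and address range are constructed sample data.

```python
import sqlite3

# Assumption: subset of the PowerDNS generic SQL backend schema, reduced to
# the columns this audit reads.
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE domainmetadata (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
                             kind TEXT, content TEXT);
"""

# Zones with no non-empty TSIG-ALLOW-DNSUPDATE row, plus any zone-level
# ALLOW-DNSUPDATE-FROM ranges so the reviewer sees what still gates updates.
AUDIT = """
SELECT d.name,
       GROUP_CONCAT(CASE WHEN m.kind = 'ALLOW-DNSUPDATE-FROM'
                         THEN m.content END) AS nets
FROM domains d
LEFT JOIN domainmetadata m ON m.domain_id = d.id
GROUP BY d.id, d.name
HAVING SUM(CASE WHEN m.kind = 'TSIG-ALLOW-DNSUPDATE'
                 AND TRIM(COALESCE(m.content, '')) <> ''
                THEN 1 ELSE 0 END) = 0
ORDER BY d.name
"""

def zones_without_tsig(conn):
    """Return [(zone, zone_level_allow_from_or_None)] for zones lacking a key."""
    return [(name, nets) for name, nets in conn.execute(AUDIT)]

def build_sample():
    """Constructed sample data: three zones in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO domains (id, name) VALUES (?, ?)",
                     [(1, "example.com"), (2, "example.net"), (3, "example.org")])
    conn.executemany(
        "INSERT INTO domainmetadata (domain_id, kind, content) VALUES (?, ?, ?)",
        [(1, "TSIG-ALLOW-DNSUPDATE", "acme-key"),      # key required
         (2, "ALLOW-DNSUPDATE-FROM", "192.0.2.0/24"),  # address filter only
         (3, "TSIG-ALLOW-DNSUPDATE", "")])             # row present, no key named
    return conn

if __name__ == "__main__":
    for zone, nets in zones_without_tsig(build_sample()):
        print(f"{zone}: no TSIG key set; zone ALLOW-DNSUPDATE-FROM={nets or 'unset'}")
```

Run against a copy of the real backend database, the same query can feed a scheduled check that alerts when a newly added zone appears in the result.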

