[Pdns-users] Disabling DNSUPDATE for *some* zones?

Remi Gacogne remi.gacogne at powerdns.com
Thu Jan 3 09:01:45 UTC 2019

Hi Kevin,

On 1/2/19 2:15 AM, Kevin P. Fleming wrote:
> I've got PowerDNS Auth happily running and serving a number of domains
> (primary and two secondaries, NOTIFY/AXFR, IPv6, etc.).
> I've enabled DNSUPDATE so that I can do Let's Encrypt DNS-01
> challenges for certificate issuance, and I use a TSIG key for the
> update requests. When setting up a cert for a new domain recently, I
> failed to set the domain metadata to indicate that the TSIG key would
> be required, and PowerDNS accepted the DNSUPDATE anyway (and emitted a
> log message to that effect).
> I don't want this behavior, I want to disable DNSUPDATE for all
> domains which don't have a TSIG key set in their metadata. The only
> way I can see to do this would be to set ALLOW-DNSUPDATE-FROM at the
> domain level to an invalid address, so that all requests will fail,
> but I also have this set in the main configuration which might not be
> overridden by the domain metadata.
> Is there another way to disable DNSUPDATE at the domain level?

I'm afraid I don't see any other way. I would advise opening a feature
request on GitHub [1] so it doesn't get lost.

[1]: https://github.com/PowerDNS/pdns/issues/new

Best regards,
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
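
An audit for the gap described in this thread, as an added example that is not part of the original messages and not PowerDNS code: it lists zones whose metadata does not require a TSIG key for DNSUPDATE, along with any zone-level ALLOW-DNSUPDATE-FROM value. It assumes a generic SQL backend with `domains` and `domainmetadata` tables and the `TSIG-ALLOW-DNSUPDATE` metadata kind; the zone names, key name and address are constructed sample data.

```python
import sqlite3

# Assumption: generic SQL backend layout (domains, domainmetadata). Sample rows are constructed.
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE domainmetadata (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
                             kind TEXT NOT NULL, content TEXT);
"""
SAMPLE = [
    ("example.org", [("TSIG-ALLOW-DNSUPDATE", "acme-key")]),
    ("example.net", []),                                   # metadata never set
    ("example.com", [("ALLOW-DNSUPDATE-FROM", "192.0.2.10/32")]),
    ("example.edu", [("TSIG-ALLOW-DNSUPDATE", "")]),       # row exists, key name empty
]

def build_sample_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for name, meta in SAMPLE:
        cur = db.execute("INSERT INTO domains (name) VALUES (?)", (name,))
        db.executemany(
            "INSERT INTO domainmetadata (domain_id, kind, content) VALUES (?, ?, ?)",
            [(cur.lastrowid, kind, content) for kind, content in meta])
    return db

def zones_without_tsig_requirement(db):
    """Map each zone lacking a non-empty TSIG-ALLOW-DNSUPDATE to its zone-level ACL values."""
    rows = db.execute("""
        SELECT d.name, m.content
        FROM domains d
        LEFT JOIN domainmetadata m
               ON m.domain_id = d.id AND m.kind = 'ALLOW-DNSUPDATE-FROM'
        WHERE NOT EXISTS (
            SELECT 1 FROM domainmetadata t
            WHERE t.domain_id = d.id AND t.kind = 'TSIG-ALLOW-DNSUPDATE'
              AND TRIM(COALESCE(t.content, '')) <> '')
        ORDER BY d.name
    """).fetchall()
    report = {}
    for name, acl in rows:
        report.setdefault(name, [])
        if acl is not None:
            report[name].append(acl)
    return report

if __name__ == "__main__":
    for zone, acl in zones_without_tsig_requirement(build_sample_db()).items():
        print(f"{zone}: no TSIG key required; zone-level ALLOW-DNSUPDATE-FROM = {acl or 'not set'}")
```

Against a real deployment, replace `build_sample_db()` with a read-only connection to the backend database and run the check whenever a zone is added.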
