[Pdns-users] Disabling DNSUPDATE for *some* zones?

Kevin P. Fleming kevin at km6g.us
Thu Jan 3 11:34:17 UTC 2019


Done, thanks.

On Thu, Jan 3, 2019 at 4:02 AM Remi Gacogne <remi.gacogne at powerdns.com> wrote:
>
> Hi Kevin,
>
> On 1/2/19 2:15 AM, Kevin P. Fleming wrote:
> > I've got PowerDNS Auth happily running and serving a number of domains
> > (primary and two secondaries, NOTIFY/AXFR, IPv6, etc.).
> >
> > I've enabled DNSUPDATE so that I can do Let's Encrypt DNS-01
> > challenges for certificate issuance, and I use a TSIG key for the
> > update requests. When setting up a cert for a new domain recently, I
> > failed to set the domain metadata to indicate that the TSIG key would
> > be required, and PowerDNS accepted the DNSUPDATE anyway (and emitted a
> > log message to that effect).
> >
> > I don't want this behavior, I want to disable DNSUPDATE for all
> > domains which don't have a TSIG key set in their metadata. The only
> > way I can see to do this would be to set ALLOW-DNSUPDATE-FROM at the
> > domain level to an invalid address, so that all requests will fail,
> > but I also have this set in the main configuration which might not be
> > overridden by the domain metadata.
> >
> > Is there another way to disable DNSUPDATE at the domain level?
>
> I'm afraid I don't see any other way. I would advise opening a feature
> request on GitHub [1] so it doesn't get lost.
>
> [1]: https://github.com/PowerDNS/pdns/issues/new
>
> Best regards,
> --
> Remi Gacogne
> PowerDNS.COM BV - https://www.powerdns.com/
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users


More information about the Pdns-users mailing list