[Pdns-users] Disabling DNSUPDATE for *some* zones?
Kevin P. Fleming
kevin at km6g.us
Thu Jan 3 11:34:17 UTC 2019
On Thu, Jan 3, 2019 at 4:02 AM Remi Gacogne <remi.gacogne at powerdns.com> wrote:
> Hi Kevin,
> On 1/2/19 2:15 AM, Kevin P. Fleming wrote:
> > I've got PowerDNS Auth happily running and serving a number of domains
> > (primary and two secondaries, NOTIFY/AXFR, IPv6, etc.).
> > I've enabled DNSUPDATE so that I can do Let's Encrypt DNS-01
> > challenges for certificate issuance, and I use a TSIG key for the
> > update requests. When setting up a cert for a new domain recently, I
> > failed to set the domain metadata to indicate that the TSIG key would
> > be required, and PowerDNS accepted the DNSUPDATE anyway (and emitted a
> > log message to that effect).
> > I don't want this behavior; I want to disable DNSUPDATE for all
> > domains which don't have a TSIG key set in their metadata. The only
> > way I can see to do this would be to set ALLOW-DNSUPDATE-FROM at the
> > domain level to an invalid address, so that all requests will fail,
> > but I also have this set in the main configuration which might not be
> > overridden by the domain metadata.
> > Is there another way to disable DNSUPDATE at the domain level?
> I'm afraid I don't see any other way. I would advise opening a feature
> request on GitHub so it doesn't get lost.
> https://github.com/PowerDNS/pdns/issues/new
> Best regards,
> Remi Gacogne
> PowerDNS.COM BV - https://www.powerdns.com/