Prevents DNS Amplification Attack and allow to customize named

While [1] did open recursion, it also opened widely a security flaw. This patch intends to close it back, while allowing operators to easily add their open configuration within Bind9. In order to allow operators to still open Bind recursion, a new file is introduced, "ipa-ext.conf" (path might change according to the OS). This file is not managed by the installer, meaning changes to it won't be overridden. Since it's included at the very end of the main configuration file, it also allows to override some defaults - of course, operators have to be careful with that. Related-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1754530 Fixes: https://pagure.io/freeipa/issue/8079 [1] 5f4c75eb28 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Stanislav Levin <slev@altlinux.org>
2025-02-25 18:55:28 -06:00 · 2019-09-24 14:00:55 +02:00
parent f58fb573d1
commit 6c27104467
9 changed files with 86 additions and 2 deletions
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -79,6 +79,8 @@ class BasePathNamespace:
    LDAP_CONF = "/etc/ldap.conf"
    LIBNSS_LDAP_CONF = "/etc/libnss-ldap.conf"
    NAMED_CONF = "/etc/named.conf"
+    NAMED_CUSTOM_CONFIG = "/etc/named/ipa-ext.conf"
+    NAMED_CUSTOM_CFG_SRC = '/usr/share/ipa/bind.ipa-ext.conf'
    NAMED_VAR_DIR = "/var/named"
    NAMED_KEYTAB = "/etc/named.keytab"
    NAMED_RFC1912_ZONES = "/etc/named.rfc1912.zones"