mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
6c27104467
While [1] did open recursion, it also opened widely a security flaw.
This patch intends to close it back, while allowing operators to easily
add their open configuration within Bind9.
In order to allow operators to still open Bind recursion, a new file is
introduced, "ipa-ext.conf" (path might change according to the OS). This
file is not managed by the installer, meaning changes to it won't be
overridden.
Since it's included at the very end of the main configuration file, it
also allows to override some defaults - of course, operators have to be
careful with that.
Related-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1754530
Fixes: https://pagure.io/freeipa/issue/8079
[1] 5f4c75eb28
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
68 lines
1.8 KiB
Plaintext
68 lines
1.8 KiB
Plaintext
options {
|
|
// turns on IPv6 for port 53, IPv4 is on by default for all ifaces
|
|
listen-on-v6 {any;};
|
|
|
|
// Put files that named is allowed to write in the data/ directory:
|
|
directory "$NAMED_VAR_DIR"; // the default
|
|
dump-file "${NAMED_DATA_DIR}cache_dump.db";
|
|
statistics-file "${NAMED_DATA_DIR}named_stats.txt";
|
|
memstatistics-file "${NAMED_DATA_DIR}named_mem_stats.txt";
|
|
|
|
// If not explicitly set, the ACLs for "allow-query-cache" and
|
|
// "allow-recursion" are set to "localnets; localhost;".
|
|
// If either "allow-query-cache" or "allow-recursion" is set,
|
|
// the other would be set the same value.
|
|
// Please refer to $CUSTOM_CONFIG
|
|
// for more informations
|
|
|
|
tkey-gssapi-keytab "$NAMED_KEYTAB";
|
|
pid-file "$NAMED_PID";
|
|
|
|
dnssec-enable yes;
|
|
dnssec-validation yes;
|
|
|
|
/* Path to ISC DLV key */
|
|
bindkeys-file "$BINDKEYS_FILE";
|
|
|
|
managed-keys-directory "$MANAGED_KEYS_DIR";
|
|
|
|
/* crypto policy snippet on platforms with system-wide policy. */
|
|
$INCLUDE_CRYPTO_POLICY
|
|
};
|
|
|
|
/* If you want to enable debugging, eg. using the 'rndc trace' command,
|
|
* By default, SELinux policy does not allow named to modify the /var/named directory,
|
|
* so put the default debug log file in data/ :
|
|
*/
|
|
logging {
|
|
channel default_debug {
|
|
file "${NAMED_DATA_DIR}named.run";
|
|
severity dynamic;
|
|
print-time yes;
|
|
};
|
|
};
|
|
|
|
${NAMED_ZONE_COMMENT}zone "." IN {
|
|
${NAMED_ZONE_COMMENT} type hint;
|
|
${NAMED_ZONE_COMMENT} file "named.ca";
|
|
${NAMED_ZONE_COMMENT}};
|
|
|
|
include "$RFC1912_ZONES";
|
|
include "$ROOT_KEY";
|
|
|
|
/* custom configuration snippet */
|
|
include "$CUSTOM_CONFIG";
|
|
|
|
/* WARNING: This part of the config file is IPA-managed.
|
|
* Modifications may break IPA setup or upgrades.
|
|
*/
|
|
dyndb "ipa" "$BIND_LDAP_SO" {
|
|
uri "ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket";
|
|
base "cn=dns, $SUFFIX";
|
|
server_id "$FQDN";
|
|
auth_method "sasl";
|
|
sasl_mech "GSSAPI";
|
|
sasl_user "DNS/$FQDN";
|
|
};
|
|
/* End of IPA-managed part. */
|