allow-update in global options (was Re: bind and certbot with dns-challenge)

Alan Clegg aclegg at isc.org
Tue Apr 2 16:28:02 UTC 2019


On 4/2/19 6:00 PM, Sam Wilson wrote:

>> During a cleanup of other code (specifically named-checkconf), code was
>> changed that enforced what was believed to have been the default
>> previously: specifically, allow-update was only allowed in zone stanzas.
> 
> Can I ask who believed it was previously the default?  I hope I'm not
> misreading the first dozen or so lines of this page (which seems to be
> reflected in previous editions of the ARM).
> 
> <https://ftp.isc.org/isc/bind9/cur/9.13/doc/arm/Bv9ARM.ch05.html#options_grammar>

The answer to your question is:  "someone at ISC".

However, can you post exactly what you mean by "this page" and what
default we are talking about?  Based on the history of this e-mail
thread, I think that we are talking about "allow-update" being available
at the global view (up until 9.13.3) and it not being allowed there (the
rest of the 9.13 branch up until 9.14.0).

In the options section of the ARM I see:

allow-update
Specifies which hosts are allowed to submit Dynamic DNS updates for
master zones. The default is to deny updates from all hosts. Note that
allowing updates based on the requestor's IP address is insecure; see
the section called “Dynamic Update Security” for details.

in 9.12
(https://ftp.isc.org/isc/bind9/cur/9.12/doc/arm/Bv9ARM.ch05.html#options_grammar)
and:

allow-update
When set in the zone statement for a master zone, specifies which hosts
are allowed to submit Dynamic DNS updates to that zone. The default is
to deny updates from all hosts. This can only be set at the zone level,
not in options or view.

in 9.13 and 9.14.  The text here (as referred to in your link) is the
updated text that was changed at the same time that the code change was
made, thus matching what was released in 9.14.

AlanC
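The rule discussed above (allow-update accepted in a zone statement, rejected in options or view from 9.13.3/9.14 onward, and address-based update ACLs discouraged in favour of a TSIG key) can be illustrated with a small checker. This is an added example, not part of the thread and not BIND's own named-checkconf code: it uses a deliberately simplified named.conf tokenizer, and the two configurations, the key name "certbot" and the addresses in them are constructed for the example.

```python
import re

# Constructed sample: allow-update at the global (options) level, matching by
# address. Current named-checkconf rejects the placement; the address match is
# the pattern the ARM calls insecure.
REJECTED_CONF = """
options {
    directory "/var/named";
    allow-update { 192.0.2.10; };   // global placement, rejected since 9.13.3
};
zone "example.com" {
    type master;
    file "example.com.zone";
};
"""

# Constructed sample: the accepted form, allow-update inside the zone statement
# and restricted to a TSIG key (secret is a placeholder, not a real key).
ACCEPTED_CONF = """
options {
    directory "/var/named";
};
key "certbot" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";
};
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-update { key "certbot"; };
};
"""

# Simplified tokenizer: quoted strings, braces, semicolons, bare words.
# (Does not handle '#' or '//' inside quoted strings; enough for the samples.)
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def strip_comments(text):
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#).*', '', text)


def parse(tokens, i=0):
    """Return (statements, next_index); a statement is (words, children|None)."""
    stmts, words = [], []
    while i < len(tokens):
        t = tokens[i]
        if t == '{':
            children, i = parse(tokens, i + 1)
            stmts.append((words, children))
            words = []
        elif t == '}':
            return stmts, i + 1
        elif t == ';':
            if words:
                stmts.append((words, None))
            words = []
            i += 1
        else:
            words.append(t)
            i += 1
    return stmts, i


def check(conf):
    """Return a list of findings about allow-update placement and ACL style."""
    stmts, _ = parse(TOKEN.findall(strip_comments(conf)))
    findings = []

    def walk(stmts, scope):
        for words, children in stmts:
            head = words[0]
            if head == 'allow-update':
                # Placement rule: only valid directly inside a zone statement.
                if scope.split()[0] in ('options', 'view'):
                    findings.append(f'{scope}: allow-update is not allowed here; '
                                    f'move it into the zone statement')
                # ACL style: anything other than a key element matches by address.
                for acl_words, _ in (children or []):
                    if acl_words[0] != 'key':
                        findings.append(f'{scope}: allow-update matches by address '
                                        f'({" ".join(acl_words)}); prefer a TSIG key')
            elif children is not None and head in ('options', 'view', 'zone'):
                walk(children, ' '.join(words))

    walk(stmts, 'top')
    return findings


if __name__ == '__main__':
    for name, conf in (('rejected', REJECTED_CONF), ('accepted', ACCEPTED_CONF)):
        print(name, check(conf) or 'no findings')
```

Run as a script it reports two findings for the first configuration (placement and address-based ACL) and none for the second; the real named-checkconf is the authority for any given BIND version, this only mirrors the rule as stated in the thread.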

