Allow transfer

Discussion in 'General' started by The Other Air Force, Sep 28, 2018.

  1. The Other Air Force

    The Other Air Force New Member

    Hello,
I know this issue has been brought up in various forms before, but I would like to be able to specify a default allow-transfer IP address for Bind. I'd like to be able to set allow-transfer in named.conf.options and not have allow-transfer set to none by default at the zone level. I'd like the behaviour to only have allow-transfer set at the zone level if something is specified in the ISPConfig manager for that particular zone. If a user wants to specifically set the zone to none, perhaps we can have a checkbox in the zone for that domain. This would allow a more transparent DNS setup for my users.

    To clarify:
    I have my allow-transfer in named.conf.options with my preferred slave servers.
    If at the zone level the allow-transfer box is blank, then allow-transfer will not be included in the zone file, allowing the global option to be used.
    If the user sets allow-transfer at the zone level, this would be respected and added to the zone file.
    To avoid confusion, in the case a user wants to strictly prohibit transfers, there could be an "allow none" checkbox that would set allow-transfer to none at the zone level.

    This would allow me to transparently give my users a slave zone without having something listed in the zone box.

    Thanks!
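    The layout described in the post, written out as BIND configuration. This is an added example, not configuration from the original post or from ISPConfig: an options-level allow-transfer (and also-notify) list, one zone that inherits it by carrying no allow-transfer statement of its own, one zone that overrides it with its own list, and one zone that refuses transfers outright. The addresses (RFC 5737 documentation ranges), zone names and file paths are placeholders.

```conf
options {
    directory "/var/cache/bind";   // placeholder path

    // Global default for every zone that does not set its own
    // allow-transfer: the preferred slave servers (placeholder IPs).
    allow-transfer { 192.0.2.53; 198.51.100.53; };

    // Send NOTIFY to the same slaves so they pull changes promptly.
    notify yes;
    also-notify { 192.0.2.53; 198.51.100.53; };
};

// "Allow zone transfers" left blank in the panel: no allow-transfer
// statement is emitted here, so the options-level ACL applies.
zone "example.com" {
    type master;
    file "/etc/bind/pri.example.com";   // placeholder path
};

// A zone with its own list. A zone-level allow-transfer replaces the
// global ACL for this zone; it does not extend it.
zone "example.net" {
    type master;
    file "/etc/bind/pri.example.net";   // placeholder path
    allow-transfer { 203.0.113.53; };
};

// A zone the user marked "allow none": transfers are refused for this
// zone only, the other zones keep the global default.
zone "example.org" {
    type master;
    file "/etc/bind/pri.example.org";   // placeholder path
    allow-transfer { none; };
};
```

    After changing either file, `named-checkconf` validates the syntax before a reload; a zone that should be reachable by a slave can be checked from that slave with `dig @primary example.com AXFR`, which should return the zone for example.com and example.net but be refused for example.org.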
     
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    For a slave server, e.g. ns2.afraid.org as asked by a user recently, the ISPConfig DNS Settings page should be able to do that simply by adding its IP in "Allow zone transfers" (and "Also Notify"), so you do not have to modify any of your bind files manually (though for that you might also want to create that slave server and its IP in the Secondary DNS Zone).

    However, for other things, you can make a feature request, of course, @The Other Air Force.

    Other than what you have stated, I would suggest a per-domain TSIG key, other than DNSSEC, for mirror setup (which is not covered currently), so only a user with the TSIG key can access and update a domain zone temporarily yet securely (as ISPConfig keeps everything in its database, so any changes must be properly done via PHP, added to its database, then the domain zone resynced).

    As an extra note, I am trying to attend to the last part since I am interested in allowing ISPConfig users to create Let's Encrypt SSL certs using the dns-01 challenge, and the best way I have figured out so far is using the nsupdate command with a domain TSIG key, but definitely not using the bind (dns_rfc2136) plugin for certbot, as the latter sends a jnl (journal) file that is currently not consistent with bind9.

    My trials disclose that there is no need to keep the acme_challenge TXT in any domain zone file after Let's Encrypt SSL certs are issued, since certbot will issue a new validation token on every creation or renewal.

    Sorry to extend your thread with some of my previous discussions, but I thought they are related and I might attend to your proposal as well.
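    One way to express the per-domain TSIG idea in BIND itself. This is an added example, not configuration from the post above or from ISPConfig: a key statement of the form `tsig-keygen -a hmac-sha256` produces, an update-policy that grants that key nothing but the `_acme-challenge` TXT record, and an allow-transfer ACL that accepts the same key, so the key cannot be used to change anything else in the zone. The key name, the secret and the file path are placeholders.

```conf
// Per-domain TSIG key. Generate the real one on the primary with
//   tsig-keygen -a hmac-sha256 example.com-acme
// and paste its output here; the secret below is a placeholder only.
key "example.com-acme" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_REPLACE_ME==";
};

zone "example.com" {
    type master;
    file "/etc/bind/pri.example.com";   // placeholder path

    // Dynamic updates: this key may add or delete only the TXT record
    // at _acme-challenge.example.com. Any other name or type is refused,
    // so a leaked key cannot rewrite the zone.
    update-policy {
        grant example.com-acme name _acme-challenge.example.com TXT;
    };

    // Transfers: accept a request signed with the same key, in addition
    // to the fixed slave address (placeholder IP).
    allow-transfer { key "example.com-acme"; 192.0.2.53; };
};
```

    A client then signs its request with `nsupdate -k <keyfile>` and issues `update add _acme-challenge.example.com 300 TXT "<token>"` followed by `send`; once the certificate is issued the same key can `update delete` the record again, which matches the observation above that the challenge TXT does not need to stay in the zone. Dynamic updates are applied through the zone's `.jnl` journal rather than the zone file itself, so if the file is edited or regenerated by hand, run `rndc sync -clean example.com` first to flush the journal into the file and avoid the inconsistency the post describes.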
     
  3. The Other Air Force

    The Other Air Force New Member

    I know this is old, but the reason I wanted this is because I have clients that use the DNS function. They are using my DNS servers and I want to force the transfers. So if they mess up the entries for the individual zone, I can have an ACL set up. I have it set up right now with the IP addresses in, but I'd like to have the option to force notifies.
     