On 02/06/2018 at 19:39, Simon Kelley wrote:
> This is just some security logic, since omitting auth-peer is allowed,
> and accepts AXFR requests from anywhere, AXFR is inhibited unless
> auth-sec-servers is specified. Otherwise, a dnsmasq instance without any
> secondary-server configuration would be open to zone transfers from
> anywhere, which is not a good default. The obvious solution is to allow
> zone transfers even if there is no auth-sec-servers config, as long as
> auth-peer is specified and satisfied.
> This commit implements that.
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=090856c7e6d483bc4d7ec41f55208a9842769c45

> The complexity arises because dnsmasq doesn't store "reverse" records
> and PTR records in an in-addr.arpa zone. To answer individual queries,
> it essentially extracts the IP address encoded in the domain name, and
> looks up IP addresses in the internal data structures. This is a result
> of a very old design decision.
> Doing an AXFR of an in-addr.arpa zone therefore requires iterating over
> all the name<->IP address mappings, and looking for addresses that end
> up in the zone in question. It would be possible, but it would be a lot
> of new code, especially for IPv6.
Thank you very much for answering both questions, and implementing the
solution to the first one so quickly.

For the second one, I can live with a tiny script that converts the A
records from the zone data to PTR records and build a zone file.

Thanks again!


Raphaël Halimi
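As an added illustration of the two points discussed in this thread (it is not Raphaël's script, nor dnsmasq's own code), the following Python snippet does what Simon describes dnsmasq doing for individual PTR queries, namely recovering the IP address encoded in an in-addr.arpa or ip6.arpa owner name, and what he says an AXFR of a reverse zone would require: iterating over every name/address mapping and keeping those that fall inside the requested zone. It then renders the result as a zone file of PTR records, which is the "tiny script" approach mentioned above. The input is assumed to be in /etc/hosts format (address followed by names), the way dnsmasq reads its hosts files; the sample data below is constructed and the host names and addresses are hypothetical (documentation prefixes).

```python
import ipaddress

# Constructed sample input in /etc/hosts format (hypothetical names, RFC 5737/3849 addresses).
SAMPLE_HOSTS = """
# address            names
192.0.2.1            router.lan.example router
192.0.2.20           printer.lan.example
2001:db8::10         nas.lan.example nas
198.51.100.7         other.lan.example
"""


def parse_hosts(text):
    """Return (canonical_name, ip_address) pairs from hosts-file text; comments are ignored."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr = ipaddress.ip_address(fields[0])
        records.append((fields[1].rstrip("."), addr))  # first name is the canonical one
    return records


def reverse_name(addr_text):
    """Forward direction: the PTR owner name for an address (e.g. '1.2.0.192.in-addr.arpa')."""
    return ipaddress.ip_address(addr_text).reverse_pointer


def address_from_reverse_name(name):
    """Inverse direction: extract the address encoded in a reverse owner name.

    This is the per-query trick the thread describes: no reverse records are stored,
    the address is decoded from the query name and looked up in the forward data.
    """
    name = name.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        labels = name[: -len(".in-addr.arpa")].split(".")
        if len(labels) != 4:
            raise ValueError("expected four octets in in-addr.arpa name")
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32:
            raise ValueError("expected 32 nibbles in ip6.arpa name")
        return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    raise ValueError("not a reverse-mapping name")


def ptr_records_for_zone(records, zone):
    """AXFR direction: walk every mapping and keep those whose reverse name is inside `zone`."""
    zone = zone.rstrip(".").lower()
    out = []
    for name, addr in records:
        rname = addr.reverse_pointer
        if rname == zone or rname.endswith("." + zone):
            out.append((rname + ".", name + "."))
    return sorted(out)


def render_zone(zone, ptrs, ttl=3600):
    """Render PTR records as a minimal zone-file fragment (no SOA/NS; add your own)."""
    lines = [f"$ORIGIN {zone.rstrip('.')}.", f"$TTL {ttl}"]
    for owner, target in ptrs:
        lines.append(f"{owner}\tIN\tPTR\t{target}")
    return "\n".join(lines) + "\n"


def build_reverse_zone(hosts_text, zone):
    """Convenience wrapper: hosts text in, zone-file text out."""
    return render_zone(zone, ptr_records_for_zone(parse_hosts(hosts_text), zone))


if __name__ == "__main__":
    print(build_reverse_zone(SAMPLE_HOSTS, "2.0.192.in-addr.arpa"))
    print(build_reverse_zone(SAMPLE_HOSTS, "8.b.d.0.1.0.0.2.ip6.arpa"))
```

The forward and inverse helpers show why the per-query lookup is cheap (decode one name, one table lookup) while a zone transfer is not (a full scan, with 32 nibble labels to handle for IPv6). The rendered output omits the SOA and NS records a complete zone needs, so add those before serving it.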

Dnsmasq-discuss mailing list