Hi Kevin, On 1/2/19 2:15 AM, Kevin P. Fleming wrote: > I've got PowerDNS Auth happily running and serving a number of domains > (primary and two secondaries, NOTIFY/AXFR, IPv6, etc.). > > I've enabled DNSUPDATE so that I can do Let's Encrypt DNS-01 > challenges for certificate issuance, and I use a TSIG key for the > update requests. When setting up a cert for a new domain recently, I > failed to set the domain metadata to indicate that the TSIG key would > be required, and PowerDNS accepted the DNSUPDATE anyway (and emitted a > log message to that effect). > > I don't want this behavior, I want to disable DNSUPDATE for all > domains which don't have a TSIG key set in their metadata. The only > way I can see to do this would be to set ALLOW-DNSUPDATE-FROM at the > domain level to an invalid address, so that all requests will fail, > but I also have this set in the main configuration which might not be > overridden by the domain metadata. > > Is there another way to disable DNSUPDATE at the domain level?
I'm afraid I don't see any other way. I would advise opening a feature request on GitHub [1] so it doesn't get lost. [1]: https://github.com/PowerDNS/pdns/issues/new Best regards, -- Remi Gacogne PowerDNS.COM BV - https://www.powerdns.com/
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Pdns-users mailing list [email protected] https://mailman.powerdns.com/mailman/listinfo/pdns-users
