mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-30 22:15:20 +00:00
improved documentation
@@ -7053,18 +7053,24 @@ options {
|
|||||||
<term><command>allow-notify</command></term>
|
<term><command>allow-notify</command></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Specifies which hosts are allowed to
|
This ACL specifies which hosts may send NOTIFY messages
|
||||||
notify this server, a slave, of zone changes in addition
|
to inform this server of changes to zones for which it
|
||||||
to the zone masters.
|
is acting as a secondary server. This is only
|
||||||
<command>allow-notify</command> may also be
|
applicable for secondary zones (i.e., type
|
||||||
specified in the
|
<literal>secondary</literal> or <literal>slave</literal>).
|
||||||
<command>zone</command> statement, in which case
|
</para>
|
||||||
it overrides the
|
<para>
|
||||||
<command>options allow-notify</command>
|
If this option is set in <command>view</command> or
|
||||||
statement. It is only meaningful
|
<command>options</command>, it is globally applied to
|
||||||
for a slave zone. If not specified, the default is to
|
all secondary zones. If set in the <command>zone</command>
|
||||||
process notify messages
|
statement, the global value is overridden.
|
||||||
only from a zone's master.
|
</para>
|
||||||
|
<para>
|
||||||
|
If not specified, the default is to process NOTIFY
|
||||||
|
messages only from the configured
|
||||||
|
<command>masters</command> for the zone.
|
||||||
|
<command>allow-notify</command> can be used to expand the
|
||||||
|
list of permitted hosts, not to reduce it.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
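Review bot: In the second added paragraph, "it is globally applied to all secondary zones" is used for both view and options, but a value set in a view can only reach the zones of that view; suggest "it applies to all secondary zones in that scope". The third added paragraph should also state outright that NOTIFY messages from the configured masters are accepted whatever this ACL contains. As written, "the global value is overridden" followed by "expand the list of permitted hosts, not to reduce it" leaves a reader to work out that a zone-level allow-notify cannot be used to shut the masters out. The prose also mixes "secondary" with "slave"; that is fine where it names the zone type keyword, but the running text should pick one term.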
@@ -7199,11 +7205,16 @@ options {
|
|||||||
<term><command>allow-update</command></term>
|
<term><command>allow-update</command></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Specifies which hosts are allowed to
|
When set in the <command>zone</command> statement for
|
||||||
submit Dynamic DNS updates for master zones. The default is
|
a master zone, specifies which hosts are allowed to
|
||||||
to deny
|
submit Dynamic DNS updates to that zone. The default
|
||||||
updates from all hosts. Note that allowing updates based
|
is to deny updates from all hosts. This can only
|
||||||
on the requestor's IP address is insecure; see
|
be set at the <command>zone</command> level, not in
|
||||||
|
<command>options</command> or <command>view</command>.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
Note that allowing updates based on the
|
||||||
|
requestor's IP address is insecure; see
|
||||||
<xref linkend="dynamic_update_security"/> for details.
|
<xref linkend="dynamic_update_security"/> for details.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
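Review bot: The first added sentence opens with "When set in the zone statement for a master zone", yet the same paragraph ends with "This can only be set at the zone level", so the opening condition is redundant and reads as if other placements were possible. Suggest opening with "Specifies which hosts are allowed to submit Dynamic DNS updates to a master zone" and keeping the restriction as the closing sentence. Because that sentence documents a configuration restriction, please confirm it matches what named-checkconf accepts, and say whether a value placed in options or view is rejected or silently ignored.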
@@ -7213,29 +7224,30 @@ options {
|
|||||||
<term><command>allow-update-forwarding</command></term>
|
<term><command>allow-update-forwarding</command></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Specifies which hosts are allowed to
|
When set in the <command>zone</command> statement for
|
||||||
submit Dynamic DNS updates to slave zones to be forwarded to
|
a slave zone, specifies which hosts are allowed to
|
||||||
the
|
submit Dynamic DNS updates and have them be forwarded
|
||||||
master. The default is <userinput>{ none; }</userinput>,
|
to the master. The default is
|
||||||
which
|
<userinput>{ none; }</userinput>, which means that no
|
||||||
means that no update forwarding will be performed. To
|
update forwarding will be performed. This can only be
|
||||||
enable
|
set at the <command>zone</command> level, not in
|
||||||
update forwarding, specify
|
<command>options</command> or <command>view</command>.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
To enable update forwarding, specify
|
||||||
<userinput>allow-update-forwarding { any; };</userinput>.
|
<userinput>allow-update-forwarding { any; };</userinput>.
|
||||||
Specifying values other than <userinput>{ none; }</userinput> or
|
in the <command>zone</command> statement.
|
||||||
<userinput>{ any; }</userinput> is usually
|
Specifying values other than <userinput>{ none; }</userinput>
|
||||||
counterproductive, since
|
or <userinput>{ any; }</userinput> is usually
|
||||||
the responsibility for update access control should rest
|
counterproductive; the responsibility for update
|
||||||
with the
|
access control should rest with the master server, not
|
||||||
master server, not the slaves.
|
the slave.
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
Note that enabling the update forwarding feature on a slave
|
Note that enabling the update forwarding feature on a slave
|
||||||
server
|
server may expose master servers to attacks if they rely
|
||||||
may expose master servers relying on insecure IP address
|
on insecure IP-address-based access control; see
|
||||||
based
|
<xref linkend="dynamic_update_security"/> for more details.
|
||||||
access control to attacks; see <xref linkend="dynamic_update_security"/>
|
|
||||||
for more details.
|
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
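Review bot: The unchanged line ending in "allow-update-forwarding { any; };</userinput>." keeps its trailing period, so the added line "in the <command>zone</command> statement." becomes a stray fragment after a sentence that has already ended; drop the period after </userinput> so the sentence reads through to "statement.". The first added paragraph has the same redundancy as the allow-update entry ("When set in the zone statement" alongside "This can only be set at the zone level"). This entry also says "slave zone" and "the slave" while the allow-notify entry in the same commit moves to "secondary"; the terminology should be consistent across the entries touched here.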
@@ -7259,13 +7271,14 @@ options {
|
|||||||
<term xml:id="allow_transfer_term"><command>allow-transfer</command></term>
|
<term xml:id="allow_transfer_term"><command>allow-transfer</command></term>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
Specifies which hosts are allowed to
|
Specifies which hosts are allowed to receive zone
|
||||||
receive zone transfers from the server. <command>allow-transfer</command> may
|
transfers from the server. <command>allow-transfer</command>
|
||||||
also be specified in the <command>zone</command>
|
may also be specified in the <command>zone</command>
|
||||||
statement, in which
|
statement, in which case it overrides the
|
||||||
case it overrides the <command>options allow-transfer</command> statement.
|
<command>allow-transfer</command> statement set in
|
||||||
If not specified, the default is to allow transfers to all
|
<command>options</command> or <command>view</command>.
|
||||||
hosts.
|
If not specified, the default is to allow transfers to
|
||||||
|
all hosts.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
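Review bot: The closing sentence of the rewritten paragraph keeps "the default is to allow transfers to all hosts" without any caution, while the allow-update and allow-update-forwarding entries in this commit both carry a security note. A zone transfer hands the complete zone contents to whoever asks, so suggest adding a sentence that recommends setting an explicit allow-transfer ACL instead of relying on the default. The new wording "the allow-transfer statement set in options or view" also leaves open which of the two applies when both are set; one clause on precedence would close that gap.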