[Backport][ipa-4-8] Ensure recursion is locked when deploying DNS service #3886

Closed
@abbra abbra commented Nov 12, 2019

This PR was opened automatically because PR #3725 was pushed to master and backport to ipa-4-8 is required.

While [1] did open recursion, it also widely opened a security flaw.

This patch intends to close it back, while allowing operators to easily
add their open configuration within Bind9.

In order to allow operators to still open Bind recursion, a new file is
introduced, "ipa-ext.conf" (path might change according to the OS). This
file is not managed by the installer, meaning changes to it won't be
overridden.
Since it's included at the very end of the main configuration file, it
also allows overriding some defaults - of course, operators have to be
careful with that.

Related-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1754530
Fixes: https://pagure.io/freeipa/issue/8079

[1] freeipa@5f4c75e
@abbra abbra added the ack Pull Request approved, can be merged label Nov 12, 2019
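
A defender-side check for the condition this backport closes, as an added example that is not part of the PR or of FreeIPA's code: it reads the `options` block of a named.conf and reports whether recursion is open, restricted or disabled, following BIND's fallback from `allow-recursion` to `allow-query-cache` to `allow-query`. The sample configurations and the `trusted_network` ACL name are constructed for illustration, and `include` files such as ipa-ext.conf are not followed.

```python
import re

OPEN_TOKENS = {"any", "0.0.0.0/0", "::/0"}  # address-match entries that admit everyone

def strip_comments(text):
    """Remove /* */, // and # comments (assumes no comment markers inside strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def options_body(text):
    """Return the text inside the top-level options { ... } block, or ''."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return text[start:]

def acl(body, name):
    """Return the entries of a flat address-match list, or None if the option is unset."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s*\{([^}]*)\}", body)
    return None if m is None else [t for t in re.split(r"[;\s]+", m.group(1)) if t]

def recursion_exposure(conf_text):
    """Classify recursion as 'disabled', 'open' or 'restricted'."""
    body = options_body(strip_comments(conf_text))
    m = re.search(r"(?<![\w-])recursion\s+(\w+)\s*;", body)
    if m and m.group(1).lower() in ("no", "false", "0"):
        return "disabled"
    # BIND uses the first of these that is set as the recursion ACL.
    for name in ("allow-recursion", "allow-query-cache", "allow-query"):
        entries = acl(body, name)
        if entries is not None:
            return "open" if OPEN_TOKENS & set(entries) else "restricted"
    return "restricted"  # nothing set: BIND defaults to localnets; localhost

# Constructed sample configurations (not taken from FreeIPA's templates).
OPEN_CONF = 'options {\n  directory "/var/named";\n  allow-recursion { any; };  // world\n};\n'
LOCKED_CONF = ('acl "trusted_network" { localnets; localhost; };  /* hypothetical ACL */\n'
               'options {\n  allow-recursion { trusted_network; };\n};\n')
INHERITED_CONF = "options { allow-query { any; }; };"  # recursion ACL inherited, still open

if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("locked", LOCKED_CONF), ("inherited", INHERITED_CONF)):
        print(label, "->", recursion_exposure(conf))
```

The inherited case is the one to watch when auditing: a configuration with no `allow-recursion` line at all still recurses for everyone if `allow-query` admits `any`.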
abbra commented Nov 12, 2019

PR was ACKed automatically because this is backport of PR #3725. Wait for CI to finish before pushing. In case of questions or problems contact @cjeanner who is author of the original PR.

@abbra abbra added the re-run Trigger a new run of PR-CI label Nov 12, 2019
@freeipa-pr-ci freeipa-pr-ci removed the re-run Trigger a new run of PR-CI label Nov 12, 2019
@abbra abbra added the pushed Pull Request has already been pushed label Nov 12, 2019
abbra commented Nov 12, 2019

ipa-4-8:

  • bbe2472 Prevents DNS Amplification Attack and allow to customize named

@abbra abbra closed this Nov 12, 2019