Revert recursion/cache back to "trusted"

Revert recursion/cache back to "trusted"
Also restrict zone transfers to "trusted"

Change-Id: I172eb8c5e0f9cca1d977878b87c3d0467c33a8a7
Mosher, Jaymes (jm616v) 2024-03-28 15:44:08 -06:00
parent d00ea5f796
commit 9c361ef2e5
8 changed files with 48 additions and 72 deletions


@ -1,15 +1,9 @@
diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
index d76fcfa9a..d198e90b9 100644 index d76fcfa9a..0cca0fe8d 100644
--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template --- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template +++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
@@ -13,8 +13,8 @@ empty-zones-enable no; @@ -18,3 +18,4 @@ allow-recursion { trusted; };
allow-query { any; }; {{if not upstream_allow_query_cache}}
{{endif}} allow-query-cache { trusted; };
{{if not upstream_allow_recursion}} {{endif}}
-allow-recursion { trusted; }; +allow-transfer { trusted; };
+allow-recursion { any; };
{{endif}}
{{if not upstream_allow_query_cache}}
-allow-query-cache { trusted; };
+allow-query-cache { any; };
{{endif}}
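Review bot: The added `allow-transfer { trusted; };` lands in named.conf.options after the closing `{{endif}}`, so it is only the options-level default; a zone-level `allow-transfer` in any generated zone stanza overrides it, and that should be confirmed against the zone templates or the restriction is silently bypassed for those zones. Unlike recursion and query-cache it is not gated by an `upstream_allow_*` template flag, which is fine for the revert but leaves no knob for a deployment that needs a non-trusted secondary to pull zones; a template comment on the new line such as `// zone transfers are limited to the trusted ACL; no upstream override is provided` would record that intent. From the visible index and hunk lines the rack and region patch files for each MAAS version appear byte-identical, so one patch per version could serve both images. The same hunk appears in the 2.8 rack and the 3.0/2.8 region patch sections below; a CI check that an AXFR from a non-trusted source address against the built image is REFUSED would pin the behaviour this commit is reverting to.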


@ -62,14 +62,14 @@ COPY 3.0_secure_headers.patch /tmp/3.0_secure_headers.patch
COPY 3.0_ipmi_error.patch /tmp/3.0_ipmi_error.patch COPY 3.0_ipmi_error.patch /tmp/3.0_ipmi_error.patch
# Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC # Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC
COPY 3.0_redfish_retries.patch /tmp/3.0_redfish_retries.patch COPY 3.0_redfish_retries.patch /tmp/3.0_redfish_retries.patch
# Patch to allow any recursion and cache queries # Patch to restrict access to zone transfers
COPY 3.0_allow_query.patch /tmp/3.0_allow_query.patch COPY 3.0_transfer_trusted_only.patch /tmp/3.0_transfer_trusted_only.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/3.0_nic_filter.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/3.0_nic_filter.patch
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/3.0_ipmi_error.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/3.0_ipmi_error.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/3.0_redfish_retries.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/3.0_redfish_retries.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_allow_query.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_transfer_trusted_only.patch
# echo journalctl logs to the container's stdout # echo journalctl logs to the container's stdout
COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service
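Review bot: The new `RUN cd … && patch named.conf.options.inside.maas.template < /tmp/3.0_transfer_trusted_only.patch` line keeps the `cd &&` idiom hadolint flags (DL3003); `patch -d` does the same without the shell cd: `RUN patch -d /usr/lib/python3/dist-packages/provisioningserver/templates/dns named.conf.options.inside.maas.template < /tmp/3.0_transfer_trusted_only.patch`. The patch file COPYed into /tmp is never removed and lives in its own layer, so it persists in the shipped image; if the build runs under BuildKit, a `RUN --mount=type=bind,source=3.0_transfer_trusted_only.patch,target=/tmp/3.0_transfer_trusted_only.patch …` keeps it out of every layer, whereas an `rm` in a later RUN would not. Nothing in the hunk verifies the template actually ends up with the transfer restriction — patch(1) exits non-zero on a rejected hunk, but a fuzz-applied hunk can land in the wrong place — so a `grep -q 'allow-transfer { trusted; };' named.conf.options.inside.maas.template` chained after the patch makes the intent explicit and fails the build otherwise. The same points apply to the 2.8 rack and the 3.0/2.8 region Dockerfile sections below.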


@ -1,15 +1,9 @@
diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
index d76fcfa9a..d198e90b9 100644 index ba1aee316..6eda771b0 100644
--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template --- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template +++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
@@ -13,8 +13,8 @@ empty-zones-enable no; @@ -18,3 +18,4 @@ allow-recursion { trusted; };
allow-query { any; }; {{if not upstream_allow_query_cache}}
{{endif}} allow-query-cache { trusted; };
{{if not upstream_allow_recursion}} {{endif}}
-allow-recursion { trusted; }; +allow-transfer { trusted; };
+allow-recursion { any; };
{{endif}}
{{if not upstream_allow_query_cache}}
-allow-query-cache { trusted; };
+allow-query-cache { any; };
{{endif}}


@ -61,14 +61,14 @@ COPY 2.8_secure_headers.patch /tmp/2.8_secure_headers.patch
COPY 2.8_ipmi_error.patch /tmp/2.8_ipmi_error.patch COPY 2.8_ipmi_error.patch /tmp/2.8_ipmi_error.patch
# Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC # Patch to space redfish request retries apart a bit, to avoid overwhelming the BMC
COPY 2.8_redfish_retries.patch /tmp/2.8_redfish_retries.patch COPY 2.8_redfish_retries.patch /tmp/2.8_redfish_retries.patch
# Patch to allow any recursion and cache queries # Patch to restrict access to zone transfers
COPY 2.8_allow_query.patch /tmp/2.8_allow_query.patch COPY 2.8_transfer_trusted_only.patch /tmp/2.8_transfer_trusted_only.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/2.8_nic_filter.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/utils && patch network.py < /tmp/2.8_nic_filter.patch
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/2.8_secure_headers.patch RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/2.8_secure_headers.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/2.8_ipmi_error.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch ipmi.py < /tmp/2.8_ipmi_error.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/2.8_redfish_retries.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/drivers/power && patch redfish.py < /tmp/2.8_redfish_retries.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/2.8_allow_query.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/2.8_transfer_trusted_only.patch
# echo journalctl logs to the container's stdout # echo journalctl logs to the container's stdout
COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service COPY scripts/journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service


@ -1,15 +1,9 @@
diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
index ba1aee316..ab5766210 100644 index d76fcfa9a..0cca0fe8d 100644
--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template --- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template +++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
@@ -13,8 +13,8 @@ dnssec-validation {{dnssec_validation}}; @@ -18,3 +18,4 @@ allow-recursion { trusted; };
allow-query { any; }; {{if not upstream_allow_query_cache}}
{{endif}} allow-query-cache { trusted; };
{{if not upstream_allow_recursion}} {{endif}}
-allow-recursion { trusted; }; +allow-transfer { trusted; };
+allow-recursion { any; };
{{endif}}
{{if not upstream_allow_query_cache}}
-allow-query-cache { trusted; };
+allow-query-cache { any; };
{{endif}}


@ -65,8 +65,8 @@ COPY 3.0_region_secret_rotate.patch /tmp/3.0_region_secret_rotate.patch
COPY 3.0_partitiontable_does_not_exist.patch /tmp/3.0_partitiontable_does_not_exist.patch COPY 3.0_partitiontable_does_not_exist.patch /tmp/3.0_partitiontable_does_not_exist.patch
# Allow tags with '/' symbols # Allow tags with '/' symbols
COPY 3.0_regex_tags.patch /tmp/3.0_regex_tags.patch COPY 3.0_regex_tags.patch /tmp/3.0_regex_tags.patch
# Patch to allow any recursion and cache queries # Patch to restrict access to zone transfers
COPY 3.0_allow_query.patch /tmp/3.0_allow_query.patch COPY 3.0_transfer_trusted_only.patch /tmp/3.0_transfer_trusted_only.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/3.0_route.patch RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/3.0_route.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/3.0_kernel_package.patch RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/3.0_kernel_package.patch
@ -77,7 +77,7 @@ RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patc
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/3.0_secure_headers.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/3.0_partitiontable_does_not_exist.patch RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/3.0_partitiontable_does_not_exist.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch ownerdata.py < /tmp/3.0_regex_tags.patch RUN cd /usr/lib/python3/dist-packages/maasserver/models && patch ownerdata.py < /tmp/3.0_regex_tags.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_allow_query.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/3.0_transfer_trusted_only.patch
# echo journalctl logs to the container's stdout # echo journalctl logs to the container's stdout
COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service


@ -1,15 +1,9 @@
diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template diff --git a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
index ba1aee316..ab5766210 100644 index ba1aee316..6eda771b0 100644
--- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template --- a/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
+++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template +++ b/src/provisioningserver/templates/dns/named.conf.options.inside.maas.template
@@ -13,8 +13,8 @@ dnssec-validation {{dnssec_validation}}; @@ -18,3 +18,4 @@ allow-recursion { trusted; };
allow-query { any; }; {{if not upstream_allow_query_cache}}
{{endif}} allow-query-cache { trusted; };
{{if not upstream_allow_recursion}} {{endif}}
-allow-recursion { trusted; }; +allow-transfer { trusted; };
+allow-recursion { any; };
{{endif}}
{{if not upstream_allow_query_cache}}
-allow-query-cache { trusted; };
+allow-query-cache { any; };
{{endif}}


@ -64,8 +64,8 @@ COPY 2.8_region_secret_rotate.patch /tmp/2.8_region_secret_rotate.patch
COPY 2.8_partitiontable_does_not_exist.patch /tmp/2.8_partitiontable_does_not_exist.patch COPY 2.8_partitiontable_does_not_exist.patch /tmp/2.8_partitiontable_does_not_exist.patch
# Avoid enlistment failures due to exceptions during moonshot detect attempts # Avoid enlistment failures due to exceptions during moonshot detect attempts
COPY 2.8_maas_ipmi_autodetect_tool.patch /tmp/2.8_maas_ipmi_autodetect_tool.patch COPY 2.8_maas_ipmi_autodetect_tool.patch /tmp/2.8_maas_ipmi_autodetect_tool.patch
# Patch to allow any recursion and cache queries # Patch to restrict access to zone transfers
COPY 2.8_allow_query.patch /tmp/2.8_allow_query.patch COPY 2.8_transfer_trusted_only.patch /tmp/2.8_transfer_trusted_only.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/2.8_route.patch RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed_network.py < /tmp/2.8_route.patch
RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/2.8_kernel_package.patch RUN cd /usr/lib/python3/dist-packages/maasserver && patch preseed.py < /tmp/2.8_kernel_package.patch
@ -76,7 +76,7 @@ RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/proxy && patc
RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/2.8_secure_headers.patch RUN cd /usr/lib/python3/dist-packages/twisted/web && patch server.py < /tmp/2.8_secure_headers.patch
RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/2.8_partitiontable_does_not_exist.patch RUN cd /usr/lib/python3/dist-packages/maasserver/api && patch partitions.py < /tmp/2.8_partitiontable_does_not_exist.patch
RUN cd /usr/lib/python3/dist-packages/metadataserver/user_data/templates/snippets/ && patch maas_ipmi_autodetect_tool.py < /tmp/2.8_maas_ipmi_autodetect_tool.patch RUN cd /usr/lib/python3/dist-packages/metadataserver/user_data/templates/snippets/ && patch maas_ipmi_autodetect_tool.py < /tmp/2.8_maas_ipmi_autodetect_tool.patch
RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/2.8_allow_query.patch RUN cd /usr/lib/python3/dist-packages/provisioningserver/templates/dns && patch named.conf.options.inside.maas.template < /tmp/2.8_transfer_trusted_only.patch
# echo journalctl logs to the container's stdout # echo journalctl logs to the container's stdout
COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service COPY journalctl-to-tty.service /etc/systemd/system/journalctl-to-tty.service