author: cinap_lenrek <cinap_lenrek@felloff.net> 2018-10-09 06:02:36 +0200
committer: cinap_lenrek <cinap_lenrek@felloff.net> 2018-10-09 06:02:36 +0200
commit: 7ddda493c0c5370902148e20c579dd2d213f0a69
tree: 6224ecb33675e65159aa600b1a95d3de9c1334f9 /sys/man/8
parent: 679a253931804caf4de436c5cdab8d34f178d779
ndb/dnstcp: restrict DNS zone transfers to clients listed as dnsslave=
initial idea from Steve Simon, but doesn't require reverse lookup of the caller's ip address.
Diffstat (limited to 'sys/man/8')
-rw-r--r-- sys/man/8/ndb 8
1 files changed, 7 insertions, 1 deletions
diff --git a/sys/man/8/ndb b/sys/man/8/ndb
index c80e13f19..af4df056d 100644
--- a/sys/man/8/ndb
+++ b/sys/man/8/ndb
@@ -77,7 +77,7 @@ query, ipquery, mkhash, mkdb, mkhosts, cs, csquery, dns, dnstcp, dnsquery, dnsde
.br
.B ndb/dnstcp
[
-.B -rR
+.B -arR
] [
.B -f
.I dbfile
@@ -664,6 +664,12 @@ Recursion is disabled by
.BR -R ;
acting as a pure resolver is enabled by
.BR -r .
+Unless the
+.B -a
+flag is provided, clients requesting DNS zone transfer must be listed
+with a
+.B dnsslave
+attribute for the relevant domain.
If
.I conn-dir
is provided, it is assumed to be a directory within
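Review bot: The added paragraph after the `-r` sentence does not say what a `dnsslave` value must contain or how it is compared with the requesting client. The commit message notes that no reverse lookup of the caller's IP address is required, but the man text leaves the reader to guess whether a host name or an address belongs in the attribute; state the expected form explicitly and say what an unlisted client receives when its transfer is refused. The text should also make clear that this changes the default: without `-a`, any secondary that is not yet listed with `dnsslave` for the domain will stop getting zone transfers, so describe `-a` as the switch that restores unrestricted transfers.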