Commit - freeipa - bbe2472324c140a22aad6d272733fc6d434782ef

    Prevents DNS Amplification Attack and allow to customize named
    
    While [1] did open recursion, it also opened widely a security flaw.
    
    This patch intends to close it back, while allowing operators to easily
    add their open configuration within Bind9.
    
    In order to allow operators to still open Bind recursion, a new file is
    introduced, "ipa-ext.conf" (path might change according to the OS). This
    file is not managed by the installer, meaning changes to it won't be
    overridden.
    Since it's included at the very end of the main configuration file, it
    also allows to override some defaults - of course, operators have to be
    careful with that.
    
    Related-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1754530
    Fixes: https://pagure.io/freeipa/issue/8079
    
    [1] https://github.com/freeipa/freeipa/commit/5f4c75eb28b3d50a35fbf3a86a6d842bce8e72f9
    
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Stanislav Levin <slev@altlinux.org>

freeipa.spec.in

file modified

+2 -0

install/share/Makefile.am

file modified

+1 -0

install/share/bind.ipa-ext.conf

file added

+15

install/share/bind.named.conf.template

file modified

+9 -2

ipaplatform/base/paths.py

file modified

+2 -0

ipaplatform/debian/paths.py

file modified

+1 -0

ipaserver/install/bindinstance.py

file modified

+25 -0

ipaserver/install/ipa_backup.py

file modified

+1 -0

ipaserver/install/server/upgrade.py

file modified

+30 -0

freeipa

Source Code

bbe2472 Prevents DNS Amplification Attack and allow to customize named

9 files Authored by cjeanner 4 years ago, Committed by abbra 4 years ago,

`bbe2472` Prevents DNS Amplification Attack and allow to customize named