nixos/bind: Fix cacheNetworks option

services.bind.cacheNetworks should only apply to recursive queryies, as per the option documentation: > Note that this is for recursive queries – all networks are allowed to > query zones configured with the zones option by default [...]. This would correspond to the `allow-query-cache` option in named.conf, as per the BIND docs[1]: > Specifies which hosts (an IP address list) can access this server’s > cache and thus effectively controls recursion. And not `allow-query`, which restricts all requests (including requests where the server has authority) [2]: > Specifies which hosts (an IP address list) are allowed to send queries > to this resolver. > [...] > Note: > `allow-query-cache` is used to specify access to the cache. [1]: https://bind9.readthedocs.io/en/v9.20.0/reference.html#namedconf-statement-allow-query-cache [2]: https://bind9.readthedocs.io/en/v9.20.0/reference.html#namedconf-statement-allow-query
2024-11-25 08:23:09 +00:00 · 2024-08-19 16:07:59 +02:00 · 2024-08-19 16:07:59 +02:00 · 26fbd1adbe
commit 26fbd1adbe
parent f17c1d575a
2 changed files with 4 additions and 5 deletions
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@ -900,7 +900,9 @@

 - `freecad` now supports addons and custom configuration in nix-way, which can be used by calling `freecad.customize`.

-## Detailed Migration Information {#sec-release-24.11-migration}
+- `bind.cacheNetworks` now only controls access for recursive queries, where it previously controlled access for all queries.
+
+## Detailed migration information {#sec-release-24.11-migration}

 ### `sound` options removal {#sec-release-24.11-migration-sound}

--- a/nixos/modules/services/networking/bind.nix
+++ b/nixos/modules/services/networking/bind.nix
@ -38,9 +38,6 @@ let
        description = ''
          List of address ranges allowed to query this zone. Instead of the address(es), this may instead
          contain the single string "any".
-
-          NOTE: This overrides the global-level `allow-query` setting, which is set to the contents
-          of `cachenetworks`.
        '';
        default = [ "any" ];
      };
@ -65,7 +62,7 @@ let
      options {
        listen-on { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOn} };
        listen-on-v6 { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOnIpv6} };
-        allow-query { cachenetworks; };
+        allow-query-cache { cachenetworks; };
        blackhole { badnetworks; };
        forward ${cfg.forward};
        forwarders { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.forwarders} };