Are you actually using AXFR to something on pipebackend? If not, why not just send FAIL when you get one? I can't imagine this being performance issue as it's clearly identifiable. It's hardly worth the trouble you are going thru now.
Aki Tuomi On Fri, Oct 11, 2013 at 09:32:27AM -0700, Brendan Oakley wrote: > Hi Marcin, > > Depending on your application, the allow-axfr-ips option might be useful to > fence this off. > > Brendan > > > On Fri, Oct 11, 2013 at 7:08 AM, Marcin Deranek > <[email protected]>wrote: > > > Hi, > > > > So far we've been using PowerDNS solely for dynamic DNS resolution > > using PipeBackend only, so we had "disable-axfr=yes" in PowerDNS > > configuration as there was no need to provide zone transfers. > > Currently I'm trying to add static DNS resolution to the very same > > instance (using Bind backend) which requires enabling zone transfers, > > but I struggle to disable them only for PipeBackend while enabling them > > for Bind backend. > > > > So far the "cleanest" approach (or the most compatible with > > "disable-axfr=yes" setting we had before) I came up with is to return > > nothing on AXFR or SOA query when remote-ip-address=='0.0.0.0' (this is > > SOA query which precedes AXFR). > > Filtering out query type in pipe-regex has the problem with SOA query > > which precedes AXFR especially when you want to support SOA queries. > > Does anybody has a better idea ? > > Thanx in advance. > > > > Marcin Deranek > > > > _______________________________________________ > > Pdns-users mailing list > > [email protected] > > http://mailman.powerdns.com/mailman/listinfo/pdns-users > > > _______________________________________________ > Pdns-users mailing list > [email protected] > http://mailman.powerdns.com/mailman/listinfo/pdns-users
signature.asc
Description: Digital signature
_______________________________________________ Pdns-users mailing list [email protected] http://mailman.powerdns.com/mailman/listinfo/pdns-users
