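#jinja2: lstrip_blocks: True
-- Based on https://github.com/PowerDNS/pdns/wiki/Lua-Examples-(Authoritative)#updatepolicy-access-control-for-rfc2136-dynamic-updates
--
-- PowerDNS "updatepolicy" hook for RFC 2136 dynamic updates.
-- Returns true only when the update comes from one of our geo mirrors,
-- carries a TSIG name, and targets a TXT record at _acme-challenge.<domain>.
-- for one of the configured geo_domains. Every other update is rejected
-- (fail-closed), and each rejection is logged with its reason.
function updatepolicy(input)
  -- Allow-list of record names, keyed by the fully-qualified name with a
  -- trailing dot, as produced by input:getQName():toString(). The lookup is
  -- an exact string match, so the key spelling must match what PowerDNS
  -- hands us. Declared local so the table does not leak into the global
  -- environment on every call.
  local valid_rrnames = {
    {% for domain in geo_domains %}
    ["_acme-challenge.{{ domain }}."] = true,
    {% endfor %}
  }

  -- only allow updates from our servers (geo mirrors, IPv4 and IPv6)
  -- NOTE(review): a host without an ipv6_address would render as "/128";
  -- the inventory is assumed to always provide both addresses — confirm.
  local mynetworks = newNMG()
  mynetworks:addMasks({
    {% for host in groups['geo_mirrors'] | sort %}
    '{{ hostvars[host]['ipv4_address'] }}/32',
    '{{ hostvars[host]['ipv6_address'] }}/128',
    {% endfor %}
  })

  -- ignore non-authorized networks
  if not mynetworks:match(input:getRemote()) then
    pdnslog("updatepolicy: network check failed from " .. input:getRemote():toString(), pdns.loglevels.Info)
    return false
  end

  -- ignore non-TSIG requests
  -- Only the presence of a TSIG name is checked here, not which key signed
  -- the request; this relies on PowerDNS having already verified the TSIG
  -- signature before invoking this hook — confirm for the deployed version.
  if input:getTsigName():countLabels() == 0 then
    pdnslog("updatepolicy: missing TSIG", pdns.loglevels.Info)
    return false
  end

  -- only accept TXT record updates for _acme-challenge names
  if input:getQType() == pdns.TXT and valid_rrnames[input:getQName():toString()] then
    pdnslog("updatepolicy: query checks successful", pdns.loglevels.Info)
    return true
  end

  pdnslog("updatepolicy: query checks failed", pdns.loglevels.Info)
  return false
end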