From fd480f55df0647f8739546ffa9fa780ce17f0a91 Mon Sep 17 00:00:00 2001 From: rnhmjoj Date: Wed, 13 Apr 2022 17:40:11 +0200 Subject: [PATCH 1/3] nixos/pdns-recursor: update default values 1. Update the default values of several addresses-related settings that have been changed by upstream. 2. Make `dns.address` take multiple addresses. This is needed for dual stack, now working by default. --- .../services/networking/pdns-recursor.nix | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/nixos/modules/services/networking/pdns-recursor.nix b/nixos/modules/services/networking/pdns-recursor.nix index 0579d314a9b..a986f83141c 100644 --- a/nixos/modules/services/networking/pdns-recursor.nix +++ b/nixos/modules/services/networking/pdns-recursor.nix @@ -30,10 +30,10 @@ in { enable = mkEnableOption "PowerDNS Recursor, a recursive DNS server"; dns.address = mkOption { - type = types.str; - default = "0.0.0.0"; + type = oneOrMore types.str; + default = [ "::" "0.0.0.0" ]; description = '' - IP address Recursor DNS server will bind to. + IP addresses Recursor DNS server will bind to. ''; }; @@ -47,8 +47,12 @@ in { dns.allowFrom = mkOption { type = types.listOf types.str; - default = [ "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" ]; - example = [ "0.0.0.0/0" ]; + default = [ + "127.0.0.0/8" "10.0.0.0/8" "100.64.0.0/10" + "169.254.0.0/16" "192.168.0.0/16" "172.16.0.0/12" + "::1/128" "fc00::/7" "fe80::/10" + ]; + example = [ "0.0.0.0/0" "::/0" ]; description = '' IP address ranges of clients allowed to make DNS queries. ''; @@ -72,7 +76,8 @@ in { api.allowFrom = mkOption { type = types.listOf types.str; - default = [ "0.0.0.0/0" ]; + default = [ "127.0.0.1" "::1" ]; + example = [ "0.0.0.0/0" "::/0" ]; description = '' IP address ranges of clients allowed to make API requests. ''; 
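Review bot: The dns.address description in the first hunk was only pluralised, while the option now accepts either one string or a list (via the `oneOrMore` helper, which is not defined in this hunk and presumably lives in the module's let block) and its new default binds the wildcard address of both families, so the docs no longer tell a reader that the resolver listens on every interface and that dns.allowFrom is the only thing limiting who gets answered. I would replace the description with `A single IP address or a list of IP addresses the Recursor DNS server will bind to. The default binds all interfaces of both families; restrict clients with dns.allowFrom.`. Any other expression reading `config.services.pdns-recursor.dns.address` as a plain string would now receive a list by default; whether such a consumer exists is not visible from this series. The api.allowFrom hunk later on this line has the same gap: its description still says "ranges" while the new default lists bare hosts, so a sentence such as `Plain addresses and CIDR ranges are accepted; the default restricts the API to the local host.` would make the tightened default explicit to upgraders.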
@@ -96,7 +101,7 @@ in { forwardZonesRecurse = mkOption { type = types.attrs; - example = { eth = "127.0.0.1:5353"; }; + example = { eth = "[::1]:5353"; }; default = {}; description = '' DNS zones to be forwarded to other recursive servers. From fe27976534472b042d41f7b30c0aa0af6e8a7444 Mon Sep 17 00:00:00 2001 From: rnhmjoj Date: Wed, 13 Apr 2022 17:48:53 +0200 Subject: [PATCH 2/3] nixos/tests/pdns-recursor: test a DNS query --- nixos/tests/pdns-recursor.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/nixos/tests/pdns-recursor.nix b/nixos/tests/pdns-recursor.nix index de1b60e0b1c..cf473a06431 100644 --- a/nixos/tests/pdns-recursor.nix +++ b/nixos/tests/pdns-recursor.nix @@ -1,12 +1,15 @@ import ./make-test-python.nix ({ pkgs, ... }: { - name = "powerdns"; + name = "powerdns-recursor"; nodes.server = { ... }: { services.pdns-recursor.enable = true; + services.pdns-recursor.exportHosts= true; + networking.hosts."192.0.2.1" = [ "example.com" ]; }; testScript = '' server.wait_for_unit("pdns-recursor") server.wait_for_open_port("53") + assert "192.0.2.1" in server.succeed("host example.com localhost") ''; }) From bad701b1d3f28345cfeef0c3950a5d5b7bd06a1f Mon Sep 17 00:00:00 2001 From: rnhmjoj Date: Wed, 13 Apr 2022 23:20:39 +0200 Subject: [PATCH 3/3] doc/release-notes: mention pdns-recursor options changes --- .../from_md/release-notes/rl-2205.section.xml | 25 +++++++++++++++++++ .../manual/release-notes/rl-2205.section.md | 6 +++++ 2 files changed, 31 insertions(+) diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index ce257b4c072..e5e03ace094 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml 
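Review bot: The new assertion in nixos/tests/pdns-recursor.nix queries `localhost`, so whether the answer travels over 127.0.0.1 or ::1 depends on the VM's resolver ordering, and the dual-stack default introduced in the first patch is only half exercised; querying both loopback addresses explicitly pins it: `assert "192.0.2.1" in server.succeed("host example.com 127.0.0.1")` and `assert "192.0.2.1" in server.succeed("host example.com ::1")`. `services.pdns-recursor.exportHosts= true;` is also missing the space before `=` that the neighbouring lines use. The `exportHosts` option and the `host` tool are assumed to be provided by the module and the test image respectively, since neither is introduced anywhere in this series.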
@@ -479,6 +479,31 @@ relying on the insecure behaviour before upgrading. + + + In the PowerDNS Recursor module + (services.pdns-recursor), default values of + several IP address-related NixOS options have been updated to + match the default upstream behavior. In particular, Recursor + by default will: + + + + + listen on (and allows connections from) both IPv4 and IPv6 + addresses + (services.pdns-recursor.dns.address, + services.pdns-recursor.dns.allowFrom); + + + + + allow only local connections to the REST API server + (services.pdns-recursor.api.allowFrom). + + + + openssh has been update to 8.9p1, changing diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 408d77526a7..0a4b43db8fa 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md 
@@ -154,6 +154,12 @@ In addition to numerous new and upgraded packages, this release has the followin - `services.kubernetes.scheduler.{port,address}` now set `--secure-port` and `--bind-address` instead of `--port` and `--address`, since the former have been deprecated and are no longer functional in kubernetes>=1.23. Ensure that you are not relying on the insecure behaviour before upgrading. +- In the PowerDNS Recursor module (`services.pdns-recursor`), default values of several IP address-related NixOS options have been updated to match the default upstream behavior. + In particular, Recursor by default will: + - listen on (and allows connections from) both IPv4 and IPv6 addresses + (`services.pdns-recursor.dns.address`, `services.pdns-recursor.dns.allowFrom`); + - allow only local connections to the REST API server (`services.pdns-recursor.api.allowFrom`). + - `openssh` has been update to 8.9p1, changing the FIDO security key middleware interface. - `services.k3s.enable` no longer implies `systemd.enableUnifiedCgroupHierarchy = false`, and will default to the 'systemd' cgroup driver when using `services.k3s.docker = true`.