author: Jan Hák <jan.hak@nic.cz>, 2024-09-24 14:11:59 +0200
committer: Daniel Salzman <daniel.salzman@nic.cz>, 2024-09-27 12:41:36 +0200
commit: 6055b7c9f659df05ace330fa3b03a063c9d7da82
tree: a5530d44c17d6a690122b073b04ba4cb4a626d79 /doc
parent: Merge branch 'ctl_uni'
download: knot-6055b7c9f659df05ace330fa3b03a063c9d7da82.tar.xz, knot-6055b7c9f659df05ace330fa3b03a063c9d7da82.zip
acl: add protocol option to the configuration
Diffstat (limited to 'doc')
doc/configuration.rst | 7
doc/reference.rst | 25
2 files changed, 25 insertions, 7 deletions
diff --git a/doc/configuration.rst b/doc/configuration.rst index 982031bb7..9d27e4bb9 100644 --- a/doc/configuration.rst +++ b/doc/configuration.rst @@ -96,9 +96,10 @@ what requests are authorized. An :ref:`automatic ACL <server_automatic-acl>` feature can be used to simplify ACL management. Every ACL rule can allow or deny one or more request types (:ref:`actions <acl_action>`) -based on the source IP address, network subnet, or address range and/or if the -request is secured by a given TSIG key. See :doc:`keymgr -t<man_keymgr>` on how -to generate a TSIG key. +based on the source IP address, network subnet, address range, protocol, +remote certificate key PIN and/or +if the request is secured by a given TSIG key. See :doc:`keymgr -t<man_keymgr>` +on how to generate a TSIG key. If there are multiple ACL rules assigned to a zone, they are applied in the specified order of the :ref:`zone_acl` configuration. The first rule that matches diff --git a/doc/reference.rst b/doc/reference.rst index ffe654d54..beea979d5 100644 --- a/doc/reference.rst +++ b/doc/reference.rst @@ -1640,8 +1640,8 @@ An ordered list of :ref:`references<remote_id>` to remote server definitions. Access control list rule definitions. An ACL rule is a description of one or more authorized actions (zone transfer request, zone change notification, -and dynamic DNS update) which are allowed to be processed or denied. Normal -DNS queries are always allowed. +and dynamic DNS update) which are allowed to be processed or denied. Queries +which don't require authorization are always allowed. :: @@ -1652,6 +1652,7 @@ DNS queries are always allowed. cert-key: BASE64 ... remote: remote_id | remotes_id ... action: query | notify | transfer | update ... + protocol: udp | tcp | tls | quic ... deny: BOOL update-type: STR ... update-owner: key | zone | name 
@@ -1714,8 +1715,8 @@ match one of the remotes. Specifically, one of the remote's addresses and remote TSIG key if configured must match. .. NOTE:: - This option cannot be specified along with the :ref:`acl_address` or - :ref:`acl_key` option at one ACL item. + This option cannot be specified along with the :ref:`acl_address`, + :ref:`acl_key`, or :ref:`acl_protocol` option at one ACL item. *Default:* not set @@ -1736,6 +1737,22 @@ Possible values: *Default:* ``query`` +.. _acl_protocol: + +protocol +-------- + +List of allowed protocols. + +Possible values: + +- ``udp`` – UDP protocol. +- ``tcp`` – TCP protocol. +- ``tls`` – TLS protocol. +- ``quic`` – QUIC protocol. + +*Default:* not set (any) + .. _acl_deny: deny |
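Review bot: in the reworded ACL introduction in doc/configuration.rst, the new clause "address range, protocol, remote certificate key PIN and/or / if the request is secured by a given TSIG key" mixes a noun list with a conditional clause and breaks the line right after "and/or"; suggest "...address range, protocol, remote certificate key PIN, and/or whether the request is secured by a given TSIG key" and rewrapping so the second line is not left at two words.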
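Review bot: the replacement sentence "Queries which don't require authorization are always allowed." is vaguer than the "Normal DNS queries are always allowed." it replaces: nothing in this paragraph says which queries require authorization, and "query" itself appears in the action list ("action: query | notify | transfer | update") a few lines below, so a reader cannot tell from the text which requests an ACL can actually deny. Suggest naming the authorization-requiring cases here or cross-referencing :ref:`acl_action` so the scope of what ACLs can block is explicit.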
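Review bot: the NOTE under "remote" now lists :ref:`acl_protocol` as mutually exclusive with it, but the new "protocol" section added later in this same patch carries no reciprocal NOTE, so someone reading only the protocol section will not learn of the restriction. Suggest adding a matching ".. NOTE::" under protocol, e.g. "This option cannot be specified along with the :ref:`acl_remote` option at one ACL item."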
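Review bot: "List of allowed protocols." does not say how the option takes part in rule matching; state that the rule matches only when the request arrived over one of the listed transports, and say how it combines with "deny: on" (whether a deny rule carrying a protocol list rejects requests over exactly those protocols). Since the list includes the encrypted transports ``tls`` and ``quic``, one sentence noting that an operator who wants an action (for example transfer) accepted only over encrypted transport can list just those two would make the intended use clear; "*Default:* not set (any)" would also read better as "not set (any protocol)".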