PowerDNS DNSUPDATE policy script
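-- Policy control for DNS UPDATE, with the policy derived from the TSIG key name.
-- "keyname.owner.domain" is allowed to edit domain (including subdomains).
-- A key whose name starts with "acme." may only add and remove
-- _acme-challenge TXT records under the domain.
-- Assumes that the key name can't be faked: this hook is expected to run only
-- for requests whose TSIG signature verified against a configured key (confirm
-- against the PowerDNS dnsupdate docs for your version), so the name is as
-- trustworthy as the key secret.

--- Decide whether a single DNS UPDATE record is allowed.
-- PowerDNS invokes this hook per update record (verify the exact calling
-- convention for your version); the return value is the verdict for that record.
-- @param request the PowerDNS update request object (getTsigName, getZoneName,
--   getQName, getQType)
-- @return boolean true to accept the record, false to refuse it
function updatepolicy(request)
  local tsig = request:getTsigName()
  local zone = request:getZoneName()
  local qname = request:getQName():toString()
  -- DNS names compare case-insensitively, but Lua patterns do not: lowercase
  -- before the prefix match below so a mixed-case "ACME." key name cannot slip
  -- past the restricted branch and reach the unrestricted one.
  local tsig_name = tsig:toString():lower()

  pdnslog("updatepolicy: tsig "..tsig:toString().." wants to update "..qname.." in "..zone:toString(), pdns.loglevels.Info)

  -- A key is only authorised for the zone its own name sits under.
  if not tsig:isPartOf(zone) then
    pdnslog("updatepolicy: tsig "..tsig:toString().." is not part of "..zone:toString()..", UNACCEPTABLE!", pdns.loglevels.Info)
    return false
  end

  -- Restricted key: "acme.<domain>" may only touch _acme-challenge.* names,
  -- and only the TXT type. ANY is also accepted because in an UPDATE it is the
  -- RFC 2136 "delete all RRsets from a name" form used for cleanup; note this
  -- also removes any non-TXT records that happen to live at that name.
  if tsig_name:match("^acme%.") then
    if string.match(qname:lower(), "^_acme%-challenge%.") then
      local qtype = request:getQType()
      local allowed = qtype == pdns.TXT or qtype == pdns.ANY
      if not allowed then
        pdnslog("updatepolicy: acme key "..tsig:toString().." may not use qtype "..tostring(qtype).." on "..qname..", REFUSED", pdns.loglevels.Info)
      end
      return allowed
    end
    -- Log refusals too, so misuse of the ACME key is visible in the server log.
    pdnslog("updatepolicy: acme key "..tsig:toString().." may not act on "..qname..", REFUSED", pdns.loglevels.Info)
    return false
  end

  pdnslog("updatepolicy: "..tsig:toString().." acting on "..qname, pdns.loglevels.Info)
  return true
end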