nixos/bind: Fix cacheNetworks option

[TobTobXX]

Description of changes

services.bind.cacheNetworks should only apply to recursive queryies, as per the option documentation:

Note that this is for recursive queries – all networks are allowed to
query zones configured with the zones option by default [...].

This would correspond to the allow-query-cache option in named.conf, as per the BIND docs1:

Specifies which hosts (an IP address list) can access this server’s
cache and thus effectively controls recursion.

And not allow-query, which restricts all requests (including requests where the server has authority) 2:

Specifies which hosts (an IP address list) are allowed to send queries
to this resolver.
[...]
Note:
allow-query-cache is used to specify access to the cache.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[TobTobXX]

• There's nixos/test/bind.nix and I don't know how to run it.
• Is this breaking in some way? It should only bring it close to what the docs said it should do.

[Zocker1999NET]

I agree with you that allow-query-cache is the better option considering the description of cacheNetworks. Through, it might be that some users are relying on allow-query to be defined by cacheNetworks, so I would add a release note nonetheless.

Also, I catched that the services.bind.zones.<name>.allowQuery option’s description explains that allow-query is set by cacheNetworks, so I think this description should be adapted as well (IMO that additional note probably can be removed).

• There's nixos/test/bind.nix and I don't know how to run it.

Just in case you haven’t figured it out yet: with your branch checked out, from the nixpkgs root, run: nix-build -A nixosTests.bind or nix build .#nixosTests.bind (with flakes enabled).

On the current commit 8f16ef25cb2ee37cb1018e6cddaab82d93868858 I ran following tests, which were all successful:

• .acme
  • over two imports, this does import the file https://github.com/NixOS/nixpkgs/blob/8f16ef25cb2ee37cb1018e6cddaab82d93868858/nixos/tests/common/resolver.nix which uses the cacheNetworks setting
• .bind
  • but that does not use the cacheNetworks setting

[TobTobXX]

I'll implement your recommendations soon. It took me quite some time just to rebase the PR and I ran out of time for this week. Thank you for your great review though.

[TobTobXX]

Ok nevermind, I could implement the changes just now.

• Add changelog entry
• Run tests

The PR is now ready for review again.

[Zocker1999NET]

LGTM with changing the doc & adding that short release note

[TobTobXX]

Rebased again. @peti is there something blocking this?

[peti]

👍, looks good to me.

[TobTobXX]

I just rebased this for the I-dont-know-how-many-th time.

• How should I write the changelog line so that there are no merge conflicts? Is there a styleguide I missed?
• Whom do I need to ping to get this finally merged?