3636. [bug] Automatic empty zones now behave better with

                        forward only "zones" beneath them. [RT #34583]

(cherry picked from commit 997c2c5116927bab77284c24c3bd0d7f646da5ee)

diff --git a/CHANGES b/CHANGES
index 76c8f7f66d7fc7b2af8f4d4eb380dca83f74545c..a7a8d8e72433155390d9e9bd306ad191ba14ae47 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3637.  [bug]           'allow-query-on' was checking the source address
+                       rather than the destination address. [RT #34590]
+
 3636.  [bug]           Automatic empty zones now behave better with
                        forward only "zones" beneath them. [RT #34583]
 

diff --git a/bin/named/query.c b/bin/named/query.c
index 973219a150f704e5db1c3fa346d047fc41a6b2a5..ce355b05cf166f9faf49083f05f25ed0172a1a44 100644 (file)
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -773,7 +773,7 @@ query_validatezonedb(ns_client_t *client, dns_name_t *name,
                if (queryonacl == NULL)
                        queryonacl = client->view->queryonacl;
 
-               result = ns_client_checkaclsilent(client, NULL,
+               result = ns_client_checkaclsilent(client, &client->destaddr,
                                                  queryonacl, ISC_TRUE);
                if ((options & DNS_GETDB_NOLOG) == 0 &&
                    result != ISC_R_SUCCESS)

diff --git a/bin/tests/system/acl/ns2/named5.conf b/bin/tests/system/acl/ns2/named5.conf
new file mode 100644 (file)
index 0000000..09e81cb
--- /dev/null
+++ b/bin/tests/system/acl/ns2/named5.conf
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named1.conf,v 1.2 2008/01/10 01:10:01 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+       query-source address 10.53.0.2;
+       notify-source 10.53.0.2;
+       transfer-source 10.53.0.2;
+       port 5300;
+       pid-file "named.pid";
+       listen-on { 10.53.0.2; };
+       listen-on-v6 { none; };
+       recursion no;
+       notify yes;
+       ixfr-from-differences yes;
+       check-integrity no;
+       allow-query-on { 10.53.0.2; };
+};
+
+include "../../common/controls.conf";
+
+key one {
+        algorithm hmac-md5;
+        secret "1234abcd8765";
+};
+
+key two {
+        algorithm hmac-md5;
+        secret "1234abcd8765";
+};
+
+zone "." {
+       type hint;
+       file "../../common/root.hint";
+};
+
+zone "example" {
+       type master;
+       file "example.db";
+};
+
+zone "tsigzone" {
+       type master;
+       file "tsigzone.db";
+        allow-transfer { !key one; any; };
+};

diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
index f74a5544ebafdff36c140bec632133c55e3dc2c5..82625678af31097e8e467c78be985ece2b3b10a8 100644 (file)
--- a/bin/tests/system/acl/tests.sh
+++ b/bin/tests/system/acl/tests.sh
@@ -140,5 +140,14 @@ $DIG $DIGOPTS tsigzone. \
        @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 -p 5300 > dig.out
 grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
 
+echo "I:testing allow-query-on ACL processing"
+cp -f ns2/named5.conf ns2/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
+sleep 5
+t=`expr $t + 1`
+$DIG +tcp soa example. \
+       @10.53.0.2 -b 10.53.0.3 -p 5300 > dig.out
+grep "status: NOERROR" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
+
 echo "I:exit status: $status"
 exit $status