process_query: weaken the ACL action for catalog queries to 'query'
authorDaniel Salzman <daniel.salzman@nic.cz>
Thu, 30 Oct 2025 14:43:31 +0000 (15:43 +0100)
committerDaniel Salzman <daniel.salzman@nic.cz>
Thu, 30 Oct 2025 15:08:30 +0000 (16:08 +0100)
doc/configuration.rst
src/knot/nameserver/process_query.c
tests-extra/tests/catalog/basic/test.py

index b9c2aac74be2bd4a0e3abed704d39f58c4c67ba7..81c7ed168bd06728005bd98a5f210f2dff0cd58d 100644 (file)
@@ -633,8 +633,7 @@ It can be configured using all the standard options (but for example
 DNSSEC signing is useless as the zone won't be queried by clients), including primary/secondary configuration
 and ACLs. A catalog zone is indicated by setting the option
 :ref:`zone_catalog-role`. Standard DNS queries to a catalog zone are answered
-with REFUSED as though the zone doesn't exist unless there is a matching ACL
-rule for action transfer configured.
+with NOTAUTH unless there is a matching ACL rule for action at least ``query`` configured.
 The name of the catalog zone is arbitrary. It's possible to configure
 multiple catalog zones.
 
index b8dd17757fffa21f75ea8744435ea3678772dbfe..d82af139331735ce61c106f84a95f90506318fe5 100644 (file)
@@ -500,7 +500,7 @@ static int prepare_answer(knot_pkt_t *query, knot_pkt_t *resp, knot_layer_t *ctx
        /* Allow normal queries to catalog only if allowed by ACL. */
        if (qdata->extra->zone != NULL && qdata->extra->zone->is_catalog_flag &&
            query_type(query) == KNOTD_QUERY_TYPE_NORMAL) {
-               if (!process_query_acl_check(conf(), ACL_ACTION_TRANSFER, qdata)) {
+               if (!process_query_acl_check(conf(), ACL_ACTION_QUERY, qdata)) {
                        qdata->extra->zone = NULL;
                        qdata->extra->contents = NULL;
                }
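Review bot: The comment above the condition still reads "only if allowed by ACL" while the commit changes which action is consulted, and the security consequence of the weakening is not recorded at the place it happens: a client matching a `query` ACL rule can now read catalog zone contents that previously required a `transfer` rule. I would update the comment to `/* Catalog zones are readable by any client matching a 'query' ACL rule (weakened from 'transfer'); otherwise drop the zone so the query is answered as non-authoritative. */`. The doc hunk describes the negative answer as NOTAUTH, but nothing in this hunk sets a response code; if that comes from the existing `zone = NULL` path in code outside the hunk, the comment should say so rather than leave the reader to infer it. prepare_answer begins and continues outside this hunk.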
index 5169239c007fa4552f4954307630662dd7ff30f7..7a422f056dfc6ff7e60eb6e7da5b81e9a37d0c51 100644 (file)
@@ -229,7 +229,7 @@ slave.ctl("conf-commit", custom_parm=confsock)
 t.sleep(3)
 try:
     resp = slave.dig("version.catalog1.", "TXT", tsig=True)
-    resp.check(rcode="REFUSED")
+    resp.check(rcode="NOTAUTH")
 except:
     pass
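Review bot: The changed assertion `resp.check(rcode="NOTAUTH")` sits inside a bare `try: ... except: pass`, so a mismatched rcode raises and is swallowed exactly like a failed dig, and the expected-NOTAUTH behaviour is never actually enforced by the test. If the try is only meant to tolerate a dig that cannot be sent, keep the dig inside it and move the check after the block, e.g. `resp = None` before the try, `except Exception: pass`, and then `if resp is not None: resp.check(rcode="NOTAUTH")` outside it. Whether dig raising here is an expected condition I cannot tell from the hunk; if it is not, the try/except should be dropped altogether. The surrounding test script continues outside this hunk.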