denied axfr requests were not effective for writable DLZ zones

(cherry picked from commit d9077cd0038e59726e1956de18b4b7872038a283)

diff --git a/bin/tests/system/dlzexternal/driver.c b/bin/tests/system/dlzexternal/driver.c
index 9e565107bef66d68f63331e97cd6ddcc0038f6e3..25c4eff05d58698c0fafa690f6e7115395572bad 100644 (file)
--- a/bin/tests/system/dlzexternal/driver.c
+++ b/bin/tests/system/dlzexternal/driver.c
@@ -541,10 +541,22 @@ dlz_lookup(const char *zone, const char *name, void *dbdata,
  */
 isc_result_t
 dlz_allowzonexfr(void *dbdata, const char *name, const char *client) {
-       UNUSED(client);
+       isc_result_t result;
+
+       result = dlz_findzonedb(dbdata, name, NULL, NULL);
+       if (result != ISC_R_SUCCESS) {
+               return (result);
+       }
 
-       /* Just say yes for all our zones */
-       return (dlz_findzonedb(dbdata, name, NULL, NULL));
+       /*
+        * Exception for 10.53.0.5 so we can test that allow-transfer
+        * is effective.
+        */
+       if (strcmp(client, "10.53.0.5") == 0) {
+               return (ISC_R_NOPERM);
+       }
+
+       return (ISC_R_SUCCESS);
 }
 
 /*

diff --git a/bin/tests/system/dlzexternal/tests.sh b/bin/tests/system/dlzexternal/tests.sh
index 87dd13b10ec555759c92e42793b3df940e87de61..1754aaa57cdeeddecd8a3d04daec4648a06259e4 100644 (file)
--- a/bin/tests/system/dlzexternal/tests.sh
+++ b/bin/tests/system/dlzexternal/tests.sh
@@ -108,15 +108,23 @@ test_update testdc1.alternate.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1
 status=`expr $status + $ret`
 
 newtest "testing AXFR from DLZ drivers"
-$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.ns1.test$n
-lines=`cat dig.out.ns1.test$n | wc -l`
+$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.example.ns1.test$n
+lines=`cat dig.out.example.ns1.test$n | wc -l`
 [ ${lines:-0} -eq 4 ] || ret=1
-$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.ns1.test$n
-lines=`cat dig.out.ns1.test$n | wc -l`
+$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n
+lines=`cat dig.out.alternate.ns1.test$n | wc -l`
 [ ${lines:-0} -eq 5 ] || ret=1
 [ "$ret" -eq 0 ] || echo_i "failed"
 status=`expr $status + $ret`
 
+newtest "testing AXFR denied from DLZ drivers"
+$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil > dig.out.example.ns1.test$n
+grep "; Transfer failed" dig.out.example.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n
+grep "; Transfer failed" dig.out.alternate.ns1.test$n > /dev/null || ret=1
+[ "$ret" -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
 newtest "testing unsearched/unregistered DLZ zone is not found"
 $DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n
 grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1

diff --git a/lib/ns/xfrout.c b/lib/ns/xfrout.c
index c9beae50051cc8e85dff0f057d31bd344a11bea4..5c7fba964cb07249ba7c2999f582ad458336009e 100644 (file)
--- a/lib/ns/xfrout.c
+++ b/lib/ns/xfrout.c
@@ -805,12 +805,12 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
        result = dns_zt_find(client->view->zonetable, question_name, 0, NULL,
                             &zone);
 
-       if (result != ISC_R_SUCCESS) {
+       if (result != ISC_R_SUCCESS || dns_zone_gettype(zone) == dns_zone_dlz) {
                /*
-                * Normal zone table does not have a match.
-                * Try the DLZ database
+                * The normal zone table does not have a match, or this is
+                * marked in the zone table as a DLZ zone. Check the DLZ
+                * databases for a match.
                 */
-               // Temporary: only searching the first DLZ database
                if (! ISC_LIST_EMPTY(client->view->dlz_searched)) {
                        result = dns_dlzallowzonexfr(client->view,
                                                     question_name,