From: Mark Andrews Date: Sun, 18 Aug 2013 23:18:28 +0000 (+1000) Subject: 3636. [bug] Automatic empty zones now behave better with X-Git-Tag: v9.8.6rc2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=35185f40dcc2525b6384755ccf09d5d15c884bde;p=thirdparty%2Fbind9.git 3636. [bug] Automatic empty zones now behave better with forward only "zones" beneath them. [RT #34583] (cherry picked from commit 997c2c5116927bab77284c24c3bd0d7f646da5ee) --- diff --git a/CHANGES b/CHANGES index 76c8f7f66d7..a7a8d8e7243 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +3637. [bug] 'allow-query-on' was checking the source address + rather than the destination address. [RT #34590] + 3636. [bug] Automatic empty zones now behave better with forward only "zones" beneath them. [RT #34583] diff --git a/bin/named/query.c b/bin/named/query.c index 973219a150f..ce355b05cf1 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -773,7 +773,7 @@ query_validatezonedb(ns_client_t *client, dns_name_t *name, if (queryonacl == NULL) queryonacl = client->view->queryonacl; - result = ns_client_checkaclsilent(client, NULL, + result = ns_client_checkaclsilent(client, &client->destaddr, queryonacl, ISC_TRUE); if ((options & DNS_GETDB_NOLOG) == 0 && result != ISC_R_SUCCESS) diff --git a/bin/tests/system/acl/ns2/named5.conf b/bin/tests/system/acl/ns2/named5.conf new file mode 100644 index 00000000000..09e81cbcdd6 --- /dev/null +++ b/bin/tests/system/acl/ns2/named5.conf 
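Review bot: The `&client->destaddr` argument at the `ns_client_checkaclsilent()` call in `query_validatezonedb()` carries the whole fix, yet nothing at the call site says why this ACL is matched against a different address. Going by the CHANGES entry, the previous `NULL` presumably made the helper fall back to the client's source address, so a later cleanup could quietly turn `allow-query-on` back into a source-address filter. A comment above the call such as `/* allow-query-on matches the address the query arrived on, not the peer's address */` would record the intent. Whether `client->destaddr` is populated on every receive path is not visible in this hunk and is worth confirming, since the access decision now depends on it. The body of `query_validatezonedb()` starts and ends outside the hunk.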
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named1.conf,v 1.2 2008/01/10 01:10:01 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ ixfr-from-differences yes;
+ check-integrity no;
+ allow-query-on { 10.53.0.2; };
+};
+
+include "../../common/controls.conf";
+
+key one {
+ algorithm hmac-md5;
+ secret "1234abcd8765";
+};
+
+key two {
+ algorithm hmac-md5;
+ secret "1234abcd8765";
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type master;
+ file "example.db";
+};
+
+zone "tsigzone" {
+ type master;
+ file "tsigzone.db";
+ allow-transfer { !key one; any; };
+};
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
index f74a5544eba..82625678af3 100644
--- a/bin/tests/system/acl/tests.sh
+++ b/bin/tests/system/acl/tests.sh
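Review bot: The one setting this fixture exists for, `allow-query-on { 10.53.0.2; };` in the `options` block, has no comment, so a reader cannot tell which line the new test depends on. I would add above it `/* destination-address ACL: the test queries 10.53.0.2 from 10.53.0.3, so matching on the source address would refuse the query */`. The header also still reads `$Id: named1.conf,v 1.2 2008/01/10 ...` with a 2008 copyright, apparently carried over from the file this was copied from, and should be updated so it does not misidentify the new file.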
@@ -140,5 +140,14 @@ $DIG $DIGOPTS tsigzone. \ @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 -p 5300 > dig.out grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; } +echo "I:testing allow-query-on ACL processing" +cp -f ns2/named5.conf ns2/named.conf +$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' +sleep 5 +t=`expr $t + 1` +$DIG +tcp soa example. \ + @10.53.0.2 -b 10.53.0.3 -p 5300 > dig.out +grep "status: NOERROR" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; } + echo "I:exit status: $status" exit $status
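Review bot: The new case proves only the allow path: it queries 10.53.0.2, which `allow-query-on` lists, and greps for `status: NOERROR`, so an ACL check that matched every address would pass as well. A companion case that expects a refusal would pin the destination-address semantics from both sides, for example a config whose `allow-query-on` lists only the client's source address 10.53.0.3, followed by `grep "status: REFUSED" dig.out`. The fixed `sleep 5` after `rndc reload` can also race on a slow host, and if the reload has not taken effect the query runs against the previous configuration. Polling until the reload is complete would make the result dependable.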