From: Daniel Salzman
Date: Thu, 30 Oct 2025 14:49:10 +0000 (+0100)
Subject: internet: refactor ACL evaluation for catalog queries
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=635bec86f7bfea6047cf30a620dcedec9558034a;p=thirdparty%2Fknot-dns.git
internet: refactor ACL evaluation for catalog queries
---
diff --git a/src/knot/nameserver/internet.c b/src/knot/nameserver/internet.c
index 8a499bf61e..cc9a169a50 100644
--- a/src/knot/nameserver/internet.c
+++ b/src/knot/nameserver/internet.c
@@ -715,6 +715,8 @@ knot_layer_state_t internet_process_query(knot_pkt_t *pkt, knotd_qdata_t *qdata)
 if (ret != KNOT_EOK) {
 return KNOT_STATE_FAIL;
 }
+ } else if (qdata->extra->zone->is_catalog_flag) {
+ NS_NEED_AUTH(qdata, ACL_ACTION_QUERY);
 }
 /* Check if the zone is not empty or expired. */
diff --git a/src/knot/nameserver/process_query.c b/src/knot/nameserver/process_query.c
index d82af13933..b044260811 100644
--- a/src/knot/nameserver/process_query.c
+++ b/src/knot/nameserver/process_query.c
@@ -497,15 +497,6 @@ static int prepare_answer(knot_pkt_t *query, knot_pkt_t *resp, knot_layer_t *ctx
 qdata->extra->contents = qdata->extra->zone->contents;
 }
- /* Allow normal queries to catalog only if allowed by ACL. */
- if (qdata->extra->zone != NULL && qdata->extra->zone->is_catalog_flag &&
- query_type(query) == KNOTD_QUERY_TYPE_NORMAL) {
- if (!process_query_acl_check(conf(), ACL_ACTION_QUERY, qdata)) {
- qdata->extra->zone = NULL;
- qdata->extra->contents = NULL;
- }
- }
-
 return KNOT_EOK;
 }
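Review bot: The added `else if` in internet_process_query() dereferences `qdata->extra->zone->is_catalog_flag` without the `qdata->extra->zone != NULL` test that the check removed from prepare_answer() carried; the function begins and ends outside this hunk, so confirm an earlier zone check covers this path, or write the condition as `qdata->extra->zone != NULL && qdata->extra->zone->is_catalog_flag`. The refusal itself also changes: the old code cleared `zone` and `contents`, so a client failing the ACL was answered as if the catalog were not served, while NS_NEED_AUTH presumably fails the query with an authorization error, which would let that client distinguish a protected catalog zone from an absent one. Since the subject calls this a refactor, state in the commit message whether that difference is intended. The explanatory comment was removed with the old block; restore it above the new branch as `/* Allow normal queries to catalog only if allowed by ACL. */`.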