From: Matthijs Mekking Date: Wed, 14 Dec 2022 10:41:10 +0000 (+0100) Subject: Don't set EDE in ns_client_aclchecksilent X-Git-Tag: v9.19.9~31^2~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=798c8f57d440cb5f9739cef86ad781ad3dfcb3bc;p=thirdparty%2Fbind9.git Don't set EDE in ns_client_aclchecksilent The ns_client_aclchecksilent is used to check multiple ACLs before the decision is made that a query is denied. It is also used to determine if recursion is available. In those cases we should not set the extended DNS error "Prohibited".
---
diff --git a/lib/ns/client.c b/lib/ns/client.c
index 0bab7dbb516..ea94e45427f 100644
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@@ -2525,7 +2525,6 @@ allow:
 return (ISC_R_SUCCESS);
 deny:
- ns_client_extendederror(client, DNS_EDE_PROHIBITED, NULL);
 return (DNS_R_REFUSED);
 }
@@ -2548,6 +2547,7 @@ ns_client_checkacl(ns_client_t *client, isc_sockaddr_t *sockaddr,
 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), "%s approved", opname);
 } else {
+ ns_client_extendederror(client, DNS_EDE_PROHIBITED, NULL);
 ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT, log_level, "%s denied", opname);
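Review bot: With the call removed at the `deny:` label in the first hunk, any caller that uses the silent check directly and then refuses the query on its result no longer attaches EDE "Prohibited"; this patch restores the call only in ns_client_checkacl(). Those call sites are not visible here, so this is a check to make, not a confirmed gap: each path that turns a silent-check failure into a final REFUSED should call `ns_client_extendederror(client, DNS_EDE_PROHIBITED, NULL);` itself. A comment at the label would record the contract, for example `/* No EDE here: the caller decides whether this denial is final. */`. The function body starts outside the hunk.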
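Review bot: The call added in the `else` branch of ns_client_checkacl() (second hunk) has no comment explaining why the EDE is set here and not in the silent variant, which makes it easy for a later change to move it back. A one-line comment above it would do, for example `/* Final denial: set EDE here; the silent check must not set it. */`. A regression test would also help: a query that fails one ACL but is allowed by a later one should return a response with no EDE option. The enclosing function starts and ends outside the hunk.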