2539. [security] Update the interaction between recursion, allow-query,
authorMark Andrews <marka@isc.org>
Fri, 30 Jan 2009 04:24:29 +0000 (04:24 +0000)
committerMark Andrews <marka@isc.org>
Fri, 30 Jan 2009 04:24:29 +0000 (04:24 +0000)
                        allow-query-cache and allow-recursion.  [RT #19198]

CHANGES
README
bin/named/server.c
doc/arm/Bv9ARM-book.xml

diff --git a/CHANGES b/CHANGES
index 3a1aecbfc997ff89b3bfde26cd6c90a1a3dbd296..c9aa2c3fbc5d38691e22eba1fbf43b2319cba897 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2539.  [security]      Update the interaction between recursion, allow-query,
+                       allow-query-cache and allow-recursion.  [RT #19198]
+
 2536.  [cleanup]       Silence some warnings when -Werror=format-security is
                        specified. [RT #19083]
 
diff --git a/README b/README
index 0a0bc9e86f6dae884e01197b2e48def2ce88606a..6ee3b601013148517ae0662d38e66f3e6742710b 100644 (file)
--- a/README
+++ b/README
@@ -76,13 +76,14 @@ BIND 9.4.0
 
        rndc now allows addresses to be set in the server clauses.
 
-       New option "allow-query-cache".  This lets allow-query be
-       used to specify the default zone access level rather than
-       having to have every zone override the global value.
-       allow-query-cache can be set at both the options and view
-       levels. If allow-query-cache is not set then allow-recursion
-       is used if set, otherwise allow-query is used if set, otherwise
-       the default (localhost; localnets;) is used.
+       New option "allow-query-cache".  This lets "allow-query"
+       be used to specify the default zone access level rather
+       than having to have every zone override the global value.
+       "allow-query-cache" can be set at both the options and view
+       levels.  If "allow-query-cache" is not set then "allow-recursion"
+       is used if set, otherwise "allow-query" is used if set
+       unless "recursion no;" is set in which case "none;" is used,
+       otherwise the default (localhost; localnets;) is used.
 
        rndc: the source address can now be specified.
 
index 7639e420d303559645977f3deec5d1cf251f22f0..83467db42d0b064bc91afd2309b7edad45da670d 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.419.18.73 2009/01/19 00:36:26 marka Exp $ */
+/* $Id: server.c,v 1.419.18.74 2009/01/30 04:24:29 marka Exp $ */
 
 /*! \file */
 
@@ -1561,10 +1561,11 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
         */
        if (view->queryacl == NULL && view->recursionacl != NULL)
                dns_acl_attach(view->recursionacl, &view->queryacl);
-       if (view->queryacl == NULL)
+       if (view->queryacl == NULL && view->recursion)
                CHECK(configure_view_acl(vconfig, config, "allow-query",
                                         actx, ns_g_mctx, &view->queryacl));
-       if (view->recursionacl == NULL && view->queryacl != NULL)
+       if (view->recursion &&
+           view->recursionacl == NULL && view->queryacl != NULL)
                dns_acl_attach(view->queryacl, &view->recursionacl);
 
        /*
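Review bot: The comment whose closing `*/` opens this hunk (its text sits above the hunk) presumably still describes the pre-change fallback order, and the two added `view->recursion` guards change that order: with `recursion no;` the view-level `allow-query` is no longer consulted for queryacl, and recursionacl is no longer derived from queryacl. If that comment does not already say so, a line such as `/* When recursion is disabled, allow-query is not used for the cache ACL; queryacl falls through to the allow-query-cache handling below. */` would keep it accurate for the next reader. configure_view starts before and continues after this hunk.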
@@ -1573,10 +1574,18 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
        if (view->recursionacl == NULL && view->recursion)
                CHECK(configure_view_acl(NULL, ns_g_config, "allow-recursion",
                                         actx, ns_g_mctx, &view->recursionacl));
-       if (view->queryacl == NULL)
-               CHECK(configure_view_acl(NULL, ns_g_config,
-                                        "allow-query-cache", actx,
-                                        ns_g_mctx, &view->queryacl));
+       if (view->queryacl == NULL) {
+               if (view->recursion)
+                       CHECK(configure_view_acl(NULL, ns_g_config,
+                                                "allow-query-cache", actx,
+                                                ns_g_mctx, &view->queryacl));
+               else {
+                       if (view->queryacl != NULL)
+                               dns_acl_detach(&view->queryacl);
+                       CHECK(dns_acl_none(ns_g_mctx, &view->queryacl));
+              }
+
+       }
 
        CHECK(configure_view_acl(vconfig, config, "sortlist",
                                 actx, ns_g_mctx, &view->sortlist));
index e9e0b59b8ac7d0b92b411157a181d519e5321684..acf3180f2a36f0bfed03b1fd4729f3b48efaca2d 100644 (file)
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- File: $Id: Bv9ARM-book.xml,v 1.241.18.100 2009/01/22 23:46:00 tbox Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.241.18.101 2009/01/30 04:24:29 marka Exp $ -->
 <book xmlns:xi="http://www.w3.org/2001/XInclude">
   <title>BIND 9 Administrator Reference Manual</title>
 
@@ -5884,8 +5884,9 @@ options {
                  from the cache.  If <command>allow-query-cache</command>
                  is not set then <command>allow-recursion</command>
                  is used if set, otherwise <command>allow-query</command>
-                 is used if set, otherwise the default
-                 (<command>localnets;</command>
+                 is used if set unless <command>recursion no;</command> is
+                 set in which case <command>none;</command> is used,
+                 otherwise the default (<command>localnets;</command>
                  <command>localhost;</command>) is used.
                </para>
              </listitem>