negative 'blackhole' ACL match could be treated as positive

There was a bug in the checking of the "blackhole" ACL in
dns_request_create*(), causing an address to be treated as included
in the ACL if it was explicitly *excluded*. Thus, leaving "blackhole"
unset had no effect, but setting it to "none" would cause any
destination addresses to be rejected for dns_request purposes. This
would cause zone transfer requests and SOA queries to fail, among
other things.

The bug has been fixed, and "blackhole { none; };" was added to the
xfer system test as a regression test.

diff --git a/bin/tests/system/xfer/ns4/named.conf.base b/bin/tests/system/xfer/ns4/named.conf.base
index 395f80c580555a8695aa6098cf5f5c20bae64dbc..8e77d0cd7d1bce580457e3a38c9e249f956ff7a9 100644 (file)
--- a/bin/tests/system/xfer/ns4/named.conf.base
+++ b/bin/tests/system/xfer/ns4/named.conf.base
@@ -21,6 +21,7 @@ options {
        listen-on-v6 { none; };
        recursion no;
        notify yes;
+       blackhole { none; };
 };
 
 key rndc_key {

diff --git a/lib/dns/request.c b/lib/dns/request.c
index b8248eaf257e2c107b4805e226a1bea062879247..b4348e469c0eed325eed30fd15c9166528d7bb34 100644 (file)
--- a/lib/dns/request.c
+++ b/lib/dns/request.c
@@ -383,7 +383,7 @@ isblackholed(dns_dispatchmgr_t *dispatchmgr, const isc_sockaddr_t *destaddr) {
 
        isc_netaddr_fromsockaddr(&netaddr, destaddr);
        result = dns_acl_match(&netaddr, NULL, blackhole, NULL, &match, NULL);
-       if (result != ISC_R_SUCCESS || match == 0) {
+       if (result != ISC_R_SUCCESS || match <= 0) {
                return (false);
        }