Don't set EDE in ns_client_aclchecksilent

The ns_client_aclchecksilent is used to check multiple ACLs before
the decision is made that a query is denied. It is also used to
determine if recursion is available. In those cases we should not
set the extended DNS error "Prohibited".

diff --git a/lib/ns/client.c b/lib/ns/client.c
index 0bab7dbb51649b89acc97feca5735b7d33433795..ea94e45427f52b5b149497952562c1da9b571a46 100644 (file)
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@@ -2525,7 +2525,6 @@ allow:
        return (ISC_R_SUCCESS);
 
 deny:
-       ns_client_extendederror(client, DNS_EDE_PROHIBITED, NULL);
        return (DNS_R_REFUSED);
 }
 
@@ -2548,6 +2547,7 @@ ns_client_checkacl(ns_client_t *client, isc_sockaddr_t *sockaddr,
                              NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
                              "%s approved", opname);
        } else {
+               ns_client_extendederror(client, DNS_EDE_PROHIBITED, NULL);
                ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
                              NS_LOGMODULE_CLIENT, log_level, "%s denied",
                              opname);