Log "not authoritative for update zone" more clearly

Ensure the update zone name is mentioned in the NOTAUTH error message
in the server log, so that it is easier to track down problematic
update clients. There are two cases: either the update zone is
unrelated to any of the server's zones (previously no zone was
mentioned); or the update zone is a subdomain of one or more of the
server's zones (previously the name of the irrelevant parent zone was
misleadingly logged).

Closes #3209

diff --git a/CHANGES b/CHANGES
index 57df1e27a1446be2f2bc8f46ed820bebe8a44828..61cf97dab95a5cf90b794f80093b62094c672e42 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+5843.  [bug]           When an UPDATE targets a zone that is not configured,
+                       the requested zone name is now logged in the "not
+                       authoritative" error message, so that it is easier to
+                       track down problematic update clients. [GL #3209]
+
 5842.  [cleanup]       Remove the task exclusive mode use in ns_clientmgr.
                        [GL #3230]
 

diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index 7316fe327cb09de940a54fb4de36cb76eb541c42..0863d0a1ad12085671c5c4aebf1ee28dd94e9855 100755 (executable)
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -82,6 +82,32 @@ digcomp knowngood.ns1.before dig.out.ns1 || ret=1
 digcomp knowngood.ns1.before dig.out.ns2 || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 
+ret=0
+echo_i "ensure an unrelated zone is mentioned in its NOTAUTH log"
+$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END && ret=1
+server 10.53.0.1 ${PORT}
+zone unconfigured.test
+update add unconfigured.test 600 IN A 10.53.0.1
+send
+END
+grep NOTAUTH nsupdate.out > /dev/null 2>&1 || ret=1
+grep ' unconfigured.test: not authoritative' ns1/named.run \
+     > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "ensure a subdomain is mentioned in its NOTAUTH log"
+$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END && ret=1
+server 10.53.0.1 ${PORT}
+zone sub.sub.example.nil
+update add sub.sub.sub.example.nil 600 IN A 10.53.0.1
+send
+END
+grep NOTAUTH nsupdate.out > /dev/null 2>&1 || ret=1
+grep ' sub.sub.example.nil: not authoritative' ns1/named.run \
+     > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
 ret=0
 echo_i "updating zone"
 # nsupdate will print a ">" prompt to stdout as it gets each input line.

diff --git a/lib/ns/update.c b/lib/ns/update.c
index c96d87071db6afdec8ce002b22b8e8c4b9114ecf..5659a8c9164bccd7932c3914a1588b3ce666a0bf 100644 (file)
--- a/lib/ns/update.c
+++ b/lib/ns/update.c
@@ -1726,7 +1726,15 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
 
        result = dns_zt_find(client->view->zonetable, zonename, 0, NULL, &zone);
        if (result != ISC_R_SUCCESS) {
-               FAILC(DNS_R_NOTAUTH, "not authoritative for update zone");
+               /*
+                * If we found a zone that is a parent of the update zonename,
+                * detach it so it isn't mentioned in log - it is irrelevant.
+                */
+               if (zone != NULL) {
+                       dns_zone_detach(&zone);
+               }
+               FAILN(DNS_R_NOTAUTH, zonename,
+                     "not authoritative for update zone");
        }
 
        /*