Log "not authoritative for update zone" more clearly

Ensure the update zone name is mentioned in the NOTAUTH error message
in the server log, so that it is easier to track down problematic
update clients. There are two cases: either the update zone is
unrelated to any of the server's zones (previously no zone was
mentioned); or the update zone is a subdomain of one or more of the
server's zones (previously the name of the irrelevant parent zone was
misleadingly logged).

Closes #3209

(cherry picked from commit 84c4eb02e7a4599acfb5d2abc0e62e7d64fd1bd6)

diff --git a/CHANGES b/CHANGES
index d038272fb64614a4208663453c908259b1c066d1..2badf41551263b02e8dd02ec590d74f03db0dc4c 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+5843.  [bug]           When an UPDATE targets a zone that is not configured,
+                       the requested zone name is now logged in the "not
+                       authoritative" error message, so that it is easier to
+                       track down problematic update clients. [GL #3209]
+
 5836.  [bug]           Quote the dns64 prefix in error messages that complain
                        about problems with it, to avoid confusion with the
                        following dns64 ACLs. [GL #3210]

diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index b3cb85aada1a7946bd5ce46e1308971b3b37ecd2..e4f96eb1268951bb016a4228c321fa58fd5301ae 100755 (executable)
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -83,6 +83,32 @@ digcomp knowngood.ns1.before dig.out.ns1 || ret=1
 digcomp knowngood.ns1.before dig.out.ns2 || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 
+ret=0
+echo_i "ensure an unrelated zone is mentioned in its NOTAUTH log"
+$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END && ret=1
+server 10.53.0.1 ${PORT}
+zone unconfigured.test
+update add unconfigured.test 600 IN A 10.53.0.1
+send
+END
+grep NOTAUTH nsupdate.out > /dev/null 2>&1 || ret=1
+grep ' unconfigured.test: not authoritative' ns1/named.run \
+     > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "ensure a subdomain is mentioned in its NOTAUTH log"
+$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END && ret=1
+server 10.53.0.1 ${PORT}
+zone sub.sub.example.nil
+update add sub.sub.sub.example.nil 600 IN A 10.53.0.1
+send
+END
+grep NOTAUTH nsupdate.out > /dev/null 2>&1 || ret=1
+grep ' sub.sub.example.nil: not authoritative' ns1/named.run \
+     > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
 ret=0
 echo_i "updating zone"
 # nsupdate will print a ">" prompt to stdout as it gets each input line.

diff --git a/lib/ns/update.c b/lib/ns/update.c
index 9ab13e330134c4a8fd80f23146ab6373baa42296..067ff990bdc5e4263496ad2cde1d07da7a8d0ada 100644 (file)
--- a/lib/ns/update.c
+++ b/lib/ns/update.c
@@ -1631,7 +1631,15 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
 
        result = dns_zt_find(client->view->zonetable, zonename, 0, NULL, &zone);
        if (result != ISC_R_SUCCESS) {
-               FAILC(DNS_R_NOTAUTH, "not authoritative for update zone");
+               /*
+                * If we found a zone that is a parent of the update zonename,
+                * detach it so it isn't mentioned in log - it is irrelevant.
+                */
+               if (zone != NULL) {
+                       dns_zone_detach(&zone);
+               }
+               FAILN(DNS_R_NOTAUTH, zonename,
+                     "not authoritative for update zone");
        }
 
        /*