+4788. [cleanup] When using "update-policy local", log a warning
+ when an update matching the session key is received
+ from a remote host. [RT #46213]
+
4787. [cleanup] Turn nsec3param_salt_totext() into a public function,
dns_nsec3param_salttotext(), and add unit tests for it.
[RT #46289]
n=`expr $n + 1`
ret=0
echo "I:check that 'update-policy local' fails from non-localhost address ($n)"
+grep 'match on session key not from localhost' ns5/named.run > /dev/null && ret=1
$NSUPDATE -p 5300 -k ns5/session.key > nsupdate.out.$n 2>&1 << END && ret=1
server 10.53.0.5 5300
local 10.53.0.1
send
END
grep REFUSED nsupdate.out.$n > /dev/null 2>&1 || ret=1
+grep 'match on session key not from localhost' ns5/named.run > /dev/null || ret=1
$DIG @10.53.0.5 -p 5300 \
+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
nonlocal.local.nil. > dig.out.ns5.$n || ret=1
#define DNS_LOGMODULE_NTA (&dns_modules[30])
#define DNS_LOGMODULE_DYNDB (&dns_modules[31])
#define DNS_LOGMODULE_DNSTAP (&dns_modules[32])
+#define DNS_LOGMODULE_SSU (&dns_modules[33])
ISC_LANG_BEGINDECLS
{ "dns/nta", 0 },
{ "dns/dyndb", 0 },
{ "dns/dnstap", 0 },
+ { "dns/ssu", 0 },
{ NULL, 0 }
};
continue;
}
if (!dns_name_issubdomain(name, rule->name)) {
-
continue;
}
dns_acl_match(addr, NULL, env->localhost,
NULL, &match, NULL);
if (match == 0) {
+ if (signer != NULL) {
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_WARNING,
+ "update-policy local: "
+ "match on session "
+ "key not from "
+ "localhost");
+ }
continue;
}
break;
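Review bot: The warning added under `if (match == 0)` names neither the peer nor the key, so an operator who sees it cannot tell which remote host presented the session key or correlate the event with other logs. Since `addr` is already passed to `dns_acl_match()`, it can be formatted and appended: declare `char addrbuf[ISC_NETADDR_FORMATSIZE];`, call `isc_netaddr_format(addr, addrbuf, sizeof(addrbuf));`, and end the format string with `"localhost (%s)"`, passing `addrbuf`. The system-test grep for the fixed text would still match, because the existing wording is unchanged. The message also asserts a "match on session key", while the visible lines only establish that `signer` is non-NULL and that the name is under `rule->name`; if the comparison against the session key happens outside this hunk, a one-line comment saying so would help. The enclosing function starts and ends outside the hunk.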