denied axfr requests were not effective for writable DLZ zones
authorMark Andrews <marka@isc.org>
Fri, 4 Jan 2019 05:53:00 +0000 (16:53 +1100)
committerEvan Hunt <each@isc.org>
Mon, 4 Feb 2019 23:09:46 +0000 (15:09 -0800)
(cherry picked from commit 048e3acfdd19189bf927cb3431a28d4da2d09ac7)
(cherry picked from commit 4fc252783b85dd5e916fa93f0533de6e4ad1c903)
(cherry picked from commit 7261c48b9b752ea103fb18652cffdc472ed338dd)

bin/tests/system/dlzexternal/driver.c
bin/tests/system/dlzexternal/tests.sh
lib/ns/xfrout.c

index 8f954e743c04542e4ff8b94c18bdacb8436969c8..4a08dd6e2b74b8b6dd19e76b9ecc07a23a71d007 100644 (file)
@@ -544,10 +544,16 @@ dlz_lookup(const char *zone, const char *name, void *dbdata,
  */
 isc_result_t
 dlz_allowzonexfr(void *dbdata, const char *name, const char *client) {
-       UNUSED(client);
+       isc_result_t result;
 
-       /* Just say yes for all our zones */
-       return (dlz_findzonedb(dbdata, name, NULL, NULL));
+       result = dlz_findzonedb(dbdata, name, NULL, NULL);
+       if (result != ISC_R_SUCCESS) {
+               return (result);
+       }
+       if (strcmp(client, "10.53.0.5") == 0) {
+               return (ISC_R_NOPERM);
+       }
+       return (ISC_R_SUCCESS);
 }
 
 /*
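Review bot: The new deny branch in dlz_allowzonexfr hard-codes the refused client as a bare string literal and drops the old "Just say yes for all our zones" comment without saying why one address is now refused; a reader of the driver has to find tests.sh to learn that 10.53.0.5 exists only to exercise the refusal path. I would add above the strcmp: `/* Refuse transfers from 10.53.0.5 so the system test can check that a DLZ driver's NOPERM is honoured; all other clients are allowed. */`. The old `UNUSED(client)` shows the parameter was previously never inspected, so if the caller can ever pass a NULL client string the new strcmp would dereference it; if that is possible, `if (client != NULL && strcmp(client, "10.53.0.5") == 0) {` is the safer form, otherwise a one-line comment stating that client is always non-NULL would settle it. The function's leading doc comment starts before the hunk.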
index 87dd13b10ec555759c92e42793b3df940e87de61..1754aaa57cdeeddecd8a3d04daec4648a06259e4 100644 (file)
@@ -108,15 +108,23 @@ test_update testdc1.alternate.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1
 status=`expr $status + $ret`
 
 newtest "testing AXFR from DLZ drivers"
-$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.ns1.test$n
-lines=`cat dig.out.ns1.test$n | wc -l`
+$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.example.ns1.test$n
+lines=`cat dig.out.example.ns1.test$n | wc -l`
 [ ${lines:-0} -eq 4 ] || ret=1
-$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.ns1.test$n
-lines=`cat dig.out.ns1.test$n | wc -l`
+$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n
+lines=`cat dig.out.alternate.ns1.test$n | wc -l`
 [ ${lines:-0} -eq 5 ] || ret=1
 [ "$ret" -eq 0 ] || echo_i "failed"
 status=`expr $status + $ret`
 
+newtest "testing AXFR denied from DLZ drivers"
+$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil > dig.out.example.ns1.test$n
+grep "; Transfer failed" dig.out.example.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n
+grep "; Transfer failed" dig.out.alternate.ns1.test$n > /dev/null || ret=1
+[ "$ret" -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
 newtest "testing unsearched/unregistered DLZ zone is not found"
 $DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n
 grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1
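Review bot: The new "testing AXFR denied from DLZ drivers" test only greps for `; Transfer failed`, which dig prints for any failed transfer, so the test would presumably also pass if ns1 were down or not answering rather than refusing the client; it does not prove the denial path was taken. Since the preceding test already shows that transfers from the default source address succeed, the two tests together constrain the behaviour, but a comment above the new block saying so, e.g. `# 10.53.0.5 is the one source address the test DLZ driver refuses (see driver.c dlz_allowzonexfr)`, would make the dependency on driver.c explicit. Whether `ret` is reset between tests depends on the `newtest` helper, which is outside this hunk.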
index d2851063f6092842f12bcd0a1589253c3837a069..5807cc817d25d373eb6ad9c067ba0d32eed4c4e0 100644 (file)
@@ -805,12 +805,12 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
        result = dns_zt_find(client->view->zonetable, question_name, 0, NULL,
                             &zone);
 
-       if (result != ISC_R_SUCCESS) {
+       if (result != ISC_R_SUCCESS || dns_zone_gettype(zone) == dns_zone_dlz) {
                /*
-                * Normal zone table does not have a match.
-                * Try the DLZ database
+                * The normal zone table does not have a match, or this is
+                * marked in the zone table as a DLZ zone. Check the DLZ
+                * databases for a match.
                 */
-               // Temporary: only searching the first DLZ database
                if (! ISC_LIST_EMPTY(client->view->dlz_searched)) {
                        result = dns_dlzallowzonexfr(client->view,
                                                     question_name,
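Review bot: The widened condition `result != ISC_R_SUCCESS || dns_zone_gettype(zone) == dns_zone_dlz` is correct only because `||` short-circuits before `zone` is dereferenced on a failed lookup, and nothing in the comment says so; I would add `/* dns_zone_gettype() is only reached when dns_zt_find() succeeded and attached zone */` at the top of the block. In the DLZ-zone case `zone` is now attached by dns_zt_find when this branch is entered, which was not possible before the change; the detach presumably happens later in ns_xfr_start, outside the hunk, but that path should be checked so the reference is not leaked when the DLZ lookup then fails. If `dlz_searched` is empty, `result` still holds the ISC_R_SUCCESS from the zone-table hit for a DLZ-typed zone, and what the else branch (also outside the hunk) does with that is worth confirming.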