obj = NULL;
result = named_config_get(maps, "recursion", &obj);
INSIST(result == ISC_R_SUCCESS);
- view->recursion = cfg_obj_asboolean(obj);
+ view->recursion = (view->rdclass == dns_rdataclass_in &&
+ cfg_obj_asboolean(obj));
max_cache_size = configure_max_cache_size(view, maps);
/*
* We have default root hints for class IN if we need them.
* Each view gets its own rootdb so a priming response only
- * writes into that view's copy.
+ * writes into that view's copy. Other classes don't support
+ * recursion and don't need hints.
*/
if (view->rdclass == dns_rdataclass_in && view->rootdb == NULL) {
CHECK(configure_rootdb(view, NULL));
}
- /*
- * If we still have no root hints, this is a non-IN view with no
- * "hints zone" configured. Issue a warning, except if this
- * is a root server. Root servers never need to consult
- * their hints, so it's no point requiring users to configure
- * them.
- */
- if (view->rootdb == NULL) {
- dns_zone_t *rootzone = NULL;
- (void)dns_view_findzone(view, dns_rootname, DNS_ZTFIND_EXACT,
- &rootzone);
- if (rootzone != NULL) {
- dns_zone_detach(&rootzone);
- } else if (strcmp(view->name, "_bind") != 0 ||
- view->rdclass != dns_rdataclass_chaos)
- {
- isc_log_write(NAMED_LOGCATEGORY_GENERAL,
- NAMED_LOGMODULE_SERVER, ISC_LOG_WARNING,
- "no root hints for view '%s'",
- view->name);
- }
- }
-
/*
* Configure the view's transports (DoT/DoH)
*/
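Review bot: The new `view->recursion` assignment silently overrides an explicit `recursion yes;` for any non-IN view, and nothing next to it says why. A short comment above it would help, for example `/* Recursion is only supported for class IN; the "recursion" option is ignored for other classes. */`. The same hunk drops the "no root hints" warning, so the updated hints comment is now the only place in this function that records the class restriction. The enclosing function starts and ends outside the hunk.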
CHECK(configure_view_acl(vconfig, config, "allow-proxy-on", NULL,
aclctx, isc_g_mctx, &view->proxyonacl));
- if (strcmp(view->name, "_bind") != 0 &&
- view->rdclass != dns_rdataclass_chaos)
- {
+ if (view->rdclass != dns_rdataclass_in) {
+ view->recursion = false;
+ dns_acl_none(isc_g_mctx, &view->recursionacl);
+ dns_acl_none(isc_g_mctx, &view->recursiononacl);
+ } else {
CHECK(configure_view_acl(vconfig, config, "allow-recursion",
NULL, aclctx, isc_g_mctx,
&view->recursionacl));
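Review bot: The two `dns_acl_none()` calls in the non-IN branch are not wrapped in `CHECK(...)`, unlike the `configure_view_acl()` calls around them. Its declaration is not on the page, but if `dns_acl_none()` returns an `isc_result_t` in this tree, a failure would leave `recursionacl` or `recursiononacl` unset instead of deny-all; `CHECK(dns_acl_none(isc_g_mctx, &view->recursionacl));` keeps that path fail-closed. `view->recursion = false;` here is also redundant with the earlier assignment that already requires `dns_rdataclass_in`, so one of the two sites could be dropped or reduced to a comment. The `else` branch continues past the end of the hunk, so whether the other recursion-related ACLs are covered cannot be confirmed from here.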
| grep -v "is not implemented" \
| grep -v "is not recommended" \
| grep -v "no longer exists" \
+ | grep -v "recursion will be disabled" \
| grep -v "is obsolete" >checkconf.out$n || ret=1
diff good.zonelist checkconf.out$n >diff.out$n || ret=1
if [ $ret -ne 0 ]; then
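Review bot: Filtering out "recursion will be disabled" keeps this zone-list comparison stable, but nothing visible on the page asserts that the new warning is actually emitted. The commit also deletes the log-based test that covered the old "no root hints" warning. A small positive check would keep the diagnostic from regressing silently, such as a config with a non-IN view and a `grep "recursion will be disabled for non-IN view"` on the named-checkconf output. The surrounding test block continues outside the hunk.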
+++ /dev/null
-options {
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.1; };
-};
-
-key rndc_key {
- secret "1234abcd8765";
- algorithm @DEFAULT_HMAC@;
-};
-
-controls {
- inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-view _bind {
-};
-
-view foo {
-};
-
-view bar ch {
-};
+++ /dev/null
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-import isctest
-
-
-def test_nohintswarn_bindchaos(ns1):
- found = True
- try:
- with ns1.watch_log_from_start(timeout=1) as watcher:
- watcher.wait_for_line("no root hints for view '_bind'")
- except isctest.log.watchlog.WatchLogTimeout:
- found = False
- assert found is False
-
- with ns1.watch_log_from_start() as watcher:
- watcher.wait_for_line("no root hints for view 'bar'")
status=$((status + ret))
n=$((n + 1))
-echo_i "checking NXDOMAIN is returned when querying non existing domain in CH class ($n)"
+echo_i "checking REFUSED is returned when querying non existing domain in CH class ($n)"
ret=0
-dig_with_opts @10.53.0.1 id.hostname txt ch >dig.ns1.out.${n} || ret=1
-grep "status: NXDOMAIN" dig.ns1.out.${n} >/dev/null || ret=1
+dig_with_opts @10.53.0.1 hostname.chaostest txt ch >dig.ns1.out.1.${n} || ret=1
+grep "status: NOERROR" dig.ns1.out.1.${n} >/dev/null || ret=1
+dig_with_opts @10.53.0.1 id.hostname txt ch >dig.ns1.out.2.${n} || ret=1
+grep "status: REFUSED" dig.ns1.out.2.${n} >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
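Review bot: The `echo_i` title only mentions REFUSED, but the step now first asserts `status: NOERROR` for `hostname.chaostest` before the REFUSED check on `id.hostname`. A failure in the first query would be reported under a misleading description. Consider `echo_i "checking CH class answers configured names and returns REFUSED for others ($n)"`, or splitting the two queries into separate numbered steps so each failure is attributable.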
*/
static bool
check_recursion(const cfg_obj_t *config, const cfg_obj_t *voptions,
- const cfg_obj_t *goptions, cfg_aclconfctx_t *aclctx,
- isc_mem_t *mctx) {
+ dns_rdataclass_t vclass, const cfg_obj_t *goptions,
+ cfg_aclconfctx_t *aclctx, isc_mem_t *mctx) {
dns_acl_t *acl = NULL;
const cfg_obj_t *obj;
isc_result_t result = ISC_R_SUCCESS;
bool retval = true;
+ if (vclass != dns_rdataclass_in) {
+ return false;
+ }
+
/*
* Check the "recursion" option first.
*/
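Review bot: The early `return false` for non-IN classes gives `check_recursion()` a second meaning ("recursion is not possible for this class") that the function comment ending just above the signature does not describe; that comment lies outside the hunk. It should document the new `vclass` parameter and state that any class other than IN yields `false` before the "recursion" option or the ACLs are examined. A one-line comment on the guard, `/* Recursion is only supported for class IN. */`, would also help. Because the guard runs first, anything this function would otherwise diagnose about recursion ACLs is skipped for non-IN views; confirm that is intended.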
* contradicts the purpose of the former.
*/
if (ztype == CFG_ZONE_MIRROR &&
- !check_recursion(config, voptions, goptions, aclctx, mctx))
+ !check_recursion(config, voptions, zclass, goptions, aclctx, mctx))
{
cfg_obj_log(zoptions, ISC_LOG_ERROR,
"zone '%s': mirror zones cannot be used if "
cfg_aclconfctx_create(mctx, &aclctx);
+ if (vclass != dns_rdataclass_in) {
+ if (check_recursion(config, voptions, dns_rdataclass_in,
+ options, aclctx, mctx))
+ {
+ cfg_obj_log(opts, ISC_LOG_WARNING,
+ "recursion will be disabled for "
+ "non-IN view '%s'",
+ viewname);
+ }
+ }
+
if (voptions != NULL) {
(void)cfg_map_get(voptions, "zone", &zones);
} else {
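Review bot: The new warning is emitted whenever `check_recursion(..., dns_rdataclass_in, ...)` returns true, which depends on the effective settings, not on whether the view configured recursion explicitly. If recursion is enabled by default when unset, which the new `grep -v` filter in the checkconf test suggests, every non-IN view that never mentions recursion will log it on each load. Consider warning only when `recursion` or an `allow-recursion*` option is set explicitly in the view, or lowering the default case to `ISC_LOG_INFO`, so the message stays meaningful to operators. The enclosing function begins and continues outside the hunk, so the definitions of `opts` and `options` are not visible here.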