ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT, NS_LOGMODULE_XFER_OUT,
ISC_LOG_DEBUG(6), "%s request", mnemonic);
- /*
- * Apply quota.
- */
- result = isc_quota_attach(&client->sctx->xfroutquota, "a);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(XFROUT_COMMON_LOGARGS, ISC_LOG_WARNING,
- "%s request denied: %s", mnemonic,
- isc_result_totext(result));
- goto failure;
- }
/*
* Interpret the question section.
FAILC(DNS_R_FORMERR, "attempted AXFR over UDP");
}
+ /*
+ * Apply quota after ACL is checked, so that unauthorized clients
+ * can not starve the authorized clients.
+ */
+ result = isc_quota_attach(&client->sctx->xfroutquota, "a);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(XFROUT_COMMON_LOGARGS, ISC_LOG_WARNING,
+ "%s request denied: %s", mnemonic,
+ isc_result_totext(result));
+ goto failure;
+ }
+
/*
* Look up the requesting server in the peer table.
*/
}
/* XXX kludge */
if (xfr != NULL) {
+ /* The quota will be released in xfrout_ctx_destroy(). */
xfrout_fail(xfr, result, "setting up zone transfer");
} else if (result != ISC_R_SUCCESS) {
ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT,
projects / thirdparty / bind9.git / commitdiff
