*/
isc_result_t
dlz_allowzonexfr(void *dbdata, const char *name, const char *client) {
+ struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
isc_result_t result;
+ if (state->log != NULL) {
+ state->log(ISC_LOG_INFO,
+ "dlz_example: dlz_allowzonexfr called for %s",
+ name);
+ }
+
result = dlz_findzonedb(dbdata, name, NULL, NULL);
if (result != ISC_R_SUCCESS) {
+ if (state->log != NULL) {
+ state->log(ISC_LOG_INFO,
+ "dlz_example: findzonedb returned %s",
+ isc_result_totext(result));
+ }
return (result);
}
+ /*
+ * Exception for "example.org" so we can test the use of
+ * the view ACL.
+ */
+ if (strcmp(name, "example.org") == 0) {
+ if (state->log != NULL) {
+ state->log(ISC_LOG_INFO,
+ "dlz_example: use view ACL "
+ "for example.org");
+ }
+ return (ISC_R_DEFAULT);
+ }
+
/*
* Exception for 10.53.0.5 so we can test that allow-transfer
* is effective.
*/
if (strcmp(client, "10.53.0.5") == 0) {
+ if (state->log != NULL) {
+ state->log(ISC_LOG_INFO,
+ "dlz_example: disallow transfer "
+ "to 10.53.0.5");
+ }
return (ISC_R_NOPERM);
}
+ if (state->log != NULL) {
+ state->log(ISC_LOG_INFO,
+ "dlz_example: transfer allowed for %s", name);
+ }
+
return (ISC_R_SUCCESS);
}
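Review bot: The new `return (ISC_R_DEFAULT);` branch for "example.org" adds a third outcome — defer to the view's allow-transfer ACL — that the function's header comment (only its closing `*/` is inside the hunk; the comment itself begins outside it) does not describe, so a caller reading only ISC_R_SUCCESS/ISC_R_NOPERM may treat it as an error. I would extend that comment with something like `* Returns ISC_R_DEFAULT for "example.org" so that the view's allow-transfer ACL decides; ISC_R_NOPERM denies the transfer and ISC_R_SUCCESS permits it without consulting the ACL.` Separately, `state` is cast from `dbdata` and dereferenced at the first `state->log` check before any NULL test, while the raw `dbdata` is what gets passed on to `dlz_findzonedb`; if the other entry points in this file guard a NULL `dbdata` (I cannot see them from here), a matching `if (state == NULL) return (ISC_R_FAILURE);` ahead of the first log call would keep this one consistent. The five repeated `if (state->log != NULL) state->log(...)` blocks are also a candidate for a small static helper, but that is style only.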
[ "$ret" -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
+newtest "testing AXFR denied based on view ACL"
+# 10.53.0.1 should be disallowed
+$DIG $DIGOPTS -b 10.53.0.1 +noall +answer axfr example.org > dig.out.example.ns1.test$n.1
+grep "; Transfer failed" dig.out.example.ns1.test$n.1 > /dev/null || ret=1
+# 10.53.0.2 should be allowed
+$DIG $DIGOPTS -b 10.53.0.2 +noall +answer axfr example.org > dig.out.example.ns1.test$n.2
+grep "; Transfer failed" dig.out.example.ns1.test$n.2 > /dev/null && ret=1
+[ "$ret" -eq 0 ] || echo_i "failed"
+status=`expr $status + $ret`
+
newtest "testing unsearched/unregistered DLZ zone is not found"
$DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n
grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1
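Review bot: The "allowed" case for 10.53.0.2 only asserts that `; Transfer failed` is absent from the dig output, so an empty or truncated reply (timeout, connection refused, nothing left after `+noall +answer`) would pass as a successful transfer and the test does not fail closed. A positive check on the answer section closes that gap, e.g. `grep "example.org.*IN.*SOA" dig.out.example.ns1.test$n.2 > /dev/null || ret=1` immediately after the existing `grep ... && ret=1` line. This presumably relies on `newtest` resetting `ret` and advancing `$n`, which is defined outside the hunk; if it does not reset `ret`, the new block inherits the previous test's failure state.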