cross inherit from each other.
If allow-query-cache is not set in named.conf then
allow-recursion is used if set, otherwise allow-query
is used if set, otherwise the default (localnets;
localhost;) is used.
If allow-recursion is not set in named.conf then
allow-query-cache is used if set, otherwise allow-query
is used if set, otherwise the default (localnets;
localhost;) is used.
[RT #16987]
+2206. [security] "allow-query-cache" and "allow-recursion" now
+ cross inherit from each other.
+
+ If allow-query-cache is not set in named.conf then
+ allow-recursion is used if set, otherwise allow-query
+ is used if set, otherwise the default (localnets;
+ localhost;) is used.
+
+ If allow-recursion is not set in named.conf then
+ allow-query-cache is used if set, otherwise allow-query
+ is used if set, otherwise the default (localnets;
+ localhost;) is used.
+
+ [RT #16987]
+
2205. [bug] libbind: change #2119 broke thread support. [RT #16982]
2203. [security] Query id generation was cryptographically weak.
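Review bot: The entry spells out the fallback chain but not the upgrade impact for a named.conf that sets only allow-query. By the entry's own wording, that ACL now governs both cache access and recursion in place of the (localnets; localhost;) default. Since the change is tagged [security], suggest adding one sentence that says so, so operators with a broad allow-query know to set allow-recursion or allow-query-cache explicitly.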
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.c,v 1.419.18.55 2007/06/25 02:42:24 marka Exp $ */
+/* $Id: server.c,v 1.419.18.56 2007/07/09 02:18:49 marka Exp $ */
/*! \file */
view->additionalfromcache = ISC_TRUE;
}
+ /*
+ * Set "allow-query-cache" and "allow-recursion" acls if
+ * configured in named.conf.
+ */
CHECK(configure_view_acl(vconfig, config, "allow-query-cache",
actx, ns_g_mctx, &view->queryacl));
- if (view->queryacl == NULL)
- CHECK(configure_view_acl(NULL, ns_g_config,
- "allow-query-cache", actx,
- ns_g_mctx, &view->queryacl));
if (strcmp(view->name, "_bind") != 0)
CHECK(configure_view_acl(vconfig, config, "allow-recursion",
"active%s%s", forview, viewname);
/*
- * Set default "allow-recursion" acl.
+ * "allow-query-cache" inherits from "allow-recursion" if set,
+ * otherwise from "allow-query" if set.
+ * "allow-recursion" inherits from "allow-query-cache" if set,
+ * otherwise from "allow-query" if set.
+ */
+ if (view->queryacl == NULL && view->recursionacl != NULL)
+ dns_acl_attach(view->recursionacl, &view->queryacl);
+ if (view->queryacl == NULL)
+ CHECK(configure_view_acl(vconfig, config, "allow-query",
+ actx, ns_g_mctx, &view->queryacl));
+ if (view->recursionacl == NULL && view->queryacl != NULL)
+ dns_acl_attach(view->queryacl, &view->recursionacl);
+
+ /*
+ * Set default "allow-recursion" and "allow-query-cache" acls.
*/
if (view->recursionacl == NULL && view->recursion)
CHECK(configure_view_acl(NULL, ns_g_config, "allow-recursion",
actx, ns_g_mctx, &view->recursionacl));
+ if (view->queryacl == NULL)
+ CHECK(configure_view_acl(NULL, ns_g_config,
+ "allow-query-cache", actx,
+ ns_g_mctx, &view->queryacl));
CHECK(configure_view_acl(vconfig, config, "sortlist",
actx, ns_g_mctx, &view->sortlist));
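Review bot: The new attach at "if (view->recursionacl == NULL && view->queryacl != NULL)" has neither of the guards used for allow-recursion elsewhere in this function. The explicit allow-recursion lookup above is skipped when the view is named "_bind", and the default below is applied only when view->recursion is set. As written, a "_bind" view or a view with recursion disabled can receive a recursionacl inherited from allow-query-cache or allow-query whenever queryacl is non-NULL. If that is not intended, add the same conditions to this attach, and consider whether the allow-query fallback for queryacl needs the view->recursion test too. If it is intended, the block comment should say so.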
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- File: $Id: Bv9ARM-book.xml,v 1.241.18.77 2007/06/19 06:59:09 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.241.18.78 2007/07/09 02:18:49 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
<listitem>
<para>
Specifies which hosts are allowed to get answers
- from the cache. The default is the builtin acls
- <command>localnets</command> and
- <command>localhost</command>.
-
- <!-- The way to set query access to the cache is now via allow-query-cache. This differs from earlier versions which used allow-query. -->
- </para>
- <para>
- The way to set query access to the cache is now
- via <command>allow-query-cache</command>.
- This differs from earlier versions which used
- <command>allow-query</command>.
- </para>
- <para>
- The way to set query access to the cache is now via
- <command>allow-query-cache</command>.
- This differs from earlier versions which used
- <command>allow-query</command>.
+ from the cache. If <command>allow-query-cache</command>
+ is not set then <command>allow-recursion</command>
+ is used if set, otherwise <command>allow-query</command>
+ is used if set, otherwise the default
+ (<command>localnets;</command>
+ <command>localhost;</command>) is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>allow-recursion</command></term>
<listitem>
- <para>
+ <para>
Specifies which hosts are allowed to make recursive
- queries through this server. If not specified,
- the default is to allow recursive queries from
- the builtin acls <command>localnets</command> and
- <command>localhost</command>.
- Note that disallowing recursive queries for a
- host does not prevent the host from retrieving
- data that is already in the server's cache.
- </para>
+ queries through this server. If
+ <command>allow-recursion</command> is not set
+ then <command>allow-query-cache</command> is
+ used if set, otherwise <command>allow-query</command>
+ is used if set, otherwise the default
+ (<command>localnets;</command>
+ <command>localhost;</command>) is used.
+ </para>
</listitem>
</varlistentry>
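Review bot: The allow-recursion paragraph drops the note that "disallowing recursive queries for a host does not prevent the host from retrieving data that is already in the server's cache" and puts nothing in its place. With the new fallback, that caveat still applies when allow-query-cache is set separately and is wider than allow-recursion, so suggest rewording it to state that condition rather than removing it. Minor: both new paragraphs put the semicolon inside the tag (<command>localnets;</command>) where the removed text used <command>localnets</command>; pick one form.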