Don't set EDE in ns_client_aclchecksilent

The ns_client_aclchecksilent is used to check multiple ACLs before
the decision is made that a query is denied. It is also used to
determine if recursion is available. In those cases we should not
set the extended DNS error "Prohibited".

(cherry picked from commit 798c8f57d440cb5f9739cef86ad781ad3dfcb3bc)

diff --git a/lib/ns/client.c b/lib/ns/client.c
index 39ac87f54065560f033d58ad4e2672a0bb778ef2..8dc1abe3f89bc5d3f4fc65e4c243f58cbaf7fb0e 100644 (file)
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@@ -2583,7 +2583,6 @@ allow:
        return (ISC_R_SUCCESS);
 
 deny:
-       ns_client_extendederror(client, DNS_EDE_PROHIBITED, NULL);
        return (DNS_R_REFUSED);
 }
 
@@ -2606,6 +2605,7 @@ ns_client_checkacl(ns_client_t *client, isc_sockaddr_t *sockaddr,
                              NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
                              "%s approved", opname);
        } else {
+               ns_client_extendederror(client, DNS_EDE_PROHIBITED, NULL);
                ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
                              NS_LOGMODULE_CLIENT, log_level, "%s denied",
                              opname);