From: Evan Hunt Date: Tue, 19 Mar 2019 17:14:44 +0000 (-0700) Subject: don't fail when allow-update{,-forwarding} is used globally X-Git-Tag: v9.15.0~64^2~1 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=91dca0f8da192e8b3439e80717bad3bfc139118f;p=thirdparty%2Fbind9.git don't fail when allow-update{,-forwarding} is used globally --- diff --git a/bin/named/server.c b/bin/named/server.c index 461cf1d9cd1..5653358aba0 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -5074,8 +5074,9 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, /* * Configure default allow-update and allow-update-forwarding ACLs, - * so they can be inherited by zones. (Note these cannot be set at - * options/view level.) + * so they can be inherited by zones. (XXX: These are not + * read from the options/view level here. However, they may be + * read from there in zoneconf.c:configure_zone_acl() later.) */ if (view->updateacl == NULL) { CHECK(configure_view_acl(NULL, NULL, named_g_config, diff --git a/bin/tests/system/checkconf/bad-allow-update-forwarding-view.conf b/bin/tests/system/checkconf/good-allow-update-forwarding-view.conf similarity index 97% rename from bin/tests/system/checkconf/bad-allow-update-forwarding-view.conf rename to bin/tests/system/checkconf/good-allow-update-forwarding-view.conf index 47f34950ada..0c2aeb8ddbc 100644 --- a/bin/tests/system/checkconf/bad-allow-update-forwarding-view.conf +++ b/bin/tests/system/checkconf/good-allow-update-forwarding-view.conf @@ -9,6 +9,6 @@ * information regarding copyright ownership. */ -view { +view one { allow-update-forwarding { any; }; }; diff --git a/bin/tests/system/checkconf/bad-allow-update-forwarding.conf b/bin/tests/system/checkconf/good-allow-update-forwarding.conf similarity index 100% rename from bin/tests/system/checkconf/bad-allow-update-forwarding.conf rename to bin/tests/system/checkconf/good-allow-update-forwarding.conf diff --git a/bin/tests/system/checkconf/bad-allow-update-view.conf b/bin/tests/system/checkconf/good-allow-update-view.conf similarity index 97% rename from bin/tests/system/checkconf/bad-allow-update-view.conf rename to bin/tests/system/checkconf/good-allow-update-view.conf index 22c4361e1ed..a893b9a2c5e 100644 --- a/bin/tests/system/checkconf/bad-allow-update-view.conf +++ b/bin/tests/system/checkconf/good-allow-update-view.conf @@ -9,6 +9,6 @@ * information regarding copyright ownership. */ -view { +view one { allow-update { any; }; }; diff --git a/bin/tests/system/checkconf/bad-allow-update.conf b/bin/tests/system/checkconf/good-allow-update.conf similarity index 100% rename from bin/tests/system/checkconf/bad-allow-update.conf rename to bin/tests/system/checkconf/good-allow-update.conf diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index a97a4d3acfd..b313840324f 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -7025,15 +7025,21 @@ options { When set in the zone statement for a master zone, specifies which hosts are allowed to submit Dynamic DNS updates to that zone. The default - is to deny updates from all hosts. This can only - be set at the zone level, not in - options or view. + is to deny updates from all hosts. Note that allowing updates based on the requestor's IP address is insecure; see for details. + + In general this option should only be set at the + zone level. While a default + value can be set at the options or + view level and inherited by zones, + this could lead to some zones unintentionally allowing + updates. + @@ -7046,9 +7052,7 @@ options { submit Dynamic DNS updates and have them be forwarded to the master. The default is { none; }, which means that no - update forwarding will be performed. This can only be - set at the zone level, not in - options or view. + update forwarding will be performed. To enable update forwarding, specify @@ -7066,6 +7070,14 @@ options { on insecure IP-address-based access control; see for more details. + + In general this option should only be set at the + zone level. While a default + value can be set at the options or + view level and inherited by zones, + this can lead to some zones unintentionally forwarding + updates. + diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 813cb7930bc..1d7a3d4a3be 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -482,43 +482,6 @@ check_viewacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions, return (result); } -static isc_result_t -check_non_viewacls(const cfg_obj_t *voptions, const cfg_obj_t *config, - isc_log_t *logctx) -{ - const cfg_obj_t *aclobj = NULL; - const cfg_obj_t *options; - const char *where = NULL; - int i; - - static const char *acls[] = { - "allow-update", "allow-update-forwarding", NULL - }; - - for (i = 0; acls[i] != NULL; i++) { - if (voptions != NULL && aclobj == NULL) { - cfg_map_get(voptions, acls[i], &aclobj); - where = "view"; - } - if (config != NULL && aclobj == NULL) { - options = NULL; - cfg_map_get(config, "options", &options); - if (options != NULL) { - cfg_map_get(options, acls[i], &aclobj); - where = "options"; - } - } - if (aclobj != NULL) { - cfg_obj_log(aclobj, logctx, ISC_LOG_ERROR, - "'%s' can only be set per-zone, " - "not in '%s'", acls[i], where); - return (ISC_R_FAILURE); - } - } - - return (ISC_R_SUCCESS); -} - static const unsigned char zeros[16]; static isc_result_t @@ -3702,11 +3665,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions, if (tresult != ISC_R_SUCCESS) result = tresult; - tresult = check_non_viewacls(voptions, config, logctx); - if (tresult != ISC_R_SUCCESS) { - result = tresult; - } - tresult = check_recursionacls(actx, voptions, viewname, config, logctx, mctx); if (tresult != ISC_R_SUCCESS)