diff --git a/CHANGES b/CHANGES
index caa56b09c9..b773b38458 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+5806. [bug] An error in checking the "blackhole" ACL could cause
+ DNS requests sent by named to fail if the
+ destination address or prefix was specifically
+ excluded from the ACL. [GL #3157]
+
 5805. [func] The result of each resolver priming attempt is now included in the "resolver priming query complete" log message. [GL #3139]
diff --git a/bin/tests/system/xfer/ns4/named.conf.base b/bin/tests/system/xfer/ns4/named.conf.base
index 395f80c580..8e77d0cd7d 100644
--- a/bin/tests/system/xfer/ns4/named.conf.base
+++ b/bin/tests/system/xfer/ns4/named.conf.base
@@ -21,6 +21,7 @@ options {
 listen-on-v6 { none; };
 recursion no;
 notify yes;
+ blackhole { none; };
 };
 
 key rndc_key {
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index ded784f7a7..c9ae25023b 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -62,3 +62,11 @@ Bug Fixes
 - Build errors were introduced in some DLZ modules due to an incomplete change in the previous release. This has been fixed. :gl:`#3111`
+
+- An error in the processing of the ``blackhole`` ACL could cause some DNS
+ requests sent by ``named`` to fail - for example, zone transfer requests
+ and SOA refresh queries - if the destination address or prefix was
+ specifically excluded from the ACL using ``!``, or if the ACL was set
+ to ``none``. ``blackhole`` worked correctly when it was left unset, or
+ if only positive-match elements were included. This has now been fixed.
+ :gl:`#3157`
diff --git a/lib/dns/request.c b/lib/dns/request.c
index b8248eaf25..b4348e469c 100644
--- a/lib/dns/request.c
+++ b/lib/dns/request.c
@@ -383,7 +383,7 @@ isblackholed(dns_dispatchmgr_t *dispatchmgr, const isc_sockaddr_t *destaddr) {
 
 isc_netaddr_fromsockaddr(&netaddr, destaddr);
 result = dns_acl_match(&netaddr, NULL, blackhole, NULL, &match, NULL);
-if (result != ISC_R_SUCCESS || match == 0) {
+if (result != ISC_R_SUCCESS || match <= 0) {
 return (false);
 }
 
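Review bot: The corrected test `match <= 0` depends on the sign convention of dns_acl_match — as the release note in this commit indicates, a match on a negated (`!`) element comes back negative, no match is zero, and only a positive value means the destination is blackholed — and nothing at the call site records this, so a future reader may well revert to `== 0`; a why-comment above the `if`, such as `/* dns_acl_match reports a match on a negated ("!") element as a negative value; only a positive match means the destination is blackholed. */`, would guard against that. The same branch also turns a dns_acl_match failure (`result != ISC_R_SUCCESS`) into `return (false)`, i.e. the check fails open and the request is still sent; that is pre-existing and plausibly the intended behaviour for an outbound filter, but it belongs in the same comment so the choice is visibly deliberate. The release note names both `!`-excluded prefixes and `blackhole { none; }`, while the only test-configuration change in this commit (bin/tests/system/xfer/ns4/named.conf.base) exercises `none`; unless the negated-element case is already covered elsewhere in the xfer test, a configuration with an explicit `!` exclusion would pin that half of the fix. isblackholed's body starts and ends outside this hunk.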