From da029f10bae6dd66d6d140027df2422c5e1fa326 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Wed, 16 Feb 2022 15:46:33 -0800 Subject: [PATCH 1/2] negative 'blackhole' ACL match could be treated as positive There was a bug in the checking of the "blackhole" ACL in dns_request_create*(), causing an address to be treated as included in the ACL if it was explicitly *excluded*. Thus, leaving "blackhole" unset had no effect, but setting it to "none" would cause any destination addresses to be rejected for dns_request purposes. This would cause zone transfer requests and SOA queries to fail, among other things. The bug has been fixed, and "blackhole { none; };" was added to the xfer system test as a regression test. (cherry picked from commit 4444b168dbadc68460d09f69545b5bb7d12b5281) --- bin/tests/system/xfer/ns4/named.conf.base | 1 + lib/dns/request.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/bin/tests/system/xfer/ns4/named.conf.base b/bin/tests/system/xfer/ns4/named.conf.base index 395f80c580..8e77d0cd7d 100644 --- a/bin/tests/system/xfer/ns4/named.conf.base +++ b/bin/tests/system/xfer/ns4/named.conf.base @@ -21,6 +21,7 @@ options { listen-on-v6 { none; }; recursion no; notify yes; + blackhole { none; }; }; key rndc_key { diff --git a/lib/dns/request.c b/lib/dns/request.c index b8248eaf25..b4348e469c 100644 --- a/lib/dns/request.c +++ b/lib/dns/request.c @@ -383,7 +383,7 @@ isblackholed(dns_dispatchmgr_t *dispatchmgr, const isc_sockaddr_t *destaddr) { isc_netaddr_fromsockaddr(&netaddr, destaddr); result = dns_acl_match(&netaddr, NULL, blackhole, NULL, &match, NULL); - if (result != ISC_R_SUCCESS || match == 0) { + if (result != ISC_R_SUCCESS || match <= 0) { return (false); } From 839a17186e2e03e303705e87d5548ce4a89f7853 Mon Sep 17 00:00:00 2001 
From: Evan Hunt Date: Wed, 16 Feb 2022 15:58:50 -0800 Subject: [PATCH 2/2] CHANGES and release note for [GL #3157] (cherry picked from commit 04361b0ad5e3a799cb37432ac0eb06226a6b62e0) --- CHANGES | 5 +++++ doc/notes/notes-current.rst | 8 ++++++++ 2 files changed, 13 insertions(+) diff --git a/CHANGES b/CHANGES index caa56b09c9..b773b38458 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +5806. [bug] An error in checking the "blackhole" ACL could cause + DNS requests sent by named to fail if the + destination address or prefix was specifically + excluded from the ACL. [GL #3157] + 5805. [func] The result of each resolver priming attempt is now included in the "resolver priming query complete" log message. [GL #3139] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index ded784f7a7..c9ae25023b 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -62,3 +62,11 @@ Bug Fixes - Build errors were introduced in some DLZ modules due to an incomplete change in the previous release. This has been fixed. :gl:`#3111` + +- An error in the processing of the ``blackhole`` ACL could cause some DNS + requests sent by ``named`` to fail - for example, zone transfer requests + and SOA refresh queries - if the destination address or prefix was + specifically excluded from the ACL using ``!``, or if the ACL was set + to ``none``. ``blackhole`` worked correctly when it was left unset, or + if only positive-match elements were included. This has now been fixed. + :gl:`#3157`
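Review bot: In the lib/dns/request.c hunk, the new condition `match <= 0` is correct only because dns_acl_match() reports a negated-element match as a negative `match` value and "no match" as zero, and the old `match == 0` test is exactly the sign-convention slip that produced the bug; add a one-line comment above the check, e.g. `/* match < 0: address matched a negated ("!") element, so it is not blackholed */`, so the next reader does not "simplify" it back to a nonzero test.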
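Review bot: The regression test in bin/tests/system/xfer/ns4/named.conf.base only adds `blackhole { none; };`, while the release note says the failure also occurred when the destination "was specifically excluded from the ACL using ``!``"; consider a second configuration (or a second server in the xfer test) with an explicit negated element such as `blackhole { !<ns4 peer address>; any; };` so that the negative-match path, not just the empty-ACL path, is covered by the test.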
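Review bot: The CHANGES entry (5806) describes only the "specifically excluded from the ACL" case, whereas the doc/notes/notes-current.rst entry for the same fix also covers the ACL being set to ``none`` and names the affected operations (zone transfers, SOA refresh queries); align the CHANGES wording with the release note so that operators grepping CHANGES for the "none" symptom find this entry, e.g. append "or the ACL was set to \"none\"" after "excluded from the ACL".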