254. [bug] suppress "query denied" messages on additional data

lookups. ISC-Bugs #139
2026-06-09 07:32:09 -04:00 · 2000-06-15 04:42:01 +00:00 · 2000-06-15 04:42:01 +00:00 · 0bfcec250f
commit 0bfcec250f
parent 1e98bdb4a3
6 changed files with 25 additions and 15 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+ 254.	[bug]		suppress "query denied" messages on additional data
+			lookups.
+
 	--- 9.0.0b4 released ---

 253.	[func]		resolv.conf parser now recognises ';' and '#' as
--- a/bin/named/client.c
+++ b/bin/named/client.c
@ -1009,7 +1009,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	    /* XXX this will log too much too early */
 	    ns_client_checkacl(client, "recursion",
 			       client->view->recursionacl,
-			       ISC_TRUE) == ISC_R_SUCCESS)
+			       ISC_TRUE, ISC_TRUE) == ISC_R_SUCCESS)
 		ra = ISC_TRUE;

 	if (ra == ISC_TRUE)
@ -1557,7 +1557,7 @@ ns_client_getsockaddr(ns_client_t *client) {
 isc_result_t
 ns_client_checkacl(ns_client_t  *client,
 		   const char *opname, dns_acl_t *acl,
-		   isc_boolean_t default_allow)
+		   isc_boolean_t default_allow, isc_boolean_t logfailure)
 {
 	isc_result_t result;
 	int match;
@ -1589,7 +1589,8 @@ ns_client_checkacl(ns_client_t  *client,

 deny:
 	ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-		      NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
+		      NS_LOGMODULE_CLIENT,
+		      logfailure ? ISC_LOG_ERROR : ISC_LOG_DEBUG(3),
 		      "%s denied", opname);
 	return (DNS_R_REFUSED);
 }
--- a/bin/named/include/named/client.h
+++ b/bin/named/include/named/client.h
@ -223,7 +223,8 @@ ns_client_getsockaddr(ns_client_t *client);
 isc_result_t
 ns_client_checkacl(ns_client_t  *client,
 		   const char *opname, dns_acl_t *acl,
-		   isc_boolean_t default_allow);
+		   isc_boolean_t default_allow,
+		   isc_boolean_t logfailure);
 /*
 * Convenience function for client request ACL checking.
 *
--- a/bin/named/query.c
+++ b/bin/named/query.c
@ -67,6 +67,9 @@
 #define QTRACE(m) ((void)m)
 #endif

+#define DNS_GETDB_NOEXACT 0x01U
+#define DNS_GETDB_NOLOG 0x02U
+

 static isc_result_t
 query_simplefind(void *arg, dns_name_t *name, dns_rdatatype_t type,
@ -443,12 +446,14 @@ query_getdb(ns_client_t *client, dns_name_t *name, unsigned int options,
 	isc_boolean_t check_acl, new_zone;
 	dns_acl_t *queryacl;
 	ns_dbversion_t *dbversion;
+	unsigned int ztoptions;

 	/*
 	 * Find a database to answer the query.
 	 */
+	ztoptions = ((options & DNS_GETDB_NOEXACT) != 0) ? DNS_ZTFIND_NOEXACT : 0;

-	result = dns_zt_find(client->view->zonetable, name, options, NULL,
+	result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL,
 			     zonep);
 	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
 		result = dns_zone_getdb(*zonep, dbp);
@ -515,11 +520,9 @@ query_getdb(ns_client_t *client, dns_name_t *name, unsigned int options,
 	}

 	if (check_acl) {
-		/*
-		 * XXX RTH  need a "should we log acl failure" flag.
-		 */
+		isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
 		result = ns_client_checkacl(client, "query", queryacl,
-					    ISC_TRUE);
+					    ISC_TRUE, log);
 		if (queryacl == client->view->queryacl) {
 			if (result == ISC_R_SUCCESS) {
 				/*
@ -769,7 +772,8 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 	/*
 	 * Find a database to answer the query.
 	 */
-	result = query_getdb(client, name, 0, &zone, &db, &version, &is_zone);
+	result = query_getdb(client, name, DNS_GETDB_NOLOG,
+			     &zone, &db, &version, &is_zone);
 	if (result != ISC_R_SUCCESS) {
 		/*
 		 * We don't want an ACL failure to fail the query.
@ -1871,7 +1875,7 @@ query_findparentkey(ns_client_t *client, dns_name_t *name,
 	is_zone = ISC_FALSE;
 	dns_fixedname_init(&pfoundname);

-	result = query_getdb(client, name, DNS_ZTFIND_NOEXACT,
+	result = query_getdb(client, name, DNS_GETDB_NOEXACT,
 			     &pzone, &pdb, &pversion, &is_zone);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
--- a/bin/named/update.c
+++ b/bin/named/update.c
@ -2017,10 +2017,11 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	if (ssutable == NULL)
 		CHECK(ns_client_checkacl(client, "update",
 					 dns_zone_getupdateacl(zone),
-					 ISC_FALSE));
+					 ISC_FALSE, ISC_TRUE));
 	else if (client->signer == NULL) {
 		/* This gets us a free log message. */
-		CHECK(ns_client_checkacl(client, "update", NULL, ISC_FALSE));
+		CHECK(ns_client_checkacl(client, "update", NULL, ISC_FALSE,
+					 ISC_TRUE));
 	}

 	/*
--- a/bin/named/xfrout.c
+++ b/bin/named/xfrout.c
@ -15,7 +15,7 @@
 * SOFTWARE.
 */

-/* $Id: xfrout.c,v 1.67 2000/06/15 00:08:53 bwelling Exp $ */
+/* $Id: xfrout.c,v 1.68 2000/06/15 04:41:59 marka Exp $ */

 #include <config.h>

@ -933,7 +933,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 	 * Decide whether to allow this transfer.
 	 */
 	CHECK(ns_client_checkacl(client, "zone transfer",
-				 dns_zone_getxfracl(zone), ISC_TRUE));
+				 dns_zone_getxfracl(zone), ISC_TRUE, ISC_TRUE));

 	/*
 	 * AXFR over UDP is not possible.