From 0bfcec250f9705a1211d0374f0fc1049960de84b Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 15 Jun 2000 04:42:01 +0000
Subject: [PATCH] 254. [bug] suppress "query denied" messages on additional data lookups. ISC-Bugs #139

---
 CHANGES | 3 +++
 bin/named/client.c | 7 ++++---
 bin/named/include/named/client.h | 3 ++-
 bin/named/query.c | 18 +++++++++++-------
 bin/named/update.c | 5 +++--
 bin/named/xfrout.c | 4 ++--
 6 files changed, 25 insertions(+), 15 deletions(-)

diff --git a/CHANGES b/CHANGES
index 5d09c6555a..e71bad209a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+ 254. [bug] suppress "query denied" messages on additional data
+ lookups.
+
 --- 9.0.0b4 released ---
 
 253. [func] resolv.conf parser now recognises ';' and '#' as
diff --git a/bin/named/client.c b/bin/named/client.c
index bd90e74c58..29bb9df8b9 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -1009,7 +1009,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
 /* XXX this will log too much too early */
 ns_client_checkacl(client, "recursion",
 client->view->recursionacl,
- ISC_TRUE) == ISC_R_SUCCESS)
+ ISC_TRUE, ISC_TRUE) == ISC_R_SUCCESS)
 ra = ISC_TRUE;
 
 if (ra == ISC_TRUE)
@@ -1557,7 +1557,7 @@ ns_client_getsockaddr(ns_client_t *client) {
 isc_result_t
 ns_client_checkacl(ns_client_t *client,
 const char *opname, dns_acl_t *acl,
- isc_boolean_t default_allow)
+ isc_boolean_t default_allow, isc_boolean_t logfailure)
 {
 isc_result_t result;
 int match;
@@ -1589,7 +1589,8 @@ ns_client_checkacl(ns_client_t *client,
 
 deny:
 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
+ NS_LOGMODULE_CLIENT,
+ logfailure ? ISC_LOG_ERROR : ISC_LOG_DEBUG(3),
 "%s denied", opname);
 return (DNS_R_REFUSED);
 }
diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
index 5c90190174..6baacae596 100644
--- a/bin/named/include/named/client.h
+++ b/bin/named/include/named/client.h
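Review bot: The recursion ACL check in the hunk at line 1009 keeps the `/* XXX this will log too much too early */` comment while passing `ISC_TRUE` for the new `logfailure` argument, so a client outside the recursion ACL is still logged at ISC_LOG_ERROR every time `ra` is computed, even though the new parameter is exactly the switch that comment asks for. Either pass `ISC_FALSE` at this site, so the ERROR-level "recursion denied" message is reserved for a check on the actual recursive path, or reword the comment to say error-level logging at request time is deliberate. client_request continues outside the hunk, so whether a later check logs the refusal for real recursive queries is not visible here; worth confirming before choosing.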
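Review bot: In the hunk at line 1589 the suppressed denial is still emitted under DNS_LOGCATEGORY_SECURITY, only at ISC_LOG_DEBUG(3), with the same `"%s denied"` text as the error-level message; nothing at the call site records that this is the intended place to find the quiet denials. A short comment above the ns_client_log call, such as `/* Denials with logfailure == ISC_FALSE are kept out of the normal log but remain visible at debug level 3 in the security category. */`, would save an operator from concluding the check was skipped. The return of DNS_R_REFUSED is unaffected by logfailure, which is the right behaviour for an access check; ns_client_checkacl's body starts before this hunk.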
@@ -223,7 +223,8 @@ ns_client_getsockaddr(ns_client_t *client);
 isc_result_t
 ns_client_checkacl(ns_client_t *client,
 const char *opname, dns_acl_t *acl,
- isc_boolean_t default_allow);
+ isc_boolean_t default_allow,
+ isc_boolean_t logfailure);
 /*
 * Convenience function for client request ACL checking.
 *
diff --git a/bin/named/query.c b/bin/named/query.c
index fbc150b151..f1bad63c33 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -67,6 +67,9 @@
 #define QTRACE(m) ((void)m)
 #endif
 
+#define DNS_GETDB_NOEXACT 0x01U
+#define DNS_GETDB_NOLOG 0x02U
+
 static isc_result_t
 query_simplefind(void *arg, dns_name_t *name, dns_rdatatype_t type,
@@ -443,12 +446,14 @@ query_getdb(ns_client_t *client, dns_name_t *name, unsigned int options,
 isc_boolean_t check_acl, new_zone;
 dns_acl_t *queryacl;
 ns_dbversion_t *dbversion;
+ unsigned int ztoptions;
 
 /*
 * Find a database to answer the query.
 */
+ ztoptions = ((options & DNS_GETDB_NOEXACT) != 0) ? DNS_ZTFIND_NOEXACT : 0;
- result = dns_zt_find(client->view->zonetable, name, options, NULL,
+ result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL,
 zonep);
 if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
 result = dns_zone_getdb(*zonep, dbp);
@@ -515,11 +520,9 @@ query_getdb(ns_client_t *client, dns_name_t *name, unsigned int options,
 }
 
 if (check_acl) {
- /*
- * XXX RTH need a "should we log acl failure" flag.
- */
+ isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
 result = ns_client_checkacl(client, "query", queryacl,
- ISC_TRUE);
+ ISC_TRUE, log);
 if (queryacl == client->view->queryacl) {
 if (result == ISC_R_SUCCESS) {
 /*
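Review bot: The new `logfailure` parameter on the ns_client_checkacl prototype in client.h is undocumented, and the only comment near it ("Convenience function for client request ACL checking") describes the existing behaviour without mentioning the flag. A comment on the declaration should say what is visible in client.c in this patch: when the client is denied, the `"%s denied"` message is logged at ISC_LOG_ERROR if logfailure is true and at ISC_LOG_DEBUG(3) otherwise, and DNS_R_REFUSED is returned in both cases, so the flag changes log severity only and never the access decision. Callers that pass ISC_FALSE (query_getdb with DNS_GETDB_NOLOG in this patch) should be pointed at that sentence so nobody reads the quiet level as a bypass.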
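Review bot: `DNS_GETDB_NOEXACT` and `DNS_GETDB_NOLOG` in the hunk at line 67 carry no comment, and the hunk at line 446 changes `options` from being passed straight to dns_zt_find() to being translated flag by flag, so any caller still handing query_getdb a raw DNS_ZTFIND_* value now has its flag silently dropped instead of honoured or rejected. Suggest a comment above the defines, `/* query_getdb() option flags. These are not DNS_ZTFIND_* values; the zone-table options are derived from them inside query_getdb(). */`, and, if query.c uses REQUIRE() elsewhere as the rest of named does, `REQUIRE((options & ~(DNS_GETDB_NOEXACT | DNS_GETDB_NOLOG)) == 0);` at the top of query_getdb so a stale caller fails loudly. query_getdb begins before the hunk at line 446 and continues past it, so the right place for the assertion is not visible here.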
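Review bot: The local introduced in the hunk at line 520 is named `log`, which shadows the libm function of the same name wherever <math.h> is reachable (directly or through another header) and trips -Wshadow; it also says less than the parameter it feeds. Renaming it to match the callee reads better: `isc_boolean_t logfailure = ISC_TF((options & DNS_GETDB_NOLOG) == 0);` and `ISC_TRUE, logfailure);`. query_getdb continues outside this hunk.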
@@ -769,7 +772,8 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 /*
 * Find a database to answer the query.
 */
- result = query_getdb(client, name, 0, &zone, &db, &version, &is_zone);
+ result = query_getdb(client, name, DNS_GETDB_NOLOG,
+ &zone, &db, &version, &is_zone);
 if (result != ISC_R_SUCCESS) {
 /*
 * We don't want an ACL failure to fail the query.
@@ -1871,7 +1875,7 @@ query_findparentkey(ns_client_t *client, dns_name_t *name,
 is_zone = ISC_FALSE;
 dns_fixedname_init(&pfoundname);
 
- result = query_getdb(client, name, DNS_ZTFIND_NOEXACT,
+ result = query_getdb(client, name, DNS_GETDB_NOEXACT,
 &pzone, &pdb, &pversion, &is_zone);
 if (result != ISC_R_SUCCESS)
 goto cleanup;
diff --git a/bin/named/update.c b/bin/named/update.c
index 57dee96496..7555b756ab 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -2017,10 +2017,11 @@ update_action(isc_task_t *task, isc_event_t *event) {
 if (ssutable == NULL)
 CHECK(ns_client_checkacl(client, "update",
 dns_zone_getupdateacl(zone),
- ISC_FALSE));
+ ISC_FALSE, ISC_TRUE));
 else if (client->signer == NULL) {
 /* This gets us a free log message. */
- CHECK(ns_client_checkacl(client, "update", NULL, ISC_FALSE));
+ CHECK(ns_client_checkacl(client, "update", NULL, ISC_FALSE,
+ ISC_TRUE));
 }
 
 /*
diff --git a/bin/named/xfrout.c b/bin/named/xfrout.c
index ff133d53ed..6412267bde 100644
--- a/bin/named/xfrout.c
+++ b/bin/named/xfrout.c
@@ -15,7 +15,7 @@
 * SOFTWARE.
 */
 
-/* $Id: xfrout.c,v 1.67 2000/06/15 00:08:53 bwelling Exp $ */
+/* $Id: xfrout.c,v 1.68 2000/06/15 04:41:59 marka Exp $ */
 
 #include
@@ -933,7 +933,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 * Decide whether to allow this transfer.
 */
 CHECK(ns_client_checkacl(client, "zone transfer",
- dns_zone_getxfracl(zone), ISC_TRUE));
+ dns_zone_getxfracl(zone), ISC_TRUE, ISC_TRUE));
 
 /*
 * AXFR over UDP is not possible.
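Review bot: The query_getdb call in the hunk at line 772 now passes `DNS_GETDB_NOLOG`, but the only explanation nearby is the existing "We don't want an ACL failure to fail the query" comment, which covers why the result is tolerated and not why the denial is also kept out of the normal log; someone tracing a missing additional record would not know to raise the debug level. Suggest extending that comment with `ACL denials on additional-data lookups are logged at debug level 3 only (DNS_GETDB_NOLOG); the query itself is not failed.`, which is what the client.c hunk in this patch makes true. query_addadditional continues outside the hunk.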