Merge branch '3209-notauth-subdomain' into 'main'

NOTAUTH errors should log the zone from the query not the nearest match Closes #3209 See merge request isc-projects/bind9!5982
2026-05-28 04:34:54 -04:00 · 2022-03-30 12:12:08 +00:00 · 2022-03-30 12:12:08 +00:00 · 3dd8af9aa8
commit 3dd8af9aa8
parent 8594cd00bc 84c4eb02e7
3 changed files with 40 additions and 1 deletions
--- a/5
+++ b/5
@ -1,3 +1,8 @@
+5843.	[bug]		When an UPDATE targets a zone that is not configured,
+			the requested zone name is now logged in the "not
+			authoritative" error message, so that it is easier to
+			track down problematic update clients. [GL #3209]
+
 5842.	[cleanup]	Remove the task exclusive mode use in ns_clientmgr.
 			[GL #3230]

--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@ -82,6 +82,32 @@ digcomp knowngood.ns1.before dig.out.ns1 || ret=1
 digcomp knowngood.ns1.before dig.out.ns2 || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }

+ret=0
+echo_i "ensure an unrelated zone is mentioned in its NOTAUTH log"
+$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END && ret=1
+server 10.53.0.1 ${PORT}
+zone unconfigured.test
+update add unconfigured.test 600 IN A 10.53.0.1
+send
+END
+grep NOTAUTH nsupdate.out > /dev/null 2>&1 || ret=1
+grep ' unconfigured.test: not authoritative' ns1/named.run \
+     > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "ensure a subdomain is mentioned in its NOTAUTH log"
+$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END && ret=1
+server 10.53.0.1 ${PORT}
+zone sub.sub.example.nil
+update add sub.sub.sub.example.nil 600 IN A 10.53.0.1
+send
+END
+grep NOTAUTH nsupdate.out > /dev/null 2>&1 || ret=1
+grep ' sub.sub.example.nil: not authoritative' ns1/named.run \
+     > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
 ret=0
 echo_i "updating zone"
 # nsupdate will print a ">" prompt to stdout as it gets each input line.
--- a/lib/ns/update.c
+++ b/lib/ns/update.c
@ -1726,7 +1726,15 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,

 	result = dns_zt_find(client->view->zonetable, zonename, 0, NULL, &zone);
 	if (result != ISC_R_SUCCESS) {
-		FAILC(DNS_R_NOTAUTH, "not authoritative for update zone");
+		/*
+		 * If we found a zone that is a parent of the update zonename,
+		 * detach it so it isn't mentioned in log - it is irrelevant.
+		 */
+		if (zone != NULL) {
+			dns_zone_detach(&zone);
+		}
+		FAILN(DNS_R_NOTAUTH, zonename,
+		      "not authoritative for update zone");
 	}

 	/*