4032. [bug] Built-in "empty" zones did not correctly inherit the

"allow-transfer" ACL from the options or view. [RT #38310] (cherry picked from commit 7952156995)
2026-06-14 22:10:01 -04:00 · 2015-01-10 22:01:42 +11:00 · 2015-01-10 22:01:42 +11:00 · 41460026bc
commit 41460026bc
parent 173d9db665
6 changed files with 30 additions and 3 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+4032.	[bug]		Built-in "empty" zones did not correctly inherit the
+			"allow-transfer" ACL from the options or view.
+			[RT #38310]
+
 4031.	[bug]		named-checkconf -z failed to report a missing file
 			with a hint zone. [RT #38294]

--- a/bin/named/server.c
+++ b/bin/named/server.c
@ -2258,16 +2258,19 @@ create_empty_zone(dns_zone_t *zone, dns_name_t *name, dns_view_t *view,
 	dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
 	dns_zone_setnotifytype(zone, dns_notifytype_no);
 	dns_zone_setdialup(zone, dns_dialuptype_no);
-	if (view->queryacl)
+	if (view->queryacl != NULL)
 		dns_zone_setqueryacl(zone, view->queryacl);
 	else
 		dns_zone_clearqueryacl(zone);
-	if (view->queryonacl)
+	if (view->queryonacl != NULL)
 		dns_zone_setqueryonacl(zone, view->queryonacl);
 	else
 		dns_zone_clearqueryonacl(zone);
 	dns_zone_clearupdateacl(zone);
-	dns_zone_clearxfracl(zone);
+	if (view->transferacl != NULL)
+		dns_zone_setxfracl(zone, view->transferacl);
+	else
+		dns_zone_clearxfracl(zone);

 	CHECK(setquerystats(zone, view->mctx, statlevel));
 	if (db != NULL) {
--- a/bin/tests/system/emptyzones/clean.sh
+++ b/bin/tests/system/emptyzones/clean.sh
@ -13,3 +13,4 @@
 # PERFORMANCE OF THIS SOFTWARE.

 rm -f ns1/named.conf
+rm -f dig.out.test*
--- a/bin/tests/system/emptyzones/ns1/named2.conf
+++ b/bin/tests/system/emptyzones/ns1/named2.conf
@ -41,9 +41,14 @@ options {
 		except-from { "goodcname.example.net";
 			      "gooddname.example.net"; };
 	allow-query {!10.53.0.8; any; };
+	allow-transfer { none; };
 };

 zone "." {
 	type hint;
 	file "root.hint";
 };
+
+zone "1.10.in-addr.arpa" {
+	type master; file "empty.db";
+};
--- a/bin/tests/system/emptyzones/tests.sh
+++ b/bin/tests/system/emptyzones/tests.sh
@ -32,4 +32,12 @@ $DIG +vc version.bind txt ch @10.53.0.1 -p 5300 > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+n=`expr $n + 1`
+echo "I:check that allow-transfer { none; } works ($n)"
+ret=0
+$DIG axfr 10.in-addr.arpa @10.53.0.1 -p 5300 +all > dig.out.test$n || ret=1
+grep "status: REFUSED" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 exit $status
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@ -275,6 +275,12 @@
 	  contacting authoritative servers for the first time.
        </para>
      </listitem>
+      <listitem>
+        <para>
+	  Built-in "empty" zones did not correctly inherit the
+	  "allow-transfer" ACL from the options or view. [RT #38310]
+        </para>
+      </listitem>
    </itemizedlist>
  </sect2>
  <sect2 id="end_of_life">