From 41460026bc34cae91364979a5ae5e6068c8b8337 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Sat, 10 Jan 2015 22:01:42 +1100
Subject: [PATCH] 4032. [bug] Built-in "empty" zones did not correctly inherit the "allow-transfer" ACL from the options or view. [RT #38310] (cherry picked from commit 79521569952d5e2475f05e4397dc976f4685056e)
---
 CHANGES | 4 ++++
 bin/named/server.c | 9 ++++++---
 bin/tests/system/emptyzones/clean.sh | 1 +
 bin/tests/system/emptyzones/ns1/named2.conf | 5 +++++
 bin/tests/system/emptyzones/tests.sh | 8 ++++++++
 doc/arm/notes.xml | 6 ++++++
 6 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/CHANGES b/CHANGES
index 8aa92b17de..ebf6a07236 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4032. [bug] Built-in "empty" zones did not correctly inherit the
+ "allow-transfer" ACL from the options or view.
+ [RT #38310]
+
 4031. [bug] named-checkconf -z failed to report a missing file with a hint zone. [RT #38294]
diff --git a/bin/named/server.c b/bin/named/server.c
index 113b1259c4..8c322c18fb 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -2258,16 +2258,19 @@ create_empty_zone(dns_zone_t *zone, dns_name_t *name, dns_view_t *view,
 dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
 dns_zone_setnotifytype(zone, dns_notifytype_no);
 dns_zone_setdialup(zone, dns_dialuptype_no);
- if (view->queryacl)
+ if (view->queryacl != NULL)
 dns_zone_setqueryacl(zone, view->queryacl);
 else
 dns_zone_clearqueryacl(zone);
- if (view->queryonacl)
+ if (view->queryonacl != NULL)
 dns_zone_setqueryonacl(zone, view->queryonacl);
 else
 dns_zone_clearqueryonacl(zone);
 dns_zone_clearupdateacl(zone);
- dns_zone_clearxfracl(zone);
+ if (view->transferacl != NULL)
+ dns_zone_setxfracl(zone, view->transferacl);
+ else
+ dns_zone_clearxfracl(zone);
 CHECK(setquerystats(zone, view->mctx, statlevel));
 if (db != NULL) {
diff --git a/bin/tests/system/emptyzones/clean.sh b/bin/tests/system/emptyzones/clean.sh
index 13a5e9e147..0f761a1874 100644
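Review bot: The new `else` branch leaves the empty zone with no transfer ACL at all rather than an explicit deny, and nothing in the hunk says this is deliberate; with the view's `transferacl` unset the transfer path will presumably apply its own default for an ACL-less zone, and a reader could just as easily assume `dns_zone_clearxfracl()` means "refuse". A one-line comment above the block would pin the intent, e.g. `/* No allow-transfer on the view: leave the zone ACL unset so the empty zone is treated like any zone configured without one. */`. The same applies to the `queryacl`/`queryonacl` branches above, which the new block now mirrors, while `dns_zone_clearupdateacl()` stays unconditional and could carry a matching note that empty zones are never updatable. `create_empty_zone` begins and ends outside the hunk.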
--- a/bin/tests/system/emptyzones/clean.sh
+++ b/bin/tests/system/emptyzones/clean.sh
@@ -13,3 +13,4 @@
 # PERFORMANCE OF THIS SOFTWARE.
 rm -f ns1/named.conf
+rm -f dig.out.test*
diff --git a/bin/tests/system/emptyzones/ns1/named2.conf b/bin/tests/system/emptyzones/ns1/named2.conf
index 60cc5efd79..ae0e6e2f99 100644
--- a/bin/tests/system/emptyzones/ns1/named2.conf
+++ b/bin/tests/system/emptyzones/ns1/named2.conf
@@ -41,9 +41,14 @@ options {
 except-from { "goodcname.example.net"; "gooddname.example.net"; };
 allow-query {!10.53.0.8; any; };
+ allow-transfer { none; };
 };
 zone "." {
 type hint;
 file "root.hint";
 };
+
+zone "1.10.in-addr.arpa" {
+ type master; file "empty.db";
+};
diff --git a/bin/tests/system/emptyzones/tests.sh b/bin/tests/system/emptyzones/tests.sh
index 755d89d56f..672f9d4055 100644
--- a/bin/tests/system/emptyzones/tests.sh
+++ b/bin/tests/system/emptyzones/tests.sh
@@ -32,4 +32,12 @@ $DIG +vc version.bind txt ch @10.53.0.1 -p 5300 > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
+n=`expr $n + 1`
+echo "I:check that allow-transfer { none; } works ($n)"
+ret=0
+$DIG axfr 10.in-addr.arpa @10.53.0.1 -p 5300 +all > dig.out.test$n || ret=1
+grep "status: REFUSED" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 exit $status
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 4e62335577..c34dc65642 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -275,6 +275,12 @@ contacting authoritative servers for the first time.
+
+
+ Built-in "empty" zones did not correctly inherit the
+ "allow-transfer" ACL from the options or view. [RT #38310]
+
+
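Review bot: The new `zone "1.10.in-addr.arpa"` master zone is added without saying what it is for; it sits beneath `10.in-addr.arpa`, the built-in empty zone that `tests.sh` requests an AXFR of, so presumably it is there to confirm that a child zone neither suppresses the empty zone nor changes its ACL, but the config should say so. A comment line above it, e.g. `// child of the built-in 10.in-addr.arpa empty zone; the empty zone must still exist above it`, would spare the next reader the guess. The `allow-transfer { none; };` line in `options` is the setting the new test depends on and deserves a similar one-line note.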
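Review bot: Only the deny path is exercised: the new check asserts `status: REFUSED` for an AXFR of the built-in `10.in-addr.arpa` zone under `allow-transfer { none; }`, so a regression that refused transfers of empty zones unconditionally would still pass. A companion check against a configuration whose view-level ACL permits the transfer, expecting dig's `XFR size` summary line instead of `REFUSED`, would cover the inheritance the fix is actually about. If the dig build in use reports a refused transfer through a non-zero exit status, the `|| ret=1` on the `$DIG axfr` line would also fail the check before the grep runs, which is worth confirming.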