pass in the log level desired; make 'client denied recursion' log at debug level 1 always.

CHANGES

@@ -1,3 +1,8 @@
+ 444.	[func]		"recursion denied" messages are always logged at
+			debug level 1, now, rather than sometimes at ERROR.
+			This silences these warnings in the usual case, where
+			some clients set the RD bit in all queries.
+
  443.	[bug]		When loading a master file failed because of an
 			unrecognized RR type name, the error message
 			did not include the file name and line number. 

bin/named/client.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.c,v 1.110 2000/09/12 07:48:28 bwelling Exp $ */
+/* $Id: client.c,v 1.111 2000/09/12 18:45:30 explorer Exp $ */
 
 #include <config.h>
 
@@ -865,7 +865,6 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	dns_view_t *view;
 	dns_rdataset_t *opt;
 	isc_boolean_t ra; 	/* Recursion available. */
-	isc_boolean_t rd; 	/* Recursion desired. */
 
 	REQUIRE(event != NULL);
 	client = event->ev_arg;
@@ -1102,13 +1101,12 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	 * responses to ordinary queries.
 	 */
 	ra = ISC_FALSE;
-	rd = ISC_TF((client->message->flags & DNS_MESSAGEFLAG_RD) != 0);
 	if (client->view->resolver != NULL &&
 	    client->view->recursion == ISC_TRUE &&
 	    /* XXX this will log too much too early */
 	    ns_client_checkacl(client, "recursion",
 			       client->view->recursionacl,
-			       ISC_TRUE, rd) == ISC_R_SUCCESS)
+			       ISC_TRUE, ISC_LOG_DEBUG(1)) == ISC_R_SUCCESS)
 		ra = ISC_TRUE;
 
 	if (ra == ISC_TRUE)
@@ -1647,7 +1645,7 @@ ns_client_getsockaddr(ns_client_t *client) {
 isc_result_t
 ns_client_checkacl(ns_client_t  *client,
 		   const char *opname, dns_acl_t *acl,
-		   isc_boolean_t default_allow, isc_boolean_t logfailure)
+		   isc_boolean_t default_allow, int log_level)
 {
 	isc_result_t result;
 	int match;
@@ -1680,8 +1678,7 @@ ns_client_checkacl(ns_client_t  *client,
  deny:
 	ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
 		      NS_LOGMODULE_CLIENT,
-		      logfailure ? ISC_LOG_ERROR : ISC_LOG_DEBUG(3),
-		      "%s denied", opname);
+		      log_level, "%s denied", opname);
 	return (DNS_R_REFUSED);
 }
 

bin/named/include/named/client.h

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.h,v 1.40 2000/08/01 01:12:03 tale Exp $ */
+/* $Id: client.h,v 1.41 2000/09/12 18:45:39 explorer Exp $ */
 
 #ifndef NAMED_CLIENT_H
 #define NAMED_CLIENT_H 1
@@ -229,7 +229,7 @@ isc_result_t
 ns_client_checkacl(ns_client_t  *client,
 		   const char *opname, dns_acl_t *acl,
 		   isc_boolean_t default_allow,
-		   isc_boolean_t logfailure);
+		   int log_level);
 /*
  * Convenience function for client request ACL checking.
  *

bin/named/query.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.128 2000/09/06 18:41:22 gson Exp $ */
+/* $Id: query.c,v 1.129 2000/09/12 18:45:32 explorer Exp $ */
 
 #include <config.h>
 
@@ -557,7 +557,8 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, unsigned int options,
 	if (check_acl) {
 		isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
 		result = ns_client_checkacl(client, "query", queryacl,
-					    ISC_TRUE, log);
+					    ISC_TRUE,
+					    log ? ISC_LOG_ERROR : ISC_LOG_DEBUG(3));
 
 		if (queryacl == client->view->queryacl) {
 			if (result == ISC_R_SUCCESS) {
@@ -645,8 +646,10 @@ query_getcachedb(ns_client_t *client, dns_db_t **dbp, unsigned int options)
 
 	if (check_acl) {
 		isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
-		result = ns_client_checkacl(client, "query", client->view->queryacl,
-					    ISC_TRUE, log);
+		result = ns_client_checkacl(client, "query",
+					    client->view->queryacl,
+					    ISC_TRUE,
+					    log ? ISC_LOG_ERROR : ISC_LOG_DEBUG(3));
 		if (result == ISC_R_SUCCESS) {
 			/*
 			 * We were allowed by the default

bin/named/update.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.61 2000/09/12 10:38:51 bwelling Exp $ */
+/* $Id: update.c,v 1.62 2000/09/12 18:45:34 explorer Exp $ */
 
 #include <config.h>
 
@@ -2019,11 +2019,11 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	if (ssutable == NULL)
 		CHECK(ns_client_checkacl(client, "update",
 					 dns_zone_getupdateacl(zone),
-					 ISC_FALSE, ISC_TRUE));
+					 ISC_FALSE, ISC_LOG_ERROR));
 	else if (client->signer == NULL) {
 		/* This gets us a free log message. */
 		CHECK(ns_client_checkacl(client, "update", NULL, ISC_FALSE,
-					 ISC_TRUE));
+					 ISC_LOG_ERROR));
 	}
 
 	/*

bin/named/xfrout.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrout.c,v 1.75 2000/08/29 19:07:11 gson Exp $ */
+/* $Id: xfrout.c,v 1.76 2000/09/12 18:45:36 explorer Exp $ */
 
 #include <config.h>
 
@@ -942,7 +942,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 	 */
 	CHECK(ns_client_checkacl(client, "zone transfer",
 				 dns_zone_getxfracl(zone), ISC_TRUE,
-				 ISC_TRUE));
+				 ISC_LOG_ERROR));
 
 	/*
 	 * AXFR over UDP is not possible.