diff --git a/CHANGES b/CHANGES
index b7a844a1d1..9e08e33107 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+ 444. [func] "recursion denied" messages are always logged at
+ debug level 1, now, rather than sometimes at ERROR.
+ This silences these warnings in the usual case, where
+ some clients set the RD bit in all queries.
+
 443. [bug] When loading a master file failed because of an unrecognized RR type name, the error message did not include the file name and line number.
diff --git a/bin/named/client.c b/bin/named/client.c
index e724289213..ef3ff05346 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: client.c,v 1.110 2000/09/12 07:48:28 bwelling Exp $ */
+/* $Id: client.c,v 1.111 2000/09/12 18:45:30 explorer Exp $ */
 #include
@@ -865,7 +865,6 @@ client_request(isc_task_t *task, isc_event_t *event) {
 dns_view_t *view;
 dns_rdataset_t *opt;
 isc_boolean_t ra; /* Recursion available. */
- isc_boolean_t rd; /* Recursion desired. */
 REQUIRE(event != NULL);
 client = event->ev_arg;
@@ -1102,13 +1101,12 @@ client_request(isc_task_t *task, isc_event_t *event) {
 * responses to ordinary queries.
 */
 ra = ISC_FALSE;
- rd = ISC_TF((client->message->flags & DNS_MESSAGEFLAG_RD) != 0);
 if (client->view->resolver != NULL &&
 client->view->recursion == ISC_TRUE &&
 /* XXX this will log too much too early */
 ns_client_checkacl(client, "recursion",
 client->view->recursionacl,
- ISC_TRUE, rd) == ISC_R_SUCCESS)
+ ISC_TRUE, ISC_LOG_DEBUG(1)) == ISC_R_SUCCESS)
 ra = ISC_TRUE;
 if (ra == ISC_TRUE)
@@ -1647,7 +1645,7 @@ ns_client_getsockaddr(ns_client_t *client) {
 isc_result_t
 ns_client_checkacl(ns_client_t *client,
 const char *opname, dns_acl_t *acl,
- isc_boolean_t default_allow, isc_boolean_t logfailure)
+ isc_boolean_t default_allow, int log_level)
 {
 isc_result_t result;
 int match;
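Review bot: In the client.c hunk `@@ -1102,13 +1101,12 @@`, a refused recursion check is now logged at `ISC_LOG_DEBUG(1)` even when the client did set RD and falls outside `recursionacl`, so at normal logging levels nothing in the security category records who is being refused recursion. The CHANGES entry says this is intended, but the call site carries no explanation, and the surviving `/* XXX this will log too much too early */` appears to describe the behaviour being removed. I would replace it with a comment such as `/* Denials are logged at debug level 1 only: many clients set RD on every query, so a refusal here is routine. */`. client_request starts and ends outside this hunk.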
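Review bot: The last parameter of ns_client_checkacl changes from `isc_boolean_t logfailure` to `int log_level` in the hunk `@@ -1647,7 +1645,7 @@`, and a caller that still passes `ISC_TRUE` or `ISC_FALSE` will compile without complaint, presumably because the boolean converts to int. Such a stale argument would be handed to ns_client_log as the level (see the `deny:` path in the next client.c hunk), which would most likely demote a denial that used to be logged at ERROR to a debug or default level. This diff updates callers in client.c, query.c, update.c and xfrout.c; any other caller in the tree needs the same change. A comment above the definition would make the contract explicit: `/* log_level is an ISC_LOG_* level for the "denied" message, not a boolean. */`.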
@@ -1680,8 +1678,7 @@ ns_client_checkacl(ns_client_t *client,
 deny:
 ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT,
- logfailure ? ISC_LOG_ERROR : ISC_LOG_DEBUG(3),
- "%s denied", opname);
+ log_level, "%s denied", opname);
 return (DNS_R_REFUSED);
 }
diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
index 9f5dffdd71..5662e73d0a 100644
--- a/bin/named/include/named/client.h
+++ b/bin/named/include/named/client.h
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: client.h,v 1.40 2000/08/01 01:12:03 tale Exp $ */
+/* $Id: client.h,v 1.41 2000/09/12 18:45:39 explorer Exp $ */
 #ifndef NAMED_CLIENT_H
 #define NAMED_CLIENT_H 1
@@ -229,7 +229,7 @@ isc_result_t ns_client_checkacl(ns_client_t *client, const char *opname, dns_acl_t *acl, isc_boolean_t default_allow,
- isc_boolean_t logfailure);
+ int log_level);
 /*
 * Convenience function for client request ACL checking.
 *
diff --git a/bin/named/query.c b/bin/named/query.c
index 9d94d8b9c6..160b55840f 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: query.c,v 1.128 2000/09/06 18:41:22 gson Exp $ */
+/* $Id: query.c,v 1.129 2000/09/12 18:45:32 explorer Exp $ */
 #include
@@ -557,7 +557,8 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, unsigned int options,
 if (check_acl) {
 isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
 result = ns_client_checkacl(client, "query", queryacl,
- ISC_TRUE, log);
+ ISC_TRUE,
+ log ? ISC_LOG_ERROR : ISC_LOG_DEBUG(3));
 if (queryacl == client->view->queryacl) {
 if (result == ISC_R_SUCCESS) {
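Review bot: The comment under the ns_client_checkacl prototype ("Convenience function for client request ACL checking") begins in the trailing context of the client.h hunk `@@ -229,7 +229,7 @@` and continues outside it, and the hunk changes the parameter without touching that comment. If the text still refers to `logfailure`, it should be reworded to describe the new argument, for example ` * On denial, "<opname> denied" is logged in the security category at 'log_level'.` The message format and category are taken from the `deny:` path shown in client.c.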
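Review bot: The expression `log ? ISC_LOG_ERROR : ISC_LOG_DEBUG(3)` is now spelled out at both call sites, in query_getzonedb (query.c hunk `@@ -557,7 +557,8 @@`) and again in query_getcachedb (hunk `@@ -645,8 +646,10 @@`), so the two can drift apart the next time the logging policy changes. Computing the level once per function, `int log_level = ((options & DNS_GETDB_NOLOG) == 0) ? ISC_LOG_ERROR : ISC_LOG_DEBUG(3);`, and passing `log_level` keeps the mapping from the NOLOG option to a level on one line and makes the call itself shorter. Both functions start and end outside their hunks.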
@@ -645,8 +646,10 @@ query_getcachedb(ns_client_t *client, dns_db_t **dbp, unsigned int options)
 if (check_acl) {
 isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
- result = ns_client_checkacl(client, "query", client->view->queryacl,
- ISC_TRUE, log);
+ result = ns_client_checkacl(client, "query",
+ client->view->queryacl,
+ ISC_TRUE,
+ log ? ISC_LOG_ERROR : ISC_LOG_DEBUG(3));
 if (result == ISC_R_SUCCESS) {
 /*
 * We were allowed by the default
diff --git a/bin/named/update.c b/bin/named/update.c
index 4f123a4d04..30deffb037 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: update.c,v 1.61 2000/09/12 10:38:51 bwelling Exp $ */
+/* $Id: update.c,v 1.62 2000/09/12 18:45:34 explorer Exp $ */
 #include
@@ -2019,11 +2019,11 @@ update_action(isc_task_t *task, isc_event_t *event) {
 if (ssutable == NULL)
 CHECK(ns_client_checkacl(client, "update",
 dns_zone_getupdateacl(zone),
- ISC_FALSE, ISC_TRUE));
+ ISC_FALSE, ISC_LOG_ERROR));
 else if (client->signer == NULL) {
 /* This gets us a free log message. */
 CHECK(ns_client_checkacl(client, "update", NULL, ISC_FALSE,
- ISC_TRUE));
+ ISC_LOG_ERROR));
 }
 /*
diff --git a/bin/named/xfrout.c b/bin/named/xfrout.c
index 4484d38421..586ff07b4b 100644
--- a/bin/named/xfrout.c
+++ b/bin/named/xfrout.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: xfrout.c,v 1.75 2000/08/29 19:07:11 gson Exp $ */
+/* $Id: xfrout.c,v 1.76 2000/09/12 18:45:36 explorer Exp $ */
 #include
@@ -942,7 +942,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 */
 CHECK(ns_client_checkacl(client, "zone transfer",
 dns_zone_getxfracl(zone), ISC_TRUE,
- ISC_TRUE));
+ ISC_LOG_ERROR));
 /*
 * AXFR over UDP is not possible.