negative 'blackhole' ACL match could be treated as positive

There was a bug in the checking of the "blackhole" ACL in
dns_request_create*(), causing an address to be treated as included
in the ACL if it was explicitly *excluded*. Thus, leaving "blackhole"
unset had no effect, but setting it to "none" would cause any
destination addresses to be rejected for dns_request purposes. This
would cause zone transfer requests and SOA queries to fail, among
other things.

The bug has been fixed, and "blackhole { none; };" was added to the
xfer system test as a regression test.

bin/tests/system/xfer/ns4/named.conf.base

@@ -21,6 +21,7 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
+	blackhole { none; };
 };
 
 key rndc_key {

lib/dns/request.c

@@ -383,7 +383,7 @@ isblackholed(dns_dispatchmgr_t *dispatchmgr, const isc_sockaddr_t *destaddr) {
 
 	isc_netaddr_fromsockaddr(&netaddr, destaddr);
 	result = dns_acl_match(&netaddr, NULL, blackhole, NULL, &match, NULL);
-	if (result != ISC_R_SUCCESS || match == 0) {
+	if (result != ISC_R_SUCCESS || match <= 0) {
 		return (false);
 	}