From 4ec1a96d90784f70380bdec66f8a0bd6718a5b71 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Mon, 6 Nov 2000 08:11:11 +0000 Subject: [PATCH] 542. [func] Add allow-update-forwarding support. --- CHANGES | 2 ++ bin/named/update.c | 26 ++++++++++++++++++++++---- bin/named/zoneconf.c | 9 ++++++++- doc/arm/Bv9ARM-book.xml | 12 ++++++++---- lib/dns/config/confctx.c | 10 +--------- lib/dns/include/dns/zone.h | 34 +++++++++++++++++++++++++++++++++- lib/dns/zone.c | 37 ++++++++++++++++++++++++++++++++++++- lib/dns/zoneconf.c | 9 ++++++++- 8 files changed, 118 insertions(+), 21 deletions(-) diff --git a/CHANGES b/CHANGES index 04617eba60..72bb38d085 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ + 542. [func] Add allow-update-forwarding support. + 541. [func] Add bogus server support. 540. [func] Add dialup support. diff --git a/bin/named/update.c b/bin/named/update.c index bdf93cf15d..4fdf46571d 100644 --- a/bin/named/update.c +++ b/bin/named/update.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: update.c,v 1.71 2000/10/31 03:21:45 marka Exp $ */ +/* $Id: update.c,v 1.72 2000/11/06 08:11:04 marka Exp $ */ #include @@ -1891,9 +1891,27 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) { CHECK(send_update_event(client, zone)); break; /* OK. */ case dns_zone_slave: - if (dns_message_gettsig(client->message, NULL) == NULL) - FAILS(DNS_R_NOTIMP, - "unsigned updates not forwarded"); + if (dns_message_gettsig(client->message, NULL) == NULL) { + dns_acl_t *forwardacl; + + /* + * We only REFUSE if policy is explicitly set and + * we fail to match. + */ + forwardacl = dns_zone_getforwardacl(zone); + if (forwardacl == NULL) { + FAILS(DNS_R_NOTIMP, + "unsigned updates not forwarded (noacl)"); + } else { + result = ns_client_checkacl(client, + "update-forward", + forwardacl, + ISC_FALSE, + ISC_LOG_INFO); + if (result != ISC_R_SUCCESS) + FAIL(DNS_R_REFUSED); + } + } CHECK(send_forward_event(client, zone)); break; /* OK. */ default: 
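Review bot: In the `case dns_zone_slave` branch of ns_update_start, the signed/unsigned split rests on `dns_message_gettsig(client->message, NULL) == NULL` alone, so any request carrying a TSIG record skips the allow-update-forwarding ACL entirely; whether that signature has already been verified earlier in request processing is not visible in this hunk, and the reliance should be stated next to the test, e.g. `/* NOTE: signed updates bypass the forwarding acl; this assumes the TSIG was verified before we got here. */`. The ACL name passed to ns_client_checkacl, `"update-forward"`, does not match the option name `allow-update-forwarding` used in the ARM text and in zoneconf.c, so the INFO log lines it produces will be hard to correlate with the configuration; `"allow-update-forwarding"` would read better. ns_update_start begins before and continues after this hunk.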
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index bc1e7a857c..2fde0ba415 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zoneconf.c,v 1.65 2000/11/03 07:15:52 marka Exp $ */ +/* $Id: zoneconf.c,v 1.66 2000/11/06 08:11:08 marka Exp $ */ #include @@ -361,6 +361,13 @@ dns_zone_configure(dns_c_ctx_t *cctx, dns_c_view_t *cview, if (result != ISC_R_SUCCESS) uintval = 30 * 24 * 3600; dns_zone_setsigvalidityinterval(zone, uintval); + } else if (czone->ztype == dns_c_zone_slave) { + RETERR(configure_zone_acl(czone, cctx, NULL, ac, zone, + dns_c_zone_getallowupdateforwarding, + dns_c_view_getallowupdateforwarding, + dns_c_ctx_getallowupdateforwarding, + dns_zone_setforwardacl, + dns_zone_clearforwardacl)); } result = dns_c_zone_gettransfersource(czone, &sockaddr); diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 2d158a211a..d3d2d96c70 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -2,7 +2,7 @@ - + @@ -3670,9 +3670,13 @@ updates from all hosts. allow-update-forwarding Specifies which hosts are allowed to submit Dynamic DNS updates to slave zones to be forwarded to the -master. The default is to deny update forwarding from all hosts. - Update -forwarding is not yet implemented. +master. +This applies only to unsigned updates. +Signed updates are always forwarded. +If there is no acl defined then the server will return NOTIMPL, causing the +client to skip to the next server. If an acl is defined and there is no +match then the default is to deny update forwarding. + also-notify diff --git a/lib/dns/config/confctx.c b/lib/dns/config/confctx.c index 9840af7da4..eebc025f8f 100644 --- a/lib/dns/config/confctx.c +++ b/lib/dns/config/confctx.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: confctx.c,v 1.96 2000/11/03 07:15:57 marka Exp $ */ +/* $Id: confctx.c,v 1.97 2000/11/06 08:11:10 marka Exp $ */ #include 
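Review bot: The allow-update-forwarding ACL is wired up only in the new `else if (czone->ztype == dns_c_zone_slave)` branch of dns_zone_configure, so for every other zone type neither dns_zone_setforwardacl nor dns_zone_clearforwardacl is ever reached, and nothing in the function says why; the branch deserves a comment such as `/* allow-update-forwarding only applies to slaves: update.c consults the forward acl in its dns_zone_slave case. */`. The preceding `if` branch opens outside the hunk, so I cannot tell whether a master zone with the option set is warned about anywhere; this commit removes the "not yet implemented" warning from dns_c_checkconfig, so if no other check exists the option is now silently ignored for non-slave zones. The lib/dns/zoneconf.c hunk later in this patch carries the same index line bc1e7a857c..2fde0ba415 and identical content, so it appears to be the same file listed twice and needs no separate review.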
@@ -533,14 +533,6 @@ dns_c_checkconfig(dns_c_ctx_t *cfg) "option 'rrset-order' is not yet implemented"); } - if (dns_c_ctx_getallowupdateforwarding(cfg, &ipml) != ISC_R_NOTFOUND) { - dns_c_ipmatchlist_detach(&ipml); - isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG, - DNS_LOGMODULE_CONFIG, ISC_LOG_WARNING, - "option 'allow-update-forwarding' is not " - "yet implemented"); - } - if (cfg->zlist != NULL) { tmpres = dns_c_zonelist_checkzones(cfg->zlist); if (tmpres != ISC_R_SUCCESS) { diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h index 1d9ad66abd..2362f66115 100644 --- a/lib/dns/include/dns/zone.h +++ b/lib/dns/include/dns/zone.h @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.h,v 1.84 2000/11/03 18:43:53 gson Exp $ */ +/* $Id: zone.h,v 1.85 2000/11/06 08:11:11 marka Exp $ */ #ifndef DNS_ZONE_H #define DNS_ZONE_H 1 @@ -591,6 +591,16 @@ dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl); * 'acl' to be valid acl. */ +void +dns_zone_setforwardacl(dns_zone_t *zone, dns_acl_t *acl); +/* + * Sets the forward unsigned updates acl list for the zone. + * + * Require: + * 'zone' to be a valid zone. + * 'acl' to be valid acl. + */ + void dns_zone_setxfracl(dns_zone_t *zone, dns_acl_t *acl); /* @@ -642,6 +652,19 @@ dns_zone_getupdateacl(dns_zone_t *zone); * NULL */ +dns_acl_t * +dns_zone_getforwardacl(dns_zone_t *zone); +/* + * Returns the current forward unsigned updates acl or NULL. + * + * Require: + * 'zone' to be a valid zone. + * + * Returns: + * acl a pointer to the acl. + * NULL + */ + dns_acl_t * dns_zone_getxfracl(dns_zone_t *zone); /* @@ -664,6 +687,15 @@ dns_zone_clearupdateacl(dns_zone_t *zone); * 'zone' to be a valid zone. */ +void +dns_zone_clearforwardacl(dns_zone_t *zone); +/* + * Clear the current forward unsigned updates acl. + * + * Require: + * 'zone' to be a valid zone. + */ + #ifndef NOMINUM_PUBLIC void dns_zone_clearnotifyacl(dns_zone_t *zone); 
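Review bot: The new dns_zone_getforwardacl comment in zone.h says only "Returns the current forward unsigned updates acl or NULL", which leaves unstated two things its callers need: the returned pointer is not reference counted (the zone.c implementation in this patch hands back `zone->forward_acl` directly), and NULL means "no policy configured", which update.c maps to NOTIMP rather than REFUSED. I would extend the Returns text to `acl a pointer to the zone's acl; not reference counted, invalidated by dns_zone_setforwardacl()/dns_zone_clearforwardacl()` and `NULL if no allow-update-forwarding acl is configured`. The dns_zone_setforwardacl comment could likewise say that the zone attaches its own reference and the caller keeps ownership of `acl`, which is what the implementation's `dns_acl_attach` does.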
diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 1f7737535d..46e7b7aeae 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.245 2000/11/03 07:15:50 marka Exp $ */ +/* $Id: zone.c,v 1.246 2000/11/06 08:11:07 marka Exp $ */ #include @@ -160,6 +160,7 @@ struct dns_zone { dns_xfrin_ctx_t *xfr; /* Access Control Lists */ dns_acl_t *update_acl; + dns_acl_t *forward_acl; #ifndef NOMINUM_PUBLIC dns_acl_t *notify_acl; #endif /* NOMINUM_PUBLIC */ @@ -490,6 +491,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) { zone->notifycnt = 0; zone->task = NULL; zone->update_acl = NULL; + zone->forward_acl = NULL; #ifndef NOMINUM_PUBLIC zone->notify_acl = NULL; #endif /* NOMINUM_PUBLIC */ @@ -583,6 +585,8 @@ zone_free(dns_zone_t *zone) { zone->check_names = dns_severity_ignore; if (zone->update_acl != NULL) dns_acl_detach(&zone->update_acl); + if (zone->forward_acl != NULL) + dns_acl_detach(&zone->forward_acl); #ifndef NOMINUM_PUBLIC if (zone->notify_acl != NULL) dns_acl_detach(&zone->notify_acl); @@ -3911,6 +3915,18 @@ dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl) { UNLOCK(&zone->lock); } +void +dns_zone_setforwardacl(dns_zone_t *zone, dns_acl_t *acl) { + + REQUIRE(DNS_ZONE_VALID(zone)); + + LOCK(&zone->lock); + if (zone->forward_acl != NULL) + dns_acl_detach(&zone->forward_acl); + dns_acl_attach(acl, &zone->forward_acl); + UNLOCK(&zone->lock); +} + void dns_zone_setxfracl(dns_zone_t *zone, dns_acl_t *acl) { @@ -3949,6 +3965,14 @@ dns_zone_getupdateacl(dns_zone_t *zone) { return (zone->update_acl); } +dns_acl_t * +dns_zone_getforwardacl(dns_zone_t *zone) { + + REQUIRE(DNS_ZONE_VALID(zone)); + + return (zone->forward_acl); +} + dns_acl_t * dns_zone_getxfracl(dns_zone_t *zone) { 
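Review bot: dns_zone_getforwardacl returns `zone->forward_acl` without taking `zone->lock` and without attaching a reference, while dns_zone_setforwardacl and dns_zone_clearforwardacl detach the old ACL under that lock; a caller that reads the pointer while a reconfiguration replaces the ACL can be left holding freed memory, and bin/named/update.c in this patch uses the pointer exactly that way. This mirrors the existing dns_zone_getupdateacl directly above, so it is presumably an accepted convention here rather than a regression, but a one-line comment on the getter, `/* Unlocked, unreferenced read: valid only while no reconfiguration can run. */`, or a variant that attaches into a caller-supplied `dns_acl_t **`, would make the contract explicit. The remaining hunks (struct member, initialisation in dns_zone_create, detach in zone_free, setter) are consistent with how update_acl is handled.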
@@ -3968,6 +3992,17 @@ dns_zone_clearupdateacl(dns_zone_t *zone) { UNLOCK(&zone->lock); } +void +dns_zone_clearforwardacl(dns_zone_t *zone) { + + REQUIRE(DNS_ZONE_VALID(zone)); + + LOCK(&zone->lock); + if (zone->forward_acl != NULL) + dns_acl_detach(&zone->forward_acl); + UNLOCK(&zone->lock); +} + #ifndef NOMINUM_PUBLIC void dns_zone_clearnotifyacl(dns_zone_t *zone) { diff --git a/lib/dns/zoneconf.c b/lib/dns/zoneconf.c index bc1e7a857c..2fde0ba415 100644 --- a/lib/dns/zoneconf.c +++ b/lib/dns/zoneconf.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zoneconf.c,v 1.65 2000/11/03 07:15:52 marka Exp $ */ +/* $Id: zoneconf.c,v 1.66 2000/11/06 08:11:08 marka Exp $ */ #include @@ -361,6 +361,13 @@ dns_zone_configure(dns_c_ctx_t *cctx, dns_c_view_t *cview, if (result != ISC_R_SUCCESS) uintval = 30 * 24 * 3600; dns_zone_setsigvalidityinterval(zone, uintval); + } else if (czone->ztype == dns_c_zone_slave) { + RETERR(configure_zone_acl(czone, cctx, NULL, ac, zone, + dns_c_zone_getallowupdateforwarding, + dns_c_view_getallowupdateforwarding, + dns_c_ctx_getallowupdateforwarding, + dns_zone_setforwardacl, + dns_zone_clearforwardacl)); } result = dns_c_zone_gettransfersource(czone, &sockaddr);