diff --git a/bin/named/client.c b/bin/named/client.c
index b6ecaf28c7..e5140e3089 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: client.c,v 1.172 2001/06/15 22:35:42 gson Exp $ */
+/* $Id: client.c,v 1.173 2001/06/15 23:28:26 gson Exp $ */
 #include
@@ -2172,9 +2172,8 @@ ns_client_getsockaddr(ns_client_t *client) {
 }
 isc_result_t
-ns_client_checkacl(ns_client_t *client,
- const char *opname, dns_acl_t *acl,
- isc_boolean_t default_allow, int log_level)
+ns_client_checkaclsilent(ns_client_t *client, dns_acl_t *acl,
+ isc_boolean_t default_allow)
 {
 isc_result_t result;
 int match;
@@ -2199,18 +2198,31 @@ ns_client_checkacl(ns_client_t *client,
 goto deny; /* Negative match or no match. */
 allow:
-ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
- "%s approved", opname);
 return (ISC_R_SUCCESS);
 deny:
-ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT,
- log_level, "%s denied", opname);
 return (DNS_R_REFUSED);
 }
+isc_result_t
+ns_client_checkacl(ns_client_t *client,
+ const char *opname, dns_acl_t *acl,
+ isc_boolean_t default_allow, int log_level)
+{
+ isc_result_t result =
+ ns_client_checkaclsilent(client, acl, default_allow);
+
+ if (result == ISC_R_SUCCESS)
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+ "%s approved", opname);
+ else
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT,
+ log_level, "%s denied", opname);
+ return (result);
+}
+
 static void
 ns_client_name(ns_client_t *client, char *peerbuf, size_t len) {
 if (client->peeraddr_valid)
diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
index 5baf92ba5a..17e9cb3662 100644
--- a/bin/named/include/named/client.h
+++ b/bin/named/include/named/client.h
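Review bot: In the new `ns_client_checkacl` wrapper the else branch logs "%s denied" for every result other than ISC_R_SUCCESS, which is only accurate while `ns_client_checkaclsilent` keeps the documented contract of returning just ISC_R_SUCCESS or DNS_R_REFUSED; a comment above the `if` stating that assumption, `/* checkaclsilent returns only ISC_R_SUCCESS or DNS_R_REFUSED, so anything else is a denial. */`, keeps the security-log text honest if the silent variant ever grows another return value. The two `ns_client_log` calls differ only in level and verb and could be a single call with `result == ISC_R_SUCCESS ? ISC_LOG_DEBUG(3) : log_level` as the level argument. The body of `ns_client_checkaclsilent`, whose `goto deny` opens this hunk, begins outside the hunk.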
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: client.h,v 1.57 2001/03/19 20:52:21 gson Exp $ */
+/* $Id: client.h,v 1.58 2001/06/15 23:28:29 gson Exp $ */
 #ifndef NAMED_CLIENT_H
 #define NAMED_CLIENT_H 1
@@ -268,17 +268,14 @@ ns_client_getsockaddr(ns_client_t *client);
 */
 isc_result_t
-ns_client_checkacl(ns_client_t *client,
- const char *opname, dns_acl_t *acl,
- isc_boolean_t default_allow,
- int log_level);
+ns_client_checkaclsilent(ns_client_t *client,dns_acl_t *acl,
+ isc_boolean_t default_allow);
+
 /*
 * Convenience function for client request ACL checking.
 *
 * Check the current client request against 'acl'. If 'acl'
 * is NULL, allow the request iff 'default_allow' is ISC_TRUE.
- * Log the outcome of the check if deemed appropriate.
- * Log messages will refer to the request as an 'opname' request.
 *
 * Notes:
 * This is appropriate for checking allow-update,
@@ -289,7 +286,6 @@ ns_client_checkacl(ns_client_t *client,
 *
 * Requires:
 * 'client' points to a valid client.
- * 'opname' points to a null-terminated string.
 * 'acl' points to a valid ACL, or is NULL.
 *
 * Returns:
@@ -298,6 +294,23 @@ ns_client_checkacl(ns_client_t *client,
 * No other return values are possible.
 */
+isc_result_t
+ns_client_checkacl(ns_client_t *client,
+ const char *opname, dns_acl_t *acl,
+ isc_boolean_t default_allow,
+ int log_level);
+/*
+ * Like ns_client_checkacl, but also logs the outcome of the
+ * check at log level 'log_level' if denied, and at debug 3
+ * if approved. Log messages will refer to the request as
+ * an 'opname' request.
+ *
+ * Requires:
+ * Those of ns_client_checkaclsilent(), and:
+ *
+ * 'opname' points to a null-terminated string.
+ */
+
 void
 ns_client_log(ns_client_t *client, isc_logcategory_t *category,
 isc_logmodule_t *module, int level,
diff --git a/bin/named/query.c b/bin/named/query.c
index 3df7b65a2d..6933ddfd60 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
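Review bot: The comment block that now documents `ns_client_checkaclsilent` dropped the two lines about logging but says nothing about the variant being silent, so a reader of the header cannot tell that an ACL denial returned by it is not recorded anywhere unless the caller logs it; after the 'default_allow' sentence add ` * The outcome is not logged; callers that want a record of denials` / ` * must log it themselves or use ns_client_checkacl().`. The new prototype is also missing a space after the comma in `ns_client_checkaclsilent(ns_client_t *client,dns_acl_t *acl,`. The Notes section of the comment continues outside the hunk.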
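Review bot: The new comment on `ns_client_checkacl` opens with "Like ns_client_checkacl, but also logs the outcome", which refers to the function itself; the one it extends is the silent variant declared above, so the line should read ` * Like ns_client_checkaclsilent(), but also logs the outcome of the`. The "Those of ns_client_checkaclsilent(), and:" line under Requires already uses the right name, so this looks like a slip rather than intent.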
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: query.c,v 1.195 2001/05/19 00:08:21 gson Exp $ */
+/* $Id: query.c,v 1.196 2001/06/15 23:28:27 gson Exp $ */
 #include
@@ -625,14 +625,33 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, unsigned int options,
 if (check_acl) {
 isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
- char msg[DNS_NAME_FORMATSIZE + DNS_RDATACLASS_FORMATSIZE
- + sizeof "query '/'"];
-
- ns_client_aclmsg("query", name, client->view->rdclass,
- msg, sizeof(msg));
- result = ns_client_checkacl(client, msg, queryacl,
- ISC_TRUE,
- log ? ISC_LOG_INFO : ISC_LOG_DEBUG(3));
+
+ result = ns_client_checkaclsilent(client, queryacl, ISC_TRUE);
+ if (log) {
+ char msg[DNS_NAME_FORMATSIZE + DNS_RDATACLASS_FORMATSIZE
+ + sizeof "query '/'"];
+ if (result == ISC_R_SUCCESS) {
+ if (isc_log_wouldlog(ns_g_lctx,
+ ISC_LOG_DEBUG(3)))
+ {
+ ns_client_aclmsg("query", name,
+ client->view->rdclass,
+ msg, sizeof(msg));
+ ns_client_log(client,
+ DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_QUERY,
+ ISC_LOG_DEBUG(3),
+ "%s approved", msg);
+ }
+ } else {
+ ns_client_aclmsg("query", name,
+ client->view->rdclass,
+ msg, sizeof(msg));
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_QUERY, ISC_LOG_INFO,
+ "%s denied", msg);
+ }
+ }
 if (queryacl == client->view->queryacl) {
 if (result == ISC_R_SUCCESS) {