fix: dev: Configure zone ACLs from templates

ACLs from templates should be configured in between the zone and view tier. Closes #6023 Closes #6040 Merge branch '6040-zone-ignores-template-acl' into 'main' See merge request isc-projects/bind9!12132
2026-06-08 22:22:05 -04:00 · 2026-05-29 06:55:07 +00:00 · 2026-05-29 06:55:07 +00:00 · 5c80876a6d
commit 5c80876a6d
parent 11e204ee00 470847a527
5 changed files with 42 additions and 1 deletions
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@ -139,8 +139,14 @@ configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
 	if (config != NULL && maps[i] != NULL) {
 		const cfg_obj_t *toptions = named_zone_templateopts(config,
 								    maps[i]);
+		/* Check to see if ACL is defined within template */
 		if (toptions != NULL) {
 			maps[i++] = toptions;
+			(void)cfg_map_get(toptions, aclname, &aclobj);
+			if (aclobj != NULL) {
+				aclp = NULL;
+				goto parse_acl;
+			}
 		}
 	}

--- a/bin/tests/system/acl/ns3/named.conf.j2
+++ b/bin/tests/system/acl/ns3/named.conf.j2
@ -21,3 +21,8 @@ key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
 };
+
+template "allow-xfr" {
+	type primary;
+	allow-transfer { any; };
+};
--- a/bin/tests/system/acl/ns3/template.db
+++ b/bin/tests/system/acl/ns3/template.db
--- a/bin/tests/system/acl/tests.sh
+++ b/bin/tests/system/acl/tests.sh
@ -226,7 +226,8 @@ status=$((status + ret))
 echo_i "testing allow-transfer ACLs against ns3 (no existing zones)"

 echo_i "calling addzone example.com on ns3"
-$RNDCCMD 10.53.0.3 addzone 'example.com {type primary; file "example.db"; }; '
+cp ns3/template.db ns3/example.com.db
+$RNDCCMD 10.53.0.3 addzone 'example.com {type primary; file "example.com.db"; }; '
 sleep 1

 t=$((t + 1))
@ -237,6 +238,32 @@ grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))

+echo_i "calling addzone allow.example on ns3"
+cp ns3/template.db ns3/allow.example.db
+$RNDCCMD 10.53.0.3 addzone 'allow.example {type primary; file "allow.example.db"; allow-transfer { any; }; }; '
+sleep 1
+
+t=$((t + 1))
+ret=0
+echo_i "checking AXFR of allow.example from ns3 with ACL allow-transfer { any; }; (${t})"
+$DIG -p ${PORT} @10.53.0.3 allow.example axfr >dig.out.${t} 2>&1
+grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+echo_i "calling addzone template.example on ns3"
+cp ns3/template.db ns3/template.example.db
+$RNDCCMD 10.53.0.3 addzone 'template.example {file "template.example.db"; template "allow-xfr"; }; '
+sleep 1
+
+t=$((t + 1))
+ret=0
+echo_i "checking AXFR of template.example from ns3 with ACL allow-transfer from template (${t})"
+$DIG -p ${PORT} @10.53.0.3 template.example axfr >dig.out.${t} 2>&1
+grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
 echo_i "calling rndc reconfig"
 rndc_reconfig ns3 10.53.0.3

--- a/bin/tests/system/acl/tests_sh_acl.py
+++ b/bin/tests/system/acl/tests_sh_acl.py
@ -18,6 +18,9 @@ pytestmark = pytest.mark.extra_artifacts(
        "ns*/_default.nzf*",
        "ns2/example.db",
        "ns2/tsigzone.db",
+        "ns3/example.com.db",
+        "ns3/allow.example.db",
+        "ns3/template.example.db",
    ]
 )