From d47aeb96d49fb3ff43913eab98e07eb7c5c3afd2 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Thu, 28 May 2026 15:06:50 +0200
Subject: [PATCH 1/2] Test ACL from template

Add an acl system test case where the ACL comes from a template. It should override the ACL from the options.
---
 bin/tests/system/acl/ns3/named.conf.j2 | 5 ++++
 .../acl/ns3/{example.db => template.db} | 0
 bin/tests/system/acl/tests.sh | 29 ++++++++++++++++++-
 bin/tests/system/acl/tests_sh_acl.py | 3 ++
 4 files changed, 36 insertions(+), 1 deletion(-)
 rename bin/tests/system/acl/ns3/{example.db => template.db} (100%)

diff --git a/bin/tests/system/acl/ns3/named.conf.j2 b/bin/tests/system/acl/ns3/named.conf.j2
index 763949c84f..c05a0d7953 100644
--- a/bin/tests/system/acl/ns3/named.conf.j2
+++ b/bin/tests/system/acl/ns3/named.conf.j2
@@ -21,3 +21,8 @@ key rndc_key {
 secret "1234abcd8765";
 algorithm @DEFAULT_HMAC@;
 };
+
+template "allow-xfr" {
+ type primary;
+ allow-transfer { any; };
+};
diff --git a/bin/tests/system/acl/ns3/example.db b/bin/tests/system/acl/ns3/template.db
similarity index 100%
rename from bin/tests/system/acl/ns3/example.db
rename to bin/tests/system/acl/ns3/template.db
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
index 50ff78a0aa..e8adeccf2c 100644
--- a/bin/tests/system/acl/tests.sh
+++ b/bin/tests/system/acl/tests.sh
@@ -226,7 +226,8 @@ status=$((status + ret))
 
 echo_i "testing allow-transfer ACLs against ns3 (no existing zones)"
 echo_i "calling addzone example.com on ns3"
-$RNDCCMD 10.53.0.3 addzone 'example.com {type primary; file "example.db"; }; '
+cp ns3/template.db ns3/example.com.db
+$RNDCCMD 10.53.0.3 addzone 'example.com {type primary; file "example.com.db"; }; '
 sleep 1
 
 t=$((t + 1))
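Review bot: The new `allow-xfr` template in named.conf.j2 carries no comment saying why it exists, and its `allow-transfer { any; };` reads like a carelessly wide-open ACL until one finds the template.example case in tests.sh that depends on it. A one-line comment above the block would help, e.g. `// Used by tests.sh: a zone added with this template must be transferable even though the options-level allow-transfer ACL is not.` The claim about the options-level ACL is inferred from the existing example.com check in tests.sh expecting `Transfer failed.`, so adjust the wording if that is not the actual reason.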
@@ -237,6 +238,32 @@ grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 || ret=1
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 
+echo_i "calling addzone allow.example on ns3"
+cp ns3/template.db ns3/allow.example.db
+$RNDCCMD 10.53.0.3 addzone 'allow.example {type primary; file "allow.example.db"; allow-transfer { any; }; }; '
+sleep 1
+
+t=$((t + 1))
+ret=0
+echo_i "checking AXFR of allow.example from ns3 with ACL allow-transfer { any; }; (${t})"
+$DIG -p ${PORT} @10.53.0.3 allow.example axfr >dig.out.${t} 2>&1
+grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+echo_i "calling addzone template.example on ns3"
+cp ns3/template.db ns3/template.example.db
+$RNDCCMD 10.53.0.3 addzone 'template.example {file "template.example.db"; template "allow-xfr"; }; '
+sleep 1
+
+t=$((t + 1))
+ret=0
+echo_i "checking AXFR of template.example from ns3 with ACL allow-transfer from template (${t})"
+$DIG -p ${PORT} @10.53.0.3 template.example axfr >dig.out.${t} 2>&1
+grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 && ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
 echo_i "calling rndc reconfig"
 rndc_reconfig ns3 10.53.0.3
 
diff --git a/bin/tests/system/acl/tests_sh_acl.py b/bin/tests/system/acl/tests_sh_acl.py
index 9a6bc91e39..fc8ff379e9 100644
--- a/bin/tests/system/acl/tests_sh_acl.py
+++ b/bin/tests/system/acl/tests_sh_acl.py
@@ -18,6 +18,9 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns*/_default.nzf*",
 "ns2/example.db",
 "ns2/tsigzone.db",
+ "ns3/example.com.db",
+ "ns3/allow.example.db",
+ "ns3/template.example.db",
 ]
 )
 

From 470847a527d8b4091b5ffc7532e6f6945e3adc80 Mon Sep 17 00:00:00 2001
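Review bot: The two new positive AXFR checks in the tests.sh hunk only assert that `Transfer failed.` is absent from dig.out.${t}, so a timeout or connection error, which dig reports with different text, would be counted as a successful transfer and the template-override test could pass without any transfer happening. Asserting on dig's transfer summary is more robust: replace each `grep "Transfer failed." dig.out.${t} >/dev/null 2>&1 && ret=1` with `grep "^;; XFR size:" dig.out.${t} >/dev/null 2>&1 || ret=1`, for both the allow.example and the template.example checks. The template.example addzone also relies on the template supplying `type primary`; saying so in its echo_i line or a comment keeps a later edit of the template from silently changing what this test exercises.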
From: Matthijs Mekking
Date: Thu, 28 May 2026 15:13:26 +0200
Subject: [PATCH 2/2] When configuring zone ACL, check template too

When zone templates were introduced, we forgot to add parsing ACL from templates in 'configure_zone_acl()'. This commit fixes the omission.
---
 bin/named/zoneconf.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index cc300845be..89846353f5 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -139,8 +139,14 @@ configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
 if (config != NULL && maps[i] != NULL) {
 const cfg_obj_t *toptions = named_zone_templateopts(config, maps[i]);
+ /* Check to see if ACL is defined within template */
 if (toptions != NULL) {
 maps[i++] = toptions;
+ (void)cfg_map_get(toptions, aclname, &aclobj);
+ if (aclobj != NULL) {
+ aclp = NULL;
+ goto parse_acl;
+ }
 }
 }