2206. [security] "allow-query-cache" and "allow-recursion" now

cross inherit from each other.

                        If allow-query-cache is not set in named.conf then
                        allow-recursion is used if set, otherwise allow-query
                        is used if set, otherwise the default (localnets;
                        localhost;) is used.

                        If allow-recursion is not set in named.conf then
                        allow-query-cache is used if set, otherwise allow-query
                        is used if set, otherwise the default (localnets;
                        localhost;) is used.

                        [RT #16987]
This commit is contained in:
Mark Andrews 2007-07-09 02:14:39 +00:00
parent 5888f62c20
commit 69826a6a2f
3 changed files with 57 additions and 30 deletions

CHANGES

@ -1,3 +1,18 @@
2206. [security] "allow-query-cache" and "allow-recursion" now
cross inherit from each other.
If allow-query-cache is not set in named.conf then
allow-recursion is used if set, otherwise allow-query
is used if set, otherwise the default (localnets;
localhost;) is used.
If allow-recursion is not set in named.conf then
allow-query-cache is used if set, otherwise allow-query
is used if set, otherwise the default (localnets;
localhost;) is used.
[RT #16987]
2205. [bug] libbind: change #2119 broke thread support. [RT #16982]
2204 [bug] "rndc flushanme name unknown-view" caused named


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.c,v 1.488 2007/07/02 01:00:35 marka Exp $ */
/* $Id: server.c,v 1.489 2007/07/09 02:12:42 marka Exp $ */
/*! \file */
@ -1543,20 +1543,19 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
view->additionalfromcache = ISC_TRUE;
}
/*
* Set "allow-query-cache", "allow-query-cache-on",
* "allow-recursion", and "allow-recursion-on" acls if
* configured in named.conf.
*/
CHECK(configure_view_acl(vconfig, config, "allow-query-cache",
actx, ns_g_mctx, &view->queryacl));
if (view->queryacl == NULL)
CHECK(configure_view_acl(NULL, ns_g_config,
"allow-query-cache", actx,
ns_g_mctx, &view->queryacl));
CHECK(configure_view_acl(vconfig, config, "allow-query-cache-on",
actx, ns_g_mctx, &view->queryonacl));
if (view->queryonacl == NULL)
CHECK(configure_view_acl(NULL, ns_g_config,
"allow-query-cache-on", actx,
ns_g_mctx, &view->queryonacl));
if (strcmp(view->name, "_bind") != 0) {
CHECK(configure_view_acl(vconfig, config, "allow-recursion",
actx, ns_g_mctx,
@ -1567,19 +1566,37 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
}
/*
* Set default "allow-recursion" and "allow-recursion-on" acls.
* "allow-query-cache" inherits from "allow-recursion" if set,
* otherwise from "allow-query" if set.
* "allow-recursion" inherits from "allow-query-cache" if set,
* otherwise from "allow-query" if set.
*/
if (view->queryacl == NULL && view->recursionacl != NULL)
dns_acl_attach(view->recursionacl, &view->queryacl);
if (view->queryacl == NULL)
CHECK(configure_view_acl(vconfig, config, "allow-query",
actx, ns_g_mctx, &view->queryacl));
if (view->recursionacl == NULL && view->queryacl != NULL)
dns_acl_attach(view->queryacl, &view->recursionacl);
/*
* Set default "allow-recursion", "allow-recursion-on" and
* "allow-query-cache" acls.
*/
if (view->recursionacl == NULL && view->recursion)
CHECK(configure_view_acl(NULL, ns_g_config,
"allow-recursion",
actx, ns_g_mctx,
&view->recursionacl));
if (view->recursiononacl == NULL && view->recursion)
CHECK(configure_view_acl(NULL, ns_g_config,
"allow-recursion-on",
actx, ns_g_mctx,
&view->recursiononacl));
if (view->queryacl == NULL)
CHECK(configure_view_acl(NULL, ns_g_config,
"allow-query-cache", actx,
ns_g_mctx, &view->queryacl));
CHECK(configure_view_acl(vconfig, config, "sortlist",
actx, ns_g_mctx, &view->sortlist));
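Review bot: The cross-inheritance step `if (view->recursionacl == NULL && view->queryacl != NULL) dns_acl_attach(view->queryacl, &view->recursionacl);` is not gated on `view->recursion`, whereas the built-in "allow-recursion" and "allow-recursion-on" defaults a few lines below are. A view configured with `recursion no;` therefore ends up with a non-NULL recursionacl whenever allow-query or allow-query-cache is set, but a NULL one when neither is, and nothing in this hunk shows how the query path treats a NULL recursionacl, so whether those two states behave the same cannot be confirmed here. If the asymmetry is intentional, a one-line comment above the attach stating why it deliberately ignores `view->recursion` would keep the next reader from "fixing" it; if not, adding `&& view->recursion` to that condition would align it with the defaults that follow. The enclosing configure_view() begins and ends outside this hunk, as does the view-level "allow-recursion" lookup whose result the attach depends on.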


@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.330 2007/06/19 06:58:04 marka Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.331 2007/07/09 02:14:39 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
@ -5956,17 +5956,12 @@ options {
<listitem>
<para>
Specifies which hosts are allowed to get answers
from the cache. The default is the builtin acls
<command>localnets</command> and
<command>localhost</command>.
<!-- The way to set query access to the cache is now via allow-query-cache. This differs from earlier versions which used allow-query. -->
</para>
<para>
The way to set query access to the cache is now via
<command>allow-query-cache</command>.
This differs from earlier versions which used
<command>allow-query</command>.
from the cache. If <command>allow-query-cache</command>
is not set then <command>allow-recursion</command>
is used if set, otherwise <command>allow-query</command>
is used if set, otherwise the default
(<command>localnets;</command>
<command>localhost;</command>) is used.
</para>
</listitem>
</varlistentry>
@ -5987,16 +5982,16 @@ options {
<varlistentry>
<term><command>allow-recursion</command></term>
<listitem>
<para>
<para>
Specifies which hosts are allowed to make recursive
queries through this server. If not specified,
the default is to allow recursive queries from
the builtin acls <command>localnets</command> and
<command>localhost</command>.
Note that disallowing recursive queries for a
host does not prevent the host from retrieving
data that is already in the server's cache.
</para>
queries through this server. If
<command>allow-recursion</command> is not set
then <command>allow-query-cache</command> is
used if set, otherwise <command>allow-query</command>
is used if set, otherwise the default
(<command>localnets;</command>
<command>localhost;</command>) is used.
</para>
</listitem>
</varlistentry>