From 69826a6a2f89ecb2b280eeb6d4adb4826bf0db72 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 9 Jul 2007 02:14:39 +0000
Subject: [PATCH] 2206. [security] "allow-query-cache" and "allow-recursion" now cross inherit from each other. If allow-query-cache is not set in named.conf then allow-recursion is used if set, otherwise allow-query is used if set, otherwise the default (localnets; localhost;) is used. If allow-recursion is not set in named.conf then allow-query-cache is used if set, otherwise allow-query is used if set, otherwise the default (localnets; localhost;) is used. [RT #16987]
---
 CHANGES | 15 +++++++++++++++
 bin/named/server.c | 35 ++++++++++++++++++++++++++---------
 doc/arm/Bv9ARM-book.xml | 37 ++++++++++++++++---------------------
 3 files changed, 57 insertions(+), 30 deletions(-)
diff --git a/CHANGES b/CHANGES
index 5d0fd5eb2c..a0b195ae21 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,18 @@
+2206. [security] "allow-query-cache" and "allow-recursion" now
+ cross inherit from each other.
+
+ If allow-query-cache is not set in named.conf then
+ allow-recursion is used if set, otherwise allow-query
+ is used if set, otherwise the default (localnets;
+ localhost;) is used.
+
+ If allow-recursion is not set in named.conf then
+ allow-query-cache is used if set, otherwise allow-query
+ is used if set, otherwise the default (localnets;
+ localhost;) is used.
+
+ [RT #16987]
+
 2205. [bug] libbind: change #2119 broke thread support.
 [RT #16982]
 2204 [bug] "rndc flushanme name unknown-view" caused named
diff --git a/bin/named/server.c b/bin/named/server.c
index 39f00900ca..af7d968048 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: server.c,v 1.488 2007/07/02 01:00:35 marka Exp $ */
+/* $Id: server.c,v 1.489 2007/07/09 02:12:42 marka Exp $ */
 /*! \file */
@@ -1543,20 +1543,19 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 view->additionalfromcache = ISC_TRUE;
 }
+ /*
+ * Set "allow-query-cache", "allow-query-cache-on",
+ * "allow-recursion", and "allow-recursion-on" acls if
+ * configured in named.conf.
+ */
 CHECK(configure_view_acl(vconfig, config, "allow-query-cache", actx, ns_g_mctx, &view->queryacl));
- if (view->queryacl == NULL)
- CHECK(configure_view_acl(NULL, ns_g_config,
- "allow-query-cache", actx,
- ns_g_mctx, &view->queryacl));
-
 CHECK(configure_view_acl(vconfig, config, "allow-query-cache-on", actx, ns_g_mctx, &view->queryonacl));
 if (view->queryonacl == NULL)
 CHECK(configure_view_acl(NULL, ns_g_config, "allow-query-cache-on", actx, ns_g_mctx, &view->queryonacl));
-
 if (strcmp(view->name, "_bind") != 0) {
 CHECK(configure_view_acl(vconfig, config, "allow-recursion", actx, ns_g_mctx,
@@ -1567,19 +1566,37 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 }
 /*
- * Set default "allow-recursion" and "allow-recursion-on" acls.
+ * "allow-query-cache" inherits from "allow-recursion" if set,
+ * otherwise from "allow-query" if set.
+ * "allow-recursion" inherits from "allow-query-cache" if set,
+ * otherwise from "allow-query" if set.
+ */
+ if (view->queryacl == NULL && view->recursionacl != NULL)
+ dns_acl_attach(view->recursionacl, &view->queryacl);
+ if (view->queryacl == NULL)
+ CHECK(configure_view_acl(vconfig, config, "allow-query",
+ actx, ns_g_mctx, &view->queryacl));
+ if (view->recursionacl == NULL && view->queryacl != NULL)
+ dns_acl_attach(view->queryacl, &view->recursionacl);
+
+ /*
+ * Set default "allow-recursion", "allow-recursion-on" and
+ * "allow-query-cache" acls.
 */
 if (view->recursionacl == NULL && view->recursion)
 CHECK(configure_view_acl(NULL, ns_g_config, "allow-recursion", actx, ns_g_mctx, &view->recursionacl));
-
 if (view->recursiononacl == NULL && view->recursion)
 CHECK(configure_view_acl(NULL, ns_g_config, "allow-recursion-on", actx, ns_g_mctx, &view->recursiononacl));
+ if (view->queryacl == NULL)
+ CHECK(configure_view_acl(NULL, ns_g_config,
+ "allow-query-cache", actx,
+ ns_g_mctx, &view->queryacl));
 CHECK(configure_view_acl(vconfig, config, "sortlist", actx, ns_g_mctx, &view->sortlist));
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 5050cd25dd..6e746b790f 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual
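Review bot: The fallback `CHECK(configure_view_acl(vconfig, config, "allow-query", actx, ns_g_mctx, &view->queryacl));` means a view that sets a broad `allow-query` (for example to serve authoritative zones) but leaves allow-query-cache and allow-recursion unset now has both cache access and recursion granted to that same ACL, because the line after it attaches `view->queryacl` to `view->recursionacl`; the new comment only states the inheritance order and should spell that consequence out, e.g. `* NOTE: a permissive "allow-query" therefore also permits cache queries and recursion unless those two acls are set explicitly.` The `dns_acl_attach(view->queryacl, &view->recursionacl)` cross-inherit also runs for every view, including the "_bind" view for which the preceding hunk deliberately skips the named.conf "allow-recursion" lookup, and it is not gated on `view->recursion` the way the default block directly below it is; that asymmetry is probably harmless but deserves a one-line comment explaining why the guards differ. configure_view begins and ends outside this hunk.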
@@ -5956,17 +5956,12 @@ options { Specifies which hosts are allowed to get answers - from the cache. The default is the builtin acls - localnets and - localhost. - - - - - The way to set query access to the cache is now via - allow-query-cache. - This differs from earlier versions which used - allow-query. + from the cache. If allow-query-cache + is not set then allow-recursion + is used if set, otherwise allow-query + is used if set, otherwise the default + (localnets; + localhost;) is used.
@@ -5987,16 +5982,16 @@ options { allow-recursion - + Specifies which hosts are allowed to make recursive - queries through this server. If not specified, - the default is to allow recursive queries from - the builtin acls localnets and - localhost. - Note that disallowing recursive queries for a - host does not prevent the host from retrieving - data that is already in the server's cache. - + queries through this server. If + allow-recursion is not set + then allow-query-cache is + used if set, otherwise allow-query + is used if set, otherwise the default + (localnets; + localhost;) is used. +