Treat mirror zone data as cache data for access control purposes

As mirror zone data should be treated the way validated, cached DNS
responses are, it should not be used when responding to clients who are
not allowed cache access.  Reuse code responsible for determining cache
database access for evaluating mirror zone access.

bin/tests/system/mirror/ns3/named.conf.in

@@ -27,6 +27,7 @@ options {
 	listen-on { 10.53.0.3; };
 	listen-on-v6 { none; };
 	recursion yes;
+	allow-query-cache { 10.53.0.1; };
 };
 
 zone "." {

bin/tests/system/mirror/tests.sh

@@ -12,7 +12,7 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-DIGOPTS="-p ${PORT} +dnssec +time=1 +tries=1 +multi"
+DIGOPTS="-p ${PORT} -b 10.53.0.1 +dnssec +time=1 +tries=1 +multi"
 RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
 
 # Wait until the transfer of the given zone to ns3 either completes successfully
@@ -329,5 +329,15 @@ nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" > /dev/nu
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo_i "checking that clients without cache access cannot retrieve mirror zone data ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 -b 10.53.0.3 +norec . SOA > dig.out.ns3.test$n 2>&1 || ret=1
+# Check response code and flags in the answer.
+grep "REFUSED" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.* ad" dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1

lib/ns/query.c

@@ -1093,6 +1093,13 @@ query_validatezonedb(ns_client_t *client, const dns_name_t *name,
 	REQUIRE(zone != NULL);
 	REQUIRE(db != NULL);
 
+	/*
+	 * Mirror zone data is treated as cache data.
+	 */
+	if (dns_zone_ismirror(zone)) {
+		return (query_checkcacheaccess(client, name, qtype, options));
+	}
+
 	/*
 	 * This limits our searching to the zone where the first name
 	 * (the query target) was looked for.  This prevents following