From cc4928ec7116a064223f60639ca1a80f25ba350f Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 12 Jun 2002 06:29:49 +0000
Subject: [PATCH] 1219. [func] New category 'update-security'.
---
 CHANGES | 2 ++
 bin/named/include/named/log.h | 3 +-
 bin/named/log.c | 3 +-
 bin/named/update.c | 58 ++++++++++++++++++++++-------------
 doc/arm/Bv9ARM-book.xml | 13 +++++++-
 5 files changed, 55 insertions(+), 24 deletions(-)
diff --git a/CHANGES b/CHANGES
index 3962f73601..46c5d7d923 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+1219. [func] New category 'update-security'.
+
 1218. [port] Compaq Trucluster support.
 1219. [bug] Set AI_ADDRCONFIG when looking up addresses
diff --git a/bin/named/include/named/log.h b/bin/named/include/named/log.h
index 8166a25f07..0ae8f27c35 100644
--- a/bin/named/include/named/log.h
+++ b/bin/named/include/named/log.h
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: log.h,v 1.19 2001/05/28 05:17:02 marka Exp $ */
+/* $Id: log.h,v 1.20 2002/06/12 06:29:44 marka Exp $ */
 #ifndef NAMED_LOG_H
 #define NAMED_LOG_H 1
@@ -33,6 +33,7 @@
 #define NS_LOGCATEGORY_UPDATE (&ns_g_categories[3])
 #define NS_LOGCATEGORY_QUERIES (&ns_g_categories[4])
 #define NS_LOGCATEGORY_UNMATCHED (&ns_g_categories[5])
+#define NS_LOGCATEGORY_UPDATE_SECURITY (&ns_g_categories[6])
 /*
 * Backwards compatibility.
diff --git a/bin/named/log.c b/bin/named/log.c
index 542f774257..7c720c10cf 100644
--- a/bin/named/log.c
+++ b/bin/named/log.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: log.c,v 1.35 2001/11/23 01:15:06 marka Exp $ */
+/* $Id: log.c,v 1.36 2002/06/12 06:29:42 marka Exp $ */
 #include
@@ -40,6 +40,7 @@ static isc_logcategory_t categories[] = {
 { "update", 0 },
 { "queries", 0 },
 { "unmatched", 0 },
+ { "update-security", 0 },
 { NULL, 0 }
 };
diff --git a/bin/named/update.c b/bin/named/update.c
index 8200907cda..c2d892594e 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
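Review bot: `NS_LOGCATEGORY_UPDATE_SECURITY` is bound to `ns_g_categories[6]` purely by position, and nothing on the new define ties that index to the order of the `categories[]` initializer in bin/named/log.c, where the added `{ "update-security", 0 }` entry has to remain the seventh element or the macro silently names a different category. A comment on the define, e.g. `/* index must match the order of categories[] in log.c */`, would make the coupling visible to whoever adds the next category. The same note applies to the log.c hunk, where a matching comment on the new array entry would close the loop.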
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: update.c,v 1.99 2002/05/24 06:26:04 marka Exp $ */
+/* $Id: update.c,v 1.100 2002/06/12 06:29:43 marka Exp $ */
 #include
@@ -213,6 +213,33 @@ update_log(ns_client_t *client, dns_zone_t *zone,
 namebuf, classbuf, message);
 }
+static isc_result_t
+checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message,
+ dns_name_t *zonename)
+{
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char classbuf[DNS_RDATACLASS_FORMATSIZE];
+ int level = ISC_LOG_ERROR;
+ const char *msg = "denied";
+ isc_result_t result;
+
+ result = ns_client_checkaclsilent(client, acl, ISC_FALSE);
+
+ if (result == ISC_R_SUCCESS) {
+ level = ISC_LOG_DEBUG(3);
+ msg = "approved";
+ }
+
+ dns_name_format(zonename, namebuf, sizeof(namebuf));
+ dns_rdataclass_format(client->view->rdclass, classbuf,
+ sizeof(classbuf));
+
+ ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
+ NS_LOGMODULE_UPDATE, level, "%s '%s/%s' %s",
+ message, namebuf, classbuf, msg);
+ return (result);
+}
+
 /*
 * Update a single RR in version 'ver' of 'db' and log the
 * update in 'diff'.
@@ -1993,9 +2020,8 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
 CHECK(send_update_event(client, zone));
 break;
 case dns_zone_slave:
- CHECK(ns_client_checkacl(client, "update forwarding",
- dns_zone_getforwardacl(zone),
- ISC_FALSE, ISC_LOG_ERROR));
+ CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone),
+ "update forwarding", zonename));
 CHECK(send_forward_event(client, zone));
 break;
 default:
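Review bot: `checkupdateacl` has no header comment, and its "denied" wording is applied to every result other than `ISC_R_SUCCESS`, so if `ns_client_checkaclsilent` can fail for a reason other than an ACL mismatch (its contract is not visible in this patch) that failure would be recorded in the update-security category as a denial of the request. A comment above the function should state that it evaluates `acl` against the client without logging, records the outcome for `zonename` to `NS_LOGCATEGORY_UPDATE_SECURITY` (denials at `ISC_LOG_ERROR`, approvals at debug level 3) and passes the result through unchanged for `CHECK`; if non-ACL failures are possible, choosing the "denied" text only for the specific refusal result would keep that audit trail accurate. The unconditional `client->view->rdclass` dereference matches what the replaced `ns_client_aclmsg` callers did, so it is presumably safe here.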
@@ -2166,25 +2192,15 @@ update_action(isc_task_t *task, isc_event_t *event) {
 * Check Requestor's Permissions. It seems a bit silly to do this
 * only after prerequisite testing, but that is what RFC2136 says.
 */
+ result = ISC_R_SUCCESS;
+ if (ssutable == NULL)
+ CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
+ "update", zonename));
+ else if (client->signer == NULL)
+ CHECK(checkupdateacl(client, NULL, "update", zonename));
+
 if (dns_zone_getupdatedisabled(zone))
 FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled");
- if (ssutable == NULL) {
- char msg[DNS_RDATACLASS_FORMATSIZE + DNS_NAME_FORMATSIZE
- + sizeof("update '/'")];
- ns_client_aclmsg("update", zonename, client->view->rdclass,
- msg, sizeof(msg));
- CHECK(ns_client_checkacl(client, msg,
- dns_zone_getupdateacl(zone),
- ISC_FALSE, ISC_LOG_ERROR));
- } else if (client->signer == NULL) {
- /* This gets us a free log message. */
- char msg[DNS_RDATACLASS_FORMATSIZE + DNS_NAME_FORMATSIZE
- + sizeof("update '/'")];
- ns_client_aclmsg("update", zonename, client->view->rdclass,
- msg, sizeof(msg));
- CHECK(ns_client_checkacl(client, msg, NULL, ISC_FALSE,
- ISC_LOG_ERROR));
- }
 /*
 * Perform the Update Section Prescan.
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 6ccfe8cc5d..cf32891760 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -2,7 +2,7 @@
-
+
 BIND 9 Administrator Reference Manual
@@ -2742,6 +2742,10 @@ the null channel. Dynamic updates.
+update-security
+Approval and denial of update requests.
+
+
 queries
 Queries. Using the category queries will enable query logging.
@@ -2839,6 +2843,7 @@ statement in the named.conf file: dialup dialup_option;
 fake-iquery yes_or_no;
 fetch-glue yes_or_no;
+ flush-zones-on-shutdown yes_or_no;
 has-old-clients yes_or_no;
 host-statistics yes_or_no;
 minimal-responses yes_or_no;
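Review bot: The added block moves the ACL evaluation ahead of the `dns_zone_getupdatedisabled` check, a reordering the commit message does not mention: an update to a temporarily disabled zone is now ACL-checked and logged (at `ISC_LOG_ERROR` when denied) before the "dynamic update temporarily disabled" refusal, whereas the removed code ran the disabled check first. If that ordering is intentional, a comment such as `/* ACL is evaluated before the disabled check so every request gets an update-security entry */` would preserve the reason for the next reader. When `ssutable` is non-NULL and the request is signed, neither branch runs, so no update-security entry is produced here; unless the SSU policy check later in update_action (outside this hunk) logs to the same category, the ARM text "Approval and denial of update requests" overstates what the category records. update_action continues beyond both ends of the hunk.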
@@ -3158,6 +3163,12 @@ didn't have when constructing the additional data section of a response. This is now considered a bad idea and BIND 9 never does it.
+flush-zones-on-shutdown
+When the nameserver exits due receiving SIGTERM,
+flush / do not flush any pending zone writes. The default is
+flush-zones-on-shutdown no.
+
+
 has-old-clients This option was incorrectly implemented in BIND 8, and is ignored by BIND 9.