test the use of the view ACL in DLZ
This commit is contained in:
parent
a520662ed4
commit
e2062879c1
4 changed files with 50 additions and 0 deletions
@ -534,21 +534,56 @@ dlz_lookup(const char *zone, const char *name, void *dbdata,
|
|||
*/
|
||||
isc_result_t
|
||||
dlz_allowzonexfr(void *dbdata, const char *name, const char *client) {
|
||||
struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
|
||||
isc_result_t result;
|
||||
|
||||
if (state->log != NULL) {
|
||||
state->log(ISC_LOG_INFO,
|
||||
"dlz_example: dlz_allowzonexfr called for %s",
|
||||
name);
|
||||
}
|
||||
|
||||
result = dlz_findzonedb(dbdata, name, NULL, NULL);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
if (state->log != NULL) {
|
||||
state->log(ISC_LOG_INFO,
|
||||
"dlz_example: findzonedb returned %s",
|
||||
isc_result_totext(result));
|
||||
}
|
||||
return (result);
|
||||
}
|
||||
|
||||
/*
|
||||
* Exception for "example.org" so we can test the use of
|
||||
* the view ACL.
|
||||
*/
|
||||
if (strcmp(name, "example.org") == 0) {
|
||||
if (state->log != NULL) {
|
||||
state->log(ISC_LOG_INFO,
|
||||
"dlz_example: use view ACL "
|
||||
"for example.org");
|
||||
}
|
||||
return (ISC_R_DEFAULT);
|
||||
}
|
||||
|
||||
/*
|
||||
* Exception for 10.53.0.5 so we can test that allow-transfer
|
||||
* is effective.
|
||||
*/
|
||||
if (strcmp(client, "10.53.0.5") == 0) {
|
||||
if (state->log != NULL) {
|
||||
state->log(ISC_LOG_INFO,
|
||||
"dlz_example: disallow transfer "
|
||||
"to 10.53.0.5");
|
||||
}
|
||||
return (ISC_R_NOPERM);
|
||||
}
|
||||
|
||||
if (state->log != NULL) {
|
||||
state->log(ISC_LOG_INFO,
|
||||
"dlz_example: transfer allowed for %s", name);
|
||||
}
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
}
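Review bot: The new `strcmp(name, "example.org") == 0` exception is a case-sensitive match, so if a zone name can reach the driver in mixed case (whether the caller lowercases it first is not visible in this hunk) an `EXAMPLE.ORG` request would skip the `ISC_R_DEFAULT` return, pass the `10.53.0.5` check and reach the final `return (ISC_R_SUCCESS)`, i.e. the transfer would be permitted without the view ACL ever being consulted. If normalization is guaranteed upstream, say so where the comparison is made, e.g. `/* name is already lowercased by the caller, so a plain strcmp() suffices */`; if it is not, `if (strcasecmp(name, "example.org") == 0) {` keeps the exception effective regardless of case. The block comment would also benefit from one line noting that this check deliberately sits before the `10.53.0.5` deny, so that for example.org the view ACL alone decides. The `*/` on the hunk's first line closes a comment that begins outside the hunk.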
|
||||
|
||||
|
@ -17,6 +17,10 @@ dlz "example two" {
|
|||
database "dlopen ../driver.@SO@ alternate.nil";
|
||||
};
|
||||
|
||||
dlz "example three" {
|
||||
database "dlopen ../driver.@SO@ example.org";
|
||||
};
|
||||
|
||||
dlz "unsearched1" {
|
||||
database "dlopen ../driver.@SO@ other.nil";
|
||||
search no;
|
||||
|
@ -18,6 +18,7 @@ options {
|
|||
session-keyfile "session.key";
|
||||
listen-on { 10.53.0.1; 127.0.0.1; };
|
||||
listen-on-v6 { none; };
|
||||
allow-transfer { !10.53.0.1; any; };
|
||||
recursion no;
|
||||
notify yes;
|
||||
};
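Review bot: `allow-transfer { !10.53.0.1; any; };` placed in `options` becomes the default transfer ACL for every zone that does not set its own, and `any` after a single negated address is otherwise wide open; that is presumably intended here, since the DLZ driver defers example.org to the view ACL, but nothing in the file records that dependency. A comment tying the line to its consumer would keep a later edit from tightening it and silently breaking the DLZ test, e.g. `// view ACL exercised by the DLZ example.org zone: 10.53.0.1 denied, all else allowed`. The enclosing `options` block starts outside the hunk.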
|
||||
|
@ -125,6 +125,16 @@ grep "; Transfer failed" dig.out.alternate.ns1.test$n > /dev/null || ret=1
|
|||
[ "$ret" -eq 0 ] || echo_i "failed"
|
||||
status=`expr $status + $ret`
|
||||
|
||||
newtest "testing AXFR denied based on view ACL"
|
||||
# 10.53.0.1 should be disallowed
|
||||
$DIG $DIGOPTS -b 10.53.0.1 +noall +answer axfr example.org > dig.out.example.ns1.test$n.1
|
||||
grep "; Transfer failed" dig.out.example.ns1.test$n.1 > /dev/null || ret=1
|
||||
# 10.53.0.2 should be allowed
|
||||
$DIG $DIGOPTS -b 10.53.0.2 +noall +answer axfr example.org > dig.out.example.ns1.test$n.2
|
||||
grep "; Transfer failed" dig.out.example.ns1.test$n.2 > /dev/null && ret=1
|
||||
[ "$ret" -eq 0 ] || echo_i "failed"
|
||||
status=`expr $status + $ret`
|
||||
|
||||
newtest "testing unsearched/unregistered DLZ zone is not found"
|
||||
$DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n
|
||||
grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1
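Review bot: The "allowed" half of the new view-ACL test only asserts that `; Transfer failed` is absent from `dig.out.example.ns1.test$n.2`, so a timed-out or refused connection, or an empty answer, would also pass and the test could go green without a transfer ever happening. A positive check that the transfer returned the zone's data closes that gap, following the pattern already used at the end of the hunk: `grep "3600.IN.NS.example.org." dig.out.example.ns1.test$n.2 > /dev/null || ret=1` (adjust the record to whatever the example driver serves for example.org). This assumes `newtest` resets `ret`, as its use directly before each `status=` accumulation suggests; its definition is outside the hunk.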
|
||||
|