diff --git a/CHANGES b/CHANGES index b406b1904d..e3513d1d29 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2539. [security] Update the interaction between recursion, allow-query, + allow-query-cache and allow-recursion. [RT #19198] + 2538. [bug] cache/ADB memory could grow over max-cache-size, especially with threads and smaller max-cache-size values. [RT #19240] diff --git a/README b/README index 1168aebf00..3b89403b64 100644 --- a/README +++ b/README @@ -109,13 +109,14 @@ BIND 9.4.0 rndc now allows addresses to be set in the server clauses. - New option "allow-query-cache". This lets allow-query be - used to specify the default zone access level rather than - having to have every zone override the global value. - allow-query-cache can be set at both the options and view - levels. If allow-query-cache is not set then allow-recursion - is used if set, otherwise allow-query is used if set, otherwise - the default (localhost; localnets;) is used. + New option "allow-query-cache". This lets "allow-query" + be used to specify the default zone access level rather + than having to have every zone override the global value. + "allow-query-cache" can be set at both the options and view + levels. If "allow-query-cache" is not set then "allow-recursion" + is used if set, otherwise "allow-query" is used if set + unless "recursion no;" is set in which case "none;" is used, + otherwise the default (localhost; localnets;) is used. rndc: the source address can now be specified. diff --git a/bin/named/server.c b/bin/named/server.c index 0f2a5c3723..2b3cf81dc8 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.526 2009/01/27 22:29:58 jinmei Exp $ */ +/* $Id: server.c,v 1.527 2009/01/30 03:48:54 marka Exp $ */ /*! \file */ @@ -1766,10 +1766,11 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, */ if (view->queryacl == NULL && view->recursionacl != NULL) dns_acl_attach(view->recursionacl, &view->queryacl); - if (view->queryacl == NULL) + if (view->queryacl == NULL && view->recursion) CHECK(configure_view_acl(vconfig, config, "allow-query", actx, ns_g_mctx, &view->queryacl)); - if (view->recursionacl == NULL && view->queryacl != NULL) + if (view->recursion && + view->recursionacl == NULL && view->queryacl != NULL) dns_acl_attach(view->queryacl, &view->recursionacl); /* @@ -1786,10 +1787,17 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, "allow-recursion-on", actx, ns_g_mctx, &view->recursiononacl)); - if (view->queryacl == NULL) - CHECK(configure_view_acl(NULL, ns_g_config, - "allow-query-cache", actx, - ns_g_mctx, &view->queryacl)); + if (view->queryacl == NULL) { + if (view->recursion) + CHECK(configure_view_acl(NULL, ns_g_config, + "allow-query-cache", actx, + ns_g_mctx, &view->queryacl)); + else { + if (view->queryacl != NULL) + dns_acl_detach(&view->queryacl); + CHECK(dns_acl_none(ns_g_mctx, &view->queryacl)); + } + } /* * Configure sortlist, if set diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 30b3f3faba..9c241627c0 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -6390,8 +6390,9 @@ options { from the cache. If allow-query-cache is not set then allow-recursion is used if set, otherwise allow-query - is used if set, otherwise the default - (localnets; + is used if set unless recursion no; is + set in which case none; is used, + otherwise the default (localnets; localhost;) is used.