a2a915
From 3824a600a51188c713e900115d6af129b54706df Mon Sep 17 00:00:00 2001
a2a915
From: Mark Andrews <marka@isc.org>
a2a915
Date: Wed, 6 Feb 2019 11:35:21 -0800
a2a915
Subject: [PATCH] denied axfr requests were not effective for writable DLZ
a2a915
 zones
a2a915
a2a915
(cherry picked from commit d9077cd0038e59726e1956de18b4b7872038a283)
a2a915
(cherry picked from commit 34348d9ee4db15307c6c42db294419b4df569f76)
a2a915
---
a2a915
 bin/named/xfrout.c                    |  8 ++++----
a2a915
 bin/tests/system/dlzexternal/driver.c | 18 +++++++++++++++---
a2a915
 bin/tests/system/dlzexternal/tests.sh | 16 ++++++++++++----
a2a915
 3 files changed, 31 insertions(+), 11 deletions(-)
a2a915
a2a915
diff --git a/bin/named/xfrout.c b/bin/named/xfrout.c
a2a915
index c531e0acef..f6e57d889e 100644
a2a915
--- a/bin/named/xfrout.c
a2a915
+++ b/bin/named/xfrout.c
a2a915
@@ -803,12 +803,12 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
a2a915
 	result = dns_zt_find(client->view->zonetable, question_name, 0, NULL,
a2a915
 			     &zone);
a2a915
 
a2a915
-	if (result != ISC_R_SUCCESS) {
a2a915
+	if (result != ISC_R_SUCCESS || dns_zone_gettype(zone) == dns_zone_dlz) {
a2a915
 		/*
a2a915
-		 * Normal zone table does not have a match.
a2a915
-		 * Try the DLZ database
a2a915
+		 * The normal zone table does not have a match, or this is
a2a915
+		 * marked in the zone table as a DLZ zone. Check the DLZ
a2a915
+		 * databases for a match.
a2a915
 		 */
a2a915
-		// Temporary: only searching the first DLZ database
a2a915
 		if (! ISC_LIST_EMPTY(client->view->dlz_searched)) {
a2a915
 			result = dns_dlzallowzonexfr(client->view,
a2a915
 						     question_name,
a2a915
diff --git a/bin/tests/system/dlzexternal/driver.c b/bin/tests/system/dlzexternal/driver.c
a2a915
index 37a62622da..dfa7847984 100644
a2a915
--- a/bin/tests/system/dlzexternal/driver.c
a2a915
+++ b/bin/tests/system/dlzexternal/driver.c
a2a915
@@ -542,10 +542,22 @@ dlz_lookup(const char *zone, const char *name, void *dbdata,
a2a915
  */
a2a915
 isc_result_t
a2a915
 dlz_allowzonexfr(void *dbdata, const char *name, const char *client) {
a2a915
-	UNUSED(client);
a2a915
+	isc_result_t result;
a2a915
+
a2a915
+	result = dlz_findzonedb(dbdata, name, NULL, NULL);
a2a915
+	if (result != ISC_R_SUCCESS) {
a2a915
+		return (result);
a2a915
+	}
a2a915
 
a2a915
-	/* Just say yes for all our zones */
a2a915
-	return (dlz_findzonedb(dbdata, name, NULL, NULL));
a2a915
+	/*
a2a915
+	 * Exception for 10.53.0.5 so we can test that allow-transfer
a2a915
+	 * is effective.
a2a915
+	 */
a2a915
+	if (strcmp(client, "10.53.0.5") == 0) {
a2a915
+		return (ISC_R_NOPERM);
a2a915
+	}
a2a915
+
a2a915
+	return (ISC_R_SUCCESS);
a2a915
 }
a2a915
 
a2a915
 /*
a2a915
diff --git a/bin/tests/system/dlzexternal/tests.sh b/bin/tests/system/dlzexternal/tests.sh
a2a915
index 87dd13b10e..1754aaa57c 100644
a2a915
--- a/bin/tests/system/dlzexternal/tests.sh
a2a915
+++ b/bin/tests/system/dlzexternal/tests.sh
a2a915
@@ -108,15 +108,23 @@ test_update testdc1.alternate.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1
a2a915
 status=`expr $status + $ret`
a2a915
 
a2a915
 newtest "testing AXFR from DLZ drivers"
a2a915
-$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.ns1.test$n
a2a915
-lines=`cat dig.out.ns1.test$n | wc -l`
a2a915
+$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.example.ns1.test$n
a2a915
+lines=`cat dig.out.example.ns1.test$n | wc -l`
a2a915
 [ ${lines:-0} -eq 4 ] || ret=1
a2a915
-$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.ns1.test$n
a2a915
-lines=`cat dig.out.ns1.test$n | wc -l`
a2a915
+$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n
a2a915
+lines=`cat dig.out.alternate.ns1.test$n | wc -l`
a2a915
 [ ${lines:-0} -eq 5 ] || ret=1
a2a915
 [ "$ret" -eq 0 ] || echo_i "failed"
a2a915
 status=`expr $status + $ret`
a2a915
 
a2a915
+newtest "testing AXFR denied from DLZ drivers"
a2a915
+$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil > dig.out.example.ns1.test$n
a2a915
+grep "; Transfer failed" dig.out.example.ns1.test$n > /dev/null || ret=1
a2a915
+$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n
a2a915
+grep "; Transfer failed" dig.out.alternate.ns1.test$n > /dev/null || ret=1
a2a915
+[ "$ret" -eq 0 ] || echo_i "failed"
a2a915
+status=`expr $status + $ret`
a2a915
+
a2a915
 newtest "testing unsearched/unregistered DLZ zone is not found"
a2a915
 $DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n
a2a915
 grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1
a2a915
-- 
a2a915
2.20.1
a2a915