|
|
a2a915 |
From 3824a600a51188c713e900115d6af129b54706df Mon Sep 17 00:00:00 2001
|
|
|
a2a915 |
From: Mark Andrews <marka@isc.org>
|
|
|
a2a915 |
Date: Wed, 6 Feb 2019 11:35:21 -0800
|
|
|
a2a915 |
Subject: [PATCH] denied axfr requests were not effective for writable DLZ
|
|
|
a2a915 |
zones
|
|
|
a2a915 |
|
|
|
a2a915 |
(cherry picked from commit d9077cd0038e59726e1956de18b4b7872038a283)
|
|
|
a2a915 |
(cherry picked from commit 34348d9ee4db15307c6c42db294419b4df569f76)
|
|
|
a2a915 |
---
|
|
|
a2a915 |
bin/named/xfrout.c | 8 ++++----
|
|
|
a2a915 |
bin/tests/system/dlzexternal/driver.c | 18 +++++++++++++++---
|
|
|
a2a915 |
bin/tests/system/dlzexternal/tests.sh | 16 ++++++++++++----
|
|
|
a2a915 |
3 files changed, 31 insertions(+), 11 deletions(-)
|
|
|
a2a915 |
|
|
|
a2a915 |
diff --git a/bin/named/xfrout.c b/bin/named/xfrout.c
|
|
|
a2a915 |
index c531e0acef..f6e57d889e 100644
|
|
|
a2a915 |
--- a/bin/named/xfrout.c
|
|
|
a2a915 |
+++ b/bin/named/xfrout.c
|
|
|
a2a915 |
@@ -803,12 +803,12 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
|
|
|
a2a915 |
result = dns_zt_find(client->view->zonetable, question_name, 0, NULL,
|
|
|
a2a915 |
&zone);
|
|
|
a2a915 |
|
|
|
a2a915 |
- if (result != ISC_R_SUCCESS) {
|
|
|
a2a915 |
+ if (result != ISC_R_SUCCESS || dns_zone_gettype(zone) == dns_zone_dlz) {
|
|
|
a2a915 |
/*
|
|
|
a2a915 |
- * Normal zone table does not have a match.
|
|
|
a2a915 |
- * Try the DLZ database
|
|
|
a2a915 |
+ * The normal zone table does not have a match, or this is
|
|
|
a2a915 |
+ * marked in the zone table as a DLZ zone. Check the DLZ
|
|
|
a2a915 |
+ * databases for a match.
|
|
|
a2a915 |
*/
|
|
|
a2a915 |
- // Temporary: only searching the first DLZ database
|
|
|
a2a915 |
if (! ISC_LIST_EMPTY(client->view->dlz_searched)) {
|
|
|
a2a915 |
result = dns_dlzallowzonexfr(client->view,
|
|
|
a2a915 |
question_name,
|
|
|
a2a915 |
diff --git a/bin/tests/system/dlzexternal/driver.c b/bin/tests/system/dlzexternal/driver.c
|
|
|
a2a915 |
index 37a62622da..dfa7847984 100644
|
|
|
a2a915 |
--- a/bin/tests/system/dlzexternal/driver.c
|
|
|
a2a915 |
+++ b/bin/tests/system/dlzexternal/driver.c
|
|
|
a2a915 |
@@ -542,10 +542,22 @@ dlz_lookup(const char *zone, const char *name, void *dbdata,
|
|
|
a2a915 |
*/
|
|
|
a2a915 |
isc_result_t
|
|
|
a2a915 |
dlz_allowzonexfr(void *dbdata, const char *name, const char *client) {
|
|
|
a2a915 |
- UNUSED(client);
|
|
|
a2a915 |
+ isc_result_t result;
|
|
|
a2a915 |
+
|
|
|
a2a915 |
+ result = dlz_findzonedb(dbdata, name, NULL, NULL);
|
|
|
a2a915 |
+ if (result != ISC_R_SUCCESS) {
|
|
|
a2a915 |
+ return (result);
|
|
|
a2a915 |
+ }
|
|
|
a2a915 |
|
|
|
a2a915 |
- /* Just say yes for all our zones */
|
|
|
a2a915 |
- return (dlz_findzonedb(dbdata, name, NULL, NULL));
|
|
|
a2a915 |
+ /*
|
|
|
a2a915 |
+ * Exception for 10.53.0.5 so we can test that allow-transfer
|
|
|
a2a915 |
+ * is effective.
|
|
|
a2a915 |
+ */
|
|
|
a2a915 |
+ if (strcmp(client, "10.53.0.5") == 0) {
|
|
|
a2a915 |
+ return (ISC_R_NOPERM);
|
|
|
a2a915 |
+ }
|
|
|
a2a915 |
+
|
|
|
a2a915 |
+ return (ISC_R_SUCCESS);
|
|
|
a2a915 |
}
|
|
|
a2a915 |
|
|
|
a2a915 |
/*
|
|
|
a2a915 |
diff --git a/bin/tests/system/dlzexternal/tests.sh b/bin/tests/system/dlzexternal/tests.sh
|
|
|
a2a915 |
index 87dd13b10e..1754aaa57c 100644
|
|
|
a2a915 |
--- a/bin/tests/system/dlzexternal/tests.sh
|
|
|
a2a915 |
+++ b/bin/tests/system/dlzexternal/tests.sh
|
|
|
a2a915 |
@@ -108,15 +108,23 @@ test_update testdc1.alternate.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1
|
|
|
a2a915 |
status=`expr $status + $ret`
|
|
|
a2a915 |
|
|
|
a2a915 |
newtest "testing AXFR from DLZ drivers"
|
|
|
a2a915 |
-$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.ns1.test$n
|
|
|
a2a915 |
-lines=`cat dig.out.ns1.test$n | wc -l`
|
|
|
a2a915 |
+$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.example.ns1.test$n
|
|
|
a2a915 |
+lines=`cat dig.out.example.ns1.test$n | wc -l`
|
|
|
a2a915 |
[ ${lines:-0} -eq 4 ] || ret=1
|
|
|
a2a915 |
-$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.ns1.test$n
|
|
|
a2a915 |
-lines=`cat dig.out.ns1.test$n | wc -l`
|
|
|
a2a915 |
+$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n
|
|
|
a2a915 |
+lines=`cat dig.out.alternate.ns1.test$n | wc -l`
|
|
|
a2a915 |
[ ${lines:-0} -eq 5 ] || ret=1
|
|
|
a2a915 |
[ "$ret" -eq 0 ] || echo_i "failed"
|
|
|
a2a915 |
status=`expr $status + $ret`
|
|
|
a2a915 |
|
|
|
a2a915 |
+newtest "testing AXFR denied from DLZ drivers"
|
|
|
a2a915 |
+$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil > dig.out.example.ns1.test$n
|
|
|
a2a915 |
+grep "; Transfer failed" dig.out.example.ns1.test$n > /dev/null || ret=1
|
|
|
a2a915 |
+$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n
|
|
|
a2a915 |
+grep "; Transfer failed" dig.out.alternate.ns1.test$n > /dev/null || ret=1
|
|
|
a2a915 |
+[ "$ret" -eq 0 ] || echo_i "failed"
|
|
|
a2a915 |
+status=`expr $status + $ret`
|
|
|
a2a915 |
+
|
|
|
a2a915 |
newtest "testing unsearched/unregistered DLZ zone is not found"
|
|
|
a2a915 |
$DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n
|
|
|
a2a915 |
grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1
|
|
|
a2a915 |
--
|
|
|
a2a915 |
2.20.1
|
|
|
a2a915 |
|