4ba560
From 93b8bd39145566053ad8b22cef597146e9175ea4 Mon Sep 17 00:00:00 2001
4ba560
From: Evan Hunt <each@isc.org>
4ba560
Date: Tue, 8 Nov 2022 17:32:41 -0800
4ba560
Subject: [PATCH] move update ACL and update-policy checks before quota
4ba560
4ba560
check allow-update, update-policy, and allow-update-forwarding before
4ba560
consuming quota slots, so that unauthorized clients can't fill the
4ba560
quota.
4ba560
4ba560
(this moves the access check before the prerequisite check, which
4ba560
violates the precise wording of RFC 2136. however, RFC co-author Paul
4ba560
Vixie has stated that the RFC is mistaken on this point; it should have
4ba560
said that access checking must happen *no later than* the completion of
4ba560
prerequisite checks, not that it must happen exactly then.)
4ba560
4ba560
(cherry picked from commit 964f559edb5036880b8e463b8f190b9007ee055d)
4ba560
---
4ba560
 lib/ns/update.c | 335 ++++++++++++++++++++++++++----------------------
4ba560
 1 file changed, 181 insertions(+), 154 deletions(-)
4ba560
4ba560
diff --git a/lib/ns/update.c b/lib/ns/update.c
4ba560
index 9a8c309..036184b 100644
4ba560
--- a/lib/ns/update.c
4ba560
+++ b/lib/ns/update.c
4ba560
@@ -261,6 +261,9 @@ static void
4ba560
 forward_done(isc_task_t *task, isc_event_t *event);
4ba560
 static isc_result_t
4ba560
 add_rr_prepare_action(void *data, rr_t *rr);
4ba560
+static isc_result_t
4ba560
+rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
4ba560
+	  const dns_rdata_t *rdata, bool *flag);
4ba560
 
4ba560
 /**************************************************************************/
4ba560
 
4ba560
@@ -333,25 +336,26 @@ inc_stats(ns_client_t *client, dns_zone_t *zone, isc_statscounter_t counter) {
4ba560
 static isc_result_t
4ba560
 checkqueryacl(ns_client_t *client, dns_acl_t *queryacl, dns_name_t *zonename,
4ba560
 	      dns_acl_t *updateacl, dns_ssutable_t *ssutable) {
4ba560
+	isc_result_t result;
4ba560
 	char namebuf[DNS_NAME_FORMATSIZE];
4ba560
 	char classbuf[DNS_RDATACLASS_FORMATSIZE];
4ba560
-	int level;
4ba560
-	isc_result_t result;
4ba560
+	bool update_possible =
4ba560
+		((updateacl != NULL && !dns_acl_isnone(updateacl)) ||
4ba560
+		 ssutable != NULL);
4ba560
 
4ba560
 	result = ns_client_checkaclsilent(client, NULL, queryacl, true);
4ba560
 	if (result != ISC_R_SUCCESS) {
4ba560
+		int level = update_possible ? ISC_LOG_ERROR : ISC_LOG_INFO;
4ba560
+
4ba560
 		dns_name_format(zonename, namebuf, sizeof(namebuf));
4ba560
 		dns_rdataclass_format(client->view->rdclass, classbuf,
4ba560
 				      sizeof(classbuf));
4ba560
 
4ba560
-		level = (updateacl == NULL && ssutable == NULL) ? ISC_LOG_INFO
4ba560
-								: ISC_LOG_ERROR;
4ba560
-
4ba560
 		ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
4ba560
 			      NS_LOGMODULE_UPDATE, level,
4ba560
 			      "update '%s/%s' denied due to allow-query",
4ba560
 			      namebuf, classbuf);
4ba560
-	} else if (updateacl == NULL && ssutable == NULL) {
4ba560
+	} else if (!update_possible) {
4ba560
 		dns_name_format(zonename, namebuf, sizeof(namebuf));
4ba560
 		dns_rdataclass_format(client->view->rdclass, classbuf,
4ba560
 				      sizeof(classbuf));
4ba560
@@ -1543,6 +1547,156 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
4ba560
 	isc_result_t result = ISC_R_SUCCESS;
4ba560
 	update_event_t *event = NULL;
4ba560
 	isc_task_t *zonetask = NULL;
4ba560
+	dns_ssutable_t *ssutable = NULL;
4ba560
+	dns_message_t *request = client->message;
4ba560
+	dns_aclenv_t *env =
4ba560
+		ns_interfacemgr_getaclenv(client->manager->interface->mgr);
4ba560
+	dns_rdataclass_t zoneclass;
4ba560
+	dns_rdatatype_t covers;
4ba560
+	dns_name_t *zonename = NULL;
4ba560
+	dns_db_t *db = NULL;
4ba560
+	dns_dbversion_t *ver = NULL;
4ba560
+
4ba560
+	CHECK(dns_zone_getdb(zone, &db);;
4ba560
+	zonename = dns_db_origin(db);
4ba560
+	zoneclass = dns_db_class(db);
4ba560
+	dns_zone_getssutable(zone, &ssutable);
4ba560
+	dns_db_currentversion(db, &ver);
4ba560
+
4ba560
+	/*
4ba560
+	 * Update message processing can leak record existence information
4ba560
+	 * so check that we are allowed to query this zone.  Additionally,
4ba560
+	 * if we would refuse all updates for this zone, we bail out here.
4ba560
+	 */
4ba560
+	CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone),
4ba560
+			    dns_zone_getorigin(zone),
4ba560
+			    dns_zone_getupdateacl(zone), ssutable));
4ba560
+
4ba560
+	/*
4ba560
+	 * Check requestor's permissions.
4ba560
+	 */
4ba560
+	if (ssutable == NULL) {
4ba560
+		CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
4ba560
+				     "update", dns_zone_getorigin(zone), false,
4ba560
+				     false));
4ba560
+	} else if (client->signer == NULL && !TCPCLIENT(client)) {
4ba560
+		CHECK(checkupdateacl(client, NULL, "update",
4ba560
+				     dns_zone_getorigin(zone), false, true));
4ba560
+	}
4ba560
+
4ba560
+	if (dns_zone_getupdatedisabled(zone)) {
4ba560
+		FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
4ba560
+				     "because the zone is frozen.  Use "
4ba560
+				     "'rndc thaw' to re-enable updates.");
4ba560
+	}
4ba560
+
4ba560
+	/*
4ba560
+	 * Prescan the update section, checking for updates that
4ba560
+	 * are illegal or violate policy.
4ba560
+	 */
4ba560
+	for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
4ba560
+	     result == ISC_R_SUCCESS;
4ba560
+	     result = dns_message_nextname(request, DNS_SECTION_UPDATE))
4ba560
+	{
4ba560
+		dns_name_t *name = NULL;
4ba560
+		dns_rdata_t rdata = DNS_RDATA_INIT;
4ba560
+		dns_ttl_t ttl;
4ba560
+		dns_rdataclass_t update_class;
4ba560
+
4ba560
+		get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, &name,
4ba560
+			       &rdata, &covers, &ttl, &update_class);
4ba560
+
4ba560
+		if (!dns_name_issubdomain(name, zonename)) {
4ba560
+			FAILC(DNS_R_NOTZONE, "update RR is outside zone");
4ba560
+		}
4ba560
+		if (update_class == zoneclass) {
4ba560
+			/*
4ba560
+			 * Check for meta-RRs.  The RFC2136 pseudocode says
4ba560
+			 * check for ANY|AXFR|MAILA|MAILB, but the text adds
4ba560
+			 * "or any other QUERY metatype"
4ba560
+			 */
4ba560
+			if (dns_rdatatype_ismeta(rdata.type)) {
4ba560
+				FAILC(DNS_R_FORMERR, "meta-RR in update");
4ba560
+			}
4ba560
+			result = dns_zone_checknames(zone, name, &rdata);
4ba560
+			if (result != ISC_R_SUCCESS) {
4ba560
+				FAIL(DNS_R_REFUSED);
4ba560
+			}
4ba560
+		} else if (update_class == dns_rdataclass_any) {
4ba560
+			if (ttl != 0 || rdata.length != 0 ||
4ba560
+			    (dns_rdatatype_ismeta(rdata.type) &&
4ba560
+			     rdata.type != dns_rdatatype_any))
4ba560
+			{
4ba560
+				FAILC(DNS_R_FORMERR, "meta-RR in update");
4ba560
+			}
4ba560
+		} else if (update_class == dns_rdataclass_none) {
4ba560
+			if (ttl != 0 || dns_rdatatype_ismeta(rdata.type)) {
4ba560
+				FAILC(DNS_R_FORMERR, "meta-RR in update");
4ba560
+			}
4ba560
+		} else {
4ba560
+			update_log(client, zone, ISC_LOG_WARNING,
4ba560
+				   "update RR has incorrect class %d",
4ba560
+				   update_class);
4ba560
+			FAIL(DNS_R_FORMERR);
4ba560
+		}
4ba560
+
4ba560
+		/*
4ba560
+		 * draft-ietf-dnsind-simple-secure-update-01 says
4ba560
+		 * "Unlike traditional dynamic update, the client
4ba560
+		 * is forbidden from updating NSEC records."
4ba560
+		 */
4ba560
+		if (rdata.type == dns_rdatatype_nsec3) {
4ba560
+			FAILC(DNS_R_REFUSED, "explicit NSEC3 updates are not "
4ba560
+					     "allowed "
4ba560
+					     "in secure zones");
4ba560
+		} else if (rdata.type == dns_rdatatype_nsec) {
4ba560
+			FAILC(DNS_R_REFUSED, "explicit NSEC updates are not "
4ba560
+					     "allowed "
4ba560
+					     "in secure zones");
4ba560
+		} else if (rdata.type == dns_rdatatype_rrsig &&
4ba560
+			   !dns_name_equal(name, zonename))
4ba560
+		{
4ba560
+			FAILC(DNS_R_REFUSED, "explicit RRSIG updates are "
4ba560
+					     "currently "
4ba560
+					     "not supported in secure zones "
4ba560
+					     "except "
4ba560
+					     "at the apex");
4ba560
+		}
4ba560
+
4ba560
+		if (ssutable != NULL) {
4ba560
+			isc_netaddr_t netaddr;
4ba560
+			dst_key_t *tsigkey = NULL;
4ba560
+			isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
4ba560
+
4ba560
+			if (client->message->tsigkey != NULL) {
4ba560
+				tsigkey = client->message->tsigkey->key;
4ba560
+			}
4ba560
+
4ba560
+			if (rdata.type != dns_rdatatype_any) {
4ba560
+				if (!dns_ssutable_checkrules(
4ba560
+					    ssutable, client->signer, name,
4ba560
+					    &netaddr, TCPCLIENT(client), env,
4ba560
+					    rdata.type, tsigkey))
4ba560
+				{
4ba560
+					FAILC(DNS_R_REFUSED, "rejected by "
4ba560
+							     "secure update");
4ba560
+				}
4ba560
+			} else {
4ba560
+				if (!ssu_checkall(db, ver, name, ssutable,
4ba560
+						  client->signer, &netaddr, env,
4ba560
+						  TCPCLIENT(client), tsigkey))
4ba560
+				{
4ba560
+					FAILC(DNS_R_REFUSED, "rejected by "
4ba560
+							     "secure update");
4ba560
+				}
4ba560
+			}
4ba560
+		}
4ba560
+	}
4ba560
+	if (result != ISC_R_NOMORE) {
4ba560
+		FAIL(result);
4ba560
+	}
4ba560
+
4ba560
+	update_log(client, zone, LOGLEVEL_DEBUG, "update section prescan OK");
4ba560
 
4ba560
 	result = isc_quota_attach(&client->manager->sctx->updquota,
4ba560
 				  &(isc_quota_t *){ NULL });
4ba560
@@ -1552,9 +1706,7 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
4ba560
 			   isc_result_totext(result));
4ba560
 		ns_stats_increment(client->manager->sctx->nsstats,
4ba560
 				   ns_statscounter_updatequota);
4ba560
-		ns_client_drop(client, result);
4ba560
-		isc_nmhandle_detach(&client->reqhandle);
4ba560
-		return (DNS_R_DROP);
4ba560
+		CHECK(DNS_R_DROP);
4ba560
 	}
4ba560
 
4ba560
 	event = (update_event_t *)isc_event_allocate(
4ba560
@@ -1571,6 +1723,16 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
4ba560
 	dns_zone_gettask(zone, &zonetask);
4ba560
 	isc_task_send(zonetask, ISC_EVENT_PTR(&event));
4ba560
 
4ba560
+failure:
4ba560
+	if (db != NULL) {
4ba560
+		dns_db_closeversion(db, &ver, false);
4ba560
+		dns_db_detach(&db);
4ba560
+	}
4ba560
+
4ba560
+	if (ssutable != NULL) {
4ba560
+		dns_ssutable_detach(&ssutable);
4ba560
+	}
4ba560
+
4ba560
 	return (result);
4ba560
 }
4ba560
 
4ba560
@@ -1671,9 +1833,6 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
4ba560
 		break;
4ba560
 	case dns_zone_secondary:
4ba560
 	case dns_zone_mirror:
4ba560
-		CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone),
4ba560
-				     "update forwarding", zonename, true,
4ba560
-				     false));
4ba560
 		CHECK(send_forward_event(client, zone));
4ba560
 		break;
4ba560
 	default:
4ba560
@@ -1685,8 +1844,6 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
4ba560
 
4ba560
 failure:
4ba560
 	if (result == DNS_R_REFUSED) {
4ba560
-		INSIST(dns_zone_gettype(zone) == dns_zone_secondary ||
4ba560
-		       dns_zone_gettype(zone) == dns_zone_mirror);
4ba560
 		inc_stats(client, zone, ns_statscounter_updaterej);
4ba560
 	}
4ba560
 
4ba560
@@ -2578,7 +2735,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
4ba560
 	dns_rdatatype_t covers;
4ba560
 	dns_message_t *request = client->message;
4ba560
 	dns_rdataclass_t zoneclass;
4ba560
-	dns_name_t *zonename;
4ba560
+	dns_name_t *zonename = NULL;
4ba560
 	dns_ssutable_t *ssutable = NULL;
4ba560
 	dns_fixedname_t tmpnamefixed;
4ba560
 	dns_name_t *tmpname = NULL;
4ba560
@@ -2590,8 +2747,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
4ba560
 	dns_ttl_t maxttl = 0;
4ba560
 	uint32_t maxrecords;
4ba560
 	uint64_t records;
4ba560
-	dns_aclenv_t *env =
4ba560
-		ns_interfacemgr_getaclenv(client->manager->interface->mgr);
4ba560
 
4ba560
 	INSIST(event->ev_type == DNS_EVENT_UPDATE);
4ba560
 
4ba560
@@ -2602,14 +2757,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
4ba560
 	zonename = dns_db_origin(db);
4ba560
 	zoneclass = dns_db_class(db);
4ba560
 	dns_zone_getssutable(zone, &ssutable);
4ba560
-
4ba560
-	/*
4ba560
-	 * Update message processing can leak record existence information
4ba560
-	 * so check that we are allowed to query this zone.  Additionally
4ba560
-	 * if we would refuse all updates for this zone we bail out here.
4ba560
-	 */
4ba560
-	CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone), zonename,
4ba560
-			    dns_zone_getupdateacl(zone), ssutable));
4ba560
+	options = dns_zone_getoptions(zone);
4ba560
 
4ba560
 	/*
4ba560
 	 * Get old and new versions now that queryacl has been checked.
4ba560
@@ -2745,135 +2893,10 @@ update_action(isc_task_t *task, isc_event_t *event) {
4ba560
 
4ba560
 	update_log(client, zone, LOGLEVEL_DEBUG, "prerequisites are OK");
4ba560
 
4ba560
-	/*
4ba560
-	 * Check Requestor's Permissions.  It seems a bit silly to do this
4ba560
-	 * only after prerequisite testing, but that is what RFC2136 says.
4ba560
-	 */
4ba560
-	if (ssutable == NULL) {
4ba560
-		CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
4ba560
-				     "update", zonename, false, false));
4ba560
-	} else if (client->signer == NULL && !TCPCLIENT(client)) {
4ba560
-		CHECK(checkupdateacl(client, NULL, "update", zonename, false,
4ba560
-				     true));
4ba560
-	}
4ba560
-
4ba560
-	if (dns_zone_getupdatedisabled(zone)) {
4ba560
-		FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
4ba560
-				     "because the zone is frozen.  Use "
4ba560
-				     "'rndc thaw' to re-enable updates.");
4ba560
-	}
4ba560
-
4ba560
-	/*
4ba560
-	 * Perform the Update Section Prescan.
4ba560
-	 */
4ba560
-
4ba560
-	for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
4ba560
-	     result == ISC_R_SUCCESS;
4ba560
-	     result = dns_message_nextname(request, DNS_SECTION_UPDATE))
4ba560
-	{
4ba560
-		dns_name_t *name = NULL;
4ba560
-		dns_rdata_t rdata = DNS_RDATA_INIT;
4ba560
-		dns_ttl_t ttl;
4ba560
-		dns_rdataclass_t update_class;
4ba560
-		get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, &name,
4ba560
-			       &rdata, &covers, &ttl, &update_class);
4ba560
-
4ba560
-		if (!dns_name_issubdomain(name, zonename)) {
4ba560
-			FAILC(DNS_R_NOTZONE, "update RR is outside zone");
4ba560
-		}
4ba560
-		if (update_class == zoneclass) {
4ba560
-			/*
4ba560
-			 * Check for meta-RRs.  The RFC2136 pseudocode says
4ba560
-			 * check for ANY|AXFR|MAILA|MAILB, but the text adds
4ba560
-			 * "or any other QUERY metatype"
4ba560
-			 */
4ba560
-			if (dns_rdatatype_ismeta(rdata.type)) {
4ba560
-				FAILC(DNS_R_FORMERR, "meta-RR in update");
4ba560
-			}
4ba560
-			result = dns_zone_checknames(zone, name, &rdata);
4ba560
-			if (result != ISC_R_SUCCESS) {
4ba560
-				FAIL(DNS_R_REFUSED);
4ba560
-			}
4ba560
-		} else if (update_class == dns_rdataclass_any) {
4ba560
-			if (ttl != 0 || rdata.length != 0 ||
4ba560
-			    (dns_rdatatype_ismeta(rdata.type) &&
4ba560
-			     rdata.type != dns_rdatatype_any))
4ba560
-			{
4ba560
-				FAILC(DNS_R_FORMERR, "meta-RR in update");
4ba560
-			}
4ba560
-		} else if (update_class == dns_rdataclass_none) {
4ba560
-			if (ttl != 0 || dns_rdatatype_ismeta(rdata.type)) {
4ba560
-				FAILC(DNS_R_FORMERR, "meta-RR in update");
4ba560
-			}
4ba560
-		} else {
4ba560
-			update_log(client, zone, ISC_LOG_WARNING,
4ba560
-				   "update RR has incorrect class %d",
4ba560
-				   update_class);
4ba560
-			FAIL(DNS_R_FORMERR);
4ba560
-		}
4ba560
-
4ba560
-		/*
4ba560
-		 * draft-ietf-dnsind-simple-secure-update-01 says
4ba560
-		 * "Unlike traditional dynamic update, the client
4ba560
-		 * is forbidden from updating NSEC records."
4ba560
-		 */
4ba560
-		if (rdata.type == dns_rdatatype_nsec3) {
4ba560
-			FAILC(DNS_R_REFUSED, "explicit NSEC3 updates are not "
4ba560
-					     "allowed "
4ba560
-					     "in secure zones");
4ba560
-		} else if (rdata.type == dns_rdatatype_nsec) {
4ba560
-			FAILC(DNS_R_REFUSED, "explicit NSEC updates are not "
4ba560
-					     "allowed "
4ba560
-					     "in secure zones");
4ba560
-		} else if (rdata.type == dns_rdatatype_rrsig &&
4ba560
-			   !dns_name_equal(name, zonename)) {
4ba560
-			FAILC(DNS_R_REFUSED, "explicit RRSIG updates are "
4ba560
-					     "currently "
4ba560
-					     "not supported in secure zones "
4ba560
-					     "except "
4ba560
-					     "at the apex");
4ba560
-		}
4ba560
-
4ba560
-		if (ssutable != NULL) {
4ba560
-			isc_netaddr_t netaddr;
4ba560
-			dst_key_t *tsigkey = NULL;
4ba560
-			isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
4ba560
-
4ba560
-			if (client->message->tsigkey != NULL) {
4ba560
-				tsigkey = client->message->tsigkey->key;
4ba560
-			}
4ba560
-
4ba560
-			if (rdata.type != dns_rdatatype_any) {
4ba560
-				if (!dns_ssutable_checkrules(
4ba560
-					    ssutable, client->signer, name,
4ba560
-					    &netaddr, TCPCLIENT(client), env,
4ba560
-					    rdata.type, tsigkey))
4ba560
-				{
4ba560
-					FAILC(DNS_R_REFUSED, "rejected by "
4ba560
-							     "secure update");
4ba560
-				}
4ba560
-			} else {
4ba560
-				if (!ssu_checkall(db, ver, name, ssutable,
4ba560
-						  client->signer, &netaddr, env,
4ba560
-						  TCPCLIENT(client), tsigkey))
4ba560
-				{
4ba560
-					FAILC(DNS_R_REFUSED, "rejected by "
4ba560
-							     "secure update");
4ba560
-				}
4ba560
-			}
4ba560
-		}
4ba560
-	}
4ba560
-	if (result != ISC_R_NOMORE) {
4ba560
-		FAIL(result);
4ba560
-	}
4ba560
-
4ba560
-	update_log(client, zone, LOGLEVEL_DEBUG, "update section prescan OK");
4ba560
-
4ba560
 	/*
4ba560
 	 * Process the Update Section.
4ba560
 	 */
4ba560
 
4ba560
-	options = dns_zone_getoptions(zone);
4ba560
 	for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
4ba560
 	     result == ISC_R_SUCCESS;
4ba560
 	     result = dns_message_nextname(request, DNS_SECTION_UPDATE))
4ba560
@@ -3307,10 +3330,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
4ba560
 			if (result == ISC_R_SUCCESS && records > maxrecords) {
4ba560
 				update_log(client, zone, ISC_LOG_ERROR,
4ba560
 					   "records in zone (%" PRIu64 ") "
4ba560
-					   "exceeds"
4ba560
-					   " max-"
4ba560
-					   "records"
4ba560
-					   " (%u)",
4ba560
+					   "exceeds max-records (%u)",
4ba560
 					   records, maxrecords);
4ba560
 				result = DNS_R_TOOMANYRECORDS;
4ba560
 				goto failure;
4ba560
@@ -3601,6 +3621,13 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
4ba560
 	update_event_t *event = NULL;
4ba560
 	isc_task_t *zonetask = NULL;
4ba560
 
4ba560
+	result = checkupdateacl(client, dns_zone_getforwardacl(zone),
4ba560
+				"update forwarding", dns_zone_getorigin(zone),
4ba560
+				true, false);
4ba560
+	if (result != ISC_R_SUCCESS) {
4ba560
+		return (result);
4ba560
+	}
4ba560
+
4ba560
 	result = isc_quota_attach(&client->manager->sctx->updquota,
4ba560
 				  &(isc_quota_t *){ NULL });
4ba560
 	if (result != ISC_R_SUCCESS) {
4ba560
-- 
4ba560
2.39.1
4ba560