rpms / bind9.16

Clone
Source Code
GIT

Blame SOURCES/bind-9.16-CVE-2022-3094-3.patch

c8 c8-beta c8s
  1.   7e24dfe67f2c966604f432a9a73c6772198c3238
  2.   SOURCES
  3.   bind-9.16-CVE-2022-3094-3.patch
Blob History Raw
7e24df 
From 93b8bd39145566053ad8b22cef597146e9175ea4 Mon Sep 17 00:00:00 2001
7e24df 
From: Evan Hunt <each@isc.org>
7e24df 
Date: Tue, 8 Nov 2022 17:32:41 -0800
7e24df 
Subject: [PATCH] move update ACL and update-policy checks before quota
7e24df
7e24df 
check allow-update, update-policy, and allow-update-forwarding before
7e24df 
consuming quota slots, so that unauthorized clients can't fill the
7e24df 
quota.
7e24df
7e24df 
(this moves the access check before the prerequisite check, which
7e24df 
violates the precise wording of RFC 2136. however, RFC co-author Paul
7e24df 
Vixie has stated that the RFC is mistaken on this point; it should have
7e24df 
said that access checking must happen *no later than* the completion of
7e24df 
prerequisite checks, not that it must happen exactly then.)
7e24df
7e24df 
(cherry picked from commit 964f559edb5036880b8e463b8f190b9007ee055d)
7e24df 
---
7e24df 
 lib/ns/update.c | 335 ++++++++++++++++++++++++++----------------------
7e24df 
 1 file changed, 181 insertions(+), 154 deletions(-)
7e24df
7e24df 
diff --git a/lib/ns/update.c b/lib/ns/update.c
7e24df 
index 9a8c309..036184b 100644
7e24df 
--- a/lib/ns/update.c
7e24df 
+++ b/lib/ns/update.c
7e24df 
@@ -261,6 +261,9 @@ static void
7e24df 
 forward_done(isc_task_t *task, isc_event_t *event);
7e24df 
 static isc_result_t
7e24df 
 add_rr_prepare_action(void *data, rr_t *rr);
7e24df 
+static isc_result_t
7e24df 
+rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
7e24df 
+	  const dns_rdata_t *rdata, bool *flag);
7e24df
7e24df 
 /**************************************************************************/
7e24df
7e24df 
@@ -333,25 +336,26 @@ inc_stats(ns_client_t *client, dns_zone_t *zone, isc_statscounter_t counter) {
7e24df 
 static isc_result_t
7e24df 
 checkqueryacl(ns_client_t *client, dns_acl_t *queryacl, dns_name_t *zonename,
7e24df 
 	      dns_acl_t *updateacl, dns_ssutable_t *ssutable) {
7e24df 
+	isc_result_t result;
7e24df 
 	char namebuf[DNS_NAME_FORMATSIZE];
7e24df 
 	char classbuf[DNS_RDATACLASS_FORMATSIZE];
7e24df 
-	int level;
7e24df 
-	isc_result_t result;
7e24df 
+	bool update_possible =
7e24df 
+		((updateacl != NULL && !dns_acl_isnone(updateacl)) ||
7e24df 
+		 ssutable != NULL);
7e24df
7e24df 
 	result = ns_client_checkaclsilent(client, NULL, queryacl, true);
7e24df 
 	if (result != ISC_R_SUCCESS) {
7e24df 
+		int level = update_possible ? ISC_LOG_ERROR : ISC_LOG_INFO;
7e24df 
+
7e24df 
 		dns_name_format(zonename, namebuf, sizeof(namebuf));
7e24df 
 		dns_rdataclass_format(client->view->rdclass, classbuf,
7e24df 
 				      sizeof(classbuf));
7e24df
7e24df 
-		level = (updateacl == NULL && ssutable == NULL) ? ISC_LOG_INFO
7e24df 
-								: ISC_LOG_ERROR;
7e24df 
-
7e24df 
 		ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
7e24df 
 			      NS_LOGMODULE_UPDATE, level,
7e24df 
 			      "update '%s/%s' denied due to allow-query",
7e24df 
 			      namebuf, classbuf);
7e24df 
-	} else if (updateacl == NULL && ssutable == NULL) {
7e24df 
+	} else if (!update_possible) {
7e24df 
 		dns_name_format(zonename, namebuf, sizeof(namebuf));
7e24df 
 		dns_rdataclass_format(client->view->rdclass, classbuf,
7e24df 
 				      sizeof(classbuf));
7e24df 
@@ -1543,6 +1547,156 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
7e24df 
 	isc_result_t result = ISC_R_SUCCESS;
7e24df 
 	update_event_t *event = NULL;
7e24df 
 	isc_task_t *zonetask = NULL;
7e24df 
+	dns_ssutable_t *ssutable = NULL;
7e24df 
+	dns_message_t *request = client->message;
7e24df 
+	dns_aclenv_t *env =
7e24df 
+		ns_interfacemgr_getaclenv(client->manager->interface->mgr);
7e24df 
+	dns_rdataclass_t zoneclass;
7e24df 
+	dns_rdatatype_t covers;
7e24df 
+	dns_name_t *zonename = NULL;
7e24df 
+	dns_db_t *db = NULL;
7e24df 
+	dns_dbversion_t *ver = NULL;
7e24df 
+
7e24df 
+	CHECK(dns_zone_getdb(zone, &db);;
7e24df 
+	zonename = dns_db_origin(db);
7e24df 
+	zoneclass = dns_db_class(db);
7e24df 
+	dns_zone_getssutable(zone, &ssutable);
7e24df 
+	dns_db_currentversion(db, &ver);
7e24df 
+
7e24df 
+	/*
7e24df 
+	 * Update message processing can leak record existence information
7e24df 
+	 * so check that we are allowed to query this zone.  Additionally,
7e24df 
+	 * if we would refuse all updates for this zone, we bail out here.
7e24df 
+	 */
7e24df 
+	CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone),
7e24df 
+			    dns_zone_getorigin(zone),
7e24df 
+			    dns_zone_getupdateacl(zone), ssutable));
7e24df 
+
7e24df 
+	/*
7e24df 
+	 * Check requestor's permissions.
7e24df 
+	 */
7e24df 
+	if (ssutable == NULL) {
7e24df 
+		CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
7e24df 
+				     "update", dns_zone_getorigin(zone), false,
7e24df 
+				     false));
7e24df 
+	} else if (client->signer == NULL && !TCPCLIENT(client)) {
7e24df 
+		CHECK(checkupdateacl(client, NULL, "update",
7e24df 
+				     dns_zone_getorigin(zone), false, true));
7e24df 
+	}
7e24df 
+
7e24df 
+	if (dns_zone_getupdatedisabled(zone)) {
7e24df 
+		FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
7e24df 
+				     "because the zone is frozen.  Use "
7e24df 
+				     "'rndc thaw' to re-enable updates.");
7e24df 
+	}
7e24df 
+
7e24df 
+	/*
7e24df 
+	 * Prescan the update section, checking for updates that
7e24df 
+	 * are illegal or violate policy.
7e24df 
+	 */
7e24df 
+	for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
7e24df 
+	     result == ISC_R_SUCCESS;
7e24df 
+	     result = dns_message_nextname(request, DNS_SECTION_UPDATE))
7e24df 
+	{
7e24df 
+		dns_name_t *name = NULL;
7e24df 
+		dns_rdata_t rdata = DNS_RDATA_INIT;
7e24df 
+		dns_ttl_t ttl;
7e24df 
+		dns_rdataclass_t update_class;
7e24df 
+
7e24df 
+		get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, &name,
7e24df 
+			       &rdata, &covers, &ttl, &update_class);
7e24df 
+
7e24df 
+		if (!dns_name_issubdomain(name, zonename)) {
7e24df 
+			FAILC(DNS_R_NOTZONE, "update RR is outside zone");
7e24df 
+		}
7e24df 
+		if (update_class == zoneclass) {
7e24df 
+			/*
7e24df 
+			 * Check for meta-RRs.  The RFC2136 pseudocode says
7e24df 
+			 * check for ANY|AXFR|MAILA|MAILB, but the text adds
7e24df 
+			 * "or any other QUERY metatype"
7e24df 
+			 */
7e24df 
+			if (dns_rdatatype_ismeta(rdata.type)) {
7e24df 
+				FAILC(DNS_R_FORMERR, "meta-RR in update");
7e24df 
+			}
7e24df 
+			result = dns_zone_checknames(zone, name, &rdata);
7e24df 
+			if (result != ISC_R_SUCCESS) {
7e24df 
+				FAIL(DNS_R_REFUSED);
7e24df 
+			}
7e24df 
+		} else if (update_class == dns_rdataclass_any) {
7e24df 
+			if (ttl != 0 || rdata.length != 0 ||
7e24df 
+			    (dns_rdatatype_ismeta(rdata.type) &&
7e24df 
+			     rdata.type != dns_rdatatype_any))
7e24df 
+			{
7e24df 
+				FAILC(DNS_R_FORMERR, "meta-RR in update");
7e24df 
+			}
7e24df 
+		} else if (update_class == dns_rdataclass_none) {
7e24df 
+			if (ttl != 0 || dns_rdatatype_ismeta(rdata.type)) {
7e24df 
+				FAILC(DNS_R_FORMERR, "meta-RR in update");
7e24df 
+			}
7e24df 
+		} else {
7e24df 
+			update_log(client, zone, ISC_LOG_WARNING,
7e24df 
+				   "update RR has incorrect class %d",
7e24df 
+				   update_class);
7e24df 
+			FAIL(DNS_R_FORMERR);
7e24df 
+		}
7e24df 
+
7e24df 
+		/*
7e24df 
+		 * draft-ietf-dnsind-simple-secure-update-01 says
7e24df 
+		 * "Unlike traditional dynamic update, the client
7e24df 
+		 * is forbidden from updating NSEC records."
7e24df 
+		 */
7e24df 
+		if (rdata.type == dns_rdatatype_nsec3) {
7e24df 
+			FAILC(DNS_R_REFUSED, "explicit NSEC3 updates are not "
7e24df 
+					     "allowed "
7e24df 
+					     "in secure zones");
7e24df 
+		} else if (rdata.type == dns_rdatatype_nsec) {
7e24df 
+			FAILC(DNS_R_REFUSED, "explicit NSEC updates are not "
7e24df 
+					     "allowed "
7e24df 
+					     "in secure zones");
7e24df 
+		} else if (rdata.type == dns_rdatatype_rrsig &&
7e24df 
+			   !dns_name_equal(name, zonename))
7e24df 
+		{
7e24df 
+			FAILC(DNS_R_REFUSED, "explicit RRSIG updates are "
7e24df 
+					     "currently "
7e24df 
+					     "not supported in secure zones "
7e24df 
+					     "except "
7e24df 
+					     "at the apex");
7e24df 
+		}
7e24df 
+
7e24df 
+		if (ssutable != NULL) {
7e24df 
+			isc_netaddr_t netaddr;
7e24df 
+			dst_key_t *tsigkey = NULL;
7e24df 
+			isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
7e24df 
+
7e24df 
+			if (client->message->tsigkey != NULL) {
7e24df 
+				tsigkey = client->message->tsigkey->key;
7e24df 
+			}
7e24df 
+
7e24df 
+			if (rdata.type != dns_rdatatype_any) {
7e24df 
+				if (!dns_ssutable_checkrules(
7e24df 
+					    ssutable, client->signer, name,
7e24df 
+					    &netaddr, TCPCLIENT(client), env,
7e24df 
+					    rdata.type, tsigkey))
7e24df 
+				{
7e24df 
+					FAILC(DNS_R_REFUSED, "rejected by "
7e24df 
+							     "secure update");
7e24df 
+				}
7e24df 
+			} else {
7e24df 
+				if (!ssu_checkall(db, ver, name, ssutable,
7e24df 
+						  client->signer, &netaddr, env,
7e24df 
+						  TCPCLIENT(client), tsigkey))
7e24df 
+				{
7e24df 
+					FAILC(DNS_R_REFUSED, "rejected by "
7e24df 
+							     "secure update");
7e24df 
+				}
7e24df 
+			}
7e24df 
+		}
7e24df 
+	}
7e24df 
+	if (result != ISC_R_NOMORE) {
7e24df 
+		FAIL(result);
7e24df 
+	}
7e24df 
+
7e24df 
+	update_log(client, zone, LOGLEVEL_DEBUG, "update section prescan OK");
7e24df
7e24df 
 	result = isc_quota_attach(&client->manager->sctx->updquota,
7e24df 
 				  &(isc_quota_t *){ NULL });
7e24df 
@@ -1552,9 +1706,7 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
7e24df 
 			   isc_result_totext(result));
7e24df 
 		ns_stats_increment(client->manager->sctx->nsstats,
7e24df 
 				   ns_statscounter_updatequota);
7e24df 
-		ns_client_drop(client, result);
7e24df 
-		isc_nmhandle_detach(&client->reqhandle);
7e24df 
-		return (DNS_R_DROP);
7e24df 
+		CHECK(DNS_R_DROP);
7e24df 
 	}
7e24df
7e24df 
 	event = (update_event_t *)isc_event_allocate(
7e24df 
@@ -1571,6 +1723,16 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
7e24df 
 	dns_zone_gettask(zone, &zonetask);
7e24df 
 	isc_task_send(zonetask, ISC_EVENT_PTR(&event));
7e24df
7e24df 
+failure:
7e24df 
+	if (db != NULL) {
7e24df 
+		dns_db_closeversion(db, &ver, false);
7e24df 
+		dns_db_detach(&db);
7e24df 
+	}
7e24df 
+
7e24df 
+	if (ssutable != NULL) {
7e24df 
+		dns_ssutable_detach(&ssutable);
7e24df 
+	}
7e24df 
+
7e24df 
 	return (result);
7e24df 
 }
7e24df
7e24df 
@@ -1671,9 +1833,6 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
7e24df 
 		break;
7e24df 
 	case dns_zone_secondary:
7e24df 
 	case dns_zone_mirror:
7e24df 
-		CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone),
7e24df 
-				     "update forwarding", zonename, true,
7e24df 
-				     false));
7e24df 
 		CHECK(send_forward_event(client, zone));
7e24df 
 		break;
7e24df 
 	default:
7e24df 
@@ -1685,8 +1844,6 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
7e24df
7e24df 
 failure:
7e24df 
 	if (result == DNS_R_REFUSED) {
7e24df 
-		INSIST(dns_zone_gettype(zone) == dns_zone_secondary ||
7e24df 
-		       dns_zone_gettype(zone) == dns_zone_mirror);
7e24df 
 		inc_stats(client, zone, ns_statscounter_updaterej);
7e24df 
 	}
7e24df
7e24df 
@@ -2578,7 +2735,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
7e24df 
 	dns_rdatatype_t covers;
7e24df 
 	dns_message_t *request = client->message;
7e24df 
 	dns_rdataclass_t zoneclass;
7e24df 
-	dns_name_t *zonename;
7e24df 
+	dns_name_t *zonename = NULL;
7e24df 
 	dns_ssutable_t *ssutable = NULL;
7e24df 
 	dns_fixedname_t tmpnamefixed;
7e24df 
 	dns_name_t *tmpname = NULL;
7e24df 
@@ -2590,8 +2747,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
7e24df 
 	dns_ttl_t maxttl = 0;
7e24df 
 	uint32_t maxrecords;
7e24df 
 	uint64_t records;
7e24df 
-	dns_aclenv_t *env =
7e24df 
-		ns_interfacemgr_getaclenv(client->manager->interface->mgr);
7e24df
7e24df 
 	INSIST(event->ev_type == DNS_EVENT_UPDATE);
7e24df
7e24df 
@@ -2602,14 +2757,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
7e24df 
 	zonename = dns_db_origin(db);
7e24df 
 	zoneclass = dns_db_class(db);
7e24df 
 	dns_zone_getssutable(zone, &ssutable);
7e24df 
-
7e24df 
-	/*
7e24df 
-	 * Update message processing can leak record existence information
7e24df 
-	 * so check that we are allowed to query this zone.  Additionally
7e24df 
-	 * if we would refuse all updates for this zone we bail out here.
7e24df 
-	 */
7e24df 
-	CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone), zonename,
7e24df 
-			    dns_zone_getupdateacl(zone), ssutable));
7e24df 
+	options = dns_zone_getoptions(zone);
7e24df
7e24df 
 	/*
7e24df 
 	 * Get old and new versions now that queryacl has been checked.
7e24df 
@@ -2745,135 +2893,10 @@ update_action(isc_task_t *task, isc_event_t *event) {
7e24df
7e24df 
 	update_log(client, zone, LOGLEVEL_DEBUG, "prerequisites are OK");
7e24df
7e24df 
-	/*
7e24df 
-	 * Check Requestor's Permissions.  It seems a bit silly to do this
7e24df 
-	 * only after prerequisite testing, but that is what RFC2136 says.
7e24df 
-	 */
7e24df 
-	if (ssutable == NULL) {
7e24df 
-		CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
7e24df 
-				     "update", zonename, false, false));
7e24df 
-	} else if (client->signer == NULL && !TCPCLIENT(client)) {
7e24df 
-		CHECK(checkupdateacl(client, NULL, "update", zonename, false,
7e24df 
-				     true));
7e24df 
-	}
7e24df 
-
7e24df 
-	if (dns_zone_getupdatedisabled(zone)) {
7e24df 
-		FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
7e24df 
-				     "because the zone is frozen.  Use "
7e24df 
-				     "'rndc thaw' to re-enable updates.");
7e24df 
-	}
7e24df 
-
7e24df 
-	/*
7e24df 
-	 * Perform the Update Section Prescan.
7e24df 
-	 */
7e24df 
-
7e24df 
-	for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
7e24df 
-	     result == ISC_R_SUCCESS;
7e24df 
-	     result = dns_message_nextname(request, DNS_SECTION_UPDATE))
7e24df 
-	{
7e24df 
-		dns_name_t *name = NULL;
7e24df 
-		dns_rdata_t rdata = DNS_RDATA_INIT;
7e24df 
-		dns_ttl_t ttl;
7e24df 
-		dns_rdataclass_t update_class;
7e24df 
-		get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, &name,
7e24df 
-			       &rdata, &covers, &ttl, &update_class);
7e24df 
-
7e24df 
-		if (!dns_name_issubdomain(name, zonename)) {
7e24df 
-			FAILC(DNS_R_NOTZONE, "update RR is outside zone");
7e24df 
-		}
7e24df 
-		if (update_class == zoneclass) {
7e24df 
-			/*
7e24df 
-			 * Check for meta-RRs.  The RFC2136 pseudocode says
7e24df 
-			 * check for ANY|AXFR|MAILA|MAILB, but the text adds
7e24df 
-			 * "or any other QUERY metatype"
7e24df 
-			 */
7e24df 
-			if (dns_rdatatype_ismeta(rdata.type)) {
7e24df 
-				FAILC(DNS_R_FORMERR, "meta-RR in update");
7e24df 
-			}
7e24df 
-			result = dns_zone_checknames(zone, name, &rdata);
7e24df 
-			if (result != ISC_R_SUCCESS) {
7e24df 
-				FAIL(DNS_R_REFUSED);
7e24df 
-			}
7e24df 
-		} else if (update_class == dns_rdataclass_any) {
7e24df 
-			if (ttl != 0 || rdata.length != 0 ||
7e24df 
-			    (dns_rdatatype_ismeta(rdata.type) &&
7e24df 
-			     rdata.type != dns_rdatatype_any))
7e24df 
-			{
7e24df 
-				FAILC(DNS_R_FORMERR, "meta-RR in update");
7e24df 
-			}
7e24df 
-		} else if (update_class == dns_rdataclass_none) {
7e24df 
-			if (ttl != 0 || dns_rdatatype_ismeta(rdata.type)) {
7e24df 
-				FAILC(DNS_R_FORMERR, "meta-RR in update");
7e24df 
-			}
7e24df 
-		} else {
7e24df 
-			update_log(client, zone, ISC_LOG_WARNING,
7e24df 
-				   "update RR has incorrect class %d",
7e24df 
-				   update_class);
7e24df 
-			FAIL(DNS_R_FORMERR);
7e24df 
-		}
7e24df 
-
7e24df 
-		/*
7e24df 
-		 * draft-ietf-dnsind-simple-secure-update-01 says
7e24df 
-		 * "Unlike traditional dynamic update, the client
7e24df 
-		 * is forbidden from updating NSEC records."
7e24df 
-		 */
7e24df 
-		if (rdata.type == dns_rdatatype_nsec3) {
7e24df 
-			FAILC(DNS_R_REFUSED, "explicit NSEC3 updates are not "
7e24df 
-					     "allowed "
7e24df 
-					     "in secure zones");
7e24df 
-		} else if (rdata.type == dns_rdatatype_nsec) {
7e24df 
-			FAILC(DNS_R_REFUSED, "explicit NSEC updates are not "
7e24df 
-					     "allowed "
7e24df 
-					     "in secure zones");
7e24df 
-		} else if (rdata.type == dns_rdatatype_rrsig &&
7e24df 
-			   !dns_name_equal(name, zonename)) {
7e24df 
-			FAILC(DNS_R_REFUSED, "explicit RRSIG updates are "
7e24df 
-					     "currently "
7e24df 
-					     "not supported in secure zones "
7e24df 
-					     "except "
7e24df 
-					     "at the apex");
7e24df 
-		}
7e24df 
-
7e24df 
-		if (ssutable != NULL) {
7e24df 
-			isc_netaddr_t netaddr;
7e24df 
-			dst_key_t *tsigkey = NULL;
7e24df 
-			isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
7e24df 
-
7e24df 
-			if (client->message->tsigkey != NULL) {
7e24df 
-				tsigkey = client->message->tsigkey->key;
7e24df 
-			}
7e24df 
-
7e24df 
-			if (rdata.type != dns_rdatatype_any) {
7e24df 
-				if (!dns_ssutable_checkrules(
7e24df 
-					    ssutable, client->signer, name,
7e24df 
-					    &netaddr, TCPCLIENT(client), env,
7e24df 
-					    rdata.type, tsigkey))
7e24df 
-				{
7e24df 
-					FAILC(DNS_R_REFUSED, "rejected by "
7e24df 
-							     "secure update");
7e24df 
-				}
7e24df 
-			} else {
7e24df 
-				if (!ssu_checkall(db, ver, name, ssutable,
7e24df 
-						  client->signer, &netaddr, env,
7e24df 
-						  TCPCLIENT(client), tsigkey))
7e24df 
-				{
7e24df 
-					FAILC(DNS_R_REFUSED, "rejected by "
7e24df 
-							     "secure update");
7e24df 
-				}
7e24df 
-			}
7e24df 
-		}
7e24df 
-	}
7e24df 
-	if (result != ISC_R_NOMORE) {
7e24df 
-		FAIL(result);
7e24df 
-	}
7e24df 
-
7e24df 
-	update_log(client, zone, LOGLEVEL_DEBUG, "update section prescan OK");
7e24df 
-
7e24df 
 	/*
7e24df 
 	 * Process the Update Section.
7e24df 
 	 */
7e24df
7e24df 
-	options = dns_zone_getoptions(zone);
7e24df 
 	for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
7e24df 
 	     result == ISC_R_SUCCESS;
7e24df 
 	     result = dns_message_nextname(request, DNS_SECTION_UPDATE))
7e24df 
@@ -3307,10 +3330,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
7e24df 
 			if (result == ISC_R_SUCCESS && records > maxrecords) {
7e24df 
 				update_log(client, zone, ISC_LOG_ERROR,
7e24df 
 					   "records in zone (%" PRIu64 ") "
7e24df 
-					   "exceeds"
7e24df 
-					   " max-"
7e24df 
-					   "records"
7e24df 
-					   " (%u)",
7e24df 
+					   "exceeds max-records (%u)",
7e24df 
 					   records, maxrecords);
7e24df 
 				result = DNS_R_TOOMANYRECORDS;
7e24df 
 				goto failure;
7e24df 
@@ -3601,6 +3621,13 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
7e24df 
 	update_event_t *event = NULL;
7e24df 
 	isc_task_t *zonetask = NULL;
7e24df
7e24df 
+	result = checkupdateacl(client, dns_zone_getforwardacl(zone),
7e24df 
+				"update forwarding", dns_zone_getorigin(zone),
7e24df 
+				true, false);
7e24df 
+	if (result != ISC_R_SUCCESS) {
7e24df 
+		return (result);
7e24df 
+	}
7e24df 
+
7e24df 
 	result = isc_quota_attach(&client->manager->sctx->updquota,
7e24df 
 				  &(isc_quota_t *){ NULL });
7e24df 
 	if (result != ISC_R_SUCCESS) {
7e24df 
--
7e24df 
2.39.1
7e24df

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation