1913. [func] Integrate contibuted DLZ code into named. [RT #11382]

CHANGES

+1913.	[func]		Integrate contibuted DLZ code into named. [RT #11382]
+
 1912.	[port]		aix: atomic locking for powerpc. [RT #15020]
 
 1911.	[bug]		Update windows socket code. [RT #14965]

bin/check/check-tool.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check-tool.c,v 1.19 2005/08/24 23:53:54 marka Exp $ */
+/* $Id: check-tool.c,v 1.20 2005/09/05 00:10:51 marka Exp $ */
 
 /*! \file */
 
@@ -435,7 +435,7 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
 		dns_zone_setchecksrv(zone, checksrv);
 
 	CHECK(dns_zone_load(zone));
-	if (zonep != NULL){
+	if (zonep != NULL) {
 		*zonep = zone;
 		zone = NULL;
 	}

bin/named/Makefile.in

@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.86 2005/01/12 01:56:06 marka Exp $
+# $Id: Makefile.in,v 1.87 2005/09/05 00:10:51 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -31,12 +31,20 @@ DBDRIVER_SRCS =
 DBDRIVER_INCLUDES =
 DBDRIVER_LIBS =
 
+DLZ_DRIVER_DIR =	${top_srcdir}/contrib/dlz/drivers
+
+DLZDRIVER_OBJS =	@DLZ_DRIVER_OBJS@
+DLZDRIVER_SRCS =	@DLZ_DRIVER_SRCS@
+DLZDRIVER_INCLUDES =	@DLZ_DRIVER_INCLUDES@
+DLZDRIVER_LIBS =	@DLZ_DRIVER_LIBS@
+
 CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include \
 		${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
 		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
-		${DBDRIVER_INCLUDES}
+		${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES}
+
+CDEFINES =      @USE_DLZ@
 
-CDEFINES =
 CWARNINGS =
 
 DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
@@ -57,7 +65,8 @@ DEPLIBS =	${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
 		${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
 
 LIBS =		${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
-		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
+		${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
+		${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
 
 SUBDIRS =	unix
 
@@ -71,7 +80,7 @@ OBJS =		builtin.@O@ client.@O@ config.@O@ control.@O@ \
 		zoneconf.@O@ \
 		lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
 		lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
-		$(DBDRIVER_OBJS)
+		${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}
 
 UOBJS =		unix/os.@O@
 
@@ -83,7 +92,7 @@ SRCS =		builtin.c client.c config.c control.c \
 		zoneconf.c \
 		lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
 		lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
-		$(DBDRIVER_SRCS)
+		${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
 
 MANPAGES =	named.8 lwresd.8 named.conf.5
 
@@ -133,3 +142,4 @@ install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
 	${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8
 	${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
 
+@DLZ_DRIVER_RULES@

bin/named/main.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: main.c,v 1.147 2005/06/10 07:00:19 marka Exp $ */
+/* $Id: main.c,v 1.148 2005/09/05 00:10:52 marka Exp $ */
 
 /*! \file */
 
@@ -73,6 +73,13 @@
  */
 /* #include "xxdb.h" */
 
+/*
+ * Include DLZ drivers if appropriate.
+ */
+#ifdef DLZ
+#include <dlz/dlz_drivers.h>
+#endif
+
 static isc_boolean_t	want_stats = ISC_FALSE;
 static char		program_name[ISC_DIR_NAMEMAX] = "named";
 static char		absolute_conffile[ISC_DIR_PATHMAX];
@@ -675,6 +682,16 @@ setup(void) {
 	 */
 	/* xxdb_init(); */
 
+#ifdef DLZ
+	/*
+	 * Registyer any DLZ drivers.
+	 */
+	result = dlz_drivers_init();
+	if (result != ISC_R_SUCCESS)
+		ns_main_earlyfatal("dlz_drivers_init() failed: %s",
+				   isc_result_totext(result));
+#endif
+
 	ns_server_create(ns_g_mctx, &ns_g_server);
 }
 
@@ -691,6 +708,13 @@ cleanup(void) {
 	 */
 	/* xxdb_clear(); */
 
+#ifdef DLZ
+	/*
+	 * Unregister any DLZ drivers.
+	 */
+	dlz_drivers_clear();
+#endif
+
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
 		      ISC_LOG_NOTICE, "exiting");
 	ns_log_shutdown();

bin/named/query.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.272 2005/08/18 00:57:26 marka Exp $ */
+/* $Id: query.c,v 1.273 2005/09/05 00:10:52 marka Exp $ */
 
 /*! \file */
 
@@ -29,6 +29,9 @@
 #include <dns/adb.h>
 #include <dns/byaddr.h>
 #include <dns/db.h>
+#ifdef DLZ
+#include <dns/dlz.h>
+#endif
 #include <dns/events.h>
 #include <dns/message.h>
 #include <dns/ncache.h>
@@ -508,7 +511,7 @@ ns_query_init(ns_client_t *client) {
 	client->query.authdb = NULL;
 	client->query.authzone = NULL;
 	client->query.authdbset = ISC_FALSE;
-	client->query.isreferral = ISC_FALSE;	
+	client->query.isreferral = ISC_FALSE;
 	query_reset(client, ISC_FALSE);
 	result = query_newdbversion(client, 3);
 	if (result != ISC_R_SUCCESS) {
@@ -577,7 +580,7 @@ query_validatezonedb(ns_client_t *client, dns_name_t *name,
 	/*
 	 * This limits our searching to the zone where the first name
 	 * (the query target) was looked for.  This prevents following
-	 * CNAMES or DNAMES into other zones and prevents returning 
+	 * CNAMES or DNAMES into other zones and prevents returning
 	 * additional data from other zones.
 	 */
 	if (!client->view->additionalfromauth &&
@@ -654,7 +657,7 @@ query_validatezonedb(ns_client_t *client, dns_name_t *name,
 						      ISC_LOG_DEBUG(3),
 						      "%s approved", msg);
 				}
-		    	} else {
+			} else {
 				ns_client_aclmsg("query", name, qtype,
 						 client->view->rdclass,
 						 msg, sizeof(msg));
@@ -733,7 +736,7 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
 	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
 		result = dns_zone_getdb(zone, &db);
 
-	if (result != ISC_R_SUCCESS)		
+	if (result != ISC_R_SUCCESS)
 		goto fail;
 
 	result = query_validatezonedb(client, name, qtype, options, zone, db,
@@ -801,7 +804,7 @@ query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
 	if (check_acl) {
 		isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
 		char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")];
-		
+
 		result = ns_client_checkaclsilent(client,
 						  client->view->queryacl,
 						  ISC_TRUE);
@@ -867,9 +870,85 @@ query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
 {
 	isc_result_t result;
 
+#ifdef DLZ
+	isc_result_t tresult;
+	unsigned int namelabels;
+	unsigned int zonelabels;
+	dns_zone_t *zone = NULL;
+	dns_db_t *tdbp;
+
+	REQUIRE(zonep != NULL && *zonep == NULL);
+
+	tdbp = NULL;
+
+	/* Calculate how many labels are in name. */
+	namelabels = dns_name_countlabels(name);
+	zonelabels = 0;
+
+	/* Try to find name in bind's standard database. */
+	result = query_getzonedb(client, name, qtype, options, &zone,
+				 dbp, versionp);
+
+	/* See how many labels are in the zone's name.	  */
+	if (result == ISC_R_SUCCESS && zone != NULL)
+		zonelabels = dns_name_countlabels(dns_zone_getorigin(zone));
+	/*
+	 * If # zone labels < # name labels, try to find an even better match
+	 * Only try if a DLZ driver is loaded for this view
+	 */
+	if (zonelabels < namelabels && client->view->dlzdatabase != NULL) {
+		tresult = dns_dlzfindzone(client->view, name,
+					  zonelabels, &tdbp);
+		 /* If we successful, we found a better match. */
+		if (tresult == ISC_R_SUCCESS) {
+			/*
+			 * If the previous search returned a zone, detach it.
+			 */
+			if (zone != NULL)
+				dns_zone_detach(&zone);
+
+			/*
+			 * If the previous search returned a database,
+			 * detach it.
+			 */
+			if (*dbp != NULL)
+				dns_db_detach(dbp);
+
+			/*
+			 * If the previous search returned a version, clear it.
+			 */
+			*versionp = NULL;
+
+			/*
+			 * Get our database version.
+			 */
+			dns_db_currentversion(tdbp, versionp);
+
+			/*
+			 * Be sure to return our database.
+			 */
+			*dbp = tdbp;
+
+			/*
+			 * We return a null zone, No stats for DLZ zones.
+			 */
+			zone = NULL;
+			result = tresult;
+		}
+	}
+#else
 	result = query_getzonedb(client, name, qtype, options,
 				 zonep, dbp, versionp);
+#endif
+
+	/* If successfull, Transfer ownership of zone. */
 	if (result == ISC_R_SUCCESS) {
+#ifdef DLZ
+		*zonep = zone;
+#endif
+		/*
+		 * If neither attempt above succeeded, return the cache instead
+		 */
 		*is_zonep = ISC_TRUE;
 	} else if (result == ISC_R_NOTFOUND) {
 		result = query_getcachedb(client, name, qtype, dbp, options);
@@ -1032,7 +1111,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 		 */
 		goto try_glue;
 
-	result = dns_db_find(db, name, version, type,  client->query.dboptions,
+	result = dns_db_find(db, name, version, type, client->query.dboptions,
 			     client->now, &node, fname, rdataset,
 			     sigrdataset);
 	if (result == ISC_R_SUCCESS)
@@ -1248,7 +1327,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 	 * recursing to add address records, which in turn can cause
 	 * recursion to add KEYs.
 	 */
- 	if (type == dns_rdatatype_srv && trdataset != NULL) {
+	if (type == dns_rdatatype_srv && trdataset != NULL) {
 		/*
 		 * If we're adding SRV records to the additional data
 		 * section, it's helpful if we add the SRV additional data
@@ -1325,7 +1404,7 @@ query_iscachevalid(dns_zone_t *zone, dns_db_t *db, dns_db_t *db0,
 	dns_db_closeversion(db_current, &version_current, ISC_FALSE);
 	if (db0 == NULL && db_current != NULL)
 		dns_db_detach(&db_current);
-	
+
 	return (result);
 }
 
@@ -1391,7 +1470,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 	 * lookup and iterate over the node.
 	 * XXXJT: this approach can cause a suboptimal result when the cache
 	 * DB only has partial address types and the glue DB has remaining
-	 * ones. 
+	 * ones.
 	 */
 	type = dns_rdatatype_any;
 
@@ -1682,7 +1761,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
  setcache:
 	/*
 	 * Set the new result in the cache if required.  We do not support
-	 * caching additional data from a cache DB. 
+	 * caching additional data from a cache DB.
 	 */
 	if (needadditionalcache == ISC_TRUE &&
 	    (additionaltype == dns_rdatasetadditional_fromauth ||
@@ -2429,20 +2508,20 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db,
 	 *   Given:
 	 *	example SOA
 	 *	example NSEC b.example
-	 * 	b.example A
-	 * 	b.example NSEC a.d.example
-	 * 	a.d.example A
-	 * 	a.d.example NSEC g.f.example
-	 * 	g.f.example A
-	 * 	g.f.example NSEC z.i.example
-	 * 	z.i.example A
-	 * 	z.i.example NSEC example
+	 *	b.example A
+	 *	b.example NSEC a.d.example
+	 *	a.d.example A
+	 *	a.d.example NSEC g.f.example
+	 *	g.f.example A
+	 *	g.f.example NSEC z.i.example
+	 *	z.i.example A
+	 *	z.i.example NSEC example
 	 *
 	 *   QNAME:
 	 *   a.example -> example NSEC b.example
-	 * 	owner common example
-	 * 	next common example
-	 * 	wild *.example
+	 *	owner common example
+	 *	next common example
+	 *	wild *.example
 	 *   d.b.example -> b.example NSEC a.d.example
 	 *	owner common b.example
 	 *	next common example
@@ -2453,7 +2532,7 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db,
 	 *	wild *.f.example
 	 *  j.example -> z.i.example NSEC example
 	 *	owner common example
-	 * 	next common example
+	 *	next common example
 	 *	wild *.f.example
 	 */
 	options = client->query.dboptions | DNS_DBFIND_NOWILD;
@@ -2514,7 +2593,7 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db,
 			name = wname;
 			goto again;
 		}
-	} 
+	}
  cleanup:
 	if (rdataset != NULL)
 		query_putrdataset(client, &rdataset);
@@ -2777,7 +2856,7 @@ static isc_result_t
 rdata_tonetaddr(dns_rdata_t *rdata, isc_netaddr_t *netaddr) {
 	struct in_addr ina;
 	struct in6_addr in6a;
-	
+
 	switch (rdata->type) {
 	case dns_rdatatype_a:
 		INSIST(rdata->length == 4);
@@ -2830,7 +2909,7 @@ setup_query_sortlist(ns_client_t *client) {
 	isc_netaddr_t netaddr;
 	dns_rdatasetorderfunc_t order = NULL;
 	void *order_arg = NULL;
-	
+
 	isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
 	switch (ns_sortlist_setup(client->view->sortlist,
 			       &netaddr, &order_arg)) {
@@ -3121,7 +3200,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 
 		goto resume;
 	}
-	
+
 	/*
 	 * Not returning from recursion.
 	 */
@@ -3216,7 +3295,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 
 	if (event == NULL && client->query.restarts == 0) {
 		if (is_zone) {
-			dns_zone_attach(zone, &client->query.authzone);
+#ifdef DLZ
+			if (zone != NULL) {
+				/*
+				 * if is_zone = true, zone = NULL then this is
+				 * a DLZ zone.  Don't attempt to attach zone.
+				 */
+#endif
+				dns_zone_attach(zone, &client->query.authzone);
+#ifdef DLZ
+			}
+#endif
 			dns_db_attach(db, &client->query.authdb);
 		}
 		client->query.authdbset = ISC_TRUE;
@@ -4131,10 +4220,10 @@ ns_query_start(ns_client_t *client) {
 
 	if ((message->flags & DNS_MESSAGEFLAG_RD) != 0)
 		client->query.attributes |= NS_QUERYATTR_WANTRECURSION;
-	
+
 	if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0)
 		client->attributes |= NS_CLIENTATTR_WANTDNSSEC;
-	
+
 	if (client->view->minimalresponses)
 		client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
 					     NS_QUERYATTR_NOADDITIONAL);

bin/named/server.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.449 2005/08/23 02:36:07 marka Exp $ */
+/* $Id: server.c,v 1.450 2005/09/05 00:10:52 marka Exp $ */
 
 /*! \file */
 
@@ -48,6 +48,9 @@
 #include <dns/cache.h>
 #include <dns/db.h>
 #include <dns/dispatch.h>
+#ifdef DLZ
+#include <dns/dlz.h>
+#endif
 #include <dns/forward.h>
 #include <dns/journal.h>
 #include <dns/keytable.h>
@@ -826,6 +829,11 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 	cfg_obj_t *forwarders;
 	cfg_obj_t *alternates;
 	cfg_obj_t *zonelist;
+#ifdef DLZ
+ 	cfg_obj_t *dlz;
+ 	unsigned int dlzargc;
+ 	char **dlzargv;
+#endif
 	cfg_obj_t *disabled;
 	cfg_obj_t *obj;
 	cfg_listelt_t *element;
@@ -954,6 +962,45 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 				     actx));
 	}
 
+#ifdef DLZ
+	/*
+	 * Create Dynamically Loadable Zone driver.
+	 */
+	dlz = NULL;
+	if (voptions != NULL)
+		(void)cfg_map_get(voptions, "dlz", &dlz);
+	else
+		(void)cfg_map_get(config, "dlz", &dlz);
+
+	obj = NULL;
+	if (dlz != NULL) {
+		(void)cfg_map_get(cfg_tuple_get(dlz, "options"),
+				  "database", &obj);
+		if (obj != NULL) {
+			char *s = isc_mem_strdup(mctx, cfg_obj_asstring(obj));
+			if (s == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto cleanup;
+			}
+			
+			result = dns_dlzstrtoargv(mctx, s, &dlzargc, &dlzargv);
+			if (result != ISC_R_SUCCESS) {
+				isc_mem_free(mctx, s);
+				goto cleanup;
+			}
+
+			obj = cfg_tuple_get(dlz, "name");
+			result = dns_dlzcreate(mctx, cfg_obj_asstring(obj),
+					       dlzargv[0], dlzargc, dlzargv,
+					       &view->dlzdatabase);
+			isc_mem_free(mctx, s);
+			isc_mem_put(mctx, dlzargv, dlzargc * sizeof(*dlzargv));
+			if (result == ISC_R_SUCCESS)
+				goto cleanup;
+		}
+	}
+#endif
+
 	/*
 	 * Configure the view's cache.  Try to reuse an existing
 	 * cache if possible, otherwise create a new cache.

bin/named/xfrout.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrout.c,v 1.119 2005/04/27 04:55:55 sra Exp $ */
+/* $Id: xfrout.c,v 1.120 2005/09/05 00:10:53 marka Exp $ */
 
 #include <config.h>
 
@@ -27,6 +27,9 @@
 
 #include <dns/db.h>
 #include <dns/dbiterator.h>
+#ifdef DLZ
+#include <dns/dlz.h>
+#endif
 #include <dns/fixedname.h>
 #include <dns/journal.h>
 #include <dns/message.h>
@@ -905,6 +908,9 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 	char msg[NS_CLIENT_ACLMSGSIZE("zone transfer")];
 	char keyname[DNS_NAME_FORMATSIZE];
 	isc_boolean_t is_poll = ISC_FALSE;
+#ifdef DLZ
+	isc_boolean_t is_dlz = ISC_FALSE;
+#endif
 
 	switch (reqtype) {
 	case dns_rdatatype_axfr:
@@ -955,19 +961,71 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 
 	result = dns_zt_find(client->view->zonetable, question_name, 0, NULL,
 			     &zone);
+
 	if (result != ISC_R_SUCCESS)
-		FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
-		      question_name, question_class);
-	switch(dns_zone_gettype(zone)) {
-	case dns_zone_master:
-	case dns_zone_slave:
-		break;	/* Master and slave zones are OK for transfer. */
-	default:
-		FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
-		      question_name, question_class);
+#ifdef DLZ
+	{
+		/*
+		 * Normal zone table does not have a match.  Try the DLZ database
+		 */
+	    	if (client->view->dlzdatabase != NULL) {
+			result = dns_dlzallowzonexfr(client->view,
+						     question_name, &client->peeraddr,
+						     &db);
+
+			if (result == ISC_R_NOPERM) {
+				char _buf1[DNS_NAME_FORMATSIZE];
+				char _buf2[DNS_RDATACLASS_FORMATSIZE];
+
+				result = DNS_R_REFUSED;
+				dns_name_format(question_name, _buf1,
+						sizeof(_buf1));
+				dns_rdataclass_format(question_class,
+						      _buf2, sizeof(_buf2));
+				ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+					      NS_LOGMODULE_XFER_OUT,
+					      ISC_LOG_ERROR,
+					      "zone transfer '%s/%s' denied",
+					      _buf1, _buf2);
+				goto failure;
+			}
+			if (result != ISC_R_SUCCESS)
+#endif
+			FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
+				  question_name, question_class);
+#ifdef DLZ
+			is_dlz = ISC_TRUE;
+			/*
+			 * DLZ only support full zone transfer, not incremental
+			 */
+			if (reqtype != dns_rdatatype_axfr) {
+				mnemonic = "AXFR-style IXFR";
+				reqtype = dns_rdatatype_axfr;
+			}
+
+		} else {
+			/*
+		 	 * not DLZ and not in normal zone table, we are
+			 * not authoritative
+			 */
+			FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
+			      question_name, question_class);
+		}
+	} else {
+		/* zone table has a match */
+#endif
+		switch(dns_zone_gettype(zone)) {
+			case dns_zone_master:
+			case dns_zone_slave:
+				break;	/* Master and slave zones are OK for transfer. */
+			default:
+				FAILQ(DNS_R_NOTAUTH, "non-authoritative zone", question_name, question_class);
+			}
+		CHECK(dns_zone_getdb(zone, &db));
+		dns_db_currentversion(db, &ver);
+#ifdef DLZ
 	}
-	CHECK(dns_zone_getdb(zone, &db));
-	dns_db_currentversion(db, &ver);
+#endif
 
 	xfrout_log1(client, question_name, question_class, ISC_LOG_DEBUG(6),
 		    "%s question section OK", mnemonic);
@@ -1023,11 +1081,20 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 	/*
 	 * Decide whether to allow this transfer.
 	 */
-	ns_client_aclmsg("zone transfer", question_name, reqtype,
-