Commit 0bfcec25 authored by Mark Andrews's avatar Mark Andrews

254. [bug] suppress "query denied" messages on additional data

			lookups.
 ISC-Bugs #139
parent 1e98bdb4
254. [bug] suppress "query denied" messages on additional data
lookups.
--- 9.0.0b4 released ---
253. [func] resolv.conf parser now recognises ';' and '#' as
......
......@@ -1009,7 +1009,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
/* XXX this will log too much too early */
ns_client_checkacl(client, "recursion",
client->view->recursionacl,
ISC_TRUE) == ISC_R_SUCCESS)
ISC_TRUE, ISC_TRUE) == ISC_R_SUCCESS)
ra = ISC_TRUE;
if (ra == ISC_TRUE)
......@@ -1557,7 +1557,7 @@ ns_client_getsockaddr(ns_client_t *client) {
isc_result_t
ns_client_checkacl(ns_client_t *client,
const char *opname, dns_acl_t *acl,
isc_boolean_t default_allow)
isc_boolean_t default_allow, isc_boolean_t logfailure)
{
isc_result_t result;
int match;
......@@ -1589,7 +1589,8 @@ ns_client_checkacl(ns_client_t *client,
deny:
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
NS_LOGMODULE_CLIENT,
logfailure ? ISC_LOG_ERROR : ISC_LOG_DEBUG(3),
"%s denied", opname);
return (DNS_R_REFUSED);
}
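Review bot: The denial path in the third hunk, `logfailure ? ISC_LOG_ERROR : ISC_LOG_DEBUG(3)`, does not suppress the message when `logfailure` is false; it lowers it to debug level 3, and nothing on the line says so, which is exactly what an operator wondering where the "query denied" entries for additional-data lookups went needs to know. A comment above the ternary would keep that visible: `/* logfailure == ISC_FALSE means the denial is expected (e.g. additional-data lookups); keep a record at debug level rather than dropping it. */`. In the first hunk the recursion check now passes `ISC_TRUE, ISC_TRUE` directly beneath the existing `XXX this will log too much too early` comment, so the new parameter looks like the knob that XXX was waiting for, or the comment should say why it is still wanted at error level. ns_client_checkacl begins in the second hunk and its body between the second and third hunks is outside the page.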
......
......@@ -223,7 +223,8 @@ ns_client_getsockaddr(ns_client_t *client);
isc_result_t
ns_client_checkacl(ns_client_t *client,
const char *opname, dns_acl_t *acl,
isc_boolean_t default_allow);
isc_boolean_t default_allow,
isc_boolean_t logfailure);
/*
* Convenience function for client request ACL checking.
*
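Review bot: The prototype gains `logfailure` but no documentation, and the block comment that follows (`Convenience function for client request ACL checking.`) appears to belong to the next declaration, so a caller has to open client.c to learn what the flag does. A short comment above the declaration would close that gap, e.g. `/* Check the client against 'acl'; 'opname' names the operation in the log line. On denial the message is logged at ISC_LOG_ERROR when 'logfailure' is true, otherwise at ISC_LOG_DEBUG(3). */`. The relationship between a NULL 'acl' and 'default_allow' is not visible here and should be stated in the same comment by someone who can see the function body.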
......
......@@ -67,6 +67,9 @@
#define QTRACE(m) ((void)m)
#endif
#define DNS_GETDB_NOEXACT 0x01U
#define DNS_GETDB_NOLOG 0x02U
static isc_result_t
query_simplefind(void *arg, dns_name_t *name, dns_rdatatype_t type,
......@@ -443,12 +446,14 @@ query_getdb(ns_client_t *client, dns_name_t *name, unsigned int options,
isc_boolean_t check_acl, new_zone;
dns_acl_t *queryacl;
ns_dbversion_t *dbversion;
unsigned int ztoptions;
/*
* Find a database to answer the query.
*/
ztoptions = ((options & DNS_GETDB_NOEXACT) != 0) ? DNS_ZTFIND_NOEXACT : 0;
result = dns_zt_find(client->view->zonetable, name, options, NULL,
result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL,
zonep);
if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
result = dns_zone_getdb(*zonep, dbp);
......@@ -515,11 +520,9 @@ query_getdb(ns_client_t *client, dns_name_t *name, unsigned int options,
}
if (check_acl) {
/*
* XXX RTH need a "should we log acl failure" flag.
*/
isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
result = ns_client_checkacl(client, "query", queryacl,
ISC_TRUE);
ISC_TRUE, log);
if (queryacl == client->view->queryacl) {
if (result == ISC_R_SUCCESS) {
/*
......@@ -769,7 +772,8 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
/*
* Find a database to answer the query.
*/
result = query_getdb(client, name, 0, &zone, &db, &version, &is_zone);
result = query_getdb(client, name, DNS_GETDB_NOLOG,
&zone, &db, &version, &is_zone);
if (result != ISC_R_SUCCESS) {
/*
* We don't want an ACL failure to fail the query.
......@@ -1871,7 +1875,7 @@ query_findparentkey(ns_client_t *client, dns_name_t *name,
is_zone = ISC_FALSE;
dns_fixedname_init(&pfoundname);
result = query_getdb(client, name, DNS_ZTFIND_NOEXACT,
result = query_getdb(client, name, DNS_GETDB_NOEXACT,
&pzone, &pdb, &pversion, &is_zone);
if (result != ISC_R_SUCCESS)
goto cleanup;
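Review bot: The local introduced in the query_getdb hunk, `isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);`, uses a different name from the `logfailure` parameter it feeds and, if <math.h> is visible in this translation unit, shadows `log()`; `isc_boolean_t logfailure = ISC_TF((options & DNS_GETDB_NOLOG) == 0);` together with `ISC_TRUE, logfailure);` keeps the two sides of the interface in step. The new `DNS_GETDB_NOEXACT` and `DNS_GETDB_NOLOG` defines in the first hunk carry no comment, and since NOLOG lowers an ACL denial to debug level rather than dropping it, a one-line note per flag, such as `#define DNS_GETDB_NOLOG 0x02U /* ACL denials logged at debug level only */`, tells a reader of this file why additional-data denials are absent from the error log. The query_getdb body extends beyond both of its hunks.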
......
......@@ -2017,10 +2017,11 @@ update_action(isc_task_t *task, isc_event_t *event) {
if (ssutable == NULL)
CHECK(ns_client_checkacl(client, "update",
dns_zone_getupdateacl(zone),
ISC_FALSE));
ISC_FALSE, ISC_TRUE));
else if (client->signer == NULL) {
/* This gets us a free log message. */
CHECK(ns_client_checkacl(client, "update", NULL, ISC_FALSE));
CHECK(ns_client_checkacl(client, "update", NULL, ISC_FALSE,
ISC_TRUE));
}
/*
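Review bot: The comment `/* This gets us a free log message. */` on the `client->signer == NULL` branch now depends on the trailing `ISC_TRUE` passed as `logfailure`, but nothing ties the two together, so a later edit could switch it to ISC_FALSE and quietly drop the record of refused updates. Amending it to `/* This gets us a free log message (relies on logfailure == ISC_TRUE). */` makes the dependency explicit. update_action begins and ends outside the hunk.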
......
......@@ -15,7 +15,7 @@
* SOFTWARE.
*/
/* $Id: xfrout.c,v 1.67 2000/06/15 00:08:53 bwelling Exp $ */
/* $Id: xfrout.c,v 1.68 2000/06/15 04:41:59 marka Exp $ */
#include <config.h>
......@@ -933,7 +933,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
* Decide whether to allow this transfer.
*/
CHECK(ns_client_checkacl(client, "zone transfer",
dns_zone_getxfracl(zone), ISC_TRUE));
dns_zone_getxfracl(zone), ISC_TRUE, ISC_TRUE));
/*
* AXFR over UDP is not possible.
......