Commit 3cb9bb66 authored by Mark Andrews's avatar Mark Andrews

move checks earlier

parent 52933924
......@@ -2741,9 +2741,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
if (ssutable == NULL) {
CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
"update", zonename, false, false));
} else if (client->signer == NULL && !TCPCLIENT(client)) {
CHECK(checkupdateacl(client, NULL, "update", zonename, false,
true));
}
if (dns_zone_getupdatedisabled(zone)) {
......@@ -2857,6 +2854,25 @@ update_action(isc_task_t *task, isc_event_t *event) {
FAILC(DNS_R_REFUSED,
"rejected by secure update");
}
/*
* There must be no records at the name except
* the the record to be added.
*/
if (IS_ADD_NEW(rules[rule])) {
bool flag;
result = rr_exists(db, ver, name,
&rdata, &flag);
if (result == ISC_R_SUCCESS && flag) {
continue;
}
CHECK(name_exists(db, ver, name,
&flag));
if (flag) {
FAILC(DNS_R_REFUSED,
"rejected by secure "
"update");
}
}
} else {
if (!ssu_checkall(db, ver, name, ssutable,
client->signer, zonename,
......@@ -2897,25 +2913,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
&rdata, &covers, &ttl, &update_class);
if (update_class == zoneclass) {
/*
* There must be no records at the name except the
* the record to be added.
*/
if (ssutable != NULL && IS_ADD_NEW(rules[rule])) {
result = foreach_rr(db, ver, name, rdata.type,
covers, rrset_exists_action,
NULL);
if (result == ISC_R_EXISTS) {
continue;
}
CHECK(result);
CHECK(name_exists(db, ver, name, &flag));
if (flag) {
FAILC(DNS_R_REFUSED,
"rejected by secure update");
}
}
/*
* RFC1123 doesn't allow MF and MD in master zones.
*/
......
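Review bot: In the added IS_ADD_NEW block, a failure from `rr_exists()` is silently dropped: `result` is only tested for `ISC_R_SUCCESS && flag`, so any error falls through to `name_exists()`, whereas the removed code ran `CHECK(result)`. Propagate it instead, e.g. `CHECK(rr_exists(db, ver, name, &rdata, &flag));` followed by `if (flag) { continue; }`. The relocated check also no longer sits under the `update_class == zoneclass` guard that enclosed the removed block, and it appears to run in the earlier scan of the update section, so it would be evaluated against the zone state before any record in the same message is applied; if both are intended, a comment stating that the add-new rule is enforced per record against the pre-update database, and for which classes, would help the next reader of this access-control path. The `continue` also skips whatever follows in that loop body, which lies outside the hunk. The comment's "the the record" can be fixed while here.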