don't fail when allow-update{,-forwarding} is used globally

91dca0f8 · Evan Hunt · 11c862ef · 91dca0f8 · 91dca0f8 · 91dca0f8
Commit 91dca0f8 authored Mar 19, 2019 by Evan Hunt
7 changed files
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -5074,8 +5074,9 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,

 	/*
 	 * Configure default allow-update and allow-update-forwarding ACLs,
-	 * so they can be inherited by zones.  (Note these cannot be set at
-	 * options/view level.)
+	 * so they can be inherited by zones. (XXX: These are not
+	 * read from the options/view level here. However, they may be
+	 * read from there in zoneconf.c:configure_zone_acl() later.)
 	 */
 	if (view->updateacl == NULL) {
 		CHECK(configure_view_acl(NULL, NULL, named_g_config,

--- a/bin/tests/system/checkconf/bad-allow-update-forwarding-view.conf
+++ b/bin/tests/system/checkconf/bad-allow-update-forwarding-view.conf
@@ -9,6 +9,6 @@
 * information regarding copyright ownership.
 */

-view {
+view one {
 	allow-update-forwarding { any; };
 };
--- a/bin/tests/system/checkconf/bad-allow-update-forwarding.conf
+++ b/bin/tests/system/checkconf/bad-allow-update-forwarding.conf
--- a/bin/tests/system/checkconf/bad-allow-update-view.conf
+++ b/bin/tests/system/checkconf/bad-allow-update-view.conf
@@ -9,6 +9,6 @@
 * information regarding copyright ownership.
 */

-view {
+view one {
 	allow-update { any; };
 };
--- a/bin/tests/system/checkconf/bad-allow-update.conf
+++ b/bin/tests/system/checkconf/bad-allow-update.conf
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -7025,15 +7025,21 @@ options {
 		  When set in the <command>zone</command> statement for
 		  a master zone, specifies which hosts are allowed to
 		  submit Dynamic DNS updates to that zone.  The default
-		  is to deny updates from all hosts.  This can only
-		  be set at the <command>zone</command> level, not in
-		  <command>options</command> or <command>view</command>.
+		  is to deny updates from all hosts.
 		</para>
 		<para>
 		  Note that allowing updates based on the
 		  requestor's IP address is insecure; see
 		  <xref linkend="dynamic_update_security"/> for details.
 		</para>
+		<para>
+		  In general this option should only be set at the
+		  <command>zone</command> level. While a default
+		  value can be set at the <command>options</command> or
+		  <command>view</command> level and inherited by zones,
+		  this could lead to some zones unintentionally allowing
+		  updates.
+		</para>
 	      </listitem>
 	    </varlistentry>

@@ -7046,9 +7052,7 @@ options {
 		  submit Dynamic DNS updates and have them be forwarded
 		  to the master.  The default is
 		  <userinput>{ none; }</userinput>, which means that no
-		  update forwarding will be performed.  This can only be
-		  set at the <command>zone</command> level, not in
-		  <command>options</command> or <command>view</command>.
+		  update forwarding will be performed.
 		</para>
 		<para>
 		  To enable update forwarding, specify
@@ -7066,6 +7070,14 @@ options {
 		  on insecure IP-address-based access control; see
 		  <xref linkend="dynamic_update_security"/> for more details.
 		</para>
+		<para>
+		  In general this option should only be set at the
+		  <command>zone</command> level. While a default
+		  value can be set at the <command>options</command> or
+		  <command>view</command> level and inherited by zones,
+		  this can lead to some zones unintentionally forwarding
+		  updates.
+		</para>
 	      </listitem>
 	    </varlistentry>


--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -482,43 +482,6 @@ check_viewacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
 	return (result);
 }

-static isc_result_t
-check_non_viewacls(const cfg_obj_t *voptions, const cfg_obj_t *config,
-		   isc_log_t *logctx)
-{
-	const cfg_obj_t *aclobj = NULL;
-	const cfg_obj_t *options;
-	const char *where = NULL;
-	int i;
-
-	static const char *acls[] = {
-		"allow-update", "allow-update-forwarding", NULL
-	};
-
-	for (i = 0; acls[i] != NULL; i++) {
-		if (voptions != NULL && aclobj == NULL) {
-			cfg_map_get(voptions, acls[i], &aclobj);
-			where = "view";
-		}
-		if (config != NULL && aclobj == NULL) {
-			options = NULL;
-			cfg_map_get(config, "options", &options);
-			if (options != NULL) {
-				cfg_map_get(options, acls[i], &aclobj);
-				where = "options";
-			}
-		}
-		if (aclobj != NULL) {
-			cfg_obj_log(aclobj, logctx, ISC_LOG_ERROR,
-				    "'%s' can only be set per-zone, "
-				    "not in '%s'", acls[i], where);
-			return (ISC_R_FAILURE);
-		}
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
 static const unsigned char zeros[16];

 static isc_result_t
@@ -3702,11 +3665,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	if (tresult != ISC_R_SUCCESS)
 		result = tresult;

-	tresult = check_non_viewacls(voptions, config, logctx);
-	if (tresult != ISC_R_SUCCESS) {
-		result = tresult;
-	}
-
 	tresult = check_recursionacls(actx, voptions, viewname,
 				      config, logctx, mctx);
 	if (tresult != ISC_R_SUCCESS)