Commit 91dca0f8 authored by Evan Hunt's avatar Evan Hunt

don't fail when allow-update{,-forwarding} is used globally

parent 11c862ef
......@@ -5074,8 +5074,9 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
/*
* Configure default allow-update and allow-update-forwarding ACLs,
* so they can be inherited by zones. (Note these cannot be set at
* options/view level.)
* so they can be inherited by zones. (XXX: These are not
* read from the options/view level here. However, they may be
* read from there in zoneconf.c:configure_zone_acl() later.)
*/
if (view->updateacl == NULL) {
CHECK(configure_view_acl(NULL, NULL, named_g_config,
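Review bot: The rewritten comment opens its parenthetical with "XXX", which in this codebase reads as a marker for something still to be fixed, while the text that follows is an explanation of where the options/view value is consumed; a plain statement would serve readers better, e.g. `* (Only the built-in defaults are applied here; a value set at the` / `* options/view level is picked up in zoneconf.c:configure_zone_acl().)`. The claim that zoneconf.c reads the options/view value is taken from the comment alone, since that code is not in this diff, so it should be verified before the wording is finalised. The enclosing function configure_view() both starts and ends outside this hunk.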
......
......@@ -9,6 +9,6 @@
* information regarding copyright ownership.
*/
view {
view one {
allow-update-forwarding { any; };
};
......@@ -9,6 +9,6 @@
* information regarding copyright ownership.
*/
view {
view one {
allow-update { any; };
};
......@@ -7025,15 +7025,21 @@ options {
When set in the <command>zone</command> statement for
a master zone, specifies which hosts are allowed to
submit Dynamic DNS updates to that zone. The default
is to deny updates from all hosts. This can only
be set at the <command>zone</command> level, not in
<command>options</command> or <command>view</command>.
is to deny updates from all hosts.
</para>
<para>
Note that allowing updates based on the
requestor's IP address is insecure; see
<xref linkend="dynamic_update_security"/> for details.
</para>
<para>
In general this option should only be set at the
<command>zone</command> level. While a default
value can be set at the <command>options</command> or
<command>view</command> level and inherited by zones,
this could lead to some zones unintentionally allowing
updates.
</para>
</listitem>
</varlistentry>
......@@ -7046,9 +7052,7 @@ options {
submit Dynamic DNS updates and have them be forwarded
to the master. The default is
<userinput>{ none; }</userinput>, which means that no
update forwarding will be performed. This can only be
set at the <command>zone</command> level, not in
<command>options</command> or <command>view</command>.
update forwarding will be performed.
</para>
<para>
To enable update forwarding, specify
......@@ -7066,6 +7070,14 @@ options {
on insecure IP-address-based access control; see
<xref linkend="dynamic_update_security"/> for more details.
</para>
<para>
In general this option should only be set at the
<command>zone</command> level. While a default
value can be set at the <command>options</command> or
<command>view</command> level and inherited by zones,
this can lead to some zones unintentionally forwarding
updates.
</para>
</listitem>
</varlistentry>
......
......@@ -482,43 +482,6 @@ check_viewacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
return (result);
}
static isc_result_t
check_non_viewacls(const cfg_obj_t *voptions, const cfg_obj_t *config,
isc_log_t *logctx)
{
const cfg_obj_t *aclobj = NULL;
const cfg_obj_t *options;
const char *where = NULL;
int i;
static const char *acls[] = {
"allow-update", "allow-update-forwarding", NULL
};
for (i = 0; acls[i] != NULL; i++) {
if (voptions != NULL && aclobj == NULL) {
cfg_map_get(voptions, acls[i], &aclobj);
where = "view";
}
if (config != NULL && aclobj == NULL) {
options = NULL;
cfg_map_get(config, "options", &options);
if (options != NULL) {
cfg_map_get(options, acls[i], &aclobj);
where = "options";
}
}
if (aclobj != NULL) {
cfg_obj_log(aclobj, logctx, ISC_LOG_ERROR,
"'%s' can only be set per-zone, "
"not in '%s'", acls[i], where);
return (ISC_R_FAILURE);
}
}
return (ISC_R_SUCCESS);
}
static const unsigned char zeros[16];
static isc_result_t
......@@ -3702,11 +3665,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
if (tresult != ISC_R_SUCCESS)
result = tresult;
tresult = check_non_viewacls(voptions, config, logctx);
if (tresult != ISC_R_SUCCESS) {
result = tresult;
}
tresult = check_recursionacls(actx, voptions, viewname,
config, logctx, mctx);
if (tresult != ISC_R_SUCCESS)
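Review bot: Deleting check_non_viewacls() and its call in check_viewconf() removes the only diagnostic named-checkconf emitted for allow-update and allow-update-forwarding at the options/view level, yet the ARM text added in this same commit says such a default "could lead to some zones unintentionally allowing updates". Downgrading the check to a warning would keep that signal without failing configurations that are now valid: keep the function, change `ISC_LOG_ERROR` to `ISC_LOG_WARNING`, reword the message to `"'%s' set in '%s' is inherited by every zone in it that does not set it"`, and have the function return `ISC_R_SUCCESS` after the loop instead of `ISC_R_FAILURE` inside it. The call site in check_viewconf() would then stay as it was, since a warning does not change `result`. The visible lines of check_viewconf() are a fragment; the function starts and ends outside this hunk.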
......