Commit aebdc6cd authored by Evan Hunt's avatar Evan Hunt

[master] log when update-policy local gets a key match from a remote host

4788.	[cleanup]	When using "update-policy local", log a warning
			when an update matching the session key is received
			from a remote host. [RT #46213]

- this completes change #4762.
parent 910a0155
4788. [cleanup] When using "update-policy local", log a warning
when an update matching the session key is received
from a remote host. [RT #46213]
4787. [cleanup] Turn nsec3param_salt_totext() into a public function,
dns_nsec3param_salttotext(), and add unit tests for it.
[RT #46289]
......
......@@ -486,6 +486,7 @@ fi
n=`expr $n + 1`
ret=0
echo "I:check that 'update-policy local' fails from non-localhost address ($n)"
grep 'match on session key not from localhost' ns5/named.run > /dev/null && ret=1
$NSUPDATE -p 5300 -k ns5/session.key > nsupdate.out.$n 2>&1 << END && ret=1
server 10.53.0.5 5300
local 10.53.0.1
......@@ -493,6 +494,7 @@ update add nonlocal.local.nil. 600 A 4.3.2.1
send
END
grep REFUSED nsupdate.out.$n > /dev/null 2>&1 || ret=1
grep 'match on session key not from localhost' ns5/named.run > /dev/null || ret=1
$DIG @10.53.0.5 -p 5300 \
+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
nonlocal.local.nil. > dig.out.ns5.$n || ret=1
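Review bot: The log pattern `match on session key not from localhost` is now hard-coded twice (the pre-check grep at L23 and the post-check grep at L31), so a later wording change in ssu.c would have to be mirrored in both places; assigning it once, `msg='match on session key not from localhost'`, and using `grep "$msg" ns5/named.run` in both would keep them in step. The two greps also redirect differently: L23 uses `> /dev/null` while the neighbouring L30 uses `> /dev/null 2>&1`. Since both greps scan the whole cumulative ns5/named.run, the pre-check is what makes the post-check meaningful; worth a one-line comment above L23 saying so, e.g. `# the warning must not already be present, or the check below proves nothing`.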
......
......@@ -73,6 +73,7 @@ LIBDNS_EXTERNAL_DATA extern isc_logmodule_t dns_modules[];
#define DNS_LOGMODULE_NTA (&dns_modules[30])
#define DNS_LOGMODULE_DYNDB (&dns_modules[31])
#define DNS_LOGMODULE_DNSTAP (&dns_modules[32])
#define DNS_LOGMODULE_SSU (&dns_modules[33])
ISC_LANG_BEGINDECLS
......
......@@ -79,6 +79,7 @@ LIBDNS_EXTERNAL_DATA isc_logmodule_t dns_modules[] = {
{ "dns/nta", 0 },
{ "dns/dyndb", 0 },
{ "dns/dnstap", 0 },
{ "dns/ssu", 0 },
{ NULL, 0 }
};
......
......@@ -425,12 +425,21 @@ dns_ssutable_checkrules2(dns_ssutable_t *table, const dns_name_t *signer,
continue;
}
if (!dns_name_issubdomain(name, rule->name)) {
continue;
}
dns_acl_match(addr, NULL, env->localhost,
NULL, &match, NULL);
if (match == 0) {
if (signer != NULL) {
isc_log_write(dns_lctx,
DNS_LOGCATEGORY_GENERAL,
DNS_LOGMODULE_SSU,
ISC_LOG_WARNING,
"update-policy local: "
"match on session "
"key not from "
"localhost");
}
continue;
}
break;
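Review bot: The warning written at L61-68 tells the operator that a session-key-signed update came from a non-localhost address but records neither that address nor the signer name, so the log line cannot be tied to a host or an ACL entry without separate packet capture. Assuming `addr` is the `isc_netaddr_t` passed to dns_acl_match on L57 and `signer` is the `dns_name_t` tested on L60, both can be formatted into the message; the nsupdate test greps a substring, so keeping the existing phrase as a prefix leaves that check intact. The return value of dns_acl_match on L57 is still ignored, so `match` should be initialised before the `match == 0` test on L59 — not visible in this hunk, please confirm. dns_ssutable_checkrules2 begins and ends outside the hunk.
```c
if (match == 0) {
	if (signer != NULL) {
		char addrbuf[ISC_NETADDR_FORMATSIZE];
		char namebuf[DNS_NAME_FORMATSIZE];

		isc_netaddr_format(addr, addrbuf, sizeof(addrbuf));
		dns_name_format(signer, namebuf, sizeof(namebuf));
		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
			      DNS_LOGMODULE_SSU, ISC_LOG_WARNING,
			      "update-policy local: match on session "
			      "key not from localhost: signer '%s' "
			      "from %s", namebuf, addrbuf);
	}
	continue;
}
/* ... unchanged: break ... */
```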
......