Clarify ACLs and their interaction in the ARM
Things I noticed in the ARM which I think are in need of clarification:
- allow-query*/allow-recursion* descriptions are just confusing.
- Sections 8.1.4. Address Match Lists and 7.1. Access Control Lists overlap and really should be merged
Summary of how I believe ACLs work
Proceed with caution! Different sets of ACLs affect different queries, depending on whether the server has data in cache or if the data are in an authoritative zone on the server. Caveats:
- `type mirror` zone still counts as cache (cache ACLs apply, I think)
- `type static-stub` zones are not queriable without recursion desired bit anyway
With this in mind, I believe BIND checks this:
- blackhole acl checks client address and drops packets on the floor - highest priority
- for queries into authoritative zones check ONLY:
- allow-query
- allow-query-on
- for queries into cache
- for data present in the cache check:
- recursion (yes, even if no recursion is happening yet)
- allow-query-cache
- allow-query-cache-on
- (no allow-query(-on) ACL here!)
- for data NOT present in the cache additionally check (before a fetch is started):
- allow-recursion
- allow-recursion-on
- I.e. a query which triggers a fetch from elsewhere must match all of allow-query-cache(-on) and allow-recursion(-on)
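To make the check order above concrete, here is a small Python model of it (an added illustration written for this issue, not BIND's code). The `Config` class, the `decide()` helper, the result names (`dropped`, `refused`, `answered`, `fetch`) and all addresses are assumptions; the `-on` variants, which are matched against the server's listening address in the same way, are left out to keep the model short.

```python
"""Model of the ACL check order described in this issue (illustration only, not BIND code).

The Config class, decide() and the sample addresses are assumptions made for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List


def matches(acl: List[str], addr: str) -> bool:
    """Address-match-list semantics: elements are tried in order, the first
    match wins, a leading '!' negates the element, 'any'/'none' as in named.conf.
    An address that matches no element is NOT matched (implicit deny)."""
    ip = ip_address(addr)
    for elem in acl:
        negate = elem.startswith("!")
        pattern = elem[1:] if negate else elem
        if pattern == "any":
            hit = True
        elif pattern == "none":
            hit = False
        else:
            hit = ip in ip_network(pattern, strict=False)
        if hit:
            return not negate
    return False


@dataclass
class Config:
    """The options relevant to the check order (assumed defaults for the example)."""
    recursion: bool = True
    blackhole: List[str] = field(default_factory=lambda: ["none"])
    allow_query: List[str] = field(default_factory=lambda: ["any"])
    allow_query_cache: List[str] = field(default_factory=lambda: ["none"])
    allow_recursion: List[str] = field(default_factory=lambda: ["none"])


def decide(cfg: Config, client: str, authoritative: bool, in_cache: bool) -> str:
    """Apply the checks in the order the issue describes and name the outcome:
    'dropped'  - blackhole matched, packet silently discarded (highest priority)
    'refused'  - some ACL (or recursion no;) blocked the query
    'answered' - data served from the authoritative zone or from cache
    'fetch'    - data missing from cache and recursion is permitted, so a fetch starts
    """
    # 1. blackhole is consulted first and drops the packet on the floor.
    if matches(cfg.blackhole, client):
        return "dropped"

    # 2. Authoritative zone: ONLY allow-query(-on) is consulted.
    if authoritative:
        return "answered" if matches(cfg.allow_query, client) else "refused"

    # 3. Cache: 'recursion yes;' and allow-query-cache(-on) are required even
    #    when the data are already cached; allow-query(-on) plays no part here.
    if not cfg.recursion or not matches(cfg.allow_query_cache, client):
        return "refused"
    if in_cache:
        return "answered"

    # 4. Cache miss: additionally allow-recursion(-on) must match before a fetch.
    return "fetch" if matches(cfg.allow_recursion, client) else "refused"


# Constructed example configuration: everyone may query zones, only 10/8 may read
# the cache, and only 10.1/16 may trigger a fetch; 192.0.2/24 is blackholed.
EXAMPLE = Config(
    blackhole=["192.0.2.0/24"],
    allow_query=["any"],
    allow_query_cache=["10.0.0.0/8"],
    allow_recursion=["10.1.0.0/16"],
)


def walkthrough() -> List[str]:
    """Run a handful of constructed clients through the model."""
    cases = [
        ("192.0.2.7", True, False),     # blackholed, even for zone data
        ("203.0.113.5", True, False),   # zone data, allow-query any
        ("203.0.113.5", False, True),   # cached data, not in allow-query-cache
        ("10.2.3.4", False, True),      # cached data, allow-query-cache ok
        ("10.2.3.4", False, False),     # cache miss, not in allow-recursion
        ("10.1.3.4", False, False),     # cache miss, fetch permitted
    ]
    return [f"{c} auth={a} cached={i} -> {decide(EXAMPLE, c, a, i)}" for c, a, i in cases]


if __name__ == "__main__":
    print("\n".join(walkthrough()))
```

The `recursion` flag in step 3 is what the "fun fact" below is about: with `Config(recursion=False, ...)` the model refuses even a client that is allowed by allow-query-cache and whose data are already cached.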
Fun fact: Data stay in cache even if `recursion yes;` is changed to `recursion no;`. Subsequent `rndc reconfig` will create configuration with data in cache but without any means to access it. Turning it back on will provide access to the old cache content.
Text problems/suggestions
- allow-query-cache(-on) does not "effectively control recursion". It controls access to cache data WITHOUT doing recursion, i.e. queries allowed by these ACLs can get content of the cache but not necessarily trigger recursion for things which are missing in the cache (equivalent of `dig +norecurse` queries).
- allow-recursion(-on) controls what queries do trigger recursion for data not available in cache.
- allow-query also covers updates (must intersect with allow-update?). Relevant log message: `update 'example.com/IN' denied due to allow-query`

  (Implementation-wise it makes sense because of prerequisites in the update messages, but it is not mentioned in the ARM. Basically it is impossible to make a write-only client; no big deal, but better to mention that the ACLs must intersect.)