inconsistent comments, documentation and behavior with some ACLs
In 9.5.1, change #2373 (closed) had the unintended side effect of making it so that allow-transfer and allow-notify ACLs (in addition to allow-update and allow-update-forwarding, for which this behavior was desirable) could only be set in zone statements, not at the options or view level.
In 9.12.0, 9.11.3, 9.10.7, and 9.9.12, change #4836 fixed this. It was only meant to address a problem with rndc addzone but it fixed the broader problem at the same time; I simply didn't notice.
Later I noticed that the behavior for allow-notify had changed; I thought this was a bug and submitted MR !342 (closed) to fix it. After discussion with @marka it became clear that the current behavior is actually what we wanted all along. The code comments are still wrong, though, and I'm concerned that this behavior was able to change twice without a test catching it.
So I propose to do the following:
- for 9.13, move
allow-updateandallow-update-forwardingtozone_only_clausesso that they'll cause a configuration error when used; for 9.12 and earlier, make this log a warning - go over the documentation for all four ACLs and make sure it's completely clear
- fix the code comments
- add tests
An argument could be made that we should retroactively disclose the bug that existed from 9.5.1 until 9.12.0 in an operational notification, but we decided we were inclined against it in today's support meeting. Nevertheless, @McNally advised marking this issue confidential for the time being.