negative match on the 'blackhole' ACL could be treated as positive (!5853) · Merge requests · ISC Open Source Projects / BIND

Evan Hunt requested to merge 3157-blackhole-request into main Feb 16, 2022

There was a bug in checking of the "blackhole" ACL in dns_request_create*(), causing an address to be treated as included in the ACL if it was explicitly excluded. Thus, leaving "blackhole" unset had no effect, but setting it to "none" would cause any destination addresses to be rejected for dns_request purposes. This would cause zone transfer requests and SOA queries to fail, among other things.

The bug has been fixed, and "blackhole { none; };" was added to the xfer system test as a regression test.

Closes #3157 (closed)

negative match on the 'blackhole' ACL could be treated as positive

Merge request reports