Commit e2062879 authored by Evan Hunt's avatar Evan Hunt Committed by Mark Andrews

test the use of the view ACL in DLZ

parent a520662e
......@@ -534,21 +534,56 @@ dlz_lookup(const char *zone, const char *name, void *dbdata,
*/
isc_result_t
dlz_allowzonexfr(void *dbdata, const char *name, const char *client) {
struct dlz_example_data *state = (struct dlz_example_data *)dbdata;
isc_result_t result;
if (state->log != NULL) {
state->log(ISC_LOG_INFO,
"dlz_example: dlz_allowzonexfr called for %s",
name);
}
result = dlz_findzonedb(dbdata, name, NULL, NULL);
if (result != ISC_R_SUCCESS) {
if (state->log != NULL) {
state->log(ISC_LOG_INFO,
"dlz_example: findzonedb returned %s",
isc_result_totext(result));
}
return (result);
}
/*
* Exception for "example.org" so we can test the use of
* the view ACL.
*/
if (strcmp(name, "example.org") == 0) {
if (state->log != NULL) {
state->log(ISC_LOG_INFO,
"dlz_example: use view ACL "
"for example.org");
}
return (ISC_R_DEFAULT);
}
/*
* Exception for 10.53.0.5 so we can test that allow-transfer
* is effective.
*/
if (strcmp(client, "10.53.0.5") == 0) {
if (state->log != NULL) {
state->log(ISC_LOG_INFO,
"dlz_example: disallow transfer "
"to 10.53.0.5");
}
return (ISC_R_NOPERM);
}
if (state->log != NULL) {
state->log(ISC_LOG_INFO,
"dlz_example: transfer allowed for %s", name);
}
return (ISC_R_SUCCESS);
}
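Review bot: The return contract of dlz_allowzonexfr is now three-way — ISC_R_SUCCESS allows, ISC_R_NOPERM refuses, ISC_R_DEFAULT hands the decision to the view's allow-transfer ACL, and any dlz_findzonedb failure is propagated unchanged — but the header comment whose closing `*/` opens the hunk does not say so; it should list these outcomes and which side (driver or named) is authoritative in each case. Ordering also matters for the two test hooks: because the example.org check returns ISC_R_DEFAULT before `client` is inspected, a transfer of example.org requested by 10.53.0.5 is never refused here but decided by named's ACL, which is presumably what the view-ACL test wants but deserves a line in the example.org comment, e.g. `* Checked before the 10.53.0.5 rule so that transfers of example.org are governed solely by the view ACL.`. The function's header comment starts outside the hunk.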
......
......@@ -17,6 +17,10 @@ dlz "example two" {
database "dlopen ../driver.@SO@ alternate.nil";
};
dlz "example three" {
database "dlopen ../driver.@SO@ example.org";
};
dlz "unsearched1" {
database "dlopen ../driver.@SO@ other.nil";
search no;
......
......@@ -18,6 +18,7 @@ options {
session-keyfile "session.key";
listen-on { 10.53.0.1; 127.0.0.1; };
listen-on-v6 { none; };
allow-transfer { !10.53.0.1; any; };
recursion no;
notify yes;
};
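Review bot: `allow-transfer { !10.53.0.1; any; };` becomes the effective AXFR policy for every zone in this view whose DLZ driver answers ISC_R_DEFAULT, and `any` opens transfers to every other address; that is acceptable for a system test, but nothing at this line records the coupling with the driver's example.org exemption that the test relies on. A comment beside the option would keep the two halves of the test together, e.g. `// example.org transfers are deferred to this ACL by the DLZ driver: 10.53.0.1 must be refused, 10.53.0.2 allowed`. The enclosing options block starts outside the hunk.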
......
......@@ -125,6 +125,16 @@ grep "; Transfer failed" dig.out.alternate.ns1.test$n > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
newtest "testing AXFR denied based on view ACL"
# 10.53.0.1 should be disallowed
$DIG $DIGOPTS -b 10.53.0.1 +noall +answer axfr example.org > dig.out.example.ns1.test$n.1
grep "; Transfer failed" dig.out.example.ns1.test$n.1 > /dev/null || ret=1
# 10.53.0.2 should be allowed
$DIG $DIGOPTS -b 10.53.0.2 +noall +answer axfr example.org > dig.out.example.ns1.test$n.2
grep "; Transfer failed" dig.out.example.ns1.test$n.2 > /dev/null && ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
newtest "testing unsearched/unregistered DLZ zone is not found"
$DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n
grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1
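Review bot: The allowed case of the new view-ACL test (the 10.53.0.2 dig and the grep that follows it) only asserts that "; Transfer failed" is absent from the output, so a dig that times out, is refused with a different message, or writes nothing at all passes vacuously. It should also require that records were actually transferred, e.g. `grep "SOA" dig.out.example.ns1.test$n.2 > /dev/null || ret=1` — this assumes the driver serves an SOA at the example.org apex, which I cannot confirm from this hunk. The `newtest` helper that presumably resets `ret` and advances `n` is defined outside the hunk.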
......