diff --git a/CHANGES b/CHANGES
index 719a3e4db8..1438076aa1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+6061. [bug] Fix unexpected "Prohibited" extended DNS error
+ on allow-recursion. [GL #3743]
+
 6060. [bug] Fix a use-after-free bug in dns_zonemgr_releasezone() by detaching from the zone manager outside of the write lock. [GL #3768]
diff --git a/bin/tests/system/redirect/tests.sh b/bin/tests/system/redirect/tests.sh
index 70ba727bc7..7201ff2399 100644
--- a/bin/tests/system/redirect/tests.sh
+++ b/bin/tests/system/redirect/tests.sh
@@ -534,5 +534,14 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
+echo_i "checking extended error is not set on allow-recursion ($n)"
+ret=0
+$DIG $DIGOPTS example. @10.53.0.1 -b 10.53.0.2 soa > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "EDE" dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index f6c1447c11..3ea4eb49fe 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -66,6 +66,9 @@ Bug Fixes
 configured forwarders, resulting in SERVFAIL answers being sent to clients. This has been fixed. :gl:`#3752`
+- Clients may see an unexpected "Prohibited" extended DNS error when ``named``
+ is configured with :any:`allow-recursion`). :gl:`#3743`
+
 Known Issues
 ~~~~~~~~~~~~
diff --git a/lib/ns/client.c b/lib/ns/client.c
index 0bab7dbb51..ea94e45427 100644
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@@ -2525,7 +2525,6 @@ allow:
 return (ISC_R_SUCCESS);
 deny:
- ns_client_extendederror(client, DNS_EDE_PROHIBITED, NULL);
 return (DNS_R_REFUSED);
 }
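Review bot: The new step in tests.sh only proves the negative — a non-recursive NOERROR answer from ns1 carries no EDE — while nothing here verifies that a denial that really is refused still reports the Prohibited code now that the call has moved out of ns_client_checkaclsilent(), so a regression that drops the EDE entirely would still pass. A companion step after the `grep "EDE"` line, sending a query the server is configured to refuse (an allow-query denial, if the redirect setup has one) and expecting `grep "status: REFUSED"` plus `grep "EDE: 18 (Prohibited)"`, would pin both sides of the move. `grep "EDE"` is also a loose pattern; matching dig's own prefix, `grep "; EDE:"`, avoids an accidental hit on unrelated output. Whether 10.53.0.2 is actually outside ns1's allow-recursion is decided by the server configuration, which is not part of this hunk.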
@@ -2548,6 +2547,7 @@ ns_client_checkacl(ns_client_t *client, isc_sockaddr_t *sockaddr,
 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
 "%s approved", opname);
 } else {
+ ns_client_extendederror(client, DNS_EDE_PROHIBITED, NULL);
 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
 NS_LOGMODULE_CLIENT, log_level, "%s denied", opname);
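Review bot: Attaching DNS_EDE_PROHIBITED in the `} else {` branch ties the extended error to every denial reported through ns_client_checkacl(), not to the response actually being refused, so the stray-EDE problem fixed for allow-recursion can recur at any call site that treats a logged denial as non-fatal — and, conversely, a caller that uses ns_client_checkaclsilent() and does send REFUSED now gets no EDE at all. I would state that contract next to the new call, e.g. `/* EDE 18 "Prohibited" (RFC 8914) is attached here, not in the silent variant: a caller that denies without refusing the query must use ns_client_checkaclsilent(). */`, and audit the callers of both variants outside this hunk. Which callers fall on which side is not visible in this diff, and the body of ns_client_checkacl() starts and ends outside the hunk.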