
Merge branch '3743-unexpected-prohibited-ede' into 'main'

Fix unexpected "Prohibited" extended DNS error on allow-recursion mismatch

Closes #3743

See merge request isc-projects/bind9!7223
Matthijs Mekking
2023-01-09 14:40:31 +00:00
4 changed files with 16 additions and 1 deletions


@@ -1,3 +1,6 @@
6061. [bug] Fix unexpected "Prohibited" extended DNS error
on allow-recursion. [GL #3743]
6060. [bug] Fix a use-after-free bug in dns_zonemgr_releasezone() 6060. [bug] Fix a use-after-free bug in dns_zonemgr_releasezone()
by detaching from the zone manager outside of the write by detaching from the zone manager outside of the write
lock. [GL #3768] lock. [GL #3768]


@@ -534,5 +534,14 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
echo_i "checking extended error is not set on allow-recursion ($n)"
ret=0
$DIG $DIGOPTS example. @10.53.0.1 -b 10.53.0.2 soa > dig.out.ns1.test$n || ret=1
grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
grep "EDE" dig.out.ns1.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "exit status: $status" echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1 [ $status -eq 0 ] || exit 1
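Review bot: The new case only proves that an answered query carries no EDE; nothing in this hunk asserts that a query genuinely refused by an ACL still returns the Prohibited code now that the call has moved into ns_client_checkacl(). If no earlier case in this script already covers that, a companion case expecting `status: REFUSED` together with an EDE line would pin both sides of the fix. A one-line comment above the dig call, for example `# 10.53.0.2 is outside allow-recursion; the answer must carry no EDE option`, would record what the case depends on, assuming that is the purpose of `-b 10.53.0.2`. The rest of the script lies outside this section.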


@@ -66,6 +66,9 @@ Bug Fixes
configured forwarders, resulting in SERVFAIL answers being sent to clients. configured forwarders, resulting in SERVFAIL answers being sent to clients.
This has been fixed. :gl:`#3752` This has been fixed. :gl:`#3752`
- Clients may see an unexpected "Prohibited" extended DNS error when ``named``
is configured with :any:`allow-recursion`). :gl:`#3743`
Known Issues Known Issues
~~~~~~~~~~~~ ~~~~~~~~~~~~


@@ -2525,7 +2525,6 @@ allow:
return (ISC_R_SUCCESS); return (ISC_R_SUCCESS);
deny: deny:
ns_client_extendederror(client, DNS_EDE_PROHIBITED, NULL);
return (DNS_R_REFUSED); return (DNS_R_REFUSED);
} }
@@ -2548,6 +2547,7 @@ ns_client_checkacl(ns_client_t *client, isc_sockaddr_t *sockaddr,
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
"%s approved", opname); "%s approved", opname);
} else { } else {
ns_client_extendederror(client, DNS_EDE_PROHIBITED, NULL);
ns_client_log(client, DNS_LOGCATEGORY_SECURITY, ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_CLIENT, log_level, "%s denied", NS_LOGMODULE_CLIENT, log_level, "%s denied",
opname); opname);
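Review bot: The added `ns_client_extendederror(client, DNS_EDE_PROHIBITED, NULL);` in the else branch of ns_client_checkacl() has no comment explaining why the code is set here and no longer at the `deny:` label in the first hunk, which invites a later change to move it back. A comment above it such as `/* Set EDE only on a reported denial; the unlogged check may be one of several ACLs consulted. */` would record the intent, assuming that is the reason behind the fix. It is also worth confirming that every caller of ns_client_checkacl() treats a denial as final, because a caller that goes on to answer the query would now attach Prohibited to a successful response. Callers that refuse after using only the function ending at `deny:` would need to set the code themselves. Both function bodies start outside the visible hunks.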