Merge branch '3743-unexpected-prohibited-ede' into 'main'

Fix unexpected "Prohibited" extended DNS error on allow-recursion mismatch Closes #3743 See merge request isc-projects/bind9!7223
2025-08-30 05:57:52 +00:00 · 2023-01-09 14:40:31 +00:00 · 2023-01-09 14:40:31 +00:00 · 05b781e2f0
commit 05b781e2f0
parent 680921c4ef 8db8ec1f6e
4 changed files with 16 additions and 1 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+6061.	[bug]		Fix unexpected "Prohibited" extended DNS error
+			on allow-recursion. [GL #3743]
+
 6060.	[bug]		Fix a use-after-free bug in dns_zonemgr_releasezone()
 			by detaching from the zone manager outside of the write
 			lock. [GL #3768]
--- a/bin/tests/system/redirect/tests.sh
+++ b/bin/tests/system/redirect/tests.sh
@ -534,5 +534,14 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`

+echo_i "checking extended error is not set on allow-recursion ($n)"
+ret=0
+$DIG $DIGOPTS example. @10.53.0.1 -b 10.53.0.2 soa > dig.out.ns1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+grep "EDE" dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@ -66,6 +66,9 @@ Bug Fixes
  configured forwarders, resulting in SERVFAIL answers being sent to clients.
  This has been fixed. :gl:`#3752`

+- Clients may see an unexpected "Prohibited" extended DNS error when ``named``
+  is configured with :any:`allow-recursion`). :gl:`#3743`
+
 Known Issues
 ~~~~~~~~~~~~

--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@ -2525,7 +2525,6 @@ allow:
 	return (ISC_R_SUCCESS);

 deny:
-	ns_client_extendederror(client, DNS_EDE_PROHIBITED, NULL);
 	return (DNS_R_REFUSED);
 }

@ -2548,6 +2547,7 @@ ns_client_checkacl(ns_client_t *client, isc_sockaddr_t *sockaddr,
 			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
 			      "%s approved", opname);
 	} else {
+		ns_client_extendederror(client, DNS_EDE_PROHIBITED, NULL);
 		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
 			      NS_LOGMODULE_CLIENT, log_level, "%s denied",
 			      opname);