2165. [func] Allow the destination address of a query to determine

if we will answer the query or recurse.
                        allow-query-on, allow-recursion-on and
                        allow-query-cache-on. [RT #16291]

CHANGES

@@ -1,3 +1,8 @@
+2165.	[func]		Allow the destination address of a query to determine
+			if we will answer the query or recurse.
+			allow-query-on, allow-recursion-on and
+			allow-query-cache-on. [RT #16291]
+
 2164.	[bug]		The code to determine how named-checkzone / 
 			named-compilezone was called failed under windows.
 			[RT #16764]

bin/named/client.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.c,v 1.244 2007/03/06 01:14:27 marka Exp $ */
+/* $Id: client.c,v 1.245 2007/03/29 06:36:29 marka Exp $ */
 
 #include <config.h>
 
@@ -1724,9 +1724,17 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	ra = ISC_FALSE;
 	if (client->view->resolver != NULL &&
 	    client->view->recursion == ISC_TRUE &&
-	    ns_client_checkaclsilent(client, client->view->recursionacl,
+	    ns_client_checkaclsilent(client, NULL,
+				     client->view->recursionacl,
 				     ISC_TRUE) == ISC_R_SUCCESS &&
-	    ns_client_checkaclsilent(client, client->view->queryacl,
+	    ns_client_checkaclsilent(client, NULL,
+				     client->view->queryacl,
+				     ISC_TRUE) == ISC_R_SUCCESS &&
+	    ns_client_checkaclsilent(client, &client->interface->addr,
+				     client->view->recursiononacl,
+				     ISC_TRUE) == ISC_R_SUCCESS &&
+	    ns_client_checkaclsilent(client, &client->interface->addr,
+				     client->view->queryonacl,
 				     ISC_TRUE) == ISC_R_SUCCESS)
 		ra = ISC_TRUE;
 
@@ -2452,8 +2460,8 @@ ns_client_getsockaddr(ns_client_t *client) {
 }
 
 isc_result_t
-ns_client_checkaclsilent(ns_client_t *client, dns_acl_t *acl,
+ns_client_checkaclsilent(ns_client_t *client, isc_sockaddr_t *sockaddr,
-			 isc_boolean_t default_allow)
+			 dns_acl_t *acl, isc_boolean_t default_allow)
 {
 	isc_result_t result;
 	int match;
@@ -2466,11 +2474,16 @@ ns_client_checkaclsilent(ns_client_t *client, dns_acl_t *acl,
 			goto deny;
 	}
 
+  
+	if (sockaddr == NULL)
 		isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+	else
+		isc_netaddr_fromsockaddr(&netaddr, sockaddr);
   
 	result = dns_acl_match(&netaddr, client->signer, acl,
 			       &ns_g_server->aclenv,
 			       &match, NULL);
+
 	if (result != ISC_R_SUCCESS)
 		goto deny; /* Internal error, already logged. */
 	if (match > 0)
@@ -2485,12 +2498,12 @@ ns_client_checkaclsilent(ns_client_t *client, dns_acl_t *acl,
 }
 
 isc_result_t
-ns_client_checkacl(ns_client_t *client,
+ns_client_checkacl(ns_client_t *client, isc_sockaddr_t *sockaddr,
 		   const char *opname, dns_acl_t *acl,
 		   isc_boolean_t default_allow, int log_level)
 {
 	isc_result_t result =
-		ns_client_checkaclsilent(client, acl, default_allow);
+		ns_client_checkaclsilent(client, sockaddr, acl, default_allow);
 
 	if (result == ISC_R_SUCCESS) 
 		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,

bin/named/config.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.75 2006/06/04 23:17:06 marka Exp $ */
+/* $Id: config.c,v 1.76 2007/03/29 06:36:29 marka Exp $ */
 
 /*! \file */
 
@@ -104,7 +104,9 @@ options {\n\
 	allow-notify {none;};\n\
 	allow-update-forwarding {none;};\n\
 	allow-query-cache { localnets; localhost; };\n\
+	allow-query-cache-on { any; };\n\
 	allow-recursion { localnets; localhost; };\n\
+	allow-recursion-on { any; };\n\
 #	allow-v6-synthesis <obsolete>;\n\
 #	sortlist <none>\n\
 #	topology <none>\n\
@@ -145,6 +147,7 @@ options {\n\
 
 "	/* zone */\n\
 	allow-query {any;};\n\
+	allow-query-on {any;};\n\
 	allow-transfer {any;};\n\
 	notify yes;\n\
 #	also-notify <none>\n\

bin/named/include/named/client.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.h,v 1.79 2006/06/06 00:11:42 marka Exp $ */
+/* $Id: client.h,v 1.80 2007/03/29 06:36:30 marka Exp $ */
 
 #ifndef NAMED_CLIENT_H
 #define NAMED_CLIENT_H 1
@@ -266,7 +266,9 @@ ns_client_getsockaddr(ns_client_t *client);
  */
 
 isc_result_t
-ns_client_checkaclsilent(ns_client_t  *client,dns_acl_t *acl,
+ns_client_checkaclsilent(ns_client_t *client,
+			 isc_sockaddr_t *sockaddr,
+			 dns_acl_t *acl,
 			 isc_boolean_t default_allow);
 
 /*%
@@ -274,6 +276,8 @@ ns_client_checkaclsilent(ns_client_t  *client,dns_acl_t *acl,
  *
  * Check the current client request against 'acl'.  If 'acl'
  * is NULL, allow the request iff 'default_allow' is ISC_TRUE.
+ * If netaddr is NULL, check the ACL against client->peeraddr;
+ * otherwise check it against netaddr.
  *
  * Notes:
  *\li	This is appropriate for checking allow-update,
@@ -284,6 +288,7 @@ ns_client_checkaclsilent(ns_client_t  *client,dns_acl_t *acl,
  *
  * Requires:
  *\li	'client' points to a valid client.
+ *\li	'sockaddr' points to a valid address, or is NULL.
  *\li	'acl' points to a valid ACL, or is NULL.
  *
  * Returns:
@@ -294,18 +299,19 @@ ns_client_checkaclsilent(ns_client_t  *client,dns_acl_t *acl,
 
 isc_result_t
 ns_client_checkacl(ns_client_t  *client,
+		   isc_sockaddr_t *sockaddr,
 		   const char *opname, dns_acl_t *acl,
 		   isc_boolean_t default_allow,
 		   int log_level);
 /*%
- * Like ns_client_checkacl, but also logs the outcome of the
+ * Like ns_client_checkaclsilent, except the outcome of the check is
- * check at log level 'log_level' if denied, and at debug 3
+ * logged at log level 'log_level' if denied, and at debug 3 if approved.
- * if approved.  Log messages will refer to the request as
+ * Log messages will refer to the request as an 'opname' request.
- * an 'opname' request.
  *
  * Requires:
- *\li	Those of ns_client_checkaclsilent(), and:
+ *\li	'client' points to a valid client.
- *
+ *\li	'sockaddr' points to a valid address, or is NULL.
+ *\li	'acl' points to a valid ACL, or is NULL.
  *\li	'opname' points to a null-terminated string.
  */
 

bin/named/named.conf.docbook

@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named.conf.docbook,v 1.27 2007/02/02 02:18:04 marka Exp $ -->
+<!-- $Id: named.conf.docbook,v 1.28 2007/03/29 06:36:29 marka Exp $ -->
 <refentry>
   <refentryinfo>
     <date>Aug 13, 2004</date>
@@ -219,6 +219,7 @@ options {
 	use-ixfr <replaceable>boolean</replaceable>;
 	version ( <replaceable>quoted_string</replaceable> | none );
 	allow-recursion { <replaceable>address_match_element</replaceable>; ... };
+	allow-recursion-on { <replaceable>address_match_element</replaceable>; ... };
 	sortlist { <replaceable>address_match_element</replaceable>; ... };
 	topology { <replaceable>address_match_element</replaceable>; ... }; // not implemented
 	auth-nxdomain <replaceable>boolean</replaceable>; // default changed
@@ -281,7 +282,9 @@ options {
 	ixfr-from-differences <replaceable>ixfrdiff</replaceable>;
 
 	allow-query { <replaceable>address_match_element</replaceable>; ... };
+	allow-query-on { <replaceable>address_match_element</replaceable>; ... };
 	allow-query-cache { <replaceable>address_match_element</replaceable>; ... };
+	allow-query-cache-on { <replaceable>address_match_element</replaceable>; ... };
 	allow-transfer { <replaceable>address_match_element</replaceable>; ... };
 	allow-update { <replaceable>address_match_element</replaceable>; ... };
 	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
@@ -371,6 +374,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 	};
 
 	allow-recursion { <replaceable>address_match_element</replaceable>; ... };
+	allow-recursion-on { <replaceable>address_match_element</replaceable>; ... };
 	sortlist { <replaceable>address_match_element</replaceable>; ... };
 	topology { <replaceable>address_match_element</replaceable>; ... }; // not implemented
 	auth-nxdomain <replaceable>boolean</replaceable>; // default changed
@@ -433,7 +437,9 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 	ixfr-from-differences <replaceable>ixfrdiff</replaceable>;
 
 	allow-query { <replaceable>address_match_element</replaceable>; ... };
+	allow-query-on { <replaceable>address_match_element</replaceable>; ... };
 	allow-query-cache { <replaceable>address_match_element</replaceable>; ... };
+	allow-query-cache-on { <replaceable>address_match_element</replaceable>; ... };
 	allow-transfer { <replaceable>address_match_element</replaceable>; ... };
 	allow-update { <replaceable>address_match_element</replaceable>; ... };
 	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
@@ -516,6 +522,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 	zero-no-soa-ttl <replaceable>boolean</replaceable>;
 
 	allow-query { <replaceable>address_match_element</replaceable>; ... };
+	allow-query-on { <replaceable>address_match_element</replaceable>; ... };
 	allow-transfer { <replaceable>address_match_element</replaceable>; ... };
 	allow-update { <replaceable>address_match_element</replaceable>; ... };
 	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };

bin/named/query.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.293 2007/02/06 04:00:21 marka Exp $ */
+/* $Id: query.c,v 1.294 2007/03/29 06:36:29 marka Exp $ */
 
 /*! \file */
 
@@ -640,7 +640,8 @@ query_validatezonedb(ns_client_t *client, dns_name_t *name,
 	if (check_acl) {
 		isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
 
-		result = ns_client_checkaclsilent(client, queryacl, ISC_TRUE);
+		result = ns_client_checkaclsilent(client, NULL, queryacl,
+						  ISC_TRUE);
 		if (log) {
 			char msg[NS_CLIENT_ACLMSGSIZE("query")];
 			if (result == ISC_R_SUCCESS) {
@@ -804,7 +805,7 @@ query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
 		isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
 		char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")];
 
-		result = ns_client_checkaclsilent(client,
+		result = ns_client_checkaclsilent(client, NULL,
 						  client->view->queryacl,
 						  ISC_TRUE);
 		if (result == ISC_R_SUCCESS) {

bin/named/server.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.479 2007/03/13 04:30:17 marka Exp $ */
+/* $Id: server.c,v 1.480 2007/03/29 06:36:29 marka Exp $ */
 
 /*! \file */
 
@@ -1550,29 +1550,36 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 					 "allow-query-cache", actx,
 					 ns_g_mctx, &view->queryacl));
 
-	if (strcmp(view->name, "_bind") != 0)
+	CHECK(configure_view_acl(vconfig, config, "allow-query-cache-on",
+				 actx, ns_g_mctx, &view->queryonacl));
+	if (view->queryonacl == NULL)
+		CHECK(configure_view_acl(NULL, ns_g_defaults,
+					 "allow-query-cache-on", actx,
+					 ns_g_mctx, &view->queryonacl));
+
+	if (strcmp(view->name, "_bind") != 0) {
 		CHECK(configure_view_acl(vconfig, config, "allow-recursion",
-					 actx, ns_g_mctx, &view->recursionacl));
+					 actx, ns_g_mctx,
+					 &view->recursionacl));
+		CHECK(configure_view_acl(vconfig, config, "allow-recursion-on",
+					 actx, ns_g_mctx,
+					 &view->recursiononacl));
+	}
 
 	/*
-	 * Warning if both "recursion no;" and allow-recursion are active
+	 * Set default "allow-recursion" and "allow-recursion-on" acls.
-	 * except for "allow-recursion { none; };".
-	 */
-	if (!view->recursion && view->recursionacl != NULL &&
-	    (view->recursionacl->length != 1 ||
-	     view->recursionacl->elements[0].type != dns_aclelementtype_any ||
-	     view->recursionacl->elements[0].negative != ISC_TRUE))
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
-			      "both \"recursion no;\" and \"allow-recursion\" "
-			      "active%s%s", forview, viewname);
-
-	/*
-	 * Set default "allow-recursion" acl.
 	 */
 	if (view->recursionacl == NULL && view->recursion)
-		CHECK(configure_view_acl(NULL, ns_g_defaults, "allow-recursion",
+		CHECK(configure_view_acl(NULL, ns_g_defaults,
-					 actx, ns_g_mctx, &view->recursionacl));
+					 "allow-recursion",
+					 actx, ns_g_mctx,
+					 &view->recursionacl));
+
+	if (view->recursiononacl == NULL && view->recursion)
+		CHECK(configure_view_acl(NULL, ns_g_defaults,
+					 "allow-recursion-on",
+					 actx, ns_g_mctx,
+					 &view->recursiononacl));
 
 	CHECK(configure_view_acl(vconfig, config, "sortlist",
 				 actx, ns_g_mctx, &view->sortlist));
@@ -1878,6 +1885,8 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 						 empty_dbtype));
 			if (view->queryacl != NULL)
 				dns_zone_setqueryacl(zone, view->queryacl);
+			if (view->queryonacl != NULL)
+				dns_zone_setqueryonacl(zone, view->queryonacl);
 			dns_zone_setdialup(zone, dns_dialuptype_no);
 			dns_zone_setnotifytype(zone, dns_notifytype_no);
 			dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS,

bin/named/update.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.130 2006/12/04 01:52:45 marka Exp $ */
+/* $Id: update.c,v 1.131 2007/03/29 06:36:30 marka Exp $ */
 
 #include <config.h>
 
@@ -255,7 +255,7 @@ checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message,
 		level = ISC_LOG_DEBUG(3);
 		msg = "disabled";
 	} else
-		result = ns_client_checkaclsilent(client, acl, ISC_FALSE);
+		result = ns_client_checkaclsilent(client, NULL, acl, ISC_FALSE);
 
 	if (result == ISC_R_SUCCESS) {
 		level = ISC_LOG_DEBUG(3);

bin/named/xfrout.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrout.c,v 1.123 2006/03/05 23:58:52 marka Exp $ */
+/* $Id: xfrout.c,v 1.124 2007/03/29 06:36:30 marka Exp $ */
 
 #include <config.h>
 
@@ -1090,9 +1090,9 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 #endif
 		ns_client_aclmsg("zone transfer", question_name, reqtype,
 				 client->view->rdclass, msg, sizeof(msg));
-		CHECK(ns_client_checkacl(client, msg,
+		CHECK(ns_client_checkacl(client, NULL, msg,
-					 dns_zone_getxfracl(zone), ISC_TRUE,
+					 dns_zone_getxfracl(zone),
-					 ISC_LOG_ERROR));
+					 ISC_TRUE, ISC_LOG_ERROR));
 #ifdef DLZ
 	}
 #endif

doc/arm/Bv9ARM-book.xml

@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- File: $Id: Bv9ARM-book.xml,v 1.315 2007/03/05 04:57:57 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.316 2007/03/29 06:36:30 marka Exp $ -->
 <book xmlns:xi="http://www.w3.org/2001/XInclude">
   <title>BIND 9 Administrator Reference Manual</title>
 
@@ -3082,8 +3082,12 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	    allows access and a negated match denies access. If
 	    there is no match, access is denied. The clauses
 	    <command>allow-notify</command>,
+	    <command>allow-recursion</command>,
+	    <command>allow-recursion-on</command>,
 	    <command>allow-query</command>,
+	    <command>allow-query-on</command>,
 	    <command>allow-query-cache</command>,
+	    <command>allow-query-cache-on</command>,
 	    <command>allow-transfer</command>,
 	    <command>allow-update</command>,
 	    <command>allow-update-forwarding</command>, and
@@ -4426,9 +4430,12 @@ category notify { null; };
     <optional> check-sibling <replaceable>yes_or_no</replaceable>; </optional>
     <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-query-cache { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> allow-query-cache-on { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-recursion { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> allow-recursion-on { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
@@ -5865,6 +5872,35 @@ options {
 	      </listitem>
 	    </varlistentry>
 
+	    <varlistentry>
+	      <term><command>allow-query-on</command></term>
+	      <listitem>
+		<para>
+		  Specifies which local addresses can accept ordinary
+		  DNS questions. This makes it possible, for instance,
+		  to allow queries on internal-facing interfaces but
+		  disallow them on external-facing ones, without
+		  necessarily knowing the internal network's addresses.
+		</para>
+		<para>
+		  <command>allow-query-on</command> may
+		  also be specified in the <command>zone</command>
+		  statement, in which case it overrides the
+		  <command>options allow-query-on</command> statement.
+		</para>
+		<para>
+		  If not specified, the default is to allow queries
+		  on all addresses.
+		</para>
+		<note>
+		  <para>
+		    <command>allow-query-cache</command> is
+		    used to specify access to the cache.
+		  </para>
+		</note>
+	      </listitem>
+	    </varlistentry>
+
 	    <varlistentry>
 	      <term><command>allow-query-cache</command></term>
 	      <listitem>
@@ -5874,11 +5910,18 @@ options {
 		  <command>localnets</command> and
 		  <command>localhost</command>.
 		</para>
+	      </listitem>
+	    </varlistentry>
+
+	    <varlistentry>
+	      <term><command>allow-query-cache-on</command></term>
+	      <listitem>
 		<para>
-		  The way to set query access to the cache is now
+		  Specifies which local addresses can give answers
-		  via <command>allow-query-cache</command>.
+		  from the cache.  If not specified, the default is
-		  This differs from earlier versions which used
+		  to allow cache queries on any address.
-		  <command>allow-query</command>.
+		  <command>localnets</command> and
+		  <command>localhost</command>.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -5899,6 +5942,17 @@ options {
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><command>allow-recursion-on</command></term>
+              <listitem>
+                <para>
+		  Specifies which local addresses can accept recursive
+		  queries.  If not specified, the default is to allow
+		  recursive queries on all addresses.
+                </para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><command>allow-update</command></term>
               <listitem>
@@ -8095,6 +8149,7 @@ view "external" {
 <programlisting>zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
     type master;
     <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> update-policy { <replaceable>update_policy_rule</replaceable> <optional>...</optional> }; </optional>
@@ -8134,6 +8189,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
     type slave;
     <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
@@ -8184,6 +8240,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
     type stub;
     <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
     <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
     <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
@@ -8483,6 +8540,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
                 </listitem>
               </varlistentry>
 
+              <varlistentry>
+                <term><command>allow-query-on</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>allow-query-on</command> in <xref linkend="access_control"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
               <varlistentry>
                 <term><command>allow-transfer</command></term>
                 <listitem>
@@ -10655,7 +10722,8 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
         <para>
           Access Control Lists (ACLs), are address match lists that
           you can set up and nickname for future use in <command>allow-notify</command>,
-          <command>allow-query</command>, <command>allow-recursion</command>,
+          <command>allow-query</command>, <command>allow-query-on</command>,
+	  <command>allow-recursion</command>, <command>allow-recursion-on</command>,
           <command>blackhole</command>, <command>allow-transfer</command>,
           etc.
         </para>

lib/bind9/check.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.78 2007/03/14 23:46:54 tbox Exp $ */
+/* $Id: check.c,v 1.79 2007/03/29 06:36:30 marka Exp $ */
 
 /*! \file */
 
@@ -392,9 +392,10 @@ check_viewacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
 	isc_result_t result = ISC_R_SUCCESS, tresult;
 	int i = 0;
 	
-	static const char *acls[] = { "allow-query", "allow-query-cache",
+	static const char *acls[] = { "allow-query", "allow-query-on",
-		"allow-recursion", "blackhole", "match-clients",
+                "allow-query-cache", "allow-query-cache-on",
-		"match-destinations", "sortlist", NULL };
+		"blackhole", "match-clients", "match-destinations",
+		"sortlist", NULL };
 
 	while (acls[i] != NULL) {
 		tresult = checkacl(acls[i++], actx, NULL, voptions, config,
@@ -405,6 +406,84 @@ check_viewacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
 	return (result);
 }
 
+/*
+ * Check allow-recursion and allow-recursion-on acls, and also log a
+ * warning if they're inconsistent with the "recursion" option.
+ */
+static isc_result_t
+check_recursionacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
+		    const char *viewname, const cfg_obj_t *config,
+		    isc_log_t *logctx, isc_mem_t *mctx)
+{
+	const cfg_obj_t *options, *aclobj, *obj = NULL;
+	dns_acl_t *acl = NULL;
+	isc_result_t result = ISC_R_SUCCESS, tresult;
+	isc_boolean_t recursion;
+	const char *forview = " for view ";
+	int i = 0;
+
+	static const char *acls[] = { "allow-recursion", "allow-recursion-on",
+		 		      NULL };
+	
+	if (voptions != NULL)
+		cfg_map_get(voptions, "recursion", &obj);
+	if (obj == NULL && config != NULL) {
+		options = NULL;
+		cfg_map_get(config, "options", &options);
+		if (options != NULL)
+			cfg_map_get(options, "recursion", &obj);
+	}
+	if (obj == NULL)
+		recursion = ISC_TRUE;
+	else
+		recursion = cfg_obj_asboolean(obj);
+
+	if (viewname == NULL) {
+		viewname = "";
+		forview = "";
+	}
+
+	for (i = 0; acls[i] != NULL; i++) {
+		aclobj = options = NULL;
+		acl = NULL;
+
+		if (voptions != NULL)
+			cfg_map_get(voptions, acls[i], &aclobj);
+		if (config != NULL && aclobj == NULL) {
+			options = NULL;
+			cfg_map_get(config, "options", &options);
+			if (options != NULL)
+				cfg_map_get(options, acls[i], &aclobj);
+		}
+		if (aclobj == NULL) 
+			continue;
+
+		tresult = cfg_acl_fromconfig(aclobj, config, logctx,
+					    actx, mctx, &acl);
+
+		if (tresult != ISC_R_SUCCESS)
+			result = tresult;  
+
+		if (acl == NULL)
+			continue;
+
+		if (recursion == ISC_FALSE &&
+		    (acl->length != 1 ||
+		     acl->elements[0].type != dns_aclelementtype_any ||
+		     acl->elements[0].negative != ISC_TRUE)) {
+			cfg_obj_log(aclobj, logctx, ISC_LOG_WARNING,
+				    "both \"recursion no;\" and "
+				    "\"%s\" active%s%s",
+				    acls[i], forview, viewname);
+		}
+
+		if (acl != NULL)
+			dns_acl_detach(&acl);
+	}	
+
+	return (result);
+}
+
 typedef struct {
 	const char *name;
 	unsigned int scale;
@@ -1393,7 +1472,8 @@ check_servers(const cfg_obj_t *servers, isc_log_t *logctx) {
 		
 static isc_result_t
 check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
-	       dns_rdataclass_t vclass, isc_log_t *logctx, isc_mem_t *mctx)
+	       const char *viewname, dns_rdataclass_t vclass,
+	       isc_log_t *logctx, isc_mem_t *mctx)
 {
 	const cfg_obj_t *servers = NULL;
 	const cfg_obj_t *zones = NULL;
@@ -1548,6 +1628,11 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	if (tresult != ISC_R_SUCCESS)
 		result = tresult;
 
+	tresult = check_recursionacls(&actx, voptions, viewname,
+				      config, logctx, mctx);
+	if (tresult != ISC_R_SUCCESS)
+		result = tresult;
+
 	cfg_aclconfctx_destroy(&actx);
 
 	return (result);
@@ -1861,7 +1946,7 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
 			result = ISC_R_FAILURE;
 
 	if (views == NULL) {
-		if (check_viewconf(config, NULL, dns_rdataclass_in,
+		if (check_viewconf(config, NULL, NULL, dns_rdataclass_in,
 				   logctx, mctx) != ISC_R_SUCCESS)
 			result = ISC_R_FAILURE;
 	} else {
@@ -1933,7 +2018,7 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
 			}
 		}
 		if (tresult == ISC_R_SUCCESS)
-			tresult = check_viewconf(config, voptions,
+			tresult = check_viewconf(config, voptions, key,
 						 vclass, logctx, mctx);
 		if (tresult != ISC_R_SUCCESS)
 			result = ISC_R_FAILURE;

lib/dns/include/dns/view.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.h,v 1.103 2006/12/22 01:45:00 marka Exp $ */
+/* $Id: view.h,v 1.104 2007/03/29 06:36:31 marka Exp $ */
 
 #ifndef DNS_VIEW_H
 #define DNS_VIEW_H 1
@@ -118,7 +118,9 @@ struct dns_view {
 	isc_boolean_t			acceptexpired;
 	dns_transfer_format_t		transfer_format;
 	dns_acl_t *			queryacl;
+	dns_acl_t *			queryonacl;
 	dns_acl_t *			recursionacl;
+	dns_acl_t *			recursiononacl;
 	dns_acl_t *			sortlist;
 	isc_boolean_t			requestixfr;
 	isc_boolean_t			provideixfr;

lib/dns/include/dns/zone.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.h,v 1.149 2006/12/22 01:45:00 marka Exp $ */
+/* $Id: zone.h,v 1.150 2007/03/29 06:36:31 marka Exp $ */
 
 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
@@ -702,6 +702,16 @@ dns_zone_setqueryacl(dns_zone_t *zone, dns_acl_t *acl);
  *\li	'acl' to be a valid acl.
  */
 
+void
+dns_zone_setqueryonacl(dns_zone_t *zone, dns_acl_t *acl);
+/*%<
+ *	Sets the query-on acl list for the zone.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'acl' to be a valid acl.
+ */
+
 void
 dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl);
 /*%<
@@ -758,6 +768,19 @@ dns_zone_getqueryacl(dns_zone_t *zone);
  *\li	NULL
  */
 
+dns_acl_t *
+dns_zone_getqueryonacl(dns_zone_t *zone);
+/*%<
+ * 	Returns the current query-on acl or NULL.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	acl a pointer to the acl.
+ *\li	NULL
+ */
+
 dns_acl_t *
 dns_zone_getupdateacl(dns_zone_t *zone);
 /*%<
@@ -833,6 +856,15 @@ dns_zone_clearqueryacl(dns_zone_t *zone);
  *\li	'zone' to be a valid zone.
  */
 
+void
+dns_zone_clearqueryonacl(dns_zone_t *zone);
+/*%<
+ *	Clear the current query-on acl.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
 void
 dns_zone_clearxfracl(dns_zone_t *zone);
 /*%<

lib/dns/view.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.c,v 1.140 2007/03/06 02:12:39 tbox Exp $ */
+/* $Id: view.c,v 1.141 2007/03/29 06:36:30 marka Exp $ */
 
 /*! \file */
 
@@ -166,7 +166,9 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	view->minimalresponses = ISC_FALSE;
 	view->transfer_format = dns_one_answer;
 	view->queryacl = NULL;
+	view->queryonacl = NULL;
 	view->recursionacl = NULL;
+	view->recursiononacl = NULL;
 	view->sortlist = NULL;
 	view->requestixfr = ISC_TRUE;
 	view->provideixfr = ISC_TRUE;
@@ -287,8 +289,12 @@ destroy(dns_view_t *view) {
 		dns_acl_detach(&view->matchdestinations);
 	if (view->queryacl != NULL)
 		dns_acl_detach(&view->queryacl);
+	if (view->queryonacl != NULL)
+		dns_acl_detach(&view->queryonacl);
 	if (view->recursionacl != NULL)
 		dns_acl_detach(&view->recursionacl);
+	if (view->recursiononacl != NULL)
+		dns_acl_detach(&view->recursiononacl);
 	if (view->sortlist != NULL)
 		dns_acl_detach(&view->sortlist);
 	if (view->delonly != NULL) {

lib/dns/zone.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.463 2007/02/26 23:46:54 tbox Exp $ */
+/* $Id: zone.c,v 1.464 2007/03/29 06:36:30 marka Exp $ */
 
 /*! \file */
 
@@ -216,6 +216,7 @@ struct dns_zone {
 	dns_acl_t		*forward_acl;
 	dns_acl_t		*notify_acl;
 	dns_acl_t		*query_acl;
+	dns_acl_t		*queryon_acl;
 	dns_acl_t		*xfr_acl;
 	isc_boolean_t		update_disabled;
 	isc_boolean_t		zero_no_soa_ttl;
@@ -623,6 +624,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 	zone->forward_acl = NULL;
 	zone->notify_acl = NULL;
 	zone->query_acl = NULL;
+	zone->queryon_acl = NULL;
 	zone->xfr_acl = NULL;
 	zone->update_disabled = ISC_FALSE;
 	zone->zero_no_soa_ttl = ISC_TRUE;
@@ -747,6 +749,8 @@ zone_free(dns_zone_t *zone) {
 		dns_acl_detach(&zone->notify_acl);
 	if (zone->query_acl != NULL)
 		dns_acl_detach(&zone->query_acl);
+	if (zone->queryon_acl != NULL)
+		dns_acl_detach(&zone->queryon_acl);
 	if (zone->xfr_acl != NULL)
 		dns_acl_detach(&zone->xfr_acl);
 	if (dns_name_dynamic(&zone->origin))
@@ -5870,6 +5874,18 @@ dns_zone_setqueryacl(dns_zone_t *zone, dns_acl_t *acl) {
 	UNLOCK_ZONE(zone);
 }
 
+void
+dns_zone_setqueryonacl(dns_zone_t *zone, dns_acl_t *acl) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->queryon_acl != NULL)
+		dns_acl_detach(&zone->queryon_acl);
+	dns_acl_attach(acl, &zone->queryon_acl);
+	UNLOCK_ZONE(zone);
+}
+
 void
 dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl) {
 
@@ -5922,6 +5938,14 @@ dns_zone_getqueryacl(dns_zone_t *zone) {
 	return (zone->query_acl);
 }
 
+dns_acl_t *
+dns_zone_getqueryonacl(dns_zone_t *zone) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->queryon_acl);
+}
+
 dns_acl_t *
 dns_zone_getupdateacl(dns_zone_t *zone) {
 
@@ -5990,6 +6014,17 @@ dns_zone_clearqueryacl(dns_zone_t *zone) {
 	UNLOCK_ZONE(zone);
 }
 
+void
+dns_zone_clearqueryonacl(dns_zone_t *zone) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->queryon_acl != NULL)
+		dns_acl_detach(&zone->queryon_acl);
+	UNLOCK_ZONE(zone);
+}
+
 void
 dns_zone_clearxfracl(dns_zone_t *zone) {
 

lib/isccfg/namedconf.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.74 2007/02/06 00:01:23 marka Exp $ */
+/* $Id: namedconf.c,v 1.75 2007/03/29 06:36:31 marka Exp $ */
 
 /*! \file */
 
@@ -735,7 +735,9 @@ static cfg_type_t cfg_type_lookaside = {
 static cfg_clausedef_t
 view_clauses[] = {
 	{ "allow-query-cache", &cfg_type_bracketed_aml, 0 },
+	{ "allow-query-cache-on", &cfg_type_bracketed_aml, 0 },
 	{ "allow-recursion", &cfg_type_bracketed_aml, 0 },
+	{ "allow-recursion-on", &cfg_type_bracketed_aml, 0 },
 	{ "allow-v6-synthesis", &cfg_type_bracketed_aml,
 	  CFG_CLAUSEFLAG_OBSOLETE },
 	{ "sortlist", &cfg_type_bracketed_aml, 0 },
@@ -814,6 +816,7 @@ view_only_clauses[] = {
 static cfg_clausedef_t
 zone_clauses[] = {
 	{ "allow-query", &cfg_type_bracketed_aml, 0 },
+	{ "allow-query-on", &cfg_type_bracketed_aml, 0 },
 	{ "allow-transfer", &cfg_type_bracketed_aml, 0 },
 	{ "allow-update", &cfg_type_bracketed_aml, 0 },
 	{ "allow-update-forwarding", &cfg_type_bracketed_aml, 0 },