obey the allow-update forwarding option for both signed and unsigned updates;

fold the upforwd system test README file and nsupdate input files into the tests.sh script;
other minor cleanup of the upforwd test

CHANGES

@@ -137,7 +137,10 @@
 
  543.	[doc]		The 'port' option is now documented.
 
- 542.	[func]		Add allow-update-forwarding support.
+ 542.	[func]		Add support for update forwarding as required for
+			full compliance with RFC2136.  It is turned off
+			by default and can be enabled using the
+			'allow-update-forwarding' option.
 
  541.	[func]		Add bogus server support.
 

bin/named/update.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.74 2000/11/22 02:49:57 gson Exp $ */
+/* $Id: update.c,v 1.75 2000/12/01 21:37:08 gson Exp $ */
 
 #include <config.h>
 
@@ -1889,31 +1889,13 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
 		if (sigresult != ISC_R_SUCCESS)
 			FAIL(sigresult);
 		CHECK(send_update_event(client, zone));
-		break;	/* OK. */
+		break;
 	case dns_zone_slave:
-		if (dns_message_gettsig(client->message, NULL) == NULL) {
+		CHECK(ns_client_checkacl(client, "update forwarding",
-			dns_acl_t *forwardacl;
+					 dns_zone_getforwardacl(zone),
-
+					 ISC_FALSE, ISC_LOG_ERROR));
-			/*
-			 * We only REFUSE if policy is explicitly set and
-			 * we fail to match.
-			 */
-			forwardacl = dns_zone_getforwardacl(zone);
-			if (forwardacl == NULL) {
-				FAILS(DNS_R_NOTIMP,
-				      "unsigned updates not forwarded (noacl)");
-			} else {
-				result = ns_client_checkacl(client,
-							    "update-forward",
-							    forwardacl,
-							    ISC_FALSE,
-							    ISC_LOG_INFO);
-				if (result != ISC_R_SUCCESS)
-					FAIL(DNS_R_REFUSED);
-			}
-		}
 		CHECK(send_forward_event(client, zone));
-		break;	/* OK. */
+		break;
 	default:
 		FAILC(DNS_R_NOTAUTH,
 		      "not authoritative for update zone");

bin/tests/system/upforwd/README

@@ -1,8 +0,0 @@
-Copyright (C) 2000  Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-$Id: README,v 1.2 2000/11/06 08:33:06 marka Exp $
-
-ns1 stealth master
-ns2 slave
-ns3 slave

bin/tests/system/upforwd/ns3/named.conf

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.3 2000/11/28 19:06:47 gson Exp $ */
+/* $Id: named.conf,v 1.4 2000/12/01 21:37:13 gson Exp $ */
 
 options {
 	query-source address 10.53.0.3;
@@ -32,6 +32,6 @@ options {
 zone "example" {
 	type slave;
 	file "example.bk";
-	allow-update-forwarding { 10.53.0.3; };
+	allow-update-forwarding { any; };
 	masters { 10.53.0.1; };
 };

bin/tests/system/upforwd/tests.sh

@@ -15,22 +15,26 @@
 # NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 # WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.5 2000/11/28 03:21:17 marka Exp $ 
+# $Id: tests.sh,v 1.6 2000/12/01 21:37:10 gson Exp $ 
+
+# ns1 = stealth master
+# ns2 = slave with update forwarding disabled; not currently used
+# ns3 = slave with update forwarding enabled
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
 status=0
 
-echo "I:fetching first copy of zone before update"
+echo "I:fetching master copy of zone before update"
 $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
 	@10.53.0.1 axfr -p 5300 > dig.out.ns1 || status=1
 
-echo "I:fetching second copy of zone before update"
+echo "I:fetching slave 1 copy of zone before update"
 $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
 	@10.53.0.2 axfr -p 5300 > dig.out.ns2 || status=1
 
-echo "I:fetching third copy of zone before update"
+echo "I:fetching slave 2 copy of zone before update"
 $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
 	@10.53.0.3 axfr -p 5300 > dig.out.ns3 || status=1
 
@@ -40,20 +44,25 @@ $PERL ../digcomp.pl knowngood.before dig.out.ns2 || status=1
 $PERL ../digcomp.pl knowngood.before dig.out.ns3 || status=1
 
 echo "I:updating zone (signed)"
-# nsupdate will print a ">" prompt to stdout as it gets each input line.
+$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || status=1
-$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K update.scp > /dev/null
+server 10.53.0.3 5300
+update add updated.example. 600 A 10.10.10.1
+update add updated.example. 600 TXT Foo
+send
+EOF
+
 echo "I:sleeping 15 seconds for server to incorporate changes"
 sleep 15
 
-echo "I:fetching first copy of zone after update"
+echo "I:fetching master copy of zone after update"
 $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
 	@10.53.0.1 axfr -p 5300 > dig.out.ns1 || status=1
 
-echo "I:fetching second copy of zone after update"
+echo "I:fetching slave 1 copy of zone after update"
 $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
 	@10.53.0.2 axfr -p 5300 > dig.out.ns2 || status=1
 
-echo "I:fetching third copy of zone after update"
+echo "I:fetching slave 2 copy of zone after update"
 $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
 	@10.53.0.3 axfr -p 5300 > dig.out.ns3 || status=1
 
@@ -63,20 +72,25 @@ $PERL ../digcomp.pl knowngood.after1 dig.out.ns2 || status=1
 $PERL ../digcomp.pl knowngood.after1 dig.out.ns3 || status=1
 
 echo "I:updating zone (unsigned)"
-# nsupdate will print a ">" prompt to stdout as it gets each input line.
+$NSUPDATE -- - <<EOF || status=1
-$NSUPDATE update.scp2 > /dev/null
+server 10.53.0.3 5300
+update add unsigned.example. 600 A 10.10.10.1
+update add unsigned.example. 600 TXT Foo
+send
+EOF
+
 echo "I:sleeping 15 seconds for server to incorporate changes"
 sleep 15
 
-echo "I:fetching first copy of zone after update"
+echo "I:fetching master copy of zone after update"
 $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
 	@10.53.0.1 axfr -p 5300 > dig.out.ns1 || status=1
 
-echo "I:fetching second copy of zone after update"
+echo "I:fetching slave 1 copy of zone after update"
 $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
 	@10.53.0.2 axfr -p 5300 > dig.out.ns2 || status=1
 
-echo "I:fetching third copy of zone after update"
+echo "I:fetching slave 2 copy of zone after update"
 $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd example.\
 	@10.53.0.3 axfr -p 5300 > dig.out.ns3 || status=1
 

bin/tests/system/upforwd/update.scp

@@ -1,4 +0,0 @@
-server 10.53.0.2 5300
-update add updated.example. 600 A 10.10.10.1
-update add updated.example. 600 TXT Foo
-

bin/tests/system/upforwd/update.scp2

@@ -1,5 +0,0 @@
-server 10.53.0.3 5300
-local 10.53.0.3
-update add unsigned.example. 600 A 10.10.10.1
-update add unsigned.example. 600 TXT Foo
-

doc/arm/Bv9ARM-book.xml

@@ -2,7 +2,7 @@
 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
                "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd">
 
-<!-- File: $Id: Bv9ARM-book.xml,v 1.59 2000/11/30 21:33:22 gson Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.60 2000/12/01 21:37:15 gson Exp $ -->
 
 <book>
 
@@ -3741,14 +3741,21 @@ updates from all hosts.</para></entry>
               </row>
               <row rowsep = "0">
                 <entry colname = "1"><para><command>allow-update-forwarding</command></para></entry>
-                <entry colname = "2"><para>Specifies which hosts are allowed to
+
+<entry colname = "2"><para>Specifies which hosts are allowed to
 submit Dynamic DNS updates to slave zones to be forwarded to the
-master.
+master.  The default is <userinput>{ none; }</userinput>, which 
-This applies only to unsigned updates.
+means that no update forwarding will be performed.  To enable
-Signed updates are always forwarded.
+update forwarding, specify  <userinput>allow-update-forwarding { any; };</userinput>.
-If there is no acl defined then the server will return NOTIMPL, causing the
+Specifying values other than <userinput>{ none; }</userinput> or
-client to skip to the next server.  If an acl is defined and there is no
+<userinput>{ any; }</userinput> is usually counterproductive, since
-match then the default is to deny update forwarding.</para>
+the responsibility for update access control should rest with the 
+master server, not the slaves.</para>
+
+<para>Note that enabling the update forwarding feature on a slave server
+may expose master servers relying on insecure IP address based
+access control to attacks; see <xref linkend="dynamic_update_security">
+for more details.</para>
 </entry>
               </row>
               <row rowsep = "0">
@@ -4609,7 +4616,7 @@ the <command>touch</command> utility (to change file access and
 modification times) or the <command>chown</command> utility (to
 set the user id and/or group id) on files to which you want <acronym>BIND</acronym>
 to write.</para></sect2></sect1>
-<sect1><title>Dynamic Updates</title> 
+<sect1 id="dynamic_update_security"><title>Dynamic Updates</title> 
 <para>Access to the dynamic
 update facility should be strictly limited.  In earlier versions of
 <acronym>BIND</acronym> the only way to do this was based on the IP

util/copyrights

@@ -522,7 +522,6 @@
 ./bin/tests/system/unknown/ns1/example-in.db	ZONE	2000
 ./bin/tests/system/unknown/ns1/named.conf	CONF-C	2000
 ./bin/tests/system/unknown/tests.sh		SH	2000
-./bin/tests/system/upforwd/README		TXT.BRIEF	2000
 ./bin/tests/system/upforwd/clean.sh		SH	2000
 ./bin/tests/system/upforwd/knowngood.after1	X	2000
 ./bin/tests/system/upforwd/knowngood.after2	X	2000
@@ -537,8 +536,6 @@
 ./bin/tests/system/upforwd/ns3/named.conf	CONF-C	2000
 ./bin/tests/system/upforwd/setup.sh		SH	2000
 ./bin/tests/system/upforwd/tests.sh		SH	2000
-./bin/tests/system/upforwd/update.scp		X	2000
-./bin/tests/system/upforwd/update.scp2		X	2000
 ./bin/tests/system/views/.cvsignore		X	2000
 ./bin/tests/system/views/clean.sh		SH	2000
 ./bin/tests/system/views/ns1/.cvsignore		X	2000