mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 05:57:52 +00:00
Code Issues Releases Wiki Activity

denied axfr requests were not effective for writable DLZ zones

Browse Source
This commit is contained in:
Mark Andrews 2019-02-06 11:35:21 -08:00 committed by Evan Hunt
parent 5e7f1a8d67
commit a9307de85e
3 changed files with 31 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
bin/tests/system/dlzexternal/driver.c
View File

@ -536,10 +536,22 @@ dlz_lookup(const char *zone, const char *name, void *dbdata,
*/
isc_result_t
dlz_allowzonexfr(void *dbdata, const char *name, const char *client) {
UNUSED(client);
isc_result_t result;
/* Just say yes for all our zones */
return (dlz_findzonedb(dbdata, name, NULL, NULL));
result = dlz_findzonedb(dbdata, name, NULL, NULL);
if (result != ISC_R_SUCCESS) {
return (result);
}
/*
* Exception for 10.53.0.5 so we can test that allow-transfer
* is effective.
*/
if (strcmp(client, "10.53.0.5") == 0) {
return (ISC_R_NOPERM);
}
return (ISC_R_SUCCESS);
}
/*

16
bin/tests/system/dlzexternal/tests.sh
View File

@ -108,15 +108,23 @@ test_update testdc1.alternate.nil. A "86400 A 10.53.0.10" "10.53.0.10" || ret=1
status=`expr $status + $ret`
newtest "testing AXFR from DLZ drivers"
$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.ns1.test$n
lines=`cat dig.out.ns1.test$n | wc -l`
$DIG $DIGOPTS +noall +answer axfr example.nil > dig.out.example.ns1.test$n
lines=`cat dig.out.example.ns1.test$n | wc -l`
[ ${lines:-0} -eq 4 ] || ret=1
$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.ns1.test$n
lines=`cat dig.out.ns1.test$n | wc -l`
$DIG $DIGOPTS +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n
lines=`cat dig.out.alternate.ns1.test$n | wc -l`
[ ${lines:-0} -eq 5 ] || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
newtest "testing AXFR denied from DLZ drivers"
$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr example.nil > dig.out.example.ns1.test$n
grep "; Transfer failed" dig.out.example.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS -b 10.53.0.5 +noall +answer axfr alternate.nil > dig.out.alternate.ns1.test$n
grep "; Transfer failed" dig.out.alternate.ns1.test$n > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
newtest "testing unsearched/unregistered DLZ zone is not found"
$DIG $DIGOPTS +noall +answer ns other.nil > dig.out.ns1.test$n
grep "3600.IN.NS.other.nil." dig.out.ns1.test$n > /dev/null && ret=1

8
lib/ns/xfrout.c
View File

@ -817,12 +817,12 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
result = dns_zt_find(client->view->zonetable, question_name, 0, NULL,
&zone);
if (result != ISC_R_SUCCESS) {
if (result != ISC_R_SUCCESS || dns_zone_gettype(zone) == dns_zone_dlz) {
/*
* Normal zone table does not have a match.
* Try the DLZ database
* The normal zone table does not have a match, or this is
* marked in the zone table as a DLZ zone. Check the DLZ
* databases for a match.
*/
// Temporary: only searching the first DLZ database
if (! ISC_LIST_EMPTY(client->view->dlz_searched)) {
result = dns_dlzallowzonexfr(client->view,
question_name,