[master] log when update-policy local gets a key match from a remote host

4788. [cleanup] When using "update-policy local", log a warning when an update matching the session key is received from a remote host. [RT #46213] - this completes change #4762.
2025-08-30 05:57:52 +00:00 · 2017-10-25 00:58:00 -07:00 · 2017-10-25 00:58:00 -07:00 · aebdc6cd7d
commit aebdc6cd7d
parent 910a01550a
5 changed files with 18 additions and 1 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+4788.	[cleanup]	When using "update-policy local", log a warning
+			when an update matching the session key is received
+			from a remote host. [RT #46213]
+
 4787.	[cleanup]	Turn nsec3param_salt_totext() into a public function,
 			dns_nsec3param_salttotext(), and add unit tests for it.
 			[RT #46289]
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@ -486,6 +486,7 @@ fi
 n=`expr $n + 1`
 ret=0
 echo "I:check that 'update-policy local' fails from non-localhost address ($n)"
+grep 'match on session key not from localhost' ns5/named.run > /dev/null && ret=1
 $NSUPDATE -p 5300 -k ns5/session.key > nsupdate.out.$n 2>&1 << END && ret=1
 server 10.53.0.5 5300
 local 10.53.0.1
@ -493,6 +494,7 @@ update add nonlocal.local.nil. 600 A 4.3.2.1
 send
 END
 grep REFUSED nsupdate.out.$n > /dev/null 2>&1 || ret=1
+grep 'match on session key not from localhost' ns5/named.run > /dev/null || ret=1
 $DIG @10.53.0.5 -p 5300 \
        +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
        nonlocal.local.nil. > dig.out.ns5.$n || ret=1
--- a/lib/dns/include/dns/log.h
+++ b/lib/dns/include/dns/log.h
@ -73,6 +73,7 @@ LIBDNS_EXTERNAL_DATA extern isc_logmodule_t dns_modules[];
 #define DNS_LOGMODULE_NTA		(&dns_modules[30])
 #define DNS_LOGMODULE_DYNDB		(&dns_modules[31])
 #define DNS_LOGMODULE_DNSTAP		(&dns_modules[32])
+#define DNS_LOGMODULE_SSU		(&dns_modules[33])

 ISC_LANG_BEGINDECLS

--- a/lib/dns/log.c
+++ b/lib/dns/log.c
@ -79,6 +79,7 @@ LIBDNS_EXTERNAL_DATA isc_logmodule_t dns_modules[] = {
 	{ "dns/nta",		0 },
 	{ "dns/dyndb",		0 },
 	{ "dns/dnstap",		0 },
+	{ "dns/ssu",		0 },
 	{ NULL, 		0 }
 };

--- a/lib/dns/ssu.c
+++ b/lib/dns/ssu.c
@ -425,12 +425,21 @@ dns_ssutable_checkrules2(dns_ssutable_t *table, const dns_name_t *signer,
 				continue;
 			}
 			if (!dns_name_issubdomain(name, rule->name)) {
-
 				continue;
 			}
 			dns_acl_match(addr, NULL, env->localhost,
 				      NULL, &match, NULL);
 			if (match == 0) {
+				if (signer != NULL) {
+					isc_log_write(dns_lctx,
+						      DNS_LOGCATEGORY_GENERAL,
+						      DNS_LOGMODULE_SSU,
+						      ISC_LOG_WARNING,
+						      "update-policy local: "
+						      "match on session "
+						      "key not from "
+						      "localhost");
+				}
 				continue;
 			}
 			break;