From 41efe04c1958fd1656b0f0567487edfc108f8918 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 30 Jan 2009 04:24:29 +0000 Subject: [PATCH] 2539. [security] Update the interaction between recursion, allow-query, allow-query-cache and allow-recursion. [RT #19198] --- CHANGES | 3 +++ README | 15 ++++++++------- bin/named/server.c | 23 ++++++++++++++++------- doc/arm/Bv9ARM-book.xml | 7 ++++--- 4 files changed, 31 insertions(+), 17 deletions(-) diff --git a/CHANGES b/CHANGES index 3a1aecbfc9..c9aa2c3fbc 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2539. [security] Update the interaction between recursion, allow-query, + allow-query-cache and allow-recursion. [RT #19198] + 2536. [cleanup] Silence some warnings when -Werror=format-security is specified. [RT #19083] diff --git a/README b/README index 0a0bc9e86f..6ee3b60101 100644 --- a/README +++ b/README @@ -76,13 +76,14 @@ BIND 9.4.0 rndc now allows addresses to be set in the server clauses. - New option "allow-query-cache". This lets allow-query be - used to specify the default zone access level rather than - having to have every zone override the global value. - allow-query-cache can be set at both the options and view - levels. If allow-query-cache is not set then allow-recursion - is used if set, otherwise allow-query is used if set, otherwise - the default (localhost; localnets;) is used. + New option "allow-query-cache". This lets "allow-query" + be used to specify the default zone access level rather + than having to have every zone override the global value. + "allow-query-cache" can be set at both the options and view + levels. If "allow-query-cache" is not set then "allow-recursion" + is used if set, otherwise "allow-query" is used if set + unless "recursion no;" is set in which case "none;" is used, + otherwise the default (localhost; localnets;) is used. rndc: the source address can now be specified. diff --git a/bin/named/server.c b/bin/named/server.c index 7639e420d3..83467db42d 100644 
--- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.419.18.73 2009/01/19 00:36:26 marka Exp $ */ +/* $Id: server.c,v 1.419.18.74 2009/01/30 04:24:29 marka Exp $ */ /*! \file */ @@ -1561,10 +1561,11 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, */ if (view->queryacl == NULL && view->recursionacl != NULL) dns_acl_attach(view->recursionacl, &view->queryacl); - if (view->queryacl == NULL) + if (view->queryacl == NULL && view->recursion) CHECK(configure_view_acl(vconfig, config, "allow-query", actx, ns_g_mctx, &view->queryacl)); - if (view->recursionacl == NULL && view->queryacl != NULL) + if (view->recursion && + view->recursionacl == NULL && view->queryacl != NULL) dns_acl_attach(view->queryacl, &view->recursionacl); /* @@ -1573,10 +1574,18 @@ configure_view(dns_view_t *view, const cfg_obj_t *config, if (view->recursionacl == NULL && view->recursion) CHECK(configure_view_acl(NULL, ns_g_config, "allow-recursion", actx, ns_g_mctx, &view->recursionacl)); - if (view->queryacl == NULL) - CHECK(configure_view_acl(NULL, ns_g_config, - "allow-query-cache", actx, - ns_g_mctx, &view->queryacl)); + if (view->queryacl == NULL) { + if (view->recursion) + CHECK(configure_view_acl(NULL, ns_g_config, + "allow-query-cache", actx, + ns_g_mctx, &view->queryacl)); + else { + if (view->queryacl != NULL) + dns_acl_detach(&view->queryacl); + CHECK(dns_acl_none(ns_g_mctx, &view->queryacl)); + } + + } CHECK(configure_view_acl(vconfig, config, "sortlist", actx, ns_g_mctx, &view->sortlist)); diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index e9e0b59b8a..acf3180f2a 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual 
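Review bot: The new `view->recursion` gate on the view-level "allow-query" fallback, and on the attach of queryacl to recursionacl two statements below, is not explained anywhere in the code; the comment block that closes at the hunk's first context line `*/` lies outside the hunk, and if it describes the ACL fallback order it now needs the rule this patch states in its README hunk. Suggested wording to add there: `With "recursion no;" the view's allow-query is no longer applied to the cache; an unset allow-query-cache then falls back to "none;" rather than to the allow-query default.` The enclosing configure_view starts and ends outside the hunk.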
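Review bot: In the new else branch of the second server.c hunk, `if (view->queryacl != NULL) dns_acl_detach(&view->queryacl);` is dead code: it sits inside `if (view->queryacl == NULL) {`, so the detach condition can never hold, and a reader is left wondering whether the outer test was meant to be something else. The branch can be reduced to `else CHECK(dns_acl_none(ns_g_mctx, &view->queryacl));`, which also makes the if/else symmetrical and removes the stray blank line before the closing brace. A short comment on the `else` would record why "none" is chosen instead of the global allow-query-cache default, e.g. `/* recursion no; with no allow-query-cache: the cache is not queryable */`, matching the README and ARM text in this patch. The enclosing configure_view starts and ends outside the hunk.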
@@ -5884,8 +5884,9 @@ options { from the cache. If allow-query-cache is not set then allow-recursion is used if set, otherwise allow-query - is used if set, otherwise the default - (localnets; + is used if set unless recursion no; is + set in which case none; is used, + otherwise the default (localnets; localhost;) is used.