Merge branch '3157-blackhole-request' into 'main'

negative match on the 'blackhole' ACL could be treated as positive

Closes #3157

See merge request isc-projects/bind9!5853

CHANGES

@@ -1,3 +1,8 @@
+5806.	[bug]		An error in checking the "blackhole" ACL could cause
+			DNS requests sent by named to fail if the
+			destination address or prefix was specifically
+			excluded from the ACL. [GL #3157]
+
 5805.	[func]		The result of each resolver priming attempt is now
 			included in the "resolver priming query complete" log
 			message. [GL #3139]

bin/tests/system/xfer/ns4/named.conf.base

@@ -21,6 +21,7 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	notify yes;
+	blackhole { none; };
 };
 
 key rndc_key {

doc/notes/notes-current.rst

@@ -62,3 +62,11 @@ Bug Fixes
 
 - Build errors were introduced in some DLZ modules due to an incomplete
   change in the previous release. This has been fixed. :gl:`#3111`
+
+- An error in the processing of the ``blackhole`` ACL could cause some DNS
+  requests sent by ``named`` to fail - for example, zone transfer requests
+  and SOA refresh queries - if the destination address or prefix was
+  specifically excluded from the ACL using ``!``, or if the ACL was set
+  to ``none``.  ``blackhole`` worked correctly when it was left unset, or
+  if only positive-match elements were included. This has now been fixed.
+  :gl:`#3157`

lib/dns/request.c

@@ -383,7 +383,7 @@ isblackholed(dns_dispatchmgr_t *dispatchmgr, const isc_sockaddr_t *destaddr) {
 
 	isc_netaddr_fromsockaddr(&netaddr, destaddr);
 	result = dns_acl_match(&netaddr, NULL, blackhole, NULL, &match, NULL);
-	if (result != ISC_R_SUCCESS || match == 0) {
+	if (result != ISC_R_SUCCESS || match <= 0) {
 		return (false);
 	}