587. [func] A warning is now printed if the "allow-update"

option allows updates based on the source IP
                        address, to alert users to the fact that this
                        is insecure and becoming increasingly so as
                        servers capable of update forwarding are being
                        deployed.

CHANGES

@@ -1,3 +1,11 @@
+
+ 587.	[func]		A warning is now printed if the "allow-update"
+			option allows updates based on the source IP
+			address, to alert users to the fact that this
+			is insecure and becoming increasingly so as
+			servers capable of update forwarding are being
+			deployed.
+
  586.	[bug]		multiple views with the same name were fatal. [RT #516]
 
  585.	[func]		dns_db_addrdataset() and and dns_rdataslab_merge()

bin/named/zoneconf.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.c,v 1.74 2000/11/28 19:15:12 gson Exp $ */
+/* $Id: zoneconf.c,v 1.75 2000/12/01 18:22:14 gson Exp $ */
 
 #include <config.h>
 
@@ -24,9 +24,12 @@
 #include <isc/util.h>
 
 #include <dns/acl.h>
+#include <dns/log.h>
 #include <dns/ssu.h>
 #include <dns/zone.h>
 
+#include <named/globals.h>
+#include <named/log.h>
 #include <named/zoneconf.h>
 
 /*
@@ -369,12 +372,21 @@ ns_zone_configure(dns_c_ctx_t *cctx, dns_c_view_t *cview,
 	 * primary masters only.
 	 */
 	if (czone->ztype == dns_c_zone_master) {
+		dns_acl_t *updateacl;
 		RETERR(configure_zone_acl(czone, cctx, NULL, ac, zone,
 					  dns_c_zone_getallowupd,
 					  NULL, NULL,
 					  dns_zone_setupdateacl,
 					  dns_zone_clearupdateacl));
-
+		
+		updateacl = dns_zone_getupdateacl(zone);
+		if (updateacl != NULL  && dns_acl_isinsecure(updateacl))
+			isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
+				      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
+				      "zone '%s' allows updates by IP "
+				      "address, which is insecure",
+				      czone->name);
+		
 		result = dns_c_zone_getssuauth(czone, &ssutable);
 		if (result == ISC_R_SUCCESS)
 			dns_zone_setssutable(zone, ssutable);

lib/dns/acl.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acl.c,v 1.16 2000/11/15 22:59:55 tale Exp $ */
+/* $Id: acl.c,v 1.17 2000/12/01 18:22:15 gson Exp $ */
 
 #include <config.h>
 
@@ -316,6 +316,68 @@ dns_acl_equal(dns_acl_t *a, dns_acl_t *b) {
 	return (ISC_TRUE);
 }
 
+#ifndef INADDR_LOOPBACK
+#define INADDR_LOOPBACK (unsigned long)0x7F000001UL
+#endif
+
+static isc_boolean_t
+is_loopback(dns_aclipprefix_t *p) {
+	switch (p->address.family) {
+	case AF_INET:
+		if (p->prefixlen == 32 &&
+		    htonl(p->address.type.in.s_addr) == INADDR_LOOPBACK)
+			return (ISC_TRUE);
+		break;
+	case AF_INET6:
+		if (p->prefixlen == 128 &&
+		    IN6_IS_ADDR_LOOPBACK(&p->address.type.in6))
+			return (ISC_TRUE);
+		break;
+	default:
+		break;
+	}
+	return (ISC_FALSE);
+}
+
+isc_boolean_t
+dns_acl_isinsecure(dns_acl_t *a) {
+	unsigned int i;
+	for (i = 0; i < a->length; i++) {
+		dns_aclelement_t *e = &a->elements[i];
+
+		/* A negated match can never be insecure. */
+		if (e->negative)
+			continue;
+
+		switch (e->type) {
+		case dns_aclelementtype_ipprefix:
+			/* The loopback address is considered secure. */
+			if (! is_loopback(&e->u.ip_prefix))
+				return (ISC_TRUE);
+			continue;
+			
+		case dns_aclelementtype_keyname:
+		case dns_aclelementtype_localhost:
+			continue;
+
+		case dns_aclelementtype_nestedacl:
+			if (dns_acl_isinsecure(e->u.nestedacl))
+				return (ISC_TRUE);
+			continue;
+			
+		case dns_aclelementtype_localnets:
+		case dns_aclelementtype_any:
+			return (ISC_TRUE);
+
+		default:
+			INSIST(0);
+			return (ISC_TRUE);
+		}
+	}
+	/* No insecure elements were found. */
+	return (ISC_FALSE);
+}
+
 isc_result_t
 dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env) {
 	isc_result_t result;

lib/dns/include/dns/acl.h

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acl.h,v 1.15 2000/11/10 03:16:23 gson Exp $ */
+/* $Id: acl.h,v 1.16 2000/12/01 18:22:17 gson Exp $ */
 
 #ifndef DNS_ACL_H
 #define DNS_ACL_H 1
@@ -52,16 +52,20 @@ typedef enum {
 	dns_aclelementtype_any
 } dns_aclelemettype_t;
 
+typedef struct dns_aclipprefix dns_aclipprefix_t;
+
+struct dns_aclipprefix {
+	isc_netaddr_t address; /* IP4/IP6 */
+	unsigned int prefixlen;
+};
+
 struct dns_aclelement {
 	dns_aclelemettype_t type;
 	isc_boolean_t negative;
 	union {
-		struct {
-			isc_netaddr_t address; /* IP4/IP6 */
-			unsigned int prefixlen;
-		} ip_prefix;
-		dns_name_t keyname;
-		dns_acl_t *nestedacl;
+		dns_aclipprefix_t ip_prefix;
+		dns_name_t 	  keyname;
+		dns_acl_t 	  *nestedacl;
 	} u;
 };
 
@@ -127,6 +131,17 @@ dns_aclelement_equal(dns_aclelement_t *ea, dns_aclelement_t *eb);
 isc_boolean_t
 dns_acl_equal(dns_acl_t *a, dns_acl_t *b);
 
+isc_boolean_t
+dns_acl_isinsecure(dns_acl_t *a);
+/*
+ * Return ISC_TRUE iff the acl 'a' is considered insecure, that is,
+ * if it contains IP addresses other than those of the local host.
+ * This is intended for applications such as printing warning 
+ * messages for suspect ACLs; it is not intended for making access
+ * control decisions.  We make no guarantee that an ACL for which
+ * this function returns ISC_FALSE is safe.
+ */
+
 isc_result_t
 dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env);