diff --git a/bin/tests/system/ixfr/tests.sh b/bin/tests/system/ixfr/tests.sh
index ed63537b30..775e5f2e12 100644
--- a/bin/tests/system/ixfr/tests.sh
+++ b/bin/tests/system/ixfr/tests.sh
@@ -268,14 +268,41 @@ if [ $tret -eq 1 ]; then
 fi
 n=$((n+1))
-echo_i "test 'provide-ixfr no;' ($n)"
+echo_i "test 'provide-ixfr no;' (serial < current) ($n)"
 ret=0
+nextpart ns5/named.run > /dev/null
 # Should be "AXFR style" response
 $DIG $DIGOPTS ixfr=1 test @10.53.0.5 > dig.out1.test$n || ret=1
 # Should be "switch to TCP" response
 $DIG $DIGOPTS ixfr=1 +notcp test @10.53.0.5 > dig.out2.test$n || ret=1
 awk '$4 == "SOA" { soacnt++} END {if (soacnt == 2) exit(0); else exit(1);}' dig.out1.test$n || ret=1
 awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out2.test$n || ret=1
+msg="IXFR delta response disabled due to 'provide-ixfr no;' being set"
+nextpart ns5/named.run | grep "$msg" > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "test 'provide-ixfr no;' (serial = current) ($n)"
+ret=0
+# Should be "AXFR style" response
+$DIG $DIGOPTS ixfr=3 test @10.53.0.5 > dig.out1.test$n || ret=1
+# Should be "switch to TCP" response
+$DIG $DIGOPTS ixfr=3 +notcp test @10.53.0.5 > dig.out2.test$n || ret=1
+awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out1.test$n || ret=1
+awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out2.test$n || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "test 'provide-ixfr no;' (serial > current) ($n)"
+ret=0
+# Should be "AXFR style" response
+$DIG $DIGOPTS ixfr=4 test @10.53.0.5 > dig.out1.test$n || ret=1
+# Should be "switch to TCP" response
+$DIG $DIGOPTS ixfr=4 +notcp test @10.53.0.5 > dig.out2.test$n || ret=1
+awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out1.test$n || ret=1
+awk '$4 == "SOA" { soacnt++} END {if (soacnt == 1) exit(0); else exit(1);}' dig.out2.test$n || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
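Review bot: The two new cases (serial = current and serial > current) keep the copied comments `# Should be "AXFR style" response` and `# Should be "switch to TCP" response`, but both awk checks there require exactly one SOA, which looks like the single-SOA "up to date" answer rather than an AXFR-style transfer; the comments should say that, e.g. `# Should be a single-SOA "up to date" response`. These cases also do not check that the fallback message stays out of ns5/named.run, which is the direct evidence that the serial comparison now runs before the provide-ixfr check; since `msg` is still set and the first case has already consumed the log with `nextpart`, adding `nextpart ns5/named.run | grep "$msg" > /dev/null && ret=1` would pin it. The positive grep in the first case depends on ns5 logging at debug level 4 or higher and on the zone's current serial being 3, both of which are set outside this hunk.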
diff --git a/lib/ns/xfrout.c b/lib/ns/xfrout.c
index 89bddad338..01db8f3051 100644
--- a/lib/ns/xfrout.c
+++ b/lib/ns/xfrout.c
@@ -967,23 +967,6 @@ got_soa:
 size_t jsize;
 uint64_t dbsize;
- /*
- * Outgoing IXFR may have been disabled for this peer
- * or globally.
- */
- if ((client->attributes & NS_CLIENTATTR_TCP) != 0) {
- bool provide_ixfr;
-
- provide_ixfr = client->view->provideixfr;
- if (peer != NULL) {
- (void)dns_peer_getprovideixfr(peer,
- &provide_ixfr);
- }
- if (provide_ixfr == false) {
- goto axfr_fallback;
- }
- }
-
 if (!have_soa) {
 FAILC(DNS_R_FORMERR, "IXFR request missing SOA");
 }
@@ -1008,6 +991,29 @@ got_soa:
 is_poll = true;
 goto have_stream;
 }
+
+ /*
+ * Outgoing IXFR may have been disabled for this peer
+ * or globally.
+ */
+ if ((client->attributes & NS_CLIENTATTR_TCP) != 0) {
+ bool provide_ixfr;
+
+ provide_ixfr = client->view->provideixfr;
+ if (peer != NULL) {
+ (void)dns_peer_getprovideixfr(peer,
+ &provide_ixfr);
+ }
+ if (!provide_ixfr) {
+ xfrout_log1(client, question_name,
+ question_class, ISC_LOG_DEBUG(4),
+ "IXFR delta response disabled due "
+ "to 'provide-ixfr no;' being set");
+ mnemonic = "AXFR-style IXFR";
+ goto axfr_fallback;
+ }
+ }
+
 journalfile = is_dlz ? NULL : dns_zone_getjournal(zone);
 if (journalfile != NULL) {
 result = ixfr_rrstream_create(
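Review bot: The relocated provide-ixfr block in the second hunk keeps its old comment, which does not say why the check now sits after the `is_poll` / `goto have_stream` path. A later cleanup could hoist it back, and an up-to-date TCP client of a 'provide-ixfr no;' server would presumably be sent a full AXFR-style transfer again instead of the short poll reply. Extend the comment to record the ordering, e.g. `* Checked after the up-to-date test so a current client gets the single-SOA reply, not a full transfer.` The new message is emitted at `ISC_LOG_DEBUG(4)`, so at default log levels there is no record that policy turned an IXFR into a full zone transfer; if that is intentional, the comment should say so. The enclosing function and the `have_stream` and `axfr_fallback` labels are outside the hunk.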