Fri Apr 19 12:35:28 2024 UTC (20d)
PR/58170: Yoshitaka Tokugawa: Remove blocking statement when the requestor
asks for an address that is in the cache and that access is prevented
by a cache acl because the querier has no way to know that this access is
denied, so it is not an abuse.


(christos)
diff -r1.20 -r1.21 src/external/mpl/bind/dist/lib/ns/query.c


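--- a/src/external/mpl/bind/dist/lib/ns/query.c
+++ b/src/external/mpl/bind/dist/lib/ns/query.c
@@ -1,14 +1,14 @@
-/* $NetBSD: query.c,v 1.20 2024/02/21 22:52:46 christos Exp $ */
+/* $NetBSD: query.c,v 1.21 2024/04/19 12:35:28 christos Exp $ */
 
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * SPDX-License-Identifier: MPL-2.0
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
  *
  * See the COPYRIGHT file distributed with this work for additional
  * information regarding copyright ownership.
  */
@@ -899,27 +899,26 @@ query_checkcacheaccess(ns_client_t *clie
  */
  client->query.attributes |= NS_QUERYATTR_CACHEACLOK;
  if (log && isc_log_wouldlog(ns_lctx, ISC_LOG_DEBUG(3)))
  {
  ns_client_aclmsg("query (cache)", name, qtype,
  client->view->rdclass, msg,
  sizeof(msg));
  ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
  NS_LOGMODULE_QUERY,
  ISC_LOG_DEBUG(3), "%s approved",
  msg);
  }
  } else {
- pfilter_notify(result, client, "checkcacheaccess");
  /*
  * We were denied by the "allow-query-cache" ACL.
  * There is no need to clear NS_QUERYATTR_CACHEACLOK
  * since it is cleared by query_reset(), before query
  * processing starts.
  */
  ns_client_extendederror(client, DNS_EDE_PROHIBITED,
  NULL);
 
  if (log) {
  ns_client_aclmsg("query (cache)", name, qtype,
  client->view->rdclass, msg,
  sizeof(msg));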
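Review bot: The else branch of query_checkcacheaccess() (new line 912 onward) no longer says why a cache-ACL denial is deliberately not reported through pfilter_notify(). The reason exists only in the commit message, so a later merge of this imported file may reinstate the call without anyone noticing. I would record it in the existing block comment, for example `/* No pfilter_notify() here: the querier cannot know the cache ACL denies this name, so it is not abuse (PR/58170). */`. After this change the only trace of such a denial appears to be the security-category message built under `if (log)`, so it is worth confirming that path still logs at a level operators actually collect. The logging call itself and the rest of the function body lie outside this hunk.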