From 84c4eb02e7a4599acfb5d2abc0e62e7d64fd1bd6 Mon Sep 17 00:00:00 2001
From: Tony Finch
Date: Tue, 15 Mar 2022 17:57:43 +0000
Subject: [PATCH] Log "not authoritative for update zone" more clearly

Ensure the update zone name is mentioned in the NOTAUTH error message in the server log, so that it is easier to track down problematic update clients. There are two cases: either the update zone is unrelated to any of the server's zones (previously no zone was mentioned); or the update zone is a subdomain of one or more of the server's zones (previously the name of the irrelevant parent zone was misleadingly logged).
Closes #3209
---
 CHANGES | 5 +++++
 bin/tests/system/nsupdate/tests.sh | 26 ++++++++++++++++++++++++++
 lib/ns/update.c | 10 +++++++++-
 3 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 57df1e27a1..61cf97dab9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+5843. [bug] When an UPDATE targets a zone that is not configured,
+ the requested zone name is now logged in the "not
+ authoritative" error message, so that it is easier to
+ track down problematic update clients. [GL #3209]
+
 5842. [cleanup] Remove the task exclusive mode use in ns_clientmgr. [GL #3230]
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index 7316fe327c..0863d0a1ad 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -82,6 +82,32 @@
 digcomp knowngood.ns1.before dig.out.ns1 || ret=1
 digcomp knowngood.ns1.before dig.out.ns2 || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
+ret=0
+echo_i "ensure an unrelated zone is mentioned in its NOTAUTH log"
+$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END && ret=1
+server 10.53.0.1 ${PORT}
+zone unconfigured.test
+update add unconfigured.test 600 IN A 10.53.0.1
+send
+END
+grep NOTAUTH nsupdate.out > /dev/null 2>&1 || ret=1
+grep ' unconfigured.test: not authoritative' ns1/named.run \
+ > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+ret=0
+echo_i "ensure a subdomain is mentioned in its NOTAUTH log"
+$NSUPDATE -k ns1/ddns.key > nsupdate.out 2>&1 << END && ret=1
+server 10.53.0.1 ${PORT}
+zone sub.sub.example.nil
+update add sub.sub.sub.example.nil 600 IN A 10.53.0.1
+send
+END
+grep NOTAUTH nsupdate.out > /dev/null 2>&1 || ret=1
+grep ' sub.sub.example.nil: not authoritative' ns1/named.run \
+ > /dev/null 2>&1 || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
 ret=0
 echo_i "updating zone"
 # nsupdate will print a ">" prompt to stdout as it gets each input line.
diff --git a/lib/ns/update.c b/lib/ns/update.c
index c96d87071d..5659a8c916 100644
--- a/lib/ns/update.c
+++ b/lib/ns/update.c
@@ -1726,7 +1726,15 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
 result = dns_zt_find(client->view->zonetable, zonename, 0, NULL, &zone);
 if (result != ISC_R_SUCCESS) {
- FAILC(DNS_R_NOTAUTH, "not authoritative for update zone");
+ /*
+ * If we found a zone that is a parent of the update zonename,
+ * detach it so it isn't mentioned in log - it is irrelevant.
+ */
+ if (zone != NULL) {
+ dns_zone_detach(&zone);
+ }
+ FAILN(DNS_R_NOTAUTH, zonename,
+ "not authoritative for update zone");
 }
 /*
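Review bot: The subdomain case only checks that ` sub.sub.example.nil: not authoritative` appears in ns1/named.run; it never asserts that the parent zone is absent from that log line, which is the misleading output the commit description says it removes. A negative check on the matched line would pin the fix, though the exact text to exclude depends on the log format, which this hunk does not show. Both patterns also leave the dots unescaped, so they match any character there; `grep -F ' unconfigured.test: not authoritative' ns1/named.run` (and the same for the subdomain pattern) would match the name literally.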
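Review bot: The name passed to `FAILN` at the end of this hunk comes from the UPDATE request, and nothing visible in the hunk shows an access check before the `dns_zt_find()` lookup, so this log line can presumably be triggered by any client that reaches the server, with a zone name of its choosing. It is worth confirming that `FAILN` (defined outside this hunk) escapes the name when formatting it and logs at a level operators can filter, and noting that next to the call. The comment could also say why `zone` can be non-NULL on failure, e.g. `/* dns_zt_find() may return a partial match with 'zone' set to an enclosing zone; detach it so the log names only the requested zone. */`. The body of ns_update_start starts and ends outside the hunk.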