Date:      Thu, 14 Jun 2018 15:54:34 +0000 (UTC)
From:      Mathieu Arnold <mat@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject:   svn commit: r472384 - in branches/2018Q2/dns: bind910 bind910/files bind911 bind911/files bind912 bind912/files bind99 bind99/files
Message-ID:  <201806141554.w5EFsYKp051683@repo.freebsd.org>

Author: mat
Date: Thu Jun 14 15:54:33 2018
New Revision: 472384
URL: https://svnweb.freebsd.org/changeset/ports/472384

Log:
  MFH: r472383
  
  Include a patch to fix CVE-2018-5738 in all the BIND9 ports.
  
  Security:	CVE-2018-5738
  Sponsored by:	Absolight

Added:
  branches/2018Q2/dns/bind910/files/patch-CVE-2018-5738
     - copied unchanged from r472383, head/dns/bind910/files/patch-CVE-2018-5738
  branches/2018Q2/dns/bind911/files/patch-CVE-2018-5738
     - copied unchanged from r472383, head/dns/bind911/files/patch-CVE-2018-5738
  branches/2018Q2/dns/bind912/files/patch-CVE-2018-5738
     - copied unchanged from r472383, head/dns/bind912/files/patch-CVE-2018-5738
  branches/2018Q2/dns/bind99/files/patch-CVE-2018-5738
     - copied unchanged from r472383, head/dns/bind99/files/patch-CVE-2018-5738
Modified:
  branches/2018Q2/dns/bind910/Makefile
  branches/2018Q2/dns/bind911/Makefile
  branches/2018Q2/dns/bind912/Makefile
  branches/2018Q2/dns/bind99/Makefile
Directory Properties:
  branches/2018Q2/   (props changed)

Modified: branches/2018Q2/dns/bind910/Makefile
==============================================================================
--- branches/2018Q2/dns/bind910/Makefile	Thu Jun 14 15:42:52 2018	(r472383)
+++ branches/2018Q2/dns/bind910/Makefile	Thu Jun 14 15:54:33 2018	(r472384)
@@ -3,7 +3,7 @@
 
 PORTNAME=	bind
 PORTVERSION=	${ISCVERSION:S/-P/P/:S/b/.b/:S/a/.a/:S/rc/.rc/}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	dns net ipv6
 MASTER_SITES=	ISC/bind9/${ISCVERSION}
 PKGNAMESUFFIX=	910

Copied: branches/2018Q2/dns/bind910/files/patch-CVE-2018-5738 (from r472383, head/dns/bind910/files/patch-CVE-2018-5738)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2018Q2/dns/bind910/files/patch-CVE-2018-5738	Thu Jun 14 15:54:33 2018	(r472384, copy of r472383, head/dns/bind910/files/patch-CVE-2018-5738)
@@ -0,0 +1,127 @@
+commit 97600626c711585e7bb26cbc67711d072e87a62a
+Author: Evan Hunt <each@isc.org>
+Date:   2018-06-04 21:57:49 -0700
+
+    allow-recursion could incorrectly inherit from the default allow-query
+
+--- CHANGES.orig	2018-03-08 20:55:52 UTC
++++ CHANGES
+@@ -1,3 +1,10 @@
++4960.	[security]	When recursion is enabled, but the "allow-recursion"
++			and "allow-query-cache" ACLs are not specified,
++			they should be limited to local networks,
++			but were inadvertently set to match the default
++			"allow-query", thus allowing remote queries.
++			(CVE-2018-5738) [GL #309]
++
+ 	--- 9.10.7 released ---
+ 	--- 9.10.7rc2 released ---
+ 
+--- bin/named/server.c.orig	2018-03-08 20:55:52 UTC
++++ bin/named/server.c
+@@ -2565,10 +2565,6 @@ configure_view(dns_view_t *view, dns_vie
+ 		dns_acache_setcachesize(view->acache, max_acache_size);
+ 	}
+ 
+-	CHECK(configure_view_acl(vconfig, config, ns_g_config,
+-				 "allow-query", NULL, actx,
+-				 ns_g_mctx, &view->queryacl));
+-
+ 	/*
+ 	 * Make the list of response policy zone names for a view that
+ 	 * is used for real lookups and so cares about hints.
+@@ -3399,9 +3395,6 @@ configure_view(dns_view_t *view, dns_vie
+ 	INSIST(result == ISC_R_SUCCESS);
+ 	view->trust_anchor_telemetry = cfg_obj_asboolean(obj);
+ 
+-	CHECK(configure_view_acl(vconfig, config, ns_g_config,
+-				 "allow-query-cache-on", NULL, actx,
+-				 ns_g_mctx, &view->cacheonacl));
+ 	/*
+ 	 * Set sources where additional data and CNAME/DNAME
+ 	 * targets for authoritative answers may be found.
+@@ -3428,22 +3421,40 @@ configure_view(dns_view_t *view, dns_vie
+ 		view->additionalfromcache = ISC_TRUE;
+ 	}
+ 
++	CHECK(configure_view_acl(vconfig, config, ns_g_config,
++				 "allow-query-cache-on", NULL, actx,
++				 ns_g_mctx, &view->cacheonacl));
++
+ 	/*
+-	 * Set "allow-query-cache", "allow-recursion", and
+-	 * "allow-recursion-on" acls if configured in named.conf.
+-	 * (Ignore the global defaults for now, because these ACLs
+-	 * can inherit from each other when only some of them set at
+-	 * the options/view level.)
++	 * Set the "allow-query", "allow-query-cache", "allow-recursion",
++	 * and "allow-recursion-on" ACLs if configured in named.conf, but
++	 * NOT from the global defaults. This is done by leaving the third
++	 * argument to configure_view_acl() NULL.
++	 *
++	 * We ignore the global defaults here because these ACLs
++	 * can inherit from each other.  If any are still unset after
++	 * applying the inheritance rules, we'll look up the defaults at
++	 * that time.
+ 	 */
+-	CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache",
+-				 NULL, actx, ns_g_mctx, &view->cacheacl));
++
++	/* named.conf only */
++	CHECK(configure_view_acl(vconfig, config, NULL,
++				 "allow-query", NULL, actx,
++				 ns_g_mctx, &view->queryacl));
++
++	/* named.conf only */
++	CHECK(configure_view_acl(vconfig, config, NULL,
++				 "allow-query-cache", NULL, actx,
++				 ns_g_mctx, &view->cacheacl));
+ 
+ 	if (strcmp(view->name, "_bind") != 0 &&
+ 	    view->rdclass != dns_rdataclass_chaos)
+ 	{
++		/* named.conf only */
+ 		CHECK(configure_view_acl(vconfig, config, NULL,
+ 					 "allow-recursion", NULL, actx,
+ 					 ns_g_mctx, &view->recursionacl));
++		/* named.conf only */
+ 		CHECK(configure_view_acl(vconfig, config, NULL,
+ 					 "allow-recursion-on", NULL, actx,
+ 					 ns_g_mctx, &view->recursiononacl));
+@@ -3481,18 +3492,21 @@ configure_view(dns_view_t *view, dns_vie
+ 		 * the global config.
+ 		 */
+ 		if (view->recursionacl == NULL) {
++			/* global default only */
+ 			CHECK(configure_view_acl(NULL, NULL, ns_g_config,
+ 						 "allow-recursion", NULL,
+ 						 actx, ns_g_mctx,
+ 						 &view->recursionacl));
+ 		}
+ 		if (view->recursiononacl == NULL) {
++			/* global default only */
+ 			CHECK(configure_view_acl(NULL, NULL, ns_g_config,
+ 						 "allow-recursion-on", NULL,
+ 						 actx, ns_g_mctx,
+ 						 &view->recursiononacl));
+ 		}
+ 		if (view->cacheacl == NULL) {
++			/* global default only */
+ 			CHECK(configure_view_acl(NULL, NULL, ns_g_config,
+ 						 "allow-query-cache", NULL,
+ 						 actx, ns_g_mctx,
+@@ -3506,6 +3520,14 @@ configure_view(dns_view_t *view, dns_vie
+ 		CHECK(dns_acl_none(mctx, &view->cacheacl));
+ 	}
+ 
++	if (view->queryacl == NULL) {
++		/* global default only */
++		CHECK(configure_view_acl(NULL, NULL, ns_g_config,
++					 "allow-query", NULL,
++					 actx, ns_g_mctx,
++					 &view->queryacl));
++	}
++
+ 	/*
+ 	 * Ignore case when compressing responses to the specified
+ 	 * clients. This causes case not always to be preserved,
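Review bot: The new `if (view->queryacl == NULL)` fallback at the end of the hunk carries only `/* global default only */`, which does not record that its position is the actual fix: it must stay after the allow-recursion / allow-query-cache inheritance block, because looking up the global "allow-query" default earlier is exactly what let those ACLs inherit the permissive default (see the CHANGES entry in this same hunk). I would extend that comment to `/* global default only -- must stay after the allow-recursion/allow-query-cache inheritance above, which relies on queryacl still being NULL when it is unset in named.conf (CVE-2018-5738) */` so a later reordering does not silently reintroduce the issue. The identical block appears in the bind911, bind912 and bind99 copies of this patch and would want the same comment. configure_view() begins and ends outside the hunk, and the inheritance code the ordering depends on lies in the gap between the third and fourth sub-hunks of the server.c diff, so this is inferred from the new comment text rather than from visible code.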

Modified: branches/2018Q2/dns/bind911/Makefile
==============================================================================
--- branches/2018Q2/dns/bind911/Makefile	Thu Jun 14 15:42:52 2018	(r472383)
+++ branches/2018Q2/dns/bind911/Makefile	Thu Jun 14 15:54:33 2018	(r472384)
@@ -3,7 +3,7 @@
 
 PORTNAME=	bind
 PORTVERSION=	${ISCVERSION:S/-P/P/:S/b/.b/:S/a/.a/:S/rc/.rc/}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	dns net ipv6
 MASTER_SITES=	ISC/bind9/${ISCVERSION}
 PKGNAMESUFFIX=	911

Copied: branches/2018Q2/dns/bind911/files/patch-CVE-2018-5738 (from r472383, head/dns/bind911/files/patch-CVE-2018-5738)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2018Q2/dns/bind911/files/patch-CVE-2018-5738	Thu Jun 14 15:54:33 2018	(r472384, copy of r472383, head/dns/bind911/files/patch-CVE-2018-5738)
@@ -0,0 +1,127 @@
+commit 3d71785ef143b670409affee203145eb39266d87
+Author: Evan Hunt <each@isc.org>
+Date:   2018-06-04 21:55:41 -0700
+
+    allow-recursion could incorrectly inherit from the default allow-query
+
+--- CHANGES.orig	2018-03-08 20:55:28 UTC
++++ CHANGES
+@@ -1,3 +1,10 @@
++4960.	[security]	When recursion is enabled, but the "allow-recursion"
++			and "allow-query-cache" ACLs are not specified,
++			they should be limited to local networks,
++			but were inadvertently set to match the default
++			"allow-query", thus allowing remote queries.
++			(CVE-2018-5738) [GL #309]
++
+ 	--- 9.11.3 released ---
+ 	--- 9.11.3rc2 released ---
+ 
+--- bin/named/server.c.orig	2018-03-08 20:55:28 UTC
++++ bin/named/server.c
+@@ -3376,10 +3376,6 @@ configure_view(dns_view_t *view, dns_vie
+ 		dns_acache_setcachesize(view->acache, max_acache_size);
+ 	}
+ 
+-	CHECK(configure_view_acl(vconfig, config, ns_g_config,
+-				 "allow-query", NULL, actx,
+-				 ns_g_mctx, &view->queryacl));
+-
+ 	/*
+ 	 * Make the list of response policy zone names for a view that
+ 	 * is used for real lookups and so cares about hints.
+@@ -4258,9 +4254,6 @@ configure_view(dns_view_t *view, dns_vie
+ 	INSIST(result == ISC_R_SUCCESS);
+ 	view->trust_anchor_telemetry = cfg_obj_asboolean(obj);
+ 
+-	CHECK(configure_view_acl(vconfig, config, ns_g_config,
+-				 "allow-query-cache-on", NULL, actx,
+-				 ns_g_mctx, &view->cacheonacl));
+ 	/*
+ 	 * Set sources where additional data and CNAME/DNAME
+ 	 * targets for authoritative answers may be found.
+@@ -4287,22 +4280,40 @@ configure_view(dns_view_t *view, dns_vie
+ 		view->additionalfromcache = ISC_TRUE;
+ 	}
+ 
++	CHECK(configure_view_acl(vconfig, config, ns_g_config,
++				 "allow-query-cache-on", NULL, actx,
++				 ns_g_mctx, &view->cacheonacl));
++
+ 	/*
+-	 * Set "allow-query-cache", "allow-recursion", and
+-	 * "allow-recursion-on" acls if configured in named.conf.
+-	 * (Ignore the global defaults for now, because these ACLs
+-	 * can inherit from each other when only some of them set at
+-	 * the options/view level.)
++	 * Set the "allow-query", "allow-query-cache", "allow-recursion",
++	 * and "allow-recursion-on" ACLs if configured in named.conf, but
++	 * NOT from the global defaults. This is done by leaving the third
++	 * argument to configure_view_acl() NULL.
++	 *
++	 * We ignore the global defaults here because these ACLs
++	 * can inherit from each other.  If any are still unset after
++	 * applying the inheritance rules, we'll look up the defaults at
++	 * that time.
+ 	 */
+-	CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache",
+-				 NULL, actx, ns_g_mctx, &view->cacheacl));
++
++	/* named.conf only */
++	CHECK(configure_view_acl(vconfig, config, NULL,
++				 "allow-query", NULL, actx,
++				 ns_g_mctx, &view->queryacl));
++
++	/* named.conf only */
++	CHECK(configure_view_acl(vconfig, config, NULL,
++				 "allow-query-cache", NULL, actx,
++				 ns_g_mctx, &view->cacheacl));
+ 
+ 	if (strcmp(view->name, "_bind") != 0 &&
+ 	    view->rdclass != dns_rdataclass_chaos)
+ 	{
++		/* named.conf only */
+ 		CHECK(configure_view_acl(vconfig, config, NULL,
+ 					 "allow-recursion", NULL, actx,
+ 					 ns_g_mctx, &view->recursionacl));
++		/* named.conf only */
+ 		CHECK(configure_view_acl(vconfig, config, NULL,
+ 					 "allow-recursion-on", NULL, actx,
+ 					 ns_g_mctx, &view->recursiononacl));
+@@ -4340,18 +4351,21 @@ configure_view(dns_view_t *view, dns_vie
+ 		 * the global config.
+ 		 */
+ 		if (view->recursionacl == NULL) {
++			/* global default only */
+ 			CHECK(configure_view_acl(NULL, NULL, ns_g_config,
+ 						 "allow-recursion", NULL,
+ 						 actx, ns_g_mctx,
+ 						 &view->recursionacl));
+ 		}
+ 		if (view->recursiononacl == NULL) {
++			/* global default only */
+ 			CHECK(configure_view_acl(NULL, NULL, ns_g_config,
+ 						 "allow-recursion-on", NULL,
+ 						 actx, ns_g_mctx,
+ 						 &view->recursiononacl));
+ 		}
+ 		if (view->cacheacl == NULL) {
++			/* global default only */
+ 			CHECK(configure_view_acl(NULL, NULL, ns_g_config,
+ 						 "allow-query-cache", NULL,
+ 						 actx, ns_g_mctx,
+@@ -4365,6 +4379,14 @@ configure_view(dns_view_t *view, dns_vie
+ 		CHECK(dns_acl_none(mctx, &view->cacheacl));
+ 	}
+ 
++	if (view->queryacl == NULL) {
++		/* global default only */
++		CHECK(configure_view_acl(NULL, NULL, ns_g_config,
++					 "allow-query", NULL,
++					 actx, ns_g_mctx,
++					 &view->queryacl));
++	}
++
+ 	/*
+ 	 * Ignore case when compressing responses to the specified
+ 	 * clients. This causes case not always to be preserved,

Modified: branches/2018Q2/dns/bind912/Makefile
==============================================================================
--- branches/2018Q2/dns/bind912/Makefile	Thu Jun 14 15:42:52 2018	(r472383)
+++ branches/2018Q2/dns/bind912/Makefile	Thu Jun 14 15:54:33 2018	(r472384)
@@ -8,7 +8,7 @@ PORTVERSION=	${ISCVERSION:S/-P/P/:S/b/.b/:S/a/.a/:S/rc
 PORTREVISION=	0
 .else
 # dns/bind912 here
-PORTREVISION=	0
+PORTREVISION=	1
 .endif
 CATEGORIES=	dns net ipv6
 MASTER_SITES=	ISC/bind9/${ISCVERSION}

Copied: branches/2018Q2/dns/bind912/files/patch-CVE-2018-5738 (from r472383, head/dns/bind912/files/patch-CVE-2018-5738)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2018Q2/dns/bind912/files/patch-CVE-2018-5738	Thu Jun 14 15:54:33 2018	(r472384, copy of r472383, head/dns/bind912/files/patch-CVE-2018-5738)
@@ -0,0 +1,112 @@
+commit be02bf65712ee54148496aac3edb3ca7d061327f
+Author: Evan Hunt <each@isc.org>
+Date:   2018-06-04 21:46:23 -0700
+
+    allow-recursion could incorrectly inherit from the default allow-query
+
+--- CHANGES.orig	2018-05-16 18:06:47 UTC
++++ CHANGES
+@@ -1,3 +1,10 @@
++4960.	[security]	When recursion is enabled, but the "allow-recursion"
++			and "allow-query-cache" ACLs are not specified,
++			they should be limited to local networks,
++			but were inadvertently set to match the default
++			"allow-query", thus allowing remote queries.
++			(CVE-2018-5738) [GL #309]
++
+ 	--- 9.12.1-P2 released ---
+ 
+ 	--- 9.12.1-P1 (withdrawn) ---
+--- bin/named/server.c.orig	2018-05-16 18:06:47 UTC
++++ bin/named/server.c
+@@ -3725,10 +3725,6 @@ configure_view(dns_view_t *view, dns_vie
+ 	CHECKM(named_config_getport(config, &port), "port");
+ 	dns_view_setdstport(view, port);
+ 
+-	CHECK(configure_view_acl(vconfig, config, named_g_config,
+-				 "allow-query", NULL, actx,
+-				 named_g_mctx, &view->queryacl));
+-
+ 	/*
+ 	 * Make the list of response policy zone names for a view that
+ 	 * is used for real lookups and so cares about hints.
+@@ -4692,21 +4688,35 @@ configure_view(dns_view_t *view, dns_vie
+ 				 "allow-query-cache-on", NULL, actx,
+ 				 named_g_mctx, &view->cacheonacl));
+ 	/*
+-	 * Set "allow-query-cache", "allow-recursion", and
+-	 * "allow-recursion-on" acls if configured in named.conf.
+-	 * (Ignore the global defaults for now, because these ACLs
+-	 * can inherit from each other when only some of them set at
+-	 * the options/view level.)
++	 * Set the "allow-query", "allow-query-cache", "allow-recursion",
++	 * and "allow-recursion-on" ACLs if configured in named.conf, but
++	 * NOT from the global defaults. This is done by leaving the third
++	 * argument to configure_view_acl() NULL.
++	 *
++	 * We ignore the global defaults here because these ACLs
++	 * can inherit from each other.  If any are still unset after
++	 * applying the inheritance rules, we'll look up the defaults at
++	 * that time.
+ 	 */
+-	CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache",
+-				 NULL, actx, named_g_mctx, &view->cacheacl));
++
++	/* named.conf only */
++	CHECK(configure_view_acl(vconfig, config, NULL,
++				 "allow-query", NULL, actx,
++				 named_g_mctx, &view->queryacl));
++
++	/* named.conf only */
++	CHECK(configure_view_acl(vconfig, config, NULL,
++				 "allow-query-cache", NULL, actx,
++				 named_g_mctx, &view->cacheacl));
+ 
+ 	if (strcmp(view->name, "_bind") != 0 &&
+ 	    view->rdclass != dns_rdataclass_chaos)
+ 	{
++		/* named.conf only */
+ 		CHECK(configure_view_acl(vconfig, config, NULL,
+ 					 "allow-recursion", NULL, actx,
+ 					 named_g_mctx, &view->recursionacl));
++		/* named.conf only */
+ 		CHECK(configure_view_acl(vconfig, config, NULL,
+ 					 "allow-recursion-on", NULL, actx,
+ 					 named_g_mctx, &view->recursiononacl));
+@@ -4744,18 +4754,21 @@ configure_view(dns_view_t *view, dns_vie
+ 		 * the global config.
+ 		 */
+ 		if (view->recursionacl == NULL) {
++			/* global default only */
+ 			CHECK(configure_view_acl(NULL, NULL, named_g_config,
+ 						 "allow-recursion", NULL,
+ 						 actx, named_g_mctx,
+ 						 &view->recursionacl));
+ 		}
+ 		if (view->recursiononacl == NULL) {
++			/* global default only */
+ 			CHECK(configure_view_acl(NULL, NULL, named_g_config,
+ 						 "allow-recursion-on", NULL,
+ 						 actx, named_g_mctx,
+ 						 &view->recursiononacl));
+ 		}
+ 		if (view->cacheacl == NULL) {
++			/* global default only */
+ 			CHECK(configure_view_acl(NULL, NULL, named_g_config,
+ 						 "allow-query-cache", NULL,
+ 						 actx, named_g_mctx,
+@@ -4769,6 +4782,14 @@ configure_view(dns_view_t *view, dns_vie
+ 		CHECK(dns_acl_none(mctx, &view->cacheacl));
+ 	}
+ 
++	if (view->queryacl == NULL) {
++		/* global default only */
++		CHECK(configure_view_acl(NULL, NULL, named_g_config,
++					 "allow-query", NULL,
++					 actx, named_g_mctx,
++					 &view->queryacl));
++	}
++
+ 	/*
+ 	 * Ignore case when compressing responses to the specified
+ 	 * clients. This causes case not always to be preserved,

Modified: branches/2018Q2/dns/bind99/Makefile
==============================================================================
--- branches/2018Q2/dns/bind99/Makefile	Thu Jun 14 15:42:52 2018	(r472383)
+++ branches/2018Q2/dns/bind99/Makefile	Thu Jun 14 15:54:33 2018	(r472384)
@@ -3,7 +3,7 @@
 
 PORTNAME=	bind
 PORTVERSION=	${ISCVERSION:S/-P/P/:S/b/.b/:S/a/.a/:S/rc/.rc/}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	dns net ipv6
 MASTER_SITES=	ISC/bind9/${ISCVERSION}
 PKGNAMESUFFIX=	99

Copied: branches/2018Q2/dns/bind99/files/patch-CVE-2018-5738 (from r472383, head/dns/bind99/files/patch-CVE-2018-5738)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2018Q2/dns/bind99/files/patch-CVE-2018-5738	Thu Jun 14 15:54:33 2018	(r472384, copy of r472383, head/dns/bind99/files/patch-CVE-2018-5738)
@@ -0,0 +1,112 @@
+commit fae03da5cb6370fd823d03818871ef70e4049543
+Author: Evan Hunt <each@isc.org>
+Date:   2018-06-04 21:59:33 -0700
+
+    allow-recursion could incorrectly inherit from the default allow-query
+
+--- CHANGES.orig	2018-03-08 20:56:13 UTC
++++ CHANGES
+@@ -1,3 +1,10 @@
++4960.	[security]	When recursion is enabled, but the "allow-recursion"
++			and "allow-query-cache" ACLs are not specified,
++			they should be limited to local networks,
++			but were inadvertently set to match the default
++			"allow-query", thus allowing remote queries.
++			(CVE-2018-5738) [GL #309]
++
+ 	--- 9.9.12 released ---
+ 	--- 9.9.12rc2 released ---
+ 
+--- bin/named/server.c.orig	2018-03-08 20:56:13 UTC
++++ bin/named/server.c
+@@ -2306,10 +2306,6 @@ configure_view(dns_view_t *view, cfg_obj
+ 		dns_acache_setcachesize(view->acache, max_acache_size);
+ 	}
+ 
+-	CHECK(configure_view_acl(vconfig, config, ns_g_config,
+-				 "allow-query", NULL, actx,
+-				 ns_g_mctx, &view->queryacl));
+-
+ 	/*
+ 	 * Make the list of response policy zone names for a view that
+ 	 * is used for real lookups and so cares about hints.
+@@ -3140,21 +3136,35 @@ configure_view(dns_view_t *view, cfg_obj
+ 	}
+ 
+ 	/*
+-	 * Set "allow-query-cache", "allow-recursion", and
+-	 * "allow-recursion-on" acls if configured in named.conf.
+-	 * (Ignore the global defaults for now, because these ACLs
+-	 * can inherit from each other when only some of them set at
+-	 * the options/view level.)
++	 * Set the "allow-query", "allow-query-cache", "allow-recursion",
++	 * and "allow-recursion-on" ACLs if configured in named.conf, but
++	 * NOT from the global defaults. This is done by leaving the third
++	 * argument to configure_view_acl() NULL.
++	 *
++	 * We ignore the global defaults here because these ACLs
++	 * can inherit from each other.  If any are still unset after
++	 * applying the inheritance rules, we'll look up the defaults at
++	 * that time.
+ 	 */
+-	CHECK(configure_view_acl(vconfig, config, NULL, "allow-query-cache",
+-				 NULL, actx, ns_g_mctx, &view->cacheacl));
++
++	/* named.conf only */
++	CHECK(configure_view_acl(vconfig, config, NULL,
++				 "allow-query", NULL, actx,
++				 ns_g_mctx, &view->queryacl));
++
++	/* named.conf only */
++	CHECK(configure_view_acl(vconfig, config, NULL,
++				 "allow-query-cache", NULL, actx,
++				 ns_g_mctx, &view->cacheacl));
+ 
+ 	if (strcmp(view->name, "_bind") != 0 &&
+ 	    view->rdclass != dns_rdataclass_chaos)
+ 	{
++		/* named.conf only */
+ 		CHECK(configure_view_acl(vconfig, config, NULL,
+ 					 "allow-recursion", NULL, actx,
+ 					 ns_g_mctx, &view->recursionacl));
++		/* named.conf only */
+ 		CHECK(configure_view_acl(vconfig, config, NULL,
+ 					 "allow-recursion-on", NULL, actx,
+ 					 ns_g_mctx, &view->recursiononacl));
+@@ -3192,18 +3202,21 @@ configure_view(dns_view_t *view, cfg_obj
+ 		 * the global config.
+ 		 */
+ 		if (view->recursionacl == NULL) {
++			/* global default only */
+ 			CHECK(configure_view_acl(NULL, NULL, ns_g_config,
+ 						 "allow-recursion", NULL,
+ 						 actx, ns_g_mctx,
+ 						 &view->recursionacl));
+ 		}
+ 		if (view->recursiononacl == NULL) {
++			/* global default only */
+ 			CHECK(configure_view_acl(NULL, NULL, ns_g_config,
+ 						 "allow-recursion-on", NULL,
+ 						 actx, ns_g_mctx,
+ 						 &view->recursiononacl));
+ 		}
+ 		if (view->cacheacl == NULL) {
++			/* global default only */
+ 			CHECK(configure_view_acl(NULL, NULL, ns_g_config,
+ 						 "allow-query-cache", NULL,
+ 						 actx, ns_g_mctx,
+@@ -3217,6 +3230,14 @@ configure_view(dns_view_t *view, cfg_obj
+ 		CHECK(dns_acl_none(mctx, &view->cacheacl));
+ 	}
+ 
++	if (view->queryacl == NULL) {
++		/* global default only */
++		CHECK(configure_view_acl(NULL, NULL, ns_g_config,
++					 "allow-query", NULL,
++					 actx, ns_g_mctx,
++					 &view->queryacl));
++	}
++
+ 	/*
+ 	 * Ignore case when compressing responses to the specified
+ 	 * clients. This causes case not always to be preserved,


