From 01cabbebc15e7facad243e177ab905a9f2d8fbf7 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Mon, 1 Sep 2008 13:48:24 +0000
Subject: [PATCH] do not allow cache snooping by default.
git-svn-id: file:///svn/unbound/trunk@1220 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 daemon/acl_list.c | 2 ++
 daemon/acl_list.h | 6 ++--
 daemon/worker.c | 13 ++++++++
 doc/Changelog | 6 ++++
 doc/example.conf.in | 3 +-
 doc/plan | 5 +--
 doc/unbound.conf.5.in | 38 +++++++++++++++++-----
 testcode/fake_event.c | 6 ++--
 testdata/fwd.rpl | 1 +
 testdata/fwd_error.rpl | 3 +-
 testdata/fwd_notcached.rpl | 2 ++
 testdata/fwd_timeout.rpl | 3 +-
 testdata/fwd_two.rpl | 2 ++
 testdata/local_norec.tpkg | Bin 0 -> 1821 bytes
 testdata/local_nosnoop.tpkg | Bin 0 -> 1958 bytes
 testdata/val_refer_unsignadd.rpl | 1 +
 testdata/val_referd.rpl | 1 +
 testdata/val_referglue.rpl | 1 +
 testdata/version_bind_hide.rpl | 12 ++++---
 util/configparser.c | 53 ++++++++++++++++---------------
 util/configparser.y | 7 ++--
 21 files changed, 115 insertions(+), 50 deletions(-)
 create mode 100644 testdata/local_norec.tpkg
 create mode 100644 testdata/local_nosnoop.tpkg
diff --git a/daemon/acl_list.c b/daemon/acl_list.c
index ab28bb066..436dc59e3 100644
--- a/daemon/acl_list.c
+++ b/daemon/acl_list.c
@@ -124,6 +124,8 @@ acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2,
 control = acl_deny;
 else if(strcmp(s2, "refuse") == 0)
 control = acl_refuse;
+ else if(strcmp(s2, "allow_snoop") == 0)
+ control = acl_allow_snoop;
 else {
 log_err("access control type %s unknown", str);
 return 0;
diff --git a/daemon/acl_list.h b/daemon/acl_list.h
index 704b5b2ac..e6082ad7e 100644
--- a/daemon/acl_list.h
+++ b/daemon/acl_list.h
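Review bot: The `else` branch's error message reports `str` (the netblock argument of `acl_list_str_cfg`) rather than `s2`, the action string that failed every `strcmp`, so a misspelled action is logged with the wrong operand; this predates the commit, but the new keyword makes the branch more likely to fire and a fix is one line, `log_err("access control type %s unknown for %s", s2, str);`. The accepted action names are now spelled out in two places, this `strcmp` chain and the one in `server_access_control` in util/configparser.y, so a future action must be added to both or the parser will accept a value this function rejects (or the reverse); a single shared name table, or having the parser call into this function, would keep them in step. `acl_list_str_cfg` begins and ends outside the hunk.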
@@ -55,8 +55,10 @@ enum acl_access {
 acl_deny = 0,
 /** disallow access, send a polite 'REFUSED' reply */
 acl_refuse,
- /** allow full access */
- acl_allow
+ /** allow full access for recursion (+RD) queries */
+ acl_allow,
+ /** allow full access for all queries, recursion and cache snooping */
+ acl_allow_snoop
 };
 /**
diff --git a/daemon/worker.c b/daemon/worker.c
index 910ca1ecc..e90508bc3 100644
--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -785,6 +785,19 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 c->buffer, worker->scratchpad)) {
 return (ldns_buffer_limit(c->buffer) != 0);
 }
+ if(!(LDNS_RD_WIRE(ldns_buffer_begin(c->buffer))) &&
+ acl != acl_allow_snoop ) {
+ ldns_buffer_set_limit(c->buffer, LDNS_HEADER_SIZE);
+ ldns_buffer_write_at(c->buffer, 4,
+ (uint8_t*)"\0\0\0\0\0\0\0\0", 8);
+ LDNS_QR_SET(ldns_buffer_begin(c->buffer));
+ LDNS_RCODE_SET(ldns_buffer_begin(c->buffer),
+ LDNS_RCODE_REFUSED);
+ ldns_buffer_flip(c->buffer);
+ log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from",
+ &repinfo->addr, repinfo->addrlen);
+ return 1;
+ }
 h = query_info_hash(&qinfo);
 if((e=slabhash_lookup(worker->env.msg_cache, h, &qinfo, 0))) {
 /* answer from cache - we have acquired a readlock on it */
diff --git a/doc/Changelog b/doc/Changelog
index 6c550490a..874b19b59 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,9 @@
+1 September 2008: Wouter
+ - disallow nonrecursive queries for cache snooping by default.
+ You can allow is using access-control: allow_snoop.
+ The defaults do allow access no authoritative data without RD bit.
+ - two tests for it and fixups of tests for nonrec refused.
+
 29 August 2008: Wouter
 - version 1.1 number in trunk.
 - harden-referral-path option for query for NS records.
diff --git a/doc/example.conf.in b/doc/example.conf.in
index d1d8f163f..17b01e778 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
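Review bot: Adding `acl_allow_snoop` as a fourth enumerator means any existing test of the form `acl == acl_allow` elsewhere in the daemon now silently treats snoop-permitted clients as not allowed; none of those call sites are in this hunk, and the worker.c hunk in this commit only compares against `acl_allow_snoop`, so each remaining comparison is worth checking. The comment on `acl_allow` could also state the refusal side explicitly so readers of the header need not consult worker.c: `/** allow recursive (+RD) queries; non-RD queries are refused, see worker_handle_request */`.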
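Review bot: The REFUSED reply built for non-RD queries writes eight zero bytes at offset 4, so QDCOUNT is cleared along with the other counts and the question section is dropped from the response, while only QR and RCODE are set and any other flag bits the client sent (AA, TC, AD, CD) are echoed back unchanged; a client that matches replies on the echoed question may discard this, and if the existing `acl_refuse` path in this function (outside the hunk) keeps the question, this branch should do the same for consistency. The `ldns_buffer_set_limit` … `ldns_buffer_flip` sequence reads like a candidate for a small static helper shared with that path rather than being inlined here. The refusal is logged only at VERB_ALGO, so at normal verbosity an operator has no record that non-RD queries are being refused; a counter or a higher-verbosity log line would make the new policy observable. Because the check sits after what appears to be the local-data answer path ending at the top of the hunk, non-RD queries for local data are still answered, which matches the man page in this commit but deserves a one-line comment at the `if`. `worker_handle_request` continues outside the hunk.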
@@ -134,7 +134,8 @@ server:
 # control which clients are allowed to make (recursive) queries
 # to this server. Specify classless netblocks with /size and action.
 # By default everything is refused, except for localhost.
- # Choose deny (drop message), refuse (polite error reply), allow.
+ # Choose deny (drop message), refuse (polite error reply),
+ # allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
 # access-control: 0.0.0.0/0 refuse
 # access-control: 127.0.0.0/8 allow
 # access-control: ::0/0 refuse
diff --git a/doc/plan b/doc/plan
index 781fcbb80..a8d3b679f 100644
--- a/doc/plan
+++ b/doc/plan
@@ -31,8 +31,6 @@ total 6 of 8 weeks; 2 weeks for maintenance activities.
 because of the added load to 3rd parties.
 * block nonRD queries, acl like. what about our authority features, those are allowed.
- one option that controls on/off of all private space.
- note in config/man that we may consider turning on by default.
 * DoS vector, flush more. 50% of max is for run-to-completion 50% rest is for lifo queue with 100 msec timeout.
@@ -41,6 +39,8 @@ if they have no signer or a different signed.
 Validate if you can, otherwise leave unchecked.
 * block DNS rebinding attacks, block all A records from 1918 IP blocks,
 like dnswall does. Allow certain subdomains to do it, config options.
+ one option that controls on/off of all private space.
+ note in config/man that we may consider turning on by default.
 *** Remote control feature
 * remote control using a TCP unbound-control commandline app.
@@ -64,6 +64,7 @@ like dnswall does. Allow certain subdomains to do it, config options.
 *** Requested
 * fallback to noEDNS if all queries are dropped.
 * dnssec lameness fixen. Check to make sure.
+* negative caching to avoid DS queries, NSEC, NSEC3 (w params).
 * SHA256 supported fully.
 * Make stub to localhost on different port work.
 * IPv6 reverse, IP4 reverse local-data shorthand for PTR records (?).
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index af627b37d..11a3ec82d 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -238,14 +238,36 @@ a daemon. Default is yes.
 .TP
 .B access\-control: \fI
 The netblock is given as an IP4 or IP6 address with /size appended for a
-classless network block. The action can be deny, refuse or allow.
-Deny stops queries from hosts from that netblock.
-Refuse stops queries too, but sends a DNS rcode REFUSED error message back.
-Allow gives access to clients from that netblock.
-By default only localhost is allowed, the rest is refused.
-The default is refused, because that is protocol\-friendly. The DNS protocol
-is not designed to handle dropped packets due to policy, and dropping may
-result in (possibly excessive) retried queries.
+classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
+\fIallow\fR or \fIallow_snoop\fR.
+.IP
+The action \fIdeny\fR stops queries from hosts from that netblock.
+.IP
+The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED
+error message back.
+.IP
+The action \fIallow\fR gives access to clients from that netblock.
+It gives only access for recursion clients (which is
+what almost all clients need). Nonrecursive queries are refused.
+.IP
+The \fIallow\fR action does allow nonrecursive queries to access the
+local\-data that is configured. The reason is that this does not involve
+the unbound server recursive lookup algorithm, and static data is served
+in the reply. This supports normal operations where nonrecursive queries
+are made for the authoritative data. For nonrecursive queries any replies
+from the dynamic cache are refused.
+.IP
+The action \fIallow_snoop\fR gives nonrecursive access too. This give
+both recursive and non recursive access. The name \fIallow_snoop\fR refers
+to cache snooping, a technique to use nonrecursive queries to examine
+the cache contents (for malicious acts). However, nonrecursive queries can
+also be a valuable debugging tool (when you want to examine the cache
+contents). In that case use \fIallow_snoop\fR for your administration host.
+.IP
+By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
+The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
+protocol is not designed to handle dropped packets due to policy, and
+dropping may result in (possibly excessive) retried queries.
 .TP
 .B chroot: \fI
 If chroot is enabled, you should pass the configfile (from the
diff --git a/testcode/fake_event.c b/testcode/fake_event.c
index 06f62a724..70471c928 100644
--- a/testcode/fake_event.c
+++ b/testcode/fake_event.c
@@ -381,11 +381,13 @@ fake_pending_callback(struct replay_runtime* runtime,
 struct fake_pending* p = runtime->pending_list;
 struct comm_reply repinfo;
 struct comm_point c;
- void* cb_arg = p->cb_arg;
- comm_point_callback_t* cb = p->callback;
+ void* cb_arg;
+ comm_point_callback_t* cb;
 memset(&c, 0, sizeof(c));
 if(!p) fatal_exit("No pending queries.");
+ cb_arg = p->cb_arg;
+ cb = p->callback;
 log_assert(todo->qname == NULL); /* or find that one */
 c.buffer = ldns_buffer_new(runtime->bufsize);
 c.type = comm_udp;
diff --git a/testdata/fwd.rpl b/testdata/fwd.rpl
index ab843bb33..53b6f9ad1 100644
--- a/testdata/fwd.rpl
+++ b/testdata/fwd.rpl
@@ -24,6 +24,7 @@ RANGE_END
 STEP 1 QUERY
 ENTRY_BEGIN
+REPLY RD
 SECTION QUESTION
 www.example.com. IN A
 ENTRY_END
diff --git a/testdata/fwd_error.rpl b/testdata/fwd_error.rpl
index 73648c57c..6f5d25a20 100644
--- a/testdata/fwd_error.rpl
+++ b/testdata/fwd_error.rpl
@@ -4,6 +4,7 @@ CONFIG_END
 SCENARIO_BEGIN Forwarder and an error happens on server query.
 STEP 1 QUERY
 ENTRY_BEGIN
+REPLY RD
 SECTION QUESTION
 www.example.com. IN A
 ENTRY_END
@@ -18,7 +19,7 @@ STEP 14 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode qname qtype
 SECTION QUESTION
-REPLY SERVFAIL QR RA
+REPLY SERVFAIL QR RD RA
 MATCH all
 www.example.com. IN A
 ENTRY_END
diff --git a/testdata/fwd_notcached.rpl b/testdata/fwd_notcached.rpl
index c731299ee..d937bb2df 100644
--- a/testdata/fwd_notcached.rpl
+++ b/testdata/fwd_notcached.rpl
@@ -14,6 +14,7 @@ SCENARIO_BEGIN Query receives answer not from the cache
 STEP 1 QUERY
 ENTRY_BEGIN
+ REPLY RD
 SECTION QUESTION
 www.example.com. IN A
 ENTRY_END
@@ -50,6 +51,7 @@ ENTRY_END
 ; another query, different, so not from cache.
 STEP 5 QUERY
 ENTRY_BEGIN
+ REPLY RD
 SECTION QUESTION
 www.example.net. IN A
 ENTRY_END
diff --git a/testdata/fwd_timeout.rpl b/testdata/fwd_timeout.rpl
index c132eb3e6..c42c0caf9 100644
--- a/testdata/fwd_timeout.rpl
+++ b/testdata/fwd_timeout.rpl
@@ -4,6 +4,7 @@ CONFIG_END
 SCENARIO_BEGIN Forwarder and a timeout happens on server query.
 STEP 1 QUERY
 ENTRY_BEGIN
+REPLY RD
 SECTION QUESTION
 www.example.com. IN A
 ENTRY_END
@@ -18,7 +19,7 @@ STEP 14 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode qname qtype
 SECTION QUESTION
-REPLY SERVFAIL QR RA
+REPLY SERVFAIL QR RA RD
 MATCH all
 www.example.com. IN A
 ENTRY_END
diff --git a/testdata/fwd_two.rpl b/testdata/fwd_two.rpl
index 96ee6e4c0..5243e331f 100644
--- a/testdata/fwd_two.rpl
+++ b/testdata/fwd_two.rpl
@@ -26,6 +26,7 @@ RANGE_END
 STEP 1 QUERY
 ENTRY_BEGIN
+REPLY RD
 SECTION QUESTION
 www.example.com. IN A
 ENTRY_END
@@ -43,6 +44,7 @@ STEP 3 NOTHING
 ; another query
 STEP 4 QUERY
 ENTRY_BEGIN
+REPLY RD
 SECTION QUESTION
 www.example.net. IN A
 ENTRY_END
diff --git a/testdata/local_norec.tpkg b/testdata/local_norec.tpkg new file mode 100644 index 0000000000000000000000000000000000000000..383b7d0d1a6f975f56e5c9707b5e5811e0ba59f7 GIT binary patch literal 1821 zcmV+&2jci2iwFSU;k!rx1MM08ciKkMziR)AiOh?Wmr6)rK_3Y`6GJY(#^B2Ma(UN2 zDoYEf2Cbr%LfrQL_nTcwAiy@wtL6wywZoO)4E9XZuxj<1QLEPX46|z05BI=&h{>!&!eb`_*qgH?rqS(q+s40An6BBs z_#9In2mFuA5C*QT*}Z6gt7>NUx9asnVgGuyV(o$P$3<_4zq$QiLg36Or_m=GfiO6X z{3#`+zJ2nKlOE8|&Mcf#-DNYKlm>%$P^}pTA>H1<{xE#qMI3V49vr^~7P`!%@G-s) z@mnw@cK7Vv2l(EGb{l&Au5I^i((e58;(P!u3$KU1N6x#)gOh#_zQ5?6iw2p`=gLV> zX)i|Fz4P~7d(p3$hF&rBs-Yhm*(|!f&I3+p#Mq4!%KMiSvQ{SaXB+l+!d?FFvS4%{ zGPe1Dy<#rnzjata|F6}}+RpzU15(d#5Cy+48TaGs22_Z$4?!~1;z>juk2k<1O30$P z0Y_(jdvHXQgj0=Q^C=rQAYeqntwY_IMM$lxi0peJjNn5OT(TtabnL-?cM>rcr#Q$W z5?+};c}xpftbI&qbgjuvIAJ_anG;2JXr2>0h>f177vmDN!PMnPB}8#tmvXM*-i;$R zZGfT6PuT!xI%V@A4;TwK(acIcL;Ut`#71K)uSUb%hA={C`lF*kUm8aJ;<$5{|A%OS``BaK{J&PIEb_lqHKhO7%$@%~2JFMW zrop<^LDTlhK5&*qE`@kPVdijLK72x53D1W4ga+Wp2V9Isl>7&@5$JkZkHf36j%a#D z@gqEanlrj#d{v4pK(@$OFp$VA>{o_}Sb@jj8V8Xv`VE^0AQ|Dnl|P-rXzt+*WV7_< zeP?)f(!rsbb47tCh_^BVt+Gcym4gKPDy^sHf=d?SGVF`q>;6UWHeQ9%4Sw{qAA|A8 zg~MI`?{W8DWNfYf3+F$pBJ;mht?vB)G2pesX-{UDg5}A-XvBRMU|Q4-(xKdq{4kas z?-rRDoWO%Lvq6^Gig`@>vQCb%f)JD)Cq@~kEP!(w0+?VPHY&A-VZbpK+E6i!Z^^0S z2QmI*Jpx{&!+ZT$Z{v^ub1-($e>piuE@N3`kYhFrF+m1#gB;Ji4h?A_DiyM9y`|Hz zLC&Jpwdo-`NUt4$Dg8CH@=oK|5n&`{=W|y zTl~Lb)zQ^0SkLNM=z>?n<?2(++JK47uGN%b49iURIad4-b;aGe-uGZuYZ zCE^Lo9vyo?KI8{9>{yaasC$L+ozH2c5`P5a2!pm-xO!1@F)xKS1EQp){qIylr<~@` zJr;xLQ)F#pl95lgEL`rvjkTxUe@PW=oMwNQ?Kh|%eBs#%`=J*7Wp@7>m;Yx}_uJvl z^M6F|MaGu=Uo{S`_4B`l!@K~Ci=qgi_P3`%yp*Xf_a3$UuzAv}Lh zieaT$%8`jY^Ji3xUL-S-B=zxC!s3$(t=9T9Qko^#ymb?KtyXiP=Q9_fS2X%@()MlgB5)q zln?Up^qNy*IeCoIR;|}N%)QQ19+8XHE}oGf>%6_&@}|o z+=<;ui;R-M6{l{=XPELBCgHQ^@GDVH+y5S3oDB!|ho)IEi1NODG8hit+THVJ)sUCW zfUXip*G&UnieGrugwm2K?R@b9-3OZv+!M)JD7$1z ze3_YV5i+JwT54q}gik51%FKww+{u4ethMl1VGArwC`y(aP}=9d;!a~OlfxS{`VWnHkdCd?MpU&z0-#T;FzM z-P-?kNxD`vX?M*SH5q->OH^#d>-W{IE2|M~vE0N;2WME{-AR?cwPgV1dJ2 
z3Lm1|0KbJ$Vs$UxzK35dXt$x)?^;&hBJIvkmxCcVEV#Y$Tr%jM4$t~M_~o)Y5Dl_e zEOKYPTzlEm?hW2`ttCBY8hY8#D~5h-B(v!DI)CAWMvU#8P)c7-sJb?xZ@sZ!h<)+z zFn@Gk9sA(zN;ez>CPl% zEQ-gVh)_gjeC4vD&!XaoISp@%(gi1sN3n2{lZ2vcM>dYe$kVfV3EE)l@}m)wvmJ+W zUPQl*LN;xHq03Ln0DC%Ri|qksxtmvTE<*JJR$G|I_ z)1LIdwS6alry=*4kKv&kq(iwAdO;)!Z(029pPMy1xMR^Sxxwoo>VAIZ7x`4RqOQUW*B;hlb}xADjOmp`^KG&ng$ zDPx&x$SIoz7(;&4Ag438Lj&rIbVXLJH*^{_$VIrhKs^X4xsWMlgN`&Zq}v^0DWpCB z^coYJkbGftPTdB1ZF|!>%Ku*O`0MzR`v1N<_QZb$4*;w4U#%wMzh17X_!eOzv z!_%QyJS2y}**tV8L=y@#o1+2XBU($`+hH-GK6p`qi(U+-e?oBtx?a+w;AX7jFg@Y; z4W2$t1?}iZEm#V`iX5LpSO}gUpGc7C+1IEtz>xF&aiVISVNJ_g7aDT4d`9@Hp5XF{q_VEP>d3JOM0k<}xGd$gxp@?B-b2EbvSu%9R9Nf3B0* zx$LW(tEa0$U;SDakfgD(9jp4{=C`_6N=Z@>495Zet$6-#s zg&Fn>4b+)1&{`mvHdd*_k=44Hr1&jrGOiUFx zc7*F43mVsmxEd{79Vs9$(jpKEE0zg$#BBM3h8pokFb?sapkC*4 zjnFBl>2(iRE@(OW$&0X39eHHW!ln7P)}C1P+nd1ZzP=oEJ9jQ0LUFL&WrVaRYl^S1 z?4~8N3Iu)AvRj4t7rE3H*I({Z$>HE(+-ZB!U*}HW%WYawBY-kjxR3!4&!R?7CTWe9v<1k2Pp_UZoKJK zBvqV&Z029T!xVki!LFHogB2Ja>ehRpRdVUal0QdUx%JdsN=dSDGJ2Wrcgo82Zpr%w ziFR-NhxFb$zT*6s#(!1C|Knh1{D<^^>GWqMrB^fm>>1>(cCXVvha;#~s>ksBImuRM z&3rnT$e2&KmQ-XjktHsb))})`8njxQ(};OiQq$J1vBLD|mC_F4aWI+*hj*>!)b)8W zekCgkJh}8I!W`P~i;3qdcV1A=&e(1Mpd3NbvypoJYd zlNK4xeMdZYm2$3P8CUb**>m`lU>fG~k8!g_ljpuef63(Gi9aHeE(?xzr=kAM>UN$WeR($(J=jSl#VX@608K4ww0O z0`jGnJbr1S>pG=b=gNm8(r{0tWMS;QDaXr0 z&K*j|6!I&ptd#I6#Z{RJlbAdC&)RM+qgLz%p7AJZmJTTQr|{Op#OI49E?K-*D~PG$ zUg~6hqn1ZLZHq-)Qcfg->acls, (yyvsp[(2) - (3)].str), (yyvsp[(3) - (3)].str))) fatal_exit("out of memory adding acl"); @@ -2431,7 +2432,7 @@ yyreduce: break; case 144: -#line 681 "util/configparser.y" +#line 682 "util/configparser.y" { OUTYY(("P(server_module_conf:%s)\n", (yyvsp[(2) - (2)].str))); free(cfg_parser->cfg->module_conf); @@ -2440,7 +2441,7 @@ yyreduce: break; case 145: -#line 688 "util/configparser.y" +#line 689 "util/configparser.y" { OUTYY(("P(server_val_override_date:%s)\n", (yyvsp[(2) - (2)].str))); if(strlen((yyvsp[(2) - (2)].str)) == 0 || strcmp((yyvsp[(2) - (2)].str), "0") == 0) { 
@@ -2460,7 +2461,7 @@ yyreduce: break; case 146: -#line 706 "util/configparser.y" +#line 707 "util/configparser.y" { OUTYY(("P(server_cache_max_ttl:%s)\n", (yyvsp[(2) - (2)].str))); if(atoi((yyvsp[(2) - (2)].str)) == 0 && strcmp((yyvsp[(2) - (2)].str), "0") != 0) @@ -2471,7 +2472,7 @@ yyreduce: break; case 147: -#line 715 "util/configparser.y" +#line 716 "util/configparser.y" { OUTYY(("P(server_bogus_ttl:%s)\n", (yyvsp[(2) - (2)].str))); if(atoi((yyvsp[(2) - (2)].str)) == 0 && strcmp((yyvsp[(2) - (2)].str), "0") != 0) @@ -2482,7 +2483,7 @@ yyreduce: break; case 148: -#line 724 "util/configparser.y" +#line 725 "util/configparser.y" { OUTYY(("P(server_val_clean_additional:%s)\n", (yyvsp[(2) - (2)].str))); if(strcmp((yyvsp[(2) - (2)].str), "yes") != 0 && strcmp((yyvsp[(2) - (2)].str), "no") != 0) @@ -2494,7 +2495,7 @@ yyreduce: break; case 149: -#line 734 "util/configparser.y" +#line 735 "util/configparser.y" { OUTYY(("P(server_val_permissive_mode:%s)\n", (yyvsp[(2) - (2)].str))); if(strcmp((yyvsp[(2) - (2)].str), "yes") != 0 && strcmp((yyvsp[(2) - (2)].str), "no") != 0) @@ -2506,7 +2507,7 @@ yyreduce: break; case 150: -#line 744 "util/configparser.y" +#line 745 "util/configparser.y" { OUTYY(("P(server_val_nsec3_keysize_iterations:%s)\n", (yyvsp[(2) - (2)].str))); free(cfg_parser->cfg->val_nsec3_key_iterations); @@ -2515,7 +2516,7 @@ yyreduce: break; case 151: -#line 751 "util/configparser.y" +#line 752 "util/configparser.y" { OUTYY(("P(server_key_cache_size:%s)\n", (yyvsp[(2) - (2)].str))); if(!cfg_parse_memsize((yyvsp[(2) - (2)].str), &cfg_parser->cfg->key_cache_size)) @@ -2525,7 +2526,7 @@ yyreduce: break; case 152: -#line 759 "util/configparser.y" +#line 760 "util/configparser.y" { OUTYY(("P(server_key_cache_slabs:%s)\n", (yyvsp[(2) - (2)].str))); if(atoi((yyvsp[(2) - (2)].str)) == 0) 
@@ -2540,7 +2541,7 @@ yyreduce: break; case 153: -#line 772 "util/configparser.y" +#line 773 "util/configparser.y" { OUTYY(("P(server_neg_cache_size:%s)\n", (yyvsp[(2) - (2)].str))); if(!cfg_parse_memsize((yyvsp[(2) - (2)].str), &cfg_parser->cfg->neg_cache_size)) @@ -2550,7 +2551,7 @@ yyreduce: break; case 154: -#line 780 "util/configparser.y" +#line 781 "util/configparser.y" { OUTYY(("P(server_local_zone:%s %s)\n", (yyvsp[(2) - (3)].str), (yyvsp[(3) - (3)].str))); if(strcmp((yyvsp[(3) - (3)].str), "static")!=0 && strcmp((yyvsp[(3) - (3)].str), "deny")!=0 && @@ -2571,7 +2572,7 @@ yyreduce: break; case 155: -#line 799 "util/configparser.y" +#line 800 "util/configparser.y" { OUTYY(("P(server_local_data:%s)\n", (yyvsp[(2) - (2)].str))); if(!cfg_strlist_insert(&cfg_parser->cfg->local_data, (yyvsp[(2) - (2)].str))) @@ -2580,7 +2581,7 @@ yyreduce: break; case 156: -#line 806 "util/configparser.y" +#line 807 "util/configparser.y" { OUTYY(("P(name:%s)\n", (yyvsp[(2) - (2)].str))); free(cfg_parser->cfg->stubs->name); @@ -2589,7 +2590,7 @@ yyreduce: break; case 157: -#line 813 "util/configparser.y" +#line 814 "util/configparser.y" { OUTYY(("P(stub-host:%s)\n", (yyvsp[(2) - (2)].str))); if(!cfg_strlist_insert(&cfg_parser->cfg->stubs->hosts, (yyvsp[(2) - (2)].str))) @@ -2598,7 +2599,7 @@ yyreduce: break; case 158: -#line 820 "util/configparser.y" +#line 821 "util/configparser.y" { OUTYY(("P(stub-addr:%s)\n", (yyvsp[(2) - (2)].str))); if(!cfg_strlist_insert(&cfg_parser->cfg->stubs->addrs, (yyvsp[(2) - (2)].str))) @@ -2607,7 +2608,7 @@ yyreduce: break; case 159: -#line 827 "util/configparser.y" +#line 828 "util/configparser.y" { OUTYY(("P(name:%s)\n", (yyvsp[(2) - (2)].str))); free(cfg_parser->cfg->forwards->name); @@ -2616,7 +2617,7 @@ yyreduce: break; case 160: -#line 834 "util/configparser.y" +#line 835 "util/configparser.y" { OUTYY(("P(forward-host:%s)\n", (yyvsp[(2) - (2)].str))); if(!cfg_strlist_insert(&cfg_parser->cfg->forwards->hosts, (yyvsp[(2) - (2)].str))) 
@@ -2625,7 +2626,7 @@ yyreduce: break; case 161: -#line 841 "util/configparser.y" +#line 842 "util/configparser.y" { OUTYY(("P(forward-addr:%s)\n", (yyvsp[(2) - (2)].str))); if(!cfg_strlist_insert(&cfg_parser->cfg->forwards->addrs, (yyvsp[(2) - (2)].str))) @@ -2635,7 +2636,7 @@ yyreduce: /* Line 1267 of yacc.c. */ -#line 2639 "util/configparser.c" +#line 2640 "util/configparser.c" default: break; } YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc); @@ -2849,7 +2850,7 @@ yyreturn: } -#line 847 "util/configparser.y" +#line 848 "util/configparser.y" /* parse helper routines could be here */
diff --git a/util/configparser.y b/util/configparser.y
index 785652676..2d597fbec 100644
--- a/util/configparser.y
+++ b/util/configparser.y
@@ -668,9 +668,10 @@ server_access_control: VAR_ACCESS_CONTROL STRING STRING
 {
 OUTYY(("P(server_access_control:%s %s)\n", $2, $3));
 if(strcmp($3, "deny")!=0 && strcmp($3, "refuse")!=0 &&
- strcmp($3, "allow")!=0) {
- yyerror("expected deny, refuse or allow in "
- "access control action");
+ strcmp($3, "allow")!=0 &&
+ strcmp($3, "allow_snoop")!=0) {
+ yyerror("expected deny, refuse, allow or allow_snoop "
+ "in access control action");
 } else {
 if(!cfg_str2list_insert(&cfg_parser->cfg->acls, $2, $3))
 fatal_exit("out of memory adding acl");