catalog: only allow normal queries to catalog zone over TCP

doc/configuration.rst

@@ -599,7 +599,7 @@ DNSSEC signing would be useless), including master/slave configuration
 and ACLs. Being a catalog zone is indicated by setting the option
 :ref:`zone_catalog-template`. The difference is that standard DNS
 queries to a catalog zone are answered with REFUSED as if such a zone
-wouldn't exist, unless querying from an address with transfers enabled
+wouldn't exist, unless querying over TCP from an address with transfers enabled
 by ACL. The name of the catalog zone is arbitrary. It's however required to
 include version record ``version 0 IN TXT "2"``.
 It's possible to configure more catalog zones.

src/knot/nameserver/process_query.c

@@ -423,9 +423,11 @@ static int prepare_answer(knot_pkt_t *query, knot_pkt_t *resp, knot_layer_t *ctx
 		qdata->extra->contents = qdata->extra->zone->contents;
 	}
 
-	if (query_type(query) == KNOTD_QUERY_TYPE_NORMAL &&
-	    qdata->extra->zone != NULL && (qdata->extra->zone->flags & ZONE_IS_CATALOG)) {
-		if (!process_query_acl_check(conf(), ACL_ACTION_TRANSFER, qdata)) {
+	/* Allow normal queries to catalog only over TCP and if allowed by ACL. */
+	if (qdata->extra->zone != NULL && (qdata->extra->zone->flags & ZONE_IS_CATALOG) &&
+	    query_type(query) == KNOTD_QUERY_TYPE_NORMAL) {
+		if ((qdata->params->flags & KNOTD_QUERY_FLAG_LIMIT_SIZE) ||
+		    !process_query_acl_check(conf(), ACL_ACTION_TRANSFER, qdata)) {
 			qdata->extra->zone = NULL;
 			qdata->extra->contents = NULL;
 		}