Diffstat (limited to '')
-rw-r--r--debian/patches/0029-Check-SOA-owner-names-in-zone-transfers.patch40
1 files changed, 40 insertions, 0 deletions
diff --git a/debian/patches/0029-Check-SOA-owner-names-in-zone-transfers.patch b/debian/patches/0029-Check-SOA-owner-names-in-zone-transfers.patch
new file mode 100644
index 0000000..5af5d36
--- /dev/null
+++ b/debian/patches/0029-Check-SOA-owner-names-in-zone-transfers.patch
@@ -0,0 +1,40 @@
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 3 Feb 2021 11:10:20 +1100
+Subject: Check SOA owner names in zone transfers
+
+An IXFR containing SOA records with owner names different than the
+transferred zone's origin can result in named serving a version of that
+zone without an SOA record at the apex. This causes a RUNTIME_CHECK
+assertion failure the next time such a zone is refreshed. Fix by
+immediately rejecting a zone transfer (either an incremental or
+non-incremental one) upon detecting an SOA record not placed at the apex
+of the transferred zone.
+---
+ lib/dns/xfrin.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
+index d39ca26..0baf170 100644
+--- a/lib/dns/xfrin.c
++++ b/lib/dns/xfrin.c
+@@ -477,6 +477,20 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, uint32_t ttl,
+ dns_rdatatype_ismeta(rdata->type))
+ FAIL(DNS_R_FORMERR);
+
++ /*
++ * Immediately reject the entire transfer if the RR that is currently
++ * being processed is an SOA record that is not placed at the zone
++ * apex.
++ */
++ if (rdata->type == dns_rdatatype_soa &&
++ !dns_name_equal(&xfr->name, name)) {
++ char namebuf[DNS_NAME_FORMATSIZE];
++ dns_name_format(name, namebuf, sizeof(namebuf));
++ xfrin_log(xfr, ISC_LOG_DEBUG(3), "SOA name mismatch: '%s'",
++ namebuf);
++ FAIL(DNS_R_NOTZONETOP);
++ }
++
+ redo:
+ switch (xfr->state) {
+ case XFRST_SOAQUERY:
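Review bot: The rejection reason at the `xfrin_log` call near the end of the added block is emitted only at `ISC_LOG_DEBUG(3)`, so at default log levels an operator sees a refused transfer but not that an off-apex SOA (a sign of a malformed or hostile primary response) caused it, unless the `failure` path that `FAIL()` jumps to, which is outside this hunk, already reports `DNS_R_NOTZONETOP` together with the owner name at a higher level. Consider `xfrin_log(xfr, ISC_LOG_INFO, "SOA name mismatch: '%s'", namebuf);` so the event is visible without debug logging enabled. The patch header also carries no reference to the upstream issue or advisory it backports; a DEP-3 `Origin:` or `Bug:` line (placeholder: `Origin: upstream, <UPSTREAM-COMMIT-OR-ADVISORY-URL>`) would let the next maintainer trace and verify it. The enclosing `xfr_rr` function starts before and continues after this hunk.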