Diffstat (limited to 'debian/patches/0029-Check-SOA-owner-names-in-zone-transfers.patch')
-rw-r--r-- | debian/patches/0029-Check-SOA-owner-names-in-zone-transfers.patch | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/debian/patches/0029-Check-SOA-owner-names-in-zone-transfers.patch b/debian/patches/0029-Check-SOA-owner-names-in-zone-transfers.patch
new file mode 100644
index 0000000..5af5d36
--- /dev/null
+++ b/debian/patches/0029-Check-SOA-owner-names-in-zone-transfers.patch
@@ -0,0 +1,40 @@
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 3 Feb 2021 11:10:20 +1100
+Subject: Check SOA owner names in zone transfers
+
+An IXFR containing SOA records with owner names different than the
+transferred zone's origin can result in named serving a version of that
+zone without an SOA record at the apex. This causes a RUNTIME_CHECK
+assertion failure the next time such a zone is refreshed. Fix by
+immediately rejecting a zone transfer (either an incremental or
+non-incremental one) upon detecting an SOA record not placed at the apex
+of the transferred zone.
+---
+ lib/dns/xfrin.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
+index d39ca26..0baf170 100644
+--- a/lib/dns/xfrin.c
++++ b/lib/dns/xfrin.c
+@@ -477,6 +477,20 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, uint32_t ttl,
+ dns_rdatatype_ismeta(rdata->type))
+ FAIL(DNS_R_FORMERR);
+
++ /*
++ * Immediately reject the entire transfer if the RR that is currently
++ * being processed is an SOA record that is not placed at the zone
++ * apex.
++ */
++ if (rdata->type == dns_rdatatype_soa &&
++ !dns_name_equal(&xfr->name, name)) {
++ char namebuf[DNS_NAME_FORMATSIZE];
++ dns_name_format(name, namebuf, sizeof(namebuf));
++ xfrin_log(xfr, ISC_LOG_DEBUG(3), "SOA name mismatch: '%s'",
++ namebuf);
++ FAIL(DNS_R_NOTZONETOP);
++ }
++
+ redo:
+ switch (xfr->state) {
+ case XFRST_SOAQUERY: |
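Review bot: The owner-name mismatch is logged only at ISC_LOG_DEBUG(3) just before FAIL(DNS_R_NOTZONETOP), so an operator whose secondary suddenly refuses transfers from a misbehaving or spoofed primary will presumably see only the generic result string from the existing failure path (outside this hunk) and not the offending name; consider `xfrin_log(xfr, ISC_LOG_INFO, "SOA name mismatch: '%s'", namebuf);` so the cause is diagnosable without raising debug levels. Placing the new check ahead of `redo:` is the right choice, since nothing in the visible lines gates it on xfr->state, so it should cover the first SOA of an AXFR as well as the SOAs delimiting each IXFR change set. xfr_rr begins and ends outside this hunk, so I could not confirm that the `failure:` target reached via FAIL() discards IXFR diffs already applied for this transfer before the rejecting record arrived — worth verifying on the Debian branch being patched. On the packaging side, the new patch carries only the git From/Date/Subject header; DEP-3 `Origin:` and `Bug:`/`Bug-Debian:` lines pointing at the upstream commit and the advisory it addresses would help future rebases and security tracking.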