1 files changed, 46 insertions, 0 deletions

diff --git a/debian/patches/0030-Address-inconsistencies-in-checking-added-RRsets.patch b/debian/patches/0030-Address-inconsistencies-in-checking-added-RRsets.patch
new file mode 100644
index 0000000..23a1b29
--- /dev/null
+++ b/debian/patches/0030-Address-inconsistencies-in-checking-added-RRsets.patch
@@ -0,0 +1,46 @@
+From: Mark Andrews <marka@isc.org>
+Date: Fri, 12 Feb 2021 14:51:28 +1100
+Subject: Address inconsistencies in checking added RRsets
+
+loading_addrdataset() rejects SOA RRsets which are not at top of zone.
+addrdataset() should similarly reject such RRsets.
+---
+ lib/dns/rbtdb.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index 792c443..b1b928c 100644
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -117,7 +117,7 @@ struct rbtdb_file_header {
+ /*%
+  * Note that "impmagic" is not the first four bytes of the struct, so
+  * ISC_MAGIC_VALID cannot be used.
+- */
++a */
+ #define VALID_RBTDB(rbtdb)      ((rbtdb) != NULL && \
+ 				 (rbtdb)->common.impmagic == RBTDB_MAGIC)
+ 
+@@ -6806,13 +6806,21 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ 	REQUIRE(VALID_RBTDB(rbtdb));
+ 	INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
+ 
+-	if (rbtdb->common.methods == &zone_methods)
++	if (rbtdb->common.methods == &zone_methods) {
++		/*
++		 * SOA records are only allowed at top of zone.
++		 */
++		if (rdataset->type == dns_rdatatype_soa &&
++		    node != rbtdb->origin_node) {
++			return (DNS_R_NOTZONETOP);
++		}
+ 		REQUIRE(((rbtnode->nsec == DNS_RBT_NSEC_NSEC3 &&
+ 			  (rdataset->type == dns_rdatatype_nsec3 ||
+ 			   rdataset->covers == dns_rdatatype_nsec3)) ||
+ 			 (rbtnode->nsec != DNS_RBT_NSEC_NSEC3 &&
+ 			   rdataset->type != dns_rdatatype_nsec3 &&
+ 			   rdataset->covers != dns_rdatatype_nsec3)));
++	}
+ 
+ 	if (rbtversion == NULL) {
+ 		if (now == 0)