From: Mark Andrews <marka@isc.org>
Date: Wed, 3 Feb 2021 11:10:20 +1100
Subject: Check SOA owner names in zone transfers

An IXFR containing SOA records with owner names different than the
transferred zone's origin can result in named serving a version of that
zone without an SOA record at the apex.  This causes a RUNTIME_CHECK
assertion failure the next time such a zone is refreshed.  Fix by
immediately rejecting a zone transfer (either an incremental or
non-incremental one) upon detecting an SOA record not placed at the apex
of the transferred zone.
---
 lib/dns/xfrin.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
index d39ca26..0baf170 100644
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -477,6 +477,20 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, uint32_t ttl,
 	    dns_rdatatype_ismeta(rdata->type))
 		FAIL(DNS_R_FORMERR);
 
+	/*
+	 * Immediately reject the entire transfer if the RR that is currently
+	 * being processed is an SOA record that is not placed at the zone
+	 * apex.
+	 */
+	if (rdata->type == dns_rdatatype_soa &&
+	    !dns_name_equal(&xfr->name, name)) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		xfrin_log(xfr, ISC_LOG_DEBUG(3), "SOA name mismatch: '%s'",
+			  namebuf);
+		FAIL(DNS_R_NOTZONETOP);
+	}
+
  redo:
 	switch (xfr->state) {
 	case XFRST_SOAQUERY:
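Review bot: The only record of which owner name caused the rejection is the `xfrin_log(xfr, ISC_LOG_DEBUG(3), ...)` call in the added block, so at default log levels an operator sees the transfer fail with DNS_R_NOTZONETOP but not the name that triggered it, which is the detail needed to tell a misconfigured or hostile primary apart from a transient failure. Consider `xfrin_log(xfr, ISC_LOG_INFO, "SOA name mismatch: '%s'", namebuf);` (or whatever level the file uses for other rejected-transfer diagnostics) so the offending name lands in the normal log; the FAIL path presumably reports the result code separately, but I cannot confirm that from the hunk. The added comment says what is rejected but not why it matters; a why-comment such as `/* An SOA with a non-apex owner would otherwise leave the zone without an apex SOA and trip a RUNTIME_CHECK on the next refresh. */` would tie the check to the failure the commit message describes. xfr_rr begins and ends outside the hunk.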