blob: 23a1b29058cea49273c44ac3650d5f44a86d8d68 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
|
From: Mark Andrews <marka@isc.org>
Date: Fri, 12 Feb 2021 14:51:28 +1100
Subject: Address inconsistencies in checking added RRsets
loading_addrdataset() rejects SOA RRsets which are not at top of zone.
addrdataset() should similarly reject such RRsets.
---
lib/dns/rbtdb.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 792c443..b1b928c 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -117,7 +117,7 @@ struct rbtdb_file_header {
/*%
* Note that "impmagic" is not the first four bytes of the struct, so
* ISC_MAGIC_VALID cannot be used.
- */
+a */
#define VALID_RBTDB(rbtdb) ((rbtdb) != NULL && \
(rbtdb)->common.impmagic == RBTDB_MAGIC)
@@ -6806,13 +6806,21 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
REQUIRE(VALID_RBTDB(rbtdb));
INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
- if (rbtdb->common.methods == &zone_methods)
+ if (rbtdb->common.methods == &zone_methods) {
+ /*
+ * SOA records are only allowed at top of zone.
+ */
+ if (rdataset->type == dns_rdatatype_soa &&
+ node != rbtdb->origin_node) {
+ return (DNS_R_NOTZONETOP);
+ }
REQUIRE(((rbtnode->nsec == DNS_RBT_NSEC_NSEC3 &&
(rdataset->type == dns_rdatatype_nsec3 ||
rdataset->covers == dns_rdatatype_nsec3)) ||
(rbtnode->nsec != DNS_RBT_NSEC_NSEC3 &&
rdataset->type != dns_rdatatype_nsec3 &&
rdataset->covers != dns_rdatatype_nsec3)));
+ }
if (rbtversion == NULL) {
if (now == 0)
|
