From 4eff09c6b1e524b0efc393ee948b5c4cdf16ccb8 Mon Sep 17 00:00:00 2001

From: Mark Andrews <marka@isc.org>

Date: Wed, 3 Feb 2021 11:10:20 +1100

Subject: [PATCH] Check SOA owner names in zone transfers

An IXFR containing SOA records with owner names different than the

transferred zone's origin can result in named serving a version of that

zone without an SOA record at the apex.  This causes a RUNTIME_CHECK

assertion failure the next time such a zone is refreshed.  Fix by

immediately rejecting a zone transfer (either an incremental or

non-incremental one) upon detecting an SOA record not placed at the apex

of the transferred zone.

---

 lib/dns/xfrin.c | 14 ++++++++++++++

 1 file changed, 14 insertions(+)

diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c

index 3a3f407289..0ba82e4974 100644

--- a/lib/dns/xfrin.c

+++ b/lib/dns/xfrin.c

@@ -477,6 +477,20 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, uint32_t ttl,

 	    dns_rdatatype_ismeta(rdata->type))

 		FAIL(DNS_R_FORMERR);

+	/*

+	 * Immediately reject the entire transfer if the RR that is currently

+	 * being processed is an SOA record that is not placed at the zone

+	 * apex.

+	 */

+	if (rdata->type == dns_rdatatype_soa &&

+	    !dns_name_equal(&xfr->name, name)) {

+		char namebuf[DNS_NAME_FORMATSIZE];

+		dns_name_format(name, namebuf, sizeof(namebuf));

+		xfrin_log(xfr, ISC_LOG_DEBUG(3), "SOA name mismatch: '%s'",

+			  namebuf);

+		FAIL(DNS_R_NOTZONETOP);

+	}

+

  redo:

 	switch (xfr->state) {

 	case XFRST_SOAQUERY:

-- 

2.26.3