Check SOA owner names in zone transfers
authorMark Andrews <marka@isc.org>
Wed, 3 Feb 2021 00:10:20 +0000 (11:10 +1100)
committerMichał Kępień <michal@isc.org>
Thu, 8 Apr 2021 11:16:15 +0000 (13:16 +0200)
An IXFR containing SOA records with owner names different than the
transferred zone's origin can result in named serving a version of that
zone without an SOA record at the apex.  This causes a RUNTIME_CHECK
assertion failure the next time such a zone is refreshed.  Fix by
immediately rejecting a zone transfer (either an incremental or
non-incremental one) upon detecting an SOA record not placed at the apex
of the transferred zone.

lib/dns/xfrin.c

index 03ccb115a2c70f92d2af8bead8f7c53bad9b7ea8..e314dfa4aeecbe83558c1e5089d4154bfc1789d3 100644 (file)
@@ -498,6 +498,20 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, uint32_t ttl,
                FAIL(DNS_R_FORMERR);
        }
 
+       /*
+        * Immediately reject the entire transfer if the RR that is currently
+        * being processed is an SOA record that is not placed at the zone
+        * apex.
+        */
+       if (rdata->type == dns_rdatatype_soa &&
+           !dns_name_equal(&xfr->name, name)) {
+               char namebuf[DNS_NAME_FORMATSIZE];
+               dns_name_format(name, namebuf, sizeof(namebuf));
+               xfrin_log(xfr, ISC_LOG_DEBUG(3), "SOA name mismatch: '%s'",
+                         namebuf);
+               FAIL(DNS_R_NOTZONETOP);
+       }
+
 redo:
        switch (xfr->state) {
        case XFRST_SOAQUERY:
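Review bot: The rejection on the new lines is only logged at ISC_LOG_DEBUG(3), so unless FAIL() itself reports the result code, an operator whose secondary stops accepting transfers from a misbehaving or hostile primary will see no reason for the failure at default log levels; consider `xfrin_log(xfr, ISC_LOG_INFO, "SOA name mismatch: '%s'", namebuf);` or similar, since this is a hard error that aborts the whole transfer rather than a debugging trace. It would also help diagnosis to include the expected apex in the message (a second DNS_NAME_FORMATSIZE buffer formatted from `&xfr->name`), as the current text names only the offending owner. The check itself is placed before the `redo:` state switch, so it presumably applies to every record regardless of transfer state, which is the intended behaviour described in the commit message. xfr_rr begins before this hunk and continues after it.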