Address inconsistencies in checking added RRsets
authorMark Andrews <marka@isc.org>
Fri, 12 Feb 2021 03:51:28 +0000 (14:51 +1100)
committerMichał Kępień <michal@isc.org>
Thu, 29 Apr 2021 09:56:03 +0000 (11:56 +0200)
loading_addrdataset() rejects SOA RRsets which are not at top of zone.
addrdataset() should similarly reject such RRsets.

lib/dns/rbtdb.c

index 34fc404b2ed0c60424ab9de08b23520449d1ee0b..9d27a1519f9abe88e154e95e343ece4f3e757936 100644 (file)
@@ -6839,6 +6839,13 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
        INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
 
        if (rbtdb->common.methods == &zone_methods) {
+               /*
+                * SOA records are only allowed at top of zone.
+                */
+               if (rdataset->type == dns_rdatatype_soa &&
+                   node != rbtdb->origin_node) {
+                       return (DNS_R_NOTZONETOP);
+               }
                RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
                REQUIRE(((rbtnode->nsec == DNS_RBT_NSEC_NSEC3 &&
                          (rdataset->type == dns_rdatatype_nsec3 ||
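Review bot: The new SOA check fails softly with `DNS_R_NOTZONETOP`, but the type/node consistency check right after it in the same `zone_methods` branch is still a `REQUIRE`, so a mismatched NSEC3 rdataset would abort the process instead of being rejected. If addrdataset() can be reached with RRsets derived from untrusted input such as a dynamic update or an inbound transfer (the callers are not visible here), that assertion deserves the same error-return treatment, or a comment naming the caller that guarantees the invariant. The REQUIRE expression and the rest of addrdataset() continue outside the hunk, so this is inferred from the visible lines only. The added comment could also record why no cleanup is needed, e.g. `/* SOA records are only allowed at top of zone; checked before tree_lock is taken, so no unlock is needed. */`.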