Check SOA owner names in zone transfers
authorMark Andrews <marka@isc.org>
Wed, 3 Feb 2021 00:10:20 +0000 (11:10 +1100)
committerMichał Kępień <michal@isc.org>
Thu, 29 Apr 2021 09:56:03 +0000 (11:56 +0200)
An IXFR containing SOA records with owner names different from the
transferred zone's origin can result in named serving a version of that
zone without an SOA record at the apex.  This causes a RUNTIME_CHECK
assertion failure the next time such a zone is refreshed.  Fix by
immediately rejecting a zone transfer (either an incremental or
non-incremental one) upon detecting an SOA record not placed at the apex
of the transferred zone.

lib/dns/xfrin.c

index 3a3f40728993357292316e87076bd7b206d503f7..0ba82e4974f7a2333f9beb640919b34340b4c603 100644 (file)
@@ -477,6 +477,20 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, uint32_t ttl,
            dns_rdatatype_ismeta(rdata->type))
                FAIL(DNS_R_FORMERR);
 
+       /*
+        * Immediately reject the entire transfer if the RR that is currently
+        * being processed is an SOA record that is not placed at the zone
+        * apex.
+        */
+       if (rdata->type == dns_rdatatype_soa &&
+           !dns_name_equal(&xfr->name, name)) {
+               char namebuf[DNS_NAME_FORMATSIZE];
+               dns_name_format(name, namebuf, sizeof(namebuf));
+               xfrin_log(xfr, ISC_LOG_DEBUG(3), "SOA name mismatch: '%s'",
+                         namebuf);
+               FAIL(DNS_R_NOTZONETOP);
+       }
+
  redo:
        switch (xfr->state) {
        case XFRST_SOAQUERY:
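Review bot: The new rejection on lines 27–34 records the offending owner name only at ISC_LOG_DEBUG(3), so under default logging an operator sees at most the DNS_R_NOTZONETOP result that FAIL propagates (assuming the generic failure path logs it), not which name the primary actually sent. Since this check now decides whether a transfer is accepted at all, consider logging the mismatch at a level that is visible without raising the debug level, e.g. `xfrin_log(xfr, ISC_LOG_INFO, "SOA name mismatch: '%s'", namebuf);`, so rejected transfers can be noticed and alerted on; if the other FAIL sites in xfr_rr deliberately keep their detail at DEBUG(3), keeping this one consistent is defensible, but then the choice deserves a word in the comment. The block comment could also state why the check exists: `* An SOA outside the apex would otherwise be loaded and leave the zone without an apex SOA, which later trips a RUNTIME_CHECK on refresh.` xfr_rr begins before this hunk and continues past it.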