Check SOA owner names in zone transfers

An IXFR containing SOA records with owner names different than the transferred zone's origin can result in named serving a version of that zone without an SOA record at the apex. This causes a RUNTIME_CHECK assertion failure the next time such a zone is refreshed. Fix by immediately rejecting a zone transfer (either an incremental or non-incremental one) upon detecting an SOA record not placed at the apex of the transferred zone.
2025-08-30 14:07:59 +00:00 · 2021-02-03 11:10:20 +11:00
parent 0695a42adb
commit 01209dfa49
1 changed files with 14 additions and 0 deletions
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -498,6 +498,20 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, uint32_t ttl,
 		FAIL(DNS_R_FORMERR);
 	}

+	/*
+	 * Immediately reject the entire transfer if the RR that is currently
+	 * being processed is an SOA record that is not placed at the zone
+	 * apex.
+	 */
+	if (rdata->type == dns_rdatatype_soa &&
+	    !dns_name_equal(&xfr->name, name)) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		xfrin_log(xfr, ISC_LOG_DEBUG(3), "SOA name mismatch: '%s'",
+			  namebuf);
+		FAIL(DNS_R_NOTZONETOP);
+	}
+
 redo:
 	switch (xfr->state) {
 	case XFRST_SOAQUERY: