
Require "dot" ALPN token for incoming xfrs over XoT

This commit makes the code handling incoming zone transfers verify
whether they are allowed to be done over the underlying connections. As a
result, the check ensures that the "dot" ALPN token has been negotiated
over the underlying connection.
This commit is contained in:
Artem Boldariev
2021-08-30 17:13:00 +03:00
parent 382098198e
commit 79d8af7354


@@ -947,6 +947,7 @@ xfrin_start(dns_xfrin_ctx_t *xfr) {
break;
case DNS_TRANSPORT_TLS:
CHECK(isc_tlsctx_createclient(&xfr->tlsctx));
isc_tlsctx_enable_dot_client_alpn(xfr->tlsctx);
isc_nm_tlsdnsconnect(xfr->netmgr, &xfr->sourceaddr,
&xfr->masteraddr, xfrin_connect_done,
connect_xfr, 30000, 0, xfr->tlsctx);
@@ -1018,6 +1019,10 @@ xfrin_connect_done(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) {
CHECK(result);
if (!isc_nm_xfr_allowed(handle)) {
goto failure;
}
zmgr = dns_zone_getmgr(xfr->zone);
if (zmgr != NULL) {
if (result != ISC_R_SUCCESS) {