named does not check RDATA of the SOA record ending an AXFR
While lib/dns/xfrin.c:xfr_rr()
checks whether the last RR in the
AXFR stream is an SOA record, it does not check its RDATA.
RFC 5936 section 2.2 says:
An AXFR response that is transferring the zone's contents will
consist of a series (which could be a series of length 1) of DNS
messages. In such a series, the first message MUST begin with the
SOA resource record of the zone, and the last message MUST conclude
with the same SOA resource record.
Meanwhile, named
accepts the following AXFR stream as valid:
nil. 300 SOA localhost. root.nil. 3 300 300 604800 300
nil. 300 NS localhost.
nil. 300 SOA localhost. root.nil. 1 300 300 604800 300
This results in the following (rather confusing) set of log messages being generated (note the serial number discrepancies):
24-Feb-2021 22:36:49.732 zone nil/IN: transferred serial 1
24-Feb-2021 22:36:49.732 transfer of 'nil/IN' from 10.53.0.2#5300: Transfer status: success
24-Feb-2021 22:36:49.732 transfer of 'nil/IN' from 10.53.0.2#5300: Transfer completed: 1 messages, 3 records, 121 bytes, 0.001 secs (121000 bytes/sec) (serial 3)
After processing the above transfer, named
puts the SOA record with
serial number 1 into the zone database.
I do not think this problem poses a security threat, but I am reporting it in a confidential issue to rather be safe than sorry.
Edited by Michał Kępień