diff --git a/CHANGES b/CHANGES index 5954a389e8..7aebc442e8 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +4993. [cleanup] Remove support for silently ignoring 'no-change' deltas + from BIND 8 when processing an IXFR stream. 'no-change' + deltas will now trigger a fallback to AXFR as the + recovery mechanism. [GL #369] + 4992. [bug] The wrong address was being logged for trust anchor telemetry queries. [GL #379] diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index b6c3fdbfc7..6f30ff9e68 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -241,6 +241,11 @@ abundance of caution. DNS COOKIE is an important security mechanism, and should not be disabled unless absolutely necessary. + + Remove support for silently ignoring 'no-change' deltas from + BIND 8 when processing an IXFR stream. 'no-change' deltas + will now trigger a fallback to AXFR as the recovery mechanism. + diff --git a/lib/dns/journal.c b/lib/dns/journal.c index ff974cfb78..409b3957a8 100644 --- a/lib/dns/journal.c +++ b/lib/dns/journal.c @@ -71,12 +71,6 @@ * the "end" position in the header. The latter will * be overwritten when new transactions are added. */ -/*% - * When true, accept IXFR difference sequences where the - * SOA serial number does not change (BIND 8 sends such - * sequences). - */ -static isc_boolean_t bind8_compat = ISC_TRUE; /* XXX config */ /**************************************************************************/ /* @@ -1130,13 +1124,10 @@ dns_journal_commit(dns_journal_t *j) { j->filename, j->x.n_soa); return (ISC_R_UNEXPECTED); } - if (! (DNS_SERIAL_GT(j->x.pos[1].serial, j->x.pos[0].serial) || - (bind8_compat && - j->x.pos[1].serial == j->x.pos[0].serial))) - { + if (! DNS_SERIAL_GT(j->x.pos[1].serial, j->x.pos[0].serial)) { isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR, "%s: malformed transaction: serial number " - "would decrease", j->filename); + "did not increase", j->filename); return (ISC_R_UNEXPECTED); } if (! JOURNAL_EMPTY(&j->header)) {