From 0325e4a1fbe1439d2e899126d84bdae57693be8a Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Fri, 1 Sep 2023 10:17:00 +1000
Subject: [PATCH 1/2] Adjust level of log messages when transferring in a zone

This raises the log level of messages treated as FORMERR to NOTICE when transfering in a zone.

This also adds a missing log message for TYPE0 and meta types received during a zone transfer.

(cherry picked from commit 6c3414739de8a0bb0549ca7a172314edd78597ac)
---
 lib/dns/xfrin.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
index 53572774b3..393b55787d 100644
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -393,7 +393,7 @@ ixfr_init(dns_xfrin_ctx_t *xfr) {
 	char *journalfile = NULL;
 
 	if (xfr->reqtype != dns_rdatatype_ixfr) {
-		xfrin_log(xfr, ISC_LOG_ERROR,
+		xfrin_log(xfr, ISC_LOG_NOTICE,
 			  "got incremental response to AXFR request");
 		return (DNS_R_FORMERR);
 	}
@@ -510,6 +510,10 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, uint32_t ttl,
 	if (rdata->type == dns_rdatatype_none ||
 	    dns_rdatatype_ismeta(rdata->type))
 	{
+		char buf[64];
+		dns_rdatatype_format(rdata->type, buf, sizeof(buf));
+		xfrin_log(xfr, ISC_LOG_NOTICE,
+			  "Unexpected %s record in zone transfer", buf);
 		FAIL(DNS_R_FORMERR);
 	}
 
@@ -532,7 +536,7 @@ redo:
 	switch (xfr->state) {
 	case XFRST_SOAQUERY:
 		if (rdata->type != dns_rdatatype_soa) {
-			xfrin_log(xfr, ISC_LOG_ERROR,
+			xfrin_log(xfr, ISC_LOG_NOTICE,
 				  "non-SOA response to SOA query");
 			FAIL(DNS_R_FORMERR);
 		}
@@ -557,7 +561,7 @@ redo:
 
 	case XFRST_INITIALSOA:
 		if (rdata->type != dns_rdatatype_soa) {
-			xfrin_log(xfr, ISC_LOG_ERROR,
+			xfrin_log(xfr, ISC_LOG_NOTICE,
 				  "first RR in zone transfer must be SOA");
 			FAIL(DNS_R_FORMERR);
 		}
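Review bot: The buffer added in the xfr_rr hunk is sized with a bare `64`, yet all it has to hold is the text dns_rdatatype_format() writes; if the rdatatype header this file already includes defines a size constant for that formatter, `char buf[DNS_RDATATYPE_FORMATSIZE];` would tie the buffer to the function that fills it rather than to a magic number (confirm the constant's name and availability before relying on it). The new message also breaks the casing of its neighbours in the same switch ("non-SOA response to SOA query", "first RR in zone transfer must be SOA"), so `"unexpected %s record in zone transfer"` would read consistently in operator logs. Because these NOTICE lines are now produced for every malformed response the configured primary (or anyone able to inject into the transfer stream) sends, and the transfer is retried on each refresh, it is worth checking that the xfrin log category can be rate-limited or that the resulting volume is acceptable; the hunk does not show the logging configuration, so this is a question rather than a defect. xfr_rr begins before this hunk and continues after it.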
@@ -642,7 +646,7 @@ redo:
 				xfr->state = XFRST_IXFR_END;
 				break;
 			} else if (soa_serial != xfr->ixfr.current_serial) {
-				xfrin_log(xfr, ISC_LOG_ERROR,
+				xfrin_log(xfr, ISC_LOG_NOTICE,
 					  "IXFR out of sync: "
 					  "expected serial %u, got %u",
 					  xfr->ixfr.current_serial, soa_serial);
@@ -678,7 +682,7 @@ redo:
 			 * allow for case differences.
 			 */
 			if (dns_rdata_compare(rdata, &xfr->firstsoa) != 0) {
-				xfrin_log(xfr, ISC_LOG_ERROR,
+				xfrin_log(xfr, ISC_LOG_NOTICE,
 					  "start and ending SOA records "
 					  "mismatch");
 				FAIL(DNS_R_FORMERR);
@@ -1650,7 +1654,7 @@ xfrin_recv_done(isc_nmhandle_t *handle, isc_result_t result,
 	 * match the question that was sent.
 	 */
 	if (msg->counts[DNS_SECTION_QUESTION] > 1) {
-		xfrin_log(xfr, ISC_LOG_DEBUG(3), "too many questions (%u)",
+		xfrin_log(xfr, ISC_LOG_NOTICE, "too many questions (%u)",
 			  msg->counts[DNS_SECTION_QUESTION]);
 		result = DNS_R_FORMERR;
 		goto failure;
@@ -1659,7 +1663,7 @@ xfrin_recv_done(isc_nmhandle_t *handle, isc_result_t result,
 	if ((xfr->state == XFRST_SOAQUERY || xfr->state == XFRST_INITIALSOA) &&
 	    msg->counts[DNS_SECTION_QUESTION] != 1)
 	{
-		xfrin_log(xfr, ISC_LOG_DEBUG(3), "missing question section");
+		xfrin_log(xfr, ISC_LOG_NOTICE, "missing question section");
 		result = DNS_R_FORMERR;
 		goto failure;
 	}
@@ -1674,7 +1678,7 @@ xfrin_recv_done(isc_nmhandle_t *handle, isc_result_t result,
 	dns_message_currentname(msg, DNS_SECTION_QUESTION, &name);
 	if (!dns_name_equal(name, &xfr->name)) {
 		result = DNS_R_FORMERR;
-		xfrin_log(xfr, ISC_LOG_DEBUG(3),
+		xfrin_log(xfr, ISC_LOG_NOTICE,
 			  "question name mismatch");
 		goto failure;
 	}
@@ -1682,13 +1686,13 @@ xfrin_recv_done(isc_nmhandle_t *handle, isc_result_t result,
 	INSIST(rds != NULL);
 	if (rds->type != xfr->reqtype) {
 		result = DNS_R_FORMERR;
-		xfrin_log(xfr, ISC_LOG_DEBUG(3),
+		xfrin_log(xfr, ISC_LOG_NOTICE,
 			  "question type mismatch");
 		goto failure;
 	}
 	if (rds->rdclass != xfr->rdclass) {
 		result = DNS_R_FORMERR;
-		xfrin_log(xfr, ISC_LOG_DEBUG(3),
+		xfrin_log(xfr, ISC_LOG_NOTICE,
 			  "question class mismatch");
 		goto failure;
 	}

From dd9f205c1315b276b74efbc7a14eaa031001b2a2 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Fri, 1 Sep 2023 10:26:45 +1000
Subject: [PATCH 2/2] Add a CHANGES note for [GL #4290]

(cherry picked from commit b867244305ba3a542ddab9e6e4bc5996a014a61d)
---
 CHANGES | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGES b/CHANGES
index 238f14e607..a62a2dc690 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+6244.	[bug]		Adjust log levels on malformed messages to NOTICE when
+			transferring in a zone. [GL #4290]
+
 6241.	[bug]		Take into account the possibility of partial TLS writes in TLS DNS code. That helps to prevent DNS messages corruption on long DNS over TLS streams. [GL #4255]