[svn] commit: r2479 - /branches/trac221b/src/bin/xfrin/xfrin.py.in

BIND 10 source code commits bind10-changes at lists.isc.org
Sat Jul 10 18:59:36 UTC 2010


Author: jinmei
Date: Sat Jul 10 18:59:36 2010
New Revision: 2479

Log:
disabled xfrin triggered by a notify.  the original implementation naively trusts the notify sender and uses it as the transfer master, which is very dangerous from a security point of view.

Modified:
    branches/trac221b/src/bin/xfrin/xfrin.py.in

Modified: branches/trac221b/src/bin/xfrin/xfrin.py.in
==============================================================================
--- branches/trac221b/src/bin/xfrin/xfrin.py.in (original)
+++ branches/trac221b/src/bin/xfrin/xfrin.py.in Sat Jul 10 18:59:36 2010
@@ -418,8 +418,22 @@
                 # share the code.
                 (zone_name, rrclass,
                  master_addr, db_file) = self._parse_cmd_params(args)
-                ret = self.xfrin_start(zone_name, rrclass, db_file,
-                                       master_addr, True)
+
+                # XXX: master_addr is the sender of the notify message.
+                # It's very dangerous to naively trust it as the source of
+                # subsequent zone transfer; any remote node can easily exploit
+                # it to mount zone poisoning or DoS attacks.  We should
+                # locally identify the appropriate set of master servers.
+                # For now, we disable the code below.
+                master_is_valid = False
+
+                if master_is_valid:
+                    ret = self.xfrin_start(zone_name, rrclass, db_file,
+                                           master_addr, True)
+                else:
+                    errmsg = 'Failed to validate the master address ('
+                    errmsg += args['master'] + '), ignoring notify'
+                    ret = [1, errmsg]
                 answer = create_answer(ret[0], ret[1])
             else:
                 answer = create_answer(1, 'unknown command: ' + command)
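Review bot: the rejection branch builds its message from `args['master']` instead of the `master_addr` that `_parse_cmd_params(args)` returned a few lines earlier, so a notify command whose parameters lack 'master' (or carry a non-string value) will raise in the else branch rather than produce the intended "ignoring notify" answer; use `master_addr` (or `str(master_addr)`) in `errmsg += ...` so the error path cannot itself fail. The hard-coded `master_is_valid = False` also leaves the `if master_is_valid:` branch as dead code with no pointer to where the real validation is meant to come from; a TODO naming the follow-up work next to the XXX comment, and a log call at the rejection point, would make the disabled path visible in the operations log rather than only in the command answer.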

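The XXX comment in the hunk says the daemon should "locally identify the appropriate set of master servers" instead of using the NOTIFY sender as the transfer source. The following is an added example of that check, written for this page and not code from BIND 10 or its authors: it keeps a per-zone master list in a constructed local table (`ZONE_MASTERS`, a stand-in for real configuration), accepts a NOTIFY only if its sender matches a configured master for the zone, and then returns the configured address rather than the address taken from the packet. Rejecting NOTIFYs from hosts that are not known masters is also what RFC 1996 asks of a slave. The function names and the table layout are assumptions made for the example.

```python
import ipaddress

# Constructed sample configuration (not BIND 10's schema): each
# (zone, class) pair lists the master servers it may be transferred from.
ZONE_MASTERS = {
    ("example.com.", "IN"): ["192.0.2.1", "2001:db8::1"],
    ("example.net.", "IN"): ["192.0.2.2"],
}


def normalize_name(name):
    """Lower-case a zone name and make it absolute (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def validate_notify_master(zone_name, rrclass, notify_sender,
                           zone_masters=ZONE_MASTERS):
    """Decide whether a NOTIFY may trigger a transfer and from where.

    Returns (True, master_addr) or (False, error_message).  The sender
    address is used only to verify that the NOTIFY came from a known
    master; the transfer source is always the locally configured entry,
    never the address from the packet.
    """
    key = (normalize_name(zone_name), rrclass.upper())
    masters = zone_masters.get(key)
    if not masters:
        return (False,
                "no masters configured for zone %s/%s, ignoring notify" % key)

    try:
        sender = ipaddress.ip_address(notify_sender)
    except ValueError:
        return (False,
                "malformed notify sender address (%s), ignoring notify"
                % notify_sender)

    for master in masters:
        # Compare parsed addresses so "2001:DB8::1" and "2001:db8::1"
        # match, but hand back the configured string, not the sender's.
        if ipaddress.ip_address(master) == sender:
            return True, master

    return (False,
            "notify from %s is not a configured master for %s, "
            "ignoring notify" % (sender, key[0]))


if __name__ == "__main__":
    # Constructed inputs: one NOTIFY from a configured master, one from
    # an arbitrary remote host that must not become the transfer source.
    print(validate_notify_master("EXAMPLE.COM", "in", "192.0.2.1"))
    print(validate_notify_master("example.com", "IN", "198.51.100.7"))
```

The point of returning the configured master string rather than echoing the sender back is that nothing in the result, including the address later handed to the zone transfer code, originates from the untrusted packet.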