From 59ab128c972622f5aeafe3229966dcba73b62243 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Tue, 12 Nov 2002 20:16:30 +0000
Subject: [PATCH] 1400.   [bug]           Block the addition of wildcard NS
 records by IXFR                         or UPDATE. [RT #3502] developer:
 marka reveiwer: ogud

---
 CHANGES            |  3 +++
 bin/named/update.c | 10 +++++++++-
 lib/dns/xfrin.c    |  5 ++++-
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 43f7710582..20eb72c9ce 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+1400.	[bug]		Block the addition of wildcard NS records by IXFR
+			or UPDATE. [RT #3502]
+
 1399.	[bug]		Use serial number arithmetic when testing SIG
 			timestamps. [RT #4268]
 
diff --git a/bin/named/update.c b/bin/named/update.c
index 43cc468eac..d4241aa002 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.101 2002/08/29 05:40:07 marka Exp $ */
+/* $Id: update.c,v 1.102 2002/11/12 20:16:30 marka Exp $ */
 
 #include <config.h>
 
@@ -2321,6 +2321,14 @@ update_action(isc_task_t *task, isc_event_t *event) {
 					   typebuf);
 				continue;
 			}
+			if (rdata.type == dns_rdatatype_ns &&
+			    dns_name_iswildcard(name)) {
+				update_log(client, zone,
+					   LOGLEVEL_PROTOCOL,
+					   "attempt to add wildcard NS record"
+					   "ignored");
+				continue;
+			}
 			if (rdata.type == dns_rdatatype_cname) {
 				CHECK(cname_incompatible_rrset_exists(db, ver,
 								      name,
diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
index 8f2b9a4369..36314e96a3 100644
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrin.c,v 1.130 2002/09/24 01:04:03 marka Exp $ */
+/* $Id: xfrin.c,v 1.131 2002/11/12 20:16:30 marka Exp $ */
 
 #include <config.h>
 
@@ -510,6 +510,9 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, isc_uint32_t ttl,
 				goto redo;
 			}
 		}
+		if (rdata->type == dns_rdatatype_ns &&
+		    dns_name_iswildcard(name))
+			FAIL(DNS_R_INVALIDNS);
 		CHECK(ixfr_putdata(xfr, DNS_DIFFOP_ADD, name, ttl, rdata));
 		break;