diff --git a/CHANGES b/CHANGES
index 9069b19b4b..72ce74151f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+6244. [bug] Adjust log levels on malformed messages to NOTICE when
+ transferring in a zone. [GL #4290]
+
 6243. [bug] Restore the call order of dns_validator_destroy and fetchctx_detach to prevent use after free. [GL #4214]
diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
index 079d75a083..0ee5d3ac57 100644
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -380,7 +380,7 @@ ixfr_init(dns_xfrin_t *xfr) {
 char *journalfile = NULL;
 if (xfr->reqtype != dns_rdatatype_ixfr) {
- xfrin_log(xfr, ISC_LOG_ERROR,
+ xfrin_log(xfr, ISC_LOG_NOTICE,
 "got incremental response to AXFR request");
 return (DNS_R_FORMERR);
 }
@@ -496,6 +496,10 @@ xfr_rr(dns_xfrin_t *xfr, dns_name_t *name, uint32_t ttl, dns_rdata_t *rdata) {
 if (rdata->type == dns_rdatatype_none || dns_rdatatype_ismeta(rdata->type)) {
+ char buf[64];
+ dns_rdatatype_format(rdata->type, buf, sizeof(buf));
+ xfrin_log(xfr, ISC_LOG_NOTICE,
+ "Unexpected %s record in zone transfer", buf);
 FAIL(DNS_R_FORMERR);
 }
@@ -518,7 +522,7 @@ redo:
 switch (xfr->state) {
 case XFRST_SOAQUERY:
 if (rdata->type != dns_rdatatype_soa) {
- xfrin_log(xfr, ISC_LOG_ERROR,
+ xfrin_log(xfr, ISC_LOG_NOTICE,
 "non-SOA response to SOA query");
 FAIL(DNS_R_FORMERR);
 }
@@ -543,7 +547,7 @@ redo:
 case XFRST_INITIALSOA:
 if (rdata->type != dns_rdatatype_soa) {
- xfrin_log(xfr, ISC_LOG_ERROR,
+ xfrin_log(xfr, ISC_LOG_NOTICE,
 "first RR in zone transfer must be SOA");
 FAIL(DNS_R_FORMERR);
 }
@@ -628,7 +632,7 @@ redo:
 xfr->state = XFRST_IXFR_END;
 break;
 } else if (soa_serial != xfr->ixfr.current_serial) {
- xfrin_log(xfr, ISC_LOG_ERROR,
+ xfrin_log(xfr, ISC_LOG_NOTICE,
 "IXFR out of sync: "
 "expected serial %u, got %u",
 xfr->ixfr.current_serial, soa_serial);
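Review bot: The new `char buf[64]` in the meta-type check of xfr_rr (hunk at -496) uses a bare size where the tree has a named constant for exactly this purpose; `char buf[DNS_RDATATYPE_FORMATSIZE];` would tie the buffer to what dns_rdatatype_format() can produce. The call is already bounded by `sizeof(buf)`, so this is a maintainability point rather than an overflow. The added message also starts with a capital, `"Unexpected %s record in zone transfer"`, while every other xfrin_log string in this diff is lowercase, which matters to anyone matching these lines in log-monitoring rules; `"unexpected %s record in zone transfer"` would be consistent. xfr_rr begins and continues outside the hunk.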
@@ -664,7 +668,7 @@ redo:
 * allow for case differences.
 */
 if (dns_rdata_compare(rdata, &xfr->firstsoa) != 0) {
- xfrin_log(xfr, ISC_LOG_ERROR,
+ xfrin_log(xfr, ISC_LOG_NOTICE,
 "start and ending SOA records "
 "mismatch");
 FAIL(DNS_R_FORMERR);
@@ -1471,7 +1475,7 @@ xfrin_recv_done(isc_result_t result, isc_region_t *region, void *arg) {
 * match the question that was sent.
 */
 if (msg->counts[DNS_SECTION_QUESTION] > 1) {
- xfrin_log(xfr, ISC_LOG_DEBUG(3), "too many questions (%u)",
+ xfrin_log(xfr, ISC_LOG_NOTICE, "too many questions (%u)",
 msg->counts[DNS_SECTION_QUESTION]);
 result = DNS_R_FORMERR;
 goto failure;
@@ -1480,7 +1484,7 @@ xfrin_recv_done(isc_result_t result, isc_region_t *region, void *arg) {
 if ((xfr->state == XFRST_SOAQUERY || xfr->state == XFRST_INITIALSOA) && msg->counts[DNS_SECTION_QUESTION] != 1) {
- xfrin_log(xfr, ISC_LOG_DEBUG(3), "missing question section");
+ xfrin_log(xfr, ISC_LOG_NOTICE, "missing question section");
 result = DNS_R_FORMERR;
 goto failure;
 }
@@ -1497,7 +1501,7 @@ xfrin_recv_done(isc_result_t result, isc_region_t *region, void *arg) {
 dns_message_currentname(msg, DNS_SECTION_QUESTION, &name);
 if (!dns_name_equal(name, &xfr->name)) {
 result = DNS_R_FORMERR;
- xfrin_log(xfr, ISC_LOG_DEBUG(3),
+ xfrin_log(xfr, ISC_LOG_NOTICE,
 "question name mismatch");
 goto failure;
 }
@@ -1505,13 +1509,13 @@ xfrin_recv_done(isc_result_t result, isc_region_t *region, void *arg) {
 INSIST(rds != NULL);
 if (rds->type != xfr->reqtype) {
 result = DNS_R_FORMERR;
- xfrin_log(xfr, ISC_LOG_DEBUG(3),
+ xfrin_log(xfr, ISC_LOG_NOTICE,
 "question type mismatch");
 goto failure;
 }
 if (rds->rdclass != xfr->rdclass) {
 result = DNS_R_FORMERR;
- xfrin_log(xfr, ISC_LOG_DEBUG(3),
+ xfrin_log(xfr, ISC_LOG_NOTICE,
 "question class mismatch");
 goto failure;
 }
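Review bot: The question-section checks in xfrin_recv_done (hunks at -1497 and -1505) now log at NOTICE, but `"question name mismatch"`, `"question type mismatch"` and `"question class mismatch"` still do not say what was received. These conditions are set off by the content of a response from the remote end, so an operator seeing them in ordinary logs cannot tell a misconfigured primary from a response that does not belong to this transfer. Logging both sides would make the line usable for triage, for example `"question type mismatch: expected %s, got %s"` with `xfr->reqtype` and `rds->type` formatted through dns_rdatatype_format(), and the same for name and class. Every one of these paths does `goto failure`, which presumably ends the transfer attempt and so limits output to one line per attempt; the label is outside the hunks, so that is worth confirming before raising the level.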