From aaf95c8a1336b953d9ef682c32e0a097a4be75be Mon Sep 17 00:00:00 2001
From: Kees Monshouwer
Date: Mon, 14 Aug 2017 22:47:14 +0200
Subject: [PATCH] auth: first and last SOA in an AXFR must be identical
---
 pdns/dnsseckeeper.hh | 2 +-
 pdns/serialtweaker.cc | 4 ++--
 pdns/tcpreceiver.cc | 7 +++++--
 3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/pdns/dnsseckeeper.hh b/pdns/dnsseckeeper.hh
index 3473a4e46..a84e49762 100644
--- a/pdns/dnsseckeeper.hh
+++ b/pdns/dnsseckeeper.hh
@@ -284,7 +284,7 @@ uint32_t localtime_format_YYYYMMDDSS(time_t t, uint32_t seq);
 uint32_t calculateEditSOA(const DNSZoneRecord& rr, const string& kind);
 uint32_t calculateEditSOA(const SOAData& sd, const string& kind);
 bool editSOA(DNSSECKeeper& dk, const DNSName& qname, DNSPacket* dp);
-bool editSOARecord(DNSZoneRecord& rr, const string& kind, const DNSName& qname);
+bool editSOARecord(DNSZoneRecord& rr, const string& kind);
 // for SOA-EDIT-DNSUPDATE/API
 uint32_t calculateIncreaseSOA(SOAData sd, const string& increaseKind, const string& editKind);
 bool increaseSOARecord(DNSResourceRecord& rr, const string& increaseKind, const string& editKind);
diff --git a/pdns/serialtweaker.cc b/pdns/serialtweaker.cc
index f072c7a2b..f55b5b688 100644
--- a/pdns/serialtweaker.cc
+++ b/pdns/serialtweaker.cc
@@ -45,13 +45,13 @@ bool editSOA(DNSSECKeeper& dk, const DNSName& qname, DNSPacket* dp)
 if(rr.dr.d_type == QType::SOA && rr.dr.d_name == qname) {
 string kind;
 dk.getSoaEdit(qname, kind);
- return editSOARecord(rr, kind, qname);
+ return editSOARecord(rr, kind);
 }
 }
 return false;
 }
-bool editSOARecord(DNSZoneRecord& rr, const string& kind, const DNSName& qname) {
+bool editSOARecord(DNSZoneRecord& rr, const string& kind) {
 if(kind.empty()) return false;
 auto src = getRR(rr.dr);
diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc
index 184b49930..d6f241b07 100644
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
@@ -653,8 +653,12 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou
 DNSZoneRecord dzrsoa;
 dzrsoa.auth=true;
 dzrsoa.dr=DNSRecord(soa);
+
+ string kind;
+ dk.getSoaEdit(sd.qname, kind);
+ editSOARecord(dzrsoa, kind);
+
 outpacket->addRecord(dzrsoa);
- editSOA(dk, sd.qname, outpacket.get());
 if(securedZone) {
 set authSet;
 authSet.insert(target);
@@ -1046,7 +1050,6 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou
 /* and terminate with yet again the SOA record */
 outpacket=getFreshAXFRPacket(q);
 outpacket->addRecord(dzrsoa);
- editSOA(dk, sd.qname, outpacket.get());
 if(haveTSIGDetails && !tsigkeyname.empty()) outpacket->setTSIGDetails(trc, tsigkeyname, tsigsecret, trc.d_mac, true);
-- 
2.40.0
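Review bot: The added block before `outpacket->addRecord(dzrsoa)` has no comment saying why SOA-EDIT is now applied to `dzrsoa` itself rather than to each packet, yet the closing-SOA hunk (`@@ -1046,7 +1050,6 @@`) depends on `dzrsoa` already being edited. I would add `// Apply SOA-EDIT once, to dzrsoa itself, so the opening and closing SOA of this AXFR are identical` above `string kind;`, because a receiver that compares the two records may reject the transfer if a per-packet `editSOA` call is reintroduced later. The results of `dk.getSoaEdit` and `editSOARecord` are both discarded here; the serialtweaker.cc hunk shows that an empty `kind` only makes `editSOARecord` return false, so a failed metadata lookup would presumably serve the unedited serial without any log line, which is worth stating in the comment or logging. The diffstat lists no test file, so a regression test that transfers a zone with SOA-EDIT set and compares the first and last SOA would pin the behaviour. doAXFR starts and ends outside both hunks, so other uses of `dzrsoa` between them could not be checked from here.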