From 0313ede6e113f5d61fa8182340a964502c9f1954 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 12 Feb 2021 14:51:28 +1100
Subject: [PATCH] Address inconsistencies in checking added RRsets

loading_addrdataset() rejects SOA RRsets which are not at top of zone.
addrdataset() should similarly reject such RRsets.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/0313ede6e113f5d61fa8182340a964502c9f1954
---
 lib/dns/rbtdb.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 34fc404b2e..9d27a1519f 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -6839,6 +6839,13 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
 
 	if (rbtdb->common.methods == &zone_methods) {
+		/*
+		 * SOA records are only allowed at top of zone.
+		 */
+		if (rdataset->type == dns_rdatatype_soa &&
+		    node != rbtdb->origin_node) {
+			return (DNS_R_NOTZONETOP);
+		}
 		RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
 		REQUIRE(((rbtnode->nsec == DNS_RBT_NSEC_NSEC3 &&
 			  (rdataset->type == dns_rdatatype_nsec3 ||
-- 
2.23.0