
disabled xfrin triggered by a notify. the original implementation naively trusts the notify sender and uses it as the transfer master, which is very dangerous from a security point of view.

git-svn-id: svn://bind10.isc.org/svn/bind10/branches/trac221b@2479 e5f2f494-b856-4b98-b285-d166d9295462
JINMEI Tatuya 15 years ago
parent
commit
667b970229
1 changed files with 16 additions and 2 deletions
src/bin/xfrin/xfrin.py.in

@@ -418,8 +418,22 @@ a separate method for the convenience of unit tests.
                 # share the code.
                 (zone_name, rrclass,
                  master_addr, db_file) = self._parse_cmd_params(args)
-                ret = self.xfrin_start(zone_name, rrclass, db_file,
-                                       master_addr, True)
+
+                # XXX: master_addr is the sender of the notify message.
+                # It's very dangerous to naively trust it as the source of
+                # subsequent zone transfer; any remote node can easily exploit
+                # it to mount zone poisoning or DoS attacks.  We should
+                # locally identify the appropriate set of master servers.
+                # For now, we disable the code below.
+                master_is_valid = False
+
+                if master_is_valid:
+                    ret = self.xfrin_start(zone_name, rrclass, db_file,
+                                           master_addr, True)
+                else:
+                    errmsg = 'Failed to validate the master address ('
+                    errmsg += args['master'] + '), ignoring notify'
+                    ret = [1, errmsg]
                 answer = create_answer(ret[0], ret[1])
             else:
                 answer = create_answer(1, 'unknown command: ' + command)
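
Review bot: `master_is_valid = False` is a hard-coded constant, so the `xfrin_start(...)` branch under `if master_is_valid:` is unreachable and every notify-triggered transfer is now refused with result code 1. That matches the intent in the XXX comment, but the comment should say what will replace the constant (a check of `master_addr` against a locally configured set of masters for `zone_name`) or point to a tracking ticket, and a unit test asserting that the notify path returns the error would keep the branch from being re-enabled without that check. Separately, the error message is built from `args['master']` even though `master_addr` was just parsed from the same `args`; the `+` concatenation assumes that key is present and holds a str, so formatting the already-parsed value with `str()` would be more robust.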