File bind-CVE-2021-25214.patch of Package bind.34020

Index: bind-9.9.6-P1/lib/dns/xfrin.c
===================================================================
--- bind-9.9.6-P1.orig/lib/dns/xfrin.c
+++ bind-9.9.6-P1/lib/dns/xfrin.c
@@ -472,6 +472,20 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t
 	    dns_rdatatype_ismeta(rdata->type))
 		FAIL(DNS_R_FORMERR);
 
+       /*
+	* Immediately reject the entire transfer if the RR that is currently
+	* being processed is an SOA record that is not placed at the zone
+	* apex.
+	*/
+       if (rdata->type == dns_rdatatype_soa &&
+	   !dns_name_equal(&xfr->name, name)) {
+	       char namebuf[DNS_NAME_FORMATSIZE];
+	       dns_name_format(name, namebuf, sizeof(namebuf));
+	       xfrin_log(xfr, ISC_LOG_DEBUG(3), "SOA name mismatch: '%s'",
+			 namebuf);
+	       FAIL(DNS_R_NOTZONETOP);
+       }
+
  redo:
 	switch (xfr->state) {
 	case XFRST_SOAQUERY:
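Review bot: The new SOA-owner check reports its reason only at `ISC_LOG_DEBUG(3)`, so at normal verbosity an operator may see an aborted transfer without the offending owner name. Whether the failure path behind `FAIL(DNS_R_NOTZONETOP)` logs the result code is not visible in this hunk. Because a non-apex SOA in a transfer points to a broken or untrustworthy primary, I would raise the level, e.g. `xfrin_log(xfr, ISC_LOG_WARNING, "SOA name mismatch: '%s'", namebuf);`. The added lines also start with spaces where the surrounding context is tab-indented, so they should be re-indented to match the file. `xfr_rr` begins and ends outside the hunk, so the check's interaction with the per-state handling after `redo:` cannot be confirmed from here.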