projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Compiler quietening
[exim.git] / src / src / dns.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
3386088d 5/* Copyright (c) University of Cambridge 1995 - 2015 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Functions for interfacing with the DNS. */
9
10#include "exim.h"
11
12
059ec3d9 13
bef5a11f
PH		 14/*************************************************
15* Fake DNS resolver *
16*************************************************/
17
18/* This function is called instead of res_search() when Exim is running in its
19test harness. It recognizes some special domain names, and uses them to force
433a2980
PH		 20failure and retry responses (optionally with a delay). Otherwise, it calls an
21external utility that mocks-up a nameserver, if it can find the utility.
22If not, it passes its arguments on to res_search(). The fake nameserver may
23also return a code specifying that the name should be passed on.
bef5a11f
PH		 24
25Background: the original test suite required a real nameserver to carry the
8e013028 26test zones, whereas the new test suite has the fake server for portability. This
e7726cbf 27code supports both.
bef5a11f
PH		 28
29Arguments:
e7726cbf 30 domain the domain name
bef5a11f
PH		 31 type the DNS record type
32 answerptr where to put the answer
33 size size of the answer area
34
35Returns: length of returned data, or -1 on error (h_errno set)
36*/
37
38static int
1dc92d5a 39fakens_search(const uschar *domain, int type, uschar *answerptr, int size)
bef5a11f 40{
e7726cbf 41int len = Ustrlen(domain);
433a2980 42int asize = size; /* Locally modified */
e7726cbf 43uschar name[256];
433a2980
PH		 44uschar utilname[256];
45uschar *aptr = answerptr; /* Locally modified */
46struct stat statbuf;
47
48/* Remove terminating dot. */
e7726cbf
PH		 49
50if (domain[len - 1] == '.') len--;
51Ustrncpy(name, domain, len);
52name[len] = 0;
bef5a11f 53
433a2980
PH		 54/* Look for the fakens utility, and if it exists, call it. */
55
5f3d0983
HSHR		 56(void)string_format(utilname, sizeof(utilname), "%s/bin/fakens",
57 config_main_directory);
433a2980
PH		 58
59if (stat(CS utilname, &statbuf) >= 0)
bef5a11f 60 {
433a2980
PH		 61 pid_t pid;
62 int infd, outfd, rc;
63 uschar *argv[5];
64
3735e326 65 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) using fakens\n", name, dns_text_type(type));
433a2980
PH		 66
67 argv[0] = utilname;
5f3d0983 68 argv[1] = config_main_directory;
433a2980
PH		 69 argv[2] = name;
70 argv[3] = dns_text_type(type);
71 argv[4] = NULL;
72
73 pid = child_open(argv, NULL, 0000, &infd, &outfd, FALSE);
74 if (pid < 0)
75 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to run fakens: %s",
76 strerror(errno));
77
78 len = 0;
79 rc = -1;
80 while (asize > 0 && (rc = read(outfd, aptr, asize)) > 0)
81 {
82 len += rc;
83 aptr += rc; /* Don't modify the actual arguments, because they */
84 asize -= rc; /* may need to be passed on to res_search(). */
85 }
bef5a11f 86
aa7751be 87 /* If we ran out of output buffer before exhausting the return,
1fb7660f
JH		 88 carry on reading and counting it. */
89
90 if (asize == 0)
91 while ((rc = read(outfd, name, sizeof(name))) > 0)
92 len += rc;
93
433a2980
PH		 94 if (rc < 0)
95 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "read from fakens failed: %s",
96 strerror(errno));
bef5a11f 97
433a2980 98 switch(child_close(pid, 0))
bef5a11f 99 {
433a2980
PH		 100 case 0: return len;
101 case 1: h_errno = HOST_NOT_FOUND; return -1;
102 case 2: h_errno = TRY_AGAIN; return -1;
103 default:
104 case 3: h_errno = NO_RECOVERY; return -1;
105 case 4: h_errno = NO_DATA; return -1;
106 case 5: /* Pass on to res_search() */
107 DEBUG(D_dns) debug_printf("fakens returned PASS_ON\n");
bef5a11f
PH		 108 }
109 }
8e013028
HSHR		 110else
111 {
4cea764f 112 DEBUG(D_dns) debug_printf("fakens (%s) not found\n", utilname);
8e013028 113 }
bef5a11f 114
433a2980 115/* fakens utility not found, or it returned "pass on" */
bef5a11f 116
433a2980 117DEBUG(D_dns) debug_printf("passing %s on to res_search()\n", domain);
e7726cbf
PH		 118
119return res_search(CS domain, C_IN, type, answerptr, size);
bef5a11f
PH		 120}
121
122
059ec3d9
PH		 123
124/*************************************************
125* Initialize and configure resolver *
126*************************************************/
127
128/* Initialize the resolver and the storage for holding DNS answers if this is
129the first time we have been here, and set the resolver options.
130
131Arguments:
132 qualify_single TRUE to set the RES_DEFNAMES option
133 search_parents TRUE to set the RES_DNSRCH option
8c51eead 134 use_dnssec TRUE to set the RES_USE_DNSSEC option
059ec3d9
PH		 135
136Returns: nothing
137*/
138
139void
8c51eead 140dns_init(BOOL qualify_single, BOOL search_parents, BOOL use_dnssec)
059ec3d9 141{
5bfb4cdf
PP		 142res_state resp = os_get_dns_resolver_res();
143
144if ((resp->options & RES_INIT) == 0)
059ec3d9 145 {
5bfb4cdf
PP		 146 DEBUG(D_resolver) resp->options |= RES_DEBUG; /* For Cygwin */
147 os_put_dns_resolver_res(resp);
059ec3d9 148 res_init();
5bfb4cdf
PP		 149 DEBUG(D_resolver) resp->options |= RES_DEBUG;
150 os_put_dns_resolver_res(resp);
059ec3d9
PH		 151 }
152
5bfb4cdf
PP		 153resp->options &= ~(RES_DNSRCH | RES_DEFNAMES);
154resp->options |= (qualify_single? RES_DEFNAMES : 0) |
059ec3d9 155 (search_parents? RES_DNSRCH : 0);
5bfb4cdf
PP		 156if (dns_retrans > 0) resp->retrans = dns_retrans;
157if (dns_retry > 0) resp->retry = dns_retry;
e97d1f08
PP		 158
159#ifdef RES_USE_EDNS0
160if (dns_use_edns0 >= 0)
161 {
162 if (dns_use_edns0)
5bfb4cdf 163 resp->options |= RES_USE_EDNS0;
e97d1f08 164 else
5bfb4cdf 165 resp->options &= ~RES_USE_EDNS0;
e97d1f08
PP		 166 DEBUG(D_resolver)
167 debug_printf("Coerced resolver EDNS0 support %s.\n",
168 dns_use_edns0 ? "on" : "off");
169 }
170#else
171if (dns_use_edns0 >= 0)
172 DEBUG(D_resolver)
173 debug_printf("Unable to %sset EDNS0 without resolver support.\n",
174 dns_use_edns0 ? "" : "un");
175#endif
5bfb4cdf 176
1f4a55da
PP		 177#ifndef DISABLE_DNSSEC
178# ifdef RES_USE_DNSSEC
179# ifndef RES_USE_EDNS0
180# error Have RES_USE_DNSSEC but not RES_USE_EDNS0? Something hinky ...
181# endif
8c51eead
JH		 182if (use_dnssec)
183 resp->options |= RES_USE_DNSSEC;
0fbd9bff 184if (dns_dnssec_ok >= 0)
1f4a55da 185 {
0fbd9bff 186 if (dns_use_edns0 == 0 && dns_dnssec_ok != 0)
1f4a55da
PP		 187 {
188 DEBUG(D_resolver)
0fbd9bff 189 debug_printf("CONFLICT: dns_use_edns0 forced false, dns_dnssec_ok forced true, ignoring latter!\n");
1f4a55da
PP		 190 }
191 else
192 {
0fbd9bff 193 if (dns_dnssec_ok)
1f4a55da
PP		 194 resp->options |= RES_USE_DNSSEC;
195 else
196 resp->options &= ~RES_USE_DNSSEC;
197 DEBUG(D_resolver) debug_printf("Coerced resolver DNSSEC support %s.\n",
0fbd9bff 198 dns_dnssec_ok ? "on" : "off");
1f4a55da
PP		 199 }
200 }
201# else
0fbd9bff 202if (dns_dnssec_ok >= 0)
1f4a55da
PP		 203 DEBUG(D_resolver)
204 debug_printf("Unable to %sset DNSSEC without resolver support.\n",
0fbd9bff 205 dns_dnssec_ok ? "" : "un");
8c51eead
JH		 206if (use_dnssec)
207 DEBUG(D_resolver)
93d4b03a 208 debug_printf("Unable to set DNSSEC without resolver support.\n");
1f4a55da
PP		 209# endif
210#endif /* DISABLE_DNSSEC */
211
5bfb4cdf 212os_put_dns_resolver_res(resp);
059ec3d9
PH		 213}
214
215
216
217/*************************************************
218* Build key name for PTR records *
219*************************************************/
220
221/* This function inverts an IP address and adds the relevant domain, to produce
222a name that can be used to look up PTR records.
223
224Arguments:
225 string the IP address as a string
226 buffer a suitable buffer, long enough to hold the result
227
228Returns: nothing
229*/
230
231void
55414b25 232dns_build_reverse(const uschar *string, uschar *buffer)
059ec3d9 233{
55414b25 234const uschar *p = string + Ustrlen(string);
059ec3d9
PH		 235uschar *pp = buffer;
236
237/* Handle IPv4 address */
238
239#if HAVE_IPV6
240if (Ustrchr(string, ':') == NULL)
241#endif
242 {
243 int i;
244 for (i = 0; i < 4; i++)
245 {
55414b25 246 const uschar *ppp = p;
059ec3d9
PH		 247 while (ppp > string && ppp[-1] != '.') ppp--;
248 Ustrncpy(pp, ppp, p - ppp);
249 pp += p - ppp;
250 *pp++ = '.';
251 p = ppp - 1;
252 }
253 Ustrcpy(pp, "in-addr.arpa");
254 }
255
256/* Handle IPv6 address; convert to binary so as to fill out any
257abbreviation in the textual form. */
258
259#if HAVE_IPV6
260else
261 {
262 int i;
263 int v6[4];
264 (void)host_aton(string, v6);
265
266 /* The original specification for IPv6 reverse lookup was to invert each
267 nibble, and look in the ip6.int domain. The domain was subsequently
268 changed to ip6.arpa. */
269
270 for (i = 3; i >= 0; i--)
271 {
272 int j;
273 for (j = 0; j < 32; j += 4)
274 {
275 sprintf(CS pp, "%x.", (v6[i] >> j) & 15);
276 pp += 2;
277 }
278 }
279 Ustrcpy(pp, "ip6.arpa.");
280
281 /* Another way of doing IPv6 reverse lookups was proposed in conjunction
282 with A6 records. However, it fell out of favour when they did. The
283 alternative was to construct a binary key, and look in ip6.arpa. I tried
284 to make this code do that, but I could not make it work on Solaris 8. The
285 resolver seems to lose the initial backslash somehow. However, now that
286 this style of reverse lookup has been dropped, it doesn't matter. These
287 lines are left here purely for historical interest. */
288
289 /**************************************************
290 Ustrcpy(pp, "\\[x");
291 pp += 3;
292
293 for (i = 0; i < 4; i++)
294 {
295 sprintf(pp, "%08X", v6[i]);
296 pp += 8;
297 }
298 Ustrcpy(pp, "].ip6.arpa.");
299 **************************************************/
300
301 }
302#endif
303}
304
305
306
307
308/*************************************************
309* Get next DNS record from answer block *
310*************************************************/
311
312/* Call this with reset == RESET_ANSWERS to scan the answer block, reset ==
e5a9dba6
PH		 313RESET_AUTHORITY to scan the authority records, reset == RESET_ADDITIONAL to
314scan the additional records, and reset == RESET_NEXT to get the next record.
315The result is in static storage which must be copied if it is to be preserved.
059ec3d9
PH		 316
317Arguments:
318 dnsa pointer to dns answer block
319 dnss pointer to dns scan block
320 reset option specifing what portion to scan, as described above
321
322Returns: next dns record, or NULL when no more
323*/
324
325dns_record *
326dns_next_rr(dns_answer *dnsa, dns_scan *dnss, int reset)
327{
328HEADER *h = (HEADER *)dnsa->answer;
329int namelen;
330
331/* Reset the saved data when requested to, and skip to the first required RR */
332
333if (reset != RESET_NEXT)
334 {
335 dnss->rrcount = ntohs(h->qdcount);
336 dnss->aptr = dnsa->answer + sizeof(HEADER);
337
338 /* Skip over questions; failure to expand the name just gives up */
339
340 while (dnss->rrcount-- > 0)
341 {
342 namelen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
343 dnss->aptr, (DN_EXPAND_ARG4_TYPE) &(dnss->srr.name), DNS_MAXNAME);
344 if (namelen < 0) { dnss->rrcount = 0; return NULL; }
345 dnss->aptr += namelen + 4; /* skip name & type & class */
346 }
347
348 /* Get the number of answer records. */
349
350 dnss->rrcount = ntohs(h->ancount);
351
e5a9dba6
PH		 352 /* Skip over answers if we want to look at the authority section. Also skip
353 the NS records (i.e. authority section) if wanting to look at the additional
059ec3d9
PH		 354 records. */
355
e5a9dba6
PH		 356 if (reset == RESET_ADDITIONAL) dnss->rrcount += ntohs(h->nscount);
357
358 if (reset == RESET_AUTHORITY || reset == RESET_ADDITIONAL)
059ec3d9 359 {
059ec3d9
PH		 360 while (dnss->rrcount-- > 0)
361 {
362 namelen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
363 dnss->aptr, (DN_EXPAND_ARG4_TYPE) &(dnss->srr.name), DNS_MAXNAME);
364 if (namelen < 0) { dnss->rrcount = 0; return NULL; }
365 dnss->aptr += namelen + 8; /* skip name, type, class & TTL */
366 GETSHORT(dnss->srr.size, dnss->aptr); /* size of data portion */
367 dnss->aptr += dnss->srr.size; /* skip over it */
368 }
e5a9dba6
PH		 369 dnss->rrcount = (reset == RESET_AUTHORITY)
370 ? ntohs(h->nscount) : ntohs(h->arcount);
059ec3d9
PH		 371 }
372 }
373
059ec3d9
PH		 374/* The variable dnss->aptr is now pointing at the next RR, and dnss->rrcount
375contains the number of RR records left. */
376
377if (dnss->rrcount-- <= 0) return NULL;
378
379/* If expanding the RR domain name fails, behave as if no more records
380(something safe). */
381
382namelen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, dnss->aptr,
383 (DN_EXPAND_ARG4_TYPE) &(dnss->srr.name), DNS_MAXNAME);
384if (namelen < 0) { dnss->rrcount = 0; return NULL; }
385
386/* Move the pointer past the name and fill in the rest of the data structure
387from the following bytes. */
388
389dnss->aptr += namelen;
390GETSHORT(dnss->srr.type, dnss->aptr); /* Record type */
391dnss->aptr += 6; /* Don't want class or TTL */
392GETSHORT(dnss->srr.size, dnss->aptr); /* Size of data portion */
393dnss->srr.data = dnss->aptr; /* The record's data follows */
394dnss->aptr += dnss->srr.size; /* Advance to next RR */
395
396/* Return a pointer to the dns_record structure within the dns_answer. This is
397for convenience so that the scans can use nice-looking for loops. */
398
399return &(dnss->srr);
400}
401
402
8db90b31
HSHR		 403/* Extract the AUTHORITY information from the answer. If the
404answer isn't authoritive (AA not set), we do not extract anything.
405
406The AUTHORITIVE section contains NS records if
407the name in question was found, it contains a SOA record
408otherwise. (This is just from experience and some tests, is there
409some spec?)
410
411We've cycle through the AUTHORITY section, since it may contain
412other records (e.g. NSEC3) too. */
09b80b4e
JH		 413
414static const uschar *
415dns_extract_auth_name(const dns_answer * dnsa) /* FIXME: const dns_answer */
9820a77f 416{
09b80b4e
JH		 417dns_scan dnss;
418dns_record * rr;
419HEADER * h = (HEADER *) dnsa->answer;
420
421if (!h->nscount || !h->aa) return NULL;
422for (rr = dns_next_rr((dns_answer*) dnsa, &dnss, RESET_AUTHORITY);
423 rr;
424 rr = dns_next_rr((dns_answer*) dnsa, &dnss, RESET_NEXT))
47c20958 425 if (rr->type == (h->ancount ? T_NS : T_SOA)) return rr->name;
09b80b4e 426return NULL;
9820a77f
HSHR		 427}
428
429
059ec3d9
PH		 430
431
1f4a55da
PP		 432/*************************************************
433* Return whether AD bit set in DNS result *
434*************************************************/
435
436/* We do not perform DNSSEC work ourselves; if the administrator has installed
437a verifying resolver which sets AD as appropriate, though, we'll use that.
9820a77f 438(AD = Authentic Data, AA = Authoritive Answer)
1f4a55da
PP		 439
440Argument: pointer to dns answer block
441Returns: bool indicating presence of AD bit
442*/
443
444BOOL
4a142059 445dns_is_secure(const dns_answer * dnsa)
1f4a55da
PP		 446{
447#ifdef DISABLE_DNSSEC
448DEBUG(D_dns)
449 debug_printf("DNSSEC support disabled at build-time; dns_is_secure() false\n");
450return FALSE;
451#else
09b80b4e
JH		 452HEADER * h = (HEADER *) dnsa->answer;
453const uschar * auth_name;
454const uschar * trusted;
9820a77f
HSHR		 455
456if (h->ad) return TRUE;
9820a77f 457
09b80b4e
JH		 458/* If the resolver we ask is authoritive for the domain in question, it
459* may not set the AD but the AA bit. If we explicitly trust
460* the resolver for that domain (via a domainlist in dns_trust_aa),
461* we return TRUE to indicate a secure answer.
462*/
9820a77f 463
09b80b4e
JH		 464if ( !h->aa
465 || !dns_trust_aa
25bf2076
HSHR		 466 || !(trusted = expand_string(dns_trust_aa))
467 || !*trusted
09b80b4e
JH		 468 || !(auth_name = dns_extract_auth_name(dnsa))
469 || OK != match_isinlist(auth_name, &trusted, 0, NULL, NULL,
470 MCL_DOMAIN, TRUE, NULL)
471 )
472 return FALSE;
9820a77f 473
09b80b4e
JH		 474DEBUG(D_dns) debug_printf("DNS faked the AD bit "
475 "(got AA and matched with dns_trust_aa (%s in %s))\n",
476 auth_name, dns_trust_aa);
9820a77f 477
09b80b4e 478return TRUE;
1f4a55da
PP		 479#endif
480}
481
4a142059
JH		 482static void
483dns_set_insecure(dns_answer * dnsa)
484{
485HEADER * h = (HEADER *)dnsa->answer;
486h->ad = 0;
487}
488
221dff13
HSHR		 489/************************************************
490 * Check whether the AA bit is set *
491 * We need this to warn if we requested AD *
9820a77f 492 * from an authoritive server *
221dff13
HSHR		 493 ************************************************/
494
495BOOL
496dns_is_aa(const dns_answer *dnsa)
497{
498return ((HEADER*)dnsa->answer)->aa;
499}
1f4a55da
PP		 500
501
502
059ec3d9
PH		 503/*************************************************
504* Turn DNS type into text *
505*************************************************/
506
885ccd3e
PH		 507/* Turn the coded record type into a string for printing. All those that Exim
508uses should be included here.
059ec3d9
PH		 509
510Argument: record type
511Returns: pointer to string
512*/
513
514uschar *
515dns_text_type(int t)
516{
517switch(t)
518 {
33397d19
PH		 519 case T_A: return US"A";
520 case T_MX: return US"MX";
521 case T_AAAA: return US"AAAA";
522 case T_A6: return US"A6";
523 case T_TXT: return US"TXT";
eae0036b 524 case T_SPF: return US"SPF";
33397d19 525 case T_PTR: return US"PTR";
885ccd3e 526 case T_SOA: return US"SOA";
33397d19
PH		 527 case T_SRV: return US"SRV";
528 case T_NS: return US"NS";
8e669ac1 529 case T_CNAME: return US"CNAME";
1e06383a 530 case T_TLSA: return US"TLSA";
33397d19 531 default: return US"?";
059ec3d9
PH		 532 }
533}
534
535
536
537/*************************************************
538* Cache a failed DNS lookup result *
539*************************************************/
540
541/* We cache failed lookup results so as not to experience timeouts many
542times for the same domain. We need to retain the resolver options because they
543may change. For successful lookups, we rely on resolver and/or name server
544caching.
545
546Arguments:
547 name the domain name
548 type the lookup type
549 rc the return code
550
551Returns: the return code
552*/
553
554static int
1dc92d5a 555dns_return(const uschar * name, int type, int rc)
059ec3d9 556{
5bfb4cdf 557res_state resp = os_get_dns_resolver_res();
059ec3d9
PH		 558tree_node *node = store_get_perm(sizeof(tree_node) + 290);
559sprintf(CS node->name, "%.255s-%s-%lx", name, dns_text_type(type),
5bfb4cdf 560 resp->options);
059ec3d9
PH		 561node->data.val = rc;
562(void)tree_insertnode(&tree_dns_fails, node);
563return rc;
564}
565
059ec3d9
PH		 566/*************************************************
567* Do basic DNS lookup *
568*************************************************/
569
570/* Call the resolver to look up the given domain name, using the given type,
571and check the result. The error code TRY_AGAIN is documented as meaning "non-
572Authoritive Host not found, or SERVERFAIL". Sometimes there are badly set
573up nameservers that produce this error continually, so there is the option of
574providing a list of domains for which this is treated as a non-existent
575host.
576
577Arguments:
578 dnsa pointer to dns_answer structure
579 name name to look up
580 type type of DNS record required (T_A, T_MX, etc)
581
582Returns: DNS_SUCCEED successful lookup
583 DNS_NOMATCH name not found (NXDOMAIN)
584 or name contains illegal characters (if checking)
30e18802 585 or name is an IP address (for IP address lookup)
059ec3d9
PH		 586 DNS_NODATA domain exists, but no data for this type (NODATA)
587 DNS_AGAIN soft failure, try again later
588 DNS_FAIL DNS failure
589*/
590
591int
1dc92d5a 592dns_basic_lookup(dns_answer *dnsa, const uschar *name, int type)
059ec3d9
PH		 593{
594#ifndef STAND_ALONE
7156b1ef 595int rc = -1;
55414b25 596const uschar *save_domain;
059ec3d9 597#endif
5bfb4cdf 598res_state resp = os_get_dns_resolver_res();
059ec3d9
PH		 599
600tree_node *previous;
601uschar node_name[290];
602
603/* DNS lookup failures of any kind are cached in a tree. This is mainly so that
604a timeout on one domain doesn't happen time and time again for messages that
605have many addresses in the same domain. We rely on the resolver and name server
606caching for successful lookups. */
607
608sprintf(CS node_name, "%.255s-%s-%lx", name, dns_text_type(type),
5bfb4cdf 609 resp->options);
059ec3d9
PH		 610previous = tree_search(tree_dns_fails, node_name);
611if (previous != NULL)
612 {
613 DEBUG(D_dns) debug_printf("DNS lookup of %.255s-%s: using cached value %s\n",
614 name, dns_text_type(type),
615 (previous->data.val == DNS_NOMATCH)? "DNS_NOMATCH" :
616 (previous->data.val == DNS_NODATA)? "DNS_NODATA" :
617 (previous->data.val == DNS_AGAIN)? "DNS_AGAIN" :
618 (previous->data.val == DNS_FAIL)? "DNS_FAIL" : "??");
619 return previous->data.val;
620 }
621
9d4319df
JH		 622#ifdef EXPERIMENTAL_INTERNATIONAL
623/* Convert all names to a-label form before doing lookup */
624 {
625 uschar * alabel;
626 uschar * errstr = NULL;
766e7a65
JH		 627 DEBUG(D_dns) if (string_is_utf8(name))
628 debug_printf("convert utf8 '%s' to alabel for for lookup\n", name);
9d4319df
JH		 629 if ((alabel = string_domain_utf8_to_alabel(name, &errstr)), errstr)
630 {
631 DEBUG(D_dns)
37bf366e 632 debug_printf("DNS name '%s' utf8 conversion to alabel failed: %s\n", name,
9d4319df
JH		 633 errstr);
634 host_find_failed_syntax = TRUE;
635 return DNS_NOMATCH;
636 }
637 name = alabel;
638 }
639#endif
640
059ec3d9
PH		 641/* If configured, check the hygene of the name passed to lookup. Otherwise,
642although DNS lookups may give REFUSED at the lower level, some resolvers
643turn this into TRY_AGAIN, which is silly. Give a NOMATCH return, since such
644domains cannot be in the DNS. The check is now done by a regular expression;
645give it space for substring storage to save it having to get its own if the
646regex has substrings that are used - the default uses a conditional.
647
648This test is omitted for PTR records. These occur only in calls from the dnsdb
649lookup, which constructs the names itself, so they should be OK. Besides,
650bitstring labels don't conform to normal name syntax. (But the aren't used any
651more.)
652
653For SRV records, we omit the initial _smtp._tcp. components at the start. */
654
655#ifndef STAND_ALONE /* Omit this for stand-alone tests */
656
482d1455 657if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT)
059ec3d9 658 {
1dc92d5a 659 const uschar *checkname = name;
059ec3d9
PH		 660 int ovector[3*(EXPAND_MAXN+1)];
661
476be7e2 662 dns_pattern_init();
059ec3d9
PH		 663
664 /* For an SRV lookup, skip over the first two components (the service and
665 protocol names, which both start with an underscore). */
666
b4161d10 667 if (type == T_SRV || type == T_TLSA)
059ec3d9
PH		 668 {
669 while (*checkname++ != '.');
670 while (*checkname++ != '.');
671 }
672
1dc92d5a 673 if (pcre_exec(regex_check_dns_names, NULL, CCS checkname, Ustrlen(checkname),
059ec3d9
PH		 674 0, PCRE_EOPT, ovector, sizeof(ovector)/sizeof(int)) < 0)
675 {
676 DEBUG(D_dns)
677 debug_printf("DNS name syntax check failed: %s (%s)\n", name,
678 dns_text_type(type));
679 host_find_failed_syntax = TRUE;
680 return DNS_NOMATCH;
681 }
682 }
683
684#endif /* STAND_ALONE */
685
686/* Call the resolver; for an overlong response, res_search() will return the
bef5a11f
PH		 687number of bytes the message would need, so we need to check for this case. The
688effect is to truncate overlong data.
689
30e18802
PH		 690On some systems, res_search() will recognize "A-for-A" queries and return
691the IP address instead of returning -1 with h_error=HOST_NOT_FOUND. Some
692nameservers are also believed to do this. It is, of course, contrary to the
693specification of the DNS, so we lock it out. */
694
cc00f4af 695if ((type == T_A || type == T_AAAA) && string_is_ip_address(name, NULL) != 0)
30e18802
PH		 696 return DNS_NOMATCH;
697
698/* If we are running in the test harness, instead of calling the normal resolver
bef5a11f
PH		 699(res_search), we call fakens_search(), which recognizes certain special
700domains, and interfaces to a fake nameserver for certain special zones. */
701
cc00f4af
JH		 702dnsa->answerlen = running_in_test_harness
703 ? fakens_search(name, type, dnsa->answer, MAXPACKET)
704 : res_search(CCS name, C_IN, type, dnsa->answer, MAXPACKET);
059ec3d9 705
80a47a2c
TK		 706if (dnsa->answerlen > MAXPACKET)
707 {
708 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) resulted in overlong packet (size %d), truncating to %d.\n",
709 name, dns_text_type(type), dnsa->answerlen, MAXPACKET);
710 dnsa->answerlen = MAXPACKET;
711 }
059ec3d9
PH		 712
713if (dnsa->answerlen < 0) switch (h_errno)
714 {
715 case HOST_NOT_FOUND:
716 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave HOST_NOT_FOUND\n"
717 "returning DNS_NOMATCH\n", name, dns_text_type(type));
718 return dns_return(name, type, DNS_NOMATCH);
719
720 case TRY_AGAIN:
721 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave TRY_AGAIN\n",
722 name, dns_text_type(type));
723
724 /* Cut this out for various test programs */
1dc92d5a 725#ifndef STAND_ALONE
55414b25 726 save_domain = deliver_domain;
1dc92d5a 727 deliver_domain = string_copy(name); /* set $domain */
55414b25 728 rc = match_isinlist(name, (const uschar **)&dns_again_means_nonexist, 0, NULL, NULL,
059ec3d9 729 MCL_DOMAIN, TRUE, NULL);
55414b25 730 deliver_domain = save_domain;
059ec3d9
PH		 731 if (rc != OK)
732 {
733 DEBUG(D_dns) debug_printf("returning DNS_AGAIN\n");
734 return dns_return(name, type, DNS_AGAIN);
735 }
736 DEBUG(D_dns) debug_printf("%s is in dns_again_means_nonexist: returning "
737 "DNS_NOMATCH\n", name);
738 return dns_return(name, type, DNS_NOMATCH);
739
1dc92d5a 740#else /* For stand-alone tests */
059ec3d9 741 return dns_return(name, type, DNS_AGAIN);
1dc92d5a 742#endif
059ec3d9
PH		 743
744 case NO_RECOVERY:
745 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave NO_RECOVERY\n"
746 "returning DNS_FAIL\n", name, dns_text_type(type));
747 return dns_return(name, type, DNS_FAIL);
748
749 case NO_DATA:
750 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave NO_DATA\n"
751 "returning DNS_NODATA\n", name, dns_text_type(type));
752 return dns_return(name, type, DNS_NODATA);
753
754 default:
755 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave unknown DNS error %d\n"
756 "returning DNS_FAIL\n", name, dns_text_type(type), h_errno);
757 return dns_return(name, type, DNS_FAIL);
758 }
759
760DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) succeeded\n",
761 name, dns_text_type(type));
762
763return DNS_SUCCEED;
764}
765
766
767
768
769/************************************************
770* Do a DNS lookup and handle CNAMES *
771************************************************/
772
773/* Look up the given domain name, using the given type. Follow CNAMEs if
774necessary, but only so many times. There aren't supposed to be CNAME chains in
775the DNS, but you are supposed to cope with them if you find them.
776
777The assumption is made that if the resolver gives back records of the
778requested type *and* a CNAME, we don't need to make another call to look up
779the CNAME. I can't see how it could return only some of the right records. If
780it's done a CNAME lookup in the past, it will have all of them; if not, it
781won't return any.
782
783If fully_qualified_name is not NULL, set it to point to the full name
784returned by the resolver, if this is different to what it is given, unless
785the returned name starts with "*" as some nameservers seem to be returning
766e7a65
JH		 786wildcards in this form. In international mode "different" means "alabel
787forms are different".
059ec3d9
PH		 788
789Arguments:
790 dnsa pointer to dns_answer structure
791 name domain name to look up
792 type DNS record type (T_A, T_MX, etc)
793 fully_qualified_name if not NULL, return the returned name here if its
794 contents are different (i.e. it must be preset)
795
796Returns: DNS_SUCCEED successful lookup
797 DNS_NOMATCH name not found
798 DNS_NODATA no data found
799 DNS_AGAIN soft failure, try again later
800 DNS_FAIL DNS failure
801*/
802
803int
1dc92d5a 804dns_lookup(dns_answer *dnsa, const uschar *name, int type,
55414b25 805 const uschar **fully_qualified_name)
059ec3d9
PH		 806{
807int i;
1dc92d5a 808const uschar *orig_name = name;
c85b3043 809BOOL secure_so_far = TRUE;
059ec3d9
PH		 810
811/* Loop to follow CNAME chains so far, but no further... */
812
813for (i = 0; i < 10; i++)
814 {
815 uschar data[256];
816 dns_record *rr, cname_rr, type_rr;
817 dns_scan dnss;
818 int datalen, rc;
819
820 /* DNS lookup failures get passed straight back. */
821
822 if ((rc = dns_basic_lookup(dnsa, name, type)) != DNS_SUCCEED) return rc;
823
824 /* We should have either records of the required type, or a CNAME record,
825 or both. We need to know whether both exist for getting the fully qualified
826 name, but avoid scanning more than necessary. Note that we must copy the
827 contents of any rr blocks returned by dns_next_rr() as they use the same
828 area in the dnsa block. */
829
830 cname_rr.data = type_rr.data = NULL;
831 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
1705dd20 832 rr;
059ec3d9
PH		 833 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
834 {
835 if (rr->type == type)
836 {
837 if (type_rr.data == NULL) type_rr = *rr;
838 if (cname_rr.data != NULL) break;
839 }
840 else if (rr->type == T_CNAME) cname_rr = *rr;
841 }
842
a2042e78
PH		 843 /* For the first time round this loop, if a CNAME was found, take the fully
844 qualified name from it; otherwise from the first data record, if present. */
059ec3d9 845
a2042e78 846 if (i == 0 && fully_qualified_name != NULL)
059ec3d9 847 {
766e7a65
JH		 848 uschar * rr_name = cname_rr.data ? cname_rr.name
849 : type_rr.data ? type_rr.name : NULL;
850 if ( rr_name
851 && Ustrcmp(rr_name, *fully_qualified_name) != 0
852 && rr_name[0] != '*'
853#ifdef EXPERIMENTAL_INTERNATIONAL
854 && ( !string_is_utf8(*fully_qualified_name)
855 || Ustrcmp(rr_name,
856 string_domain_utf8_to_alabel(*fully_qualified_name, NULL)) != 0
857 )
858#endif
859 )
860 *fully_qualified_name = string_copy_dnsdomain(rr_name);
059ec3d9
PH		 861 }
862
863 /* If any data records of the correct type were found, we are done. */
864
c85b3043
JH		 865 if (type_rr.data != NULL)
866 {
867 if (!secure_so_far) /* mark insecure if any element of CNAME chain was */
4a142059 868 dns_set_insecure(dnsa);
c85b3043
JH		 869 return DNS_SUCCEED;
870 }
059ec3d9
PH		 871
872 /* If there are no data records, we need to re-scan the DNS using the
873 domain given in the CNAME record, which should exist (otherwise we should
874 have had a failure from dns_lookup). However code against the possibility of
875 its not existing. */
876
877 if (cname_rr.data == NULL) return DNS_FAIL;
878 datalen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
1dc92d5a 879 cname_rr.data, (DN_EXPAND_ARG4_TYPE)data, sizeof(data));
059ec3d9
PH		 880 if (datalen < 0) return DNS_FAIL;
881 name = data;
a2042e78 882
c85b3043
JH		 883 if (!dns_is_secure(dnsa))
884 secure_so_far = FALSE;
885
a2042e78 886 DEBUG(D_dns) debug_printf("CNAME found: change to %s\n", name);
059ec3d9
PH		 887 } /* Loop back to do another lookup */
888
889/*Control reaches here after 10 times round the CNAME loop. Something isn't
890right... */
891
892log_write(0, LOG_MAIN, "CNAME loop for %s encountered", orig_name);
893return DNS_FAIL;
894}
895
896
897
33397d19
PH		 898
899
900
901/************************************************
902* Do a DNS lookup and handle virtual types *
903************************************************/
904
9820a77f 905/* This function handles some invented "lookup types" that synthesize features
8e669ac1 906not available in the basic types. The special types all have negative values.
33397d19
PH		 907Positive type values are passed straight on to dns_lookup().
908
909Arguments:
910 dnsa pointer to dns_answer structure
911 name domain name to look up
912 type DNS record type (T_A, T_MX, etc or a "special")
913 fully_qualified_name if not NULL, return the returned name here if its
914 contents are different (i.e. it must be preset)
915
916Returns: DNS_SUCCEED successful lookup
917 DNS_NOMATCH name not found
918 DNS_NODATA no data found
919 DNS_AGAIN soft failure, try again later
920 DNS_FAIL DNS failure
921*/
922
923int
1dc92d5a 924dns_special_lookup(dns_answer *dnsa, const uschar *name, int type,
55414b25 925 const uschar **fully_qualified_name)
33397d19 926{
d2a2c69b 927switch (type)
e5a9dba6 928 {
d2a2c69b
JH		 929 /* The "mx hosts only" type doesn't require any special action here */
930 case T_MXH:
1705dd20 931 return dns_lookup(dnsa, name, T_MX, fully_qualified_name);
d2a2c69b
JH		 932
933 /* Find nameservers for the domain or the nearest enclosing zone, excluding
934 the root servers. */
935 case T_ZNS:
1705dd20
JH		 936 type = T_NS;
937 /* FALLTHROUGH */
d2a2c69b 938 case T_SOA:
1705dd20
JH		 939 {
940 const uschar *d = name;
941 while (d != 0)
942 {
943 int rc = dns_lookup(dnsa, d, type, fully_qualified_name);
944 if (rc != DNS_NOMATCH && rc != DNS_NODATA) return rc;
945 while (*d != 0 && *d != '.') d++;
946 if (*d++ == 0) break;
947 }
948 return DNS_NOMATCH;
949 }
d2a2c69b
JH		 950
951 /* Try to look up the Client SMTP Authorization SRV record for the name. If
952 there isn't one, search from the top downwards for a CSA record in a parent
953 domain, which might be making assertions about subdomains. If we find a record
954 we set fully_qualified_name to whichever lookup succeeded, so that the caller
955 can tell whether to look at the explicit authorization field or the subdomain
956 assertion field. */
957 case T_CSA:
1705dd20
JH		 958 {
959 uschar *srvname, *namesuff, *tld, *p;
960 int priority, weight, port;
961 int limit, rc, i;
962 BOOL ipv6;
963 dns_record *rr;
964 dns_scan dnss;
965
966 DEBUG(D_dns) debug_printf("CSA lookup of %s\n", name);
967
968 srvname = string_sprintf("_client._smtp.%s", name);
969 rc = dns_lookup(dnsa, srvname, T_SRV, NULL);
970 if (rc == DNS_SUCCEED || rc == DNS_AGAIN)
971 {
972 if (rc == DNS_SUCCEED) *fully_qualified_name = string_copy(name);
973 return rc;
974 }
d2a2c69b 975
1705dd20
JH		 976 /* Search for CSA subdomain assertion SRV records from the top downwards,
977 starting with the 2nd level domain. This order maximizes cache-friendliness.
978 We skip the top level domains to avoid loading their nameservers and because
979 we know they'll never have CSA SRV records. */
d2a2c69b 980
1705dd20
JH		 981 namesuff = Ustrrchr(name, '.');
982 if (namesuff == NULL) return DNS_NOMATCH;
983 tld = namesuff + 1;
984 ipv6 = FALSE;
985 limit = dns_csa_search_limit;
986
987 /* Use more appropriate search parameters if we are in the reverse DNS. */
988
989 if (strcmpic(namesuff, US".arpa") == 0)
990 if (namesuff - 8 > name && strcmpic(namesuff - 8, US".in-addr.arpa") == 0)
991 {
992 namesuff -= 8;
d2a2c69b 993 tld = namesuff + 1;
1705dd20
JH		 994 limit = 3;
995 }
996 else if (namesuff - 4 > name && strcmpic(namesuff - 4, US".ip6.arpa") == 0)
997 {
998 namesuff -= 4;
999 tld = namesuff + 1;
1000 ipv6 = TRUE;
1001 limit = 3;
1002 }
d2a2c69b 1003
1705dd20 1004 DEBUG(D_dns) debug_printf("CSA TLD %s\n", tld);
d2a2c69b 1005
1705dd20
JH		 1006 /* Do not perform the search if the top level or 2nd level domains do not
1007 exist. This is quite common, and when it occurs all the search queries would
1008 go to the root or TLD name servers, which is not friendly. So we check the
1009 AUTHORITY section; if it contains the root's SOA record or the TLD's SOA then
1010 the TLD or the 2LD (respectively) doesn't exist and we can skip the search.
1011 If the TLD and the 2LD exist but the explicit CSA record lookup failed, then
1012 the AUTHORITY SOA will be the 2LD's or a subdomain thereof. */
1013
1014 if (rc == DNS_NOMATCH)
1015 {
1016 /* This is really gross. The successful return value from res_search() is
1017 the packet length, which is stored in dnsa->answerlen. If we get a
1018 negative DNS reply then res_search() returns -1, which causes the bounds
1019 checks for name decompression to fail when it is treated as a packet
1020 length, which in turn causes the authority search to fail. The correct
1021 packet length has been lost inside libresolv, so we have to guess a
1022 replacement value. (The only way to fix this properly would be to
1023 re-implement res_search() and res_query() so that they don't muddle their
1024 success and packet length return values.) For added safety we only reset
1025 the packet length if the packet header looks plausible. */
1026
1027 HEADER *h = (HEADER *)dnsa->answer;
1028 if (h->qr == 1 && h->opcode == QUERY && h->tc == 0
1029 && (h->rcode == NOERROR || h->rcode == NXDOMAIN)
1030 && ntohs(h->qdcount) == 1 && ntohs(h->ancount) == 0
1031 && ntohs(h->nscount) >= 1)
1032 dnsa->answerlen = MAXPACKET;
1033
1034 for (rr = dns_next_rr(dnsa, &dnss, RESET_AUTHORITY);
1035 rr;
1036 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
1037 )
1038 if (rr->type != T_SOA) continue;
1039 else if (strcmpic(rr->name, US"") == 0 ||
1040 strcmpic(rr->name, tld) == 0) return DNS_NOMATCH;
1041 else break;
1042 }
d2a2c69b 1043
1705dd20
JH		 1044 for (i = 0; i < limit; i++)
1045 {
1046 if (ipv6)
1047 {
1048 /* Scan through the IPv6 reverse DNS in chunks of 16 bits worth of IP
1049 address, i.e. 4 hex chars and 4 dots, i.e. 8 chars. */
1050 namesuff -= 8;
1051 if (namesuff <= name) return DNS_NOMATCH;
1052 }
1053 else
1054 /* Find the start of the preceding domain name label. */
1055 do
1056 if (--namesuff <= name) return DNS_NOMATCH;
1057 while (*namesuff != '.');
1058
1059 DEBUG(D_dns) debug_printf("CSA parent search at %s\n", namesuff + 1);
1060
1061 srvname = string_sprintf("_client._smtp.%s", namesuff + 1);
1062 rc = dns_lookup(dnsa, srvname, T_SRV, NULL);
1063 if (rc == DNS_AGAIN) return rc;
1064 if (rc != DNS_SUCCEED) continue;
1065
1066 /* Check that the SRV record we have found is worth returning. We don't
1067 just return the first one we find, because some lower level SRV record
1068 might make stricter assertions than its parent domain. */
1069
1070 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
1071 rr;
1072 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
1073 {
1074 if (rr->type != T_SRV) continue;
d2a2c69b 1075
1705dd20
JH		 1076 /* Extract the numerical SRV fields (p is incremented) */
1077 p = rr->data;
1078 GETSHORT(priority, p);
1079 GETSHORT(weight, p); weight = weight; /* compiler quietening */
1080 GETSHORT(port, p);
d2a2c69b 1081
1705dd20
JH		 1082 /* Check the CSA version number */
1083 if (priority != 1) continue;
d2a2c69b 1084
1705dd20
JH		 1085 /* If it's making an interesting assertion, return this response. */
1086 if (port & 1)
d2a2c69b 1087 {
1705dd20
JH		 1088 *fully_qualified_name = namesuff + 1;
1089 return DNS_SUCCEED;
d2a2c69b 1090 }
d2a2c69b 1091 }
1705dd20
JH		 1092 }
1093 return DNS_NOMATCH;
1094 }
e5a9dba6 1095
d2a2c69b 1096 default:
1705dd20
JH		 1097 if (type >= 0)
1098 return dns_lookup(dnsa, name, type, fully_qualified_name);
e5a9dba6
PH		 1099 }
1100
33397d19
PH		 1101/* Control should never reach here */
1102
1103return DNS_FAIL;
1104}
1105
1106
1107
059ec3d9
PH		 1108
1109
1110/*************************************************
1111* Get address(es) from DNS record *
1112*************************************************/
1113
1114/* The record type is either T_A for an IPv4 address or T_AAAA (or T_A6 when
d2a2c69b 1115supported) for an IPv6 address.
059ec3d9
PH		 1116
1117Argument:
1118 dnsa the DNS answer block
1119 rr the RR
1120
e1a3f32f 1121Returns: pointer to a chain of dns_address items; NULL when the dnsa was overrun
059ec3d9
PH		 1122*/
1123
1124dns_address *
1125dns_address_from_rr(dns_answer *dnsa, dns_record *rr)
1126{
e1a3f32f
JH		 1127dns_address * yield = NULL;
1128uschar * dnsa_lim = dnsa->answer + dnsa->answerlen;
059ec3d9
PH		 1129
1130if (rr->type == T_A)
1131 {
d2a2c69b 1132 uschar *p = US rr->data;
e1a3f32f
JH		 1133 if (p + 4 <= dnsa_lim)
1134 {
1135 yield = store_get(sizeof(dns_address) + 20);
1136 (void)sprintf(CS yield->address, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
1137 yield->next = NULL;
1138 }
059ec3d9
PH		 1139 }
1140
1141#if HAVE_IPV6
1142
059ec3d9
PH		 1143else
1144 {
e1a3f32f
JH		 1145 if (rr->data + 16 <= dnsa_lim)
1146 {
1147 yield = store_get(sizeof(dns_address) + 50);
1148 inet_ntop(AF_INET6, US rr->data, CS yield->address, 50);
1149 yield->next = NULL;
1150 }
059ec3d9
PH		 1151 }
1152#endif /* HAVE_IPV6 */
1153
1154return yield;
1155}
1156
476be7e2
JH		 1157
1158
1159void
1160dns_pattern_init(void)
1161{
1162if (check_dns_names_pattern[0] != 0 && !regex_check_dns_names)
1163 regex_check_dns_names =
1164 regex_must_compile(check_dns_names_pattern, FALSE, TRUE);
1165}
1166
8c51eead
JH		 1167/* vi: aw ai sw=2
1168*/
059ec3d9 1169/* End of dns.c */
Unnamed repository; edit this file 'description' to name the repository.