const uschar * auth_name;
const uschar * trusted;
+if (dnsa->answerlen < 0) return FALSE;
if (h->ad) return TRUE;
-/* If the resolver we ask is authoritative for the domain in question, it
-* may not set the AD but the AA bit. If we explicitly trust
-* the resolver for that domain (via a domainlist in dns_trust_aa),
-* we return TRUE to indicate a secure answer.
-*/
+/* If the resolver we ask is authoritative for the domain in question, it may
+not set the AD but the AA bit. If we explicitly trust the resolver for that
+domain (via a domainlist in dns_trust_aa), we return TRUE to indicate a secure
+answer. */
if ( !h->aa
|| !dns_trust_aa
************************************************/
BOOL
-dns_is_aa(const dns_answer *dnsa)
+dns_is_aa(const dns_answer * dnsa)
{
#ifdef DISABLE_DNSSEC
return FALSE;
#else
-return ((const HEADER*)dnsa->answer)->aa;
+return dnsa->answerlen >= 0 && ((const HEADER *)dnsa->answer)->aa;
#endif
}
Returns: the return code
*/
-/*XXX the derivation of this value needs explaining */
+/* we need: 255 +1 + (max(typetext) == 5) +1 + max(chars_for_long-max) +1 */
#define DNS_FAILTAG_MAX 290
-#define alignment \
- (sizeof(void *) > sizeof(double) ? sizeof(void *) : sizeof(double))
-#define align(n) \
- (((((intptr_t)n) + (alignment-1)) / alignment) * alignment)
#define DNS_FAILNODE_SIZE \
- align(sizeof(tree_node) + DNS_FAILTAG_MAX + sizeof(expiring_data))
+ (sizeof(expiring_data) + sizeof(tree_node) + DNS_FAILTAG_MAX)
static int
dns_fail_return(const uschar * name, int type, time_t expiry, int rc)
e = previous->data.ptr;
else
{
- new = store_get_perm(DNS_FAILNODE_SIZE, is_tainted(name));
-
+ e = store_get_perm(DNS_FAILNODE_SIZE, is_tainted(name));
+ new = (void *)(e+1);
dns_fail_tag(new->name, name, type);
- e = (expiring_data *) align((char *)new + sizeof(tree_node) + DNS_FAILTAG_MAX);
new->data.ptr = e;
(void)tree_insertnode(&tree_dns_fails, new);
}
*/
if ((rc = dns_fail_cache_hit(name, type)) > 0)
+ {
+ dnsa->answerlen = -1;
return rc;
+ }
#ifdef SUPPORT_I18N
/* Convert all names to a-label form before doing lookup */
This test is omitted for PTR records. These occur only in calls from the dnsdb
lookup, which constructs the names itself, so they should be OK. Besides,
-bitstring labels don't conform to normal name syntax. (But the aren't used any
-more.)
-
-For SRV records, we omit the initial _smtp._tcp. components at the start.
-The check has been seen to bite on the destination of a SRV lookup that
-initiall hit a CNAME, for which the next name had only two components.
-RFC2782 makes no mention of the possibiility of CNAMES, but the Wikipedia
-article on SRV says they are not a valid configuration. */
+bitstring labels don't conform to normal name syntax. (But they aren't used any
+more.) */
#ifndef STAND_ALONE /* Omit this for stand-alone tests */
if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT)
{
- const uschar *checkname = name;
int ovector[3*(EXPAND_MAXN+1)];
dns_pattern_init();
-
- /* For an SRV lookup, skip over the first two components (the service and
- protocol names, which both start with an underscore). */
-
- if (type == T_SRV || type == T_TLSA)
- {
- while (*checkname && *checkname++ != '.') ;
- while (*checkname && *checkname++ != '.') ;
- }
-
- if (pcre_exec(regex_check_dns_names, NULL, CCS checkname, Ustrlen(checkname),
+ if (pcre_exec(regex_check_dns_names, NULL, CCS name, Ustrlen(name),
0, PCRE_EOPT, ovector, nelem(ovector)) < 0)
{
DEBUG(D_dns)
(res_search), we call fakens_search(), which recognizes certain special
domains, and interfaces to a fake nameserver for certain special zones. */
+h_errno = 0;
dnsa->answerlen = f.running_in_test_harness
? fakens_search(name, type, dnsa->answer, sizeof(dnsa->answer))
: res_search(CCS name, C_IN, type, dnsa->answer, sizeof(dnsa->answer));