Make dnssec_request_domains/dnssec_require_domains generic
authorHeiko Schlittermann (HS12) <hs@schlittermann.de>
Thu, 9 Apr 2015 15:30:58 +0000 (17:30 +0200)
committerHeiko Schlittermann (HS12) <hs@schlittermann.de>
Sat, 25 Apr 2015 20:39:39 +0000 (22:39 +0200)
Not only the dnslookup router should use DNSSEC for lookups. The
manualroute and even queryprogram router may just generate a host list.
The names then need to be resolved, optionally via DNSSEC.

doc/doc-docbook/spec.xfpt
doc/doc-txt/ChangeLog
src/src/globals.c
src/src/route.c
src/src/routers/dnslookup.c
src/src/routers/dnslookup.h
src/src/routers/rf_lookup_hostlist.c
src/src/structs.h
test/stdout/0147
test/stdout/0442

index f274db74e38bb550519cb2f8d8ac03e780a4df00..bd1c8bfddfe5d03e82d41b02241786c80c4351a5 100644 (file)
@@ -17018,6 +17018,25 @@ or for any deliveries caused by this router. You should not set this option
 unless you really, really know what you are doing. See also the generic
 transport option of the same name.
 
+.option dnssec_request_domains routers "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+the dnssec request bit set.
+This applies to all of the SRV, MX, AAAA, A lookup sequence.
+
+.option dnssec_require_domains routers "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+the dnssec request bit set.  Any returns not having the Authenticated Data bit
+(AD bit) set wil be ignored and logged as a host-lookup failure.
+This applies to all of the SRV, MX, AAAA, A lookup sequence.
+
 
 .option domains routers&!? "domain list&!!" unset
 .cindex "router" "restricting to specific domains"
@@ -18070,28 +18089,6 @@ when there is a DNS lookup error.
 
 
 
-.option dnssec_request_domains dnslookup "domain list&!!" unset
-.cindex "MX record" "security"
-.cindex "DNSSEC" "MX lookup"
-.cindex "security" "MX lookup"
-.cindex "DNS" "DNSSEC"
-DNS lookups for domains matching &%dnssec_request_domains%& will be done with
-the dnssec request bit set.
-This applies to all of the SRV, MX, AAAA, A lookup sequence.
-
-
-
-.option dnssec_require_domains dnslookup "domain list&!!" unset
-.cindex "MX record" "security"
-.cindex "DNSSEC" "MX lookup"
-.cindex "security" "MX lookup"
-.cindex "DNS" "DNSSEC"
-DNS lookups for domains matching &%dnssec_request_domains%& will be done with
-the dnssec request bit set.  Any returns not having the Authenticated Data bit
-(AD bit) set wil be ignored and logged as a host-lookup failure.
-This applies to all of the SRV, MX, AAAA, A lookup sequence.
-
-
 
 .option fail_defer_domains dnslookup "domain list&!!" unset
 .cindex "MX record" "not found"
index c0a965eeba24bde0db6e81438edb4d81a8e214f3..2421bab451711bb78a150597e1baa123e8afb44e 100644 (file)
@@ -83,6 +83,8 @@ JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size
 
 JH/24 Verification callouts now attempt to use TLS by default.
 
+HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains) 
+      are generic router options now. The defaults didn't change.
 
 
 Exim version 4.85
index a71c80ed90f4913b05cc17f3094fe19879d9514c..868b27e8337d5735ffc15fde49bc76aa52e0f085 100644 (file)
@@ -1168,7 +1168,10 @@ router_instance  router_defaults = {
     NULL,                      /* fallback_hostlist */
     NULL,                      /* transport instance */
     NULL,                      /* pass_router */
-    NULL                       /* redirect_router */
+    NULL,                      /* redirect_router */
+
+    NULL,                      /* dnssec_request_domains */
+    NULL                       /* dnssec_require_domains */
 };
 
 uschar *router_name            = NULL;
index ec188801c5ec314f32d10f18f61f115fb141a967..2f534b7bf797b68b9c4fb151d32e2e9f094aa613 100644 (file)
@@ -54,6 +54,10 @@ optionlist optionlist_routers[] = {
                  (void *)offsetof(router_instance, debug_string) },
   { "disable_logging",    opt_bool | opt_public,
                  (void *)offsetof(router_instance, disable_logging) },
+  { "dnssec_request_domains",            opt_stringptr|opt_public,
+                 (void *)offsetof(router_instance, dnssec_request_domains) },
+  { "dnssec_require_domains",            opt_stringptr|opt_public,
+                 (void *)offsetof(router_instance, dnssec_require_domains) },
   { "domains",            opt_stringptr|opt_public,
                  (void *)offsetof(router_instance, domains) },
   { "driver",             opt_stringptr|opt_public,
index 650e56d336c443195f4372ee1d6780799a5c197d..69b24042876b756e05a2fafe4d40f5ccaf0a3e49 100644 (file)
@@ -18,10 +18,6 @@ optionlist dnslookup_router_options[] = {
       (void *)(offsetof(dnslookup_router_options_block, check_secondary_mx)) },
   { "check_srv",          opt_stringptr,
       (void *)(offsetof(dnslookup_router_options_block, check_srv)) },
-  { "dnssec_request_domains",         opt_stringptr,
-      (void *)(offsetof(dnslookup_router_options_block, dnssec_request_domains)) },
-  { "dnssec_require_domains",         opt_stringptr,
-      (void *)(offsetof(dnslookup_router_options_block, dnssec_require_domains)) },
   { "fail_defer_domains", opt_stringptr,
       (void *)(offsetof(dnslookup_router_options_block, fail_defer_domains)) },
   { "mx_domains",         opt_stringptr,
@@ -60,8 +56,6 @@ dnslookup_router_options_block dnslookup_router_option_defaults = {
   NULL,            /* mx_fail_domains */
   NULL,            /* srv_fail_domains */
   NULL,            /* check_srv */
-  NULL,            /* dnssec_request_domains */
-  NULL,            /* dnssec_require_domains */
   NULL             /* fail_defer_domains */
 };
 
@@ -271,7 +265,7 @@ for (;;)
 
   rc = host_find_bydns(&h, CUS rblock->ignore_target_hosts, flags, srv_service,
     ob->srv_fail_domains, ob->mx_fail_domains,
-    ob->dnssec_request_domains, ob->dnssec_require_domains,
+    rblock->dnssec_request_domains, rblock->dnssec_require_domains,
     &fully_qualified_name, &removed);
   if (removed) setflag(addr, af_local_host_removed);
 
index 907ff0ce32e0997eb6ff4b61511cc9e799a2e33a..af01d5611de7cb3e53eea4b636cac9a846874907 100644 (file)
@@ -17,8 +17,6 @@ typedef struct {
   uschar *mx_fail_domains;
   uschar *srv_fail_domains;
   uschar *check_srv;
-  uschar *dnssec_request_domains;
-  uschar *dnssec_require_domains;
   uschar *fail_defer_domains;
 } dnslookup_router_options_block;
 
index ab2e4ec2c374cd3f0cac804ac71f2ce4d4252568..7ff7f45e1adce0a09843b0ad0f4880453feb0eac 100644 (file)
@@ -94,8 +94,8 @@ for (h = addr->host_list; h != NULL; h = next_h)
         NULL,                           /* SRV service not relevant */
         NULL,                           /* failing srv domains not relevant */
         NULL,                           /* no special mx failing domains */
-       NULL,                           /* no dnssec request XXX ? */
-       NULL,                           /* no dnssec require XXX ? */
+       rblock->dnssec_request_domains,         /* no dnssec request XXX ? */
+       rblock->dnssec_require_domains,         /* no dnssec require XXX ? */
         NULL,                           /* fully_qualified_name */
         NULL);                          /* indicate local host removed */
     }
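Review bot: The comments on the two replaced arguments still read `/* no dnssec request XXX ? */` and `/* no dnssec require XXX ? */`, yet the values are now the router's configured domain lists rather than NULL, so the comments contradict the code; the same stale wording was copied into this file's second hunk (the HOST_FIND_BY_A call). Suggest `/* dnssec_request_domains */` and `/* dnssec_require_domains */` in both places, matching the other positional-argument comments on the call. As the spec text in this commit states, a non-NULL dnssec_require_domains turns answers without the AD bit into a host-lookup failure, so a host list generated by manualroute or queryprogram may now fail to resolve for a matching domain where it previously succeeded; that appears to be the intended effect of the commit and is worth saying where the lists are passed. The enclosing for loop and the rf_lookup_hostlist function begin outside the hunk.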
@@ -120,7 +120,8 @@ for (h = addr->host_list; h != NULL; h = next_h)
     DEBUG(D_route|D_host_lookup) debug_printf("doing DNS lookup\n");
     rc = host_find_bydns(h, ignore_target_hosts, HOST_FIND_BY_A, NULL, NULL,
       NULL,
-      NULL, NULL,      /*XXX dnssec? */
+      rblock->dnssec_request_domains,         /* no dnssec request XXX ? */
+      rblock->dnssec_require_domains,         /* no dnssec require XXX ? */
       &canonical_name, &removed);
     if (rc == HOST_FOUND)
       {
index c181f3f6ed0a9db0bf68c9f205dc691b6a9e2c48..3f9fb6050f0ef3efa1b6705d44f55a3307f88d0b 100644 (file)
@@ -296,6 +296,8 @@ typedef struct router_instance {
   transport_instance *transport;  /* Transport block (when found) */
   struct router_instance *pass_router; /* Actual router for passed address */
   struct router_instance *redirect_router; /* Actual router for generated address */
+  uschar  *dnssec_request_domains;     /* ask for DNSSEC XXX */
+  uschar  *dnssec_require_domains;     /* require DNSSEC XXX */
 } router_instance;
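Review bot: The two new fields carry `XXX` placeholder comments (`/* ask for DNSSEC XXX */`, `/* require DNSSEC XXX */`) that the commit leaves unresolved in the public router_instance struct every router sees. The spec text added in this commit gives the real semantics, so the comments can state them: `/* domain list: lookups set the DNSSEC request bit */` and `/* domain list: answers without the AD bit are lookup failures */`. The fields are appended at the end of the struct, which keeps the positional initializer in globals.c in step with it; the struct's opening is outside the hunk.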
 
 
index b877c6110076289f1c0dd4b5f870954f47c0aa8e..45e48244b940cad275c70c1c182929f0a400534a 100644 (file)
@@ -23,6 +23,8 @@ no_check_local_user
 condition = 
 debug_print = 
 no_disable_logging
+dnssec_request_domains = 
+dnssec_require_domains = 
 domains = 
 driver = accept
 no_dsn_lasthop
index b47d7b31b9a40a80681a38e17e97ff524c82141d..34c6510fdce3466b092df448a6c46de638528f3d 100644 (file)
@@ -8,6 +8,8 @@ no_check_local_user
 condition = 
 debug_print = 
 no_disable_logging
+dnssec_request_domains = 
+dnssec_require_domains = 
 domains = 
 driver = accept
 no_dsn_lasthop