projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Oops. I omitted a ( from Brian's patch.
[exim.git] / src / src / dns.c
CommitLineData
bef5a11f 1/* $Cambridge: exim/src/src/dns.c,v 1.10 2005/09/13 15:40:07 ph10 Exp $ */
059ec3d9
PH		 2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
c988f1f4 7/* Copyright (c) University of Cambridge 1995 - 2005 */
059ec3d9
PH		 8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Functions for interfacing with the DNS. */
11
12#include "exim.h"
13
14
15/* Function declaration needed for mutual recursion when A6 records
16are supported. */
17
18#if HAVE_IPV6
19#ifdef SUPPORT_A6
20static void dns_complete_a6(dns_address ***, dns_answer *, dns_record *,
21 int, uschar *);
22#endif
23#endif
24
25
bef5a11f
PH		 26/*************************************************
27* Fake DNS resolver *
28*************************************************/
29
30/* This function is called instead of res_search() when Exim is running in its
31test harness. It recognizes some special domain names, and uses them to force
32failure and retry responses (optionally with a delay). It also recognises the
33zones test.ex and 10.in-addr.arpa, and for those it calls an external utility
34that mock-up a nameserver, if it can find the utility. Otherwise, it passes its
35arguments on to res_search().
36
37Background: the original test suite required a real nameserver to carry the
38test.ex and 10.in-addr.arpa zones, whereas the new test suit has the fake
39server for portability. This code supports both.
40
41Arguments:
42 name the domain name
43 type the DNS record type
44 answerptr where to put the answer
45 size size of the answer area
46
47Returns: length of returned data, or -1 on error (h_errno set)
48*/
49
50static int
51fakens_search(uschar *name, int type, uschar *answerptr, int size)
52{
53int len = Ustrlen(name);
54uschar *endname = name + len;
55
56if (len >= 14 && Ustrcmp(endname - 14, "test.again.dns") == 0)
57 {
58 int delay = Uatoi(name); /* digits at the start of the name */
59 DEBUG(D_dns) debug_printf("Return from DNS lookup of %s (%s) faked for testing\n",
60 name, dns_text_type(type));
61 if (delay > 0)
62 {
63 DEBUG(D_dns) debug_printf("delaying %d seconds\n", delay);
64 sleep(delay);
65 }
66 h_errno = TRY_AGAIN;
67 return -1;
68 }
69
70if (len >= 13 && Ustrcmp(endname - 13, "test.fail.dns") == 0)
71 {
72 DEBUG(D_dns) debug_printf("Return from DNS lookup of %s (%s) faked for testing\n",
73 name, dns_text_type(type));
74 h_errno = NO_RECOVERY;
75 return -1;
76 }
77
78if (Ustrcmp(name, "test.ex") == 0 ||
79 (len > 8 && Ustrcmp(endname - 8, ".test.ex") == 0) ||
80 (len >= 16 && Ustrcmp(endname - 16, ".10.in-addr.arpa") == 0))
81 {
82 uschar utilname[256];
83 struct stat statbuf;
84
85 (void)string_format(utilname, sizeof(utilname), "%s/../bin/fakens",
86 spool_directory);
87
88 if (stat(CS utilname, &statbuf) >= 0)
89 {
90 pid_t pid;
91 int infd, outfd, rc;
92 uschar *argv[5];
93
94 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) using fakens\n",
95 name, dns_text_type(type));
96
97 argv[0] = utilname;
98 argv[1] = spool_directory;
99 argv[2] = name;
100 argv[3] = dns_text_type(type);
101 argv[4] = NULL;
102
103 pid = child_open(argv, NULL, 0000, &infd, &outfd, FALSE);
104 if (pid < 0)
105 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to run fakens: %s",
106 strerror(errno));
107
108 len = 0;
109 rc = -1;
110 while (size > 0 && (rc = read(outfd, answerptr, size)) > 0)
111 {
112 len += rc;
113 answerptr += rc;
114 size -= rc;
115 }
116
117 if (rc < 0)
118 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "read from fakens failed: %s",
119 strerror(errno));
120
121 switch(child_close(pid, 0))
122 {
123 case 0: return len;
124 case 1: h_errno = HOST_NOT_FOUND; break;
125 case 2: h_errno = TRY_AGAIN; break;
126 default:
127 case 3: h_errno = NO_RECOVERY; break;
128 case 4: h_errno = NO_DATA; break;
129 }
130 return -1;
131 }
132 }
133
134/* Not test.ex or 10.in-addr.arpa, or fakens utility not found. */
135
136return res_search(CS name, C_IN, type, answerptr, size);
137}
138
139
059ec3d9
PH		 140
141/*************************************************
142* Initialize and configure resolver *
143*************************************************/
144
145/* Initialize the resolver and the storage for holding DNS answers if this is
146the first time we have been here, and set the resolver options.
147
148Arguments:
149 qualify_single TRUE to set the RES_DEFNAMES option
150 search_parents TRUE to set the RES_DNSRCH option
151
152Returns: nothing
153*/
154
155void
156dns_init(BOOL qualify_single, BOOL search_parents)
157{
158if ((_res.options & RES_INIT) == 0)
159 {
160 DEBUG(D_resolver) _res.options |= RES_DEBUG; /* For Cygwin */
161 res_init();
162 DEBUG(D_resolver) _res.options |= RES_DEBUG;
163 }
164
165_res.options &= ~(RES_DNSRCH | RES_DEFNAMES);
166_res.options |= (qualify_single? RES_DEFNAMES : 0) |
167 (search_parents? RES_DNSRCH : 0);
168if (dns_retrans > 0) _res.retrans = dns_retrans;
169if (dns_retry > 0) _res.retry = dns_retry;
170}
171
172
173
174/*************************************************
175* Build key name for PTR records *
176*************************************************/
177
178/* This function inverts an IP address and adds the relevant domain, to produce
179a name that can be used to look up PTR records.
180
181Arguments:
182 string the IP address as a string
183 buffer a suitable buffer, long enough to hold the result
184
185Returns: nothing
186*/
187
188void
189dns_build_reverse(uschar *string, uschar *buffer)
190{
191uschar *p = string + Ustrlen(string);
192uschar *pp = buffer;
193
194/* Handle IPv4 address */
195
196#if HAVE_IPV6
197if (Ustrchr(string, ':') == NULL)
198#endif
199 {
200 int i;
201 for (i = 0; i < 4; i++)
202 {
203 uschar *ppp = p;
204 while (ppp > string && ppp[-1] != '.') ppp--;
205 Ustrncpy(pp, ppp, p - ppp);
206 pp += p - ppp;
207 *pp++ = '.';
208 p = ppp - 1;
209 }
210 Ustrcpy(pp, "in-addr.arpa");
211 }
212
213/* Handle IPv6 address; convert to binary so as to fill out any
214abbreviation in the textual form. */
215
216#if HAVE_IPV6
217else
218 {
219 int i;
220 int v6[4];
221 (void)host_aton(string, v6);
222
223 /* The original specification for IPv6 reverse lookup was to invert each
224 nibble, and look in the ip6.int domain. The domain was subsequently
225 changed to ip6.arpa. */
226
227 for (i = 3; i >= 0; i--)
228 {
229 int j;
230 for (j = 0; j < 32; j += 4)
231 {
232 sprintf(CS pp, "%x.", (v6[i] >> j) & 15);
233 pp += 2;
234 }
235 }
236 Ustrcpy(pp, "ip6.arpa.");
237
238 /* Another way of doing IPv6 reverse lookups was proposed in conjunction
239 with A6 records. However, it fell out of favour when they did. The
240 alternative was to construct a binary key, and look in ip6.arpa. I tried
241 to make this code do that, but I could not make it work on Solaris 8. The
242 resolver seems to lose the initial backslash somehow. However, now that
243 this style of reverse lookup has been dropped, it doesn't matter. These
244 lines are left here purely for historical interest. */
245
246 /**************************************************
247 Ustrcpy(pp, "\\[x");
248 pp += 3;
249
250 for (i = 0; i < 4; i++)
251 {
252 sprintf(pp, "%08X", v6[i]);
253 pp += 8;
254 }
255 Ustrcpy(pp, "].ip6.arpa.");
256 **************************************************/
257
258 }
259#endif
260}
261
262
263
264
265/*************************************************
266* Get next DNS record from answer block *
267*************************************************/
268
269/* Call this with reset == RESET_ANSWERS to scan the answer block, reset ==
e5a9dba6
PH		 270RESET_AUTHORITY to scan the authority records, reset == RESET_ADDITIONAL to
271scan the additional records, and reset == RESET_NEXT to get the next record.
272The result is in static storage which must be copied if it is to be preserved.
059ec3d9
PH		 273
274Arguments:
275 dnsa pointer to dns answer block
276 dnss pointer to dns scan block
277 reset option specifing what portion to scan, as described above
278
279Returns: next dns record, or NULL when no more
280*/
281
282dns_record *
283dns_next_rr(dns_answer *dnsa, dns_scan *dnss, int reset)
284{
285HEADER *h = (HEADER *)dnsa->answer;
286int namelen;
287
288/* Reset the saved data when requested to, and skip to the first required RR */
289
290if (reset != RESET_NEXT)
291 {
292 dnss->rrcount = ntohs(h->qdcount);
293 dnss->aptr = dnsa->answer + sizeof(HEADER);
294
295 /* Skip over questions; failure to expand the name just gives up */
296
297 while (dnss->rrcount-- > 0)
298 {
299 namelen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
300 dnss->aptr, (DN_EXPAND_ARG4_TYPE) &(dnss->srr.name), DNS_MAXNAME);
301 if (namelen < 0) { dnss->rrcount = 0; return NULL; }
302 dnss->aptr += namelen + 4; /* skip name & type & class */
303 }
304
305 /* Get the number of answer records. */
306
307 dnss->rrcount = ntohs(h->ancount);
308
e5a9dba6
PH		 309 /* Skip over answers if we want to look at the authority section. Also skip
310 the NS records (i.e. authority section) if wanting to look at the additional
059ec3d9
PH		 311 records. */
312
e5a9dba6
PH		 313 if (reset == RESET_ADDITIONAL) dnss->rrcount += ntohs(h->nscount);
314
315 if (reset == RESET_AUTHORITY || reset == RESET_ADDITIONAL)
059ec3d9 316 {
059ec3d9
PH		 317 while (dnss->rrcount-- > 0)
318 {
319 namelen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
320 dnss->aptr, (DN_EXPAND_ARG4_TYPE) &(dnss->srr.name), DNS_MAXNAME);
321 if (namelen < 0) { dnss->rrcount = 0; return NULL; }
322 dnss->aptr += namelen + 8; /* skip name, type, class & TTL */
323 GETSHORT(dnss->srr.size, dnss->aptr); /* size of data portion */
324 dnss->aptr += dnss->srr.size; /* skip over it */
325 }
e5a9dba6
PH		 326 dnss->rrcount = (reset == RESET_AUTHORITY)
327 ? ntohs(h->nscount) : ntohs(h->arcount);
059ec3d9
PH		 328 }
329 }
330
059ec3d9
PH		 331/* The variable dnss->aptr is now pointing at the next RR, and dnss->rrcount
332contains the number of RR records left. */
333
334if (dnss->rrcount-- <= 0) return NULL;
335
336/* If expanding the RR domain name fails, behave as if no more records
337(something safe). */
338
339namelen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, dnss->aptr,
340 (DN_EXPAND_ARG4_TYPE) &(dnss->srr.name), DNS_MAXNAME);
341if (namelen < 0) { dnss->rrcount = 0; return NULL; }
342
343/* Move the pointer past the name and fill in the rest of the data structure
344from the following bytes. */
345
346dnss->aptr += namelen;
347GETSHORT(dnss->srr.type, dnss->aptr); /* Record type */
348dnss->aptr += 6; /* Don't want class or TTL */
349GETSHORT(dnss->srr.size, dnss->aptr); /* Size of data portion */
350dnss->srr.data = dnss->aptr; /* The record's data follows */
351dnss->aptr += dnss->srr.size; /* Advance to next RR */
352
353/* Return a pointer to the dns_record structure within the dns_answer. This is
354for convenience so that the scans can use nice-looking for loops. */
355
356return &(dnss->srr);
357}
358
359
360
361
362/*************************************************
363* Turn DNS type into text *
364*************************************************/
365
885ccd3e
PH		 366/* Turn the coded record type into a string for printing. All those that Exim
367uses should be included here.
059ec3d9
PH		 368
369Argument: record type
370Returns: pointer to string
371*/
372
373uschar *
374dns_text_type(int t)
375{
376switch(t)
377 {
33397d19
PH		 378 case T_A: return US"A";
379 case T_MX: return US"MX";
380 case T_AAAA: return US"AAAA";
381 case T_A6: return US"A6";
382 case T_TXT: return US"TXT";
383 case T_PTR: return US"PTR";
885ccd3e 384 case T_SOA: return US"SOA";
33397d19
PH		 385 case T_SRV: return US"SRV";
386 case T_NS: return US"NS";
8e669ac1 387 case T_CNAME: return US"CNAME";
33397d19 388 default: return US"?";
059ec3d9
PH		 389 }
390}
391
392
393
394/*************************************************
395* Cache a failed DNS lookup result *
396*************************************************/
397
398/* We cache failed lookup results so as not to experience timeouts many
399times for the same domain. We need to retain the resolver options because they
400may change. For successful lookups, we rely on resolver and/or name server
401caching.
402
403Arguments:
404 name the domain name
405 type the lookup type
406 rc the return code
407
408Returns: the return code
409*/
410
411static int
412dns_return(uschar *name, int type, int rc)
413{
414tree_node *node = store_get_perm(sizeof(tree_node) + 290);
415sprintf(CS node->name, "%.255s-%s-%lx", name, dns_text_type(type),
416 _res.options);
417node->data.val = rc;
418(void)tree_insertnode(&tree_dns_fails, node);
419return rc;
420}
421
422
423
424/*************************************************
425* Do basic DNS lookup *
426*************************************************/
427
428/* Call the resolver to look up the given domain name, using the given type,
429and check the result. The error code TRY_AGAIN is documented as meaning "non-
430Authoritive Host not found, or SERVERFAIL". Sometimes there are badly set
431up nameservers that produce this error continually, so there is the option of
432providing a list of domains for which this is treated as a non-existent
433host.
434
435Arguments:
436 dnsa pointer to dns_answer structure
437 name name to look up
438 type type of DNS record required (T_A, T_MX, etc)
439
440Returns: DNS_SUCCEED successful lookup
441 DNS_NOMATCH name not found (NXDOMAIN)
442 or name contains illegal characters (if checking)
443 DNS_NODATA domain exists, but no data for this type (NODATA)
444 DNS_AGAIN soft failure, try again later
445 DNS_FAIL DNS failure
446*/
447
448int
449dns_basic_lookup(dns_answer *dnsa, uschar *name, int type)
450{
bef5a11f 451int rc = -1;
059ec3d9 452#ifndef STAND_ALONE
059ec3d9
PH		 453uschar *save;
454#endif
455
456tree_node *previous;
457uschar node_name[290];
458
459/* DNS lookup failures of any kind are cached in a tree. This is mainly so that
460a timeout on one domain doesn't happen time and time again for messages that
461have many addresses in the same domain. We rely on the resolver and name server
462caching for successful lookups. */
463
464sprintf(CS node_name, "%.255s-%s-%lx", name, dns_text_type(type),
465 _res.options);
466previous = tree_search(tree_dns_fails, node_name);
467if (previous != NULL)
468 {
469 DEBUG(D_dns) debug_printf("DNS lookup of %.255s-%s: using cached value %s\n",
470 name, dns_text_type(type),
471 (previous->data.val == DNS_NOMATCH)? "DNS_NOMATCH" :
472 (previous->data.val == DNS_NODATA)? "DNS_NODATA" :
473 (previous->data.val == DNS_AGAIN)? "DNS_AGAIN" :
474 (previous->data.val == DNS_FAIL)? "DNS_FAIL" : "??");
475 return previous->data.val;
476 }
477
059ec3d9
PH		 478/* If configured, check the hygene of the name passed to lookup. Otherwise,
479although DNS lookups may give REFUSED at the lower level, some resolvers
480turn this into TRY_AGAIN, which is silly. Give a NOMATCH return, since such
481domains cannot be in the DNS. The check is now done by a regular expression;
482give it space for substring storage to save it having to get its own if the
483regex has substrings that are used - the default uses a conditional.
484
485This test is omitted for PTR records. These occur only in calls from the dnsdb
486lookup, which constructs the names itself, so they should be OK. Besides,
487bitstring labels don't conform to normal name syntax. (But the aren't used any
488more.)
489
490For SRV records, we omit the initial _smtp._tcp. components at the start. */
491
492#ifndef STAND_ALONE /* Omit this for stand-alone tests */
493
494if (check_dns_names_pattern[0] != 0 && type != T_PTR)
495 {
496 uschar *checkname = name;
497 int ovector[3*(EXPAND_MAXN+1)];
498
499 if (regex_check_dns_names == NULL)
500 regex_check_dns_names =
501 regex_must_compile(check_dns_names_pattern, FALSE, TRUE);
502
503 /* For an SRV lookup, skip over the first two components (the service and
504 protocol names, which both start with an underscore). */
505
506 if (type == T_SRV)
507 {
508 while (*checkname++ != '.');
509 while (*checkname++ != '.');
510 }
511
512 if (pcre_exec(regex_check_dns_names, NULL, CS checkname, Ustrlen(checkname),
513 0, PCRE_EOPT, ovector, sizeof(ovector)/sizeof(int)) < 0)
514 {
515 DEBUG(D_dns)
516 debug_printf("DNS name syntax check failed: %s (%s)\n", name,
517 dns_text_type(type));
518 host_find_failed_syntax = TRUE;
519 return DNS_NOMATCH;
520 }
521 }
522
523#endif /* STAND_ALONE */
524
525/* Call the resolver; for an overlong response, res_search() will return the
bef5a11f
PH		 526number of bytes the message would need, so we need to check for this case. The
527effect is to truncate overlong data.
528
529If we are running in the test harness, instead of calling the normal resolver
530(res_search), we call fakens_search(), which recognizes certain special
531domains, and interfaces to a fake nameserver for certain special zones. */
532
533if (running_in_test_harness)
534 dnsa->answerlen = fakens_search(name, type, dnsa->answer, MAXPACKET);
535else
536 dnsa->answerlen = res_search(CS name, C_IN, type, dnsa->answer, MAXPACKET);
059ec3d9 537
059ec3d9
PH		 538if (dnsa->answerlen > MAXPACKET) dnsa->answerlen = MAXPACKET;
539
540if (dnsa->answerlen < 0) switch (h_errno)
541 {
542 case HOST_NOT_FOUND:
543 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave HOST_NOT_FOUND\n"
544 "returning DNS_NOMATCH\n", name, dns_text_type(type));
545 return dns_return(name, type, DNS_NOMATCH);
546
547 case TRY_AGAIN:
548 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave TRY_AGAIN\n",
549 name, dns_text_type(type));
550
551 /* Cut this out for various test programs */
552 #ifndef STAND_ALONE
553 save = deliver_domain;
554 deliver_domain = name; /* set $domain */
555 rc = match_isinlist(name, &dns_again_means_nonexist, 0, NULL, NULL,
556 MCL_DOMAIN, TRUE, NULL);
557 deliver_domain = save;
558 if (rc != OK)
559 {
560 DEBUG(D_dns) debug_printf("returning DNS_AGAIN\n");
561 return dns_return(name, type, DNS_AGAIN);
562 }
563 DEBUG(D_dns) debug_printf("%s is in dns_again_means_nonexist: returning "
564 "DNS_NOMATCH\n", name);
565 return dns_return(name, type, DNS_NOMATCH);
566
567 #else /* For stand-alone tests */
568 return dns_return(name, type, DNS_AGAIN);
569 #endif
570
571 case NO_RECOVERY:
572 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave NO_RECOVERY\n"
573 "returning DNS_FAIL\n", name, dns_text_type(type));
574 return dns_return(name, type, DNS_FAIL);
575
576 case NO_DATA:
577 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave NO_DATA\n"
578 "returning DNS_NODATA\n", name, dns_text_type(type));
579 return dns_return(name, type, DNS_NODATA);
580
581 default:
582 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave unknown DNS error %d\n"
583 "returning DNS_FAIL\n", name, dns_text_type(type), h_errno);
584 return dns_return(name, type, DNS_FAIL);
585 }
586
587DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) succeeded\n",
588 name, dns_text_type(type));
589
590return DNS_SUCCEED;
591}
592
593
594
595
596/************************************************
597* Do a DNS lookup and handle CNAMES *
598************************************************/
599
600/* Look up the given domain name, using the given type. Follow CNAMEs if
601necessary, but only so many times. There aren't supposed to be CNAME chains in
602the DNS, but you are supposed to cope with them if you find them.
603
604The assumption is made that if the resolver gives back records of the
605requested type *and* a CNAME, we don't need to make another call to look up
606the CNAME. I can't see how it could return only some of the right records. If
607it's done a CNAME lookup in the past, it will have all of them; if not, it
608won't return any.
609
610If fully_qualified_name is not NULL, set it to point to the full name
611returned by the resolver, if this is different to what it is given, unless
612the returned name starts with "*" as some nameservers seem to be returning
613wildcards in this form.
614
615Arguments:
616 dnsa pointer to dns_answer structure
617 name domain name to look up
618 type DNS record type (T_A, T_MX, etc)
619 fully_qualified_name if not NULL, return the returned name here if its
620 contents are different (i.e. it must be preset)
621
622Returns: DNS_SUCCEED successful lookup
623 DNS_NOMATCH name not found
624 DNS_NODATA no data found
625 DNS_AGAIN soft failure, try again later
626 DNS_FAIL DNS failure
627*/
628
629int
630dns_lookup(dns_answer *dnsa, uschar *name, int type, uschar **fully_qualified_name)
631{
632int i;
633uschar *orig_name = name;
634
635/* Loop to follow CNAME chains so far, but no further... */
636
637for (i = 0; i < 10; i++)
638 {
639 uschar data[256];
640 dns_record *rr, cname_rr, type_rr;
641 dns_scan dnss;
642 int datalen, rc;
643
644 /* DNS lookup failures get passed straight back. */
645
646 if ((rc = dns_basic_lookup(dnsa, name, type)) != DNS_SUCCEED) return rc;
647
648 /* We should have either records of the required type, or a CNAME record,
649 or both. We need to know whether both exist for getting the fully qualified
650 name, but avoid scanning more than necessary. Note that we must copy the
651 contents of any rr blocks returned by dns_next_rr() as they use the same
652 area in the dnsa block. */
653
654 cname_rr.data = type_rr.data = NULL;
655 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
656 rr != NULL;
657 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
658 {
659 if (rr->type == type)
660 {
661 if (type_rr.data == NULL) type_rr = *rr;
662 if (cname_rr.data != NULL) break;
663 }
664 else if (rr->type == T_CNAME) cname_rr = *rr;
665 }
666
667 /* If a CNAME was found, take the fully qualified name from it; otherwise
668 from the first data record, if present. For testing, there is a magic name
669 that gets its casing adjusted, because my resolver doesn't seem to pass back
670 upper case letters in domain names. */
671
672 if (fully_qualified_name != NULL)
673 {
674 if (cname_rr.data != NULL)
675 {
676 if (Ustrcmp(cname_rr.name, *fully_qualified_name) != 0 &&
677 cname_rr.name[0] != '*')
678 *fully_qualified_name = string_copy_dnsdomain(cname_rr.name);
679 }
680 else if (type_rr.data != NULL)
681 {
682 if (running_in_test_harness &&
683 Ustrcmp(type_rr.name, "uppercase.test.ex") == 0)
684 *fully_qualified_name = US"UpperCase.test.ex";
685 else
686 {
687 if (Ustrcmp(type_rr.name, *fully_qualified_name) != 0 &&
688 type_rr.name[0] != '*')
689 *fully_qualified_name = string_copy_dnsdomain(type_rr.name);
690 }
691 }
692 }
693
694 /* If any data records of the correct type were found, we are done. */
695
696 if (type_rr.data != NULL) return DNS_SUCCEED;
697
698 /* If there are no data records, we need to re-scan the DNS using the
699 domain given in the CNAME record, which should exist (otherwise we should
700 have had a failure from dns_lookup). However code against the possibility of
701 its not existing. */
702
703 if (cname_rr.data == NULL) return DNS_FAIL;
704 datalen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
705 cname_rr.data, (DN_EXPAND_ARG4_TYPE)data, 256);
706 if (datalen < 0) return DNS_FAIL;
707 name = data;
708 } /* Loop back to do another lookup */
709
710/*Control reaches here after 10 times round the CNAME loop. Something isn't
711right... */
712
713log_write(0, LOG_MAIN, "CNAME loop for %s encountered", orig_name);
714return DNS_FAIL;
715}
716
717
718
33397d19
PH		 719
720
721
722/************************************************
723* Do a DNS lookup and handle virtual types *
724************************************************/
725
8e669ac1
PH		 726/* This function handles some invented "lookup types" that synthesize feature
727not available in the basic types. The special types all have negative values.
33397d19
PH		 728Positive type values are passed straight on to dns_lookup().
729
730Arguments:
731 dnsa pointer to dns_answer structure
732 name domain name to look up
733 type DNS record type (T_A, T_MX, etc or a "special")
734 fully_qualified_name if not NULL, return the returned name here if its
735 contents are different (i.e. it must be preset)
736
737Returns: DNS_SUCCEED successful lookup
738 DNS_NOMATCH name not found
739 DNS_NODATA no data found
740 DNS_AGAIN soft failure, try again later
741 DNS_FAIL DNS failure
742*/
743
744int
8e669ac1 745dns_special_lookup(dns_answer *dnsa, uschar *name, int type,
33397d19
PH		 746 uschar **fully_qualified_name)
747{
748if (type >= 0) return dns_lookup(dnsa, name, type, fully_qualified_name);
749
ea3bc19b
PH		 750/* The "mx hosts only" type doesn't require any special action here */
751
752if (type == T_MXH) return dns_lookup(dnsa, name, T_MX, fully_qualified_name);
753
8e669ac1 754/* Find nameservers for the domain or the nearest enclosing zone, excluding the
33397d19
PH		 755root servers. */
756
757if (type == T_ZNS)
758 {
759 uschar *d = name;
760 while (d != 0)
761 {
762 int rc = dns_lookup(dnsa, d, T_NS, fully_qualified_name);
763 if (rc != DNS_NOMATCH && rc != DNS_NODATA) return rc;
764 while (*d != 0 && *d != '.') d++;
8e669ac1 765 if (*d++ == 0) break;
33397d19 766 }
8e669ac1
PH		 767 return DNS_NOMATCH;
768 }
33397d19 769
e5a9dba6
PH		 770/* Try to look up the Client SMTP Authorization SRV record for the name. If
771there isn't one, search from the top downwards for a CSA record in a parent
772domain, which might be making assertions about subdomains. If we find a record
773we set fully_qualified_name to whichever lookup succeeded, so that the caller
774can tell whether to look at the explicit authorization field or the subdomain
775assertion field. */
776
777if (type == T_CSA)
778 {
779 uschar *srvname, *namesuff, *tld, *p;
780 int priority, weight, port;
781 int limit, rc, i;
782 BOOL ipv6;
783 dns_record *rr;
784 dns_scan dnss;
785
786 DEBUG(D_dns) debug_printf("CSA lookup of %s\n", name);
787
788 srvname = string_sprintf("_client._smtp.%s", name);
789 rc = dns_lookup(dnsa, srvname, T_SRV, NULL);
790 if (rc == DNS_SUCCEED || rc == DNS_AGAIN)
791 {
792 if (rc == DNS_SUCCEED) *fully_qualified_name = name;
793 return rc;
794 }
795
796 /* Search for CSA subdomain assertion SRV records from the top downwards,
797 starting with the 2nd level domain. This order maximizes cache-friendliness.
798 We skip the top level domains to avoid loading their nameservers and because
799 we know they'll never have CSA SRV records. */
800
801 namesuff = Ustrrchr(name, '.');
802 if (namesuff == NULL) return DNS_NOMATCH;
803 tld = namesuff + 1;
804 ipv6 = FALSE;
805 limit = dns_csa_search_limit;
806
807 /* Use more appropriate search parameters if we are in the reverse DNS. */
808
809 if (strcmpic(namesuff, US".arpa") == 0)
810 {
811 if (namesuff - 8 > name && strcmpic(namesuff - 8, US".in-addr.arpa") == 0)
812 {
813 namesuff -= 8;
814 tld = namesuff + 1;
815 limit = 3;
816 }
817 else if (namesuff - 4 > name && strcmpic(namesuff - 4, US".ip6.arpa") == 0)
818 {
819 namesuff -= 4;
820 tld = namesuff + 1;
821 ipv6 = TRUE;
822 limit = 3;
823 }
824 }
825
826 DEBUG(D_dns) debug_printf("CSA TLD %s\n", tld);
827
828 /* Do not perform the search if the top level or 2nd level domains do not
829 exist. This is quite common, and when it occurs all the search queries would
830 go to the root or TLD name servers, which is not friendly. So we check the
831 AUTHORITY section; if it contains the root's SOA record or the TLD's SOA then
832 the TLD or the 2LD (respectively) doesn't exist and we can skip the search.
833 If the TLD and the 2LD exist but the explicit CSA record lookup failed, then
834 the AUTHORITY SOA will be the 2LD's or a subdomain thereof. */
835
836 if (rc == DNS_NOMATCH)
837 {
838 /* This is really gross. The successful return value from res_search() is
839 the packet length, which is stored in dnsa->answerlen. If we get a
840 negative DNS reply then res_search() returns -1, which causes the bounds
841 checks for name decompression to fail when it is treated as a packet
842 length, which in turn causes the authority search to fail. The correct
843 packet length has been lost inside libresolv, so we have to guess a
844 replacement value. (The only way to fix this properly would be to
845 re-implement res_search() and res_query() so that they don't muddle their
846 success and packet length return values.) For added safety we only reset
847 the packet length if the packet header looks plausible. */
848
849 HEADER *h = (HEADER *)dnsa->answer;
850 if (h->qr == 1 && h->opcode == QUERY && h->tc == 0
851 && (h->rcode == NOERROR || h->rcode == NXDOMAIN)
852 && ntohs(h->qdcount) == 1 && ntohs(h->ancount) == 0
853 && ntohs(h->nscount) >= 1)
854 dnsa->answerlen = MAXPACKET;
855
856 for (rr = dns_next_rr(dnsa, &dnss, RESET_AUTHORITY);
857 rr != NULL;
858 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
859 if (rr->type != T_SOA) continue;
860 else if (strcmpic(rr->name, US"") == 0 ||
861 strcmpic(rr->name, tld) == 0) return DNS_NOMATCH;
862 else break;
863 }
864
865 for (i = 0; i < limit; i++)
866 {
867 if (ipv6)
868 {
869 /* Scan through the IPv6 reverse DNS in chunks of 16 bits worth of IP
870 address, i.e. 4 hex chars and 4 dots, i.e. 8 chars. */
871 namesuff -= 8;
872 if (namesuff <= name) return DNS_NOMATCH;
873 }
874 else
875 /* Find the start of the preceding domain name label. */
876 do
877 if (--namesuff <= name) return DNS_NOMATCH;
878 while (*namesuff != '.');
879
880 DEBUG(D_dns) debug_printf("CSA parent search at %s\n", namesuff + 1);
881
882 srvname = string_sprintf("_client._smtp.%s", namesuff + 1);
883 rc = dns_lookup(dnsa, srvname, T_SRV, NULL);
884 if (rc == DNS_AGAIN) return rc;
885 if (rc != DNS_SUCCEED) continue;
886
887 /* Check that the SRV record we have found is worth returning. We don't
888 just return the first one we find, because some lower level SRV record
889 might make stricter assertions than its parent domain. */
890
891 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
892 rr != NULL;
893 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
894 {
895 if (rr->type != T_SRV) continue;
896
897 /* Extract the numerical SRV fields (p is incremented) */
898 p = rr->data;
899 GETSHORT(priority, p);
900 GETSHORT(weight, p);
901 GETSHORT(port, p);
902
903 /* Check the CSA version number */
904 if (priority != 1) continue;
905
906 /* If it's making an interesting assertion, return this response. */
907 if (port & 1)
908 {
909 *fully_qualified_name = namesuff + 1;
910 return DNS_SUCCEED;
911 }
912 }
913 }
914 return DNS_NOMATCH;
915 }
916
33397d19
PH		 917/* Control should never reach here */
918
919return DNS_FAIL;
920}
921
922
923
059ec3d9
PH		 924/* Support for A6 records has been commented out since they were demoted to
925experimental status at IETF 51. */
926
927#if HAVE_IPV6 && defined(SUPPORT_A6)
928
929/*************************************************
930* Search DNS block for prefix RRs *
931*************************************************/
932
933/* Called from dns_complete_a6() to search an additional section or a main
934answer section for required prefix records to complete an IPv6 address obtained
935from an A6 record. For each prefix record, a recursive call to dns_complete_a6
936is made, with a new copy of the address so far.
937
938Arguments:
939 dnsa the DNS answer block
940 which RESET_ADDITIONAL or RESET_ANSWERS
941 name name of prefix record
942 yptrptr pointer to the pointer that points to where to hang the next
943 dns_address structure
944 bits number of bits we have already got
945 bitvec the bits we have already got
946
947Returns: TRUE if any records were found
948*/
949
950static BOOL
951dns_find_prefix(dns_answer *dnsa, int which, uschar *name, dns_address
952 ***yptrptr, int bits, uschar *bitvec)
953{
954BOOL yield = FALSE;
955dns_record *rr;
956dns_scan dnss;
957
958for (rr = dns_next_rr(dnsa, &dnss, which);
959 rr != NULL;
960 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
961 {
962 uschar cbitvec[16];
963 if (rr->type != T_A6 || strcmpic(rr->name, name) != 0) continue;
964 yield = TRUE;
965 memcpy(cbitvec, bitvec, sizeof(cbitvec));
966 dns_complete_a6(yptrptr, dnsa, rr, bits, cbitvec);
967 }
968
969return yield;
970}
971
972
973
974/*************************************************
975* Follow chains of A6 records *
976*************************************************/
977
978/* A6 records may be incomplete, with pointers to other records containing more
979bits of the address. There can be a tree structure, leading to a number of
980addresses originating from a single initial A6 record.
981
982Arguments:
983 yptrptr pointer to the pointer that points to where to hang the next
984 dns_address structure
985 dnsa the current DNS answer block
986 rr the RR we have at present
987 bits number of bits we have already got
988 bitvec the bits we have already got
989
990Returns: nothing
991*/
992
993static void
994dns_complete_a6(dns_address ***yptrptr, dns_answer *dnsa, dns_record *rr,
995 int bits, uschar *bitvec)
996{
997static uschar bitmask[] = { 0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80 };
998uschar *p = (uschar *)(rr->data);
999int prefix_len, suffix_len;
1000int i, j, k;
1001uschar *chainptr;
1002uschar chain[264];
1003dns_answer cdnsa;
1004
1005/* The prefix length is the first byte. It defines the prefix which is missing
1006from the data in this record as a number of bits. Zero means this is the end of
1007a chain. The suffix is the data in this record; only sufficient bytes to hold
1008it are supplied. There may be zero bytes. We have to ignore trailing bits that
1009we have already obtained from earlier RRs in the chain. */
1010
1011prefix_len = *p++; /* bits */
1012suffix_len = (128 - prefix_len + 7)/8; /* bytes */
1013
1014/* If the prefix in this record is greater than the prefix in the previous
1015record in the chain, we have to ignore the record (RFC 2874). */
1016
1017if (prefix_len > 128 - bits) return;
1018
1019/* In this little loop, the number of bits up to and including the current byte
1020is held in k. If we have none of the bits in this byte, we can just or it into
1021the current data. If we have all of the bits in this byte, we skip it.
1022Otherwise, some masking has to be done. */
1023
1024for (i = suffix_len - 1, j = 15, k = 8; i >= 0; i--)
1025 {
1026 int required = k - bits;
1027 if (required >= 8) bitvec[j] |= p[i];
1028 else if (required > 0) bitvec[j] |= p[i] & bitmask[required];
1029 j--; /* I tried putting these in the "for" statement, but gcc muttered */
1030 k += 8; /* about computed values not being used. */
1031 }
1032
1033/* If the prefix_length is zero, we are at the end of a chain. Build a
1034dns_address item with the current data, hang it onto the end of the chain,
1035adjust the hanging pointer, and we are done. */
1036
1037if (prefix_len == 0)
1038 {
1039 dns_address *new = store_get(sizeof(dns_address) + 50);
1040 inet_ntop(AF_INET6, bitvec, CS new->address, 50);
1041 new->next = NULL;
1042 **yptrptr = new;
1043 *yptrptr = &(new->next);
1044 return;
1045 }
1046
1047/* Prefix length is not zero. Reset the number of bits that we have collected
1048so far, and extract the chain name. */
1049
1050bits = 128 - prefix_len;
1051p += suffix_len;
1052
1053chainptr = chain;
1054while ((i = *p++) != 0)
1055 {
1056 if (chainptr != chain) *chainptr++ = '.';
1057 memcpy(chainptr, p, i);
1058 chainptr += i;
1059 p += i;
1060 }
1061*chainptr = 0;
1062chainptr = chain;
1063
1064/* Now scan the current DNS response record to see if the additional section
1065contains the records we want. This processing can be cut out for testing
1066purposes. */
1067
1068if (dns_find_prefix(dnsa, RESET_ADDITIONAL, chainptr, yptrptr, bits, bitvec))
1069 return;
1070
1071/* No chain records were found in the current DNS response block. Do a new DNS
1072lookup to try to find these records. This opens up the possibility of DNS
1073failures. We ignore them at this point; if all branches of the tree fail, there
1074will be no addresses at the end. */
1075
1076if (dns_lookup(&cdnsa, chainptr, T_A6, NULL) == DNS_SUCCEED)
1077 (void)dns_find_prefix(&cdnsa, RESET_ANSWERS, chainptr, yptrptr, bits, bitvec);
1078}
1079#endif /* HAVE_IPV6 && defined(SUPPORT_A6) */
1080
1081
1082
1083
1084/*************************************************
1085* Get address(es) from DNS record *
1086*************************************************/
1087
1088/* The record type is either T_A for an IPv4 address or T_AAAA (or T_A6 when
1089supported) for an IPv6 address. In the A6 case, there may be several addresses,
1090generated by following chains. A recursive function does all the hard work. A6
1091records now look like passing into history, so the code is only included when
1092explicitly asked for.
1093
1094Argument:
1095 dnsa the DNS answer block
1096 rr the RR
1097
1098Returns: pointer a chain of dns_address items
1099*/
1100
1101dns_address *
1102dns_address_from_rr(dns_answer *dnsa, dns_record *rr)
1103{
1104dns_address *yield = NULL;
1105
1106#if HAVE_IPV6 && defined(SUPPORT_A6)
1107dns_address **yieldptr = &yield;
1108uschar bitvec[16];
1109#else
1110dnsa = dnsa; /* Stop picky compilers warning */
1111#endif
1112
1113if (rr->type == T_A)
1114 {
1115 uschar *p = (uschar *)(rr->data);
1116 yield = store_get(sizeof(dns_address) + 20);
1117 (void)sprintf(CS yield->address, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
1118 yield->next = NULL;
1119 }
1120
1121#if HAVE_IPV6
1122
1123#ifdef SUPPORT_A6
1124else if (rr->type == T_A6)
1125 {
1126 memset(bitvec, 0, sizeof(bitvec));
1127 dns_complete_a6(&yieldptr, dnsa, rr, 0, bitvec);
1128 }
1129#endif /* SUPPORT_A6 */
1130
1131else
1132 {
1133 yield = store_get(sizeof(dns_address) + 50);
1134 inet_ntop(AF_INET6, (uschar *)(rr->data), CS yield->address, 50);
1135 yield->next = NULL;
1136 }
1137#endif /* HAVE_IPV6 */
1138
1139return yield;
1140}
1141
1142/* End of dns.c */
Unnamed repository; edit this file 'description' to name the repository.