projects / exim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Added dns_use_edns0 main option.
[exim.git] / src / src / dns.c
1 /* $Cambridge: exim/src/src/dns.c,v 1.21 2009/11/16 19:50:36 nm4 Exp $ */
2
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
6
7 /* Copyright (c) University of Cambridge 1995 - 2009 */
8 /* See the file NOTICE for conditions of use and distribution. */
9
10 /* Functions for interfacing with the DNS. */
11
12 #include "exim.h"
13
14
15 /* Function declaration needed for mutual recursion when A6 records
16 are supported. */
17
18 #if HAVE_IPV6
19 #ifdef SUPPORT_A6
20 static void dns_complete_a6(dns_address ***, dns_answer *, dns_record *,
21 int, uschar *);
22 #endif
23 #endif
24
25
26 /*************************************************
27 * Fake DNS resolver *
28 *************************************************/
29
30 /* This function is called instead of res_search() when Exim is running in its
31 test harness. It recognizes some special domain names, and uses them to force
32 failure and retry responses (optionally with a delay). Otherwise, it calls an
33 external utility that mocks-up a nameserver, if it can find the utility.
34 If not, it passes its arguments on to res_search(). The fake nameserver may
35 also return a code specifying that the name should be passed on.
36
37 Background: the original test suite required a real nameserver to carry the
38 test zones, whereas the new test suit has the fake server for portability. This
39 code supports both.
40
41 Arguments:
42 domain the domain name
43 type the DNS record type
44 answerptr where to put the answer
45 size size of the answer area
46
47 Returns: length of returned data, or -1 on error (h_errno set)
48 */
49
50 static int
51 fakens_search(uschar *domain, int type, uschar *answerptr, int size)
52 {
53 int len = Ustrlen(domain);
54 int asize = size; /* Locally modified */
55 uschar *endname;
56 uschar name[256];
57 uschar utilname[256];
58 uschar *aptr = answerptr; /* Locally modified */
59 struct stat statbuf;
60
61 /* Remove terminating dot. */
62
63 if (domain[len - 1] == '.') len--;
64 Ustrncpy(name, domain, len);
65 name[len] = 0;
66 endname = name + len;
67
68 /* This code, for forcing TRY_AGAIN and NO_RECOVERY, is here so that it works
69 for the old test suite that uses a real nameserver. When the old test suite is
70 eventually abandoned, this code could be moved into the fakens utility. */
71
72 if (len >= 14 && Ustrcmp(endname - 14, "test.again.dns") == 0)
73 {
74 int delay = Uatoi(name); /* digits at the start of the name */
75 DEBUG(D_dns) debug_printf("Return from DNS lookup of %s (%s) faked for testing\n",
76 name, dns_text_type(type));
77 if (delay > 0)
78 {
79 DEBUG(D_dns) debug_printf("delaying %d seconds\n", delay);
80 sleep(delay);
81 }
82 h_errno = TRY_AGAIN;
83 return -1;
84 }
85
86 if (len >= 13 && Ustrcmp(endname - 13, "test.fail.dns") == 0)
87 {
88 DEBUG(D_dns) debug_printf("Return from DNS lookup of %s (%s) faked for testing\n",
89 name, dns_text_type(type));
90 h_errno = NO_RECOVERY;
91 return -1;
92 }
93
94 /* Look for the fakens utility, and if it exists, call it. */
95
96 (void)string_format(utilname, sizeof(utilname), "%s/../bin/fakens",
97 spool_directory);
98
99 if (stat(CS utilname, &statbuf) >= 0)
100 {
101 pid_t pid;
102 int infd, outfd, rc;
103 uschar *argv[5];
104
105 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) using fakens\n",
106 name, dns_text_type(type));
107
108 argv[0] = utilname;
109 argv[1] = spool_directory;
110 argv[2] = name;
111 argv[3] = dns_text_type(type);
112 argv[4] = NULL;
113
114 pid = child_open(argv, NULL, 0000, &infd, &outfd, FALSE);
115 if (pid < 0)
116 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to run fakens: %s",
117 strerror(errno));
118
119 len = 0;
120 rc = -1;
121 while (asize > 0 && (rc = read(outfd, aptr, asize)) > 0)
122 {
123 len += rc;
124 aptr += rc; /* Don't modify the actual arguments, because they */
125 asize -= rc; /* may need to be passed on to res_search(). */
126 }
127
128 if (rc < 0)
129 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "read from fakens failed: %s",
130 strerror(errno));
131
132 switch(child_close(pid, 0))
133 {
134 case 0: return len;
135 case 1: h_errno = HOST_NOT_FOUND; return -1;
136 case 2: h_errno = TRY_AGAIN; return -1;
137 default:
138 case 3: h_errno = NO_RECOVERY; return -1;
139 case 4: h_errno = NO_DATA; return -1;
140 case 5: /* Pass on to res_search() */
141 DEBUG(D_dns) debug_printf("fakens returned PASS_ON\n");
142 }
143 }
144
145 /* fakens utility not found, or it returned "pass on" */
146
147 DEBUG(D_dns) debug_printf("passing %s on to res_search()\n", domain);
148
149 return res_search(CS domain, C_IN, type, answerptr, size);
150 }
151
152
153
154 /*************************************************
155 * Initialize and configure resolver *
156 *************************************************/
157
158 /* Initialize the resolver and the storage for holding DNS answers if this is
159 the first time we have been here, and set the resolver options.
160
161 Arguments:
162 qualify_single TRUE to set the RES_DEFNAMES option
163 search_parents TRUE to set the RES_DNSRCH option
164
165 Returns: nothing
166 */
167
168 void
169 dns_init(BOOL qualify_single, BOOL search_parents)
170 {
171 if ((_res.options & RES_INIT) == 0)
172 {
173 DEBUG(D_resolver) _res.options |= RES_DEBUG; /* For Cygwin */
174 res_init();
175 DEBUG(D_resolver) _res.options |= RES_DEBUG;
176 }
177
178 _res.options &= ~(RES_DNSRCH | RES_DEFNAMES);
179 _res.options |= (qualify_single? RES_DEFNAMES : 0) |
180 (search_parents? RES_DNSRCH : 0);
181 if (dns_retrans > 0) _res.retrans = dns_retrans;
182 if (dns_retry > 0) _res.retry = dns_retry;
183
184 #ifdef RES_USE_EDNS0
185 if (dns_use_edns0 >= 0)
186 {
187 if (dns_use_edns0)
188 _res.options |= RES_USE_EDNS0;
189 else
190 _res.options &= ~RES_USE_EDNS0;
191 DEBUG(D_resolver)
192 debug_printf("Coerced resolver EDNS0 support %s.\n",
193 dns_use_edns0 ? "on" : "off");
194 }
195 #else
196 if (dns_use_edns0 >= 0)
197 DEBUG(D_resolver)
198 debug_printf("Unable to %sset EDNS0 without resolver support.\n",
199 dns_use_edns0 ? "" : "un");
200 #endif
201 }
202
203
204
205 /*************************************************
206 * Build key name for PTR records *
207 *************************************************/
208
209 /* This function inverts an IP address and adds the relevant domain, to produce
210 a name that can be used to look up PTR records.
211
212 Arguments:
213 string the IP address as a string
214 buffer a suitable buffer, long enough to hold the result
215
216 Returns: nothing
217 */
218
219 void
220 dns_build_reverse(uschar *string, uschar *buffer)
221 {
222 uschar *p = string + Ustrlen(string);
223 uschar *pp = buffer;
224
225 /* Handle IPv4 address */
226
227 #if HAVE_IPV6
228 if (Ustrchr(string, ':') == NULL)
229 #endif
230 {
231 int i;
232 for (i = 0; i < 4; i++)
233 {
234 uschar *ppp = p;
235 while (ppp > string && ppp[-1] != '.') ppp--;
236 Ustrncpy(pp, ppp, p - ppp);
237 pp += p - ppp;
238 *pp++ = '.';
239 p = ppp - 1;
240 }
241 Ustrcpy(pp, "in-addr.arpa");
242 }
243
244 /* Handle IPv6 address; convert to binary so as to fill out any
245 abbreviation in the textual form. */
246
247 #if HAVE_IPV6
248 else
249 {
250 int i;
251 int v6[4];
252 (void)host_aton(string, v6);
253
254 /* The original specification for IPv6 reverse lookup was to invert each
255 nibble, and look in the ip6.int domain. The domain was subsequently
256 changed to ip6.arpa. */
257
258 for (i = 3; i >= 0; i--)
259 {
260 int j;
261 for (j = 0; j < 32; j += 4)
262 {
263 sprintf(CS pp, "%x.", (v6[i] >> j) & 15);
264 pp += 2;
265 }
266 }
267 Ustrcpy(pp, "ip6.arpa.");
268
269 /* Another way of doing IPv6 reverse lookups was proposed in conjunction
270 with A6 records. However, it fell out of favour when they did. The
271 alternative was to construct a binary key, and look in ip6.arpa. I tried
272 to make this code do that, but I could not make it work on Solaris 8. The
273 resolver seems to lose the initial backslash somehow. However, now that
274 this style of reverse lookup has been dropped, it doesn't matter. These
275 lines are left here purely for historical interest. */
276
277 /**************************************************
278 Ustrcpy(pp, "\\[x");
279 pp += 3;
280
281 for (i = 0; i < 4; i++)
282 {
283 sprintf(pp, "%08X", v6[i]);
284 pp += 8;
285 }
286 Ustrcpy(pp, "].ip6.arpa.");
287 **************************************************/
288
289 }
290 #endif
291 }
292
293
294
295
296 /*************************************************
297 * Get next DNS record from answer block *
298 *************************************************/
299
300 /* Call this with reset == RESET_ANSWERS to scan the answer block, reset ==
301 RESET_AUTHORITY to scan the authority records, reset == RESET_ADDITIONAL to
302 scan the additional records, and reset == RESET_NEXT to get the next record.
303 The result is in static storage which must be copied if it is to be preserved.
304
305 Arguments:
306 dnsa pointer to dns answer block
307 dnss pointer to dns scan block
308 reset option specifing what portion to scan, as described above
309
310 Returns: next dns record, or NULL when no more
311 */
312
313 dns_record *
314 dns_next_rr(dns_answer *dnsa, dns_scan *dnss, int reset)
315 {
316 HEADER *h = (HEADER *)dnsa->answer;
317 int namelen;
318
319 /* Reset the saved data when requested to, and skip to the first required RR */
320
321 if (reset != RESET_NEXT)
322 {
323 dnss->rrcount = ntohs(h->qdcount);
324 dnss->aptr = dnsa->answer + sizeof(HEADER);
325
326 /* Skip over questions; failure to expand the name just gives up */
327
328 while (dnss->rrcount-- > 0)
329 {
330 namelen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
331 dnss->aptr, (DN_EXPAND_ARG4_TYPE) &(dnss->srr.name), DNS_MAXNAME);
332 if (namelen < 0) { dnss->rrcount = 0; return NULL; }
333 dnss->aptr += namelen + 4; /* skip name & type & class */
334 }
335
336 /* Get the number of answer records. */
337
338 dnss->rrcount = ntohs(h->ancount);
339
340 /* Skip over answers if we want to look at the authority section. Also skip
341 the NS records (i.e. authority section) if wanting to look at the additional
342 records. */
343
344 if (reset == RESET_ADDITIONAL) dnss->rrcount += ntohs(h->nscount);
345
346 if (reset == RESET_AUTHORITY || reset == RESET_ADDITIONAL)
347 {
348 while (dnss->rrcount-- > 0)
349 {
350 namelen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
351 dnss->aptr, (DN_EXPAND_ARG4_TYPE) &(dnss->srr.name), DNS_MAXNAME);
352 if (namelen < 0) { dnss->rrcount = 0; return NULL; }
353 dnss->aptr += namelen + 8; /* skip name, type, class & TTL */
354 GETSHORT(dnss->srr.size, dnss->aptr); /* size of data portion */
355 dnss->aptr += dnss->srr.size; /* skip over it */
356 }
357 dnss->rrcount = (reset == RESET_AUTHORITY)
358 ? ntohs(h->nscount) : ntohs(h->arcount);
359 }
360 }
361
362 /* The variable dnss->aptr is now pointing at the next RR, and dnss->rrcount
363 contains the number of RR records left. */
364
365 if (dnss->rrcount-- <= 0) return NULL;
366
367 /* If expanding the RR domain name fails, behave as if no more records
368 (something safe). */
369
370 namelen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, dnss->aptr,
371 (DN_EXPAND_ARG4_TYPE) &(dnss->srr.name), DNS_MAXNAME);
372 if (namelen < 0) { dnss->rrcount = 0; return NULL; }
373
374 /* Move the pointer past the name and fill in the rest of the data structure
375 from the following bytes. */
376
377 dnss->aptr += namelen;
378 GETSHORT(dnss->srr.type, dnss->aptr); /* Record type */
379 dnss->aptr += 6; /* Don't want class or TTL */
380 GETSHORT(dnss->srr.size, dnss->aptr); /* Size of data portion */
381 dnss->srr.data = dnss->aptr; /* The record's data follows */
382 dnss->aptr += dnss->srr.size; /* Advance to next RR */
383
384 /* Return a pointer to the dns_record structure within the dns_answer. This is
385 for convenience so that the scans can use nice-looking for loops. */
386
387 return &(dnss->srr);
388 }
389
390
391
392
393 /*************************************************
394 * Turn DNS type into text *
395 *************************************************/
396
397 /* Turn the coded record type into a string for printing. All those that Exim
398 uses should be included here.
399
400 Argument: record type
401 Returns: pointer to string
402 */
403
404 uschar *
405 dns_text_type(int t)
406 {
407 switch(t)
408 {
409 case T_A: return US"A";
410 case T_MX: return US"MX";
411 case T_AAAA: return US"AAAA";
412 case T_A6: return US"A6";
413 case T_TXT: return US"TXT";
414 case T_PTR: return US"PTR";
415 case T_SOA: return US"SOA";
416 case T_SRV: return US"SRV";
417 case T_NS: return US"NS";
418 case T_CNAME: return US"CNAME";
419 default: return US"?";
420 }
421 }
422
423
424
425 /*************************************************
426 * Cache a failed DNS lookup result *
427 *************************************************/
428
429 /* We cache failed lookup results so as not to experience timeouts many
430 times for the same domain. We need to retain the resolver options because they
431 may change. For successful lookups, we rely on resolver and/or name server
432 caching.
433
434 Arguments:
435 name the domain name
436 type the lookup type
437 rc the return code
438
439 Returns: the return code
440 */
441
442 static int
443 dns_return(uschar *name, int type, int rc)
444 {
445 tree_node *node = store_get_perm(sizeof(tree_node) + 290);
446 sprintf(CS node->name, "%.255s-%s-%lx", name, dns_text_type(type),
447 _res.options);
448 node->data.val = rc;
449 (void)tree_insertnode(&tree_dns_fails, node);
450 return rc;
451 }
452
453
454
455 /*************************************************
456 * Do basic DNS lookup *
457 *************************************************/
458
459 /* Call the resolver to look up the given domain name, using the given type,
460 and check the result. The error code TRY_AGAIN is documented as meaning "non-
461 Authoritive Host not found, or SERVERFAIL". Sometimes there are badly set
462 up nameservers that produce this error continually, so there is the option of
463 providing a list of domains for which this is treated as a non-existent
464 host.
465
466 Arguments:
467 dnsa pointer to dns_answer structure
468 name name to look up
469 type type of DNS record required (T_A, T_MX, etc)
470
471 Returns: DNS_SUCCEED successful lookup
472 DNS_NOMATCH name not found (NXDOMAIN)
473 or name contains illegal characters (if checking)
474 or name is an IP address (for IP address lookup)
475 DNS_NODATA domain exists, but no data for this type (NODATA)
476 DNS_AGAIN soft failure, try again later
477 DNS_FAIL DNS failure
478 */
479
480 int
481 dns_basic_lookup(dns_answer *dnsa, uschar *name, int type)
482 {
483 #ifndef STAND_ALONE
484 int rc = -1;
485 uschar *save;
486 #endif
487
488 tree_node *previous;
489 uschar node_name[290];
490
491 /* DNS lookup failures of any kind are cached in a tree. This is mainly so that
492 a timeout on one domain doesn't happen time and time again for messages that
493 have many addresses in the same domain. We rely on the resolver and name server
494 caching for successful lookups. */
495
496 sprintf(CS node_name, "%.255s-%s-%lx", name, dns_text_type(type),
497 _res.options);
498 previous = tree_search(tree_dns_fails, node_name);
499 if (previous != NULL)
500 {
501 DEBUG(D_dns) debug_printf("DNS lookup of %.255s-%s: using cached value %s\n",
502 name, dns_text_type(type),
503 (previous->data.val == DNS_NOMATCH)? "DNS_NOMATCH" :
504 (previous->data.val == DNS_NODATA)? "DNS_NODATA" :
505 (previous->data.val == DNS_AGAIN)? "DNS_AGAIN" :
506 (previous->data.val == DNS_FAIL)? "DNS_FAIL" : "??");
507 return previous->data.val;
508 }
509
510 /* If configured, check the hygene of the name passed to lookup. Otherwise,
511 although DNS lookups may give REFUSED at the lower level, some resolvers
512 turn this into TRY_AGAIN, which is silly. Give a NOMATCH return, since such
513 domains cannot be in the DNS. The check is now done by a regular expression;
514 give it space for substring storage to save it having to get its own if the
515 regex has substrings that are used - the default uses a conditional.
516
517 This test is omitted for PTR records. These occur only in calls from the dnsdb
518 lookup, which constructs the names itself, so they should be OK. Besides,
519 bitstring labels don't conform to normal name syntax. (But the aren't used any
520 more.)
521
522 For SRV records, we omit the initial _smtp._tcp. components at the start. */
523
524 #ifndef STAND_ALONE /* Omit this for stand-alone tests */
525
526 if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT)
527 {
528 uschar *checkname = name;
529 int ovector[3*(EXPAND_MAXN+1)];
530
531 if (regex_check_dns_names == NULL)
532 regex_check_dns_names =
533 regex_must_compile(check_dns_names_pattern, FALSE, TRUE);
534
535 /* For an SRV lookup, skip over the first two components (the service and
536 protocol names, which both start with an underscore). */
537
538 if (type == T_SRV)
539 {
540 while (*checkname++ != '.');
541 while (*checkname++ != '.');
542 }
543
544 if (pcre_exec(regex_check_dns_names, NULL, CS checkname, Ustrlen(checkname),
545 0, PCRE_EOPT, ovector, sizeof(ovector)/sizeof(int)) < 0)
546 {
547 DEBUG(D_dns)
548 debug_printf("DNS name syntax check failed: %s (%s)\n", name,
549 dns_text_type(type));
550 host_find_failed_syntax = TRUE;
551 return DNS_NOMATCH;
552 }
553 }
554
555 #endif /* STAND_ALONE */
556
557 /* Call the resolver; for an overlong response, res_search() will return the
558 number of bytes the message would need, so we need to check for this case. The
559 effect is to truncate overlong data.
560
561 On some systems, res_search() will recognize "A-for-A" queries and return
562 the IP address instead of returning -1 with h_error=HOST_NOT_FOUND. Some
563 nameservers are also believed to do this. It is, of course, contrary to the
564 specification of the DNS, so we lock it out. */
565
566 if ((
567 #ifdef SUPPORT_A6
568 type == T_A6 ||
569 #endif
570 type == T_A || type == T_AAAA) &&
571 string_is_ip_address(name, NULL) != 0)
572 return DNS_NOMATCH;
573
574 /* If we are running in the test harness, instead of calling the normal resolver
575 (res_search), we call fakens_search(), which recognizes certain special
576 domains, and interfaces to a fake nameserver for certain special zones. */
577
578 if (running_in_test_harness)
579 dnsa->answerlen = fakens_search(name, type, dnsa->answer, MAXPACKET);
580 else
581 dnsa->answerlen = res_search(CS name, C_IN, type, dnsa->answer, MAXPACKET);
582
583 if (dnsa->answerlen > MAXPACKET)
584 {
585 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) resulted in overlong packet (size %d), truncating to %d.\n",
586 name, dns_text_type(type), dnsa->answerlen, MAXPACKET);
587 dnsa->answerlen = MAXPACKET;
588 }
589
590 if (dnsa->answerlen < 0) switch (h_errno)
591 {
592 case HOST_NOT_FOUND:
593 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave HOST_NOT_FOUND\n"
594 "returning DNS_NOMATCH\n", name, dns_text_type(type));
595 return dns_return(name, type, DNS_NOMATCH);
596
597 case TRY_AGAIN:
598 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave TRY_AGAIN\n",
599 name, dns_text_type(type));
600
601 /* Cut this out for various test programs */
602 #ifndef STAND_ALONE
603 save = deliver_domain;
604 deliver_domain = name; /* set $domain */
605 rc = match_isinlist(name, &dns_again_means_nonexist, 0, NULL, NULL,
606 MCL_DOMAIN, TRUE, NULL);
607 deliver_domain = save;
608 if (rc != OK)
609 {
610 DEBUG(D_dns) debug_printf("returning DNS_AGAIN\n");
611 return dns_return(name, type, DNS_AGAIN);
612 }
613 DEBUG(D_dns) debug_printf("%s is in dns_again_means_nonexist: returning "
614 "DNS_NOMATCH\n", name);
615 return dns_return(name, type, DNS_NOMATCH);
616
617 #else /* For stand-alone tests */
618 return dns_return(name, type, DNS_AGAIN);
619 #endif
620
621 case NO_RECOVERY:
622 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave NO_RECOVERY\n"
623 "returning DNS_FAIL\n", name, dns_text_type(type));
624 return dns_return(name, type, DNS_FAIL);
625
626 case NO_DATA:
627 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave NO_DATA\n"
628 "returning DNS_NODATA\n", name, dns_text_type(type));
629 return dns_return(name, type, DNS_NODATA);
630
631 default:
632 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave unknown DNS error %d\n"
633 "returning DNS_FAIL\n", name, dns_text_type(type), h_errno);
634 return dns_return(name, type, DNS_FAIL);
635 }
636
637 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) succeeded\n",
638 name, dns_text_type(type));
639
640 return DNS_SUCCEED;
641 }
642
643
644
645
646 /************************************************
647 * Do a DNS lookup and handle CNAMES *
648 ************************************************/
649
650 /* Look up the given domain name, using the given type. Follow CNAMEs if
651 necessary, but only so many times. There aren't supposed to be CNAME chains in
652 the DNS, but you are supposed to cope with them if you find them.
653
654 The assumption is made that if the resolver gives back records of the
655 requested type *and* a CNAME, we don't need to make another call to look up
656 the CNAME. I can't see how it could return only some of the right records. If
657 it's done a CNAME lookup in the past, it will have all of them; if not, it
658 won't return any.
659
660 If fully_qualified_name is not NULL, set it to point to the full name
661 returned by the resolver, if this is different to what it is given, unless
662 the returned name starts with "*" as some nameservers seem to be returning
663 wildcards in this form.
664
665 Arguments:
666 dnsa pointer to dns_answer structure
667 name domain name to look up
668 type DNS record type (T_A, T_MX, etc)
669 fully_qualified_name if not NULL, return the returned name here if its
670 contents are different (i.e. it must be preset)
671
672 Returns: DNS_SUCCEED successful lookup
673 DNS_NOMATCH name not found
674 DNS_NODATA no data found
675 DNS_AGAIN soft failure, try again later
676 DNS_FAIL DNS failure
677 */
678
679 int
680 dns_lookup(dns_answer *dnsa, uschar *name, int type, uschar **fully_qualified_name)
681 {
682 int i;
683 uschar *orig_name = name;
684
685 /* Loop to follow CNAME chains so far, but no further... */
686
687 for (i = 0; i < 10; i++)
688 {
689 uschar data[256];
690 dns_record *rr, cname_rr, type_rr;
691 dns_scan dnss;
692 int datalen, rc;
693
694 /* DNS lookup failures get passed straight back. */
695
696 if ((rc = dns_basic_lookup(dnsa, name, type)) != DNS_SUCCEED) return rc;
697
698 /* We should have either records of the required type, or a CNAME record,
699 or both. We need to know whether both exist for getting the fully qualified
700 name, but avoid scanning more than necessary. Note that we must copy the
701 contents of any rr blocks returned by dns_next_rr() as they use the same
702 area in the dnsa block. */
703
704 cname_rr.data = type_rr.data = NULL;
705 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
706 rr != NULL;
707 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
708 {
709 if (rr->type == type)
710 {
711 if (type_rr.data == NULL) type_rr = *rr;
712 if (cname_rr.data != NULL) break;
713 }
714 else if (rr->type == T_CNAME) cname_rr = *rr;
715 }
716
717 /* For the first time round this loop, if a CNAME was found, take the fully
718 qualified name from it; otherwise from the first data record, if present. */
719
720 if (i == 0 && fully_qualified_name != NULL)
721 {
722 if (cname_rr.data != NULL)
723 {
724 if (Ustrcmp(cname_rr.name, *fully_qualified_name) != 0 &&
725 cname_rr.name[0] != '*')
726 *fully_qualified_name = string_copy_dnsdomain(cname_rr.name);
727 }
728 else if (type_rr.data != NULL)
729 {
730 if (Ustrcmp(type_rr.name, *fully_qualified_name) != 0 &&
731 type_rr.name[0] != '*')
732 *fully_qualified_name = string_copy_dnsdomain(type_rr.name);
733 }
734 }
735
736 /* If any data records of the correct type were found, we are done. */
737
738 if (type_rr.data != NULL) return DNS_SUCCEED;
739
740 /* If there are no data records, we need to re-scan the DNS using the
741 domain given in the CNAME record, which should exist (otherwise we should
742 have had a failure from dns_lookup). However code against the possibility of
743 its not existing. */
744
745 if (cname_rr.data == NULL) return DNS_FAIL;
746 datalen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
747 cname_rr.data, (DN_EXPAND_ARG4_TYPE)data, 256);
748 if (datalen < 0) return DNS_FAIL;
749 name = data;
750
751 DEBUG(D_dns) debug_printf("CNAME found: change to %s\n", name);
752 } /* Loop back to do another lookup */
753
754 /*Control reaches here after 10 times round the CNAME loop. Something isn't
755 right... */
756
757 log_write(0, LOG_MAIN, "CNAME loop for %s encountered", orig_name);
758 return DNS_FAIL;
759 }
760
761
762
763
764
765
766 /************************************************
767 * Do a DNS lookup and handle virtual types *
768 ************************************************/
769
770 /* This function handles some invented "lookup types" that synthesize feature
771 not available in the basic types. The special types all have negative values.
772 Positive type values are passed straight on to dns_lookup().
773
774 Arguments:
775 dnsa pointer to dns_answer structure
776 name domain name to look up
777 type DNS record type (T_A, T_MX, etc or a "special")
778 fully_qualified_name if not NULL, return the returned name here if its
779 contents are different (i.e. it must be preset)
780
781 Returns: DNS_SUCCEED successful lookup
782 DNS_NOMATCH name not found
783 DNS_NODATA no data found
784 DNS_AGAIN soft failure, try again later
785 DNS_FAIL DNS failure
786 */
787
788 int
789 dns_special_lookup(dns_answer *dnsa, uschar *name, int type,
790 uschar **fully_qualified_name)
791 {
792 if (type >= 0) return dns_lookup(dnsa, name, type, fully_qualified_name);
793
794 /* The "mx hosts only" type doesn't require any special action here */
795
796 if (type == T_MXH) return dns_lookup(dnsa, name, T_MX, fully_qualified_name);
797
798 /* Find nameservers for the domain or the nearest enclosing zone, excluding the
799 root servers. */
800
801 if (type == T_ZNS)
802 {
803 uschar *d = name;
804 while (d != 0)
805 {
806 int rc = dns_lookup(dnsa, d, T_NS, fully_qualified_name);
807 if (rc != DNS_NOMATCH && rc != DNS_NODATA) return rc;
808 while (*d != 0 && *d != '.') d++;
809 if (*d++ == 0) break;
810 }
811 return DNS_NOMATCH;
812 }
813
814 /* Try to look up the Client SMTP Authorization SRV record for the name. If
815 there isn't one, search from the top downwards for a CSA record in a parent
816 domain, which might be making assertions about subdomains. If we find a record
817 we set fully_qualified_name to whichever lookup succeeded, so that the caller
818 can tell whether to look at the explicit authorization field or the subdomain
819 assertion field. */
820
821 if (type == T_CSA)
822 {
823 uschar *srvname, *namesuff, *tld, *p;
824 int priority, weight, port;
825 int limit, rc, i;
826 BOOL ipv6;
827 dns_record *rr;
828 dns_scan dnss;
829
830 DEBUG(D_dns) debug_printf("CSA lookup of %s\n", name);
831
832 srvname = string_sprintf("_client._smtp.%s", name);
833 rc = dns_lookup(dnsa, srvname, T_SRV, NULL);
834 if (rc == DNS_SUCCEED || rc == DNS_AGAIN)
835 {
836 if (rc == DNS_SUCCEED) *fully_qualified_name = name;
837 return rc;
838 }
839
840 /* Search for CSA subdomain assertion SRV records from the top downwards,
841 starting with the 2nd level domain. This order maximizes cache-friendliness.
842 We skip the top level domains to avoid loading their nameservers and because
843 we know they'll never have CSA SRV records. */
844
845 namesuff = Ustrrchr(name, '.');
846 if (namesuff == NULL) return DNS_NOMATCH;
847 tld = namesuff + 1;
848 ipv6 = FALSE;
849 limit = dns_csa_search_limit;
850
851 /* Use more appropriate search parameters if we are in the reverse DNS. */
852
853 if (strcmpic(namesuff, US".arpa") == 0)
854 {
855 if (namesuff - 8 > name && strcmpic(namesuff - 8, US".in-addr.arpa") == 0)
856 {
857 namesuff -= 8;
858 tld = namesuff + 1;
859 limit = 3;
860 }
861 else if (namesuff - 4 > name && strcmpic(namesuff - 4, US".ip6.arpa") == 0)
862 {
863 namesuff -= 4;
864 tld = namesuff + 1;
865 ipv6 = TRUE;
866 limit = 3;
867 }
868 }
869
870 DEBUG(D_dns) debug_printf("CSA TLD %s\n", tld);
871
872 /* Do not perform the search if the top level or 2nd level domains do not
873 exist. This is quite common, and when it occurs all the search queries would
874 go to the root or TLD name servers, which is not friendly. So we check the
875 AUTHORITY section; if it contains the root's SOA record or the TLD's SOA then
876 the TLD or the 2LD (respectively) doesn't exist and we can skip the search.
877 If the TLD and the 2LD exist but the explicit CSA record lookup failed, then
878 the AUTHORITY SOA will be the 2LD's or a subdomain thereof. */
879
880 if (rc == DNS_NOMATCH)
881 {
882 /* This is really gross. The successful return value from res_search() is
883 the packet length, which is stored in dnsa->answerlen. If we get a
884 negative DNS reply then res_search() returns -1, which causes the bounds
885 checks for name decompression to fail when it is treated as a packet
886 length, which in turn causes the authority search to fail. The correct
887 packet length has been lost inside libresolv, so we have to guess a
888 replacement value. (The only way to fix this properly would be to
889 re-implement res_search() and res_query() so that they don't muddle their
890 success and packet length return values.) For added safety we only reset
891 the packet length if the packet header looks plausible. */
892
893 HEADER *h = (HEADER *)dnsa->answer;
894 if (h->qr == 1 && h->opcode == QUERY && h->tc == 0
895 && (h->rcode == NOERROR || h->rcode == NXDOMAIN)
896 && ntohs(h->qdcount) == 1 && ntohs(h->ancount) == 0
897 && ntohs(h->nscount) >= 1)
898 dnsa->answerlen = MAXPACKET;
899
900 for (rr = dns_next_rr(dnsa, &dnss, RESET_AUTHORITY);
901 rr != NULL;
902 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
903 if (rr->type != T_SOA) continue;
904 else if (strcmpic(rr->name, US"") == 0 ||
905 strcmpic(rr->name, tld) == 0) return DNS_NOMATCH;
906 else break;
907 }
908
909 for (i = 0; i < limit; i++)
910 {
911 if (ipv6)
912 {
913 /* Scan through the IPv6 reverse DNS in chunks of 16 bits worth of IP
914 address, i.e. 4 hex chars and 4 dots, i.e. 8 chars. */
915 namesuff -= 8;
916 if (namesuff <= name) return DNS_NOMATCH;
917 }
918 else
919 /* Find the start of the preceding domain name label. */
920 do
921 if (--namesuff <= name) return DNS_NOMATCH;
922 while (*namesuff != '.');
923
924 DEBUG(D_dns) debug_printf("CSA parent search at %s\n", namesuff + 1);
925
926 srvname = string_sprintf("_client._smtp.%s", namesuff + 1);
927 rc = dns_lookup(dnsa, srvname, T_SRV, NULL);
928 if (rc == DNS_AGAIN) return rc;
929 if (rc != DNS_SUCCEED) continue;
930
931 /* Check that the SRV record we have found is worth returning. We don't
932 just return the first one we find, because some lower level SRV record
933 might make stricter assertions than its parent domain. */
934
935 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
936 rr != NULL;
937 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
938 {
939 if (rr->type != T_SRV) continue;
940
941 /* Extract the numerical SRV fields (p is incremented) */
942 p = rr->data;
943 GETSHORT(priority, p);
944 GETSHORT(weight, p);
945 GETSHORT(port, p);
946
947 /* Check the CSA version number */
948 if (priority != 1) continue;
949
950 /* If it's making an interesting assertion, return this response. */
951 if (port & 1)
952 {
953 *fully_qualified_name = namesuff + 1;
954 return DNS_SUCCEED;
955 }
956 }
957 }
958 return DNS_NOMATCH;
959 }
960
961 /* Control should never reach here */
962
963 return DNS_FAIL;
964 }
965
966
967
968 /* Support for A6 records has been commented out since they were demoted to
969 experimental status at IETF 51. */
970
971 #if HAVE_IPV6 && defined(SUPPORT_A6)
972
973 /*************************************************
974 * Search DNS block for prefix RRs *
975 *************************************************/
976
977 /* Called from dns_complete_a6() to search an additional section or a main
978 answer section for required prefix records to complete an IPv6 address obtained
979 from an A6 record. For each prefix record, a recursive call to dns_complete_a6
980 is made, with a new copy of the address so far.
981
982 Arguments:
983 dnsa the DNS answer block
984 which RESET_ADDITIONAL or RESET_ANSWERS
985 name name of prefix record
986 yptrptr pointer to the pointer that points to where to hang the next
987 dns_address structure
988 bits number of bits we have already got
989 bitvec the bits we have already got
990
991 Returns: TRUE if any records were found
992 */
993
994 static BOOL
995 dns_find_prefix(dns_answer *dnsa, int which, uschar *name, dns_address
996 ***yptrptr, int bits, uschar *bitvec)
997 {
998 BOOL yield = FALSE;
999 dns_record *rr;
1000 dns_scan dnss;
1001
1002 for (rr = dns_next_rr(dnsa, &dnss, which);
1003 rr != NULL;
1004 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
1005 {
1006 uschar cbitvec[16];
1007 if (rr->type != T_A6 || strcmpic(rr->name, name) != 0) continue;
1008 yield = TRUE;
1009 memcpy(cbitvec, bitvec, sizeof(cbitvec));
1010 dns_complete_a6(yptrptr, dnsa, rr, bits, cbitvec);
1011 }
1012
1013 return yield;
1014 }
1015
1016
1017
1018 /*************************************************
1019 * Follow chains of A6 records *
1020 *************************************************/
1021
1022 /* A6 records may be incomplete, with pointers to other records containing more
1023 bits of the address. There can be a tree structure, leading to a number of
1024 addresses originating from a single initial A6 record.
1025
1026 Arguments:
1027 yptrptr pointer to the pointer that points to where to hang the next
1028 dns_address structure
1029 dnsa the current DNS answer block
1030 rr the RR we have at present
1031 bits number of bits we have already got
1032 bitvec the bits we have already got
1033
1034 Returns: nothing
1035 */
1036
1037 static void
1038 dns_complete_a6(dns_address ***yptrptr, dns_answer *dnsa, dns_record *rr,
1039 int bits, uschar *bitvec)
1040 {
1041 static uschar bitmask[] = { 0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80 };
1042 uschar *p = (uschar *)(rr->data);
1043 int prefix_len, suffix_len;
1044 int i, j, k;
1045 uschar *chainptr;
1046 uschar chain[264];
1047 dns_answer cdnsa;
1048
1049 /* The prefix length is the first byte. It defines the prefix which is missing
1050 from the data in this record as a number of bits. Zero means this is the end of
1051 a chain. The suffix is the data in this record; only sufficient bytes to hold
1052 it are supplied. There may be zero bytes. We have to ignore trailing bits that
1053 we have already obtained from earlier RRs in the chain. */
1054
1055 prefix_len = *p++; /* bits */
1056 suffix_len = (128 - prefix_len + 7)/8; /* bytes */
1057
1058 /* If the prefix in this record is greater than the prefix in the previous
1059 record in the chain, we have to ignore the record (RFC 2874). */
1060
1061 if (prefix_len > 128 - bits) return;
1062
1063 /* In this little loop, the number of bits up to and including the current byte
1064 is held in k. If we have none of the bits in this byte, we can just or it into
1065 the current data. If we have all of the bits in this byte, we skip it.
1066 Otherwise, some masking has to be done. */
1067
1068 for (i = suffix_len - 1, j = 15, k = 8; i >= 0; i--)
1069 {
1070 int required = k - bits;
1071 if (required >= 8) bitvec[j] |= p[i];
1072 else if (required > 0) bitvec[j] |= p[i] & bitmask[required];
1073 j--; /* I tried putting these in the "for" statement, but gcc muttered */
1074 k += 8; /* about computed values not being used. */
1075 }
1076
1077 /* If the prefix_length is zero, we are at the end of a chain. Build a
1078 dns_address item with the current data, hang it onto the end of the chain,
1079 adjust the hanging pointer, and we are done. */
1080
1081 if (prefix_len == 0)
1082 {
1083 dns_address *new = store_get(sizeof(dns_address) + 50);
1084 inet_ntop(AF_INET6, bitvec, CS new->address, 50);
1085 new->next = NULL;
1086 **yptrptr = new;
1087 *yptrptr = &(new->next);
1088 return;
1089 }
1090
1091 /* Prefix length is not zero. Reset the number of bits that we have collected
1092 so far, and extract the chain name. */
1093
1094 bits = 128 - prefix_len;
1095 p += suffix_len;
1096
1097 chainptr = chain;
1098 while ((i = *p++) != 0)
1099 {
1100 if (chainptr != chain) *chainptr++ = '.';
1101 memcpy(chainptr, p, i);
1102 chainptr += i;
1103 p += i;
1104 }
1105 *chainptr = 0;
1106 chainptr = chain;
1107
1108 /* Now scan the current DNS response record to see if the additional section
1109 contains the records we want. This processing can be cut out for testing
1110 purposes. */
1111
1112 if (dns_find_prefix(dnsa, RESET_ADDITIONAL, chainptr, yptrptr, bits, bitvec))
1113 return;
1114
1115 /* No chain records were found in the current DNS response block. Do a new DNS
1116 lookup to try to find these records. This opens up the possibility of DNS
1117 failures. We ignore them at this point; if all branches of the tree fail, there
1118 will be no addresses at the end. */
1119
1120 if (dns_lookup(&cdnsa, chainptr, T_A6, NULL) == DNS_SUCCEED)
1121 (void)dns_find_prefix(&cdnsa, RESET_ANSWERS, chainptr, yptrptr, bits, bitvec);
1122 }
1123 #endif /* HAVE_IPV6 && defined(SUPPORT_A6) */
1124
1125
1126
1127
1128 /*************************************************
1129 * Get address(es) from DNS record *
1130 *************************************************/
1131
1132 /* The record type is either T_A for an IPv4 address or T_AAAA (or T_A6 when
1133 supported) for an IPv6 address. In the A6 case, there may be several addresses,
1134 generated by following chains. A recursive function does all the hard work. A6
1135 records now look like passing into history, so the code is only included when
1136 explicitly asked for.
1137
1138 Argument:
1139 dnsa the DNS answer block
1140 rr the RR
1141
1142 Returns: pointer a chain of dns_address items
1143 */
1144
1145 dns_address *
1146 dns_address_from_rr(dns_answer *dnsa, dns_record *rr)
1147 {
1148 dns_address *yield = NULL;
1149
1150 #if HAVE_IPV6 && defined(SUPPORT_A6)
1151 dns_address **yieldptr = &yield;
1152 uschar bitvec[16];
1153 #else
1154 dnsa = dnsa; /* Stop picky compilers warning */
1155 #endif
1156
1157 if (rr->type == T_A)
1158 {
1159 uschar *p = (uschar *)(rr->data);
1160 yield = store_get(sizeof(dns_address) + 20);
1161 (void)sprintf(CS yield->address, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
1162 yield->next = NULL;
1163 }
1164
1165 #if HAVE_IPV6
1166
1167 #ifdef SUPPORT_A6
1168 else if (rr->type == T_A6)
1169 {
1170 memset(bitvec, 0, sizeof(bitvec));
1171 dns_complete_a6(&yieldptr, dnsa, rr, 0, bitvec);
1172 }
1173 #endif /* SUPPORT_A6 */
1174
1175 else
1176 {
1177 yield = store_get(sizeof(dns_address) + 50);
1178 inet_ntop(AF_INET6, (uschar *)(rr->data), CS yield->address, 50);
1179 yield->next = NULL;
1180 }
1181 #endif /* HAVE_IPV6 */
1182
1183 return yield;
1184 }
1185
1186 /* End of dns.c */
Unnamed repository; edit this file 'description' to name the repository.