1. Update version.
[exim.git] / src / src / dns.c
1 /* $Cambridge: exim/src/src/dns.c,v 1.6 2005/05/10 10:19:11 ph10 Exp $ */
2
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
6
7 /* Copyright (c) University of Cambridge 1995 - 2005 */
8 /* See the file NOTICE for conditions of use and distribution. */
9
10 /* Functions for interfacing with the DNS. */
11
12 #include "exim.h"
13
14
15 /* Function declaration needed for mutual recursion when A6 records
16 are supported. */
17
18 #if HAVE_IPV6
19 #ifdef SUPPORT_A6
20 static void dns_complete_a6(dns_address ***, dns_answer *, dns_record *,
21 int, uschar *);
22 #endif
23 #endif
24
25
26
27 /*************************************************
28 * Initialize and configure resolver *
29 *************************************************/
30
31 /* Initialize the resolver and the storage for holding DNS answers if this is
32 the first time we have been here, and set the resolver options.
33
34 Arguments:
35 qualify_single TRUE to set the RES_DEFNAMES option
36 search_parents TRUE to set the RES_DNSRCH option
37
38 Returns: nothing
39 */
40
41 void
42 dns_init(BOOL qualify_single, BOOL search_parents)
43 {
44 if ((_res.options & RES_INIT) == 0)
45 {
46 DEBUG(D_resolver) _res.options |= RES_DEBUG; /* For Cygwin */
47 res_init();
48 DEBUG(D_resolver) _res.options |= RES_DEBUG;
49 }
50
51 _res.options &= ~(RES_DNSRCH | RES_DEFNAMES);
52 _res.options |= (qualify_single? RES_DEFNAMES : 0) |
53 (search_parents? RES_DNSRCH : 0);
54 if (dns_retrans > 0) _res.retrans = dns_retrans;
55 if (dns_retry > 0) _res.retry = dns_retry;
56 }
57
58
59
60 /*************************************************
61 * Build key name for PTR records *
62 *************************************************/
63
64 /* This function inverts an IP address and adds the relevant domain, to produce
65 a name that can be used to look up PTR records.
66
67 Arguments:
68 string the IP address as a string
69 buffer a suitable buffer, long enough to hold the result
70
71 Returns: nothing
72 */
73
74 void
75 dns_build_reverse(uschar *string, uschar *buffer)
76 {
77 uschar *p = string + Ustrlen(string);
78 uschar *pp = buffer;
79
80 /* Handle IPv4 address */
81
82 #if HAVE_IPV6
83 if (Ustrchr(string, ':') == NULL)
84 #endif
85 {
86 int i;
87 for (i = 0; i < 4; i++)
88 {
89 uschar *ppp = p;
90 while (ppp > string && ppp[-1] != '.') ppp--;
91 Ustrncpy(pp, ppp, p - ppp);
92 pp += p - ppp;
93 *pp++ = '.';
94 p = ppp - 1;
95 }
96 Ustrcpy(pp, "in-addr.arpa");
97 }
98
99 /* Handle IPv6 address; convert to binary so as to fill out any
100 abbreviation in the textual form. */
101
102 #if HAVE_IPV6
103 else
104 {
105 int i;
106 int v6[4];
107 (void)host_aton(string, v6);
108
109 /* The original specification for IPv6 reverse lookup was to invert each
110 nibble, and look in the ip6.int domain. The domain was subsequently
111 changed to ip6.arpa. */
112
113 for (i = 3; i >= 0; i--)
114 {
115 int j;
116 for (j = 0; j < 32; j += 4)
117 {
118 sprintf(CS pp, "%x.", (v6[i] >> j) & 15);
119 pp += 2;
120 }
121 }
122 Ustrcpy(pp, "ip6.arpa.");
123
124 /* Another way of doing IPv6 reverse lookups was proposed in conjunction
125 with A6 records. However, it fell out of favour when they did. The
126 alternative was to construct a binary key, and look in ip6.arpa. I tried
127 to make this code do that, but I could not make it work on Solaris 8. The
128 resolver seems to lose the initial backslash somehow. However, now that
129 this style of reverse lookup has been dropped, it doesn't matter. These
130 lines are left here purely for historical interest. */
131
132 /**************************************************
133 Ustrcpy(pp, "\\[x");
134 pp += 3;
135
136 for (i = 0; i < 4; i++)
137 {
138 sprintf(pp, "%08X", v6[i]);
139 pp += 8;
140 }
141 Ustrcpy(pp, "].ip6.arpa.");
142 **************************************************/
143
144 }
145 #endif
146 }
147
148
149
150
151 /*************************************************
152 * Get next DNS record from answer block *
153 *************************************************/
154
155 /* Call this with reset == RESET_ANSWERS to scan the answer block, reset ==
156 RESET_AUTHORITY to scan the authority records, reset == RESET_ADDITIONAL to
157 scan the additional records, and reset == RESET_NEXT to get the next record.
158 The result is in static storage which must be copied if it is to be preserved.
159
160 Arguments:
161 dnsa pointer to dns answer block
162 dnss pointer to dns scan block
163 reset option specifing what portion to scan, as described above
164
165 Returns: next dns record, or NULL when no more
166 */
167
168 dns_record *
169 dns_next_rr(dns_answer *dnsa, dns_scan *dnss, int reset)
170 {
171 HEADER *h = (HEADER *)dnsa->answer;
172 int namelen;
173
174 /* Reset the saved data when requested to, and skip to the first required RR */
175
176 if (reset != RESET_NEXT)
177 {
178 dnss->rrcount = ntohs(h->qdcount);
179 dnss->aptr = dnsa->answer + sizeof(HEADER);
180
181 /* Skip over questions; failure to expand the name just gives up */
182
183 while (dnss->rrcount-- > 0)
184 {
185 namelen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
186 dnss->aptr, (DN_EXPAND_ARG4_TYPE) &(dnss->srr.name), DNS_MAXNAME);
187 if (namelen < 0) { dnss->rrcount = 0; return NULL; }
188 dnss->aptr += namelen + 4; /* skip name & type & class */
189 }
190
191 /* Get the number of answer records. */
192
193 dnss->rrcount = ntohs(h->ancount);
194
195 /* Skip over answers if we want to look at the authority section. Also skip
196 the NS records (i.e. authority section) if wanting to look at the additional
197 records. */
198
199 if (reset == RESET_ADDITIONAL) dnss->rrcount += ntohs(h->nscount);
200
201 if (reset == RESET_AUTHORITY || reset == RESET_ADDITIONAL)
202 {
203 while (dnss->rrcount-- > 0)
204 {
205 namelen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
206 dnss->aptr, (DN_EXPAND_ARG4_TYPE) &(dnss->srr.name), DNS_MAXNAME);
207 if (namelen < 0) { dnss->rrcount = 0; return NULL; }
208 dnss->aptr += namelen + 8; /* skip name, type, class & TTL */
209 GETSHORT(dnss->srr.size, dnss->aptr); /* size of data portion */
210 dnss->aptr += dnss->srr.size; /* skip over it */
211 }
212 dnss->rrcount = (reset == RESET_AUTHORITY)
213 ? ntohs(h->nscount) : ntohs(h->arcount);
214 }
215 }
216
217 /* The variable dnss->aptr is now pointing at the next RR, and dnss->rrcount
218 contains the number of RR records left. */
219
220 if (dnss->rrcount-- <= 0) return NULL;
221
222 /* If expanding the RR domain name fails, behave as if no more records
223 (something safe). */
224
225 namelen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, dnss->aptr,
226 (DN_EXPAND_ARG4_TYPE) &(dnss->srr.name), DNS_MAXNAME);
227 if (namelen < 0) { dnss->rrcount = 0; return NULL; }
228
229 /* Move the pointer past the name and fill in the rest of the data structure
230 from the following bytes. */
231
232 dnss->aptr += namelen;
233 GETSHORT(dnss->srr.type, dnss->aptr); /* Record type */
234 dnss->aptr += 6; /* Don't want class or TTL */
235 GETSHORT(dnss->srr.size, dnss->aptr); /* Size of data portion */
236 dnss->srr.data = dnss->aptr; /* The record's data follows */
237 dnss->aptr += dnss->srr.size; /* Advance to next RR */
238
239 /* Return a pointer to the dns_record structure within the dns_answer. This is
240 for convenience so that the scans can use nice-looking for loops. */
241
242 return &(dnss->srr);
243 }
244
245
246
247
248 /*************************************************
249 * Turn DNS type into text *
250 *************************************************/
251
252 /* Turn the coded record type into a string for printing.
253
254 Argument: record type
255 Returns: pointer to string
256 */
257
258 uschar *
259 dns_text_type(int t)
260 {
261 switch(t)
262 {
263 case T_A: return US"A";
264 case T_MX: return US"MX";
265 case T_AAAA: return US"AAAA";
266 case T_A6: return US"A6";
267 case T_TXT: return US"TXT";
268 case T_PTR: return US"PTR";
269 case T_SRV: return US"SRV";
270 case T_NS: return US"NS";
271 case T_CNAME: return US"CNAME";
272 default: return US"?";
273 }
274 }
275
276
277
278 /*************************************************
279 * Cache a failed DNS lookup result *
280 *************************************************/
281
282 /* We cache failed lookup results so as not to experience timeouts many
283 times for the same domain. We need to retain the resolver options because they
284 may change. For successful lookups, we rely on resolver and/or name server
285 caching.
286
287 Arguments:
288 name the domain name
289 type the lookup type
290 rc the return code
291
292 Returns: the return code
293 */
294
295 static int
296 dns_return(uschar *name, int type, int rc)
297 {
298 tree_node *node = store_get_perm(sizeof(tree_node) + 290);
299 sprintf(CS node->name, "%.255s-%s-%lx", name, dns_text_type(type),
300 _res.options);
301 node->data.val = rc;
302 (void)tree_insertnode(&tree_dns_fails, node);
303 return rc;
304 }
305
306
307
308 /*************************************************
309 * Do basic DNS lookup *
310 *************************************************/
311
312 /* Call the resolver to look up the given domain name, using the given type,
313 and check the result. The error code TRY_AGAIN is documented as meaning "non-
314 Authoritive Host not found, or SERVERFAIL". Sometimes there are badly set
315 up nameservers that produce this error continually, so there is the option of
316 providing a list of domains for which this is treated as a non-existent
317 host.
318
319 Arguments:
320 dnsa pointer to dns_answer structure
321 name name to look up
322 type type of DNS record required (T_A, T_MX, etc)
323
324 Returns: DNS_SUCCEED successful lookup
325 DNS_NOMATCH name not found (NXDOMAIN)
326 or name contains illegal characters (if checking)
327 DNS_NODATA domain exists, but no data for this type (NODATA)
328 DNS_AGAIN soft failure, try again later
329 DNS_FAIL DNS failure
330 */
331
332 int
333 dns_basic_lookup(dns_answer *dnsa, uschar *name, int type)
334 {
335 #ifndef STAND_ALONE
336 int rc;
337 uschar *save;
338 #endif
339
340 tree_node *previous;
341 uschar node_name[290];
342
343 /* DNS lookup failures of any kind are cached in a tree. This is mainly so that
344 a timeout on one domain doesn't happen time and time again for messages that
345 have many addresses in the same domain. We rely on the resolver and name server
346 caching for successful lookups. */
347
348 sprintf(CS node_name, "%.255s-%s-%lx", name, dns_text_type(type),
349 _res.options);
350 previous = tree_search(tree_dns_fails, node_name);
351 if (previous != NULL)
352 {
353 DEBUG(D_dns) debug_printf("DNS lookup of %.255s-%s: using cached value %s\n",
354 name, dns_text_type(type),
355 (previous->data.val == DNS_NOMATCH)? "DNS_NOMATCH" :
356 (previous->data.val == DNS_NODATA)? "DNS_NODATA" :
357 (previous->data.val == DNS_AGAIN)? "DNS_AGAIN" :
358 (previous->data.val == DNS_FAIL)? "DNS_FAIL" : "??");
359 return previous->data.val;
360 }
361
362 /* If we are running in the test harness, recognize a couple of special
363 names that always give error returns. This makes it straightforward to
364 test the handling of DNS errors. */
365
366 if (running_in_test_harness)
367 {
368 uschar *endname = name + Ustrlen(name);
369 if (Ustrcmp(endname - 14, "test.again.dns") == 0)
370 {
371 int delay = Uatoi(name); /* digits at the start of the name */
372 DEBUG(D_dns) debug_printf("Real DNS lookup of %s (%s) bypassed for testing\n",
373 name, dns_text_type(type));
374 if (delay > 0)
375 {
376 DEBUG(D_dns) debug_printf("delaying %d seconds\n", delay);
377 sleep(delay);
378 }
379 DEBUG(D_dns) debug_printf("returning DNS_AGAIN\n");
380 return dns_return(name, type, DNS_AGAIN);
381 }
382 if (Ustrcmp(endname - 13, "test.fail.dns") == 0)
383 {
384 DEBUG(D_dns) debug_printf("Real DNS lookup of %s (%s) bypassed for testing\n",
385 name, dns_text_type(type));
386 DEBUG(D_dns) debug_printf("returning DNS_FAIL\n");
387 return dns_return(name, type, DNS_FAIL);
388 }
389 }
390
391 /* If configured, check the hygene of the name passed to lookup. Otherwise,
392 although DNS lookups may give REFUSED at the lower level, some resolvers
393 turn this into TRY_AGAIN, which is silly. Give a NOMATCH return, since such
394 domains cannot be in the DNS. The check is now done by a regular expression;
395 give it space for substring storage to save it having to get its own if the
396 regex has substrings that are used - the default uses a conditional.
397
398 This test is omitted for PTR records. These occur only in calls from the dnsdb
399 lookup, which constructs the names itself, so they should be OK. Besides,
400 bitstring labels don't conform to normal name syntax. (But the aren't used any
401 more.)
402
403 For SRV records, we omit the initial _smtp._tcp. components at the start. */
404
405 #ifndef STAND_ALONE /* Omit this for stand-alone tests */
406
407 if (check_dns_names_pattern[0] != 0 && type != T_PTR)
408 {
409 uschar *checkname = name;
410 int ovector[3*(EXPAND_MAXN+1)];
411
412 if (regex_check_dns_names == NULL)
413 regex_check_dns_names =
414 regex_must_compile(check_dns_names_pattern, FALSE, TRUE);
415
416 /* For an SRV lookup, skip over the first two components (the service and
417 protocol names, which both start with an underscore). */
418
419 if (type == T_SRV)
420 {
421 while (*checkname++ != '.');
422 while (*checkname++ != '.');
423 }
424
425 if (pcre_exec(regex_check_dns_names, NULL, CS checkname, Ustrlen(checkname),
426 0, PCRE_EOPT, ovector, sizeof(ovector)/sizeof(int)) < 0)
427 {
428 DEBUG(D_dns)
429 debug_printf("DNS name syntax check failed: %s (%s)\n", name,
430 dns_text_type(type));
431 host_find_failed_syntax = TRUE;
432 return DNS_NOMATCH;
433 }
434 }
435
436 #endif /* STAND_ALONE */
437
438 /* Call the resolver; for an overlong response, res_search() will return the
439 number of bytes the message would need, so we need to check for this case.
440 The effect is to truncate overlong data. */
441
442 dnsa->answerlen = res_search(CS name, C_IN, type, dnsa->answer, MAXPACKET);
443 if (dnsa->answerlen > MAXPACKET) dnsa->answerlen = MAXPACKET;
444
445 if (dnsa->answerlen < 0) switch (h_errno)
446 {
447 case HOST_NOT_FOUND:
448 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave HOST_NOT_FOUND\n"
449 "returning DNS_NOMATCH\n", name, dns_text_type(type));
450 return dns_return(name, type, DNS_NOMATCH);
451
452 case TRY_AGAIN:
453 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave TRY_AGAIN\n",
454 name, dns_text_type(type));
455
456 /* Cut this out for various test programs */
457 #ifndef STAND_ALONE
458 save = deliver_domain;
459 deliver_domain = name; /* set $domain */
460 rc = match_isinlist(name, &dns_again_means_nonexist, 0, NULL, NULL,
461 MCL_DOMAIN, TRUE, NULL);
462 deliver_domain = save;
463 if (rc != OK)
464 {
465 DEBUG(D_dns) debug_printf("returning DNS_AGAIN\n");
466 return dns_return(name, type, DNS_AGAIN);
467 }
468 DEBUG(D_dns) debug_printf("%s is in dns_again_means_nonexist: returning "
469 "DNS_NOMATCH\n", name);
470 return dns_return(name, type, DNS_NOMATCH);
471
472 #else /* For stand-alone tests */
473 return dns_return(name, type, DNS_AGAIN);
474 #endif
475
476 case NO_RECOVERY:
477 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave NO_RECOVERY\n"
478 "returning DNS_FAIL\n", name, dns_text_type(type));
479 return dns_return(name, type, DNS_FAIL);
480
481 case NO_DATA:
482 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave NO_DATA\n"
483 "returning DNS_NODATA\n", name, dns_text_type(type));
484 return dns_return(name, type, DNS_NODATA);
485
486 default:
487 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave unknown DNS error %d\n"
488 "returning DNS_FAIL\n", name, dns_text_type(type), h_errno);
489 return dns_return(name, type, DNS_FAIL);
490 }
491
492 DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) succeeded\n",
493 name, dns_text_type(type));
494
495 return DNS_SUCCEED;
496 }
497
498
499
500
501 /************************************************
502 * Do a DNS lookup and handle CNAMES *
503 ************************************************/
504
505 /* Look up the given domain name, using the given type. Follow CNAMEs if
506 necessary, but only so many times. There aren't supposed to be CNAME chains in
507 the DNS, but you are supposed to cope with them if you find them.
508
509 The assumption is made that if the resolver gives back records of the
510 requested type *and* a CNAME, we don't need to make another call to look up
511 the CNAME. I can't see how it could return only some of the right records. If
512 it's done a CNAME lookup in the past, it will have all of them; if not, it
513 won't return any.
514
515 If fully_qualified_name is not NULL, set it to point to the full name
516 returned by the resolver, if this is different to what it is given, unless
517 the returned name starts with "*" as some nameservers seem to be returning
518 wildcards in this form.
519
520 Arguments:
521 dnsa pointer to dns_answer structure
522 name domain name to look up
523 type DNS record type (T_A, T_MX, etc)
524 fully_qualified_name if not NULL, return the returned name here if its
525 contents are different (i.e. it must be preset)
526
527 Returns: DNS_SUCCEED successful lookup
528 DNS_NOMATCH name not found
529 DNS_NODATA no data found
530 DNS_AGAIN soft failure, try again later
531 DNS_FAIL DNS failure
532 */
533
534 int
535 dns_lookup(dns_answer *dnsa, uschar *name, int type, uschar **fully_qualified_name)
536 {
537 int i;
538 uschar *orig_name = name;
539
540 /* Loop to follow CNAME chains so far, but no further... */
541
542 for (i = 0; i < 10; i++)
543 {
544 uschar data[256];
545 dns_record *rr, cname_rr, type_rr;
546 dns_scan dnss;
547 int datalen, rc;
548
549 /* DNS lookup failures get passed straight back. */
550
551 if ((rc = dns_basic_lookup(dnsa, name, type)) != DNS_SUCCEED) return rc;
552
553 /* We should have either records of the required type, or a CNAME record,
554 or both. We need to know whether both exist for getting the fully qualified
555 name, but avoid scanning more than necessary. Note that we must copy the
556 contents of any rr blocks returned by dns_next_rr() as they use the same
557 area in the dnsa block. */
558
559 cname_rr.data = type_rr.data = NULL;
560 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
561 rr != NULL;
562 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
563 {
564 if (rr->type == type)
565 {
566 if (type_rr.data == NULL) type_rr = *rr;
567 if (cname_rr.data != NULL) break;
568 }
569 else if (rr->type == T_CNAME) cname_rr = *rr;
570 }
571
572 /* If a CNAME was found, take the fully qualified name from it; otherwise
573 from the first data record, if present. For testing, there is a magic name
574 that gets its casing adjusted, because my resolver doesn't seem to pass back
575 upper case letters in domain names. */
576
577 if (fully_qualified_name != NULL)
578 {
579 if (cname_rr.data != NULL)
580 {
581 if (Ustrcmp(cname_rr.name, *fully_qualified_name) != 0 &&
582 cname_rr.name[0] != '*')
583 *fully_qualified_name = string_copy_dnsdomain(cname_rr.name);
584 }
585 else if (type_rr.data != NULL)
586 {
587 if (running_in_test_harness &&
588 Ustrcmp(type_rr.name, "uppercase.test.ex") == 0)
589 *fully_qualified_name = US"UpperCase.test.ex";
590 else
591 {
592 if (Ustrcmp(type_rr.name, *fully_qualified_name) != 0 &&
593 type_rr.name[0] != '*')
594 *fully_qualified_name = string_copy_dnsdomain(type_rr.name);
595 }
596 }
597 }
598
599 /* If any data records of the correct type were found, we are done. */
600
601 if (type_rr.data != NULL) return DNS_SUCCEED;
602
603 /* If there are no data records, we need to re-scan the DNS using the
604 domain given in the CNAME record, which should exist (otherwise we should
605 have had a failure from dns_lookup). However code against the possibility of
606 its not existing. */
607
608 if (cname_rr.data == NULL) return DNS_FAIL;
609 datalen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
610 cname_rr.data, (DN_EXPAND_ARG4_TYPE)data, 256);
611 if (datalen < 0) return DNS_FAIL;
612 name = data;
613 } /* Loop back to do another lookup */
614
615 /*Control reaches here after 10 times round the CNAME loop. Something isn't
616 right... */
617
618 log_write(0, LOG_MAIN, "CNAME loop for %s encountered", orig_name);
619 return DNS_FAIL;
620 }
621
622
623
624
625
626
627 /************************************************
628 * Do a DNS lookup and handle virtual types *
629 ************************************************/
630
631 /* This function handles some invented "lookup types" that synthesize feature
632 not available in the basic types. The special types all have negative values.
633 Positive type values are passed straight on to dns_lookup().
634
635 Arguments:
636 dnsa pointer to dns_answer structure
637 name domain name to look up
638 type DNS record type (T_A, T_MX, etc or a "special")
639 fully_qualified_name if not NULL, return the returned name here if its
640 contents are different (i.e. it must be preset)
641
642 Returns: DNS_SUCCEED successful lookup
643 DNS_NOMATCH name not found
644 DNS_NODATA no data found
645 DNS_AGAIN soft failure, try again later
646 DNS_FAIL DNS failure
647 */
648
649 int
650 dns_special_lookup(dns_answer *dnsa, uschar *name, int type,
651 uschar **fully_qualified_name)
652 {
653 if (type >= 0) return dns_lookup(dnsa, name, type, fully_qualified_name);
654
655 /* The "mx hosts only" type doesn't require any special action here */
656
657 if (type == T_MXH) return dns_lookup(dnsa, name, T_MX, fully_qualified_name);
658
659 /* Find nameservers for the domain or the nearest enclosing zone, excluding the
660 root servers. */
661
662 if (type == T_ZNS)
663 {
664 uschar *d = name;
665 while (d != 0)
666 {
667 int rc = dns_lookup(dnsa, d, T_NS, fully_qualified_name);
668 if (rc != DNS_NOMATCH && rc != DNS_NODATA) return rc;
669 while (*d != 0 && *d != '.') d++;
670 if (*d++ == 0) break;
671 }
672 return DNS_NOMATCH;
673 }
674
675 /* Try to look up the Client SMTP Authorization SRV record for the name. If
676 there isn't one, search from the top downwards for a CSA record in a parent
677 domain, which might be making assertions about subdomains. If we find a record
678 we set fully_qualified_name to whichever lookup succeeded, so that the caller
679 can tell whether to look at the explicit authorization field or the subdomain
680 assertion field. */
681
682 if (type == T_CSA)
683 {
684 uschar *srvname, *namesuff, *tld, *p;
685 int priority, weight, port;
686 int limit, rc, i;
687 BOOL ipv6;
688 dns_record *rr;
689 dns_scan dnss;
690
691 DEBUG(D_dns) debug_printf("CSA lookup of %s\n", name);
692
693 srvname = string_sprintf("_client._smtp.%s", name);
694 rc = dns_lookup(dnsa, srvname, T_SRV, NULL);
695 if (rc == DNS_SUCCEED || rc == DNS_AGAIN)
696 {
697 if (rc == DNS_SUCCEED) *fully_qualified_name = name;
698 return rc;
699 }
700
701 /* Search for CSA subdomain assertion SRV records from the top downwards,
702 starting with the 2nd level domain. This order maximizes cache-friendliness.
703 We skip the top level domains to avoid loading their nameservers and because
704 we know they'll never have CSA SRV records. */
705
706 namesuff = Ustrrchr(name, '.');
707 if (namesuff == NULL) return DNS_NOMATCH;
708 tld = namesuff + 1;
709 ipv6 = FALSE;
710 limit = dns_csa_search_limit;
711
712 /* Use more appropriate search parameters if we are in the reverse DNS. */
713
714 if (strcmpic(namesuff, US".arpa") == 0)
715 {
716 if (namesuff - 8 > name && strcmpic(namesuff - 8, US".in-addr.arpa") == 0)
717 {
718 namesuff -= 8;
719 tld = namesuff + 1;
720 limit = 3;
721 }
722 else if (namesuff - 4 > name && strcmpic(namesuff - 4, US".ip6.arpa") == 0)
723 {
724 namesuff -= 4;
725 tld = namesuff + 1;
726 ipv6 = TRUE;
727 limit = 3;
728 }
729 }
730
731 DEBUG(D_dns) debug_printf("CSA TLD %s\n", tld);
732
733 /* Do not perform the search if the top level or 2nd level domains do not
734 exist. This is quite common, and when it occurs all the search queries would
735 go to the root or TLD name servers, which is not friendly. So we check the
736 AUTHORITY section; if it contains the root's SOA record or the TLD's SOA then
737 the TLD or the 2LD (respectively) doesn't exist and we can skip the search.
738 If the TLD and the 2LD exist but the explicit CSA record lookup failed, then
739 the AUTHORITY SOA will be the 2LD's or a subdomain thereof. */
740
741 if (rc == DNS_NOMATCH)
742 {
743 /* This is really gross. The successful return value from res_search() is
744 the packet length, which is stored in dnsa->answerlen. If we get a
745 negative DNS reply then res_search() returns -1, which causes the bounds
746 checks for name decompression to fail when it is treated as a packet
747 length, which in turn causes the authority search to fail. The correct
748 packet length has been lost inside libresolv, so we have to guess a
749 replacement value. (The only way to fix this properly would be to
750 re-implement res_search() and res_query() so that they don't muddle their
751 success and packet length return values.) For added safety we only reset
752 the packet length if the packet header looks plausible. */
753
754 HEADER *h = (HEADER *)dnsa->answer;
755 if (h->qr == 1 && h->opcode == QUERY && h->tc == 0
756 && (h->rcode == NOERROR || h->rcode == NXDOMAIN)
757 && ntohs(h->qdcount) == 1 && ntohs(h->ancount) == 0
758 && ntohs(h->nscount) >= 1)
759 dnsa->answerlen = MAXPACKET;
760
761 for (rr = dns_next_rr(dnsa, &dnss, RESET_AUTHORITY);
762 rr != NULL;
763 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
764 if (rr->type != T_SOA) continue;
765 else if (strcmpic(rr->name, US"") == 0 ||
766 strcmpic(rr->name, tld) == 0) return DNS_NOMATCH;
767 else break;
768 }
769
770 for (i = 0; i < limit; i++)
771 {
772 if (ipv6)
773 {
774 /* Scan through the IPv6 reverse DNS in chunks of 16 bits worth of IP
775 address, i.e. 4 hex chars and 4 dots, i.e. 8 chars. */
776 namesuff -= 8;
777 if (namesuff <= name) return DNS_NOMATCH;
778 }
779 else
780 /* Find the start of the preceding domain name label. */
781 do
782 if (--namesuff <= name) return DNS_NOMATCH;
783 while (*namesuff != '.');
784
785 DEBUG(D_dns) debug_printf("CSA parent search at %s\n", namesuff + 1);
786
787 srvname = string_sprintf("_client._smtp.%s", namesuff + 1);
788 rc = dns_lookup(dnsa, srvname, T_SRV, NULL);
789 if (rc == DNS_AGAIN) return rc;
790 if (rc != DNS_SUCCEED) continue;
791
792 /* Check that the SRV record we have found is worth returning. We don't
793 just return the first one we find, because some lower level SRV record
794 might make stricter assertions than its parent domain. */
795
796 for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
797 rr != NULL;
798 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
799 {
800 if (rr->type != T_SRV) continue;
801
802 /* Extract the numerical SRV fields (p is incremented) */
803 p = rr->data;
804 GETSHORT(priority, p);
805 GETSHORT(weight, p);
806 GETSHORT(port, p);
807
808 /* Check the CSA version number */
809 if (priority != 1) continue;
810
811 /* If it's making an interesting assertion, return this response. */
812 if (port & 1)
813 {
814 *fully_qualified_name = namesuff + 1;
815 return DNS_SUCCEED;
816 }
817 }
818 }
819 return DNS_NOMATCH;
820 }
821
822 /* Control should never reach here */
823
824 return DNS_FAIL;
825 }
826
827
828
829 /* Support for A6 records has been commented out since they were demoted to
830 experimental status at IETF 51. */
831
832 #if HAVE_IPV6 && defined(SUPPORT_A6)
833
834 /*************************************************
835 * Search DNS block for prefix RRs *
836 *************************************************/
837
838 /* Called from dns_complete_a6() to search an additional section or a main
839 answer section for required prefix records to complete an IPv6 address obtained
840 from an A6 record. For each prefix record, a recursive call to dns_complete_a6
841 is made, with a new copy of the address so far.
842
843 Arguments:
844 dnsa the DNS answer block
845 which RESET_ADDITIONAL or RESET_ANSWERS
846 name name of prefix record
847 yptrptr pointer to the pointer that points to where to hang the next
848 dns_address structure
849 bits number of bits we have already got
850 bitvec the bits we have already got
851
852 Returns: TRUE if any records were found
853 */
854
855 static BOOL
856 dns_find_prefix(dns_answer *dnsa, int which, uschar *name, dns_address
857 ***yptrptr, int bits, uschar *bitvec)
858 {
859 BOOL yield = FALSE;
860 dns_record *rr;
861 dns_scan dnss;
862
863 for (rr = dns_next_rr(dnsa, &dnss, which);
864 rr != NULL;
865 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
866 {
867 uschar cbitvec[16];
868 if (rr->type != T_A6 || strcmpic(rr->name, name) != 0) continue;
869 yield = TRUE;
870 memcpy(cbitvec, bitvec, sizeof(cbitvec));
871 dns_complete_a6(yptrptr, dnsa, rr, bits, cbitvec);
872 }
873
874 return yield;
875 }
876
877
878
879 /*************************************************
880 * Follow chains of A6 records *
881 *************************************************/
882
883 /* A6 records may be incomplete, with pointers to other records containing more
884 bits of the address. There can be a tree structure, leading to a number of
885 addresses originating from a single initial A6 record.
886
887 Arguments:
888 yptrptr pointer to the pointer that points to where to hang the next
889 dns_address structure
890 dnsa the current DNS answer block
891 rr the RR we have at present
892 bits number of bits we have already got
893 bitvec the bits we have already got
894
895 Returns: nothing
896 */
897
898 static void
899 dns_complete_a6(dns_address ***yptrptr, dns_answer *dnsa, dns_record *rr,
900 int bits, uschar *bitvec)
901 {
902 static uschar bitmask[] = { 0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80 };
903 uschar *p = (uschar *)(rr->data);
904 int prefix_len, suffix_len;
905 int i, j, k;
906 uschar *chainptr;
907 uschar chain[264];
908 dns_answer cdnsa;
909
910 /* The prefix length is the first byte. It defines the prefix which is missing
911 from the data in this record as a number of bits. Zero means this is the end of
912 a chain. The suffix is the data in this record; only sufficient bytes to hold
913 it are supplied. There may be zero bytes. We have to ignore trailing bits that
914 we have already obtained from earlier RRs in the chain. */
915
916 prefix_len = *p++; /* bits */
917 suffix_len = (128 - prefix_len + 7)/8; /* bytes */
918
919 /* If the prefix in this record is greater than the prefix in the previous
920 record in the chain, we have to ignore the record (RFC 2874). */
921
922 if (prefix_len > 128 - bits) return;
923
924 /* In this little loop, the number of bits up to and including the current byte
925 is held in k. If we have none of the bits in this byte, we can just or it into
926 the current data. If we have all of the bits in this byte, we skip it.
927 Otherwise, some masking has to be done. */
928
929 for (i = suffix_len - 1, j = 15, k = 8; i >= 0; i--)
930 {
931 int required = k - bits;
932 if (required >= 8) bitvec[j] |= p[i];
933 else if (required > 0) bitvec[j] |= p[i] & bitmask[required];
934 j--; /* I tried putting these in the "for" statement, but gcc muttered */
935 k += 8; /* about computed values not being used. */
936 }
937
938 /* If the prefix_length is zero, we are at the end of a chain. Build a
939 dns_address item with the current data, hang it onto the end of the chain,
940 adjust the hanging pointer, and we are done. */
941
942 if (prefix_len == 0)
943 {
944 dns_address *new = store_get(sizeof(dns_address) + 50);
945 inet_ntop(AF_INET6, bitvec, CS new->address, 50);
946 new->next = NULL;
947 **yptrptr = new;
948 *yptrptr = &(new->next);
949 return;
950 }
951
952 /* Prefix length is not zero. Reset the number of bits that we have collected
953 so far, and extract the chain name. */
954
955 bits = 128 - prefix_len;
956 p += suffix_len;
957
958 chainptr = chain;
959 while ((i = *p++) != 0)
960 {
961 if (chainptr != chain) *chainptr++ = '.';
962 memcpy(chainptr, p, i);
963 chainptr += i;
964 p += i;
965 }
966 *chainptr = 0;
967 chainptr = chain;
968
969 /* Now scan the current DNS response record to see if the additional section
970 contains the records we want. This processing can be cut out for testing
971 purposes. */
972
973 if (dns_find_prefix(dnsa, RESET_ADDITIONAL, chainptr, yptrptr, bits, bitvec))
974 return;
975
976 /* No chain records were found in the current DNS response block. Do a new DNS
977 lookup to try to find these records. This opens up the possibility of DNS
978 failures. We ignore them at this point; if all branches of the tree fail, there
979 will be no addresses at the end. */
980
981 if (dns_lookup(&cdnsa, chainptr, T_A6, NULL) == DNS_SUCCEED)
982 (void)dns_find_prefix(&cdnsa, RESET_ANSWERS, chainptr, yptrptr, bits, bitvec);
983 }
984 #endif /* HAVE_IPV6 && defined(SUPPORT_A6) */
985
986
987
988
989 /*************************************************
990 * Get address(es) from DNS record *
991 *************************************************/
992
993 /* The record type is either T_A for an IPv4 address or T_AAAA (or T_A6 when
994 supported) for an IPv6 address. In the A6 case, there may be several addresses,
995 generated by following chains. A recursive function does all the hard work. A6
996 records now look like passing into history, so the code is only included when
997 explicitly asked for.
998
999 Argument:
1000 dnsa the DNS answer block
1001 rr the RR
1002
1003 Returns: pointer a chain of dns_address items
1004 */
1005
1006 dns_address *
1007 dns_address_from_rr(dns_answer *dnsa, dns_record *rr)
1008 {
1009 dns_address *yield = NULL;
1010
1011 #if HAVE_IPV6 && defined(SUPPORT_A6)
1012 dns_address **yieldptr = &yield;
1013 uschar bitvec[16];
1014 #else
1015 dnsa = dnsa; /* Stop picky compilers warning */
1016 #endif
1017
1018 if (rr->type == T_A)
1019 {
1020 uschar *p = (uschar *)(rr->data);
1021 yield = store_get(sizeof(dns_address) + 20);
1022 (void)sprintf(CS yield->address, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
1023 yield->next = NULL;
1024 }
1025
1026 #if HAVE_IPV6
1027
1028 #ifdef SUPPORT_A6
1029 else if (rr->type == T_A6)
1030 {
1031 memset(bitvec, 0, sizeof(bitvec));
1032 dns_complete_a6(&yieldptr, dnsa, rr, 0, bitvec);
1033 }
1034 #endif /* SUPPORT_A6 */
1035
1036 else
1037 {
1038 yield = store_get(sizeof(dns_address) + 50);
1039 inet_ntop(AF_INET6, (uschar *)(rr->data), CS yield->address, 50);
1040 yield->next = NULL;
1041 }
1042 #endif /* HAVE_IPV6 */
1043
1044 return yield;
1045 }
1046
1047 /* End of dns.c */