Add DNS debug aid if we requsted AD but got AA

[exim.git] / src / src / host.c

diff --git a/src/src/host.c b/src/src/host.c
index 5629d7db2948086149089e5162775c91ad3b45f2..19b5805b9a074b410f71ee72df6c9ec93628e93d 100644 (file)
--- a/src/src/host.c
+++ b/src/src/host.c
@@ -2228,7 +2228,8 @@ Arguments:
   fully_qualified_name  if not NULL, return fully qualified name here if
                           the contents are different (i.e. it must be preset
                           to something)
   fully_qualified_name  if not NULL, return fully qualified name here if
                           the contents are different (i.e. it must be preset
                           to something)

-  dnnssec_require      if TRUE check the DNS result AD bit
+  dnssec_request       if TRUE request the AD bit
+  dnssec_require       if TRUE require the AD bit

 
 Returns:       HOST_FIND_FAILED     couldn't find A record
                HOST_FIND_AGAIN      try again later
 
 Returns:       HOST_FIND_FAILED     couldn't find A record
                HOST_FIND_AGAIN      try again later


@@ -2300,6 +2301,12 @@ for (; i >= 0; i--)
   lookup_dnssec_authenticated = !dnssec_request ? NULL
     : dns_is_secure(&dnsa) ? US"yes" : US"no";
 
   lookup_dnssec_authenticated = !dnssec_request ? NULL
     : dns_is_secure(&dnsa) ? US"yes" : US"no";
 

+  DEBUG(D_dns)
+    if ((dnssec_request || dnssec_require)
+       & !dns_is_secure(&dnsa)
+       & dns_is_aa(&dnsa))
+      debug_printf("DNS lookup of %.256s (A/AAA/A6) asked for AD, but got AA\n", host->name);
+

   /* We want to return HOST_FIND_AGAIN if one of the A, A6, or AAAA lookups
   fails or times out, but not if another one succeeds. (In the early
   IPv6 days there are name servers that always fail on AAAA, but are happy
   /* We want to return HOST_FIND_AGAIN if one of the A, A6, or AAAA lookups
   fails or times out, but not if another one succeeds. (In the early
   IPv6 days there are name servers that always fail on AAAA, but are happy


@@ -2544,7 +2551,7 @@ dns_init((whichrrs & HOST_FIND_QUALIFY_SINGLE) != 0,
 host_find_failed_syntax = FALSE;
 
 /* First, if requested, look for SRV records. The service name is given; we
 host_find_failed_syntax = FALSE;
 
 /* First, if requested, look for SRV records. The service name is given; we

-assume TCP progocol. DNS domain names are constrained to a maximum of 256
+assume TCP protocol. DNS domain names are constrained to a maximum of 256

 characters, so the code below should be safe. */
 
 if ((whichrrs & HOST_FIND_BY_SRV) != 0)
 characters, so the code below should be safe. */
 
 if ((whichrrs & HOST_FIND_BY_SRV) != 0)


@@ -2565,6 +2572,12 @@ if ((whichrrs & HOST_FIND_BY_SRV) != 0)
   lookup_dnssec_authenticated = NULL;
   rc = dns_lookup_timerwrap(&dnsa, buffer, ind_type, CUSS &temp_fully_qualified_name);
 
   lookup_dnssec_authenticated = NULL;
   rc = dns_lookup_timerwrap(&dnsa, buffer, ind_type, CUSS &temp_fully_qualified_name);
 

+  DEBUG(D_dns)
+    if ((dnssec_request || dnssec_require)
+       & !dns_is_secure(&dnsa)
+       & dns_is_aa(&dnsa))
+      debug_printf("DNS lookup of %.256s (SRV) requested AD, but got AA\n", host->name);
+

   if (dnssec_request)
     {
     if (dns_is_secure(&dnsa))
   if (dnssec_request)
     {
     if (dns_is_secure(&dnsa))


@@ -2611,6 +2624,12 @@ if (rc != DNS_SUCCEED && (whichrrs & HOST_FIND_BY_MX) != 0)
   lookup_dnssec_authenticated = NULL;
   rc = dns_lookup_timerwrap(&dnsa, host->name, ind_type, fully_qualified_name);
 
   lookup_dnssec_authenticated = NULL;
   rc = dns_lookup_timerwrap(&dnsa, host->name, ind_type, fully_qualified_name);
 

+  DEBUG(D_dns)
+    if ((dnssec_request || dnssec_require)
+       & !dns_is_secure(&dnsa)
+       & dns_is_aa(&dnsa))
+      debug_printf("DNS lookup of %.256s (MX) asked for AD, but got AA\n", host->name);
+

   if (dnssec_request)
     {
     if (dns_is_secure(&dnsa))
   if (dnssec_request)
     {
     if (dns_is_secure(&dnsa))